denver218

asked on

Smartnet Contracts for SSM-20's installed in a pair of ASA5520 in Active/Standby Failover

I have two ASA5520s configured in Active/Standby Failover.  I have two SSM-20 Modules that I'm going to install and configure in these ASAs.  Now as you know, in Active/Standby, only one device is being used; the other device is just sitting there waiting to take over.  Now Cisco tells me that the SSM configurations do not replicate from the active unit to the standby unit, as they are independent and both need to be configured manually.  They also said I will need to purchase a smartnet contract for both SSMs even though I'm only using one at a time.  I am furious, as a contract for an SSM is about $3,000.  I can't afford two of them.  Does anyone have a way around this?  I refuse to purchase a contract for both SSMs when I'm only using one at a time.  I know with AnyConnect licensing I only need to buy one license for an Active/Standby pair.  This is not right in my eyes.
Ernie Beek

Well, what I did in the past, when having multiple identical devices was: purchase one smartnet. When a device broke down, register the smartnet on that device and place a support call. Though it's a 'creative' solution it worked for me.

ASKER

:) Yeah, I've done that before.  I'm concerned if the Active ASA fails, this is the ASA that has the SSM that has the contract/license, it will fail over to the standby ASA, but the SSM in the standby ASA will not have a license so it will not have active signatures.  Unless I can manually download the SSM signatures and install them on the second SSM without a license?  I just quoted one SSM, and it came out to $2,700.  There is no way I can afford another $2,700 license.  I mean only one of the devices is active at a time.
Oh wait, you're talking license not smartnet?
So then you have a plus license (?) because there is a default license on the ssm20.
I guess I'm confused.  I have two ASA5520's in Active/Standby Failover.  Both of these ASA's have a smartnet contract.  I recently purchased two SSM-20 modules, they are used, but currently don't have a valid license.  The SSM-20 says "there is no license key installed on the SSM-IPS 20", please go to www.cisco.com/go/license to obtain a new license.  I want to put these modules in the ASA's.  So what I did was go to the Cisco Service Contract Center website and quoted the S/N for each SSM-20.  I quoted the serial # for this contract - IPS Svc AR NBD (SU1).  It comes back with a $2,700 price tag.  Both of them do.  I'm guessing this gives me the license.  So since neither have a license key, I am probably going to have to purchase one for both.  Would you agree?
ASKER CERTIFIED SOLUTION
Ken Boone
Hi Ken, where did you come from all of a sudden?
Did it really take me eight minutes to type that comment?

;)
Ernie,
Yeah, that happens to me all the time ;)
Well, that stinks :(  I think I will need to purchase a license for both then.  If not, I can do what Ken stated and not have a license on the standby SSM, but as he said, if failover occurred that SSM would have outdated signatures, so there would be some vulnerability.

As far as ASA failover is concerned, since the SSMs are independent, it doesn't matter if one of the SSMs doesn't have a license, right?  This won't break failover, right?  I wouldn't think it would.

I am very surprised that Cisco doesn't have some sort of shared license for this.  I feel I am being ripped off.  I can only use one at a time, the ASAs are in Active/Standby.  I guess this is the price you pay for security.
No, failover won't break, as you stated.

And indeed, security will cost you (and Cisco as well ;). Though indeed it is strange that they do have a separate licensing for failover bundles but not for the additional SSMs.
Yeah, and the other thing that stinks is that the configuration doesn't sync between them like on the CSC modules.  The CSC modules are independent but you can sync them.  With the SSM, each time you configure a filter, you need to make sure you do it on both of the units.  And... if the other unit doesn't have all the sigs, then you might not be able to set the same filter.  Have fun.  In either case, download the free IME software and install that and get that set up.  It is much easier to view what is going on with the sensors and you can set up alerting with it as well.
@ken: hehe, this time I saw your comment before I started typing. So that saved me some work :)
Always trying to help a brother out ... ;)
Thanks guys, I really appreciate your help.  I think to start I am only going to purchase a license for one SSM-20.  If failover occurs, I will just try and get the main unit back online as quick as I can since the standby unit will not have a license :)  I will have a 4hr response time on the one contract I purchase.  Maybe later down the line I will be able to get a license for the SSM in the failover unit.  Thanks again!
I think I may speak for the both of us when I say: you're welcome & thx 4 the points (and save Ken from some typework ;)