
Smartnet Contracts for SSM-20's installed in a pair of ASA5520 in Active/Standby Failover

Posted on 2012-08-31
Last Modified: 2012-08-31
I have two ASA5520s configured in Active/Standby Failover.  I have two SSM-20 modules that I'm going to install and configure in these ASAs.  Now as you know, in Active/Standby, only one device is being used; the other device is just sitting there waiting to take over.  Now Cisco tells me that the SSM configurations do not replicate from the active unit to the standby unit as they are independent and both need to be configured manually.  They also said I will need to purchase a smartnet contract for both SSMs even though I'm only using one at a time.  I am furious as a contract for an SSM is about $3,000.  I can't afford two of them.  Does anyone have a way around this?  I refuse to purchase a contract for both SSMs when I'm only using one at a time.  I know with AnyConnect licensing I only need to buy one license for an Active/Standby pair.  This is not right in my eyes.
Question by:denver218
15 Comments
 

Expert Comment

by:Ernie Beek
ID: 38354024
Well, what I did in the past, when having multiple identical devices was: purchase one smartnet. When a device broke down, register the smartnet on that device and place a support call. Though it's a 'creative' solution it worked for me.

Author Comment

by:denver218
ID: 38354060
:) Yeah, I've done that before.  I'm concerned that if the Active ASA fails (this is the ASA that has the SSM that has the contract/license), it will fail over to the standby ASA, but the SSM in the standby ASA will not have a license, so it will not have active signatures.  Unless I can manually download the SSM signatures and install them on the second SSM without a license?  I just quoted one SSM, and it came out to $2,700.  There is no way I can afford another $2,700 license.  I mean, only one of the devices is active at a time.

Expert Comment

by:Ernie Beek
ID: 38354077
Oh wait, you're talking license not smartnet?
So then you have a plus license (?) because there is a default license on the ssm20.

Author Comment

by:denver218
ID: 38354132
I guess I'm confused.  I have two ASA5520s in Active/Standby Failover.  Both of these ASAs have a smartnet contract.  I recently purchased two SSM-20 modules; they are used, but currently don't have a valid license.  The SSM-20 says "there is no license key installed on the SSM-IPS 20", please go to www.cisco.com/go/license to obtain a new license.  I want to put these modules in the ASAs.  So what I did was go to the Cisco Service Contract Center website and quoted the S/N for each SSM-20.  I quoted the serial # for this contract - IPS Svc AR NBD (SU1).  It comes back with a $2,700 price tag.  Both of them do.  I'm guessing this gives me the license.  So since neither has a license key, I am probably going to have to purchase one for both.  Would you agree?

Accepted Solution

by:Ken Boone
Ken Boone earned 1000 total points
ID: 38354183
You are correct.  The license is what lets the SSM update its signatures.  However, with the SSM modules, since they are independent, the ASAs won't care if one has a license and one doesn't as far as failover goes.  So you should be able to have your active/standby running.  The issue is that if it fails to the ASA with the non-licensed SSM, it won't be current.  You have to decide what the risk is in running that way for a brief period of time while you fix the reason it failed over versus the $2700.

Assisted Solution

by:Ernie Beek
Ernie Beek earned 1000 total points
ID: 38354219
I think I agree........

You purchased used modules so the default license has expired (?)

Then I'm afraid you'll need one for both :-~

As per Cisco:

Two services are required for the effective operation of the CSC-SSM: Software update service and Cisco SMARTnet®. First year of software update service for base feature set is included in the base price of the product for the first year of service as measured from time of license registration. Customers are required to purchase Cisco maintenance separately for an additional fee (SMARTnet or equivalent, for example). This SMARTnet service fee is not included in the base price of the product for the first or subsequent years.

As you already figured out, the license key is linked to the serial of the device. So two devices, two serials.

Expert Comment

by:Ernie Beek
ID: 38354234
Hi Ken, where did you come from all of a sudden?
Did it really take me eight minutes to type that comment?

;)

Expert Comment

by:Ken Boone
ID: 38354296
Ernie,
Yea that happens to me all the time ;)

Author Comment

by:denver218
ID: 38354329
Well that stinks :(  I think I will need to purchase a license for both then.  If not, I can do what Ken stated and not have a license on the standby SSM, but as he said, if failover occurred that SSM would have outdated signatures, so there would be some vulnerability.

As far as ASA failover is concerned, since the SSMs are independent, it doesn't matter if one of the SSMs doesn't have a license, right?  This won't break failover, right?  I wouldn't think it would.

I am very surprised that Cisco doesn't have some sort of shared license for this.  I feel I am being ripped off.  I can only use one at a time; the ASAs are in Active/Standby.  I guess this is the price you pay for security.

Expert Comment

by:Ernie Beek
ID: 38354367
No, failover won't break, as you stated.

And indeed, security will cost you (and Cisco as well ;) ). Though indeed it is strange that they do have separate licensing for failover bundles but not for the additional SSMs.

Expert Comment

by:Ken Boone
ID: 38354403
Yea, and the other thing that stinks is that the configuration doesn't sync between them like on the CSC modules.  The CSC modules are independent but you can sync them.  With the SSM, each time you configure a filter, you need to make sure you do it on both of the units.  And... if the other unit doesn't have all the sigs, then you might not be able to set the same filter.  Have fun.  In either case, download the free IME software and install that and get that set up.  It is much easier to view what is going on with the sensors and you can set up alerting with it as well.

Expert Comment

by:Ernie Beek
ID: 38354424
@Ken: hehe, this time I saw your comment before I started typing. So that saved me some work :)

Expert Comment

by:Ken Boone
ID: 38354501
Always trying to help a brother out ... ;)

Author Closing Comment

by:denver218
ID: 38354556
Thanks guys, I really appreciate your help.  I think to start I am only going to purchase a license for one SSM-20.  If failover occurs, I will just try and get the main unit back online as quickly as I can, since the standby unit will not have a license :)  I will have a 4hr response time on the one contract I purchase.  Maybe later down the line I will be able to get a license for the SSM in the failover unit.  Thanks again!

Expert Comment

by:Ernie Beek
ID: 38354617
I think I may speak for the both of us when I say: you're welcome & thx 4 the points (and save Ken from some typework ;)