I have a lab environment that I am trying to figure out. And in that case the other unit was operating with the license until we got a replacement device and moved the license to the new unit. Hello - Any help will be greatly appreciated. With ASAs with the new software level I don't have experience of this situation as during the 5 years that I have been working for the local ISP, we have only had 1 ASA break down. If the licensing information is stored in some hidden file on the ASA I wonder if the ASA then starts counting down towards the 30 day limit on the Secondary as soon as the connection to the Primary unit is lost because of Primary unit hardware failure. So I can't say for 100% sure if the reboot has an effect on the License on the Secondary ASA in the case where the Primary is completely broken. Sounds more to me that the above refers to a situation where both units are operational but have lost FO connectivity. During the 30-day grace period, the combined running license continues to be used by both units. If the failover units lose communication for more than 30 days, then each unit reverts to the license installed locally. Here's the quote from the documentation (This is from the same documentation linked above) It just states that the connectivity of the units needs to be restored in 30 days. In my opinion the documentation isn't really clear on if a reboot of the Secondary device makes any difference. I assume then that (when referring to the Cisco document) the situation will indeed be that after the Licensed Primary Unit breaks down or loses connectivity otherwise with the Secondary unit that the Secondary unit will be able to act alone for 30 days. (Reboot causes the loss of functionality if Primary (licensed) unit isn't available) I was assuming the same logic for the new software and devices. In that case the Secondary wasn't enough alone to handle the role after reboot and caused problems.
In the old PIX failover pair licensing we experienced a situation where the Secondary device only licensed for FO purpose was the only PIX Active after the Primary PIX broke down. I can't say for sure as the documentation doesn't state it exactly or I have just missed it. I might have been wrong with that operation logic perhaps. The document also explains what happens when the Primary device is lost or there is a problem between the 2 ASAs. If you have licenses on both units, they combine into a single running failover cluster license. Typically, you buy a license only for the primary unit for Active/Standby failover, the secondary unit inherits the primary license when it becomes active. Starting with Version 8.3(1), you no longer need to install identical licenses. So to my understanding to play it REALLY safe you would still use Licenses on both units but under normal circumstances and getting a replacing device fast enough in the case of Primary ASA failure you should be fine with single license only. Also here's a good quote from the 8.6 Configuration Guide for HA setups and their Licensing. What you have to notice though that IF the Primary device with the License does break down/malfunction/etc the Secondary unit might lose its license acquired from the Primary IF it reboots (and therefore doesn't get the License from the Primary unit which is now broken down). The License should apply whichever device is Active in the setup. It doesn't matter which device is Active in the Failover pair. You should be fine activating the license only on the Primary unit in the new post 8.3 software levels.