I had to configure a pair of Cisco ASA 5506-X firewalls and apply a Security Plus license in order to support the Active/Standby Failover (High Availability) feature. You'll find the feature comparison between the Base license and the Security Plus license on this link.
If the unit lacks failover license support, you'll get a warning message when you try to configure the standby (failover) IP address on an ASA interface.
ASA5506-X(config-if)# interface BVI1
ASA5506-X(config-if)# nameif inside
ASA5506-X(config-if)# security-level 100
ASA5506-X(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
WARNING: Cannot configure standby IP address because this unit lack failover license support.
ASA5506-X# show version
Cisco Adaptive Security Appliance Software Version 9.8(2)
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(2)
Compiled on Thu 02-Apr-20 10:19 PDT by builders
System image file is "disk0:/asa982-lfbff-k8.SPA"
Config file at boot was "startup-config"
ASA5506-X up 25 mins 29 secs
Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Number of accelerators: 1
1: Ext: GigabitEthernet1/1 : address is bc5a.5681.d596, irq 255
2: Ext: GigabitEthernet1/2 : address is bc5a.5681.d597, irq 255
3: Ext: GigabitEthernet1/3 : address is bc5a.5681.d598, irq 255
4: Ext: GigabitEthernet1/4 : address is bc5a.5681.d599, irq 255
5: Ext: GigabitEthernet1/5 : address is bc5a.5681.d59a, irq 255
6: Ext: GigabitEthernet1/6 : address is bc5a.5681.d59b, irq 255
7: Ext: GigabitEthernet1/7 : address is bc5a.5681.d59c, irq 255
8: Ext: GigabitEthernet1/8 : address is bc5a.5681.d59d, irq 255
9: Int: Internal-Data1/1 : address is bc5a.5681.d595, irq 255
10: Int: Internal-Data1/2 : address is 0000.0001.0002, irq 0
11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
12: Int: Internal-Data1/3 : address is 0000.0001.0003, irq 0
13: Ext: Management1/1 : address is bc5a.5681.d595, irq 0
14: Int: Internal-Data1/4 : address is 0000.0100.0001, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 5 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
Serial Number: JAD24111234
Running Permanent Activation Key: 0xd71be575 0xb069db6f 0xb0523db4 0x949058c8 0x44221234
Configuration register is 0x1
Image type : Release
Key Version : A
Configuration last modified by enable_15 at 11:56:07.469 UTC Tue Nov 10 2020
You'll need to register and retrieve the license key in the Cisco Licensing portal. Next, apply the license key using the global configuration command activation-key <KEY> and issue a reload for the license to take effect.
ASA5506-X(config-if)# activation-key 3c2dfa64 2c9281c9 5491edd8 8b4c40a4 cb356789
Validating activation key. This may take a few minutes...
Failover is different.
running permanent activation key: Restricted(R)
new permanent activation key: Unrestricted(UR)
WARNING: The running activation key was not updated with the requested key.
Proceed with update flash activation key? [confirm] <ENTER>
The flash permanent activation key was updated with the requested key,
and will become active after the next reload.
ASA5506-X(config-if)# end
ASA5506-X# reload
Proceed with reload? [confirm]
ASA5506-X#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down sw-module
Shutting down License Controller
Shutting down File system
***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting... (status 0x9)
<OUTPUT TRUNCATED>
Notice that the ASA 5506-X now has the Security Plus license: Maximum VLANs is now 30, Failover has been enabled for Active/Standby, and VPN peers were increased to 50 (for AnyConnect VPN). Support for AnyConnect requires a separate AnyConnect Plus or Apex license.
ASA5506-X# show version
Cisco Adaptive Security Appliance Software Version 9.8(2)
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(2)
Compiled on Thu 02-Apr-20 10:19 PDT by builders
System image file is "disk0:/asa982-lfbff-k8.SPA"
Config file at boot was "startup-config"
ASA5506-X up 13 mins 34 secs
Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Number of accelerators: 1
1: Ext: GigabitEthernet1/1 : address is bc5a.5681.d596, irq 255
2: Ext: GigabitEthernet1/2 : address is bc5a.5681.d597, irq 255
3: Ext: GigabitEthernet1/3 : address is bc5a.5681.d598, irq 255
4: Ext: GigabitEthernet1/4 : address is bc5a.5681.d599, irq 255
5: Ext: GigabitEthernet1/5 : address is bc5a.5681.d59a, irq 255
6: Ext: GigabitEthernet1/6 : address is bc5a.5681.d59b, irq 255
7: Ext: GigabitEthernet1/7 : address is bc5a.5681.d59c, irq 255
8: Ext: GigabitEthernet1/8 : address is bc5a.5681.d59d, irq 255
9: Int: Internal-Data1/1 : address is bc5a.5681.d595, irq 255
10: Int: Internal-Data1/2 : address is 0000.0001.0002, irq 0
11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
12: Int: Internal-Data1/3 : address is 0000.0001.0003, irq 0
13: Ext: Management1/1 : address is bc5a.5681.d595, irq 0
14: Int: Internal-Data1/4 : address is 0000.0100.0001, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 30 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 50 perpetual
Total VPN Peers : 50 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 160 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5506 Security Plus license.
Serial Number: JAD24111234
Running Permanent Activation Key: 0x3c2dfa64 0x2c9281c9 0x5491edd8 0x8b4c40a4 0xcb356789
Configuration register is 0x1
Image type : Release
Key Version : A
Configuration has not been modified since last system restart.
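To confirm the upgrade without reading both outputs line by line, the script below (an added example, not part of the original post) parses the "Licensed features" block of two show version captures and reports what changed. The sample text is a trimmed copy of the outputs above; the function names are hypothetical, and the parser assumes every feature line ends in "perpetual", as it does on this page.

```python
import re
# Trimmed excerpts of the two "show version" captures shown above.
BEFORE = """\
Licensed features for this platform:
Maximum VLANs : 5 perpetual
Failover : Disabled perpetual
Encryption-3DES-AES : Enabled perpetual
Other VPN Peers : 10 perpetual
This platform has a Base license.
"""
AFTER = """\
Licensed features for this platform:
Maximum VLANs : 30 perpetual
Failover : Active/Standby perpetual
Encryption-3DES-AES : Enabled perpetual
Other VPN Peers : 50 perpetual
This platform has an ASA 5506 Security Plus license.
"""

# Assumption: only perpetual licenses are present, as in the outputs above.
FEATURE = re.compile(r"^\s*(?P<name>.+?)\s+:\s+(?P<value>.+?)\s+perpetual\s*$")

def licensed_features(show_version: str) -> dict:
    """Return {feature: value} from the 'Licensed features' block only."""
    features, in_block = {}, False
    for line in show_version.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_block = True
        elif line.startswith("This platform has"):
            break  # end of the feature table
        elif in_block and (m := FEATURE.match(line)):
            features[m["name"]] = m["value"]
    return features

def license_diff(before: str, after: str) -> dict:
    """Map each feature whose value changed to (old, new)."""
    old, new = licensed_features(before), licensed_features(after)
    return {k: (old.get(k), new.get(k))
            for k in sorted(old.keys() | new.keys()) if old.get(k) != new.get(k)}

def failover_licensed(show_version: str) -> bool:
    """True unless the Failover feature is missing or 'Disabled'."""
    return licensed_features(show_version).get("Failover", "Disabled") != "Disabled"

if __name__ == "__main__":
    for name, (was, now) in license_diff(BEFORE, AFTER).items():
        print(f"{name}: {was} -> {now}")
    print("failover licensed:", failover_licensed(AFTER))
```

Running failover_licensed() against a capture from each unit before configuring standby addresses catches the missing license earlier than the interface-level warning does.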