How Permanent and Time-Based Licenses Combine When you activate a time-based license, then f eatures from both permanent and time-based licenses combine to form the running license. Unified Communications Proxy Sessions The time-based license sessions are added to the permanent sessions, up to the platform limit.
Security Contexts The time-based license contexts are added to the permanent contexts, up to the platform limit. All Others The higher value is used, either time-based or permanent. Stacking Time-Based Licenses In many cases, you might need to renew your time-based license and have a seamless transition from the old license to the new one.
For example: 1. Similarly: 1. Time-Based License Expiration When the current license for a feature expires, the ASA automatically activates an installed license of the same feature if available. Shared AnyConnect Premium Licens es A shared license lets you purchase a large number of AnyConnect Premium sessions and share the sessions as needed among a group of ASAs by configuring one of the ASAs as a shared licensing server, and the rest as shared licensing participants.
Communication Issues Between Participant and Server See the following guidelines for communication issues between the participant and server: If a participant fails to send a refresh after 3 times the refresh interval, then the server releases the sessions back into the shared license pool.
If the participant cannot reach the license server to send the refresh, then the participant can continue to use the shared license it received from the server for up to 24 hours. If the participant is still not able to communicate with a license server after 24 hours, then the participant releases the shared license, even if it still needs the sessions.
The participant leaves existing connections established, but cannot accept new connections beyond the license limit. If a participant reconnects with the server before 24 hours expires, but after the server expired the participant sessions, then the participant needs to send a new request for the sessions; the server responds with as many sessions as can be reassigned to that participant.
Information About the Shared Licensing Backup Server The shared licensing backup server must register successfully with the main shared licensing server before it can take on the backup role. Figure Failover and Shared License Servers The standby backup server shares the same operating limits as the primary backup server; if the standby unit becomes active, it continues counting down where the primary unit left off.
Failover and Shared License Participants For participant pairs, both units register with the shared licensing server using separate participant IDs. Maximum Numbe r of Participants The ASA does not limit the number of participants for the shared license; however, a very large shared network could potentially affect the performance on the licensing server.
Failover Licenses 8. The exceptions to this rule include: Security Plus license for the ASA , , and X—The Base license does not support failover, so you cannot enable failover on a standby unit that only has the Base license.
Encryption license—Both units must have the same encryption license. How Failover Licenses Combine For failover pairs, the licenses on each unit are combined into a single running failover cluster license. If you buy separate licenses for the primary and secondary unit, then the combined license uses the following rules: For licenses that have numerical tiers, such as the number of sessions, the values from both the primary and secondary licenses are combined up to the platform limit. If both licenses in use are time-based, then the licenses count down simultaneously.
For time-based licenses that are enabled or disabled and do not have numerical tiers , the duration is the combined duration of both licenses. The primary unit counts down its license first, and when it expires, the secondary unit starts counting down its license. Loss of Communication Between Failover Units If the failover units lose communication for more than 30 days, then each unit reverts to the license installed locally.
The time-based license behavior depends on when communication is restored: Within 30 days—The time elapsed is subtracted from the primary unit license. In this case, communication is restored after 4 weeks.
Therefore, 4 weeks are subtracted from the primary license leaving 90 weeks combined 38 weeks on the primary, and 52 weeks on the secondary.
After 30 days—The time elapsed is subtracted from both units. In this case, communication is restored after 6 weeks. Therefore, 6 weeks are subtracted from both the primary and secondary licenses, leaving 84 weeks combined 36 weeks on the primary, and 46 weeks on the secondary. Upgrading Failover Pairs Because failover pairs do not require the same license on both units, you can apply new licenses to each unit without any downtime.
Licenses FAQ Q. Guidelines and Lim itations See the following guidelines for activation keys. Context Mode Guidelines In multiple context mode, apply the activation key in the system execution space. Shared licenses are not supported in multiple context mode. Firewall Mode Guidelines All license types are available in both routed and transparent mode.
For the ASA and , both units require the Security Plus license; the Base license does not support failover, so you cannot enable failover on a standby unit that only has the Base license. Upgrade and Downgrade Guidelines Your activation key remains compatible if you upgrade to the latest version from any previous version. However, you might have issues if you want to maintain downgrade capability: Downgrading to Version 8.
However if you activate feature licenses that were introduced in 8. If you have an incompatible license key, then see the following guidelines: — If you previously entered an activation key in an earlier version, then the ASA uses that key without any of the new licenses you activated in Version 8.
Downgrading to Version 8. Additional Guidelines and Limitations The activatio n key is not stored in your configuration file; it is stored as a hidden file in flash memory.
The activation key is tied to the serial number of the device. Feature licenses cannot be transferred between devices except in the case of a hardware failure. If you have to replace your device due to a hardware failure and it is covered by Cisco TAC, contact the Cisco Licensing Team to have your existing license transferred to the new serial number. Once purchased, you cannot return a license for a refund or for an upgraded license.
Although you can activate all license types, some features are incompatible with each other; for example, multiple context mode and VPN.
By default, the AnyConnect Essentials license is used instead of the above licenses, but you can disable the AnyConnect Essentials license in the configuration to restore use of the other licenses using the no anyconnect-essentials command. You have to enter each key as a separate process.
The serial number of your ASA Your e-mail address An activation key is automatically generated and sent to the email address that you provide. Activating or Deactivating Keys This section describes how to enter a new activation key, and how to activate and deactivate time-based keys.
Prerequisites If you are already in multiple context mode, enter the activation key in the system execution space. Some permanent licenses require you to reload the ASA after you activate them. Table lists the licenses that require reloading. All models Changing the Encryption license. All models Downgrading any permanent license for example, going from 10 contexts to 2 contexts.
Limitations and Restrictions Your activation key remains compatible if you upgrade to the latest version from any previous version. Detailed Steps Command Purpose Step 1 activation-key key [ activate deactivate ] hostname activation-key 0xd11b3d48 0xa80a4c0a 0x48e0fd1c 0xb 0xfc Applies an activation key to the ASA. Step 2 Might be required. The flash activation key was updated with the requested key, and will become active after the next reload.
Configuring a Shared License This section describes how to configure the shared licensing server and participants. Prerequisites The server must have a shared licensing server key. Step 2 Optional license-server refresh-interval seconds hostname config license-server refresh-interval Sets the refresh interval between 10 and seconds; this value is provided to participants to set how often they should communicate with the server.
Step 3 Optional license-server port port hostname config license-server port Sets the port on which the server listens for SSL connections from participants, between 1 and Examples The following example sets the shared secret, changes the refresh interval and port, configures a backup server, and enables this unit as the shared licensing server on the inside interface and dmz interface: hostname config license-server secret farscape hostname config license-server refresh-interval hostname config license-server port hostname config license-server backup Configuring the Share d Licensing Backup Server Optional This section enables a shared license participant to act as the backup server if the main server goes down.
Prerequisites The backup server must have a shared licensing participant key. Detailed Steps Command Purpose Step 1 license-server address address secret secret [ port port ] hostname config license-server address Examples The following example identifies the license server and shared secret, and enables this unit as the backup shared license server on the inside interface and dmz interface: hostname config license-server address Configuring the Shared Licensing Participant This section configures a shared licensing participant to communicate with the shared licensing server.
Prerequisites The participant must have a shared licensing participant key. Step 2 Optional license-server backup address address hostname config license-server backup address Examples The following example sets the license server IP address and shared secret, as well as the backup license server IP address: hostname config license-server address Detailed Steps Command Purpose show activation-key [ detail ] hostname show activation-key detail This command shows the permanent license, active time-based licenses, and the running license, which is a combination of the permanent license and active time-based licenses.
The flash permanent activation key is the SAME as the running permanent key. Active Timebased Activation Key: 0xad 0xfe4 0xcb97b 0xce0bb 0x47c7c Botnet Traffic Filter : Enabled 39 days Inactive Timebased Activation Key: 0xyadayada3 0xyadayada3 0xyadayada3 0xyadayada3 0xyadayada3 AnyConnect Premium Peers : 25 7 days Example Primary Unit Output in a Failover Pair for show activation-key detail The following is sample output from the show activation-key detail command for the primary failover unit that shows: The primary unit license the combined permanent license and time-based licenses.
This is the license that is actually running on the ASA. The values in this license that reflect the combination of the primary and secondary licenses are in bold. The primary unit permanent license. The primary unit installed time-based licenses active and inactive. Active Timebased Activation Key: 0xad 0xfe4 0xcb97b 0xce0bb 0x47c7c Botnet Traffic Filter : Enabled 33 days Inactive Timebased Activation Key: 0xyadayad3 0xyadayad3 0xyadayad3 0xyadayad3 0xyadayad3 Security Contexts : 2 7 days AnyConnect Premium Peers : 7 days 0xyadayad4 0xyadayad4 0xyadayad4 0xyadayad4 0xyadayad4 Total UC Proxy Sessions : 14 days Example Secondary Unit Output in a Failover Pair for show activation-key detail The following is sample output from the show activation-key detail command for the secondary failover unit that shows: The secondary unit license the combined permanent license and time-based licenses.
The secondary unit permanent license. The secondary installed time-based licenses active and inactive.
This unit does not have any time-based licenses, so none display in this sample output. Monitoring the Shared Lic ense To monitor the shared license, enter one of the following commands. Command Purpose show shared license [ detail client [ hostname ] backup ] Shows shared license statistics.
Feature History for Licensing Table lists each feature change and the platform release in which it was implemented. Increased interfaces for the Base license on the ASA 7. Increased VLANs 7. Advanced Endpoint Assessment License 8. AnyConnect for Mobile License 8.
Time-based Licenses 8. Unified Communications Proxy Sessions license 8. This feature is not available in Version 8. Botnet Traffic Filter License 8. AnyConnect Essentials License 8. Mobility Proxy application no longer requires Unified Communications Proxy license 8. Non-identical failover licenses 8. Stackable time-based licenses 8. Intercompany Media Engine License 8.
Multiple time-based licenses active at the same time 8. No Payload Encryption image for export 8. Increased contexts for the ASA , , and X 8. Increased connections for the ASA and X 8. ASA —2,, to 4,, No Payload Encryption hardware for export 8. Was this Document Helpful? Yes No Feedback. Firewall Licenses. Optional license: VPN Licenses. General Licenses. Optional licenses:.
AnyConnect Premium sessions. All: Fast Ethernet. Enabled; fiber ifcs run at 10 GE. Might be required. Optional license-server refresh-interval seconds hostname config license-server refresh-interval These firewalls deliver multigigabit security services for large enterprise, data center, and service-provider networks in a robust, 4-rack-unit form factor.
The Cisco ASA accommodates high-density copper and optical interfaces with scalability from Fast Ethernet to 10Gigabit Ethernet, enabling unparalleled security and deployment flexibility. It is a virtual firewall. Each context allows for its own set of rules and default policies. Security Contexts are sold in quantities of 5, 10, 20, 50, and and cannot be stacked.
Previous Next. View Larger Image. Skip to content Skip to search Skip to footer. Available Languages. Download Options. Updated: October 21, March 2, End-of-Sale Date The last date to order the product through Cisco point-of-sale mechanisms. Essentials or Premium See the Product Migration Options section below for detailed information on replacing this product.
Contact Cisco. Get a call from Sales. Was this Document Helpful? Yes No Feedback. As of v8. SSL Essentials and Premium are replicated between licenses. The combined number must be below the platform limitation.
If the count exceeds the platform limit ex. Each license is valid for 60 days. Perhaps these are best explained as a scenario.
XYZ Corp. The key for users is added to the , starting the 60 day timer. After 60 days the key will expire. If XYZ Corp. This will pause the timer on the Flex licenses, allowing them to use the remainder of the time in the future. Be sure to read it before purchasing and using the license. Starting with software v8. Shared licenses are broken into two types: main and participant. The main license starts at SSL Premium sessions and scales to , sessions.
The main license acts as a license pool which participants pull from in 50 session increments. A secondary ASA can act as a backup in case the primary fails. There is no specific backup license, as the ASA only requires a participant license. The participant ASA is able to use the sessions that were last borrowed from the main for 24 hours.
Beyond 24 hours, the sessions are released. Currently connected clients are not disconnected but new connections are not allowed. The backup ASA would be the backup pair. The manual explains this concept pretty well:. Pair 1 includes the main licensing server. Pair 2 includes the backup server. When the primary unit from Pair 1 goes down, the standby unit immediately becomes the new main licensing server. The backup server from Pair 2 never gets used.
0コメント