Asa failover & SSL vpn license question

Similar Messages

• VPN License question on 5505 ASA Firewall

  Inherited a firewall project, it's getting a VPN running on a ASA 5505 Firewall for remote workers.  Firewall was configured by someone else who isn't available. 
  Basic question on the License: The current license is good for 2 SSL VPN Peers, and 20 "Total VPN Peers".  Can anyone elaborate on "Total VPN Peers"?  Can I configure Clientless SSL VPN connections, or do I need to go IPSec to get the 20 VPN sessions?
  Thank you in advance,
  Jeff

  Hi Linda,
  The default IKE SA lifetime is 86,400 seconds and the default IPSEC SA lifetime is 28,800 seconds. However, these values are configurable so you'll need to check your 5505 configuration to answer these questions. You can look at the output of 'show run crypto' to see the configured values.
  -Mike

• ASA 5505 SSL VPN LOG failed

  %ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3293 for TLSv1 session.
  %ASA-6-725003: SSL client outside:58.211.122.212/3293 request to resume previous session.
  %ASA-6-725002: Device completed SSL handshake with client outside:58.211.122.212/3293
  %ASA-6-113012: AAA user authentication Successful : local database : user = admin
  %ASA-6-113009: AAA retrieved default group policy (SSLCLientPolicy) for user = admin
  %ASA-6-113008: AAA transaction status ACCEPT : user = admin
  %ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.grouppolicy = SSLCLientPolicy
  %ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.username = admin
  %ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.tunnelgroup = SSLClientProfile
  %ASA-6-734001: DAP: User admin, Addr 58.211.122.212, Connection Clientless: The following DAP records were selected for this connection: DfltAccessPolicy
  %ASA-4-716023: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> Session could not be established: session limit of 2 reached.
  %ASA-4-716007: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> WebVPN Unable to create session.
  %ASA-6-302013: Built inbound TCP connection 137616 for outside:58.211.122.212/3294 (58.211.122.212/3294) to identity:61.155.55.66/443 (61.155.55.66/443)
  %ASA-6-302013: Built inbound TCP connection 137617 for outside:58.211.122.212/3295 (58.211.122.212/3295) to identity:61.155.55.66/443 (61.155.55.66/443)
  %ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3294 for TLSv1 session.
  %ASA-6-725003: SSL client outside:58.211.122.212/3294 request to resume previous session.
  %ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3295 for TLSv1 session.
  %ASA-6-725003: SSL client outside:58.211.122.212/3295 request to resume previous session.
  Red error what is the reason? Only appears in the window 2003 server.

  ciscoasa# show   activation-key 
  Serial Number:  JMX1314Z1UV
  Running Activation Key: 0x9625fa6a 0x68e90200 0x38c3adac 0xaa0448d0 0x4b3815b6
  Licensed features for this platform:
  Maximum Physical Interfaces    : 8        
  VLANs                          : 3, DMZ Restricted
  Inside Hosts                   : 10       
  Failover                       : Disabled
  VPN-DES                        : Enabled  
  VPN-3DES-AES                   : Enabled  
  SSL VPN Peers                  : 2        
  Total VPN Peers                : 10       
  Dual ISPs                      : Disabled 
  VLAN Trunk Ports               : 0        
  Shared License                 : Disabled
  AnyConnect for Mobile          : Disabled 
  AnyConnect for Cisco VPN Phone : Disabled 
  AnyConnect Essentials          : Disabled 
  Advanced Endpoint Assessment   : Disabled 
  UC Phone Proxy Sessions        : 2        
  Total UC Proxy Sessions        : 2        
  Botnet Traffic Filter          : Disabled 
  This platform has a Base license.
  The flash activation key is the SAME as the running key.
  ciscoasa#
  Sure ？it was licence question？

• IP Phone SSL VPN - Licenses required.

  Hi,
  Can someone confirm the linceses required for me to get this working. I understand that it needs the 'AnyConnect for Cisco VPN Phone' license but do I also need to have anyconnec essentials? This is for ASA version 8.2 and the a license info below is for the ASA i intend to delpoy this on.
  Thanks
  Licensed features for this platform:
  Maximum Physical Interfaces    : Unlimited
  Maximum VLANs                  : 250
  Inside Hosts                   : Unlimited
  Failover                       : Active/Active
  VPN-DES                        : Enabled
  VPN-3DES-AES                   : Enabled
  Security Contexts              : 2
  GTP/GPRS                       : Disabled
  SSL VPN Peers                  : 2
  Total VPN Peers                : 5000
  Shared License                 : Disabled
  AnyConnect for Mobile          : Disabled
  AnyConnect for Cisco VPN Phone : Disabled
  AnyConnect Essentials          : Disabled
  Advanced Endpoint Assessment   : Disabled
  UC Phone Proxy Sessions        : 2
  Total UC Proxy Sessions        : 2
  Botnet Traffic Filter          : Disabled
  This platform has an ASA 5550 VPN Premium license.

  Hi,
  You would need Anyconnect Premium license along with Cisco Ip phone feature enabled on ASA for Cisco IP phone to use anyconnect vpn feature.
  You can find more details from following link:
  http://www.cisco.com/en/US/products/ps12726/products_qanda_item09186a0080bf292f.shtml
  Regards,
  Varinder
  P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users

• Cisco ASA 5505 SSL VPN

  Hi Everyone,
  In my study home lab, I wanted to configure a cisco ASA 5505 ( Base license) to allow SSL VPN. I follow carefully the configuration procedure as instructed on a short videos I downloaded on youtube.
  I configured my outside e0/0 with a valid static IP address, unfortunately the vpn connection is timeout on a remote ( different) internet connection. But if  I connect to my own internet line using a WIFI the VPN ( AnyConnect SSL VPN client ) connection is established.
  I need help to solve this mystery. Please find attached the ASA config: #show run
  I hope my explaination does make sense, if not accept my apology I am just new in cisco technology.
  Best regards,
  BEN

  If you can connect with your own internet line, then most probably it's not an issue with the ASA configuration.
  I would check how you are routing the ASA to the internet, and if there is any ACL that might be blocking inbound access to the ASA on the device in front of the ASA.

• ASA Clientless SSL VPN can't access login pages on websites

  When I'm doing a clientless SSL VPN to my ASA and using the ASA to browse websites, I can pretty much go on to just about any website except specificly login websites. I can go on google and yahoo but when I click the "mail" button it just gives me an error message "Connection Failed - Server (site name) unavailable. When I go onto hotmail.com, it says server hotmail.com unavailable. When I browse by entering hotmail's IP address in, it says "Bad Request." Same happens on ebay, youtube, etc. Funny thing is, the ONLY login page I can get onto is Cisco's website's login page. I tried changing DNS servers, nothing changed. Here is my configuration:
  show run
  : Saved
  ASA Version 8.4(4)1
  hostname PatG
  domain-name resolver4.opendns.com
  enable password aDvdtQE/ih5t061i encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  boot system disk0:/asa844-1-k8.bin
  ftp mode passive
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group Comcast
  name-server 75.75.75.75
  domain-name cdns01.comcast.net
  dns server-group DefaultDNS
  name-server 208.67.220.222
  name-server 208.67.220.220
  domain-name resolver4.opendns.com
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-649-103.bin
  no asdm history enable
  arp timeout 14400
  object network obj_any
  nat (inside,outside) dynamic interface
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server Remote1 protocol radius
  aaa-server Remote1 (inside) host 192.168.1.8
  key *****
  radius-common-pw *****
  user-identity default-domain LOCAL
  aaa authentication ssh console Remote1
  aaa authentication http console Remote1 LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcpd domain redtube.com
  dhcpd auto_config outside
  dhcpd option 150 ip 192.168.1.15 192.168.1.5
  dhcpd address 192.168.1.5-192.168.1.36 inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  enable outside
  tunnel-group-list enable
  group-policy Eng internal
  group-policy Eng attributes
  vpn-tunnel-protocol ssl-clientless
  webvpn
    url-list value EngineerMarks
  group-policy RemoteHTTP internal
  group-policy RemoteHTTP attributes
  vpn-tunnel-protocol ssl-clientless
  webvpn
    url-list value Test
    customization value Extra
  username user1 password mbO2jYs13AXlIAGa encrypted privilege 0
  tunnel-group Browser type remote-access
  tunnel-group Browser general-attributes
  authentication-server-group Remote1
  default-group-policy RemoteHTTP
  tunnel-group TEST type remote-access
  tunnel-group TEST general-attributes
  authentication-server-group Remote1
  default-group-policy RemoteHTTP
  tunnel-group TEST webvpn-attributes
  group-alias testing enable
  group-url https://24.19.162.53/testing enable
  tunnel-group Engineering type remote-access
  tunnel-group Engineering general-attributes
  authentication-server-group Remote1 LOCAL
  default-group-policy Eng
  tunnel-group Engineering webvpn-attributes
  group-alias engineering enable
  group-url https://209.165.200.2/engineering enable
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect http
  policy-map map
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DD                                                                                                                                                             CEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  password encryption aes
  Cryptochecksum:843e718c8d4b23b5f421f82fc0a0c255
  : end
  Can anyone please help me? Thanks

  In your crypto ACLs for the site-to-site tunnels, add the ASA's public IP destined to the remote network, and mirror this ACL on the remote end VPN device.
  Example:
  ASA public IP: 2.2.2.2
  Remote network: 192.168.1.0/24
  access-list vpn_to_remote_network permit ip host 2.2.2.2 192.168.1.0 255.255.255.0
  Mirror the above acl on the remote end router.
  PS. If you found this post helpful, please rate it.

• CIsco ASA 5505 and VPN licenses

  Hi,
  Cisco ASA 5505 comes with 10 VPN licenses in a standard configuration.
  How those licenses are counted? Will I need a license per one IPSec SA?
  If I have two site connected with LAN-to-LAN VPN with 10 subnets at one site, how many licenses will be taken? 10 - one per IPSec SA or just 1 - one per point-to-point VPN?
  Thank you.
  Regards,
  Alex

  Alex,
  In an ASA 5505, it should say something like this...when you do sh ver.
  VPN Peers : 25
  It means that you can have so many peers connecting to the ASA. Its not per IPSec SA.
  Its a per tunnel license.
  Rate this, if it helps!
  Gilbert

• Yet Another ASA VPN Licensing Question :)

  I have a pretty good understanding of ASA VPN concepts, but not sure about this scenario.  Two questions regarding 5525 VPN SSL Anyconnect Premium Licensing.
  1.  Assuming we already own a ASA 5525-x with 750 Anyconnect Essentials and Mobile ( p/n ASA5525VPN-EM750K9 ) and want the ability for 200 Clientless (Anyconnect Premium) VPN connections, including mobile devices, what part number do I need?  
  2.  Assuming we do not yet own a ASA5525, but want the same 200 clientless VPN connections plus mobile device connectivity, what part number do I need?   I'm assuming this is correct  >>  ASA5525VPN-PM250K9
  Thanks!

  It's no problem - I sometimes look for an answer to a question myself and find my own 2 year old post explaining the answer. As long as I don't find my 2 week old answer, I'm OK with that. :)
  Anyhow, no there's not a SKU to upgrade Essentials to Premium. All the Premium upgrade SKUs are between Premium licensed user tiers (10-25, 25-50, 50-100 etc.).
  If you're a persuasive customer and make a strong case with your reseller they may be able to get a deal with Cisco outside the normal channels to get some relief as a customer satisfaction issue. That's very much a case by case thing though and not the normal fulfillment method.

• ASA 5505 VPN licensing question

  I have three locations, that i want to connect via site-to-site vpn's deployed on three ASA 5505. How is the term "Peers" in the licensing text, affecting my scenario? Is each ASA one peer in a site-to-site solution, or is each user transmitting data in the established tunnels also counted?

  Users transmitting across the site to site tunnel are not counted. Only the peers themselves.

• Cisco ASA 5520 SSL VPN Web Login Customization For RSA Login

  I have a Cisco 5520 that I have RSA radius with hardware token up and working witrhout issue. The RSA radius authentication works fine.
  My problem is that I want the login page of the WebVPN portal to display two fields for the user RSA passcode. An RSA passcode is the PIN and the current toke code together.
  I want one field to accept the PIN from the passcode and the other field to accept the TOKEN CODE from the RSA token.
  Currently the login page has in this order:
  USERNAME:
  PASSCODE:
  My end state would be:
  USERNAME:
  PIN:
  TOKENCODE:
  I know this has been done with the native Cisco IPSEC client but I cannot find a way to do this with the WebVPN login page. I have been thru the Customization page and can't seem to get this to work correctly.
  Thanks.

  Hello friend!
  Please allow me to resurect this old post. Did you have the solution?
  Regards!

• Asa in active/active vpn solution licensing question

  Hello All
  I have a customer with the following requirements:
  1) A Cisco VPN Solution that will be support SSL VPN and Cisco Client VPN - The  solution will be a failover configuration running in an active-active set up.  The solution offered will be fully supported (i.e. it will not go into End of  Life or and lower level of support etc) by Cisco for the next 5 Years.
  a. We  would expect the devices to be similar to the ASA 5520 Appliance with  SW,HA,$GE+1FE,£DES/AES (Including ASA 5500 Advanced Endpoint ASS)
  2) User  licenses for the above - Please quote for both the following
  a. 500 appropriate SSL VPN User Licenses
  b. 250  appropriate SSL VPN User Licenses
  I am quoting them for the 500 ssl vpn bundle
  ASA5520-SSL500-K9 and for the
  ASA5520-BUN-K9.
  Is it right that in active/active  software 8.3 and above that the 500 ssl vpn licenses will be shared between the 2 asa's or will I need to have 250 licenses on each asa.
  Also I have read that in active/active I cannot use shared licenses, is this relevant in a vpn solution?
  http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license_86.html#wp2003381
  Url above has this “The  backup server mechanism is separate from, but compatible with,  failover.
  Shared  licenses are supported only in single context mode, so Active/Active failover is  not supported.”
  Also “Failover  Guidelines
  •Shared licenses are not supported in Active/Active mode. See the "Failover  and Shared Licenses" section for more  information.
  I also need to purchase the
  ASA-ADV-END-SEC and
  ASA-AC-M-5520 (any connect mobile) as the vpn client is eos/eol.
  Do I need to buy this for both asa's or can they share them in active/active mode.
  Thanks in advance.
  Feisal

  Hi Vibhor and thanks for the quick reply. We will be using version 9.3. I was aware that the ASA does not support PBR but I thought with the new code you could do some policy nat that could help influence the outbound flow?
  So in this case we have 2x ISPs and 2x public address space, one from each ISP. How is the NAT and routing handled by the ASA in this design?
  Can I not identify the guest subnet (192.168.0.0/22) and NAT this to a public address from ISP1 and also identify the corp subnets (10.x.x.x)  and NAT them to ISP2?
  My understanding (which is probably wrong) is that the NAT will select the egress interface rather than the routing table, so guest will be sent via ISP1 since the SVI interface of the ASA that connects to this ISP1 has an IP address from the same public address space..?
  Is that incorrect?
  Many thanks
  Rays

• SSL VPN Client Error

  I setup a Cisco ASA 5510 SSL VPN with the folowing;
  IOS 7.2
  SSL VPN CLient sslclient-win-1.1.1.164.pkg
  Out of 400 users, there is one user having problem installing the SSL Client to his laptop. The user laptop information is;
  IBM Thinkpad T40
  Windows XP SP 2
  Internet Explorer 7
  All patches up-to-date
  All drivers up-to-date
  SSL VPN Client connection process;
  - User login with valid account and password
  - The SSL VPN Client package will automatically download and installed.
  - User will then be connected to SSL VPN
  The ERRORS;
  1. GUI (Cisco SSL VPN Client installation process)
  "The SSL VPN Client driver has Encountered an Error"
  2. Event Viewer
  The only error in this user event viewer that differs from other users who successfully connected are;
  a)
  Function: EnableVA
  Return code: 0
  File: e:\temp\build\workspace\SSLClient\Agent\VAMgr.cpp
  Line: 310
  Description: unknown
  b)
  Function: EnableVA
  Return code: 0xFE080007
  File: e:\temp\build\workspace\SSLClient\Agent\VpnMgr.cpp
  Line: 1145
  Description: VAMGR_ERROR_ENABLE_VA_FAILED
  Anyone know what thus the error means?
  BTW, anyone know the link to SSL VPN knowledgebase. i.e errors, root cause, solutions?
  Thanks

  The Cisco SVC provides end users running Microsoft Windows XP or Windows 2000 with the benefits of a Cisco IPSec VPN client without the administrative overhead required to install and configure an IPSec client. It supports applications and functions unavailable to a standard WebVPN connection.
  http://www.cisco.com/univercd/cc/td/doc/product/vpn/svc/svcrn110.htm

• ASA 5510 VPN Peer License Question

  I just got a new ASA 5510 Base Model and I have some questions I would love some help on.
  1) I was under the impression that the ASA 5510 could support 250 VPN Peers. When I do a show version on this new unit I am told VPN Peers are only 50. I would like to have more than 50 L2L VPN Tunnels and RA clients connected at one. Where did I mess up with this understanding?
  2) I am running ASA Software Version 7.0(6) this is how it was shipped to me. I hear that 7.2 is the latest? Can I get this upgrade from Cisco?

  Hi,
  There a couple of points here which are a bit tricky - the first is the software versioning of PIX/ASA software. If we have a look at how it work in IOS (It would be useful if there was an equivalent paper for PIX/ASA...)
  http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml
  The basic idea is that if you go from 7.0(1) to 7.0(2) you're getting more software fixes and less new features but if you go from 7.0(1) to 7.1(1) you're getting more major new features but less software fixes. On PIX/ASA there seems to be a fairly clear choice between stability and features. Don't forget that the 3 trains have releases independent of each other so it doesn't necessarily follow that the highest numbered release was the latest one, let alone the most stable one. Before 7.2(2) was released last November the latest release was 7.0(6) and we actually standardised on this because all releases above 7.0(6) were giving us issues (especially the 7.1 versions). We're trialling 7.2(2) at the moment and it seems to be as solid as 7.0(6) so that also looks like a good choice.
  With that in mind we need to look at the feature sets of the various releases, and currently 7.2(2) gives you 250 maximum concurrent IPsec sessions whether or not you have the Security Plus license. I think this change happened during one of the 7.1 releases. If you only have 7.0 then you get 50 as standard and can upgrade to 150 if you have a security plus license. (With 7.2(2) you still need the security plus license to get failover and vpn load balancing - but not to get the 250 sessions.)
  As to upgrading - it's possible 7.0(6) was actually the "latest" release when you purchased your box and unless you specified a particular version when you bought it this is what you normally get (you can ask for any version you like at no charge when you buy it initially). You really need smartnet for the ASA because the standard Cisco warranty is rubbish (90 days only and you wait 10 days for a replacement) so unless it's a test network you're pretty much forced to buy smartnet to be sure of a fast replacement (or any replacement at all after 90 days..) Also, the cost of a smartnet contract for a year if you only need NBD replacement is less than the cost of a one-off software upgrade AND you get to download any version you like for the year AND you can also log calls directly with the TAC.
  So, I'd recommend buying a smartnet contract and then go through the release notes to find a suitable release to download - sounds like 7.2(2) might be what you need - at the very least you should be upgrading to get more sessions rather than sticking to 7.0 and buying a security plus license. (Because both the one-off upgrade and the security plus license are probably more expensive than smartnet!)
  HTH - plz rate if useful
  Andrew.

• Cisco ASA 5505 - 2 questions - VPN Licensing; Routing

  Hi,
  I have a client that has a Cisco ASA 5505 security appliance.  Currently it is setup as a "proof of concept" for clientless browser-based SSL VPN.  The device came with 2 licenses for this service, and we need to increase that somewhere between 10-25 users.  25 users is the max on this device I believe.
  I have searched Cisco.com and tried Googling the ASA 5505 for licensing but I can't find the correct license that I need for this.
  The second question I have is routing capability.  We have a WAN connection to another branch of the computer from this location where the ASA 5505 is located.  A Cisco 2851 is used for this connection.  We are wanting to bring in a high speed Internet connection for the VPN access and Internet access.  What I need to know is can we put the WAN and Internet connections behind the ASA 5505 and have that route appropriately to the branch WAN for that traffic and all other traffic to the Internet?
  Thanks!
  --Kent

  Hi Kent,
  Thank you for your question.  This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product.  Please post your question in the Cisco NetPro forums located here: http://forums.cisco.com/eforum/servlet/NetProf?page=main (http://forums.cisco.com/eforum/servlet/NetProf?page=main) This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
  Regards,
  David Dunlap
  SBSC Engineer

• What license do I need for 25 SSL VPN Peers

  Hi all,
  I want to implement Active/Standby cluster with a pair of 5550 ASAs and I have a licensing question. Here is the "sh activation-key detail" output from both devices...
  ASA1:
  sh activation-key detail:
  Serial Number:  XXXXX
  No active temporary key.
  Running Activation Key: XXXXX XXXXX XXXXX XXXXX XXXXX
  Licensed features for this platform:
  Maximum Physical Interfaces    : Unlimited
  Maximum VLANs                  : 250      
  Inside Hosts                   : Unlimited
  Failover                       : Active/Active
  VPN-DES                        : Enabled  
  VPN-3DES-AES                   : Enabled  
  Security Contexts              : 2        
  GTP/GPRS                       : Disabled 
  SSL VPN Peers                  : 2        
  Total VPN Peers                : 5000     
  Shared License                 : Disabled
  AnyConnect for Mobile          : Disabled 
  AnyConnect for Cisco VPN Phone : Disabled 
  AnyConnect Essentials          : Disabled 
  Advanced Endpoint Assessment   : Disabled 
  UC Phone Proxy Sessions        : 2        
  Total UC Proxy Sessions        : 2        
  Botnet Traffic Filter          : Disabled 
  This platform has an ASA 5550 VPN Premium license.
  The flash activation key is the SAME as the running key.
  ASA2:
  sh activation-key detail:
  Serial Number:  XXXXX
  No active temporary key.
  Running Activation Key: XXXXX XXXXX XXXXX XXXXX XXXXX
  Licensed features for this platform:
  Maximum Physical Interfaces    : Unlimited
  Maximum VLANs                  : 250
  Inside Hosts                   : Unlimited
  Failover                       : Active/Active
  VPN-DES                        : Enabled
  VPN-3DES-AES                   : Enabled
  Security Contexts              : 2
  GTP/GPRS                       : Disabled
  SSL VPN Peers                  : 25
  Total VPN Peers                : 5000
  Shared License                 : Disabled
  AnyConnect for Mobile          : Disabled
  AnyConnect for Cisco VPN Phone : Disabled
  AnyConnect Essentials          : Disabled
  Advanced Endpoint Assessment   : Disabled
  UC Phone Proxy Sessions        : 2
  Total UC Proxy Sessions        : 2
  Botnet Traffic Filter          : Disabled
  This platform has an ASA 5550 VPN Premium license.
  The flash activation key is the SAME as the running key.
  So it looks obvious that I'll have to upgrade the first ASA to support 25 SSL VPN Peers in order to build HA cluster, right?
  Now I want to know do I need the "ASA5505-SSL25-K9" license or something else.
  Thanks much in advance for any help!

  Hi all,
  as I said I tried to upgrade the ASA1 to version 8.3, but unfortunately the limit of 2 SSL VPN Peers remained.
  It seems so that I’ll have to buy that license, although I don’t need that functionality. If someone has some more hints left, I’d be grateful to hear them.
  Here is the output from “sh activation-key detail” and below the output from “sh ver”:
  Licensed features for this platform:
  Maximum Physical Interfaces   : Unlimited     perpetual
  Maximum VLANs                 : 250           perpetual
  Inside Hosts                   : Unlimited     perpetual
  Failover                       : Active/Active perpetual
  VPN-DES                       : Enabled       perpetual
  VPN-3DES-AES                   : Enabled       perpetual
  Security Contexts             : 2            perpetual
  GTP/GPRS                       : Disabled       perpetual
  SSL VPN Peers                 : 2             perpetual
  Total VPN Peers               : 5000           perpetual
  Shared License                 : Disabled       perpetual
  AnyConnect for Mobile         : Disabled       perpetual
  AnyConnect for Cisco VPN Phone : Disabled       perpetual
  AnyConnect Essentials         : Disabled       perpetual
  Advanced Endpoint Assessment   : Disabled       perpetual
  UC Phone Proxy Sessions        : 2             perpetual
  Total UC Proxy Sessions       : 2             perpetual
  Botnet Traffic Filter         : Disabled       perpetual
  Intercompany Media Engine     : Disabled       perpetual
  This platform has an ASA 5550 VPN Premium license.
  Licensed permanent key features for this platform:
  Maximum Physical Interfaces   : Unlimited     perpetual
  Maximum VLANs                 : 250           perpetual
  Inside Hosts                   : Unlimited     perpetual
  Failover                       : Active/Active perpetual
  VPN-DES                       : Enabled       perpetual
  VPN-3DES-AES                  : Enabled       perpetual
  Security Contexts             : 2             perpetual
  GTP/GPRS                       : Disabled       perpetual
  SSL VPN Peers                 : 2             perpetual
  Total VPN Peers               : 5000           perpetual
  Shared License                 : Disabled       perpetual
  AnyConnect for Mobile         : Disabled       perpetual
  AnyConnect for Cisco VPN Phone : Disabled       perpetual
  AnyConnect Essentials         : Disabled       perpetual
  Advanced Endpoint Assessment   : Disabled       perpetual
  UC Phone Proxy Sessions       : 2             perpetual
  Total UC Proxy Sessions       : 2             perpetual
  Botnet Traffic Filter         : Disabled       perpetual
  Intercompany Media Engine     : Disabled       perpetual
  The flash permanent activation key is the SAME as the running permanent key.
  Cisco Adaptive Security Appliance Software Version 8.3(2)
  Device Manager Version 6.4(7)
  Compiled on Fri 30-Jul-10 17:49 by builders
  System image file is "disk0:/asa832-k8.bin"
  Config file at boot was "startup-config"
  xxxxx up 12 mins 33 secs
  Hardware:   ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
  Internal ATA Compact Flash, 256MB
  BIOS Flash M50FW016 @ 0xfff00000, 2048KB
  Thanks,
  Simo