ASA in active/active VPN solution licensing question

Hello All
I have a customer with the following requirements:
1) A Cisco VPN solution that will support SSL VPN and Cisco Client VPN. The solution will be a failover configuration running in an active-active setup. The solution offered will be fully supported (i.e. it will not go into End of Life or a lower level of support etc.) by Cisco for the next 5 years.
a. We would expect the devices to be similar to the ASA 5520 Appliance with SW, HA, 4GE+1FE, 3DES/AES (including ASA 5500 Advanced Endpoint ASS)
2) User licenses for the above. Please quote for both of the following:
a. 500 appropriate SSL VPN user licenses
b. 250 appropriate SSL VPN user licenses
I am quoting them for the 500 SSL VPN bundle ASA5520-SSL500-K9 and for the ASA5520-BUN-K9.
Is it right that in active/active with software 8.3 and above the 500 SSL VPN licenses will be shared between the 2 ASAs, or will I need to have 250 licenses on each ASA?
Also, I have read that in active/active I cannot use shared licenses; is this relevant in a VPN solution?
http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license_86.html#wp2003381
The URL above says this: "The backup server mechanism is separate from, but compatible with, failover. Shared licenses are supported only in single context mode, so Active/Active failover is not supported."
Also, under "Failover Guidelines":
• Shared licenses are not supported in Active/Active mode. See the "Failover and Shared Licenses" section for more information.
I also need to purchase the ASA-ADV-END-SEC and ASA-AC-M-5520 (AnyConnect Mobile), as the VPN client is EoS/EoL.
Do I need to buy these for both ASAs, or can they share them in active/active mode?
Thanks in advance.
Feisal

Hi Vibhor, and thanks for the quick reply. We will be using version 9.3. I was aware that the ASA does not support PBR, but I thought with the new code you could do some policy NAT that could help influence the outbound flow?
So in this case we have 2x ISPs and 2x public address spaces, one from each ISP. How are the NAT and routing handled by the ASA in this design?
Can I not identify the guest subnet (192.168.0.0/22) and NAT this to a public address from ISP1, and also identify the corp subnets (10.x.x.x) and NAT them to ISP2?
My understanding (which is probably wrong) is that the NAT will select the egress interface rather than the routing table, so guest traffic will be sent via ISP1 since the SVI interface of the ASA that connects to ISP1 has an IP address from the same public address space?
Is that incorrect?
Many thanks
Rays

Similar Messages

  • AddOn Solution License question

    Hi experts, I have a question about the solution license for an AddOn in B1 8.8 PL12.
    For licensing my AddOn I have done the following steps:
    1) I requested and obtained a solution identifier from SAP.
    2) I generated the AddOn identifier (with the solution identifier obtained in step 1) and I put it in the AddOn connection code.
    3) Then I logged in to the SAP Business One customer portal as a customer (e.g. as an S user) and I started to modify license data.
    4) I searched for my AddOn name in the partner solutions section, found it and added 1 licence to my system.
    5) I downloaded and installed the license file on the production server.
    6) I installed the AddOn and all works fine.
    I would expect that a normal customer cannot download a valid and unlimited license without some partner activities (e.g. without paying for it), so my question is:
    Is this the SAP licensing expected behavior, or have I made a mistake?
    Thanks
    Regards
    Marco

    Hi Owen, thank you for replying.
    So I realized that the B1 AddOn license mechanism is totally useless for a partner, while it is used by SAP to ensure that the partner or the customer will buy an SDK Development license.
    While I can understand SAP's reasons to enforce the partner buying an SDK Development license, I really cannot understand why SAP could not help its partners by implementing a license procedure useful also for partners.
    Actually a partner who has developed an AddOn should implement a custom license check, and this is an extra cost that, in my opinion, could be avoided.
    If some SAP member could explain, I really would be very interested in the answer.
    Regards
    Marco

  • ASA 5510 VPN Peer License Question

    I just got a new ASA 5510 Base Model and I have some questions I would love some help on.
    1) I was under the impression that the ASA 5510 could support 250 VPN peers. When I do a show version on this new unit I am told VPN Peers are only 50. I would like to have more than 50 L2L VPN tunnels and RA clients connected at once. Where did I mess up with this understanding?
    2) I am running ASA Software Version 7.0(6) this is how it was shipped to me. I hear that 7.2 is the latest? Can I get this upgrade from Cisco?

    Hi,
    There are a couple of points here which are a bit tricky. The first is the software versioning of PIX/ASA software. If we have a look at how it works in IOS (it would be useful if there was an equivalent paper for PIX/ASA...)
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml
    The basic idea is that if you go from 7.0(1) to 7.0(2) you're getting more software fixes and less new features but if you go from 7.0(1) to 7.1(1) you're getting more major new features but less software fixes. On PIX/ASA there seems to be a fairly clear choice between stability and features. Don't forget that the 3 trains have releases independent of each other so it doesn't necessarily follow that the highest numbered release was the latest one, let alone the most stable one. Before 7.2(2) was released last November the latest release was 7.0(6) and we actually standardised on this because all releases above 7.0(6) were giving us issues (especially the 7.1 versions). We're trialling 7.2(2) at the moment and it seems to be as solid as 7.0(6) so that also looks like a good choice.
    With that in mind we need to look at the feature sets of the various releases, and currently 7.2(2) gives you 250 maximum concurrent IPsec sessions whether or not you have the Security Plus license. I think this change happened during one of the 7.1 releases. If you only have 7.0 then you get 50 as standard and can upgrade to 150 if you have a security plus license. (With 7.2(2) you still need the security plus license to get failover and vpn load balancing - but not to get the 250 sessions.)
    As to upgrading - it's possible 7.0(6) was actually the "latest" release when you purchased your box and unless you specified a particular version when you bought it this is what you normally get (you can ask for any version you like at no charge when you buy it initially). You really need smartnet for the ASA because the standard Cisco warranty is rubbish (90 days only and you wait 10 days for a replacement) so unless it's a test network you're pretty much forced to buy smartnet to be sure of a fast replacement (or any replacement at all after 90 days..) Also, the cost of a smartnet contract for a year if you only need NBD replacement is less than the cost of a one-off software upgrade AND you get to download any version you like for the year AND you can also log calls directly with the TAC.
    So, I'd recommend buying a smartnet contract and then go through the release notes to find a suitable release to download - sounds like 7.2(2) might be what you need - at the very least you should be upgrading to get more sessions rather than sticking to 7.0 and buying a security plus license. (Because both the one-off upgrade and the security plus license are probably more expensive than smartnet!)
    HTH - plz rate if useful
    Andrew.

  • Asa active/active questions

    If I have ASAs configured as active/active:
    1. Is this situation treated as one? I mean, can I manage this only with IDM?
    2. The 5520 can have 130,000 connections. If I am using 2 of these configured active/active, can I say that I am having 130,000 x 2 = 260,000 connections?
    thanks.

    1. In ASA, Active/Active can only be achieved when both ASAs are in Multiple Context Mode (Security Context). Multiple Context logically divides the ASA into multiple virtual firewalls. You can refer to the following configuration example.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008063b316.html#wp1035787
    In your case, you need to create 2 contexts in each ASA, say Context-A and Context-B. ASA-1 should be active for Context-A and standby for Context-B, while ASA-2 should be standby for Context-A and active for Context-B. You should have a separate set of configuration for each context.
    To manage the configuration, you can use ASDM.
    2. I am sorry, I don't know that

  • ASA 8.4 transparent mode active/active questions

    Hi, currently I'm trying to create a network design which uses two 5585-X in transparent mode with active/active load balancing (with states), but I have some questions:
    1. Do I need to configure asr-groups in transparent mode? What will happen if my packet (or now more accurately frame) returns to the standby context of one device, while the initial packet passed through the active context on the other device (contexts are in the same group but on different physical devices)?
    2. In 8.4 we received a new feature called BVI interfaces. How does this feature integrate with failover functionality? Can we now use multiple BVI bridge groups for multiple VLANs (instead of bridging a single pair of VLANs in a single context)?
    3. When implementing active/active load balancing with BVIs, do we still need to use multiple context mode?
    Thanks for your replies

    Hello,
    1. Do I need to configure asr-groups in transparent mode? What will happen if my packet (or now more accurately frame) returns to the standby context of one device, while the initial packet passed through the active context on the other device (contexts are in the same group but on different physical devices)?
    You only need to configure ASR groups if your routing environment would match the scenario you outlined (a return packet arrives at the unit running the Standby context).
    2. In 8.4 we received a new feature called BVI interfaces. How does this feature integrate with failover functionality? Can we now use multiple BVI bridge groups for multiple VLANs (instead of bridging a single pair of VLANs in a single context)?
    You can configure up to 8 bridge groups per context to achieve this.
    3. When implementing active/active load balancing with BVIs, do we still need to use multiple context mode?
    Active/Active failover is only possible in multiple context mode.
    Hope that helps.
    -Mike

  • ASA Active/Active Configuration

    Dear All,
    In configuring Active/Active mode on the ASA, most examples use 2 customers for Active/Active. What if I only have 1 customer with the following 4 interfaces:
    1) Outside
    2) Inside
    3) DMZ
    4) VPN
    Can I still use Active/Active mode?
    If so, how do I allocate the interfaces to the 2 failover groups? Let's assume:
    Failover group 1: Outside and DMZ
    Failover group 2: VPN and Inside
    That means ASA_A is primary for Group 1, while ASA_B is primary for Group 2. If so, does the traffic between Outside and Inside have a problem, since it is crossing the 2 failover groups on the 2 ASAs?
    Please correct me and my assumption. A sample configuration would be much appreciated.
    Thanks in advance.
    Br,
    Sam

    Thank you for the reply Jennifer.
    I was referring to the following document:
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1091405
    Failure Event                         | Policy      | Active Action                     | Standby Action                    | Notes
    --------------------------------------|-------------|-----------------------------------|-----------------------------------|------
    Failover link failed during operation | No failover | Mark failover interface as failed | Mark failover interface as failed | You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.
    Stateful Failover link failed         | No failover | No action                         | No action                         | State information becomes out of date, and sessions are terminated if a failover occurs.
    I think I should rephrase question 2): If I have two separate links for Failover and Stateful Failover, will that fix my problem?
    How can I configure separate Failover and Stateful Failover links? If I understand correctly, they are more than just redundant links.
    Sorry I didn't accurately phrase my original post.
    Thank you

  • Cisco ASA Active/ Active

    Hi,
    Can we have the ASA in Active/Active in single context mode?
    If Active/Active is possible in single context mode, then as a best practice, is Active/Active preferred or Active/Standby?
    Thanks

    Hi,
    An ASA Active/Active setup can be done only with multiple context mode; you cannot use it in single mode.
    In single mode you can only have Active/Standby failover.
    Also, please move the question to the Firewall section for more discussions.
    Thanks.

  • Active/Active ASA in GNS3?????

    Hi,
    How can I run an ACTIVE/ACTIVE firewall in GNS3?
    I tried Google and FB groups but didn't get an answer that works.
    So, I finally did the multimode option in the ASA, but then I couldn't configure IP addresses on the interfaces!
    Thanks in advance.
    Bye,

    Hello Anand,
    It should work, I have done it
    Make sure you have the licenses to run it,
    Regards
    Remember to rate all of the helpful posts.
    For this community that's as important as a thanks.

  • Does VPN work in Firewall Active/Active failover mode?

    I want to clarify these two things:
    1. Does VPN work in failover mode in Active/Active mode?
    2. What about in failover mode Active/Passive?
    Regards!

    Hi,
    Using an Active/Active Failover means that the Firewalls will be in Multiple Context mode. In other words virtual firewalls.
    This means that you can ONLY use IPsec L2L VPN connections on the virtual firewalls, and only if you are running 9.x software on the firewalls. Any form of Client and Clientless VPN isn't supported in Multiple Context Mode at the moment.
    Now with Active/Standby we have to make a distinction (if that was the word).
    IF you run a normal Active/Standby Failover pair of ASAs that IS NOT in Multiple Context mode YOU CAN use any type of VPN the ASAs support.
    IF you run a pair of ASAs in Multiple Context Mode and in Active/Standby Mode you will naturally run into the limitation of VPN support in Multiple Context Mode and WILL NOT be able to use any VPNs other than IPsec L2L VPN connections, provided you are running 9.x software that supports it.
    Hope this helps
    - Jouni

  • ASA Expert Wanted | Active Active Failover Requirment

    Hello Everyone,
    We have two new ASA5515-X and I'm currently in the planning phase of their deployment. I'm not sure if the ASA can support these requirements.
    Here's what we need to have in place:
    A. During normal operation, wherein both ASAs and ISPs are operational.
    1. By default all traffic will be routed out through ASA1's interface g1 (outside) and some defined traffic will be routed out through ASA2's interface g2 (backup)
    2. All incoming ISP1 traffic will be handled by ASA1's interface g1
    3. All incoming ISP2 traffic will be handled by ASA2's interface g2
    B. ASA1 failure, ASA2 and both ISPs are operational
    1. By default all traffic will be routed out through ASA2's interface g1 (outside) and some defined traffic will be routed out through ASA2's interface g2 (backup)
    2. All incoming ISP1 traffic will be handled by ASA2's interface g1
    3. All incoming ISP2 traffic will be handled by ASA2's interface g2
    C. ASA2 failure, ASA1 and both ISPs are operational
    1. By default all traffic will be routed out through ASA1's interface g1 (outside) and some defined traffic will be routed out through ASA1's interface g2 (backup)
    2. All incoming ISP1 traffic will be handled by ASA1's interface g1
    3. All incoming ISP2 traffic will be handled by ASA1's interface g2
    D. ISP1 failure, both ASAs and ISP2 are operational
    1. All traffic will be handled by ASA2's interface g2 (backup)
    E. ISP2 failure, both ASAs and ISP1 are operational
    1. All traffic will be handled by ASA1's interface g1 (outside)
    F. Item D + ASA2 failure
    1. All traffic will be handled by ASA1's interface g2 (backup)
    G. Item E + ASA1 failure
    1. All traffic will be handled by ASA2's interface g1 (outside)
    Note:
    Interface G1 is nameif'ed "outside" and is connected to ISP1
    Interface G2 is nameif'ed "backup" and is connected to ISP2
    Also, as a follow-up, per my initial findings I need to enable multiple context to achieve what is required. But we also need VPN redundancy and failover, and I read somewhere that VPN is not supported in multiple context mode. This is in software version 8.x I think. Does software version 9.x already support VPN in multi-context mode? If not, what approach would you suggest to address these requirements?
    Here's a diagram of what I'm thinking.
    Your input is highly appreciated.
    Thanks everyone !

    One challenge in your scenario is to distribute the traffic to the right context. The internal network sees two gateways to the outside world and has to use the right gateway. In Active/Active that is not as easy as with Active/Standby.
    ASA 9 supports VPN in A/A, but only site-to-site, no remote access.
    Most of your requirements are possible with A/S which is much easier to implement. Only the part "some traffic to backup" is problematic if that is not based on the destination-address as the ASA doesn't have policy based routing.
    Sent from Cisco Technical Support iPad App

  • ASA Failover pair Active/Standby

    Hi,
    Two days ago I had a problem with the secondary unit in the ASA HA pair. The problem was that the CX module failed in the secondary unit (service module failed), showing the standby unit as failed in the "show fail" output.
    I just reloaded the CX module in the secondary unit and then it was working fine.
    Now the same problem is occurring in the Active unit. Kindly find the show fail output below. We are running ASA 5.1(5) on the ASA and the 9.3.2.1 system image on the CX module.
    SOC-FW# sh fail
    Failover On
    Failover unit Secondary
    Failover LAN Interface: fail-1 GigabitEthernet0/4 (up)
    Unit Poll frequency 1 seconds, holdtime 6 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 4 of 114 maximum
    Version: Ours 9.1(5), Mate 9.1(5)
    Last Failover at: 03:54:49 IST Mar 28 2015
            This host: Secondary - Active
                    Active time: 206373 (sec)
                    slot 0: ASA5515 hw/sw rev (1.0/9.1(5)) status (Up Sys)
                      Interface OUTSIDE (112.133.222.218): Normal (Monitored)
                      Interface INSIDE (10.0.60.1): Normal (Monitored)
                      Interface DMZ_1 (10.0.40.1): Normal (Monitored)
                      Interface DMZ_2 (10.0.50.1): Normal (Monitored)
                      Interface management (172.16.10.49): Normal (Not-Monitored)
                    slot 1: CXSC5515 hw/sw rev (N/A/9.3.2.1) status (Up/Up)
                      ASA CX, 9.3.2.1, Up
            Other host: Primary - Failed
                    Active time: 326213 (sec)
                    slot 0: ASA5515 hw/sw rev (1.0/9.1(5)) status (Up Sys)
                      Interface OUTSIDE (112.133.222.219): Normal (Monitored)
                      Interface INSIDE (10.0.60.2): Normal (Monitored)
                      Interface DMZ_1 (10.0.40.2): Normal (Monitored)
                      Interface DMZ_2 (10.0.50.2): Normal (Monitored)
                      Interface management (172.16.10.50): Normal (Not-Monitored)
                    slot 1: CXSC5515 hw/sw rev (N/A/9.3.2.1) status (Up/Down)
                      ASA CX, 9.3.2.1, Up
    Kindly help if anybody has the solution.
    Thanks in advance.
    Thanks and regards,
    Ashok Kumar S.

    Hi,
    Thank you for opening a separate thread. This seems to be an issue with the data plane going down on the CX module and causing the failover event.
    Were there any configuration changes / updates etc. done on the CX which caused this?
    I think this might require some diagnostic log analysis on the CX, and so I would request you to open a Cisco TAC case.
    If you want you can send the diagnostics from the CX to my email address and I can check the issue if possible. ([email protected])
    Thanks and Regards,
    Vibhor Amrodia
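    The "show failover" output in the question above is exactly what a monitoring check should be reading: the mate is reported as "Primary - Failed" and its CX service module as "status (Up/Down)", i.e. the card is up but its data plane is down, which is what triggered the failover. The following Python script is an added example (not code from the post or from Cisco); it parses that output into a per-unit structure and flags the conditions that mean the pair has lost redundancy. The sample output is the listing from the post, trimmed; the regular expressions assume the field layout shown there.

```python
import re
from dataclasses import dataclass, field

# Sample output copied (trimmed) from the "show failover" listing in the post above.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Secondary
Failover LAN Interface: fail-1 GigabitEthernet0/4 (up)
Version: Ours 9.1(5), Mate 9.1(5)
Last Failover at: 03:54:49 IST Mar 28 2015
        This host: Secondary - Active
                Active time: 206373 (sec)
                slot 0: ASA5515 hw/sw rev (1.0/9.1(5)) status (Up Sys)
                  Interface OUTSIDE (112.133.222.218): Normal (Monitored)
                  Interface INSIDE (10.0.60.1): Normal (Monitored)
                  Interface management (172.16.10.49): Normal (Not-Monitored)
                slot 1: CXSC5515 hw/sw rev (N/A/9.3.2.1) status (Up/Up)
                  ASA CX, 9.3.2.1, Up
        Other host: Primary - Failed
                Active time: 326213 (sec)
                slot 0: ASA5515 hw/sw rev (1.0/9.1(5)) status (Up Sys)
                  Interface OUTSIDE (112.133.222.219): Normal (Monitored)
                  Interface INSIDE (10.0.60.2): Normal (Monitored)
                  Interface management (172.16.10.50): Normal (Not-Monitored)
                slot 1: CXSC5515 hw/sw rev (N/A/9.3.2.1) status (Up/Down)
                  ASA CX, 9.3.2.1, Up
"""

# Line patterns assumed from the layout in the post: one "This host"/"Other host"
# header per unit, followed by its slot (module) and interface lines.
HOST_RE = re.compile(r"^\s*(This host|Other host):\s*(\w+)\s*-\s*(.+?)\s*$")
SLOT_RE = re.compile(r"^\s*slot (\d+):\s*(\S+)\s+hw/sw rev .* status \((.+?)\)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s*(\S+)\s*\((.+?)\)")


@dataclass
class HostState:
    role: str                                        # "This host" or "Other host"
    unit: str                                        # "Primary" or "Secondary"
    state: str                                       # e.g. "Active", "Standby Ready", "Failed"
    modules: dict = field(default_factory=dict)      # slot -> (model, status)
    interfaces: dict = field(default_factory=dict)   # name -> (ip, state, monitoring)


def parse_show_failover(text):
    """Return one HostState per unit listed in the output, in listing order."""
    hosts = []
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = HostState(role=m.group(1), unit=m.group(2), state=m.group(3))
            hosts.append(current)
            continue
        if current is None:
            continue  # global header lines before the per-unit sections
        m = SLOT_RE.match(line)
        if m:
            current.modules[int(m.group(1))] = (m.group(2), m.group(3))
            continue
        m = IFACE_RE.match(line)
        if m:
            current.interfaces[m.group(1)] = (m.group(2), m.group(3), m.group(4))
    return hosts


def failover_findings(hosts):
    """List the conditions that mean the pair has lost, or is about to lose, redundancy."""
    findings = []
    for h in hosts:
        if h.state == "Failed":
            findings.append(f"{h.role} ({h.unit}) is in state Failed")
        for slot, (model, status) in sorted(h.modules.items()):
            # "Up/Down" means the service module is powered up but its data plane
            # is down; the ASA treats that like a failed monitored interface.
            if "Down" in status:
                findings.append(f"{h.role} ({h.unit}) slot {slot} {model} status {status}")
        for name, (ip, state, monitoring) in h.interfaces.items():
            if monitoring == "Monitored" and state != "Normal":
                findings.append(f"{h.role} ({h.unit}) interface {name} ({ip}) is {state}")
    return findings


if __name__ == "__main__":
    for finding in failover_findings(parse_show_failover(SAMPLE_SHOW_FAILOVER)):
        print(finding)
```

    Run against the sample, the script reports the failed mate and the Up/Down CX module and nothing else; feeding it the output of a healthy pair returns an empty list, which makes it straightforward to wire into a cron job or a monitoring check that alerts on any non-empty result rather than waiting for the second unit to fail as well.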

  • User synchronization issue between Active Directory and Solution manager.

    Requirement:
    Synchronize the users between Active directory and solution manager system.
    What we did:
    1. Created RFC connection (LDAP_RFC) for LDAP connector.
    2. Created new LDAP connector that utilizes the RFC (LDAP_RFC).
    3. Created new logical LDAP Server (CUA). Here we have to maintain the connection details to the physical directory.
    4. We maintained the communication user that is used by the LDAP connector to bind to the LDAP Directory Server.
    5. In transaction LDAPMAP we mapped specific SAP data fields to the desired directory attributes.
    6. Testing from the LDAP transaction is working fine. We are able to see the attributes and values from Active Directory.
    Issue:
    When I executed the program RSLDAPSYNC_USER for user synchronization from t-code SE38 with the selection below:
    LDAP Server = CUA (created earlier)
    LDAP Connector = LDAP_RFC (RFC connection created earlier)
    In the tab: (Object that exist both in the directory and in the Database:)
    Selected: Compare Time Stamp.
    In the tab: (Objects the only exist in the Directory.)
    Selected : Create in Database.
    In the tab(Objects that only Exist in the Database:
    Selected: Ignore Object.
    Result from the report shows that connection to LDAP server is fine and ‘0’(zero) objects in Directory.
    The program does not create any new user in the Solution Manager system.
    Any help on this issue greatly appreciated.
    Thanks & Regards,
    Harish

    Where did you see this error? Are there any more details?
    I think the account you are using for sync does not have the Replicate Directory Changes permission in AD. Follow the article below and give the Replicate Directory Changes permission.
    http://technet.microsoft.com/en-us/library/hh296982(v=office.15).aspx
    Thanks, Noddy

  • Cisco asa security context active/active failover

    Hi,                  
    I have two Cisco ASA 5515-X appliances running OS version 8.6. I want to configure these two appliances in multiple context mode.
    Each ASA appliance will have two security contexts named "ctx1" & "ctx2".
    I have to configure failover on these two ASA appliances such that "ctx1" will be active on one ASA box and "ctx2" will be active and process the traffic on the second box. To achieve this I will configure two failover groups, 1 & 2, and assign "ctx1" interfaces to failover group 1 and "ctx2" interfaces to group 2.
    I am reading a book on failover configuration in active/active in which the note below is mentioned:
    If an interface is used as the shared interface between multiple contexts, then all of those contexts need to be in the same failover redundancy group.
    What does this mean? Can someone please explain, because I also want to use a shared interface which will be used by "ctx1" & "ctx2". In this case, can the shared interface be used in failover groups 1 & 2?
    Regards,
    Nick

    You will have to contact [email protected] or open a TAC case in order to have a new activation key generated. They can do that once they confirm your eligibility.
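    The note Nick quotes is a hard constraint, not a recommendation: a shared interface can only be active on one physical unit at a time, and a failover group fails over as a whole, so two contexts that share an interface but sit in different failover groups would have the interface active on both units at once. The following Python checker is an added example (not from the post, the book it cites, or Cisco); it takes a context-to-interface allocation, reports every interface whose contexts are split across failover groups, and renders the system-context stanzas for an allocation that passes. The context and interface names are constructed for the example, and the ASA CLI syntax (failover group, allocate-interface, config-url, join-failover-group) is shown for illustration only.

```python
from collections import defaultdict

# Constructed topology modelled on the question above (names are assumptions):
# two contexts, each in its own failover group so the pair runs Active/Active,
# plus one physical interface that both contexts are supposed to share.
CONTEXTS = {
    "ctx1": {"group": 1,
             "interfaces": ["GigabitEthernet0/0.10", "GigabitEthernet0/1.10", "GigabitEthernet0/2"]},
    "ctx2": {"group": 2,
             "interfaces": ["GigabitEthernet0/0.20", "GigabitEthernet0/1.20", "GigabitEthernet0/2"]},
}


def shared_interface_violations(contexts):
    """Return [(interface, {context: failover_group, ...}), ...] for every
    interface allocated to contexts that sit in different failover groups.

    Contexts sharing an interface must be in one failover group: the interface
    can be active on only one physical unit, and a group fails over as a whole.
    """
    users = defaultdict(dict)
    for name, spec in contexts.items():
        for iface in spec["interfaces"]:
            users[iface][name] = spec["group"]
    return [(iface, dict(u)) for iface, u in sorted(users.items())
            if len(set(u.values())) > 1]


def render_failover_config(contexts):
    """Render the system-context failover-group and context stanzas in ASA CLI
    syntax for an allocation that has already passed the check above."""
    lines = ["failover group 1", " primary", "failover group 2", " secondary"]
    for name, spec in contexts.items():
        lines.append(f"context {name}")
        for iface in spec["interfaces"]:
            lines.append(f" allocate-interface {iface}")
        lines.append(f" config-url disk0:/{name}.cfg")   # assumed storage location
        lines.append(f" join-failover-group {spec['group']}")
    return "\n".join(lines)


def plan(contexts):
    """Refuse to render a configuration whose shared interfaces span failover groups."""
    bad = shared_interface_violations(contexts)
    if bad:
        detail = "; ".join(f"{iface} used by {users}" for iface, users in bad)
        raise ValueError("shared interface spans failover groups: " + detail)
    return render_failover_config(contexts)


if __name__ == "__main__":
    for iface, users in shared_interface_violations(CONTEXTS):
        print(f"{iface}: allocated to {users}, which are in different failover groups")
```

    For the constructed topology the checker flags GigabitEthernet0/2, which is what the book's note is warning about. The two ways out are the ones the constraint implies: put both contexts in the same failover group (which makes that group active on one unit only, i.e. the pair is effectively Active/Standby), or give each context its own subinterface instead of a truly shared one so each context can stay in its own group.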

  • To apply license in FWSM (Active-Active mode) and disable failover

    Dear Team
    I want to apply a license to increase the number of security contexts in an FWSM which is running in Active-Active mode on VSS core switches.
    As per the document below, first we need to disable failover by entering the 'no failover' command on the active FWSM and then apply the license separately on both FWSMs.
    I just want to know, when I disable the failover, does the standby move to the pseudo-standby state?
    Will there be any impact on the services running behind the FWSM when disabling the failover and then re-enabling the failover?
    http://www.cisco.com/c/en/us/td/docs/security/fwsm/fwsm40/configuration/guide/fwsm_cfg/swcnfg_f.html#wp1073226
    Appreciate your response.

    Hi,
    I think in your case as it is Active/Active , there is one extra step required.
    You need to make all the contexts active on one unit and on the other one all should be standby.
    Then disable the failover and update the license and re-enable the failover.
    Thanks and Regards,
    Vibhor Amrodia

  • How to do nat at active/active asa

    Hi, I want to learn how to do NAT (PAT) on an active/active ASA. Must I write the NAT command in each context, or is there another way which I do not know?
    thanks

    Hi Teymur,
    Configuring NAT on an Active/Active pair is the same as any other multi-context ASA. The NAT commands are configured per-context, so you'll just want to login to the appropriate context to configure the commands.
    In an Active/Active pair, some contexts are Active on one physical unit, while other contexts are Active on the other physical unit, but that's the only difference. You'll want to make sure you always make changes on the Active version of the context.
    Hope that helps.
    -Mike
