Cloud PHD

For The Love of Cisco ASA Licensing

For The Love of Cisco ASA Licensing

Originally, I just wanted to point out how you can check your license version to confirm whether or not you’ll be able to configure the “Failover” feature. Then, I realized perhapsĀ it would be good to point out at least the differences between the “Base” license and “Security Plus” licenses. I expect there are some techs out there trying to configure or resolve something they aren’t licensed for. Naturally there are other other variations, but this is what I’ve encountered most.

The most common reason I’ve upgraded clients to the Security Plus license is to activate the “Failover” and “Dual ISP” features. The “Dual ISP” feature is only relevant to the ASA 5505. The 5510 can implement 2 outside interfaces with the “Base” license, whereas the 5505 requires the upgrade. You must upgrade the license to enable “Failover” on both models.

I’ve confirmed that these commands are the same for ASA version 8.2 and 9.1.

There are two commands we can use to determine our license version and features

Firewall# show version

“Show version” will actually show a lot more than your license type and features. It will display information about the currently loaded software along with hardware and device information.

Firewall# show activation-key

“Show activation-key” will show you just details about your currently loaded license.

Here is the licensing related output and feature differences for both ASA models between the BASE and SECURITY PLUS licenses. …..I’ve eliminated any identical features.

ASA 5505 With a BASE license:

Maximum Physical Interfaces  : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : 10
Failover                     : Disabled
VPN Peers                    : 10
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0

This platform has a Base license.

ASA 5505 With a SECURITY PLUS license:


VLANs                        : 20, DMZ Unrestricted
Inside Hosts                 : Unlimited
Failover                     : Active/Standby
VPN Peers                    : 25
WebVPN Peers                 : 2
Dual ISPs                    : Enabled
VLAN Trunk Ports             : 8

This platform has an ASA 5505 Security Plus license.

ASA 5510 With a SECURITY PLUS license:

Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 2

This platform has an ASA 5510 Security Plus license.

I’ll describe the license upgrade/installation process in another post.

Leave a Reply

Your email address will not be published. Required fields are marked *