
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of
the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.

All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.

Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (1721R)
© 2005–2016 Cisco Systems, Inc. All rights reserved.

CONTENTS

PREFACE About This Guide xlv


Document Objectives xlv
Related Documentation xlv
Document Conventions xlv
Communications, Services, and Additional Information xlvii

PART I Getting Started with the ASA 49

CHAPTER 1 Introduction to the Cisco ASA 1


Hardware and Software Compatibility 1
VPN Compatibility 1
New Features 1
New Features in ASA 9.6(4) 2
New Features in ASA 9.6(3.1) 2
New Features in ASA 9.6(2) 2
New Features in ASA 9.6(1) 9
Firewall Functional Overview 12
Security Policy Overview 12
Permitting or Denying Traffic with Access Rules 12
Applying NAT 12
Protecting from IP Fragments 13
Applying HTTP, HTTPS, or FTP Filtering 13
Applying Application Inspection 13
Sending Traffic to Supported Hardware or Software Modules 13
Applying QoS Policies 13
Applying Connection Limits and TCP Normalization 13

Enabling Threat Detection 13


Firewall Mode Overview 14
Stateful Inspection Overview 14
VPN Functional Overview 15
Security Context Overview 16
ASA Clustering Overview 16
Special and Legacy Services 16

CHAPTER 2 Getting Started 19


Access the Console for the Command-Line Interface 19
Access the Appliance Console 19
Access the ASA Console on the Firepower 4100/9300 Chassis 20
Access the ASA Services Module Console 21
About Connection Methods 22
Log Into the ASA Services Module 23
Log Out of a Console Session 24
Kill an Active Console Connection 25
Log Out of a Telnet Session 25
Access the Software Module Console 26
Access the ASA 5506W-X Wireless Access Point Console 26
Configure ASDM Access 27
Use the Factory Default Configuration for ASDM Access (Appliances, ASAv) 27
Customize ASDM Access 28
Configure ASDM Access for the ASA Services Module 30
Start ASDM 32
Factory Default Configurations 34
Restore the Factory Default Configuration 35
Restore the ASAv Deployment Configuration 36
ASA 5506-X, 5508-X, and 5516-X Default Configuration 37
ASA 5512-X through ASA 5585-X Default Configuration 38
Firepower 4100/9300 Chassis Default Configuration 39
ISA 3000 Default Configuration 39
ASAv Deployment Configuration 41
Work with the Configuration 43

Save Configuration Changes 43


Save Configuration Changes in Single Context Mode 43
Save Configuration Changes in Multiple Context Mode 43
Copy the Startup Configuration to the Running Configuration 45
View the Configuration 45
Clear and Remove Configuration Settings 45
Create Text Configuration Files Offline 47
Apply Configuration Changes to Connections 47
Reload the ASA 48

CHAPTER 3 Licenses: Product Authorization Key Licensing 49

About PAK Licenses 49


Preinstalled License 49
Permanent License 49
Time-Based Licenses 50
Time-Based License Activation Guidelines 50
How the Time-Based License Timer Works 50
How Permanent and Time-Based Licenses Combine 50
Stacking Time-Based Licenses 51
Time-Based License Expiration 52
License Notes 52
AnyConnect Plus and Apex Licenses 52
Other VPN License 53
Total VPN Sessions Combined, All Types 53

VPN Load Balancing 53


Legacy VPN Licenses 53
Encryption License 53
Carrier License 54
Total TLS Proxy Sessions 54
VLANs, Maximum 55
Botnet Traffic Filter License 55
IPS Module License 55
Shared AnyConnect Premium Licenses (AnyConnect 3 and Earlier) 55
Failover or ASA Cluster Licenses 55

Failover License Requirements and Exceptions 55


ASA Cluster License Requirements and Exceptions 57
How Failover or ASA Cluster Licenses Combine 57
Loss of Communication Between Failover or ASA Cluster Units 58
Upgrading Failover Pairs 59
No Payload Encryption Models 59
Licenses FAQ 59
Guidelines for PAK Licenses 60
Configure PAK Licenses 62
Order License PAKs and Obtain an Activation Key 62
Obtain a Strong Encryption License 63
Activate or Deactivate Keys 65
Configure a Shared License (AnyConnect 3 and Earlier) 66
About Shared Licenses 67
About the Shared Licensing Server and Participants 67
Communication Issues Between Participant and Server 68
About the Shared Licensing Backup Server 68
Failover and Shared Licenses 69
Maximum Number of Participants 70
Configure the Shared Licensing Server 71
Configure the Shared Licensing Backup Server (Optional) 72
Configure the Shared Licensing Participant 73
Supported Feature Licenses Per Model 74
Licenses Per Model 74
ASA 5506-X and ASA 5506W-X License Features 74
ASA 5506H-X License Features 75
ASA 5508-X License Features 76
ASA 5512-X License Features 77
ASA 5515-X License Features 78
ASA 5516-X License Features 79
ASA 5525-X License Features 80
ASA 5545-X License Features 81
ASA 5555-X License Features 83
ASA 5585-X with SSP-10 License Features 84

ASA 5585-X with SSP-20 License Features 85


ASA 5585-X with SSP-40 and -60 License Features 86
ASASM License Features 87
ISA 3000 License Features 89
Monitoring PAK Licenses 90
Viewing Your Current License 90
Monitoring the Shared License 98
History for PAK Licenses 100

CHAPTER 4 Licenses: Smart Software Licensing (ASAv, ASA on Firepower) 109

About Smart Software Licensing 109


Smart Software Licensing for the ASA on the Firepower 4100/9300 Chassis 109
Smart Software Manager and Accounts 110
Offline Management 110
Permanent License Reservation 110
Satellite Server 111
Licenses and Devices Managed per Virtual Account 111
Evaluation License 111
Smart Software Manager Communication 112
Device Registration and Tokens 112
Periodic Communication with the License Authority 112
Out-of-Compliance State 113
Smart Call Home Infrastructure 113
Smart License Certificate Management 113
License Notes 114
AnyConnect Plus and Apex Licenses 114
Other VPN License 114
Total VPN Sessions Combined, All Types 114

Encryption License 114


Carrier License 115
Total TLS Proxy Sessions 115
VLANs, Maximum 116
Botnet Traffic Filter License 116
Failover or ASA Cluster Licenses 117

Failover Licenses for the ASAv 117

Failover Licenses for the ASA on the Firepower 4100/9300 Chassis 117
ASA Cluster Licenses for the ASA on the Firepower 4100/9300 Chassis 118
Prerequisites for Smart Software Licensing 119
Guidelines for Smart Software Licensing 120
Defaults for Smart Software Licensing 120
ASAv: Configure Smart Software Licensing 120
ASAv: Configure Regular Smart Software Licensing 121
ASAv: Configure Satellite Smart Software Licensing 124
ASAv: Configure Permanent License Reservation 126
Install the ASAv Permanent License 126
(Optional) Return the ASAv Permanent License 128
(Optional) Deregister the ASAv (Regular and Satellite) 129
(Optional) Renew the ASAv ID Certificate or License Entitlement (Regular and Satellite) 129
Firepower 4100/9300 Chassis: Configure Smart Software Licensing 130
Licenses Per Model 132
ASAv 132

Firepower 4100 Series ASA Application 134


Firepower 9300 ASA Application 134
Monitoring Smart Software Licensing 135
Viewing Your Current License 135
Viewing Smart License Status 136
Viewing the UDI 139
Debugging Smart Software Licensing 139
History for Smart Software Licensing 139

CHAPTER 5 Logical Devices for the Firepower 4100/9300 143

About Firepower Interfaces 143


Chassis Management Interface 143
Interface Types 144
Independent Interface States in the Chassis and in the Application 144
About Logical Devices 144
Standalone and Clustered Logical Devices 144
Requirements and Prerequisites for Hardware and Software Combinations 145

Guidelines and Limitations for Logical Devices 145


Guidelines and Limitations for Firepower Interfaces 146
General Guidelines and Limitations 146
Requirements and Prerequisites for High Availability 147
Configure Interfaces 147
Configure a Physical Interface 147
Add an EtherChannel (Port Channel) 149
Configure Logical Devices 151
Add a Standalone ASA 151
Add a High Availability Pair 156
Change the ASA to Transparent Firewall Mode 157
Change an Interface on an ASA Logical Device 158
Connect to the Console of the Application 159
History for Logical Devices 160

CHAPTER 6 Transparent or Routed Firewall Mode 161

About the Firewall Mode 161


About Routed Firewall Mode 161
About Transparent Firewall Mode 161
Using the Transparent Firewall in Your Network 162
About Bridge Groups 162
Passing Traffic For Routed-Mode Features 167
Default Settings 167
Guidelines for Firewall Mode 168
Set the Firewall Mode 169
Examples for Firewall Mode 170
How Data Moves Through the ASA in Routed Firewall Mode 170
An Inside User Visits a Web Server 170
An Outside User Visits a Web Server on the DMZ 171
An Inside User Visits a Web Server on the DMZ 172
An Outside User Attempts to Access an Inside Host 173
A DMZ User Attempts to Access an Inside Host 174
How Data Moves Through the Transparent Firewall 174
An Inside User Visits a Web Server 175

An Inside User Visits a Web Server Using NAT 176


An Outside User Visits a Web Server on the Inside Network 178
An Outside User Attempts to Access an Inside Host 179
History for the Firewall Mode 180

PART II High Availability and Scalability 183

CHAPTER 7 Multiple Context Mode 185

About Security Contexts 185


Common Uses for Security Contexts 185
Context Configuration Files 186
Context Configurations 186
System Configuration 186
Admin Context Configuration 186
How the ASA Classifies Packets 186
Valid Classifier Criteria 186
Classification Examples 187
Cascading Security Contexts 189
Management Access to Security Contexts 190
System Administrator Access 190
Context Administrator Access 190
Management Interface Usage 190
About Resource Management 191
Resource Classes 191
Resource Limits 191
Default Class 192
Use Oversubscribed Resources 192
Use Unlimited Resources 193
About MAC Addresses 193
MAC Addresses in Multiple Context Mode 194
Automatic MAC Addresses 194
VPN Support 195
Licensing for Multiple Context Mode 195
Prerequisites for Multiple Context Mode 196

Guidelines for Multiple Context Mode 196


Defaults for Multiple Context Mode 197
Configure Multiple Contexts 198
Enable or Disable Multiple Context Mode 198
Enable Multiple Context Mode 198
Restore Single Context Mode 199
Configure a Class for Resource Management 199
Configure a Security Context 203
Assign MAC Addresses to Context Interfaces Automatically 208
Change Between Contexts and the System Execution Space 208
Manage Security Contexts 209
Remove a Security Context 209
Change the Admin Context 210
Change the Security Context URL 210
Reload a Security Context 212
Reload by Clearing the Configuration 212
Reload by Removing and Re-adding the Context 212
Monitoring Security Contexts 213
View Context Information 213
View Resource Allocation 214
View Resource Usage 218
Monitor SYN Attacks in Contexts 220
View Assigned MAC Addresses 222
View MAC Addresses in the System Configuration 222
View MAC Addresses Within a Context 224
Examples for Multiple Context Mode 224
History for Multiple Context Mode 225

CHAPTER 8 Failover for High Availability 231

About Failover 231


Failover Modes 231
Failover System Requirements 232
Hardware Requirements 232
Software Requirements 232

License Requirements 232


Failover and Stateful Failover Links 233
Failover Link 233
Stateful Failover Link 234
Avoiding Interrupted Failover and Data Links 235
MAC Addresses and IP Addresses in Failover 237
Intra- and Inter-Chassis Module Placement for the ASA Services Module 239
Intra-Chassis Failover 239
Inter-Chassis Failover 240
Stateless and Stateful Failover 242
Stateless Failover 242
Stateful Failover 243
Transparent Firewall Mode Bridge Group Requirements for Failover 244
Transparent Mode Bridge Group Requirements for Appliances, ASAv 245

Transparent Mode Bridge Group Requirements for the ASA Services Module 245
Failover Health Monitoring 246
Unit Health Monitoring 246
Interface Monitoring 246
Failover Times 248
Configuration Synchronization 248
Running Configuration Replication 249
File Replication 249
Command Replication 250
About Active/Standby Failover 250
Primary/Secondary Roles and Active/Standby Status 251
Active Unit Determination at Startup 251
Failover Events 251
About Active/Active Failover 252
Active/Active Failover Overview 252
Primary/Secondary Roles and Active/Standby Status for a Failover Group 253
Active Unit Determination for Failover Groups at Startup 253
Failover Events 253
Licensing for Failover 255
Guidelines for Failover 256

Defaults for Failover 257


Configure Active/Standby Failover 258
Configure the Primary Unit for Active/Standby Failover 258
Configure the Secondary Unit for Active/Standby Failover 261
Configure Active/Active Failover 262
Configure the Primary Unit for Active/Active Failover 262
Configure the Secondary Unit for Active/Active Failover 267
Configure Optional Failover Parameters 268
Configure Failover Criteria and Other Settings 268
Configure Interface Monitoring 271
Configure Support for Asymmetrically Routed Packets (Active/Active Mode) 272
Manage Failover 275
Force Failover 276
Disable Failover 276
Restore a Failed Unit 277
Re-Sync the Configuration 278
Test the Failover Functionality 278
Remote Command Execution 279
Send a Command 279
Change Command Modes 280
Security Considerations 281
Limitations of Remote Command Execution 281
Monitoring Failover 281
Failover Messages 282
Failover Syslog Messages 282
Failover Debug Messages 282
SNMP Failover Traps 282
Monitoring Failover Status 282
History for Failover 283

CHAPTER 9 ASA Cluster 287

About ASA Clustering 287


How the ASA Cluster Fits into Your Network 287
Cluster Members 288

Bootstrap Configuration 288


Master and Slave Unit Roles 288
Cluster Interfaces 288
Cluster Control Link 288
Configuration Replication 289
ASA Cluster Management 289
Management Network 289
Management Interface 289
Master Unit Management Vs. Slave Unit Management 289
RSA Key Replication 290
ASDM Connection Certificate IP Address Mismatch 290
Inter-Site Clustering 290
Licenses for ASA Clustering 291
Requirements and Prerequisites for ASA Clustering 291
Guidelines for ASA Clustering 293
Configure ASA Clustering 298
Cable the Units and Configure Interfaces 298
About Cluster Interfaces 298
Cable the Cluster Units and Configure Upstream and Downstream Equipment 307
Configure the Cluster Interface Mode on Each Unit 309
Configure Interfaces on the Master Unit 310
Create the Bootstrap Configuration 317
Configure the Master Unit Bootstrap Settings 317
Configure Slave Unit Bootstrap Settings 322
Customize the Clustering Operation 324
Configure Basic ASA Cluster Parameters 325
Configure Health Monitoring and Auto-Rejoin Settings 325
Configure Connection Rebalancing and the Cluster TCP Replication Delay 328
Configure Inter-Site Features 329
Manage Cluster Members 333
Become an Inactive Member 333
Deactivate a Member 334
Rejoin the Cluster 335
Leave the Cluster 335

Change the Master Unit 337


Execute a Command Cluster-Wide 337
Monitoring the ASA Cluster 338
Monitoring Cluster Status 338
Capturing Packets Cluster-Wide 339
Monitoring Cluster Resources 340
Monitoring Cluster Traffic 340
Monitoring Cluster Routing 342
Configuring Logging for Clustering 343
Monitoring Cluster Interfaces 343
Debugging Clustering 344
Examples for ASA Clustering 344
Sample ASA and Switch Configuration 344
ASA Configuration 345
Cisco IOS Switch Configuration 346
Firewall on a Stick 347
Traffic Segregation 350
Spanned EtherChannel with Backup Links (Traditional 8 Active/8 Standby) 352
OTV Configuration for Routed Mode Inter-Site Clustering 359
Examples for Inter-Site Clustering 361
Individual Interface Routed Mode North-South Inter-Site Example 361
Spanned EtherChannel Routed Mode Example with Site-Specific MAC and IP Addresses 362
Spanned EtherChannel Transparent Mode North-South Inter-Site Example 363
Spanned EtherChannel Transparent Mode East-West Inter-Site Example 364
Reference for Clustering 365
ASA Features and Clustering 365
Unsupported Features with Clustering 365
Centralized Features for Clustering 366
Features Applied to Individual Units 367
AAA for Network Access and Clustering 368
FTP and Clustering 368
Identity Firewall and Clustering 368
Multicast Routing and Clustering 368
NAT and Clustering 369

Dynamic Routing and Clustering 370


SCTP and Clustering 372
SIP Inspection and Clustering 373
SNMP and Clustering 373
STUN and Clustering 373
Syslog and NetFlow and Clustering 373
Cisco TrustSec and Clustering 373
VPN and Clustering 373
Performance Scaling Factor 374
Master Unit Election 374
High Availability Within the ASA Cluster 374
Unit Health Monitoring 375
Interface Monitoring 375
Status After Failure 375
Rejoining the Cluster 375
Data Path Connection State Replication 376
How the ASA Cluster Manages Connections 377
Connection Roles 377
New Connection Ownership 378
Sample Data Flow 378
Rebalancing New TCP Connections Across the Cluster 379
History for ASA Clustering 379

CHAPTER 10 ASA Cluster for the Firepower 4100/9300 Chassis 383

About Clustering on the Firepower 4100/9300 Chassis 383


Bootstrap Configuration 384
Cluster Members 384
Master and Slave Unit Roles 384
Cluster Control Link 385
Size the Cluster Control Link 385
Cluster Control Link Redundancy 386
Cluster Control Link Reliability 386
Cluster Control Link Network 386
Cluster Interfaces 387

Connecting to a VSS or vPC 387


Configuration Replication 387
ASA Cluster Management 387
Management Network 387
Management Interface 387
Master Unit Management Vs. Slave Unit Management 388
RSA Key Replication 388
ASDM Connection Certificate IP Address Mismatch 388
Spanned EtherChannels (Recommended) 388
Inter-Site Clustering 389
Requirements and Prerequisites for Clustering on the Firepower 4100/9300 Chassis 390
Licenses for Clustering on the Firepower 4100/9300 Chassis 391
Clustering Guidelines and Limitations 392
Configure Clustering on the Firepower 4100/9300 Chassis 396
FXOS: Add an ASA Cluster 396
Create an ASA Cluster 396
Add More Cluster Members 404
ASA: Change the Firewall Mode and Context Mode 405
ASA: Configure Data Interfaces 405
ASA: Customize the Cluster Configuration 408
Configure Basic ASA Cluster Parameters 408
Configure Health Monitoring and Auto-Rejoin Settings 410
Configure Connection Rebalancing and the Cluster TCP Replication Delay 412
Configure Inter-Site Features 413
FXOS: Remove a Cluster Member 417
ASA: Manage Cluster Members 419
Become an Inactive Member 419
Deactivate a Member 419
Rejoin the Cluster 420
Change the Master Unit 421
Execute a Command Cluster-Wide 422
ASA: Monitoring the ASA Cluster on the Firepower 4100/9300 chassis 423
Monitoring Cluster Status 423
Capturing Packets Cluster-Wide 424

Monitoring Cluster Resources 424


Monitoring Cluster Traffic 424
Monitoring Cluster Routing 426
Configuring Logging for Clustering 427
Debugging Clustering 427
Reference for Clustering 428
ASA Features and Clustering 428
Unsupported Features with Clustering 428
Centralized Features for Clustering 428
Features Applied to Individual Units 429
AAA for Network Access and Clustering 430
FTP and Clustering 430
Identity Firewall and Clustering 430
Multicast Routing and Clustering 430
NAT and Clustering 430
Dynamic Routing and Clustering 432
SCTP and Clustering 432
SIP Inspection and Clustering 432
SNMP and Clustering 433
STUN and Clustering 433
Syslog and NetFlow and Clustering 433
Cisco TrustSec and Clustering 433
VPN and Clustering 433
Performance Scaling Factor 434
Master Unit Election 434
High Availability Within the Cluster 434
Chassis-Application Monitoring 434
Unit Health Monitoring 435
Interface Monitoring 435
Decorator Application Monitoring 435
Status After Failure 435
Rejoining the Cluster 435
Data Path Connection State Replication 436
How the Cluster Manages Connections 437

Connection Roles 437


New Connection Ownership 438
Sample Data Flow 438
History for ASA Clustering on the Firepower 4100/9300 439

PART III Interfaces 441

CHAPTER 11 Basic Interface Configuration 443

About Basic Interface Configuration 443


Auto-MDI/MDIX Feature 443
Management Interface 444
Management Interface Overview 444
Management Slot/Port Interface 444
Use Any Interface for Management-Only Traffic 445
Management Interface for Transparent Mode 445
No Support for Redundant Management Interfaces 446
Management Interface Characteristics for ASA Models 446
Licensing for Basic Interface Configuration 446
Guidelines for Basic Interface Configuration 447
Default Settings for Basic Interface Configuration 447
Enable the Physical Interface and Configure Ethernet Parameters 448
Enable Jumbo Frame Support 450
Monitoring Interfaces 451
Examples for Basic Interfaces 451
Physical Interface Parameters Example 451
Multiple Context Mode Example 452
History for Basic Interface Configuration 452

CHAPTER 12 EtherChannel and Redundant Interfaces 455

About EtherChannels and Redundant Interfaces 455


About Redundant Interfaces 455
Redundant Interface MAC Address 456
About EtherChannels 456
Channel Group Interfaces 456

Connecting to an EtherChannel on Another Device 456


Link Aggregation Control Protocol 457
Load Balancing 458
EtherChannel MAC Address 458
Guidelines for EtherChannels and Redundant Interfaces 458
Default Settings for EtherChannels and Redundant Interfaces 460
Configure a Redundant Interface 461
Configure a Redundant Interface 461
Change the Active Interface 462
Configure an EtherChannel 463
Add Interfaces to the EtherChannel 463
Customize the EtherChannel 465
Monitoring EtherChannel and Redundant Interfaces 466
Examples for EtherChannel and Redundant Interfaces 467
History for EtherChannels and Redundant Interfaces 467

CHAPTER 13 VLAN Subinterfaces 469


About VLAN Subinterfaces 469
Licensing for VLAN Subinterfaces 469
Guidelines and Limitations for VLAN Subinterfaces 470
Default Settings for VLAN Subinterfaces 471
Configure VLAN Subinterfaces and 802.1Q Trunking 471
Monitoring VLAN Subinterfaces 473
Examples for VLAN Subinterfaces 473
History for VLAN Subinterfaces 474

CHAPTER 14 VXLAN Interfaces 475

About VXLAN Interfaces 475


VXLAN Encapsulation 475
VXLAN Tunnel Endpoint 475
VTEP Source Interface 476
VNI Interfaces 476
VXLAN Packet Processing 476
Peer VTEPs 477

VXLAN Use Cases 477


VXLAN Bridge or Gateway Overview 477
VXLAN Bridge (Transparent Mode) 478
VXLAN Gateway (Routed Mode) 478
Router Between VXLAN Domains 478
Guidelines for VXLAN Interfaces 480
Default Settings for VXLAN Interfaces 480
Configure VXLAN Interfaces 480
Configure the VTEP Source Interface 481
Configure the VNI Interface 482
(Optional) Change the VXLAN UDP Port 484
Monitoring VXLAN Interfaces 484
Examples for VXLAN Interfaces 486
Transparent VXLAN Gateway Example 487
VXLAN Routing Example 489
History for VXLAN Interfaces 490

CHAPTER 15 Routed and Transparent Mode Interfaces 491

About Routed and Transparent Mode Interfaces 491


Security Levels 491
Dual IP Stack (IPv4 and IPv6) 492
Guidelines and Requirements for Routed and Transparent Mode Interfaces 492
Configure Routed Mode Interfaces 494
Configure General Routed Mode Interface Parameters 494
Configure PPPoE 497
Configure Transparent Mode Bridge Group Interfaces 498
Configure the Bridge Virtual Interface (BVI) 498
Configure General Bridge Group Member Interface Parameters 499
Configure a Management Interface for Transparent Mode 500
Configure IPv6 Addressing 502
About IPv6 502
IPv6 Addressing 502
Modified EUI-64 Interface IDs 503
Configure the IPv6 Prefix Delegation Client 503

About IPv6 Prefix Delegation 503


Enable the IPv6 Prefix Delegation Client 505
Configure a Global IPv6 Address 507
Configure IPv6 Neighbor Discovery 509
Monitoring Routed and Transparent Mode Interfaces 513
Interface Statistics and Information 514
DHCP Information 514
PPPoE 517
IPv6 Neighbor Discovery 518
Examples for Routed and Transparent Mode Interfaces 518
Transparent Mode Example with 2 Bridge Groups 518
History for Routed and Transparent Mode Interfaces 519

CHAPTER 16 Advanced Interface Configuration 523

About Advanced Interface Configuration 523


About MAC Addresses 523
Default MAC Addresses 523
Automatic MAC Addresses 524
About the MTU 525
Path MTU Discovery 525
Default MTU 525
MTU and Fragmentation 525
MTU and Jumbo Frames 525
About the TCP MSS 526
Default TCP MSS 526
Suggested Maximum TCP MSS Setting 526
Inter-Interface Communication 527
Intra-Interface Communication (Routed Firewall Mode) 527
Manually Configure the MAC Address 528
Automatically Assign MAC Addresses in Multiple Context Mode 529
Configure the MTU and TCP MSS 530
Allow Same Security Level Communication 531
History for Advanced Interface Configuration 532

CHAPTER 17 Traffic Zones 533

About Traffic Zones 533


Non-Zoned Behavior 533
Why Use Zones? 533
Asymmetric Routing 534
Lost Route 534
Load Balancing 535
Per-Zone Connection and Routing Tables 536
ECMP Routing 536
Non-Zoned ECMP Support 536
Zoned ECMP Support 537
How Connections Are Load-Balanced 537
Falling Back to a Route in Another Zone 537
Interface-Based Security Policy 537
Supported Services for Traffic Zones 537
Security Levels 538
Primary and Current Interface for the Flow 538
Joining or Leaving a Zone 538
Intra-Zone Traffic 538
To- and From-the-Box Traffic 538
Overlapping IP Addresses Within a Zone 539
Prerequisites for Traffic Zones 539
Guidelines for Traffic Zones 540
Configure a Traffic Zone 542
Monitoring Traffic Zones 543
Zone Information 543
Zone Connections 543
Zone Routing 544
Example for Traffic Zones 545
History for Traffic Zones 548

PART IV Basic Settings 549

CHAPTER 18 Basic Settings 551


Set the Hostname, Domain Name, and the Enable and Telnet Passwords 551
Set the Date and Time 553
Set the Time Zone and Daylight Saving Dates 553
Set the Date and Time Using an NTP Server 555
Set the Date and Time Manually 556
Configure the Master Passphrase 557
Add or Change the Master Passphrase 557
Disable the Master Passphrase 559
Remove the Master Passphrase 560
Configure the DNS Server 561
Configure the Hardware Bypass and Dual Power Supply (Cisco ISA 3000) 563
Adjust ASP (Accelerated Security Path) Performance and Behavior 565
Choose a Rule Engine Transactional Commit Model 565
Enable ASP Load Balancing 566
Monitoring the DNS Cache 567
History for Basic Settings 567

CHAPTER 19 DHCP and DDNS Services 569

About DHCP and DDNS Services 569


About the DHCPv4 Server 569
DHCP Options 569
About the DHCPv6 Stateless Server 570
About the DHCP Relay Agent 570
About DDNS 570
DDNS Update Configurations 571
UDP Packet Size 571
Guidelines for DHCP and DDNS Services 571
Configure the DHCP Server 573
Enable the DHCPv4 Server 573
Configure Advanced DHCPv4 Options 575
Configure the DHCPv6 Stateless Server 576
Configure the DHCP Relay Agent 578

Configure the DHCPv4 Relay Agent 578


Configure the DHCPv6 Relay Agent 580
Configure DDNS 581
Update Both A and PTR RRs for Static IP Addresses 581
Update Both the A and PTR RRs 582
Ignore Updates to Either RR 584
Update the PTR RR Only 585
Update a RR with the Client and a PTR RR with the Server 586
Monitoring DHCP and DDNS Services 587
Monitoring DHCP Services 587
Monitoring DDNS Status 590
History for DHCP and DDNS Services 591

CHAPTER 20 Digital Certificates 593

About Digital Certificates 593


Public Key Cryptography 594
Certificate Scalability 595
Key Pairs 595
Trustpoints 595
Certificate Enrollment 596
Proxy for SCEP Requests 596
Revocation Checking 596
Supported CA Servers 597
CRLs 597
OCSP 598
The Local CA 599
Storage for Local CA Files 599
The Local CA Server 599
Certificates and User Login Credentials 600
User Login Credentials 600
Certificates 600
Guidelines for Digital Certificates 601
Configure Digital Certificates 604
Configure Key Pairs 604

Configure Trustpoints 606


Configure CRLs for a Trustpoint 609
Export or Import a Trustpoint Configuration 612
Configure CA Certificate Map Rules 613
Configure Reference Identities 615
Obtain Certificates Manually 617
Obtain Certificates Automatically with SCEP 619
Configure Proxy Support for SCEP Requests 620
Configure the CA Certificate Lifetime 622
Configure the User Certificate Lifetime 623
Configure the CRL Lifetime 623
Configure the Server Keysize 624
How to Set Up Specific Certificate Types 625
CA Certificates 626
Configure the Local CA Server 626
CA Server Management 627
Set Up External Local CA File Storage 633
Download and Store CRLs 634
Enrollment and User Management 635
Revoke Certificates 640
Set a Certificate Expiration Alert (for Identity or CA Certificates) 640
Monitoring Digital Certificates 641
History for Certificate Management 643

CHAPTER 21 ARP Inspection and the MAC Address Table for Transparent Firewall Mode 647

About ARP Inspection and the MAC Address Table 647


ARP Inspection for Bridge Group Traffic 647
MAC Address Table 648
Default Settings 648
Guidelines for ARP Inspection and the MAC Address Table 648
Configure ARP Inspection and Other ARP Parameters 649
Add a Static ARP Entry and Customize Other ARP Parameters 649
Enable ARP Inspection 650
Customize the MAC Address Table for Transparent Mode Bridge Groups 651

Add a Static MAC Address for Bridge Groups 651


Set the MAC Address Timeout 651
Disable MAC Address Learning 652
Monitoring ARP Inspection and the MAC Address Table 652
History for ARP Inspection and the MAC Address Table 653

PART V IP Routing 655

CHAPTER 22 Routing Overview 657

Path Determination 657


Supported Route Types 658
Static Versus Dynamic 658
Single-Path Versus Multipath 658
Flat Versus Hierarchical 658
Link-State Versus Distance Vector 659
Supported Internet Protocols for Routing 659
Routing Table 660
How the Routing Table Is Populated 660
Administrative Distances for Routes 660
Backup Dynamic and Floating Static Routes 661
How Forwarding Decisions Are Made 662
Dynamic Routing and Failover 662
Dynamic Routing and Clustering 662
Dynamic Routing in Spanned EtherChannel Mode 663
Dynamic Routing in Individual Interface Mode 663
Dynamic Routing in Multiple Context Mode 664
Route Resource Management 665
Routing Table for Management Traffic 665
Management Interface Identification 666
Equal-Cost Multi-Path (ECMP) Routing 666
Disable Proxy ARP Requests 667
Display the Routing Table 668
History for Route Overview 668

CHAPTER 23 Static and Default Routes 669


About Static and Default Routes 669
Default Route 669
Static Routes 669
Route to null0 Interface to “Black Hole” Unwanted Traffic 670
Route Priorities 670
Transparent Firewall Mode Routes 670
Static Route Tracking 670
Guidelines for Static and Default Routes 671
Configure Default and Static Routes 671
Configure a Default Route 672
Configure a Static Route 673
Configure Static Route Tracking 674
Monitoring a Static or Default Route 675
Examples for Static or Default Routes 675
History for Static and Default Routes 676

CHAPTER 24 Policy Based Routing 677

About Policy Based Routing 677


Why Use Policy Based Routing? 677
Equal-Access and Source-Sensitive Routing 678
Quality of Service 678
Cost Saving 678
Load Sharing 679
Implementation of PBR 679
Guidelines for Policy Based Routing 679
Configure Policy Based Routing 680
Examples for Policy Based Routing 682
Examples for Route Map Configuration 683
Example Configuration for PBR 684
Policy Based Routing in Action 685
History for Policy Based Routing 690

CHAPTER 25 Route Maps 691

About Route Maps 691


Permit and Deny Clauses 692
Match and Set Clause Values 692
Guidelines for Route Maps 693
Define a Route Map 693
Customize a Route Map 693
Define a Route to Match a Specific Destination Address 693
Configure the Metric Values for a Route Action 695
Example for Route Maps 695
History for Route Maps 696

CHAPTER 26 Bidirectional Forwarding Detection Routing 697

About BFD Routing 697


BFD Asynchronous Mode and Echo Function 697
BFD Session Establishment 698
BFD Timer Negotiation 699
BFD Failure Detection 700
BFD Deployment Scenarios 700
Guidelines for BFD Routing 700
Configure BFD 701
Create the BFD Template 701
Configure BFD Interfaces 703
Configure BFD Maps 704
Monitoring for BFD 705
History for BFD Routing 706

CHAPTER 27 BGP 707

About BGP 707


When to Use BGP 707
Routing Table Changes 707
BGP Path Selection 708
BGP Multipath 709

Guidelines for BGP 710


Configure BGP 710
Enable BGP 711
Define the Best Path for a BGP Routing Process 712
Configure Policy Lists 713
Configure AS Path Filters 714
Configure Community Rules 715
Configure IPv4 Address Family Settings 716
Configure IPv4 Family General Settings 716
Configure IPv4 Family Aggregate Address Settings 718
Configure IPv4 Family Filtering Settings 719
Configure IPv4 Family BGP Neighbor Settings 720
Configure IPv4 Network Settings 726
Configure IPv4 Redistribution Settings 727
Configure IPv4 Route Injection Settings 728
Configure IPv6 Address Family Settings 729
Configure IPv6 Family General Settings 729
Configure IPv6 Family Aggregate Address Settings 730
Configure IPv6 Family BGP Neighbor Settings 731
Configure IPv6 Network Settings 736
Configure IPv6 Redistribution Settings 737
Configure IPv6 Route Injection Settings 739
Monitoring BGP 739
Example for BGP 742
History for BGP 744

CHAPTER 28 OSPF 747


About OSPF 747
OSPF Support for Fast Hello Packets 749
Prerequisites for OSPF Support for Fast Hello Packets 749
About OSPF Support for Fast Hello Packets 749
Implementation Differences Between OSPFv2 and OSPFv3 750
Guidelines for OSPF 750
Configure OSPFv2 752

Configure OSPFv2 Router ID 753


Manually Configure OSPF Router-ID 753
Router ID Behaviour while Migrating 753

Configure OSPF Fast Hello Packets 754


Customize OSPFv2 755
Redistribute Routes Into OSPFv2 755
Configure Route Summarization When Redistributing Routes Into OSPFv2 756
Add a Route Summary Address 757
Configure Route Summarization Between OSPFv2 Areas 757
Configure OSPFv2 Interface Parameters 758
Configure OSPFv2 Area Parameters 761
Configure OSPFv2 Filter Rules 762
Configure an OSPFv2 NSSA 763
Configure an IP Address Pool for Clustering (OSPFv2 and OSPFv3) 764
Define Static OSPFv2 Neighbors 764
Configure Route Calculation Timers 765
Log Neighbors Going Up or Down 766
Configure OSPFv3 766
Enable OSPFv3 767
Configure OSPFv3 Interface Parameters 767
Configure OSPFv3 Router Parameters 773
Configure OSPFv3 Area Parameters 776
Configure OSPFv3 Passive Interfaces 778
Configure OSPFv3 Administrative Distance 778
Configure OSPFv3 Timers 779
Define Static OSPFv3 Neighbors 781
Reset OSPFv3 Default Parameters 782
Send Syslog Messages 783
Suppress Syslog Messages 783
Calculate Summary Route Costs 784
Generate a Default External Route into an OSPFv3 Routing Domain 784
Configure an IPv6 Summary Prefix 785
Redistribute IPv6 Routes 786
Configure Graceful Restart 787

Configure Capabilities 788


Configuring Graceful Restart for OSPFv2 788
Configure Cisco NSF Graceful Restart for OSPFv2 788
Configure IETF NSF Graceful Restart for OSPFv2 789
Configuring Graceful Restart for OSPFv3 790
Remove the OSPFv2 Configuration 791
Remove the OSPFv3 Configuration 791
Example for OSPFv2 791
Examples for OSPFv3 793
Monitoring OSPF 794
History for OSPF 797

CHAPTER 29 IS-IS 801

About IS-IS 801


About NET 801
IS-IS Dynamic Hostname 802
IS-IS PDU Types 802
Operation of IS-IS on Multiaccess Circuits 803
IS-IS Election of the Designated IS 804
IS-IS LSPDB Synchronization 805
IS-IS Shortest Path Calculation 806
IS-IS Shutdown Protocol 807
Prerequisites for IS-IS 807
Guidelines for IS-IS 807
Configure IS-IS 808
Enable IS-IS Routing Globally 808
Enable IS-IS Authentication 812
Configure IS-IS LSP 815
Configure IS-IS Summary Addresses 819
Configure IS-IS Passive Interfaces 820
Configure IS-IS Interfaces 821
Configure IS-IS Interface Hello Padding 825
Configure IS-IS IPv4 Address Family 828
Configure IS-IS IPv6 Address Family 832

Monitoring IS-IS 837


History for IS-IS 840
Examples for IS-IS 840

CHAPTER 30 EIGRP 851

About EIGRP 851


Guidelines for EIGRP 852
Configure EIGRP 853
Enable EIGRP 853
Enable EIGRP Stub Routing 854
Customize EIGRP 855
Define a Network for an EIGRP Routing Process 855
Configure Interfaces for EIGRP 856
Configure Passive Interfaces 858
Configure the Summary Aggregate Addresses on Interfaces 859
Change the Interface Delay Value 859
Enable EIGRP Authentication on an Interface 860
Define an EIGRP Neighbor 861
Redistribute Routes Into EIGRP 862
Filter Networks in EIGRP 864
Customize the EIGRP Hello Interval and Hold Time 865
Disable Automatic Route Summarization 866
Configure Default Information in EIGRP 866
Disable EIGRP Split Horizon 867
Restart the EIGRP Process 868
Monitoring for EIGRP 869
Example for EIGRP 869
History for EIGRP 870

CHAPTER 31 Multicast Routing 873


About Multicast Routing 873
Stub Multicast Routing 873
PIM Multicast Routing 874
PIM Source Specific Multicast Support 874

PIM Bootstrap Router (BSR) 874


PIM Bootstrap Router (BSR) Terminology 875
Multicast Group Concept 875
Multicast Addresses 875
Clustering 876
Guidelines for Multicast Routing 876
Enable Multicast Routing 876
Customize Multicast Routing 877
Configure Stub Multicast Routing and Forward IGMP Messages 877
Configure a Static Multicast Route 878
Configure IGMP Features 878
Disable IGMP on an Interface 879
Configure IGMP Group Membership 879
Configure a Statically Joined IGMP Group 880
Control Access to Multicast Groups 880
Limit the Number of IGMP States on an Interface 881
Modify the Query Messages to Multicast Groups 881
Change the IGMP Version 882
Configure PIM Features 883
Enable and Disable PIM on an Interface 883
Configure a Static Rendezvous Point Address 884
Configure the Designated Router Priority 884
Configure and Filter PIM Register Messages 885
Configure PIM Message Intervals 885
Filter PIM Neighbors 886
Configure a Bidirectional Neighbor Filter 886
Configure the ASA as a Candidate BSR 887
Configure a Multicast Boundary 888
Monitoring for PIM 889
Example for Multicast Routing 889
History for Multicast Routing 890

PART VI AAA Servers and the Local Database 893

CHAPTER 32 AAA and the Local Database 895

About AAA and the Local Database 895


Authentication 895
Authorization 896
Accounting 896
Interaction Between Authentication, Authorization, and Accounting 896
AAA Servers and Server Groups 896
About the Local Database 898
Fallback Support 899
How Fallback Works with Multiple Servers in a Group 899
Guidelines for the Local Database 900
Add a User Account to the Local Database 900
Monitoring the Local Database 902
History for the Local Database 902

CHAPTER 33 RADIUS Servers for AAA 905


About RADIUS Servers for AAA 905
Supported Authentication Methods 905
User Authorization of VPN Connections 906
Supported Sets of RADIUS Attributes 906
Supported RADIUS Authorization Attributes 906
Supported IETF RADIUS Authorization Attributes 920
RADIUS Accounting Disconnect Reason Codes 921
Guidelines for RADIUS Servers for AAA 922
Configure RADIUS Servers for AAA 922
Configure RADIUS Server Groups 923
Add a RADIUS Server to a Group 926
Monitoring RADIUS Servers for AAA 929
History for RADIUS Servers for AAA 930

CHAPTER 34 TACACS+ Servers for AAA 931

About TACACS+ Servers for AAA 931


TACACS+ Attributes 931

Guidelines for TACACS+ Servers for AAA 933


Configure TACACS+ Servers 933
Configure TACACS+ Server Groups 933
Add a TACACS+ Server to a Group 935
Monitoring TACACS+ Servers for AAA 936
History for TACACS+ Servers for AAA 937

CHAPTER 35 LDAP Servers for AAA 939

About LDAP and the ASA 939


How Authentication Works with LDAP 939
LDAP Hierarchy 940
Search the LDAP Hierarchy 940
Bind to an LDAP Server 941
LDAP Attribute Maps 942
Guidelines for LDAP Servers for AAA 942
Configure LDAP Servers for AAA 943
Configure LDAP Attribute Maps 943
Configure LDAP Server Groups 945
Configure Authorization with LDAP for VPN 948
Monitoring LDAP Servers for AAA 949
History for LDAP Servers for AAA 950

CHAPTER 36 Kerberos Servers for AAA 951

Guidelines for Kerberos Servers for AAA 951


Configure Kerberos Servers for AAA 951
Configure Kerberos AAA Server Groups 951
Add Kerberos Servers to a Kerberos Server Group 953
Monitor Kerberos Servers for AAA 954
History for Kerberos Servers for AAA 955

CHAPTER 37 RSA SecurID Servers for AAA 957

About RSA SecurID Servers 957


Guidelines for RSA SecurID Servers for AAA 957
Configure RSA SecurID Servers for AAA 958

Configure RSA SecurID AAA Server Groups 958


Add RSA SecurID Servers to an SDI Server Group 959
Monitor RSA SecurID Servers for AAA 960
History for RSA SecurID Servers for AAA 960

PART VII System Administration 961

CHAPTER 38 Management Access 963

Configure Management Remote Access 963


Configure SSH Access 963
Configure Telnet Access 969
Configure HTTPS Access for ASDM, Other Clients 971
Configure HTTP Redirect for ASDM Access or Clientless SSL VPN 972
Configure Management Access Over a VPN Tunnel 973
Change the Console Timeout 973
Customize a CLI Prompt 974
Configure a Login Banner 975
Set a Management Session Quota 977
Configure AAA for System Administrators 977
Configure Management Authentication 978
About Management Authentication 978
Configure Authentication for CLI and ASDM Access 979
Configure Enable Authentication (Privileged EXEC Mode) 980
Configure ASDM Certificate Authentication 981
Control CLI and ASDM Access with Management Authorization 983
Configure Command Authorization 985
About Command Authorization 985
Configure Local Command Authorization 987
Configure Commands on the TACACS+ Server 989
Configure TACACS+ Command Authorization 992
Configure a Password Policy for Local Database Users 993
Change Your Password 995
Configure Management Access Accounting 995
Recover from a Lockout 996

Monitoring Device Access 997


History for Management Access 999

CHAPTER 39 Software and Configurations 1005

Upgrade the Software 1005


Load an Image Using ROMMON 1005
Load an Image for the ASASM Using ROMMON 1007
Upgrade the ROMMON Image (ASA 5506-X, 5508-X, and 5516-X) 1008
Recover and Load an Image for the ASA 5506W-X Wireless Access Point 1010
Downgrade Your Software 1010
Guidelines and Limitations for Downgrading 1010
Downgrade the Firepower 4100/9300 1011
Downgrade the ASA 5500-X or ISA 3000 1012

Manage Files 1012


View Files in Flash Memory 1012
Delete Files from Flash Memory 1013
Erase the Flash File System 1014
Configure File Access 1014
Configure the FTP Client Mode 1014
Configure the ASA as a Secure Copy Server 1014

Configure the ASA TFTP Client Path 1017


Copy a File to the ASA 1017
Copy a File to the Startup or Running Configuration 1020
Set the ASA Image, ASDM, and Startup Configuration 1022
Back Up and Restore Configurations or Other Files 1024
Perform a Complete System Backup or Restoration 1024
Before You Begin Backup or Restore 1024
Back Up the System 1025
Restore the Backup 1026
Back up the Single Mode Configuration or Multiple Mode System Configuration 1028
Back Up a Context Configuration or Other File in Flash Memory 1029
Back Up a Context Configuration within a Context 1030
Copy the Configuration from the Terminal Display 1031
Back Up Additional Files Using the Export and Import Commands 1031

Use a Script to Back Up and Restore Files 1032


Before You Begin Using Backup and Restore Scripts 1032
Run the Script 1032
Sample Script 1033
Configure Auto Update 1038
About Auto Update 1038
Auto Update Client or Server 1038
Auto Update Benefits 1038
Auto Update Server Support in Failover Configurations 1039
Guidelines for Auto Update 1040
Configure Communication with an Auto Update Server 1041
Configure Client Updates as an Auto Update Server 1042
Monitoring Auto Update 1043
Monitoring the Auto Update Process 1043
Monitoring Auto Update Status 1045
History for Software and Configurations 1045

CHAPTER 40 Response Automation for System Events 1047

About the EEM 1047


Supported Events 1047
Actions on Event Manager Applets 1048
Output Destinations 1048
Guidelines for the EEM 1048
Configure the EEM 1049
Create an Event Manager Applet and Configure Events 1049
Configure an Action and Destinations for Output from an Action 1051
Run an Event Manager Applet 1053
Track Memory Allocation and Memory Usage 1053
Examples for the EEM 1056
Monitoring the EEM 1057
History for the EEM 1058

CHAPTER 41 Testing and Troubleshooting 1059

Recover Enable and Telnet Passwords 1059

Recover Passwords on the ASA 1059


Recover Passwords on the ASA 5506-X, ASA 5508-X, and ASA 5516-X 1061
Recover Passwords or Images on the ASAv 1062

Disable Password Recovery 1063


View Debugging Messages 1064
Packet Capture 1064
Guidelines for Packet Capture 1065
Capture Packets 1065
View a Packet Capture 1068
View the Crash Dump 1070
View the Coredump 1070
vCPU Usage in the ASAv 1070
CPU Usage Example 1070
VMware CPU Usage Reporting 1071
ASAv and vCenter Graphs 1071
Test Your Configuration 1071
Test Basic Connectivity: Pinging Addresses 1072
What You Can Test Using Ping 1072
Choosing Between ICMP and TCP Ping 1072
Enable ICMP 1072
Ping Hosts 1074
Test ASA Connectivity Systematically 1075
Trace Routes to Hosts 1078
Make the ASA Visible on Trace Routes 1078
Determine Packet Routes 1079
Using the Packet Tracer to Test Policy Configuration 1081
Monitoring Connections 1083

PART VIII Monitoring 1085

CHAPTER 42 Logging 1087

About Logging 1087


Logging in Multiple Context Mode 1088
Syslog Message Analysis 1088

Syslog Message Format 1088


Severity Levels 1089
Syslog Message Filtering 1090
Syslog Message Classes 1090
Custom Message Lists 1093
Clustering 1093
Guidelines for Logging 1093
Configure Logging 1095
Enable Logging 1095
Configure an Output Destination 1095
Send Syslog Messages to an External Syslog Server 1096
Send Syslog Messages to the Internal Log Buffer 1098
Send Syslog Messages to an E-mail Address 1101
Send Syslog Messages to ASDM 1101
Send Syslog Messages to the Console Port 1103
Send Syslog Messages to an SNMP Server 1103
Send Syslog Messages to a Telnet or SSH Session 1103
Configure Syslog Messages 1104
Show or Hide Invalid Usernames in Syslogs 1104
Include the Date and Time in Syslog Messages 1104
Disable a Syslog Message 1105
Change the Severity Level of a Syslog Message 1105
Block Syslog Messages on a Standby Unit 1105
Include the Device ID in Non-EMBLEM Format Syslog Messages 1106
Create a Custom Event List 1107
Configure Logging Filters 1108
Send All Syslog Messages in a Class to a Specified Output Destination 1108
Limit the Rate of Syslog Message Generation 1108
Monitoring the Logs 1109
Examples for Logging 1109
History for Logging 1110

CHAPTER 43 SNMP 1115

About SNMP 1115

SNMP Terminology 1115


MIBs and Traps 1116
SNMP Object Identifiers 1118
Physical Vendor Type Values 1123
Supported Tables and Objects in MIBs 1132
Supported Traps (Notifications) 1133
Interface Types and Examples 1139
SNMP Version 3 Overview 1140
Security Models 1141
SNMP Groups 1141
SNMP Users 1141
SNMP Hosts 1141
Implementation Differences Between the ASA and Cisco IOS Software 1141
SNMP Syslog Messaging 1142
Application Services and Third-Party Tools 1142
Guidelines for SNMP 1142
Configure SNMP 1145
Enable the SNMP Agent and SNMP Server 1145
Configure SNMP Traps 1145
Configure a CPU Usage Threshold 1147
Configure a Physical Interface Threshold 1147
Configure Parameters for SNMP Version 1 or 2c 1148
Configure Parameters for SNMP Version 3 1149

Configure a Group of Users 1152


Associate Users with a Network Object 1152
Monitoring SNMP 1153
Examples for SNMP 1154
History for SNMP 1155

CHAPTER 44 Anonymous Reporting and Smart Call Home 1161

About Anonymous Reporting 1161


DNS Requirement 1162
About Smart Call Home 1162
Subscribe to Alert Groups 1163

Attributes of Alert Groups 1163


Messages Sent to Cisco by Alert Groups 1164
Message Severity Threshold 1166
Subscription Profiles 1167
Guidelines for Anonymous Reporting and Smart Call Home 1168
Configure Anonymous Reporting and Smart Call Home 1169
Configure Anonymous Reporting 1169
Configure Smart Call Home 1170
Enable Smart Call Home 1170
Declare and Authenticate a Certificate Authority Trust Point 1171
Configure the Environment and Snapshot Alert Groups 1172
Configure Alert Group Subscription 1172
Configure Customer Contact Information 1173
Configure the Mail Server 1175
Configure Traffic Rate Limiting 1176
Send Smart Call Home Communications 1176
Configure a Destination Profile 1177
Copy a Destination Profile 1178
Rename a Destination Profile 1179
Monitoring Anonymous Reporting and Smart Call Home 1180
Examples for Smart Call Home 1181
History for Anonymous Reporting and Smart Call Home 1182

PART IX Reference 1185

CHAPTER 45 Using the Command-Line Interface 1187

Firewall Mode and Security Context Mode 1187


Command Modes and Prompts 1188
Syntax Formatting 1189
Abbreviate Commands 1190
Command-Line Editing 1190
Command Completion 1190
Command Help 1190
View the Running Configuration 1191

Filter show and more Command Output 1191


Redirecting and Appending show Command Output 1192
Command Output Paging 1192
Add Comments 1193
Text Configuration Files 1193
How Commands Correspond with Lines in the Text File 1193
Command-Specific Configuration Mode Commands 1193
Automatic Text Entries 1193
Line Order 1193
Commands Not Included in the Text Configuration 1194
Passwords 1194
Multiple Security Context Files 1194
Supported Character Sets 1194

CHAPTER 46 Addresses, Protocols, and Ports 1195

IPv4 Addresses and Subnet Masks 1195


Classes 1195
Private Networks 1196
Subnet Masks 1196
Determine the Subnet Mask 1196
Determine the Address to Use with the Subnet Mask 1197
IPv6 Addresses 1199
IPv6 Address Format 1199
IPv6 Address Types 1200
Unicast Addresses 1200
Multicast Address 1202
Anycast Address 1203
Required Addresses 1203
IPv6 Address Prefixes 1204
Protocols and Applications 1204
TCP and UDP Ports 1205
Local Ports and Protocols 1209
ICMP Types 1210

About This Guide
The following topics explain how to use this guide.
• Document Objectives, on page xlv
• Related Documentation, on page xlv
• Document Conventions, on page xlv
• Communications, Services, and Additional Information, on page xlvii

Document Objectives
The purpose of this guide is to help you configure general operations for the Cisco ASA series using the
command-line interface. This guide does not cover every feature, but describes only the most common
configuration scenarios.
You can also configure and monitor the ASA by using the Adaptive Security Device Manager (ASDM), a
web-based GUI application. ASDM includes configuration wizards to guide you through some common
configuration scenarios, and online help for less common scenarios.
Throughout this guide, the term “ASA” applies generically to supported models, unless specified otherwise.

Related Documentation
For more information, see Navigating the Cisco ASA Series Documentation at http://www.cisco.com/go/asadocs.

Document Conventions
This document adheres to the following text, display, and alert conventions.

Text Conventions

Convention    Indication

boldface      Commands, keywords, button labels, field names, and user-entered text appear in boldface. For menu-based commands, the full path to the command is shown.

italic        Variables, for which you supply values, are presented in an italic typeface. Italic type is also used for document titles, and for general emphasis.

monospace     Terminal sessions and information that the system displays appear in monospace type.

{x | y | z}   Required alternative keywords are grouped in braces and separated by vertical bars.

[]            Elements in square brackets are optional.

[x | y | z]   Optional alternative keywords are grouped in square brackets and separated by vertical bars.

[]            Default responses to system prompts are also in square brackets.

<>            Non-printing characters such as passwords are in angle brackets.

!, #          An exclamation point (!) or a number sign (#) at the beginning of a line of code indicates a comment line.

Reader Alerts
This document uses the following for reader alerts:

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

Tip Means the following information will help you solve a problem.

Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or
loss of data.

Timesaver Means the described action saves time. You can save time by performing the action described in the paragraph.

Warning Means reader be warned. In this situation, you might perform an action that could result in bodily
injury.

Communications, Services, and Additional Information


• To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
• To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
• To submit a service request, visit Cisco Support.
• To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit
Cisco Marketplace.
• To obtain general networking, training, and certification titles, visit Cisco Press.
• To find warranty information for a specific product or product family, access Cisco Warranty Finder.

Cisco Bug Search Tool


Cisco Bug Search Tool (BST) is a web-based tool that acts as a gateway to the Cisco bug tracking system
that maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. BST provides
you with detailed defect information about your products and software.

PART I
Getting Started with the ASA
• Introduction to the Cisco ASA, on page 1
• Getting Started, on page 19
• Licenses: Product Authorization Key Licensing, on page 49
• Licenses: Smart Software Licensing (ASAv, ASA on Firepower), on page 109
• Logical Devices for the Firepower 4100/9300, on page 143
• Transparent or Routed Firewall Mode, on page 161
CHAPTER 1
Introduction to the Cisco ASA
The Cisco ASA provides advanced stateful firewall and VPN concentrator functionality in one device as well
as integrated services with add-on modules. The ASA includes many advanced features, such as multiple
security contexts (similar to virtualized firewalls), clustering (combining multiple firewalls into a single
firewall), transparent (Layer 2) firewall or routed (Layer 3) firewall operation, advanced inspection engines,
IPsec VPN, SSL VPN, and clientless SSL VPN support, and many more features.
• Hardware and Software Compatibility, on page 1
• VPN Compatibility, on page 1
• New Features, on page 1
• Firewall Functional Overview, on page 12
• VPN Functional Overview, on page 15
• Security Context Overview, on page 16
• ASA Clustering Overview, on page 16
• Special and Legacy Services, on page 16

Hardware and Software Compatibility


For a complete list of supported hardware and software, see Cisco ASA Compatibility.

VPN Compatibility
See Supported VPN Platforms, Cisco ASA Series.

New Features
This section lists new features for each release.

Note New, changed, and deprecated syslog messages are listed in the syslog message guide.

New Features in ASA 9.6(4)


Released: December 13, 2017
There are no new features in this release.

New Features in ASA 9.6(3.1)


Released: April 3, 2017

Note Version 9.6(3) was removed from Cisco.com due to bug CSCvd78303.

Feature Description

AAA Features

Separate authentication for users with SSH public key authentication and users with passwords
In releases prior to 9.6(2), you could enable SSH public key authentication (ssh authentication) without also explicitly enabling AAA SSH authentication with the Local user database (aaa authentication ssh console LOCAL). In 9.6(2), the ASA required you to explicitly enable AAA SSH authentication. In this release, you no longer have to explicitly enable AAA SSH authentication; when you configure the ssh authentication command for a user, local authentication is enabled by default for users with this type of authentication. Moreover, when you explicitly configure AAA SSH authentication, this configuration applies only to usernames with passwords, and you can use any AAA server type (aaa authentication ssh console radius_1, for example). For example, some users can use public key authentication using the local database, and other users can use passwords with RADIUS.
We did not modify any commands.
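The following configuration fragment is an added illustration, not text from this guide: it shows the split the row above describes, with one local user who authenticates by SSH public key (local authentication implied) and a RADIUS server group that authenticates users who log in with passwords. The server group name radius_1 comes from the row above; the usernames, the server address, the key material and the management subnet are constructed placeholders.

```text
! Local user who authenticates with an SSH public key.
! Configuring ssh authentication for this user is enough: local
! authentication is enabled by default for public key logins.
username pkuser password <LOCAL-PASSWORD-PLACEHOLDER>
username pkuser attributes
 ssh authentication publickey <BASE64-PUBLIC-KEY-PLACEHOLDER>

! RADIUS server group for users who log in with a password
! (server address and shared secret are placeholders).
aaa-server radius_1 protocol radius
aaa-server radius_1 (inside) host 192.0.2.10
 key <SHARED-SECRET-PLACEHOLDER>

! Explicit AAA SSH authentication now applies only to usernames
! with passwords, so the public key user above is not affected.
aaa authentication ssh console radius_1

! Permit SSH only from the management subnet on the inside interface
! (placeholder network).
ssh 192.0.2.0 255.255.255.0 inside
```

Review the output of show running-config username and show running-config aaa after applying such a change, so that you can confirm which accounts are reachable by key and which by password.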

New Features in ASA 9.6(2)


Released: August 24, 2016

Platform Features

ASA for the Firepower 4150
We introduced the ASA for the Firepower 4150.
Requires FXOS 2.0.1.
We did not add or modify any commands.

Hot Plug Interfaces on the ASAv
You can add and remove Virtio virtual interfaces on the ASAv while the system is active. When you add a new interface to the ASAv, the virtual machine detects and provisions the interface. When you remove an existing interface, the virtual machine releases any resource associated with the interface. Hot plug interfaces are limited to Virtio virtual interfaces on the Kernel-based Virtual Machine (KVM) hypervisor.
Microsoft Azure support on the ASAv10
Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper V Hypervisor. The ASAv runs as a guest in the Microsoft Azure environment of the Hyper V Hypervisor. The ASAv on Microsoft Azure supports one instance type, the Standard D3, which supports four vCPUs, 14 GB, and four interfaces.
Also in 9.5(2.200).

Through traffic support on the Management 0/0 interface for the ASAv
You can now allow through traffic on the Management 0/0 interface on the ASAv. Previously, only the ASAv on Microsoft Azure supported through traffic; now all ASAvs support through traffic. You can optionally configure this interface to be management-only, but it is not configured by default.
We modified the following command: management-only

Common Criteria Certification
The ASA was updated to comply with the Common Criteria requirements. See the entries in this release for the following features that were added for this certification:
• ASA SSL Server mode matching for ASDM
• SSL client RFC 6125 support:
  • Reference Identities for Secure Syslog Server connections and Smart Licensing connections
  • ASA client checks Extended Key Usage in server certificates
  • Mutual authentication when ASA acts as a TLS client for TLS1.1 and 1.2
• PKI debug messages
• Crypto Key Zeroization verification
• IPsec/ESP Transport Mode Support for IKEv2
• New syslog messages
Firewall Features

DNS over TCP inspection
You can now inspect DNS over TCP traffic (TCP/53).
We added the following command: tcp-inspection

MTP3 User Adaptation (M3UA) inspection
You can now inspect M3UA traffic and also apply actions based on point code, service indicator, and message class and type.
We added or modified the following commands: clear service-policy inspect m3ua {drops | endpoint [IP_address]}, inspect m3ua, match dpc, match opc, match service-indicator, policy-map type inspect m3ua, show asp table classify domain inspect-m3ua, show conn detail, show service-policy inspect m3ua {drops | endpoint IP_address}, ss7 variant, timeout endpoint

Session Traversal Utilities for NAT (STUN) inspection
You can now inspect STUN traffic for WebRTC applications including Cisco Spark. Inspection opens pinholes required for return traffic.
We added or modified the following commands: inspect stun, show conn detail, show service-policy inspect stun
Application layer health checking for Cisco Cloud Web Security
You can now configure Cisco Cloud Web Security to check the health of the Cloud Web Security application when determining if the server is healthy. By checking application health, the system can fail over to the backup server when the primary server responds to the TCP three-way handshake but cannot process requests. This ensures a more reliable system.
We added the following commands: health-check application url, health-check application timeout

Connection holddown timeout for route convergence
You can now configure how long the system should maintain a connection when the route used by the connection no longer exists or is inactive. If the route does not become active within this holddown period, the connection is freed. You can reduce the holddown timer to make route convergence happen more quickly. However, the 15 second default is appropriate for most networks to prevent route flapping.
We added the following command: timeout conn-holddown
Also in 9.4(3).

Changes in TCP option handling
You can now specify actions for the TCP MSS and MD5 options in a packet's TCP header when configuring a TCP map. In addition, the default handling of the MSS, timestamp, window-size, and selective-ack options has changed. Previously, these options were allowed, even if there were more than one option of a given type in the header. Now, packets are dropped by default if they contain more than one option of a given type. For example, previously a packet with 2 timestamp options would be allowed; now it will be dropped.
You can configure a TCP map to allow multiple options of the same type for MD5, MSS, selective-ack, timestamp, and window-size. For the MD5 option, the previous default was to clear the option, whereas the default now is to allow it. You can also drop packets that contain the MD5 option. For the MSS option, you can set the maximum segment size in the TCP map (per traffic class). The default for all other TCP options remains the same: they are cleared.
We modified the following command: tcp-options
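The following is an added model of the new default, written for this guide and not taken from the ASA: it parses the option bytes of a TCP header, drops the segment when an MSS, window-size, selective-ack, timestamp or MD5 option appears more than once unless the modelled TCP map allows repeats, applies the allow/drop choice for MD5, and clears every other option kind. The TcpMap class, the mapping of "window-size" to the window-scale option and of "selective-ack" to the SACK-permitted and SACK options, and the option byte strings are assumptions constructed for the example.

```python
"""Added model of the ASA 9.6(2) default TCP option handling (not ASA code).

Option kinds follow the IANA TCP option registry. "window-size" in the text is
modelled as the window-scale option (kind 3) and "selective-ack" as both the
SACK-permitted (4) and SACK (5) options; both mappings are assumptions.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

EOL, NOP = 0, 1
NAMES = {2: "mss", 3: "window-size", 4: "selective-ack",
         5: "selective-ack", 8: "timestamp", 19: "md5"}


@dataclass
class TcpMap:
    """Option-related knobs of a modelled tcp-map (constructed, not the real syntax)."""
    allow_multiple: set[str] = field(default_factory=set)  # names allowed to repeat
    drop_md5: bool = False                                  # drop segments carrying MD5


@dataclass
class Verdict:
    action: str           # "allow" or "drop"
    reasons: list[str]    # why a segment was dropped
    cleared: list[str]    # option kinds that would be cleared from the header


def parse_options(raw: bytes) -> list[tuple[int, bytes]]:
    """Split the TCP option bytes into (kind, data) pairs, honouring EOL and NOP."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad length {length} for option kind {kind}")
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def normalize(raw: bytes, tmap: TcpMap) -> Verdict:
    """Apply the 9.6(2) default: a repeated MSS/window-size/selective-ack/timestamp/MD5
    option drops the segment unless the map allows repeats, MD5 is allowed unless the
    map says drop, and every other option kind is cleared."""
    opts = parse_options(raw)
    counts = Counter(NAMES[k] for k, _ in opts if k in NAMES)
    reasons, cleared = [], []
    for name, n in counts.items():
        if n > 1 and name not in tmap.allow_multiple:
            reasons.append(f"{n} {name} options in one header")
    if tmap.drop_md5 and counts.get("md5"):
        reasons.append("MD5 option present and map set to drop")
    for kind, _ in opts:
        if kind not in NAMES:
            cleared.append(f"kind-{kind}")
    return Verdict("drop" if reasons else "allow", reasons, cleared)


# Constructed option blocks for the example (not captured traffic).
# MSS 1460, NOP, window scale 7, SACK-permitted, then two timestamp options.
DUP_TIMESTAMP = (b"\x02\x04\x05\xb4" b"\x01" b"\x03\x03\x07" b"\x04\x02"
                 + b"\x08\x0a" + (1).to_bytes(4, "big") + bytes(4)
                 + b"\x08\x0a" + (2).to_bytes(4, "big") + bytes(4))
# MSS 1460, an MD5 signature option (16-byte digest) and an unknown kind-30 option.
WITH_MD5 = b"\x02\x04\x05\xb4" + b"\x13\x12" + bytes(16) + b"\x1e\x04\x00\x00"

if __name__ == "__main__":
    print(normalize(DUP_TIMESTAMP, TcpMap()))                 # dropped by default
    print(normalize(DUP_TIMESTAMP, TcpMap({"timestamp"})))    # allowed by the map
    print(normalize(WITH_MD5, TcpMap(drop_md5=True)))         # dropped for MD5
```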

Transparent mode maximum interfaces per bridge group increased to 64
The maximum interfaces per bridge group was increased from 4 to 64.
We did not modify any commands.

Flow offload support for multicast connections in transparent mode
You can now offload multicast connections to be switched directly in the NIC on transparent mode Firepower 4100 and 9300 series devices. Multicast offload is available for bridge groups that contain two and only two interfaces.
There are no new commands or ASDM screens for this feature.

Customizable ARP rate limiting
You can set the maximum number of ARP packets allowed per second. The default value depends on your ASA model. You can customize this value to prevent an ARP storm attack.
We added the following commands: arp rate-limit, show arp rate-limit

Ethertype rule support for the IEEE 802.2 Logical Link Control packet's Destination Service Access Point address
You can now write Ethertype access control rules for the IEEE 802.2 Logical Link Control packet's Destination Service Access Point address. Because of this addition, the bpdu keyword no longer matches the intended traffic. Rewrite bpdu rules for dsap 0x42.
We modified the following command: access-list ethertype
Remote Access Features

Pre-fill/Username-from-cert feature for multiple context mode
AnyConnect SSL support is extended, allowing pre-fill/username-from-certificate feature CLIs, previously available only in single mode, to be enabled in multiple context mode as well.
We did not modify any commands.

Flash Virtualization for Remote Access VPN
Remote access VPN in multiple context mode now supports flash virtualization. Each context can have a private storage space and a shared storage place based on the total flash that is available:
• Private storage—Store files associated only with that user and specific to the content that you want for that user.
• Shared storage—Upload files to this space and have it accessible to any user context for read/write access once you enable it.
We introduced the following commands: limit-resource storage, storage-url

AnyConnect client profiles supported in multiple context mode
AnyConnect client profiles are supported in multiple context mode. To add a new profile using ASDM, you must have the AnyConnect Secure Mobility Client release 4.2.00748 or 4.3.03013 and later.

Stateful failover for AnyConnect connections in multiple context mode
Stateful failover is now supported for AnyConnect connections in multiple context mode.
We did not modify any commands.

Remote Access VPN Dynamic Access Policy (DAP) is supported in multiple context mode
You can now configure DAP per context in multiple context mode.
We did not modify any commands.

Remote Access VPN CoA (Change of Authorization) is supported in multiple context mode
You can now configure CoA per context in multiple context mode.
We did not modify any commands.

Remote Access VPN localization is supported in multiple context mode
Localization is supported globally. There is only one set of localization files that are shared across different contexts.
We did not modify any commands.

Umbrella Roaming Security module support
You can choose to configure the AnyConnect Secure Mobility Client's Umbrella Roaming Security module for additional DNS-layer security when no VPN is active.
We did not modify any commands.

IPsec/ESP Transport Mode Support for IKEv2
Transport mode is now supported for ASA IKEv2 negotiation. It can be used in place of tunnel (default) mode. Tunnel mode encapsulates the entire IP packet. Transport mode encapsulates only the upper-layer protocols of an IP packet. Transport mode requires that both the source and destination hosts support IPsec, and can only be used when the destination peer of the tunnel is the final destination of the IP packet.
We modified the following command: crypto map set ikev2 mode

Per-packet routing lookups for IPsec inner packets
By default, per-packet adjacency lookups are done for outer ESP packets; lookups are not done for packets sent through the IPsec tunnel. In some network topologies, when a routing update has altered the inner packet's path, but the local IPsec tunnel is still up, packets through the tunnel may not be routed correctly and fail to reach their destination. To prevent this, use the new option to enable per-packet routing lookups for the IPsec inner packets.
We added the following command: crypto ipsec inner-routing-lookup

Certificate and Secure Connection Features

ASA client checks Extended Key Usage in server certificates
Syslog and Smart Licensing server certificates must contain "ServerAuth" in the Extended Key Usage field. If not, the connection fails.

Mutual authentication when ASA acts as a TLS client for TLS1.1 and 1.2
If the server requests a client certificate from the ASA for authentication, the ASA will send the client identity certificate configured for that interface. The certificate is configured by the ssl trust-point command.

PKI debug messages
The ASA PKI module makes connections to CA servers such as SCEP enrollment, revocation checking using HTTP, etc. All of these ASA PKI exchanges will be logged as debug traces under debug crypto ca message 5.

ASA SSL Server mode matching for ASDM
For an ASDM user who authenticates with a certificate, you can now require the certificate to match a certificate map.
We modified the following command: http authentication-certificate match

Reference Identities for Secure Syslog Server connections and Smart Licensing connections
TLS client processing now supports rules for verification of a server identity defined in RFC 6125, Section 6. Identity verification will be done during PKI validation for TLS connections to the Syslog Server and the Smart Licensing server only. If the presented identity cannot be matched against the configured reference identity, the connection is not established.
We added or modified the following commands: crypto ca reference-identity, logging host, call home profile destination address
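As an added illustration of what the reference identity check above does (example code written for this guide, not the ASA's implementation), the following models the RFC 6125 Section 6 comparison for DNS-ID and CN-ID references: wildcards are accepted only as a whole left-most label, and the certificate's CN is consulted only when it presents no subjectAltName dNSName entries, so a mismatch refuses the connection. The certificate contents and reference identities are constructed for the example.

```python
"""Added model of RFC 6125 Section 6 server-identity matching (not ASA code).

The guide states that the syslog and Smart Licensing servers' certificates are
checked against a configured reference identity and that the TLS connection is
not established on a mismatch; this reproduces the matching rules for DNS-ID
and CN-ID references. All certificate data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class PresentedIdentities:
    """What a server certificate presents: subjectAltName dNSName entries and the CN."""
    dns_names: list[str] = field(default_factory=list)
    common_name: str | None = None


def _labels(name: str) -> list[str]:
    return name.lower().rstrip(".").split(".")


def match_dns_id(presented: str, reference: str) -> bool:
    """RFC 6125 6.4.3 comparison with the conservative options: a wildcard is
    accepted only as the entire left-most label, never in the last two labels,
    and it matches exactly one label (so *.example.net never covers a.b.example.net)."""
    p, r = _labels(presented), _labels(reference)
    if "*" not in presented:
        return p == r
    if p[0] != "*" or any("*" in lab for lab in p[1:]) or len(p) < 3:
        return False
    return len(p) == len(r) and p[1:] == r[1:]


def verify_identity(cert: PresentedIdentities,
                    references: list[tuple[str, str]]) -> tuple[bool, str | None]:
    """Return (matched, description of the reference that matched).

    `references` holds (type, value) pairs with type "dns-id" or "cn-id".
    Per RFC 6125 6.4.4 the CN is consulted only when the certificate presents no
    dNSName entries at all. A (False, None) result means: refuse the connection.
    """
    for ref_type, value in references:
        if ref_type == "dns-id":
            if any(match_dns_id(d, value) for d in cert.dns_names):
                return True, f"dns-id {value}"
        elif ref_type == "cn-id":
            if (not cert.dns_names and cert.common_name is not None
                    and match_dns_id(cert.common_name, value)):
                return True, f"cn-id {value}"
        else:
            raise ValueError(f"unsupported reference identity type {ref_type!r}")
    return False, None


# Constructed example certificates (not real servers).
SYSLOG_CERT = PresentedIdentities(dns_names=["syslog.example.com", "*.logs.example.net"],
                                  common_name="syslog.example.com")
LEGACY_CERT = PresentedIdentities(common_name="licensing.example.org")  # CN only, no SAN

if __name__ == "__main__":
    print(verify_identity(SYSLOG_CERT, [("dns-id", "syslog.example.com")]))    # matched
    print(verify_identity(SYSLOG_CERT, [("dns-id", "a.b.logs.example.net")]))  # refused
    print(verify_identity(SYSLOG_CERT, [("cn-id", "syslog.example.com")]))     # refused
    print(verify_identity(LEGACY_CERT, [("cn-id", "licensing.example.org")]))  # matched
```

The third call shows the rule that most often surprises operators: a CN-ID reference is ignored as soon as the certificate carries any dNSName entry, so a cert with SANs needs a dns-id reference.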

Crypto Key Zeroization verification
The ASA crypto system has been updated to comply with new key zeroization requirements. Keys must be overwritten with all zeros and then the data must be read to verify that the write was successful.

SSH public key authentication improvements
In earlier releases, you could enable SSH public key authentication (ssh authentication) without also enabling AAA SSH authentication with the Local user database (aaa authentication ssh console LOCAL). The configuration is now fixed so that you must explicitly enable AAA SSH authentication. To disallow users from using a password instead of the private key, you can now create a username without any password defined.
We modified the following commands: ssh authentication, username

Interface Features

Increased MTU size for the ASA on the Firepower 4100/9300 chassis
You can set the maximum MTU to 9188 bytes on the Firepower 4100 and 9300; formerly, the maximum was 9000 bytes. This MTU is supported with FXOS 2.0.1.68 and later.
We modified the following command: mtu

Routing Features

Bidirectional Forwarding Detection (BFD) Support
The ASA now supports the BFD routing protocol. Support was added for configuring BFD templates, interfaces, and maps. Support for the BGP routing protocol to use BFD was also added.
We added or modified the following commands: authentication, bfd echo, bfd interval, bfd map, bfd slow-timers, bfd template, bfd-template, clear bfd counters, echo, debug bfd, neighbor fall-over bfd, show bfd drops, show bfd map, show bfd neighbors, show bfd summary

IPv6 DHCP
The ASA now supports the following features for IPv6 addressing:
• DHCPv6 Address client—The ASA obtains an IPv6 global address and optional default route from the DHCPv6 server.
• DHCPv6 Prefix Delegation client—The ASA obtains delegated prefix(es) from a DHCPv6 server. The ASA can then use these prefixes to configure other ASA interface addresses so that StateLess Address Auto Configuration (SLAAC) clients can autoconfigure IPv6 addresses on the same network.
• BGP router advertisement for delegated prefixes
• DHCPv6 stateless server—The ASA provides other information such as the domain name to SLAAC clients when they send Information Request (IR) packets to the ASA. The ASA only accepts IR packets, and does not assign addresses to the clients.
We added or modified the following commands: clear ipv6 dhcp statistics, domain-name, dns-server, import, ipv6 address autoconfig, ipv6 address dhcp, ipv6 dhcp client pd, ipv6 dhcp client pd hint, ipv6 dhcp pool, ipv6 dhcp server, network, nis address, nis domain-name, nisp address, nisp domain-name, show bgp ipv6 unicast, show ipv6 dhcp, show ipv6 general-prefix, sip address, sip domain-name, sntp address

High Availability and Scalability Features

Improved sync time for dynamic ACLs from AnyConnect when using Active/Standby failover
When you use AnyConnect on a failover pair, the sync time for the associated dynamic ACLs (dACLs) to the standby unit is now improved. Previously, with large dACLs, the sync time could take hours, during which the standby unit is busy syncing instead of providing high availability backup.
We did not modify any commands.

Licensing Features

Permanent License Reservation for the ASAv
For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASAv. In 9.6(2), we also added support for this feature for the ASAv on Amazon Web Services. This feature is not supported for Microsoft Azure.
Note Not all accounts are approved for permanent license reservation. Make sure you have approval from Cisco for this feature before you attempt to configure it.
We introduced the following commands: license smart reservation, license smart reservation cancel, license smart reservation install, license smart reservation request universal, license smart reservation return
Also in 9.5(2.200).

Satellite Server support for the ASAv
If your devices cannot access the internet for security reasons, you can optionally install a local Smart Software Manager satellite server as a virtual machine (VM).
We did not modify any commands.

Permanent License Reservation for the ASAv Short String enhancement
Due to an update to the Smart Agent (to 1.6.4), the request and authorization codes now use shorter strings.
We did not modify any commands.

Permanent License Reservation for the ASA on the Firepower 4100/9300 chassis
For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASA on the Firepower 9300 and Firepower 4100. All available license entitlements are included in the permanent license, including the Standard Tier, Strong Encryption (if qualified), Security Contexts, and Carrier licenses. Requires FXOS 2.0.1.
All configuration is performed on the Firepower 4100/9300 chassis; no configuration is required on the ASA.

Smart Agent Upgrade for ASAv to v1.6
The smart agent was upgraded from Version 1.1 to Version 1.6. This upgrade supports permanent license reservation and also supports setting the Strong Encryption (3DES/AES) license entitlement according to the permission set in your license account.
Note If you downgrade from Version 9.5(2.200), the ASAv does not retain the licensing registration state. You need to re-register with the license smart register idtoken id_token force command; obtain the ID token from the Smart Software Manager.
We introduced the following commands: show license status, show license summary, show license udi, show license usage
We modified the following commands: show license all, show tech-support license
We deprecated the following commands: show license cert, show license entitlement, show license pool, show license registration
Also in 9.5(2.200).

Monitoring Features

Packet capture of type asp-drop supports ACL and match filtering
When you create a packet capture of type asp-drop, you can now also specify an ACL or match option to limit the scope of the capture.
We modified the following command: capture type asp-drop

Forensic Analysis enhancements
You can create a core dump of any process running on the ASA. The ASA also extracts the text section of the main ASA process that you can copy from the ASA for examination.
We modified the following commands: copy system:text, verify system:text, crashinfo force dump process

Tracking Packet Count on a Per-Connection Basis through NetFlow
Two counters were added that allow NetFlow users to see the number of Layer 4 packets being sent in both directions on a connection. You can use these counters to determine average packet rates and sizes and to better predict traffic types, anomalies, and events.
We did not modify any commands.

SNMP engineID sync for Failover
In a failover pair, the SNMP engineIDs of the paired ASAs are synced on both units. Three sets of engineIDs are maintained per ASA—synced engineID, native engineID and remote engineID.
An SNMPv3 user can also specify the engineID of the ASA when creating a profile to preserve localized snmp-server user authentication and privacy options. If a user does not specify the native engineID, the show running-config output will show two engineIDs per user.
We modified the following command: snmp-server user
Also in 9.4(3).

New Features in ASA 9.6(1)


Released: March 21, 2016

Note The ASAv 9.5.2(200) features, including Microsoft Azure support, are not available in 9.6(1). They are
available in 9.6(2).

Platform Features

ASA for the Firepower 4100 series
We introduced the ASA for the Firepower 4110, 4120, and 4140.
Requires FXOS 1.1.4.
We did not add or modify any commands.

SD card support for the ISA 3000
You can now use an SD card for external storage on the ISA 3000. The card appears as disk3 in the ASA file system. Note that plug and play support requires hardware version 2.1 and later. Use the show module command to check your hardware version.
We did not add or modify any commands.

Dual power supply support for the ISA 3000
For dual power supplies in the ISA 3000, you can establish dual power supplies as the expected configuration in the ASA OS. If one power supply fails, the ASA issues an alarm. By default, the ASA expects a single power supply and won't issue an alarm as long as it includes one working power supply.
We introduced the following command: power-supply dual.

Firewall Features

Diameter inspection improvements
You can now inspect Diameter over TCP/TLS traffic, apply strict protocol conformance checking, and inspect Diameter over SCTP in cluster mode.
We introduced or modified the following commands: client clear-text, inspect diameter, strict-diameter.

SCTP stateful inspection in cluster mode
SCTP stateful inspection now works in cluster mode. You can also configure SCTP stateful inspection bypass in cluster mode.
We did not add or modify any commands.

H.323 inspection support for the H.225 FACILITY message coming before the H.225 SETUP message for H.460.18 compatibility
You can now configure an H.323 inspection policy map to allow for H.225 FACILITY messages to come before the H.225 SETUP message, which can happen when endpoints comply with H.460.18.
We introduced the following command: early-message.

Cisco TrustSec support for Security Exchange Protocol (SXP) version 3
Cisco TrustSec on ASA now implements SXPv3, which enables SGT-to-subnet bindings, which are more efficient than host bindings.
We introduced or modified the following commands: cts sxp mapping network-map maximum_hosts, cts role-based sgt-map, show cts sgt-map, show cts sxp sgt-map, show asp table cts sgt-map.

Flow off-load support for the Firepower 4100 series
You can identify flows that should be off-loaded from the ASA and switched directly in the NIC for the Firepower 4100 series.
Requires FXOS 1.1.4.
We did not add or modify any commands.
Remote Access Features

IKEv2 Fragmentation, RFC-7383 support
The ASA now supports this standard fragmentation of IKEv2 packets. This allows interoperability with other IKEv2 implementations such as Apple, strongSwan, etc. The ASA continues to support the current, proprietary IKEv2 fragmentation to maintain backward compatibility with Cisco products that do not support RFC-7383, such as the AnyConnect client.
We introduced the following commands: crypto ikev2 fragmentation, show running-config crypto ikev2, show crypto ikev2 sa detail

VPN Throughput Performance Enhancements on Firepower 9300 and Firepower 4100 series
The crypto engine accelerator-bias command is now supported on the ASA security module on the Firepower 9300 and Firepower 4100 series. This command lets you "bias" more crypto cores toward either IPsec or SSL.
We modified the following command: crypto engine accelerator-bias

Configurable SSH encryption and HMAC algorithm
Users can select cipher modes when doing SSH encryption management and can configure HMAC and encryption for varying key exchange algorithms. You might want to change the ciphers to be more or less strict, depending on your application. Note that the performance of secure copy depends partly on the encryption cipher used. By default, the ASA negotiates one of the following algorithms in order: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr. If the first algorithm proposed (3des-cbc) is chosen, then the performance is much slower than a more efficient algorithm such as aes128-cbc. To change the proposed ciphers, use ssh cipher encryption custom aes128-cbc, for example.
We introduced the following commands: ssh cipher encryption, ssh cipher integrity.
Also available in 9.1(7), 9.4(3), and 9.5(3).

HTTP redirect support for IPv6
When you enable HTTP redirect to HTTPS for ASDM access or clientless SSL VPN, you can now redirect traffic sent to an IPv6 address.
We added functionality to the following command: http redirect
Also available in 9.1(7) and 9.4(3).

Routing Features

IS-IS routing
The ASA now supports the Intermediate System to Intermediate System (IS-IS) routing protocol. Support was added for routing data, performing authentication, and redistributing and monitoring routing information using the IS-IS routing protocol.
We introduced the following commands: advertise passive-only, area-password, authentication key, authentication mode, authentication send-only, clear isis, debug isis, distance, domain-password, fast-flood, hello padding, hostname dynamic, ignore-lsp-errors, isis adjacency-filter, isis advertise prefix, isis authentication key, isis authentication mode, isis authentication send-only, isis circuit-type, isis csnp-interval, isis hello-interval, isis hello-multiplier, isis hello padding, isis lsp-interval, isis metric, isis password, isis priority, isis protocol shutdown, isis retransmit-interval, isis retransmit-throttle-interval, isis tag, is-type, log-adjacency-changes, lsp-full suppress, lsp-gen-interval, lsp-refresh-interval, max-area-addresses, max-lsp-lifetime, maximum-paths, metric, metric-style, net, passive-interface, prc-interval, protocol shutdown, redistribute isis, route priority high, route isis, set-attached-bit, set-overload-bit, show clns, show isis, show router isis, spf-interval, summary-address.

High Availability and Scalability Features

Support for site-specific IP addresses in Routed, Spanned EtherChannel mode
For inter-site clustering in routed mode with Spanned EtherChannels, you can now configure site-specific IP addresses in addition to site-specific MAC addresses. The addition of site IP addresses allows you to use ARP inspection on the Overlay Transport Virtualization (OTV) devices to prevent ARP responses from the global MAC address from traveling over the Data Center Interconnect (DCI), which can cause routing problems. ARP inspection is required for some switches that cannot use VACLs to filter MAC addresses.
We modified the following commands: mac-address, show interface

Administrative Features

Longer password support for local username and enable passwords (up to 127 characters)
You can now create local username and enable passwords up to 127 characters (the former limit was 32). When you create a password longer than 32 characters, it is stored in the configuration using a PBKDF2 (Password-Based Key Derivation Function 2) hash. Shorter passwords continue to use the MD5-based hashing method.
We modified the following commands: enable, username

Support for the cempMemPoolTable in the CISCO-ENHANCED-MEMPOOL-MIB
The cempMemPoolTable of the CISCO-ENHANCED-MEMPOOL-MIB is now supported. This is a table of memory pool monitoring entries for all physical entities on a managed system.
Note The CISCO-ENHANCED-MEMPOOL-MIB uses 64-bit counters and supports reporting of memory on platforms with more than 4GB of RAM.
We did not add or modify any commands.
Also available in 9.1(7) and 9.4(3).

REST API Version 1.3.1
We added support for the REST API Version 1.3.1.

Firewall Functional Overview


Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall can
also protect inside networks from each other, for example, by keeping a human resources network separate
from a user network. If you have network resources that need to be available to an outside user, such as a web
or FTP server, you can place these resources on a separate network behind the firewall, called a
demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ only includes
the public servers, an attack there only affects the servers and does not affect the other inside networks. You
can also control when inside users access outside networks (for example, access to the Internet), by allowing
only certain addresses out, by requiring authentication or authorization, or by coordinating with an external
URL filtering server.
When discussing networks connected to a firewall, the outside network is in front of the firewall, the inside
network is protected and behind the firewall, and a DMZ, while behind the firewall, allows limited access to
outside users. Because the ASA lets you configure many interfaces with varied security policies, including
many inside interfaces, many DMZs, and even many outside interfaces if desired, these terms are used in a
general sense only.

Security Policy Overview


A security policy determines which traffic is allowed to pass through the firewall to access another network.
By default, the ASA allows traffic to flow freely from an inside network (higher security level) to an outside
network (lower security level). You can apply actions to traffic to customize the security policy.

Permitting or Denying Traffic with Access Rules


You can apply access rules to limit traffic from inside to outside, or allow traffic from outside to inside. For
bridge group interfaces, you can also apply an EtherType access rule to allow non-IP traffic.

Applying NAT
Some of the benefits of NAT include the following:
• You can use private addresses on your inside networks. Private addresses are not routable on the Internet.
• NAT hides the local addresses from other networks, so attackers cannot learn the real address of a host.
• NAT can resolve IP routing problems by supporting overlapping IP addresses.

Protecting from IP Fragments


The ASA provides IP fragment protection. This feature performs full reassembly of all ICMP error messages
and virtual reassembly of the remaining IP fragments that are routed through the ASA. Fragments that fail
the security check are dropped and logged. Virtual reassembly cannot be disabled.

Applying HTTP, HTTPS, or FTP Filtering


Although you can use access lists to prevent outbound access to specific websites or FTP servers, configuring
and managing web usage this way is not practical because of the size and dynamic nature of the Internet.
You can configure Cloud Web Security on the ASA, or install an ASA module that provides URL and other
filtering services, such as ASA CX or ASA FirePOWER. You can also use the ASA in conjunction with an
external product such as the Cisco Web Security Appliance (WSA).

Applying Application Inspection


Inspection engines are required for services that embed IP addressing information in the user data packet or
that open secondary channels on dynamically assigned ports. These protocols require the ASA to do a deep
packet inspection.

Sending Traffic to Supported Hardware or Software Modules


Some ASA models allow you to configure software modules, or to insert hardware modules into the chassis,
to provide advanced services. These modules provide additional traffic inspection and can block traffic based
on your configured policies. You can send traffic to these modules to take advantage of these advanced
services.

Applying QoS Policies


Some network traffic, such as voice and streaming video, cannot tolerate long latency times. QoS is a network
feature that lets you give priority to these types of traffic. QoS refers to the capability of a network to provide
better service to selected network traffic.

Applying Connection Limits and TCP Normalization


You can limit TCP and UDP connections and embryonic connections. Limiting the number of connections
and embryonic connections protects you from a DoS attack. The ASA uses the embryonic limit to trigger
TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with
TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary
handshake between source and destination.
TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets that
do not appear normal.

Enabling Threat Detection


You can configure scanning threat detection and basic threat detection, and also how to use statistics to analyze
threats.


Basic threat detection detects activity that might be related to an attack, such as a DoS attack, and automatically
sends a system log message.
A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by
scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The scanning
threat detection feature determines when a host is performing a scan. Unlike IPS scan detection that is based
on traffic signatures, the ASA scanning threat detection feature maintains an extensive database that contains
host statistics that can be analyzed for scanning activity.
The host database tracks suspicious activity such as connections with no return activity, access of closed
service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors.
You can configure the ASA to send system log messages about an attacker or you can automatically shun the
host.
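The host-database approach described above can be illustrated with a small detector. The following is an added example, not code from the Cisco guide or the ASA itself: it keeps per-source statistics of connections that got no return activity or hit a closed port, and flags a source as a host scan or a port scan when the number of distinct destinations or ports crosses a threshold. The flow records, the outcome labels, the thresholds (the ASA's real thresholds are rate-based and configurable) and the syslog-style message text are all constructed for this example; the `shun` command it emits is the ASA command the guide names for blocking a host.

```python
from collections import defaultdict

# Constructed flow records for this example (not ASA output). Each record is
# (source, destination, destination_port, outcome), where outcome is
#   "established" - handshake completed, normal traffic
#   "no_return"   - SYN sent and nothing came back (no return activity)
#   "closed"      - RST came back (access of a closed service port)
SAMPLE_FLOWS = [
    ("10.1.1.50", "192.168.1.10", 80, "established"),
    ("10.1.1.50", "192.168.1.10", 443, "established"),
    ("10.1.1.50", "192.168.1.11", 8080, "closed"),     # a single closed port is not a scan
    # 10.1.1.99 tries 20 ports on one host: a port scan of a single host
    *[("10.1.1.99", "192.168.1.10", port, "closed") for port in range(20, 40)],
    # 10.1.1.77 tries port 22 on 29 hosts of the subnet: a host scan
    *[("10.1.1.77", f"192.168.1.{h}", 22, "no_return") for h in range(1, 30)],
    ("10.1.1.77", "192.168.1.5", 22, "established"),
]


def analyze_flows(flows, host_threshold=10, port_threshold=10):
    """Return {source: [kinds]} for sources whose failed connections exceed the
    constructed thresholds; successful connections never count against a host."""
    probed_hosts = defaultdict(set)                        # src -> {hosts probed without success}
    probed_ports = defaultdict(lambda: defaultdict(set))   # src -> dst -> {ports probed without success}
    for src, dst, dport, outcome in flows:
        if outcome == "established":
            continue
        probed_hosts[src].add(dst)
        probed_ports[src][dst].add(dport)

    findings = {}
    for src in probed_hosts:
        kinds = []
        if len(probed_hosts[src]) >= host_threshold:
            kinds.append("host-scan")      # many hosts in a subnet, same or few ports
        if any(len(ports) >= port_threshold for ports in probed_ports[src].values()):
            kinds.append("port-scan")      # many ports on one host
        if kinds:
            findings[src] = kinds
    return findings


def syslog_messages(findings):
    """Constructed syslog-style text, one line per attacker (not the ASA's message IDs)."""
    return [f"scanning threat detected: {src} ({', '.join(kinds)})"
            for src, kinds in sorted(findings.items())]


def shun_commands(findings):
    """The ASA 'shun' commands that would block each detected attacker."""
    return [f"shun {src}" for src in sorted(findings)]


if __name__ == "__main__":
    found = analyze_flows(SAMPLE_FLOWS)
    print("\n".join(syslog_messages(found)))
    print("\n".join(shun_commands(found)))
```

Whether to shun automatically or only log is a policy choice: a threshold this simple will also fire on a misconfigured monitoring host, which is why the guide presents logging and shunning as separate options.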

Firewall Mode Overview


The ASA runs in two different firewall modes:
• Routed
• Transparent

In routed mode, the ASA is considered to be a router hop in the network.


In transparent mode, the ASA acts like a “bump in the wire,” or a “stealth firewall,” and is not considered a
router hop. The ASA connects to the same network on its inside and outside interfaces in a "bridge group".
You might use a transparent firewall to simplify your network configuration. Transparent mode is also useful
if you want the firewall to be invisible to attackers. You can also use a transparent firewall for traffic that
would otherwise be blocked in routed mode. For example, a transparent firewall can allow multicast streams
using an EtherType access list.

Stateful Inspection Overview


All traffic that goes through the ASA is inspected using the Adaptive Security Algorithm and either allowed
through or dropped. A simple packet filter can check for the correct source address, destination address, and
ports, but it does not check that the packet sequence or flags are correct. A filter also checks every packet
against the filter, which can be a slow process.

Note The TCP state bypass feature allows you to customize the packet flow.

A stateful firewall like the ASA, however, takes into consideration the state of a packet:
• Is this a new connection?
If it is a new connection, the ASA has to check the packet against access lists and perform other tasks to
determine if the packet is allowed or denied. To perform this check, the first packet of the session goes
through the “session management path,” and depending on the type of traffic, it might also pass through
the “control plane path.”
The session management path is responsible for the following tasks:
• Performing the access list checks
• Performing route lookups
• Allocating NAT translations (xlates)
• Establishing sessions in the “fast path”

The ASA creates forward and reverse flows in the fast path for TCP traffic; the ASA also creates
connection state information for connectionless protocols like UDP and ICMP (when you enable ICMP
inspection), so that they can also use the fast path.

Note For other IP protocols, like SCTP, the ASA does not create reverse path flows.
As a result, ICMP error packets that refer to these connections are dropped.

Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed
on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more
channels: a data channel, which uses well-known port numbers, and a control channel, which uses different
port numbers for each session. These protocols include FTP, H.323, and SNMP.
• Is this an established connection?
If the connection is already established, the ASA does not need to re-check packets; most matching
packets can go through the “fast” path in both directions. The fast path is responsible for the following
tasks:
• IP checksum verification
• Session lookup
• TCP sequence number check
• NAT translations based on existing sessions
• Layer 3 and Layer 4 header adjustments

Data packets for protocols that require Layer 7 inspection can also go through the fast path.
Some established session packets must continue to go through the session management path or the control
plane path. Packets that go through the session management path include HTTP packets that require
inspection or content filtering. Packets that go through the control plane path include the control packets
for protocols that require Layer 7 inspection.
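The two paths above, together with the embryonic-connection limit from Applying Connection Limits and TCP Normalization, can be modelled in a few dozen lines. The following is an added example and not ASA code: the first packet of a connection goes through a session management path (TCP state check, ACL check, embryonic limit, session creation with forward and reverse flows), and every later packet of that connection, in either direction, is matched by 5-tuple lookup and takes the fast path without another ACL check. The `Packet` class, the ACL tuple format, the `embryonic_limit` of 2 and the sample packets are all constructed for this example; a real ASA would proxy the handshake (TCP Intercept) where this model simply reports `tcp-intercept`.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags as letters: "S" SYN, "A" ACK, "SA" SYN-ACK


def _in_prefix(ip, prefix):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)


class StatefulFirewall:
    """Toy model of the ASA session management path and fast path (constructed)."""

    def __init__(self, acl, embryonic_limit=2):
        # acl entries: (action, src_prefix, dst_prefix, proto, dport-or-None); first match
        # wins and there is an implicit deny at the end, as with an ASA access list.
        self.acl = acl
        self.embryonic_limit = embryonic_limit
        self.conns = {}          # 5-tuple -> shared connection record (forward and reverse keys)
        self.stats = {"session_management": 0, "fast_path": 0, "dropped": 0, "intercepted": 0}

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _acl_permits(self, p):
        for action, src, dst, proto, dport in self.acl:
            if (proto == p.proto and _in_prefix(p.src, src) and _in_prefix(p.dst, dst)
                    and dport in (None, p.dport)):
                return action == "permit"
        return False                                    # implicit deny

    def _embryonic_count(self, server):
        # Each record is stored under two keys, so count distinct records.
        return len({id(c) for c in self.conns.values()
                    if c["state"] == "embryonic" and c["server"] == server})

    def process(self, p):
        key = self._key(p)
        conn = self.conns.get(key)
        if conn is not None:
            # Established session: fast path, no ACL re-check in either direction.
            self.stats["fast_path"] += 1
            if (p.proto == "tcp" and conn["state"] == "embryonic" and key == conn["forward"]
                    and "A" in p.flags and "S" not in p.flags):
                conn["state"] = "established"           # client's final ACK completes the handshake
            return "fast-path"

        # New session: session management path.
        self.stats["session_management"] += 1
        if p.proto == "tcp" and ("S" not in p.flags or "A" in p.flags):
            self.stats["dropped"] += 1
            return "drop: no connection"                # non-SYN packet with no matching session
        if not self._acl_permits(p):
            self.stats["dropped"] += 1
            return "drop: acl"
        server = (p.dst, p.dport)
        if p.proto == "tcp" and self._embryonic_count(server) >= self.embryonic_limit:
            self.stats["intercepted"] += 1
            return "tcp-intercept"                      # too many half-open connections to this server
        conn = {"state": "embryonic" if p.proto == "tcp" else "established",
                "server": server, "forward": key}
        self.conns[key] = conn
        self.conns[self._reverse_key(p)] = conn         # reverse flow: return traffic takes the fast path
        return "session-management"


# Constructed policy: inside hosts may open HTTP and DNS to anywhere; nothing inbound.
INSIDE_ACL = [
    ("permit", "10.1.1.0/24", "0.0.0.0/0", "tcp", 80),
    ("permit", "10.1.1.0/24", "0.0.0.0/0", "udp", 53),
]


def run_demo():
    fw = StatefulFirewall(INSIDE_ACL, embryonic_limit=2)
    packets = [
        Packet("tcp", "10.1.1.5", 40000, "203.0.113.10", 80, "S"),     # new outbound connection
        Packet("tcp", "203.0.113.10", 80, "10.1.1.5", 40000, "SA"),    # reply matches the reverse flow
        Packet("tcp", "10.1.1.5", 40000, "203.0.113.10", 80, "A"),     # handshake completes
        Packet("tcp", "203.0.113.10", 5555, "10.1.1.5", 22, "S"),      # unsolicited inbound SYN
        Packet("tcp", "198.51.100.7", 1234, "10.1.1.5", 40000, "A"),   # stray ACK with no session
        Packet("udp", "10.1.1.5", 5353, "203.0.113.53", 53),           # UDP also gets a state entry
        Packet("tcp", "10.1.1.5", 40001, "203.0.113.10", 80, "S"),     # half-open connection 1
        Packet("tcp", "10.1.1.5", 40002, "203.0.113.10", 80, "S"),     # half-open connection 2
        Packet("tcp", "10.1.1.5", 40003, "203.0.113.10", 80, "S"),     # exceeds the embryonic limit
    ]
    return [fw.process(p) for p in packets], fw.stats
```

Packet 2 is the point of the model: the SYN-ACK from the outside server is permitted by no ACL entry, yet it passes because the reverse flow created by packet 1 exists. Packet 5 shows the TCP state check the note on TCP state bypass refers to; with bypass enabled that packet would instead be evaluated against the ACL.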

VPN Functional Overview


A VPN is a secure connection across a TCP/IP network (such as the Internet) that appears as a private
connection. This secure connection is called a tunnel. The ASA uses tunneling protocols to negotiate security
parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel, and
unencapsulate them. The ASA functions as a bidirectional tunnel endpoint: it can receive plain packets,
encapsulate them, and send them to the other end of the tunnel where they are unencapsulated and sent to
their final destination. It can also receive encapsulated packets, unencapsulate them, and send them to their
final destination. The ASA invokes various standard protocols to accomplish these functions.
The ASA performs the following functions:


• Establishes tunnels
• Negotiates tunnel parameters
• Authenticates users
• Assigns user addresses
• Encrypts and decrypts data
• Manages security keys
• Manages data transfer across the tunnel
• Manages data transfer inbound and outbound as a tunnel endpoint or router

Security Context Overview


You can partition a single ASA into multiple virtual devices, known as security contexts. Each context is an
independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar
to having multiple standalone devices. Many features are supported in multiple context mode, including
routing tables, firewall features, IPS, and management; however, some features are not supported. See the
feature chapters for more information.
In multiple context mode, the ASA includes a configuration for each context that identifies the security policy,
interfaces, and almost all the options you can configure on a standalone device. The system administrator
adds and manages contexts by configuring them in the system configuration, which, like a single mode
configuration, is the startup configuration. The system configuration identifies basic settings for the ASA.
The system configuration does not include any network interfaces or network settings for itself; rather, when
the system needs to access network resources (such as downloading the contexts from the server), it uses one
of the contexts that is designated as the admin context.
The admin context is just like any other context, except that when a user logs into the admin context, then
that user has system administrator rights and can access the system and all other contexts.

ASA Clustering Overview


ASA Clustering lets you group multiple ASAs together as a single logical device. A cluster provides all the
convenience of a single device (management, integration into a network) while achieving the increased
throughput and redundancy of multiple devices.
You perform all configuration (aside from the bootstrap configuration) on the master unit only; the configuration
is then replicated to the member units.

Special and Legacy Services


For some services, documentation is located outside of the main configuration guides and online help.


Special Services Guides


Special services allow the ASA to interoperate with other Cisco products; for example, by providing a
security proxy for phone services (Unified Communications), or by providing Botnet traffic filtering in
conjunction with the dynamic database from the Cisco update server, or by providing WCCP services
for the Cisco Web Security Appliance. Some of these special services are covered in separate guides:
• Cisco ASA Botnet Traffic Filter Guide
• Cisco ASA NetFlow Implementation Guide
• Cisco ASA Unified Communications Guide
• Cisco ASA WCCP Traffic Redirection Guide
• SNMP Version 3 Tools Implementation Guide

Legacy Services Guide


Legacy services are still supported on the ASA, however there may be better alternative services that
you can use instead. Legacy services are covered in a separate guide:
Cisco ASA Legacy Feature Guide
This guide includes the following chapters:
• Configuring RIP
• AAA Rules for Network Access
• Using Protection Tools, which includes Preventing IP Spoofing (ip verify reverse-path), Configuring
the Fragment Size (fragment), Blocking Unwanted Connections (shun), Configuring TCP Options
(for ASDM), and Configuring IP Audit for Basic IPS Support (ip audit).
• Configuring Filtering Services

CHAPTER 2
Getting Started
This chapter describes how to get started with your Cisco ASA.
• Access the Console for the Command-Line Interface, on page 19
• Configure ASDM Access, on page 27
• Start ASDM, on page 32
• Factory Default Configurations, on page 34
• Work with the Configuration, on page 43
• Apply Configuration Changes to Connections, on page 47
• Reload the ASA, on page 48

Access the Console for the Command-Line Interface


For initial configuration, access the CLI directly from the console port. Later, you can configure remote access
using Telnet or SSH according to #unique_35. If your system is already in multiple context mode, then
accessing the console port places you in the system execution space.

Note For ASAv console access, see the ASAv quick start guide.

Access the Appliance Console


Follow these steps to access the appliance console.

Procedure

Step 1 Connect a computer to the console port using the provided console cable, and connect to the console using a
terminal emulator set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.
See the hardware guide for your ASA for more information about the console cable.

Step 2 Press the Enter key to see the following prompt:

ciscoasa>


This prompt indicates that you are in user EXEC mode. Only basic commands are available from user EXEC
mode.

Step 3 Access privileged EXEC mode.


enable
You are prompted for the password. By default, the password is blank, and you can press the Enter key to
continue. See Set the Hostname, Domain Name, and the Enable and Telnet Passwords, on page 551 to change
the enable password.
Example:

ciscoasa> enable
Password:
ciscoasa#

All non-configuration commands are available in privileged EXEC mode. You can also enter configuration
mode from privileged EXEC mode.
To exit privileged mode, enter the disable, exit, or quit command.

Step 4 Access global configuration mode.


configure terminal
Example:

ciscoasa# configure terminal
ciscoasa(config)#

You can begin to configure the ASA from global configuration mode. To exit global configuration mode,
enter the exit, quit, or end command.

Access the ASA Console on the Firepower 4100/9300 Chassis


For initial configuration, access the command-line interface by connecting to the Firepower 4100/9300 chassis
supervisor (either to the console port or remotely using Telnet or SSH) and then connecting to the ASA security
module.

Procedure

Step 1 Connect to the Firepower 4100/9300 chassis supervisor CLI (console or SSH), and then session to the ASA:
connect module slot console
The first time you access the module, you access the FXOS module CLI. You must then connect to the ASA
application.
connect asa
Example:

Firepower# connect module 1 console
Firepower-module1> connect asa
asa>

Step 2 Access privileged EXEC mode, which is the highest privilege level.
enable
You are prompted for the password. By default, the password is blank, and you can press the Enter key to
continue. See Set the Hostname, Domain Name, and the Enable and Telnet Passwords, on page 551 to change
the enable password.
Example:

asa> enable
Password:
asa#

All non-configuration commands are available in privileged EXEC mode. You can also enter configuration
mode from privileged EXEC mode.
To exit privileged mode, enter the disable, exit, or quit command.

Step 3 Enter global configuration mode.


configure terminal
Example:

asa# configure terminal
asa(config)#

To exit global configuration mode, enter the disable, exit, or quit command.

Step 4 Exit the application console to the FXOS module CLI by entering Ctrl-a, d
You might want to use the FXOS module CLI for troubleshooting purposes.

Step 5 Return to the supervisor level of the FXOS CLI.


a) Enter ~
You exit to the Telnet application.
b) To exit the Telnet application, enter:
telnet>quit

Access the ASA Services Module Console


For initial configuration, access the command-line interface by connecting to the switch (either to the console
port or remotely using Telnet or SSH) and then connecting to the ASASM. This section describes how to
access the ASASM CLI.


About Connection Methods


From the switch CLI, you can use two methods to connect to the ASASM:
• Virtual console connection—Using the service-module session command, you create a virtual console
connection to the ASASM, with all the benefits and limitations of an actual console connection.
Benefits include:
• The connection is persistent across reloads and does not time out.
• You can stay connected through ASASM reloads and view startup messages.
• You can access ROMMON if the ASASM cannot load the image.
• No initial password configuration is required.

Limitations include:
• The connection is slow (9600 baud).
• You can only have one console connection active at a time.
• You cannot use this command in conjunction with a terminal server where Ctrl-Shift-6, x is the
escape sequence to return to the terminal server prompt. Ctrl-Shift-6, x is also the sequence to
escape the ASASM console and return to the switch prompt. Therefore, if you try to exit the ASASM
console in this situation, you instead exit all the way to the terminal server prompt. If you reconnect
the terminal server to the switch, the ASASM console session is still active; you can never exit to
the switch prompt. You must use a direct serial connection to return the console to the switch prompt.
In this case, either change the terminal server or switch escape character in Cisco IOS software, or
use the Telnet session command instead.

Note Because of the persistence of the console connection, if you do not properly log
out of the ASASM, the connection may exist longer than intended. If someone
else wants to log in, they will need to kill the existing connection.

• Telnet connection—Using the session command, you create a Telnet connection to the ASASM.

Note You cannot connect using this method for a new ASASM; this method requires
you to configure a Telnet login password on the ASASM (there is no default
password). After you set a password using the passwd command, you can use
this method.

Benefits include:
• You can have multiple sessions to the ASASM at the same time.
• The Telnet session is a fast connection.

Limitations include:
• The Telnet session is terminated when the ASASM reloads, and can time out.
• You cannot access the ASASM until it completely loads; you cannot access ROMMON.
• You must first set a Telnet login password; there is no default password.

Log Into the ASA Services Module


For initial configuration, access the command-line interface by connecting to the switch (either to the switch
console port or remotely using Telnet or SSH) and then connecting to the ASASM.
If your system is already in multiple context mode, then accessing the ASASM from the switch places you
in the system execution space.
Later, you can configure remote access directly to the ASASM using Telnet or SSH.

Procedure

Step 1 From the switch, perform one of the following:


• Available for initial access—From the switch CLI, enter this command to gain console access to the
ASASM:
service-module session [switch {1 | 2}] slot number
Example:

Router# service-module session slot 3
ciscoasa>

For a switch in a VSS, enter the switch argument.


To view the module slot numbers, enter the show module command at the switch prompt.
You access user EXEC mode.
• Available after you configure a login password—From the switch CLI, enter this command to Telnet to
the ASASM over the backplane:
session [switch {1 | 2}] slot number processor 1
You are prompted for the login password:

ciscoasa passwd:

Example:

Router# session slot 3 processor 1
ciscoasa passwd: cisco
ciscoasa>

For a switch in a VSS, enter the switch argument.


The session slot processor 0 command, which is supported on other services modules, is not supported
on the ASASM; the ASASM does not have a processor 0.
To view the module slot numbers, enter the show module command at the switch prompt.


Enter the login password to the ASASM. Set the password using the passwd command. There is no
default password.
You access user EXEC mode.

Step 2 Access privileged EXEC mode, which is the highest privilege level.
enable
You are prompted for the password. By default, the password is blank, and you can press the Enter key to
continue. See Set the Hostname, Domain Name, and the Enable and Telnet Passwords, on page 551 to change
the enable password.
Example:

ciscoasa> enable
Password:
ciscoasa#

All non-configuration commands are available in privileged EXEC mode. You can also enter configuration
mode from privileged EXEC mode.
To exit privileged mode, enter the disable, exit, or quit command.

Step 3 Access global configuration mode:


configure terminal
To exit global configuration mode, enter the disable, exit, or quit command.

Related Topics
Guidelines for Management Access
Set the Hostname, Domain Name, and the Enable and Telnet Passwords, on page 551

Log Out of a Console Session


If you do not log out of the ASASM, the console connection persists; there is no timeout. To end the ASASM
console session and access the switch CLI, perform the following steps.
To kill another user’s active connection, which may have been unintentionally left open, see Kill an Active
Console Connection, on page 25.

Procedure

To return to the switch CLI, type the following:


Ctrl-Shift-6, x
You return to the switch prompt:

asasm# [Ctrl-Shift-6, x]
Router#


Note Shift-6 on US and UK keyboards issues the caret (^) character. If you have a different keyboard
and cannot issue the caret (^) character as a standalone character, you can temporarily or permanently
change the escape character to a different character. Use the terminal escape-character ascii_number
command (to change for this session) or the default escape-character ascii_number command (to
change permanently). For example, to change the sequence for the current session to Ctrl-w, x,
enter terminal escape-character 23.

Kill an Active Console Connection


Because of the persistence of a console connection, if you do not properly log out of the ASASM, the connection
may exist longer than intended. If someone else wants to log in, they will need to kill the existing connection.

Procedure

Step 1 From the switch CLI, show the connected users using the show users command. A console user is called
“con”. The Host address shown is 127.0.0.slot0, where slot is the slot number of the module.
show users
For example, the following command output shows a user “con” on line 0 on a module in slot 2:

Router# show users
    Line       User       Host(s)              Idle       Location
*    0 con 0              127.0.0.20           00:00:02

Step 2 To clear the line with the console connection, enter the following command:
clear line number
For example:

Router# clear line 0
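Finding a console session that someone left open is a routine check when several administrators share a switch. The following is an added example, not from the Cisco guide: it parses the output of the switch `show users` command, keeps only `con` lines whose host is of the form 127.0.0.slot0 described in Step 1 (so an administrator's own vty session is never selected), decodes the slot number and the idle time, and produces the `clear line` command from Step 2. The sample output is constructed after the example above, with a second, unrelated vty line added so the filter has something to skip; the idle-time threshold is an assumption for this example.

```python
import re

# Constructed sample of switch 'show users' output, patterned on the example
# above: line 0 is a console session to the module in slot 2, line 2 is an
# unrelated vty (SSH) session that the parser must ignore.
SAMPLE_SHOW_USERS = """\
    Line       User       Host(s)              Idle       Location
*    0 con 0              127.0.0.20           00:00:02
     2 vty 0  admin      idle                 00:05:11 10.1.1.20
"""

# A 'con' line: optional '*' for the current line, line number, "con N", host, idle.
CON_LINE_RE = re.compile(
    r"^\*?\s*(?P<line>\d+)\s+con\s+\d+\s+(?P<host>\S+)\s+(?P<idle>\S+)", re.MULTILINE)
# Service-module console hosts are 127.0.0.<slot>0 (slot 2 -> 127.0.0.20).
MODULE_HOST_RE = re.compile(r"127\.0\.0\.(\d+)0")


def parse_idle(idle):
    """Convert an hh:mm:ss idle value to seconds; other formats return None."""
    parts = idle.split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    hours, minutes, seconds = (int(p) for p in parts)
    return hours * 3600 + minutes * 60 + seconds


def find_module_console_sessions(output):
    """Return (line_number, slot, idle_seconds) for each console session to a module."""
    sessions = []
    for m in CON_LINE_RE.finditer(output):
        slot = MODULE_HOST_RE.fullmatch(m.group("host"))
        if slot:                                  # skip console lines that are not a module session
            sessions.append((int(m.group("line")), int(slot.group(1)), parse_idle(m.group("idle"))))
    return sessions


def stale_sessions(output, max_idle_seconds):
    """Sessions idle longer than the (constructed) threshold; unparsable idle values are kept out."""
    return [s for s in find_module_console_sessions(output)
            if s[2] is not None and s[2] > max_idle_seconds]


def clear_line_commands(sessions):
    """Switch commands that end the given console sessions."""
    return [f"clear line {line}" for line, _slot, _idle in sessions]


if __name__ == "__main__":
    for line, slot, idle in find_module_console_sessions(SAMPLE_SHOW_USERS):
        print(f"line {line}: console session to module in slot {slot}, idle {idle}s")
    print(clear_line_commands(stale_sessions(SAMPLE_SHOW_USERS, max_idle_seconds=0)))
```

Clearing a line that belongs to an administrator who is mid-task is disruptive, so the idle time is worth checking before acting on the generated command.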

Log Out of a Telnet Session


To end the Telnet session and access the switch CLI, perform the following steps.

Procedure

To return to the switch CLI, type exit from the ASASM privileged or user EXEC mode. If you are in a
configuration mode, enter exit repeatedly until you exit the Telnet session.
You return to the switch prompt:

asasm# exit
Router#

Note You can alternatively escape the Telnet session using the escape sequence Ctrl-Shift-6, x; this
escape sequence lets you resume the Telnet session by pressing the Enter key at the switch prompt.
To disconnect your Telnet session from the switch, enter disconnect at the switch CLI. If you do
not disconnect the session, it will eventually time out according to the ASASM configuration.

Access the Software Module Console


If you have a software module installed, such as the ASA FirePOWER module on the ASA 5506-X, you can
session to the module console.

Note You cannot access the hardware module CLI over the ASA backplane using the session command.

Procedure

From the ASA CLI, session to the module:


session {sfr | cxsc | ips} console
Example:

ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

Cisco ASA SFR Boot Image 5.3.1

asasfr login: admin
Password: Admin123

Access the ASA 5506W-X Wireless Access Point Console


To access the wireless access point console, perform the following steps.

Procedure

Step 1 From the ASA CLI, session to the access point:


session wlan console
Example:

ciscoasa# session wlan console
opening console session with module wlan
connected to module wlan. Escape character sequence is 'CTRL-^X'

ap>

Step 2 See the Cisco IOS Configuration Guide for Autonomous Aironet Access Points for information about the
access point CLI.

Configure ASDM Access


This section describes how to access ASDM with a default configuration and how to configure access if you
do not have a default configuration.

Use the Factory Default Configuration for ASDM Access (Appliances, ASAv)
With a factory default configuration, ASDM connectivity is pre-configured with default network settings.

Procedure

Connect to ASDM using the following interface and network settings:


• The management interface depends on your model:
• Firepower 4100/9300—The Management type interface and IP address of your choice defined when
you deployed. Management hosts are allowed from any network.
• ASA 5506-X, ASA 5508-X, and ASA 5516-X—Inside GigabitEthernet 1/2 (192.168.1.1) and for
ASA 5506W-X, wifi GigabitEthernet 1/9 (192.168.10.1). Inside hosts are limited to the
192.168.1.0/24 network, and wifi hosts are limited to 192.168.10.0/24.
• ASA 5512-X and higher—Management 0/0 (192.168.1.1). Management hosts are limited to the
192.168.1.0/24 network.
• ASAv—Management 0/0 (set during deployment). Management hosts are limited to the management
network.
• ISA 3000—Management 1/1 (192.168.1.1). Management hosts are limited to the 192.168.1.0/24
network.

Note If you change to multiple context mode, you can access ASDM from the admin context using the
network settings above.

Related Topics
Factory Default Configurations, on page 34
Enable or Disable Multiple Context Mode, on page 198
Start ASDM, on page 32


Customize ASDM Access


This procedure applies to all models except the ASA Services Module.
Use this procedure if one or more of the following conditions applies:
• You do not have a factory default configuration
• You want to change the management IP address
• You want to change to transparent firewall mode
• You want to change to multiple context mode

For routed, single mode, for quick and easy ASDM access, we recommend applying the factory default
configuration with the option to set your own management IP address. Use the procedure in this section only
if you have special needs such as setting transparent or multiple context mode, or if you have other configuration
that you need to preserve.

Note For the ASAv, you can configure transparent mode when you deploy, so this procedure is primarily useful
after you deploy if you need to clear your configuration, for example.

Procedure

Step 1 Access the CLI at the console port.


Step 2 (Optional) Enable transparent firewall mode:
This command clears your configuration.
firewall transparent

Step 3 Configure the management interface:

interface interface_id
nameif name
security-level level
no shutdown
ip address ip_address mask

Example:

ciscoasa(config)# interface management 0/0
ciscoasa(config-if)# nameif management
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0

The security-level is a number between 1 and 100, where 100 is the most secure.

Step 4 (For directly-connected management hosts) Set the DHCP pool for the management network:

dhcpd address ip_address-ip_address interface_name
dhcpd enable interface_name

Example:

ciscoasa(config)# dhcpd address 192.168.1.2-192.168.1.254 management
ciscoasa(config)# dhcpd enable management

Make sure you do not include the interface address in the range.

Step 5 (For remote management hosts) Configure a route to the management hosts:
route management_ifc management_host_ip mask gateway_ip 1
Example:

ciscoasa(config)# route management 10.1.1.0 255.255.255.0 192.168.1.50 1

Step 6 Enable the HTTP server for ASDM:


http server enable

Step 7 Allow the management host(s) to access ASDM:


http ip_address mask interface_name
Example:

ciscoasa(config)# http 192.168.1.0 255.255.255.0 management

Step 8 Save the configuration:


write memory

Step 9 (Optional) Set the mode to multiple mode:


mode multiple
When prompted, confirm that you want to convert the existing configuration to be the admin context. You
are then prompted to reload the ASA.

Examples
The following configuration converts the firewall mode to transparent mode, configures the
Management 0/0 interface, and enables ASDM for a management host:

firewall transparent
interface management 0/0
ip address 192.168.1.1 255.255.255.0
nameif management
security-level 100
no shutdown

dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management

http server enable
http 192.168.1.0 255.255.255.0 management

Related Topics
Restore the Factory Default Configuration, on page 35
Set the Firewall Mode, on page 169
Access the Appliance Console, on page 19
Start ASDM, on page 32

Configure ASDM Access for the ASA Services Module


Because the ASASM does not have physical interfaces, it does not come pre-configured for ASDM access;
you must configure ASDM access using the CLI on the ASASM. To configure the ASASM for ASDM access,
perform the following steps.

Before you begin


Assign a VLAN interface to the ASASM according to ASASM quick start guide.

Procedure

Step 1 Connect to the ASASM and access global configuration mode.


Step 2 (Optional) Enable transparent firewall mode:
firewall transparent
This command clears your configuration.

Step 3 Do one of the following to configure a management interface, depending on your mode:
• Routed mode—Configure an interface in routed mode:

interface vlan number
ip address ip_address [mask]
nameif name
security-level level

Example:

ciscoasa(config)# interface vlan 1
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100

The security-level is a number between 1 and 100, where 100 is the most secure.
• Transparent mode—Configure a bridge virtual interface and assign a management VLAN to the bridge
group:

interface bvi number
ip address ip_address [mask]
interface vlan number
bridge-group bvi_number
nameif name
security-level level

Example:

ciscoasa(config)# interface bvi 1
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0

ciscoasa(config)# interface vlan 1
ciscoasa(config-if)# bridge-group 1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100

The security-level is a number between 1 and 100, where 100 is the most secure.

Step 4 (For directly-connected management hosts) Enable DHCP for the management host on the management
interface network:

dhcpd address ip_address-ip_address interface_name
dhcpd enable interface_name

Example:

ciscoasa(config)# dhcpd address 192.168.1.2-192.168.1.254 inside
ciscoasa(config)# dhcpd enable inside

Make sure you do not include the management address in the range.

Step 5 (For remote management hosts) Configure a route to the management hosts:
route management_ifc management_host_ip mask gateway_ip 1
Example:

ciscoasa(config)# route inside 10.1.1.0 255.255.255.0 192.168.1.50 1

Step 6 Enable the HTTP server for ASDM:


http server enable

Step 7 Allow the management host to access ASDM:


http ip_address mask interface_name
Example:

ciscoasa(config)# http 192.168.1.0 255.255.255.0 inside

Step 8 Save the configuration:


write memory


Step 9 (Optional) Set the mode to multiple mode:

mode multiple
When prompted, confirm that you want to convert the existing configuration to be the admin context. You
are then prompted to reload the ASASM.

Examples
The following routed mode configuration configures the VLAN 1 interface and enables ASDM for
a management host:

interface vlan 1
nameif inside
ip address 192.168.1.1 255.255.255.0
security-level 100
dhcpd address 192.168.1.3-192.168.1.254 inside
dhcpd enable inside
http server enable
http 192.168.1.0 255.255.255.0 inside

The following configuration converts the firewall mode to transparent mode, configures the VLAN
1 interface and assigns it to BVI 1, and enables ASDM for a management host:

firewall transparent
interface bvi 1
ip address 192.168.1.1 255.255.255.0
interface vlan 1
bridge-group 1
nameif inside
security-level 100
dhcpd address 192.168.1.3-192.168.1.254 inside
dhcpd enable inside
http server enable
http 192.168.1.0 255.255.255.0 inside

Related Topics
Access the ASA Services Module Console, on page 21
About Connection Methods, on page 22
Log Out of a Console Session, on page 24
Kill an Active Console Connection, on page 25
Log Out of a Telnet Session, on page 25
Set the Firewall Mode, on page 169

Start ASDM
You can start ASDM using two methods:

• ASDM-IDM Launcher—The Launcher is an application downloaded from the ASA using a web browser
that you can use to connect to any ASA IP address. You do not need to re-download the launcher if you
want to connect to other ASAs.
• Java Web Start—For each ASA that you manage, you need to connect with a web browser and then save
or launch the Java Web Start application. You can optionally save the shortcut to your computer; however
you need separate shortcuts for each ASA IP address.

Note If you use web start, clear the Java cache or you might lose changes to some pre-login policies such as Hostscan.
This problem does not occur if you use the launcher.

Within ASDM, you can choose a different ASA IP address to manage; the difference between the Launcher
and Java Web Start functionality rests primarily in how you initially connect to the ASA and launch ASDM.
This section describes how to connect to ASDM initially, and then launch ASDM using the Launcher or the
Java Web Start.
ASDM stores files in the local \Users\<user_id>\.asdm directory, including cache, log, and preferences, and
also in the Temp directory, including AnyConnect profiles.

Procedure

Step 1 On the computer that you specified as the ASDM client, enter the following URL:
https://asa_ip_address/admin
The ASDM launch page appears with the following buttons:
• Install ASDM Launcher and Run ASDM
• Run ASDM
• Run Startup Wizard

Step 2 To download the Launcher:
a) Click Install ASDM Launcher and Run ASDM.
b) Leave the username and password fields empty (for a new installation), and click OK. With no HTTPS
authentication configured, you can gain access to ASDM with no username and the enable password,
which is blank by default. Note: If you enabled HTTPS authentication, enter your username and associated
password. Even without authentication, if you enter a username and password at the login screen (instead
of leaving the username blank), ASDM checks the local database for a match.
c) Save the installer to your computer, and then start the installer. The ASDM-IDM Launcher opens
automatically after installation is complete.
d) Enter the management IP address, the same username and password (blank for a new installation), and
then click OK.
Step 3 To use Java Web Start:
a) Click Run ASDM or Run Startup Wizard.
b) Save the shortcut to your computer when prompted. You can optionally open it instead of saving it.
c) Start Java Web Start from the shortcut.

d) Accept any certificates according to the dialog boxes that appear. The Cisco ASDM-IDM Launcher
appears.
e) Leave the username and password fields empty (for a new installation), and click OK. With no HTTPS
authentication configured, you can gain access to ASDM with no username and the enable password,
which is blank by default. Note: If you enabled HTTPS authentication, enter your username and associated
password. Even without authentication, if you enter a username and password at the login screen (instead
of leaving the username blank), ASDM checks the local database for a match.

Factory Default Configurations


The factory default configuration is the configuration applied by Cisco to new ASAs.
• ASA 5506-X, 5508-X and 5516-X—The factory default configuration enables a functional inside/outside
configuration. You can manage the ASA using ASDM from the inside interface.
• ASA 5512-X through ASA 5585-X—The factory default configuration configures an interface for
management so that you can connect to it using ASDM, with which you can then complete your
configuration.
• Firepower 4100/9300 chassis—When you deploy the standalone or cluster of ASAs, the factory default
configuration configures an interface for management so that you can connect to it using ASDM, with
which you can then complete your configuration.
• ASAv—Depending on your hypervisor, as part of deployment, the deployment configuration (the initial
virtual deployment settings) configures an interface for management so that you can connect to it using
ASDM, with which you can then complete your configuration. You can also configure failover IP
addresses. You can also apply a “factory default” configuration if desired.
• ASASM—No default configuration. See Access the ASA Services Module Console, on page 21 to start
configuration.
• ISA 3000—The factory default configuration is an almost-complete transparent firewall mode
configuration with all inside and outside interfaces on the same network; you can connect to the
management interface with ASDM to set the IP address of your network. Hardware bypass is enabled
for two interface pairs, and all traffic is sent to the ASA FirePOWER module in Inline Tap Monitor-Only
Mode. This mode sends a duplicate stream of traffic to the ASA Firepower module for monitoring
purposes only.

For appliances and the Firepower 4100/9300 chassis, the factory default configuration is available only for
routed firewall mode and single context mode. For the ASAv, you can choose transparent or routed mode at
deployment.

Note In addition to the image files and the (hidden) default configuration, the following folders and files are standard
in flash memory: log/, crypto_archive/, and coredumpinfo/coredump.cfg. The date on these files may not
match the date of the image files in flash memory. These files aid in potential troubleshooting; they do not
indicate that a failure has occurred.

Restore the Factory Default Configuration


This section describes how to restore the factory default configuration. For the ASAv, this procedure erases
the deployment configuration and applies the same factory default configuration as for the ASA 5525-X.

Note On the ASASM, restoring the factory default configuration simply erases the configuration; there is no factory
default configuration.
On the Firepower 4100/9300, restoring the factory default configuration simply erases the configuration; to
restore the default configuration, you must re-deploy the ASA from the supervisor.

Before you begin


This feature is available only in routed firewall mode; transparent mode does not support IP addresses for
interfaces. In addition, this feature is available only in single context mode; an ASA with a cleared configuration
does not have any defined contexts to configure automatically using this feature.

Procedure

Step 1 Restore the factory default configuration:

configure factory-default [ip_address [mask]]
Example:

ciscoasa(config)# configure factory-default 10.1.1.1 255.255.255.0

If you specify the ip_address, then you set the inside or management interface IP address, depending on your
model, instead of using the default IP address. See the following model guidelines for which interface is set
by the ip_address option:
• Firepower 4100/9300—No effect.
• ASAv—Sets the management interface IP address.
• ASA 5506-X—Sets the inside interface IP address.
• ASA 5508-X and 5516-X—Sets the inside interface IP address.
• ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X—Sets the management interface IP address.
• ASA 5585-X—Sets the management interface IP address.
• ISA 3000—Sets the management interface IP address.
• ASASM—No effect.

The http command uses the subnet you specify. Similarly, the dhcpd address command range consists of
all available addresses higher than the IP address you specify. For example, if you specify 10.5.6.78 with a
subnet mask of 255.255.255.0, then the DHCP address range will be 10.5.6.79-10.5.6.254.
For the Firepower 2100: This model does not use the boot system command; packages are managed by FXOS.

For all other models: This command clears the boot system command, if present, along with the rest of the
configuration. The boot system command lets you boot from a specific image. The next time you reload the
ASA after restoring the factory configuration, it boots from the first image in internal flash memory; if you
do not have an image in internal flash memory, the ASA does not boot.
Example:

docs-bxb-asa3(config)# configure factory-default 10.86.203.151 255.255.254.0

Based on the management IP address and mask, the DHCP address
pool size is reduced to 103 from the platform limit 256

WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the
system on the next reload.
Verify there is a valid image on disk0:/ or the system will
not boot.

Begin to apply factory-default configuration:
Clear all configuration
WARNING: The new maximum-session limit will take effect after the running-config is saved
and the system boots next time. Command accepted
WARNING: Local user database is empty and there are still 'aaa' commands for 'LOCAL'.
Executing command: interface management0/0
Executing command: nameif management
INFO: Security level for "management" set to 0 by default.
Executing command: ip address 10.86.203.151 255.255.254.0
Executing command: security-level 100
Executing command: no shutdown
Executing command: exit
Executing command: http server enable
Executing command: http 10.86.202.0 255.255.254.0 management
Executing command: dhcpd address 10.86.203.152-10.86.203.254 management
Executing command: dhcpd enable management
Executing command: logging asdm informational
Factory-default configuration is completed
ciscoasa(config)#
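The following Python example is added here and is not part of the guide; it reproduces the derivation shown in the output above (http subnet from the mask, dhcpd range from the addresses above the interface address) and also implements the Step 4 check from Configure ASDM Access for the ASA Services Module, that the management address must stay out of the dhcpd range. The 256-address cap is an assumption taken from the "platform limit 256" line above, and the function names are the example's own.

```python
import ipaddress

# Assumption: the ASA output above reports a "platform limit 256" for the DHCP
# pool, so this example caps the derived pool at that many addresses. How the
# ASA itself trims an oversized pool is not stated in the guide.
PLATFORM_POOL_LIMIT = 256


def derive_management_access(ip, mask, ifc="management", pool_limit=PLATFORM_POOL_LIMIT):
    """Derive what configure factory-default builds from an address and mask.

    The http rule covers the subnet of the address; the dhcpd range starts one
    address above it and runs to the last usable host (capped by pool_limit),
    so the interface address itself is never handed out to a client.
    """
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    addr = ipaddress.IPv4Address(ip)
    if addr in (net.network_address, net.broadcast_address):
        raise ValueError(f"{ip} is not a host address in {net}")
    first = addr + 1
    last_usable = net.broadcast_address - 1
    if first > last_usable:
        raise ValueError(f"no addresses above {ip} in {net}; DHCP pool would be empty")
    cap = int(first) + pool_limit - 1
    last = last_usable if int(last_usable) <= cap else ipaddress.IPv4Address(cap)
    pool_size = int(last) - int(first) + 1
    return {
        "http_subnet": f"{net.network_address} {net.netmask}",
        "dhcp_range": f"{first}-{last}",
        "pool_size": pool_size,
        # The same four commands the ASA echoes as "Executing command:" above.
        "commands": [
            "http server enable",
            f"http {net.network_address} {net.netmask} {ifc}",
            f"dhcpd address {first}-{last} {ifc}",
            f"dhcpd enable {ifc}",
        ],
    }


def dhcp_range_excludes(ip, range_spec):
    """Step 4 check: the management address must not fall inside the dhcpd
    address range. range_spec uses the ASA form 'first-last'."""
    first, last = (ipaddress.IPv4Address(p) for p in range_spec.split("-"))
    if first > last:
        raise ValueError(f"invalid range {range_spec}")
    return not (first <= ipaddress.IPv4Address(ip) <= last)


if __name__ == "__main__":
    # Same inputs as the ASA session above.
    for line in derive_management_access("10.86.203.151", "255.255.254.0")["commands"]:
        print(line)
```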

Step 2 Save the default configuration to flash memory:

write memory
This command saves the running configuration to the default location for the startup configuration, even if
you previously configured the boot config command to set a different location; when the configuration was
cleared, this path was also cleared.

Restore the ASAv Deployment Configuration


This section describes how to restore the ASAv deployment (Day 0) configuration.

Procedure

Step 1 For failover, power off the standby unit.


To prevent the standby unit from becoming active, you must power it off. If you leave it on, when you erase
the active unit configuration, then the standby unit becomes active. When the former active unit reloads and
reconnects over the failover link, the old configuration will sync from the new active unit, wiping out the
deployment configuration you wanted.

Step 2 Restore the deployment configuration after you reload. For failover, enter this command on the active unit:
write erase
Note The ASAv boots the current running image, so you are not reverted to the original boot image. To
use the original boot image, see the boot image command.
Do not save the configuration.

Step 3 Reload the ASAv and load the deployment configuration:

reload

Step 4 For failover, power on the standby unit.


After the active unit reloads, power on the standby unit. The deployment configuration will sync to the standby
unit.

ASA 5506-X, 5508-X, and 5516-X Default Configuration


The default factory configuration for the ASA 5506-X series, 5508-X, and 5516-X configures the following:
• inside --> outside traffic flow—GigabitEthernet 1/1 (outside), GigabitEthernet 1/2 (inside)
• outside IP address from DHCP
• inside IP address—192.168.1.1
• (ASA 5506W-X) wifi <--> inside, wifi --> outside traffic flow—GigabitEthernet 1/9 (wifi)
• (ASA 5506W-X) wifi IP address—192.168.10.1
• DHCP server on inside and wifi. The access point itself and all its clients use the ASA as the DHCP
server.
• Default route from outside DHCP
• Management 1/1 interface is Up, but otherwise unconfigured. The ASA FirePOWER module can then
use this interface to access the ASA inside network and use the inside interface as the gateway to the
Internet.
• ASDM access—inside and wifi hosts allowed.
• NAT—Interface PAT for all traffic from inside, wifi, and management to outside.

The configuration consists of the following commands:

interface Management1/1
management-only
no nameif
no security-level
no ip address
no shutdown

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
no shutdown
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
!
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (any,outside) dynamic interface
!
http server enable
http 192.168.1.0 255.255.255.0 inside
!
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
logging asdm informational

For the ASA 5506W-X, the following commands are also included:

same-security-traffic permit inter-interface
!
interface GigabitEthernet 1/9
security-level 100
nameif wifi
ip address 192.168.10.1 255.255.255.0
no shutdown
!
http 192.168.10.0 255.255.255.0 wifi
!
dhcpd address 192.168.10.2-192.168.10.254 wifi
dhcpd enable wifi

ASA 5512-X through ASA 5585-X Default Configuration


The default factory configuration for the ASA 5512-X through ASA 5585-X configures the following:
• Management interface—Management 0/0 (management).
• IP address—The management address is 192.168.1.1/24.
• DHCP server—Enabled for management hosts so that a computer connecting to the management interface
receives an address between 192.168.1.2 and 192.168.1.254.
• ASDM access—Management hosts allowed.

The configuration consists of the following commands:

interface management 0/0
ip address 192.168.1.1 255.255.255.0
nameif management
security-level 100
no shutdown

!
asdm logging informational
asdm history enable
!
http server enable
http 192.168.1.0 255.255.255.0 management
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management

Firepower 4100/9300 Chassis Default Configuration


When you deploy the ASA on the Firepower 4100/9300 chassis, you can pre-set many parameters that let
you connect to the Management interface using ASDM. A typical configuration includes the following settings:
• Management interface:
• Management type interface of your choice defined on the Firepower 4100/9300 Chassis supervisor
• Named “management”
• IP address of your choice
• Security level 0
• Management-only

• Default route through the management interface


• ASDM access—All hosts allowed.

The configuration for a standalone unit consists of the following commands. For additional configuration for
clustered units, see Create an ASA Cluster, on page 396.

interface <management_ifc>
management-only
ip address <ip_address> <mask>
ipv6 address <ipv6_address>
ipv6 enable
nameif management
security-level 0
no shutdown
!
http server enable
http 0.0.0.0 0.0.0.0 management
http ::/0 management
!
route management 0.0.0.0 0.0.0.0 <gateway_ip> 1
ipv6 route management ::/0 <gateway_ipv6>
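The Firepower 4100/9300 default above permits ASDM from every source (http 0.0.0.0 0.0.0.0 management and http ::/0 management), whereas the other defaults scope it to one subnet. The following Python audit is added here, not from the guide, to find any-source http and ssh lines in a saved configuration; the sample configuration is constructed, and the /24 and /64 "broad" thresholds are assumed policy values, not ASA settings.

```python
import ipaddress

# Constructed sample (not from the guide): the any-source ASDM lines of the
# Firepower 4100/9300 default mixed with subnet-scoped http and ssh rules and
# non-address ssh settings that the parser must ignore.
SAMPLE_CONFIG = """\
interface Management1/1
 management-only
 nameif management
 security-level 0
 no shutdown
!
http server enable
http 0.0.0.0 0.0.0.0 management
http ::/0 management
http 192.168.1.0 255.255.255.0 inside
ssh 10.0.0.0 255.0.0.0 management
ssh version 2
ssh timeout 5
"""


def parse_access_lines(config_text):
    """Yield (service, network, interface) for each http/ssh source rule.

    Handles both the IPv4 form 'http addr mask ifc' and the IPv6 form
    'http prefix/len ifc'; lines such as 'http server enable' or
    'ssh version 2' carry no address and are skipped.
    """
    for raw in config_text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] not in ("http", "ssh"):
            continue
        try:
            if ":" in parts[1]:
                net = ipaddress.ip_network(parts[1], strict=False)
                ifc = parts[2]
            else:
                net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
                ifc = parts[3]
        except (ValueError, IndexError):
            continue
        yield parts[0], net, ifc


def audit_management_access(config_text, broad_v4=24, broad_v6=64):
    """Classify each http/ssh source rule by how much of the address space it admits.

    'any'   - prefix length 0: every source address may reach ASDM or SSH
    'broad' - wider than the assumed threshold (/24 for IPv4, /64 for IPv6)
    'ok'    - scoped to a host or a small subnet
    """
    findings = []
    for service, net, ifc in parse_access_lines(config_text):
        limit = broad_v4 if net.version == 4 else broad_v6
        if net.prefixlen == 0:
            severity = "any"
        elif net.prefixlen < limit:
            severity = "broad"
        else:
            severity = "ok"
        findings.append({"service": service, "source": str(net),
                         "interface": ifc, "severity": severity})
    return findings


def worst_severity(findings):
    """Highest severity present, for a one-line verdict on a configuration."""
    order = {"ok": 0, "broad": 1, "any": 2}
    return max((f["severity"] for f in findings), key=order.get, default="ok")


if __name__ == "__main__":
    for f in audit_management_access(SAMPLE_CONFIG):
        print(f"{f['severity']:5} {f['service']} {f['source']} on {f['interface']}")
```

The audit reports configured scope only; how much an any-source rule actually exposes depends on which network the management interface sits on.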

ISA 3000 Default Configuration


The default factory configuration for the ISA 3000 configures the following:
• Transparent firewall mode—A transparent firewall is a Layer 2 firewall that acts like a “bump in the
wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices.

• 1 Bridge Virtual Interface—All member interfaces are in the same network (IP address not
pre-configured; you must set to match your network): GigabitEthernet 1/1 (outside1), GigabitEthernet
1/2 (inside1), GigabitEthernet 1/3 (outside2), GigabitEthernet 1/4 (inside2)
• All inside and outside interfaces can communicate with each other.
• Management 1/1 interface—192.168.1.1/24 for ASDM access.
• DHCP for clients on management.
• ASDM access—Management hosts allowed.
• Hardware bypass is enabled for the following interface pairs: GigabitEthernet 1/1 & 1/2; GigabitEthernet
1/3 & 1/4

Note When the ISA 3000 loses power and goes into hardware bypass mode, only the
above interface pairs can communicate; inside1 and inside2, and outside1 and
outside2 can no longer communicate. Any existing connections between these
interfaces will be lost. When the power comes back on, there is a brief connection
interruption as the ASA takes over the flows.

• ASA FirePOWER module—All traffic is sent to the module in Inline Tap Monitor-Only Mode. This
mode sends a duplicate stream of traffic to the ASA Firepower module for monitoring purposes only.

The configuration consists of the following commands:

firewall transparent

interface GigabitEthernet1/1
bridge-group 1
nameif outside1
security-level 0
no shutdown
interface GigabitEthernet1/2
bridge-group 1
nameif inside1
security-level 100
no shutdown
interface GigabitEthernet1/3
bridge-group 1
nameif outside2
security-level 0
no shutdown
interface GigabitEthernet1/4
bridge-group 1
nameif inside2
security-level 100
no shutdown
interface Management1/1
management-only
no shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
interface BVI1
no ip address

access-list allowAll extended permit ip any any
access-group allowAll in interface outside1
access-group allowAll in interface outside2

same-security-traffic permit inter-interface

hardware-bypass GigabitEthernet 1/1-1/2
hardware-bypass GigabitEthernet 1/3-1/4

http server enable
http 192.168.1.0 255.255.255.0 management

dhcpd address 192.168.1.5-192.168.1.254 management
dhcpd enable management

access-list sfrAccessList extended permit ip any any
class-map sfrclass
match access-list sfrAccessList
policy-map global_policy
class sfrclass
sfr fail-open monitor-only
service-policy global_policy global

ASAv Deployment Configuration


When you deploy the ASAv, you can pre-set many parameters that let you connect to the Management 0/0
interface using ASDM. A typical configuration includes the following settings:
• Routed or Transparent firewall mode
• Management 0/0 interface:
• Named “management”
• IP address or DHCP
• Security level 0

• Static route for the management host IP address (if it is not on the management subnet)
• HTTP server enabled or disabled
• HTTP access for the management host IP address
• (Optional) Failover link IP addresses for GigabitEthernet 0/8, and the Management 0/0 standby IP address
• DNS server
• Smart licensing ID token
• Smart licensing Throughput Level and Standard Feature Tier
• (Optional) Smart Call Home HTTP Proxy URL and port
• (Optional) SSH management settings:
• Client IP addresses
• Local username and password

• Authentication required for SSH using the LOCAL database

• (Optional) REST API enabled or disabled

Note To successfully register the ASAv with the Cisco Licensing Authority, the ASAv requires Internet access.
You might need to perform additional configuration after deployment to achieve Internet access and successful
license registration.

See the following sample configuration for a standalone unit:

interface Management0/0
nameif management
security-level 0
ip address ip_address
no shutdown
http server enable
http management_host_IP mask management
route management management_host_IP mask gateway_ip 1
dns server-group DefaultDNS
name-server ip_address
call-home
http-proxy ip_address port port
license smart
feature tier standard
throughput level {100M | 1G | 2G}
license smart register idtoken id_token
aaa authentication ssh console LOCAL
username username password password
ssh source_IP_address mask management
rest-api image boot:/path
rest-api agent

See the following sample configuration for a primary unit in a failover pair:

interface Management0/0
nameif management
security-level 0
ip address ip_address standby standby_ip
no shutdown
route management management_host_IP mask gateway_ip 1
http server enable
http management_host_IP mask management
dns server-group DefaultDNS
name-server ip_address
call-home
http-proxy ip_address port port
license smart
feature tier standard
throughput level {100M | 1G | 2G}
license smart register idtoken id_token
aaa authentication ssh console LOCAL
username username password password
ssh source_IP_address mask management
rest-api image boot:/path
rest-api agent
failover
failover lan unit primary
failover lan interface fover gigabitethernet0/8
failover link fover gigabitethernet0/8
failover interface ip fover primary_ip mask standby standby_ip

Work with the Configuration


This section describes how to work with the configuration. The ASA loads the configuration from a text file,
called the startup configuration. This file resides by default as a hidden file in internal flash memory. You
can, however, specify a different path for the startup configuration.
When you enter a command, the change is made only to the running configuration in memory. You must
manually save the running configuration to the startup configuration for your changes to remain after a reboot.
The information in this section applies to both single and multiple security contexts, except where noted.

Save Configuration Changes


This section describes how to save your configuration.

Save Configuration Changes in Single Context Mode


To save the running configuration to the startup configuration, perform the following procedure.

Procedure

Save the running configuration to the startup configuration:

write memory
Note The copy running-config startup-config command is equivalent to the write memory command.

Save Configuration Changes in Multiple Context Mode


You can save each context (and system) configuration separately, or you can save all context configurations
at the same time.

Save Each Context and System Separately


Use the following procedure to save the system or context configuration.

Procedure

From within the context or the system, save the running configuration to the startup configuration:
write memory

For multiple context mode, context startup configurations can reside on external servers. In this case, the ASA
saves the configuration back to the server you identified in the context URL, except for an HTTP or HTTPS
URL, which does not let you save the configuration to the server.
Note The copy running-config startup-config command is equivalent to the write memory command.

Save All Context Configurations at the Same Time


Use the following procedure to save all context configurations at the same time, as well as the system
configuration.

Procedure

From the system execution space, save the running configuration to the startup configuration for all contexts
and the system configuration:
write memory all [/noconfirm]
If you do not enter the /noconfirm keyword, you see the following prompt:

Are you sure [Y/N]:

After you enter Y, the ASA saves the system configuration and each context. Context startup configurations
can reside on external servers. In this case, the ASA saves the configuration back to the server you identified
in the context URL, except for an HTTP or HTTPS URL, which does not let you save the configuration to the
server.
After the ASA saves each context, the following message appears:

‘Saving context ‘b’ ... ( 1/3 contexts saved ) ’

Sometimes, a context is not saved because of an error. See the following information for errors:
• For contexts that are not saved because of low memory, the following message appears:

The context 'context a' could not be saved due to Unavailability of resources

• For contexts that are not saved because the remote destination is unreachable, the following message
appears:

The context 'context a' could not be saved due to non-reachability of destination

• For contexts that are not saved because the context is locked, the following message appears:

Unable to save the configuration for the following contexts as these contexts are locked.
context ‘a’ , context ‘x’ , context ‘z’ .

A context is only locked if another user is already saving the configuration or in the process of deleting
the context.

• For contexts that are not saved because the startup configuration is read-only (for example, on an HTTP
server), the following message report is printed at the end of all other messages:

Unable to save the configuration for the following contexts as these contexts have
read-only config-urls:
context ‘a’ , context ‘b’ , context ‘c’ .

• For contexts that are not saved because of bad sectors in the flash memory, the following message appears:

The context 'context a' could not be saved due to Unknown errors
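A Python parser for the write memory all messages listed above, added here as an example rather than taken from the guide, so that a script running the command over a console session can confirm that every context was actually saved rather than trusting the exit of the command. The output sample is constructed from the message formats on this page with made-up context names; the function names are the example's own.

```python
import re

# The ASA prints context names in either straight or curly quotes, so the
# patterns accept both.
Q = "['‘’]"
SAVED_RE = re.compile(rf"Saving context {Q}(\S+?){Q}.*?\(\s*(\d+)/(\d+) contexts saved\s*\)")
FAILED_RE = re.compile(rf"The context {Q}(?:context )?(\S+?){Q} could not be saved due to (.+)")
LISTED_RE = re.compile(rf"context {Q}(\S+?){Q}")

# Constructed sample output, assembled from the message formats listed above.
SAMPLE_OUTPUT = """\
Saving context ‘b’ ... ( 1/7 contexts saved )
Saving context ‘c’ ... ( 2/7 contexts saved )
The context 'context a' could not be saved due to Unavailability of resources
Unable to save the configuration for the following contexts as these contexts are locked.
context ‘x’ , context ‘z’ .
Unable to save the configuration for the following contexts as these contexts have
read-only config-urls:
context ‘r’ .
The context 'context d' could not be saved due to Unknown errors
"""


def parse_write_memory_all(output):
    """Return {context_name: status} from the output of write memory all.

    status is 'saved' or the failure reason the ASA reported. The locked and
    read-only cases name several contexts on the line(s) after a header, and
    the read-only header itself wraps onto a second line, so a small amount of
    state is carried between lines.
    """
    result = {}
    pending = None  # reason for a multi-context "Unable to save" block
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SAVED_RE.search(line)
        if m:
            result[m.group(1)] = "saved"
            pending = None
            continue
        m = FAILED_RE.search(line)
        if m:
            result[m.group(1)] = m.group(2).strip()
            pending = None
            continue
        if line.startswith("Unable to save the configuration for the following contexts"):
            # "locked" is on the header line; "read-only" arrives on the next one.
            pending = "locked" if "locked" in line else "pending"
            continue
        if pending == "pending" and "read-only" in line:
            pending = "read-only config-url"
            continue
        if pending and pending != "pending":
            for name in LISTED_RE.findall(line):
                result[name] = pending
            continue
    return result


def unsaved_contexts(status):
    """Names of contexts whose startup configuration was not written."""
    return sorted(name for name, s in status.items() if s != "saved")


if __name__ == "__main__":
    status = parse_write_memory_all(SAMPLE_OUTPUT)
    for name in unsaved_contexts(status):
        print(f"context {name}: {status[name]}")
```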

Copy the Startup Configuration to the Running Configuration


Use one of the following commands to copy a new startup configuration to the running configuration:
• copy startup-config running-config
Merges the startup configuration with the running configuration. A merge adds any new commands from
the new configuration to the running configuration. If the configurations are the same, no changes occur.
If commands conflict or if commands affect the running of the context, then the effect of the merge
depends on the command. You might get errors, or you might have unexpected results.
• reload
Reloads the ASA, which loads the startup configuration and discards the running configuration.
• clear configure all and then copy startup-config running-config
Loads the startup configuration and discards the running configuration without requiring a reload.

View the Configuration


The following commands let you view the running and startup configurations:
• show running-config
Views the running configuration.
• show running-config command
Views the running configuration of a specific command.
• show startup-config
Views the startup configuration.

Clear and Remove Configuration Settings


To erase settings, enter one of the following commands:
• clear configure configurationcommand [level2configurationcommand]

Clears all the configuration for a specified command. If you only want to clear the configuration for a
specific version of the command, you can enter a value for level2configurationcommand.
For example, to clear the configuration for all aaa commands, enter the following command:

ciscoasa(config)# clear configure aaa

To clear the configuration for only aaa authentication commands, enter the following command:

ciscoasa(config)# clear configure aaa authentication

• no configurationcommand [level2configurationcommand] qualifier
Disables the specific parameters or options of a command. In this case, you use the no command to
remove the specific configuration identified by qualifier.
For example, to remove a specific access-list command, enter enough of the command to identify it
uniquely; you may have to enter the entire command:

ciscoasa(config)# no access-list abc extended permit icmp any any object-group obj_icmp_1

• write erase
Erases the startup configuration.

Note For the ASAv, this command restores the deployment configuration after a reload.
To erase the configuration completely, use the clear configure all command.

• clear configure all
Erases the running configuration.

Note In multiple context mode, if you enter clear configure all from the system
configuration, you also remove all contexts and stop them from running. The
context configuration files are not erased, and remain in their original location.

Note For the Firepower 2100: This model does not use the boot system command;
packages are managed by FXOS.
For all other models: This command clears the boot system command, if present,
along with the rest of the configuration. The boot system command lets you boot
from a specific image, including an image on the external flash memory card.
The next time you reload the ASA, it boots from the first image in internal flash
memory; if you do not have an image in internal flash memory, the ASA does
not boot.

Create Text Configuration Files Offline


This guide describes how to use the CLI to configure the ASA; when you save commands, the changes are
written to a text file. Instead of using the CLI, however, you can edit a text file directly on your computer and
paste a configuration at the configuration mode command-line prompt in its entirety, or line by line.
Alternatively, you can download a text file to the ASA internal flash memory. See Software and Configurations,
on page 1005 for information on downloading the configuration file to the ASA.
In most cases, commands described in this guide are preceded by a CLI prompt. The prompt in the following
example is “ciscoasa(config)#”:

ciscoasa(config)# context a

In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows:

context a

For additional information about formatting the file, see Using the Command-Line Interface, on page 1187.

Apply Configuration Changes to Connections


When you make security policy changes to the configuration, all new connections use the new security policy.
Existing connections continue to use the policy that was configured at the time of the connection establishment.
The show command output for old connections reflects the old configuration, and in some cases will not include
data about the old connections.
For example, if you remove a QoS service-policy from an interface, then re-add a modified version, then the
show service-policy command only displays QoS counters associated with new connections that match the
new service policy; existing connections on the old policy no longer show in the command output.
To ensure that all connections use the new policy, you need to disconnect the current connections so that they
can reconnect using the new policy.
To disconnect connections, enter one of the following commands:
• clear local-host [ip_address] [all]
This command reinitializes per-client run-time states such as connection limits and embryonic limits.
As a result, this command removes any connection that uses those limits. See the show local-host all
command to view all current connections per host.
With no arguments, this command clears all affected through-the-box connections. To also clear to-the-box
connections (including your current management session), use the all keyword. To clear connections to
and from a particular IP address, use the ip_address argument.
• clear conn [all] [protocol {tcp | udp}] [address src_ip [-src_ip] [netmask mask]] [port src_port
[-src_port]] [address dest_ip [-dest_ip] [netmask mask]] [port dest_port [-dest_port]]
This command terminates connections in any state. See the show conn command to view all current
connections.
With no arguments, this command clears all through-the-box connections. To also clear to-the-box
connections (including your current management session), use the all keyword. To clear specific
connections based on the source IP address, destination IP address, port, and/or protocol, you can specify
the desired options.

Reload the ASA


To reload the ASA, complete the following procedure.

Procedure

Reload the ASA:

reload

Note In multiple context mode, you can only reload from the system execution space.

CHAPTER 3
Licenses: Product Authorization Key Licensing
A license specifies the options that are enabled on a given Cisco ASA. This document describes product
authorization key (PAK) licenses for all physical ASAs. For the ASAv, see Licenses: Smart Software Licensing
(ASAv, ASA on Firepower), on page 109.
• About PAK Licenses, on page 49
• Guidelines for PAK Licenses, on page 60
• Configure PAK Licenses, on page 62
• Configure a Shared License (AnyConnect 3 and Earlier), on page 66
• Supported Feature Licenses Per Model, on page 74
• Monitoring PAK Licenses, on page 90
• History for PAK Licenses, on page 100

About PAK Licenses


A license specifies the options that are enabled on a given ASA. It is represented by an activation key that is
a 160-bit (5 32-bit words or 20 bytes) value. This value encodes the serial number (an 11 character string)
and the enabled features.

Preinstalled License
By default, your ASA ships with a license already installed. This license might be the Base License, to which
you want to add more licenses, or it might already have all of your licenses installed, depending on what you
ordered and what your vendor installed for you.
Related Topics
Monitoring PAK Licenses, on page 90

Permanent License
You can have one permanent activation key installed. The permanent activation key includes all licensed
features in a single key. If you also install time-based licenses, the ASA combines the permanent and time-based
licenses into a running license.
Related Topics
How Permanent and Time-Based Licenses Combine, on page 50

Time-Based Licenses
In addition to permanent licenses, you can purchase time-based licenses or receive an evaluation license that
has a time-limit. For example, you might buy a time-based AnyConnect Premium license to handle short-term
surges in the number of concurrent SSL VPN users, or you might order a Botnet Traffic Filter time-based
license that is valid for 1 year.

Note The ASA 5506-X and ASA 5506W-X do not support time-based licenses.

Time-Based License Activation Guidelines


• You can install multiple time-based licenses, including multiple licenses for the same feature. However,
only one time-based license per feature can be active at a time. The inactive license remains installed,
and ready for use. For example, if you install a 1000-session AnyConnect Premium license, and a
2500-session AnyConnect Premium license, then only one of these licenses can be active.
• If you activate an evaluation license that has multiple features in the key, then you cannot also activate
another time-based license for one of the included features. For example, if an evaluation license includes
the Botnet Traffic Filter and a 1000-session AnyConnect Premium license, you cannot also activate a
standalone time-based 2500-session AnyConnect Premium license.

How the Time-Based License Timer Works


• The timer for the time-based license starts counting down when you activate it on the ASA.
• If you stop using the time-based license before it times out, then the timer halts. The timer only starts
again when you reactivate the time-based license.
• If the time-based license is active, and you shut down the ASA, then the timer stops counting down. The
time-based license only counts down when the ASA is running. The system clock setting does not affect
the license; only ASA uptime counts towards the license duration.

How Permanent and Time-Based Licenses Combine


When you activate a time-based license, then features from both permanent and time-based licenses combine
to form the running license. How the permanent and time-based licenses combine depends on the type of
license. The following table lists the combination rules for each feature license.

Note Even when the permanent license is used, if the time-based license is active, it continues to count down.

Table 1: Time-Based License Combination Rules

Time-Based Feature / Combined License Rule

AnyConnect Premium Sessions
  The higher value is used, either time-based or permanent. For example, if the permanent license is
  1000 sessions, and the time-based license is 2500 sessions, then 2500 sessions are enabled. Typically,
  you will not install a time-based license that has less capability than the permanent license, but if
  you do so, then the permanent license is used.

Unified Communications Proxy Sessions
  The time-based license sessions are added to the permanent sessions, up to the platform limit. For
  example, if the permanent license is 2500 sessions, and the time-based license is 1000 sessions, then
  3500 sessions are enabled for as long as the time-based license is active.

Security Contexts
  The time-based license contexts are added to the permanent contexts, up to the platform limit. For
  example, if the permanent license is 10 contexts, and the time-based license is 20 contexts, then 30
  contexts are enabled for as long as the time-based license is active.

Botnet Traffic Filter
  There is no permanent Botnet Traffic Filter license available; the time-based license is used.

All Others
  The higher value is used, either time-based or permanent. For licenses that have a status of enabled
  or disabled, the license with the enabled status is used. For licenses with numerical tiers, the higher
  value is used. Typically, you will not install a time-based license that has less capability than the
  permanent license, but if you do so, then the permanent license is used.

Related Topics
Monitoring PAK Licenses, on page 90

Stacking Time-Based Licenses


In many cases, you might need to renew your time-based license and have a seamless transition from the old
license to the new one. For features that are only available with a time-based license, it is especially important
that the license not expire before you can apply the new license. The ASA allows you to stack time-based
licenses so that you do not have to worry about the license expiring or about losing time on your licenses
because you installed the new one early.
When you install an identical time-based license as one already installed, then the licenses are combined, and
the duration equals the combined duration.
For example:

1. You install a 52-week Botnet Traffic Filter license, and use the license for 25 weeks (27 weeks remain).
2. You then purchase another 52-week Botnet Traffic Filter license. When you install the second license,
the licenses combine to have a duration of 79 weeks (52 weeks plus 27 weeks).

Similarly:
1. You install an 8-week 1000-session AnyConnect Premium license, and use it for 2 weeks (6 weeks remain).
2. You then install another 8-week 1000-session license, and the licenses combine to be 1000-sessions for
14 weeks (8 weeks plus 6 weeks).

If the licenses are not identical (for example, a 1000-session AnyConnect Premium license vs. a 2500-session
license), then the licenses are not combined. Because only one time-based license per feature can be active,
only one of the licenses can be active.
Although non-identical licenses do not combine, when the current license expires, the ASA automatically
activates an installed license of the same feature if available.
Related Topics
Activate or Deactivate Keys, on page 65
Time-Based License Expiration, on page 52

Time-Based License Expiration


When the current license for a feature expires, the ASA automatically activates an installed license of the
same feature if available. If there are no other time-based licenses available for the feature, then the permanent
license is used.
If you have more than one additional time-based license installed for a feature, then the ASA uses the first
license it finds; which license is used is not user-configurable and depends on internal operations. If you prefer
to use a different time-based license than the one the ASA activated, then you must manually activate the
license you prefer.
For example, you have a time-based 2500-session AnyConnect Premium license (active), a time-based
1000-session AnyConnect Premium license (inactive), and a permanent 500-session AnyConnect Premium
license. When the 2500-session license expires, the ASA activates the 1000-session license. After the
1000-session license expires, the ASA uses the 500-session permanent license.
Related Topics
Activate or Deactivate Keys, on page 65
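
The combination rules of Table 1, the stacking of identical time-based licenses, and the fall-through to the next installed license on expiry, modelled in Python as an added example (this is not Cisco code; the platform limits are constructed sample values, and picking the next license in install order stands in for the ASA's internal, non-configurable choice):

```python
from dataclasses import dataclass, field

RULES = {  # combination rule per feature category, from Table 1
    "anyconnect_premium": "higher",  # the same rule applies to "all others"
    "uc_proxy": "additive",          # added to the permanent value, up to the platform limit
    "contexts": "additive",
    "botnet_filter": "time-only",    # no permanent license exists
}


@dataclass
class TimeLicense:
    value: int          # sessions or contexts; 1 for an enabled-only feature
    weeks_left: int
    active: bool = False


@dataclass
class Feature:
    name: str
    permanent: int = 0
    platform_limit: int = 0   # constructed sample limit, not a real model limit
    time_based: list = field(default_factory=list)

    def install(self, lic):
        """Install a time-based license. An identical license (same feature and
        capacity) stacks: the remaining durations are added together."""
        for existing in self.time_based:
            if existing.value == lic.value:
                existing.weeks_left += lic.weeks_left
                return existing
        self.time_based.append(lic)
        # Only one time-based license per feature is active at a time: the first
        # one installed becomes active, later ones stay installed but inactive.
        lic.active = not any(l.active for l in self.time_based[:-1])
        return lic

    def active_time_based(self):
        return next((l for l in self.time_based if l.active), None)

    def running(self):
        """Running license value for this feature, per Table 1."""
        tb = self.active_time_based()
        tb_value = tb.value if tb else 0
        rule = RULES.get(self.name, "higher")
        if rule == "time-only":
            return tb_value
        if rule == "additive":
            return min(self.permanent + tb_value, self.platform_limit)
        return max(self.permanent, tb_value)  # a weaker time-based license is ignored

    def run(self, weeks):
        """Advance ASA uptime. Only the active time-based license counts down (a
        powered-off ASA or an inactive license does not). On expiry the ASA activates
        the next installed license for the feature; which one it picks is internal,
        modelled here as install order (an assumption)."""
        while weeks > 0:
            tb = self.active_time_based()
            if tb is None:
                return  # permanent license only: nothing counts down
            used = min(weeks, tb.weeks_left)
            tb.weeks_left -= used
            weeks -= used
            if tb.weeks_left == 0:
                self.time_based.remove(tb)
                if self.time_based:
                    self.time_based[0].active = True


def table1_examples():
    """The worked examples from Table 1, as {feature: running value}."""
    ac = Feature("anyconnect_premium", permanent=1000)
    ac.install(TimeLicense(2500, weeks_left=8))
    uc = Feature("uc_proxy", permanent=2500, platform_limit=5000)
    uc.install(TimeLicense(1000, weeks_left=8))
    ctx = Feature("contexts", permanent=10, platform_limit=50)
    ctx.install(TimeLicense(20, weeks_left=8))
    bot = Feature("botnet_filter")
    bot.install(TimeLicense(1, weeks_left=52))
    return {f.name: f.running() for f in (ac, uc, ctx, bot)}


def stacking_examples():
    """52-week Botnet Traffic Filter license used for 25 weeks plus a second 52-week
    license (27 + 52); 8-week 1000-session AnyConnect Premium license used for
    2 weeks plus another 8-week license (6 + 8)."""
    bot = Feature("botnet_filter")
    bot.install(TimeLicense(1, weeks_left=52))
    bot.run(25)
    ac = Feature("anyconnect_premium")
    ac.install(TimeLicense(1000, weeks_left=8))
    ac.run(2)
    return (bot.install(TimeLicense(1, weeks_left=52)).weeks_left,
            ac.install(TimeLicense(1000, weeks_left=8)).weeks_left)


def expiration_example():
    """Active 2500-session, inactive 1000-session and permanent 500-session
    AnyConnect Premium licenses: the running value before and after each expiry."""
    ac = Feature("anyconnect_premium", permanent=500)
    ac.install(TimeLicense(2500, weeks_left=4))
    ac.install(TimeLicense(1000, weeks_left=8))
    history = [ac.running()]
    ac.run(4)   # the 2500-session license expires; the 1000-session one is activated
    history.append(ac.running())
    ac.run(8)   # the 1000-session license expires; the permanent license is used
    history.append(ac.running())
    return history
```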

License Notes
The following sections include additional information about licenses.

AnyConnect Plus and Apex Licenses


The AnyConnect Plus or Apex license is a multi-use license that you can apply to multiple ASAs, all of which
share a user pool as specified by the license. See https://www.cisco.com/go/license, and assign the PAK
separately to each ASA. When you apply the resulting activation key to an ASA, it toggles on the VPN features
to the maximum allowed, but the actual number of unique users across all ASAs sharing the license should
not exceed the license limit. For more information, see:

• Cisco AnyConnect Ordering Guide
• AnyConnect Licensing Frequently Asked Questions (FAQ)

Note The AnyConnect Apex license is required for multiple context mode. Moreover, in multiple context mode,
this license must be applied to each unit in a failover pair; the license is not aggregated.

Other VPN License


Other VPN sessions include the following VPN types:
• IPsec remote access VPN using IKEv1
• IPsec site-to-site VPN using IKEv1
• IPsec site-to-site VPN using IKEv2

This license is included in the Base license.

Total VPN Sessions Combined, All Types


• Although the maximum VPN sessions add up to more than the maximum VPN AnyConnect and Other
VPN sessions, the combined sessions should not exceed the VPN session limit. If you exceed the maximum
VPN sessions, you can overload the ASA, so be sure to size your network appropriately.
• If you start a clientless SSL VPN session and then start an AnyConnect client session from the portal, 1
session is used in total. However, if you start the AnyConnect client first (from a standalone client, for
example) and then log into the clientless SSL VPN portal, then 2 sessions are used.

VPN Load Balancing


VPN load balancing requires a Strong Encryption (3DES/AES) License.

Legacy VPN Licenses


Refer to the Supplemental End User License Agreement for AnyConnect for all relevant information on
licensing.

Note The AnyConnect Apex license is required for multiple context mode; you cannot use the default or legacy
license.

Encryption License
The DES license cannot be disabled. If you have the 3DES license installed, DES is still available. To prevent
the use of DES when you want to only use strong encryption, be sure to configure any relevant commands to
use only strong encryption.

Carrier License
The Carrier license enables the following inspection features:
• Diameter
• GTP/GPRS
• SCTP

Total TLS Proxy Sessions


Each TLS proxy session for Encrypted Voice Inspection is counted against the TLS license limit.
Other applications that use TLS proxy sessions do not count toward the TLS limit, for example, Mobility
Advantage Proxy (which does not require a license).
Some applications might use multiple sessions for a connection. For example, if you configure a phone with
a primary and backup Cisco Unified Communications Manager, there are 2 TLS proxy connections.
You independently set the TLS proxy limit using the tls-proxy maximum-sessions command (or, in ASDM,
the Configuration > Firewall > Unified Communications > TLS Proxy pane). To view the limits of
your model, enter the tls-proxy maximum-sessions ? command. When you apply a TLS proxy license that
is higher than the default TLS proxy limit, the ASA automatically sets the TLS proxy limit to match the
license. The TLS proxy limit takes precedence over the license limit; if you set the TLS proxy limit to be less
than the license, then you cannot use all of the sessions in your license.

Note For license part numbers ending in “K8” (for example, licenses under 250 users), TLS proxy sessions are
limited to 1000. For license part numbers ending in “K9” (for example, licenses 250 users or larger), the
TLS proxy limit depends on the configuration, up to the model limit. K8 and K9 refer to whether the license
is restricted for export: K8 is unrestricted, and K9 is restricted.
If you clear the configuration (using the clear configure all command, for example), then the TLS proxy
limit is set to the default for your model; if this default is lower than the license limit, then you see an error
message to use the tls-proxy maximum-sessions command to raise the limit again (in ASDM, use the TLS
Proxy pane). If you use failover and enter the write standby command (or, in ASDM, use File > Save Running
Configuration to Standby Unit) on the primary unit to force a configuration synchronization, the clear
configure all command is generated on the secondary unit automatically, so you may see the warning message
on the secondary unit. Because the configuration synchronization restores the TLS proxy limit set on the
primary unit, you can ignore the warning.

You might also use SRTP encryption sessions for your connections:
• For K8 licenses, SRTP sessions are limited to 250.
• For K9 licenses, there is no limit.

Note Only calls that require encryption/decryption for media are counted toward the SRTP limit; if passthrough is
set for the call, even if both legs are SRTP, they do not count toward the limit.

VLANs, Maximum
For an interface to count against the VLAN limit, you must assign a VLAN to it. For example:

interface gigabitethernet 0/0.100
 vlan 100

Botnet Traffic Filter License


Requires a Strong Encryption (3DES/AES) License to download the dynamic database.

IPS Module License


The IPS module license lets you run the IPS software module on the ASA. You also need the IPS signature
subscription on the IPS side.
See the following guidelines:
• To buy the IPS signature subscription you need to have the ASA with IPS pre-installed (the part number
must include “IPS”, for example ASA5515-IPS-K9); you cannot buy the IPS signature subscription for
a non-IPS part number ASA.
• For failover, you need the IPS signature subscription on both units; this subscription is not shared in
failover, because it is not an ASA license.
• For failover, the IPS signature subscription requires a unique IPS module license per unit. Like other
ASA licenses, the IPS module license is technically shared in the failover cluster license. However,
because of the IPS signature subscription requirements, you must buy a separate IPS module license for
each unit in failover.

Shared AnyConnect Premium Licenses (AnyConnect 3 and Earlier)

Note The shared license feature on the ASA is not supported with AnyConnect 4 and later licensing. AnyConnect
licenses are shared and no longer require a shared server or participant license.

A shared license lets you purchase a large number of AnyConnect Premium sessions and share the sessions
as needed among a group of ASAs by configuring one of the ASAs as a shared licensing server, and the rest
as shared licensing participants.

Failover or ASA Cluster Licenses


With some exceptions, failover and cluster units do not require the same license on each unit. For earlier
versions, see the licensing document for your version.

Failover License Requirements and Exceptions


Failover units do not require the same license on each unit. If you have licenses on both units, they combine
into a single running failover cluster license. There are some exceptions to this rule. See the following table
for precise licensing requirements for failover.

Model / License Requirement

ASA 5506-X and ASA 5506W-X
  • Active/Standby—Security Plus License.
  • Active/Active—No Support.
  Note Each unit must have the same encryption license.

ASA 5512-X through ASA 5555-X
  • ASA 5512-X—Security Plus License.
  • Other models—Base License.
  Note
  • Each unit must have the same encryption license.
  • In multiple context mode, each unit must have the same AnyConnect Apex license.
  • Each unit must have the same IPS module license. You also need the IPS signature subscription on
    the IPS side for both units. See the following guidelines:
    • To buy the IPS signature subscription you need to have the ASA with IPS pre-installed (the part
      number must include “IPS”, for example ASA5525-IPS-K9); you cannot buy the IPS signature
      subscription for a non-IPS part number ASA.
    • You need the IPS signature subscription on both units; this subscription is not shared in failover,
      because it is not an ASA license.
    • The IPS signature subscription requires a unique IPS module license per unit. Like other ASA
      licenses, the IPS module license is technically shared in the failover cluster license. However,
      because of the IPS signature subscription requirements, you must buy a separate IPS module
      license for each unit in failover.

ASAv
  See Failover Licenses for the ASAv, on page 117.

Firepower 4100/9300
  See Failover Licenses for the ASA on the Firepower 4100/9300 Chassis, on page 117.

All other models
  Base License or Standard License.
  Note
  • Each unit must have the same encryption license.
  • In multiple context mode, each unit must have the same AnyConnect Apex license.

Note A valid permanent key is required; in rare instances, your PAK authentication key can be removed. If your
key consists of all 0’s, then you need to reinstall a valid authentication key before failover can be enabled.

ASA Cluster License Requirements and Exceptions


Cluster units do not require the same license on each unit. Typically, you buy a license only for the master
unit; slave units inherit the master license. If you have licenses on multiple units, they combine into a single
running ASA cluster license.
There are exceptions to this rule. See the following table for precise licensing requirements for clustering.

Model / License Requirement

ASA 5585-X
  Cluster License, supports up to 16 units.
  Note Each unit must have the same encryption license; each unit must have the same 10 GE I/O/Security
  Plus license (ASA 5585-X with SSP-10 and -20).

ASA 5516-X
  Base license, supports 2 units.
  Note Each unit must have the same encryption license.

ASA 5512-X
  Security Plus license, supports 2 units.
  Note Each unit must have the same encryption license.

ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X
  Base License, supports 2 units.
  Note Each unit must have the same encryption license.

Firepower 4100/9300 Chassis
  See ASA Cluster Licenses for the ASA on the Firepower 4100/9300 Chassis, on page 118.

All other models
  No support.

How Failover or ASA Cluster Licenses Combine


For failover pairs or ASA clusters, the licenses on each unit are combined into a single running cluster license.
If you buy separate licenses for each unit, then the combined license uses the following rules:
• For licenses that have numerical tiers, such as the number of sessions, the values from each unit’s licenses
are combined up to the platform limit. If all licenses in use are time-based, then the licenses count down
simultaneously.
For example, for failover:
• You have two ASAs with 10 TLS Proxy sessions installed on each; the licenses will be combined
for a total of 20 TLS Proxy sessions.
• You have an ASA 5545-X with 1000 TLS Proxy sessions, and another with 2000 sessions; because
the platform limit is 2000, the combined license allows 2000 TLS Proxy sessions.

• You have two ASA 5545-X ASAs, one with 20 contexts and the other with 10 contexts; the combined
license allows 30 contexts. For Active/Active failover, the contexts are divided between the two
units. One unit can use 18 contexts and the other unit can use 12 contexts, for example, for a total
of 30.

For example, for ASA clustering:
• You have 2 ASA 5516-X ASAs with the default 2 contexts. Because the platform limit is 5, the
combined license allows a maximum of 4 contexts. Therefore, you can configure up to 4 contexts
on the primary unit; each secondary unit will also have 4 contexts through configuration replication.
• You have four ASA 5516-X ASAs, three units with 5 contexts each, and one unit with the default
2 contexts. Because the platform limit is 5, the licenses will be combined for a total of 5 contexts.
Therefore, you can configure up to 5 contexts on the primary unit; each secondary unit will also
have 5 contexts through configuration replication.

• For licenses that have a status of enabled or disabled, then the license with the enabled status is used.
• For time-based licenses that are enabled or disabled (and do not have numerical tiers), the duration is
the combined duration of all licenses. The primary/master unit counts down its license first, and when
it expires, the secondary/slave units start counting down their licenses, and so on. This rule also applies
to Active/Active failover and ASA clustering, even though all units are actively operating.
For example, if you have 48 weeks left on the Botnet Traffic Filter license on two units, then the combined
duration is 96 weeks.

Related Topics
Monitoring PAK Licenses, on page 90

Loss of Communication Between Failover or ASA Cluster Units


If the units lose communication for more than 30 days, then each unit reverts to the license installed locally.
During the 30-day grace period, the combined running license continues to be used by all units.
If you restore communication during the 30-day grace period, then for time-based licenses, the time elapsed
is subtracted from the primary/master license; if the primary/master license becomes expired, only then does
the secondary/slave license start to count down.
If you do not restore communication during the 30-day period, then for time-based licenses, time is subtracted
from all unit licenses, if installed. They are treated as separate licenses and do not benefit from the combined
license. The time elapsed includes the 30-day grace period.
For example:
1. You have a 52-week Botnet Traffic Filter license installed on two units. The combined running license
allows a total duration of 104 weeks.
2. The units operate as a failover unit/ASA cluster for 10 weeks, leaving 94 weeks on the combined license
(42 weeks on the primary/master, and 52 weeks on the secondary/slave).
3. If the units lose communication (for example the primary/master unit fails), the secondary/slave unit
continues to use the combined license, and continues to count down from 94 weeks.
4. The time-based license behavior depends on when communication is restored:

• Within 30 days—The time elapsed is subtracted from the primary/master unit license. In this case,
communication is restored after 4 weeks. Therefore, 4 weeks are subtracted from the primary/master
license leaving 90 weeks combined (38 weeks on the primary, and 52 weeks on the secondary).
• After 30 days—The time elapsed is subtracted from both units. In this case, communication is restored
after 6 weeks. Therefore, 6 weeks are subtracted from both the primary/master and secondary/slave
licenses, leaving 84 weeks combined (36 weeks on the primary/master, and 46 weeks on the
secondary/slave).

Upgrading Failover Pairs


Because failover pairs do not require the same license on both units, you can apply new licenses to each unit
without any downtime. If you apply a permanent license that requires a reload, then you can fail over to the
other unit while you reload. If both units require reloading, then you can reload them separately so that you
have no downtime.
Related Topics
Activate or Deactivate Keys, on page 65

No Payload Encryption Models


You can purchase some models with No Payload Encryption. For export to some countries, payload encryption
cannot be enabled on the Cisco ASA series. The ASA software senses a No Payload Encryption model, and
disables the following features:
• Unified Communications
• VPN

You can still install the Strong Encryption (3DES/AES) license for use with management connections. For
example, you can use ASDM HTTPS/SSL, SSHv2, Telnet and SNMPv3. You can also download the dynamic
database for the Botnet Traffic Filter (which uses SSL).
When you view the license, VPN and Unified Communications licenses will not be listed.
Related Topics
Monitoring PAK Licenses, on page 90

Licenses FAQ
Can I activate multiple time-based licenses, for example, AnyConnect Premium and Botnet Traffic
Filter?
Yes. You can use one time-based license per feature at a time.
Can I “stack” time-based licenses so that when the time limit runs out, it will automatically use the next
license?
Yes. For identical licenses, the time limit is combined when you install multiple time-based licenses. For
non-identical licenses (for example, a 1000-session AnyConnect Premium license and a 2500-session
license), the ASA automatically activates the next time-based license it finds for the feature.

Can I install a new permanent license while maintaining an active time-based license?
Yes. Activating a permanent license does not affect time-based licenses.
For failover, can I use a shared licensing server as the primary unit, and the shared licensing backup
server as the secondary unit?
No. The secondary unit has the same running license as the primary unit; in the case of the shared licensing
server, they require a server license. The backup server requires a participant license. The backup server
can be in a separate failover pair of two backup servers.
Do I need to buy the same licenses for the secondary unit in a failover pair?
No. Starting with Version 8.3(1), you do not have to have matching licenses on both units. Typically,
you buy a license only for the primary unit; the secondary unit inherits the primary license when it
becomes active. In the case where you also have a separate license on the secondary unit (for example,
if you purchased matching licenses for pre-8.3 software), the licenses are combined into a running failover
cluster license, up to the model limits.
Can I use a time-based or permanent AnyConnect Premium license in addition to a shared AnyConnect
Premium license?
Yes. The shared license is used only after the sessions from the locally installed license (time-based or
permanent) are used up.

Note On the shared licensing server, the permanent AnyConnect Premium license is not used; you can however
use a time-based license at the same time as the shared licensing server license. In this case, the time-based
license sessions are available for local AnyConnect Premium sessions only; they cannot be added to the
shared licensing pool for use by participants.

Guidelines for PAK Licenses


Context Mode Guidelines
In multiple context mode, apply the activation key in the system execution space.

Failover Guidelines
See Failover or ASA Cluster Licenses, on page 55.

Model Guidelines
• Smart Licensing is supported on the ASAv only.
• Shared licenses are not supported on the ASAv, ASA 5506-X, ASA 5508-X, and ASA 5516-X.
• The ASA 5506-X and ASA 5506W-X do not support time-based licenses.

Upgrade and Downgrade Guidelines


Your activation key remains compatible if you upgrade to the latest version from any previous version.
However, you might have issues if you want to maintain downgrade capability:

• Downgrading to Version 8.1 or earlier—After you upgrade, if you activate additional feature licenses
that were introduced before 8.2, then the activation key continues to be compatible with earlier versions
if you downgrade. However if you activate feature licenses that were introduced in 8.2 or later, then the
activation key is not backwards compatible. If you have an incompatible license key, then see the following
guidelines:
• If you previously entered an activation key in an earlier version, then the ASA uses that key (without
any of the new licenses you activated in Version 8.2 or later).
• If you have a new system and do not have an earlier activation key, then you need to request a new
activation key compatible with the earlier version.

• Downgrading to Version 8.2 or earlier—Version 8.3 introduced more robust time-based key usage as
well as failover license changes:
• If you have more than one time-based activation key active, when you downgrade, only the most
recently activated time-based key can be active. Any other keys are made inactive. If the last
time-based license is for a feature introduced in 8.3, then that license still remains the active license
even though it cannot be used in earlier versions. Reenter the permanent key or a valid time-based
key.
• If you have mismatched licenses on a failover pair, then downgrading will disable failover. Even
if the keys are matching, the license used will no longer be a combined license.
• If you have one time-based license installed, but it is for a feature introduced in 8.3, then after you
downgrade, that time-based license remains active. You need to reenter the permanent key to disable
the time-based license.

Additional Guidelines
• The activation key is not stored in your configuration file; it is stored as a hidden file in flash memory.
A backup of the configuration therefore does not preserve your licenses; record the activation key (shown
by the show activation-key command) with your other device records so that it can be reentered after a
replacement or a flash reformat.
• The activation key is tied to the serial number of the device. Feature licenses cannot be transferred
between devices (except in the case of a hardware failure). If you have to replace your device due to a
hardware failure, and it is covered by Cisco TAC, contact the Cisco Licensing Team to have your existing
license transferred to the new serial number. The Cisco Licensing Team will ask for the Product
Authorization Key reference number and existing serial number.
• The serial number used for licensing is the one seen in the show version output. This serial number is
different from the chassis serial number printed on the outside of your hardware. The chassis serial
number is used for technical support, but not for licensing.
• Once purchased, you cannot return a license for a refund or for an upgraded license.
• On a single unit, you cannot add two separate licenses for the same feature together; for example, if you
purchase a 25-session SSL VPN license, and later purchase a 50-session license, you cannot use 75
sessions; you can use a maximum of 50 sessions. (You may be able to purchase a larger license at an
upgrade price, for example from 25 sessions to 75 sessions; this kind of upgrade should be distinguished
from adding two separate licenses together).
• Although you can activate all license types, some features are incompatible with each other. In the case
of the AnyConnect Essentials license, the license is incompatible with the following licenses: AnyConnect
Premium license, shared AnyConnect Premium license, and Advanced Endpoint Assessment license.
By default, if you install the AnyConnect Essentials license (if it is available for your model), it is used
instead of the above licenses. To restore use of the other licenses, disable the AnyConnect Essentials
license in the configuration: enter the webvpn command, and then the no anyconnect-essentials command.

Configure PAK Licenses


This section describes how to obtain an activation key and how to activate it. You can also deactivate a key.

Order License PAKs and Obtain an Activation Key


To install a license on the ASA, you need Product Authorization Keys, which you can then register with
Cisco.com to obtain an activation key. You can then enter the activation key on the ASA. You need a separate
Product Authorization Key for each feature license. The PAKs are combined to give you a single activation
key. You may have received all of your license PAKs in the box with your device. The ASA has the Base or
Security Plus license pre-installed, along with the Strong Encryption (3DES/AES) license if you qualify for
its use. If you need to manually request the Strong Encryption license (which is free), see
http://www.cisco.com/go/license.

Before you begin


When you purchase one or more licenses for the device, you manage them in the Cisco Smart Software Manager:
https://software.cisco.com/#module/SmartLicensing
If you do not yet have an account, set up a new account. The Smart Software Manager lets you create a master
account for your organization.

Procedure

Step 1 To purchase additional licenses, see http://www.cisco.com/go/ccw. See the following AnyConnect ordering
guide and FAQ:
• Cisco AnyConnect Ordering Guide
• AnyConnect Licensing Frequently Asked Questions (FAQ)

After you order a license, you will then receive an email with a Product Authorization Key (PAK). For the
AnyConnect licenses, you receive a multi-use PAK that you can apply to multiple ASAs that use the same
pool of user sessions. The PAK email can take several days in some cases.
The ASA FirePOWER module uses a separate licensing mechanism from the ASA. See the quick start guide
for your model for more information.

Step 2 Obtain the serial number for your ASA by entering the following command.
show version | grep Serial
The serial number used for licensing is different from the chassis serial number printed on the outside of your
hardware. The chassis serial number is used for technical support, but not for licensing.

Step 3 To obtain the activation key, go to the following licensing website:


http://www.cisco.com/go/license

Step 4 Enter the following information, when prompted:


• Product Authorization Key (if you have multiple keys, enter one of the keys first. You have to enter each
key as a separate process.)
• The serial number of your ASA
• Your e-mail address

An activation key is automatically generated and sent to the e-mail address that you provide. This key includes
all features you have registered so far for permanent licenses. For time-based licenses, each license has a
separate activation key.

Step 5 If you have additional Product Authorization Keys, repeat the process for each Product Authorization Key.
After you enter all of the Product Authorization Keys, the final activation key provided includes all of the
permanent features you registered.
Step 6 Install the activation key according to Activate or Deactivate Keys, on page 65.

Obtain a Strong Encryption License


To use ASDM (and many other features), you need to install the Strong Encryption (3DES/AES) license. If
your ASA did not come with the Strong Encryption license pre-installed, you can request one for free. You
must qualify for a Strong Encryption license based on your country.

Procedure

Step 1 Obtain the serial number for your ASA by entering the following command:
show version | grep Serial
This serial number is different from the chassis serial number printed on the outside of your hardware. The
chassis serial number is used for technical support, but not for licensing.

Step 2 See https://www.cisco.com/go/license, and click Get Other Licenses.

Figure 1: Get Other Licenses

Step 3 Choose IPS, Crypto, Other.


Figure 2: IPS, Crypto, Other

Step 4 In the Search by Keyword field, enter asa, and select Cisco ASA 3DES/AES License.
Figure 3: Cisco ASA 3DES/AES License

Step 5 Select your Smart Account, Virtual Account, enter the ASA Serial Number, and click Next.

Figure 4: Smart Account, Virtual Account, and Serial Number

Step 6 Your Send To email address and End User name are auto-filled; enter additional email addresses if needed.
Check the I Agree check box, and click Submit.
Figure 5: Submit

Step 7 You will then receive an email with the activation key, but you can also download the key right away from
the Manage > Licenses area.
Step 8 Apply the activation key according to Activate or Deactivate Keys, on page 65.

Activate or Deactivate Keys


This section describes how to enter a new activation key, and how to activate and deactivate time-based keys.

Before you begin


• If you are already in multiple context mode, enter the activation key in the system execution space.
• Some permanent licenses require you to reload the ASA after you activate them. The following table
lists the licenses that require reloading.

Table 2: Permanent License Reloading Requirements

Model       | License Action Requiring Reload
All models  | Downgrading the Encryption license

Procedure

Step 1 Apply an activation key to the ASA:


activation-key key [activate | deactivate]
Example:

ciscoasa# activation-key 0xd11b3d48 0xa80a4c0a 0x48e0fd1c 0xb0443480 0x843fc490

The key is a five-element hexadecimal string with one space between each element. The leading 0x specifier
is optional; all values are assumed to be hexadecimal.
You can install one permanent key, and multiple time-based keys. If you enter a new permanent key, it
overwrites the already installed one.
The activate and deactivate keywords are available for time-based keys only. If you do not enter any value,
activate is the default. The last time-based key that you activate for a given feature is the active one. To
deactivate any active time-based key, enter the deactivate keyword. If you enter a key for the first time, and
specify deactivate, then the key is installed on the ASA in an inactive state.

Step 2 (Might be required.) Reload the ASA:


reload
Some permanent licenses require you to reload the ASA after entering the new activation key. If you need to
reload, you will see the following message:

WARNING: The running activation key was not updated with the requested key.
The flash activation key was updated with the requested key, and will become
active after the next reload.
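The two checks below are an added example, not text or code from the Cisco guide. They extract the licensing serial number from captured show version output (the same line that show version | grep Serial prints in Step 2 of Order License PAKs and Obtain an Activation Key) and normalize an activation key into the five-element hexadecimal form that Step 1 above expects, so a mistyped key is rejected before it is pasted into the system execution space. A third check compares a key against the key the unit is currently running, which is how you confirm after the reload warning above that the new key actually took effect. The show version sample is constructed, the Running Permanent Activation Key line format and the eight-hex-digit element width are assumptions, and the helper names are this example's own.

```python
import re
from typing import Optional

# `show version | grep Serial` on the ASA prints a line in this form.
SERIAL_RE = re.compile(r"^Serial Number:\s*(\S+)\s*$", re.MULTILINE)
# Assumed format of the running-key line in `show version` (not shown on the page).
RUNNING_PERM_RE = re.compile(r"^Running Permanent Activation Key:\s*(.+?)\s*$", re.MULTILINE)

# Constructed sample output: the serial number is made up; the key is the one
# from the guide's own activation-key example.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.6(1)
Hardware:   ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
Serial Number: JMX0000A0B1
Running Permanent Activation Key: 0xd11b3d48 0xa80a4c0a 0x48e0fd1c 0xb0443480 0x843fc490
Configuration register is 0x1
"""


def licensing_serial(show_version_output: str) -> str:
    """Return the serial number the ASA uses for licensing.

    This is the value reported by `show version`, not the chassis label,
    which is why the guide has you run the command instead of reading the sticker.
    """
    m = SERIAL_RE.search(show_version_output)
    if m is None:
        raise ValueError("no 'Serial Number:' line in show version output")
    return m.group(1)


def normalize_activation_key(key: str) -> str:
    """Validate a key as five whitespace-separated hex elements and return it
    in canonical `0x........` form.

    The `0x` prefix is optional and case is ignored, matching the guide's
    description of the activation-key argument.  Any other shape (wrong element
    count, non-hex characters) raises ValueError so the typo is caught before
    the key reaches the device.  The 8-digit element width is an assumption.
    """
    elements = key.split()
    if len(elements) != 5:
        raise ValueError(f"expected 5 key elements, got {len(elements)}")
    out = []
    for el in elements:
        digits = el.lower()
        if digits.startswith("0x"):
            digits = digits[2:]
        if not re.fullmatch(r"[0-9a-f]{1,8}", digits):
            raise ValueError(f"bad key element {el!r}")
        out.append("0x" + digits.zfill(8))
    return " ".join(out)


def activation_command(key: str, deactivate: bool = False) -> str:
    """Build the CLI line to enter in the system execution space.

    `deactivate` only applies to time-based keys; per the guide it installs the
    key in an inactive state.
    """
    line = "activation-key " + normalize_activation_key(key)
    if deactivate:
        line += " deactivate"
    return line


def running_permanent_key(show_version_output: str) -> Optional[str]:
    """Return the normalized permanent key the unit is currently running, if listed."""
    m = RUNNING_PERM_RE.search(show_version_output)
    return normalize_activation_key(m.group(1)) if m else None


def key_is_running(show_version_output: str, key: str) -> bool:
    """True when `key` is the running permanent key.

    False after `activation-key` usually means the flash key was updated but a
    reload is still pending (the WARNING shown above).
    """
    return running_permanent_key(show_version_output) == normalize_activation_key(key)
```

Feed the functions the text captured from the device (for example over SSH) rather than retyping it; the comparison is done on the normalized form, so a key copied from the license e-mail without the 0x prefixes still matches.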

Related Topics
Time-Based Licenses, on page 50

Configure a Shared License (AnyConnect 3 and Earlier)

Note The shared license feature on the ASA is not supported with AnyConnect 4 and later licensing. AnyConnect
licenses are shared and no longer require a shared server or participant license.

This section describes how to configure the shared licensing server and participants.

About Shared Licenses


A shared license lets you purchase a large number of AnyConnect Premium sessions and share the sessions
as needed among a group of ASAs by configuring one of the ASAs as a shared licensing server, and the rest
as shared licensing participants.

About the Shared Licensing Server and Participants


The following steps describe how shared licenses operate:
1. Decide which ASA should be the shared licensing server, and purchase the shared licensing server license
using that device serial number.
2. Decide which ASAs should be shared licensing participants, including the shared licensing backup server,
and obtain a shared licensing participant license for each device, using each device serial number.
3. (Optional) Designate a second ASA as a shared licensing backup server. You can only specify one backup
server.

Note The shared licensing backup server only needs a participant license.

4. Configure a shared secret on the shared licensing server; any participants with the shared secret can use
the shared license.
5. When you configure the ASA as a participant, it registers with the shared licensing server by sending
information about itself, including the local license and model information.

Note The participant needs to be able to communicate with the server over the IP network; it does not have to be
on the same subnet.

6. The shared licensing server responds with information about how often the participant should poll the
server.
7. When a participant uses up the sessions of the local license, it sends a request to the shared licensing
server for additional sessions in 50-session increments.
8. The shared licensing server responds with a shared license. The total sessions used by a participant cannot
exceed the maximum sessions for the platform model.

Note The shared licensing server can also participate in the shared license pool. It does not need a participant license
as well as the server license to participate.

a. If there are not enough sessions left in the shared license pool for the participant, then the server
responds with as many sessions as available.
b. The participant continues to send refresh messages requesting more sessions until the server can
adequately fulfill the request.

9. When the load is reduced on a participant, it sends a message to the server to release the shared sessions.

Note The ASA uses SSL between the server and participant to encrypt all communications.

Communication Issues Between Participant and Server


See the following guidelines for communication issues between the participant and server:
• If a participant fails to send a refresh after 3 times the refresh interval, then the server releases the sessions
back into the shared license pool.
• If the participant cannot reach the license server to send the refresh, then the participant can continue to
use the shared license it received from the server for up to 24 hours.
• If the participant is still not able to communicate with a license server after 24 hours, then the participant
releases the shared license, even if it still needs the sessions. The participant leaves existing connections
established, but cannot accept new connections beyond the license limit.
• If a participant reconnects with the server before 24 hours expires, but after the server expired the
participant sessions, then the participant needs to send a new request for the sessions; the server responds
with as many sessions as can be reassigned to that participant.
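The following model is an added example, not Cisco code, of the request, refresh and expiry rules described in About the Shared Licensing Server and Participants and in the communication guidelines above: the server registers only a participant that presents the shared secret, grants sessions in 50-session increments (or fewer when the pool runs short), and frees a grant after three missed refresh intervals, while a participant that has lost contact keeps using its grant for 24 hours and then falls back to its local license. The class and method names, the platform maximum, and the timeline in scenario() are assumptions made for this example; time is a plain count of seconds.

```python
from dataclasses import dataclass
from typing import Dict

REQUEST_INCREMENT = 50         # participants request sessions in 50-session increments
MISSED_REFRESH_FACTOR = 3      # server frees a grant after 3 x refresh interval without a refresh
PARTICIPANT_GRACE = 24 * 3600  # a participant that cannot reach the server keeps its grant this long


@dataclass
class Lease:
    sessions: int      # shared sessions currently granted to the participant
    last_refresh: int  # time of the last message received from it


class SharedLicenseServer:
    def __init__(self, pool_sessions: int, refresh_interval: int, secret: str):
        self.pool = pool_sessions
        self.refresh_interval = refresh_interval
        self.secret = secret
        self.leases: Dict[str, Lease] = {}

    def register(self, pid: str, secret: str, now: int) -> int:
        # Possession of the shared secret is the only thing that authorizes a participant.
        if secret != self.secret:
            raise PermissionError("shared secret mismatch")
        self.leases[pid] = Lease(0, now)
        return self.refresh_interval  # the server tells the participant how often to poll

    def request(self, pid: str, wanted: int, now: int) -> int:
        """Grant up to `wanted` sessions; fewer (even zero) when the pool is short."""
        lease = self.leases[pid]
        granted = min(wanted, self.pool)
        self.pool -= granted
        lease.sessions += granted
        lease.last_refresh = now
        return granted

    def refresh(self, pid: str, now: int) -> None:
        self.leases[pid].last_refresh = now

    def release(self, pid: str, sessions: int, now: int) -> None:
        lease = self.leases[pid]
        sessions = min(sessions, lease.sessions)
        lease.sessions -= sessions
        self.pool += sessions
        lease.last_refresh = now

    def expire_stale(self, now: int) -> int:
        """Return to the pool every grant whose participant missed three refresh intervals."""
        freed = 0
        for lease in self.leases.values():
            if lease.sessions and now - lease.last_refresh > MISSED_REFRESH_FACTOR * self.refresh_interval:
                freed += lease.sessions
                self.pool += lease.sessions
                lease.sessions = 0
        return freed


class Participant:
    def __init__(self, pid, local_sessions, platform_max, server, secret, now):
        self.pid = pid
        self.local_sessions = local_sessions  # sessions from the unit's own license
        self.platform_max = platform_max      # hard ceiling for the model (assumed value)
        self.server = server
        self.shared = 0                       # shared sessions the unit believes it holds
        self.last_contact = now
        self.refresh_interval = server.register(pid, secret, now)

    def refresh(self, now: int) -> None:
        self.server.refresh(self.pid, now)
        self.last_contact = now

    def capacity(self, now: int) -> int:
        """Sessions the unit may accept now; the shared grant lapses after the 24 h grace."""
        if now - self.last_contact > PARTICIPANT_GRACE:
            self.shared = 0  # existing connections stay up; new ones are limited to the local license
        return self.local_sessions + self.shared

    def ensure_capacity(self, active: int, now: int) -> int:
        """Request 50-session increments until `active` fits, never exceeding the platform maximum."""
        granted_total = 0
        while active > self.capacity(now) and self.local_sessions + self.shared < self.platform_max:
            wanted = min(REQUEST_INCREMENT, self.platform_max - self.local_sessions - self.shared)
            granted = self.server.request(self.pid, wanted, now)
            self.last_contact = now
            self.shared += granted
            granted_total += granted
            if granted < wanted:
                break  # pool exhausted; a real participant keeps asking on later refreshes
        return granted_total

    def release_unused(self, active: int, now: int) -> int:
        """When load drops, hand back the shared sessions that are no longer needed."""
        surplus = max(0, self.local_sessions + self.shared - max(active, self.local_sessions))
        if surplus:
            self.server.release(self.pid, surplus, now)
            self.shared -= surplus
            self.last_contact = now
        return surplus


def scenario() -> dict:
    """Constructed timeline: grant, pool exhaustion, server-side expiry, participant grace, release."""
    srv = SharedLicenseServer(pool_sessions=100, refresh_interval=30, secret="farscape")
    a = Participant("asa-a", 10, 250, srv, "farscape", now=0)
    b = Participant("asa-b", 10, 250, srv, "farscape", now=0)
    out = {}
    out["a_granted"] = a.ensure_capacity(active=60, now=0)    # one 50-session increment
    out["b_granted"] = b.ensure_capacity(active=200, now=0)   # gets 50, then the pool is empty
    out["pool_after"] = srv.pool
    b.refresh(now=100)                                        # B keeps polling; A has gone silent
    out["freed"] = srv.expire_stale(now=100)                  # A missed 3 x 30 s: its 50 return to the pool
    out["b_second"] = b.ensure_capacity(active=200, now=100)  # B now receives the freed 50
    out["a_cap_in_grace"] = a.capacity(now=3600)              # A still uses its grant within 24 h
    out["a_cap_after_grace"] = a.capacity(now=PARTICIPANT_GRACE + 1)  # then only its local license
    out["b_released"] = b.release_unused(active=20, now=200)  # load drops: B returns the surplus
    out["pool_end"] = srv.pool
    return out
```

The freed/b_second pair is the case the guidelines describe: the server has already reassigned A's sessions while A, still inside its grace period, believes it holds them, which is why a reconnecting participant must send a fresh request rather than resume the old grant.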

About the Shared Licensing Backup Server


The shared licensing backup server must register successfully with the main shared licensing server before it
can take on the backup role. When it registers, the main shared licensing server syncs server settings as well
as the shared license information with the backup, including a list of registered participants and the current
license usage. The main server and backup server sync the data at 10 second intervals. After the initial sync,
the backup server can successfully perform backup duties, even after a reload.
When the main server goes down, the backup server takes over server operation. The backup server can operate
for up to 30 continuous days, after which the backup server stops issuing sessions to participants, and existing
sessions time out. Be sure to reinstate the main server within that 30-day period. Critical-level syslog messages
are sent at 15 days, and again at 30 days.
When the main server comes back up, it syncs with the backup server, and then takes over server operation.
When the backup server is not active, it acts as a regular participant of the main shared licensing server.

Note When you first launch the main shared licensing server, the backup server can only operate independently for
5 days. The operational limit increases day-by-day, until 30 days is reached. Also, if the main server later
goes down for any length of time, the backup server operational limit decrements day-by-day. When the main
server comes back up, the backup server starts to increment again day-by-day. For example, if the main server
is down for 20 days, with the backup server active during that time, then the backup server will only have a
10-day limit left over. The backup server “recharges” up to the maximum 30 days after 20 more days as an
inactive backup. This recharging function is implemented to discourage misuse of the shared license.

Failover and Shared Licenses


This section describes how shared licenses interact with failover.

Failover and Shared License Servers


This section describes how the main server and backup server interact with failover. Because the shared
licensing server also performs normal duties as an ASA, such as acting as a VPN gateway and firewall, you
might need to configure failover for the main and backup shared licensing servers for increased reliability.

Note The backup server mechanism is separate from, but compatible with, failover.
Shared licenses are supported only in single context mode, so Active/Active failover is not supported.

For Active/Standby failover, the primary unit acts as the main shared licensing server, and the standby unit
acts as the main shared licensing server after failover. The standby unit does not act as the backup shared
licensing server. Instead, you can have a second pair of units acting as the backup server, if desired.
For example, you have a network with 2 failover pairs. Pair #1 includes the main licensing server. Pair #2
includes the backup server. When the primary unit from Pair #1 goes down, the standby unit immediately
becomes the new main licensing server. The backup server from Pair #2 never gets used. Only if both units
in Pair #1 go down does the backup server in Pair #2 come into use as the shared licensing server. If Pair #1
remains down, and the primary unit in Pair #2 goes down, then the standby unit in Pair #2 comes into use as
the shared licensing server (see the following figure).

Figure 6: Failover and Shared License Servers

The standby backup server shares the same operating limits as the primary backup server; if the standby unit
becomes active, it continues counting down where the primary unit left off.
Related Topics
About the Shared Licensing Backup Server, on page 68

Failover and Shared License Participants


For participant pairs, both units register with the shared licensing server using separate participant IDs. The
active unit syncs its participant ID with the standby unit. The standby unit uses this ID to generate a transfer
request when it switches to the active role. This transfer request is used to move the shared sessions from the
previously active unit to the new active unit.

Maximum Number of Participants


The ASA does not limit the number of participants for the shared license; however, a very large shared network
could potentially affect the performance on the licensing server. In this case, you can increase the delay
between participant refreshes, or you can create two shared networks.

Configure the Shared Licensing Server


This section describes how to configure the ASA to be a shared licensing server.

Before you begin


The server must have a shared licensing server key.

Procedure

Step 1 Set the shared secret:


license-server secret secret
Example:

ciscoasa(config)# license-server secret farscape

The secret is a string of 4 to 128 ASCII characters. Any participant that presents this secret can draw
sessions from the licensing server, so treat it as a credential: choose a long, random value rather than a
short word like the one in the example, and distribute it only to the intended participants.

Step 2 (Optional) Set the refresh interval:


license-server refresh-interval seconds
Example:

ciscoasa(config)# license-server refresh-interval 100

The interval is between 10 and 300 seconds; this value is provided to participants to set how often they should
communicate with the server. The default is 30 seconds.

Step 3 (Optional) Set the port on which the server listens for SSL connections from participants:
license-server port port
Example:

ciscoasa(config)# license-server port 40000

The port is between 1 and 65535. The default is TCP port 50554.

Step 4 (Optional) Identify the backup server IP address and serial number:
license-server backup address backup-id serial_number [ha-backup-id ha_serial_number]
Example:

ciscoasa(config)# license-server backup 10.1.1.2 backup-id JMX0916L0Z4 ha-backup-id JMX1378N0W3

If the backup server is part of a failover pair, identify the standby unit serial number as well. You can only
identify 1 backup server and its optional standby unit.

Step 5 Enable this unit to be the shared licensing server:


license-server enable interface_name
Example:

ciscoasa(config)# license-server enable inside

Specify the interface on which participants contact the server. You can repeat this command for as many
interfaces as desired.

Examples
The following example sets the shared secret, changes the refresh interval and port, configures a
backup server, and enables this unit as the shared licensing server on the inside interface and dmz
interface:

ciscoasa(config)# license-server secret farscape
ciscoasa(config)# license-server refresh-interval 100
ciscoasa(config)# license-server port 40000
ciscoasa(config)# license-server backup 10.1.1.2 backup-id JMX0916L0Z4 ha-backup-id JMX1378N0W3
ciscoasa(config)# license-server enable inside
ciscoasa(config)# license-server enable dmz

Configure the Shared Licensing Backup Server (Optional)


This section describes how to configure a shared license participant to act as the backup server if the main server goes down.

Before you begin


The backup server must have a shared licensing participant key.

Procedure

Step 1 Identify the shared licensing server IP address and shared secret:
license-server address address secret secret [port port]
Example:

ciscoasa(config)# license-server address 10.1.1.1 secret farscape

If you changed the default port in the server configuration, set the port for the backup server to match.

Step 2 Enable this unit to be the shared licensing backup server:


license-server backup enable interface_name
Example:

ciscoasa(config)# license-server backup enable inside

Specify the interface on which participants contact the server. You can repeat this command for as many
interfaces as desired.

Examples
The following example identifies the license server and shared secret, and enables this unit as the
backup shared license server on the inside interface and dmz interface:

ciscoasa(config)# license-server address 10.1.1.1 secret farscape
ciscoasa(config)# license-server backup enable inside
ciscoasa(config)# license-server backup enable dmz

Configure the Shared Licensing Participant


This section configures a shared licensing participant to communicate with the shared licensing server.

Before you begin


The participant must have a shared licensing participant key.

Procedure

Step 1 Identify the shared licensing server IP address and shared secret:
license-server address address secret secret [port port]
Example:

ciscoasa(config)# license-server address 10.1.1.1 secret farscape

If you changed the default port in the server configuration, set the port for the participant to match.

Step 2 (Optional) If you configured a backup server, enter the backup server address:
license-server backup address address
Example:

ciscoasa(config)# license-server backup address 10.1.1.2

Examples
The following example sets the license server IP address and shared secret, as well as the backup
license server IP address:

ciscoasa(config)# license-server address 10.1.1.1 secret farscape
ciscoasa(config)# license-server backup address 10.1.1.2

Supported Feature Licenses Per Model


This section describes the licenses available for each model as well as important notes about licenses.

Licenses Per Model


This section lists the feature licenses available for each model:
Entries marked "Optional license" (shown in italics in the printed guide) are separate, optional licenses that
can replace the Base (or Security Plus, and so on) license version. You can mix and match optional licenses.

Note Some features are incompatible with each other. See the individual feature chapters for compatibility
information.
If you have a No Payload Encryption model, then some of the features below are not supported. See No
Payload Encryption Models, on page 59 for a list of unsupported features.

For detailed information about licenses, see License Notes, on page 52.

ASA 5506-X and ASA 5506W-X License Features


The following table shows the licensed features for the ASA 5506-X and ASA 5506W-X.

Licenses                            | Base License                                                   | Security Plus License
Firewall Licenses
Botnet Traffic Filter               | No support                                                     | No support
Firewall Conns, Concurrent          | 20,000                                                         | 50,000
Carrier                             | No support                                                     | No support
Total TLS Proxy Sessions            | 160                                                            | 160
VPN Licenses
AnyConnect peers                    | Disabled. Optional AnyConnect Plus or Apex license: 50 maximum | Disabled. Optional AnyConnect Plus or Apex license: 50 maximum
Other VPN Peers                     | 10                                                             | 50
Total VPN Peers, combined all types | 50                                                             | 50
VPN Load Balancing                  | No support                                                     | No support
General Licenses
Encryption                          | Base (DES). Optional license: Strong (3DES/AES)                | Base (DES). Optional license: Strong (3DES/AES)
Failover                            | No support                                                     | Active/Standby
Security Contexts                   | No support                                                     | No support
Clustering                          | No support                                                     | No support
VLANs, Maximum                      | 5                                                              | 30

ASA 5506H-X License Features


The following table shows the licensed features for the ASA 5506H-X.

Licenses                                                                  | Base License
Firewall Licenses
Botnet Traffic Filter                                                     | No support
Firewall Conns, Concurrent                                                | 50,000
Carrier                                                                   | No support
Total UC Proxy Sessions                                                   | 160
VPN Licenses
AnyConnect Plus or Apex license (purchased separately), maximum premium peers | 50
Total VPN Peers, combined all types                                       | 50
Other VPN Peers                                                           | 50
VPN Load Balancing                                                        | Enabled
General Licenses
Encryption                                                                | Base (DES). Optional license: Strong (3DES/AES)
Failover                                                                  | Active/Standby or Active/Active
Security Contexts                                                         | No support
Clustering                                                                | No support
VLANs, Maximum                                                            | 30

ASA 5508-X License Features


The following table shows the licensed features for the ASA 5508-X.

Licenses                            | Base License
Firewall Licenses
Botnet Traffic Filter               | No support
Firewall Conns, Concurrent          | 100,000
Carrier                             | No support
Total TLS Proxy Sessions            | 320
VPN Licenses
AnyConnect peers                    | Disabled. Optional AnyConnect Plus or Apex license: 100 maximum
Total VPN Peers, combined all types | 100
Other VPN Peers                     | 100
VPN Load Balancing                  | Enabled
General Licenses
Encryption                          | Base (DES). Optional license: Strong (3DES/AES)
Failover                            | Active/Standby or Active/Active
Security Contexts                   | 2. Optional licenses: 5
Clustering                          | No support
VLANs, Maximum                      | 50

ASA 5512-X License Features


The following table shows the licensed features for the ASA 5512-X.

Licenses                            | Base License                                                    | Security Plus License
Firewall Licenses
Botnet Traffic Filter               | Disabled. Optional time-based license: Available                | Disabled. Optional time-based license: Available
Firewall Conns, Concurrent          | 100,000                                                         | 250,000
Carrier                             | No support                                                      | No support
Total TLS Proxy Sessions            | 2. Optional licenses: 24, 50, 100, 250, 500                     | 2. Optional licenses: 24, 50, 100, 250, 500
VPN Licenses
AnyConnect peers                    | Disabled. Optional AnyConnect Plus or Apex license: 250 maximum | Disabled. Optional AnyConnect Plus or Apex license: 250 maximum
Other VPN Peers                     | 250                                                             | 250
Total VPN Peers, combined all types | 250                                                             | 250
VPN Load Balancing                  | No support                                                      | Enabled
General Licenses
Encryption                          | Base (DES). Optional license: Strong (3DES/AES)                 | Base (DES). Optional license: Strong (3DES/AES)
Failover                            | No support                                                      | Active/Standby or Active/Active
Security Contexts                   | No support                                                      | 2. Optional licenses: 5
Clustering                          | No support                                                      | 2
IPS Module                          | Disabled. Optional license: Available                           | Disabled. Optional license: Available
VLANs, Maximum                      | 50                                                              | 100

ASA 5515-X License Features


The following table shows the licensed features for the ASA 5515-X.

Licenses                            | Base License
Firewall Licenses
Botnet Traffic Filter               | Disabled. Optional time-based license: Available
Firewall Conns, Concurrent          | 250,000
Carrier                             | No support
Total TLS Proxy Sessions            | 2. Optional licenses: 24, 50, 100, 250, 500
VPN Licenses
AnyConnect peers                    | Disabled. Optional AnyConnect Plus or Apex license: 250 maximum
Other VPN Peers                     | 250
Total VPN Peers, combined all types | 250
VPN Load Balancing                  | Enabled
General Licenses
Encryption                          | Base (DES). Optional license: Strong (3DES/AES)
Failover                            | Active/Standby or Active/Active
Security Contexts                   | 2. Optional licenses: 5
Clustering                          | 2
IPS Module                          | Disabled. Optional license: Available
VLANs, Maximum                      | 100

ASA 5516-X License Features


The following table shows the licensed features for the ASA 5516-X.

Licenses                            | Base License
Firewall Licenses
Botnet Traffic Filter               | No support
Firewall Conns, Concurrent          | 250,000
Carrier                             | No support
Total TLS Proxy Sessions            | 1000
VPN Licenses
AnyConnect peers                    | Disabled. Optional AnyConnect Plus or Apex license: 300 maximum
Other VPN Peers                     | 300
Total VPN Peers, combined all types | 300
VPN Load Balancing                  | Enabled
General Licenses
Encryption                          | Base (DES). Optional license: Strong (3DES/AES)
Failover                            | Active/Standby or Active/Active
Security Contexts                   | 2. Optional licenses: 5
Clustering                          | 2
VLANs, Maximum                      | 150

ASA 5525-X License Features


The following table shows the licensed features for the ASA 5525-X.

Licenses                            | Base License
Firewall Licenses
Botnet Traffic Filter               | Disabled. Optional time-based license: Available
Firewall Conns, Concurrent          | 500,000
Carrier                             | Disabled. Optional license: Available
Total TLS Proxy Sessions            | 2. Optional licenses: 24, 50, 100, 250, 500, 750, 1000
VPN Licenses
AnyConnect peers                    | Disabled. Optional AnyConnect Plus or Apex license: 750 maximum
Other VPN Peers                     | 750
Total VPN Peers, combined all types | 750
VPN Load Balancing                  | Enabled
General Licenses
Encryption                          | Base (DES). Optional license: Strong (3DES/AES)
Failover                            | Active/Standby or Active/Active
Security Contexts                   | 2. Optional licenses: 5, 10, 20
Clustering                          | 2
IPS Module                          | Disabled. Optional license: Available
VLANs, Maximum                      | 200

ASA 5545-X License Features


The following table shows the licensed features for the ASA 5545-X.

Licenses                            | Base License
Firewall Licenses
Botnet Traffic Filter               | Disabled. Optional time-based license: Available
Firewall Conns, Concurrent          | 750,000
Carrier                             | Disabled. Optional license: Available
Total TLS Proxy Sessions            | 2. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000
VPN Licenses
AnyConnect peers                    | Disabled. Optional AnyConnect Plus or Apex license: 2500 maximum
Other VPN Peers                     | 2500
Total VPN Peers, combined all types | 2500
VPN Load Balancing                  | Enabled
General Licenses
Encryption                          | Base (DES). Optional license: Strong (3DES/AES)
Failover                            | Active/Standby or Active/Active
Security Contexts                   | 2. Optional licenses: 5, 10, 20, 50
Clustering                          | 2
IPS Module                          | Disabled. Optional license: Available
VLANs, Maximum                      | 300

ASA 5555-X License Features


The following table shows the licensed features for the ASA 5555-X.

Licenses                              Base License
Firewall Licenses
Botnet Traffic Filter                 Disabled; Optional Time-based license: Available
Firewall Conns, Concurrent            1,000,000
Carrier                               Disabled; Optional license: Available
Total TLS Proxy Sessions              2; Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000
VPN Licenses
AnyConnect peers                      Disabled; Optional AnyConnect Plus or Apex license: 5000 maximum
Other VPN Peers                       5000
Total VPN Peers, combined all types   5000
VPN Load Balancing                    Enabled
General Licenses
Encryption                            Base (DES); Optional license: Strong (3DES/AES)
Failover                              Active/Standby or Active/Active
Security Contexts                     2; Optional licenses: 5, 10, 20, 50, 100
Clustering                            2
IPS Module                            Disabled; Optional license: Available
VLANs, Maximum                        500

ASA 5585-X with SSP-10 License Features


The following table shows the licensed features for the ASA 5585-X with SSP-10.
You can use two SSPs of the same level in the same chassis. Mixed-level SSPs are not supported (for example,
an SSP-10 with an SSP-20 is not supported). Each SSP acts as an independent device, with separate
configurations and management. You can use the two SSPs as a failover pair if desired.

Licenses                              Base and Security Plus Licenses
Firewall Licenses
Botnet Traffic Filter                 Disabled; Optional Time-based license: Available
Firewall Conns, Concurrent            1,000,000
Carrier                               Disabled; Optional license: Available
Total TLS Proxy Sessions              2; Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000
VPN Licenses
AnyConnect peers                      Disabled; Optional AnyConnect Plus or Apex license: 5000 maximum
Other VPN Peers                       5000
Total VPN Peers, combined all types   5000
VPN Load Balancing                    Enabled
General Licenses
10 GE I/O                             Base License: Disabled; fiber ifcs run at 1 GE. Security Plus License: Enabled; fiber ifcs run at 10 GE
Encryption                            Base (DES); Optional license: Strong (3DES/AES)
Failover                              Active/Standby or Active/Active
Security Contexts                     2; Optional licenses: 5, 10, 20, 50, 100
Clustering                            Disabled; Optional license: Available for 16 units
VLANs, Maximum                        1024

ASA 5585-X with SSP-20 License Features


The following table shows the licensed features for the ASA 5585-X with SSP-20.
You can use two SSPs of the same level in the same chassis. Mixed-level SSPs are not supported (for example,
an SSP-20 with an SSP-40 is not supported). Each SSP acts as an independent device, with separate
configurations and management. You can use the two SSPs as a failover pair if desired.

Note With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of
Phone Proxy sessions is 5000.

Licenses                              Base and Security Plus Licenses
Firewall Licenses
Botnet Traffic Filter                 Disabled; Optional Time-based license: Available
Firewall Conns, Concurrent            2,000,000
Carrier                               Disabled; Optional license: Available
Total TLS Proxy Sessions              2; Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000, 5000, 10,000
VPN Licenses
AnyConnect peers                      Disabled; Optional AnyConnect Plus or Apex license: 10,000 maximum
Other VPN Peers                       10,000
Total VPN Peers, combined all types   10,000
VPN Load Balancing                    Enabled
General Licenses
10 GE I/O                             Base License: Disabled; fiber ifcs run at 1 GE. Security Plus License: Enabled; fiber ifcs run at 10 GE
Encryption                            Base (DES); Optional license: Strong (3DES/AES)
Failover                              Active/Standby or Active/Active
Security Contexts                     2; Optional licenses: 5, 10, 20, 50, 100, 250
Clustering                            Disabled; Optional license: Available for 16 units
VLANs, Maximum                        1024

ASA 5585-X with SSP-40 and -60 License Features


The following table shows the licensed features for the ASA 5585-X with SSP-40 and -60.
You can use two SSPs of the same level in the same chassis. Mixed-level SSPs are not supported (for example,
an SSP-40 with an SSP-60 is not supported). Each SSP acts as an independent device, with separate
configurations and management. You can use the two SSPs as a failover pair if desired.

Note With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of
Phone Proxy sessions is 5000.

Licenses                              Base License
Firewall Licenses
Botnet Traffic Filter                 Disabled; Optional Time-based license: Available
Firewall Conns, Concurrent            5585-X with SSP-40: 4,000,000; 5585-X with SSP-60: 10,000,000
Carrier                               Disabled; Optional license: Available
Total TLS Proxy Sessions              2; Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000, 5000, 10,000
VPN Licenses
AnyConnect peers                      Disabled; Optional AnyConnect Plus or Apex license: 10,000 maximum
Other VPN Peers                       10,000
Total VPN Peers, combined all types   10,000
VPN Load Balancing                    Enabled
General Licenses
10 GE I/O                             Enabled; fiber ifcs run at 10 GE
Encryption                            Base (DES); Optional license: Strong (3DES/AES)
Failover                              Active/Standby or Active/Active
Security Contexts                     2; Optional licenses: 5, 10, 20, 50, 100, 250
Clustering                            Disabled; Optional license: Available for 16 units
VLANs, Maximum                        1024

ASASM License Features


The following table shows the licensed features for the ASA Services Module.

Note With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of
Phone Proxy sessions is 5000.

Licenses                              Base License
Firewall Licenses
Botnet Traffic Filter                 Disabled; Optional Time-based license: Available
Firewall Conns, Concurrent            10,000,000
Carrier                               Disabled; Optional license: Available
Total TLS Proxy Sessions              2; Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000, 5000, 10,000
VPN Licenses
AnyConnect peers                      Disabled; Optional AnyConnect Plus or Apex license: 10,000 maximum
Other VPN Peers                       10,000
Total VPN Peers, combined all types   10,000
VPN Load Balancing                    Enabled
General Licenses
Encryption                            Base (DES); Optional license: Strong (3DES/AES)
Failover                              Active/Standby or Active/Active
Security Contexts                     2; Optional licenses: 5, 10, 20, 50, 100, 250
Clustering                            No support
VLANs, Maximum                        1000

ISA 3000 License Features


The following table shows the licensed features for the ISA 3000.

Licenses                              Base License                                                      Security Plus License
Firewall Licenses
Botnet Traffic Filter                 No support                                                        No support
Firewall Conns, Concurrent            20,000                                                            50,000
Carrier                               No support                                                        No support
Total TLS Proxy Sessions              160                                                               160
VPN Licenses
AnyConnect peers                      Disabled; Optional AnyConnect Plus or Apex license: 25 maximum    Disabled; Optional AnyConnect Plus or Apex license: 25 maximum
Other VPN Peers                       10                                                                50
Total VPN Peers, combined all types   25                                                                50
VPN Load Balancing                    No support                                                        No support
General Licenses
Encryption                            Base (DES); Opt. lic.: Strong (3DES/AES)                          Base (DES); Opt. lic.: Strong (3DES/AES)
Failover                              No support                                                        Active/Standby
Security Contexts                     No support                                                        No support
Clustering                            No support                                                        No support
VLANs, Maximum                        5                                                                 25

Monitoring PAK Licenses


This section describes how to view license information.

Viewing Your Current License


This section describes how to view your current license, and for time-based activation keys, how much time
the license has left.

Before you begin


If you have a No Payload Encryption model, then when you view the license, the VPN and Unified Communications
licenses will not be listed. See No Payload Encryption Models, on page 59 for more information.

Procedure

Show the permanent license, active time-based licenses, and the running license, which is a combination of
the permanent license and active time-based licenses:
show activation-key [detail]
The detail keyword also shows inactive time-based licenses.
For failover or cluster units, this command also shows the “cluster” license, which is the combined keys of
all units.

Examples
Example 1: Standalone Unit Output for the show activation-key command
The following is sample output from the show activation-key command for a standalone unit that
shows the running license (the combined permanent license and time-based licenses), as well as each
active time-based license:

ciscoasa# show activation-key

Serial Number: JMX1232L11M


Running Permanent Activation Key: 0xce06dc6b 0x8a7b5ab7 0xa1e21dd4 0xd2c4b8b8 0xc4594f9c

Running Timebased Activation Key: 0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285


Running Timebased Activation Key: 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2

Licensed features for this platform:


Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 10 perpetual
GTP/GPRS : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Enabled perpetual
Shared AnyConnect Premium Peers : 12000 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 12 62 days
Total UC Proxy Sessions : 12 62 days
Botnet Traffic Filter : Enabled 646 days
Intercompany Media Engine : Disabled perpetual

This platform has a Base license.

The flash permanent activation key is the SAME as the running permanent key.

Active Timebased Activation Key:


0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
Botnet Traffic Filter : Enabled 646 days

0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2


Total UC Proxy Sessions : 10 62 days

Example 2: Standalone Unit Output for show activation-key detail


The following is sample output from the show activation-key detail command for a standalone unit
that shows the running license (the combined permanent license and time-based licenses), as well
as the permanent license and each installed time-based license (active and inactive):

ciscoasa# show activation-key detail

Serial Number: 88810093382


Running Permanent Activation Key: 0xce06dc6b 0x8a7b5ab7 0xa1e21dd4 0xd2c4b8b8 0xc4594f9c
Running Timebased Activation Key: 0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285

Licensed features for this platform:


Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual

AnyConnect for Mobile : Disabled perpetual


AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Enabled 39 days
Intercompany Media Engine : Disabled perpetual

This platform has an ASA 5512-X Security Plus license.

Running Permanent Activation Key: 0xce06dc6b 0x8a7b5ab7 0xa1e21dd4 0xd2c4b8b8 0xc4594f9c

Licensed features for this platform:


Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Enabled 39 days
Intercompany Media Engine : Disabled perpetual

The flash permanent activation key is the SAME as the running permanent key.

Active Timebased Activation Key:


0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
Botnet Traffic Filter : Enabled 39 days

Inactive Timebased Activation Key:


0xyadayada3 0xyadayada3 0xyadayada3 0xyadayada3 0xyadayada3
AnyConnect Premium Peers : 25 7 days

Example 3: Primary Unit Output in a Failover Pair for show activation-key detail
The following is sample output from the show activation-key detail command for the primary
failover unit that shows:
• The primary unit license (the combined permanent license and time-based licenses).
• The “Failover Cluster” license, which is the combined licenses from the primary and secondary
units. This is the license that is actually running on the ASA. The values in this license that
reflect the combination of the primary and secondary licenses are in bold.
• The primary unit permanent license.
• The primary unit installed time-based licenses (active and inactive).

ciscoasa# show activation-key detail

Serial Number: P3000000171

Running Permanent Activation Key: 0xce06dc6b 0x8a7b5ab7 0xa1e21dd4 0xd2c4b8b8 0xc4594f9c


Running Timebased Activation Key: 0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285

Licensed features for this platform:


Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 12 perpetual
GTP/GPRS : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Enabled 33 days
Intercompany Media Engine : Disabled perpetual

This platform has an ASA 5520 VPN Plus license.

Failover cluster licensed features for this platform:


Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 12 perpetual
GTP/GPRS : Enabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 4 perpetual
Total UC Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Enabled 33 days
Intercompany Media Engine : Disabled perpetual

This platform has an ASA 5520 VPN Plus license.

Running Permanent Activation Key: 0xce06dc6b 0x8a7b5ab7 0xa1e21dd4 0xd2c4b8b8 0xc4594f9c

Licensed features for this platform:


Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Disabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual

Other VPN Peers : 750 perpetual


Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual

The flash permanent activation key is the SAME as the running permanent key.

Active Timebased Activation Key:


0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
Botnet Traffic Filter : Enabled 33 days

Inactive Timebased Activation Key:


0xyadayad3 0xyadayad3 0xyadayad3 0xyadayad3 0xyadayad3
Security Contexts : 2 7 days
AnyConnect Premium Peers : 100 7 days

0xyadayad4 0xyadayad4 0xyadayad4 0xyadayad4 0xyadayad4


Total UC Proxy Sessions : 100 14 days

Example 4: Secondary Unit Output in a Failover Pair for show activation-key detail
The following is sample output from the show activation-key detail command for the secondary
failover unit that shows:
• The secondary unit license (the combined permanent license and time-based licenses).
• The “Failover Cluster” license, which is the combined licenses from the primary and secondary
units. This is the license that is actually running on the ASA. The values in this license that
reflect the combination of the primary and secondary licenses are in bold.
• The secondary unit permanent license.
• The secondary installed time-based licenses (active and inactive). This unit does not have any
time-based licenses, so none display in this sample output.

ciscoasa# show activation-key detail

Serial Number: P3000000011


Running Activation Key: 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1

Licensed features for this platform:


Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Disabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual

AnyConnect for Cisco VPN Phone : Disabled perpetual


Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual

This platform has an ASA 5520 VPN Plus license.

Failover cluster licensed features for this platform:


Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 10 perpetual
GTP/GPRS : Enabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 4 perpetual
Total UC Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Enabled 33 days
Intercompany Media Engine : Disabled perpetual

This platform has an ASA 5520 VPN Plus license.

Running Permanent Activation Key: 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1

Licensed features for this platform:


Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Disabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual

The flash permanent activation key is the SAME as the running permanent key.

Example 5: Primary Unit Output for the ASA Services Module in a Failover Pair for show activation-key

The following is sample output from the show activation-key command for the primary failover
unit that shows:
• The primary unit license (the combined permanent license and time-based licenses).
• The “Failover Cluster” license, which is the combined licenses from the primary and secondary
units. This is the license that is actually running on the ASA. The values in this license that
reflect the combination of the primary and secondary licenses are in bold.
• The primary unit installed time-based licenses (active and inactive).

ciscoasa# show activation-key

Serial Number: SAL144705BF


Running Permanent Activation Key: 0x4d1ed752 0xc8cfeb37 0xf4c38198 0x93c04c28 0x4a1c049a
Running Timebased Activation Key: 0xbc07bbd7 0xb15591e0 0xed68c013 0xd79374ff 0x44f87880

Licensed features for this platform:


Maximum Interfaces : 1024 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
DES : Enabled perpetual
3DES-AES : Enabled perpetual
Security Contexts : 25 perpetual
GTP/GPRS : Enabled perpetual
Botnet Traffic Filter : Enabled 330 days

This platform has an WS-SVC-ASA-SM1 No Payload Encryption license.

Failover cluster licensed features for this platform:


Maximum Interfaces : 1024 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
DES : Enabled perpetual
3DES-AES : Enabled perpetual
Security Contexts : 50 perpetual
GTP/GPRS : Enabled perpetual
Botnet Traffic Filter : Enabled 330 days
This platform has an WS-SVC-ASA-SM1 No Payload Encryption license.

The flash permanent activation key is the SAME as the running permanent key.

Active Timebased Activation Key:


0xbc07bbd7 0xb15591e0 0xed68c013 0xd79374ff 0x44f87880
Botnet Traffic Filter : Enabled 330 days

Example 6: Secondary Unit Output for the ASA Services Module in a Failover Pair for show activation-key
The following is sample output from the show activation-key command for the secondary failover
unit that shows:
• The secondary unit license (the combined permanent license and time-based licenses).
• The “Failover Cluster” license, which is the combined licenses from the primary and secondary
units. This is the license that is actually running on the ASA. The values in this license that
reflect the combination of the primary and secondary licenses are in bold.

• The secondary installed time-based licenses (active and inactive). This unit does not have any
time-based licenses, so none display in this sample output.

ciscoasa# show activation-key detail

Serial Number: SAD143502E3


Running Permanent Activation Key: 0xf404c46a 0xb8e5bd84 0x28c1b900 0x92eca09c 0x4e2a0683

Licensed features for this platform:


Maximum Interfaces : 1024 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
DES : Enabled perpetual
3DES-AES : Enabled perpetual
Security Contexts : 25 perpetual
GTP/GPRS : Disabled perpetual
Botnet Traffic Filter : Disabled perpetual

This platform has an WS-SVC-ASA-SM1 No Payload Encryption license.

Failover cluster licensed features for this platform:


Maximum Interfaces : 1024 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
DES : Enabled perpetual
3DES-AES : Enabled perpetual
Security Contexts : 50 perpetual
GTP/GPRS : Enabled perpetual
Botnet Traffic Filter : Enabled 330 days

This platform has an WS-SVC-ASA-SM1 No Payload Encryption license.

The flash permanent activation key is the SAME as the running permanent key.

Example 7: Output in a Cluster for show activation-key

ciscoasa# show activation-key


Serial Number: JMX1504L2TD
Running Permanent Activation Key: 0x4a3eea7b 0x54b9f61a 0x4143a90c 0xe5849088 0x4412d4a9

Licensed features for this platform:


Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual

Intercompany Media Engine : Disabled perpetual


Cluster : Enabled perpetual

This platform has an ASA 5585-X base license.

Failover cluster licensed features for this platform:


Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 4 perpetual
Total UC Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Enabled perpetual

This platform has an ASA 5585-X base license.

The flash permanent activation key is the SAME as the running permanent key.
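
The outputs above are what an operator reads by hand; for continuous monitoring the same text has to be parsed. The following Python script is an added example and is not part of the Cisco guide: it parses show activation-key output (a constructed sample in the layout of Example 3, with placeholder activation keys), lists time-based entitlements that are close to expiry, reports the entries where the "Failover Cluster" license differs from the unit's own license (the values the examples print in bold), and flags configured resource counts that exceed a licensed limit. The function names, the sample text, the section-name mapping and the thresholds are assumptions of this example, not part of the ASA software.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of the guide's failover-pair output
# (Example 3). The activation keys are placeholders, not real values.
SAMPLE_OUTPUT = """\
ciscoasa# show activation-key detail

Serial Number: P3000000171

Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Running Timebased Activation Key: 0x11111111 0x11111111 0x11111111 0x11111111 0x11111111

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited      perpetual
Maximum VLANs                  : 150            perpetual
Security Contexts              : 12             perpetual
AnyConnect Premium Peers       : 2              perpetual
Botnet Traffic Filter          : Enabled        33 days

This platform has an ASA 5520 VPN Plus license.

Failover cluster licensed features for this platform:
Maximum Physical Interfaces    : Unlimited      perpetual
Maximum VLANs                  : 150            perpetual
Security Contexts              : 12             perpetual
AnyConnect Premium Peers       : 4              perpetual
Botnet Traffic Filter          : Enabled        33 days

The flash permanent activation key is the SAME as the running permanent key.
"""

# "<feature> : <value> <perpetual | N days | other term>"
FEATURE_RE = re.compile(r"^(?P<name>.+?)\s+:\s+(?P<value>\S+)\s+(?P<term>.+?)\s*$")
DAYS_RE = re.compile(r"^(\d+) days$")

# Section headings as the ASA prints them (assumed mapping). "Licensed features"
# recurs for the permanent license in the detail form; handled in the parser.
SECTION_HEADINGS = {
    "Licensed features for this platform:": "running",
    "Failover cluster licensed features for this platform:": "cluster",
    "Active Timebased Activation Key:": "active_timebased",
    "Inactive Timebased Activation Key:": "inactive_timebased",
}


@dataclass
class Feature:
    value: str
    days_left: Optional[int]  # None for perpetual (or any non-expiring term)


def parse_activation_key(text: str) -> dict:
    """Parse show activation-key output into per-section feature tables."""
    report = {"serial": None, "flash_matches_running": False, "sections": {}}
    section, seen_running = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Serial Number:"):
            report["serial"] = line.split(":", 1)[1].strip()
        elif line in SECTION_HEADINGS:
            section = SECTION_HEADINGS[line]
            if section == "running":
                section = "permanent" if seen_running else "running"
                seen_running = True
            report["sections"].setdefault(section, {})
        elif "activation key is the SAME as the running" in line:
            report["flash_matches_running"] = True
        elif section and "Activation Key" not in line:
            m = FEATURE_RE.match(line)
            if m:
                d = DAYS_RE.match(m.group("term"))
                report["sections"][section][m.group("name")] = Feature(
                    m.group("value"), int(d.group(1)) if d else None)
    return report


def expiring_features(report: dict, threshold_days: int) -> List[Tuple[str, str, int]]:
    """Time-based entitlements that lapse within threshold_days."""
    return [(sec, name, f.days_left)
            for sec, feats in report["sections"].items()
            for name, f in feats.items()
            if f.days_left is not None and f.days_left <= threshold_days]


def cluster_delta(report: dict) -> Dict[str, Tuple[str, str]]:
    """Features whose failover-cluster value differs from this unit's own
    running value (the entries the guide's examples print in bold)."""
    unit = report["sections"].get("running", {})
    cluster = report["sections"].get("cluster", {})
    return {name: (unit[name].value, f.value) for name, f in cluster.items()
            if name in unit and unit[name].value != f.value}


def over_limit(report: dict, configured: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Configured counts that exceed a licensed numeric limit. On a failover
    pair the cluster license is the one in force, so it is preferred."""
    feats = report["sections"].get("cluster") or report["sections"].get("running", {})
    return [(name, used, int(feats[name].value)) for name, used in configured.items()
            if name in feats and feats[name].value.isdigit() and used > int(feats[name].value)]
```

On the sample, expiring_features(parse_activation_key(SAMPLE_OUTPUT), 60) returns the Botnet Traffic Filter entry from both the unit and the cluster section, cluster_delta reports AnyConnect Premium Peers as ("2", "4"), and over_limit with {"Security Contexts": 14} reports the 12-context limit; non-numeric limits such as Unlimited are skipped. In practice the text comes from the device (captured over SSH or from a scheduled show command), and a false flash_matches_running is worth an alert because it means the stored key and the running key have diverged.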

Monitoring the Shared License


To monitor the shared license, enter one of the following commands.
• show shared license [detail | client [hostname] | backup]
Shows shared license statistics. Optional keywords are available only for the licensing server: the detail
keyword shows statistics per participant. To limit the display to one participant, use the client keyword.
The backup keyword shows information about the backup server.
To clear the shared license statistics, enter the clear shared license command.
The following is sample output from the show shared license command on the license participant:

ciscoasa> show shared license


Primary License Server : 10.3.32.20
Version : 1
Status : Inactive

Shared license utilization:


SSLVPN:
Total for network : 5000
Available : 5000
Utilized : 0
This device:
Platform limit : 250
Current usage : 0
High usage : 0
Messages Tx/Rx/Error:

Registration : 0 / 0 / 0
Get : 0 / 0 / 0
Release : 0 / 0 / 0
Transfer : 0 / 0 / 0

The following is sample output from the show shared license detail command on the license server:

ciscoasa> show shared license detail


Backup License Server Info:

Device ID : ABCD
Address : 10.1.1.2
Registered : NO
HA peer ID : EFGH
Registered : NO
Messages Tx/Rx/Error:
Hello : 0 / 0 / 0
Sync : 0 / 0 / 0
Update : 0 / 0 / 0

Shared license utilization:


SSLVPN:
Total for network : 500
Available : 500
Utilized : 0
This device:
Platform limit : 250
Current usage : 0
High usage : 0
Messages Tx/Rx/Error:
Registration : 0 / 0 / 0
Get : 0 / 0 / 0
Release : 0 / 0 / 0
Transfer : 0 / 0 / 0

Client Info:

Hostname : 5540-A
Device ID : XXXXXXXXXXX
SSLVPN:
Current usage : 0
High : 0
Messages Tx/Rx/Error:
Registration : 1 / 1 / 0
Get : 0 / 0 / 0
Release : 0 / 0 / 0
Transfer : 0 / 0 / 0
...

• show activation-key
Shows the licenses installed on the ASA. The show version command also shows license information.
• show vpn-sessiondb
Shows license information about VPN sessions.
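
A health check over the participant form of show shared license, as an added example that is not part of the guide: it parses a constructed sample in the layout of the participant output above (the server address is the guide's sample value; the counters were chosen so that the checks have something to report) and returns findings for an Inactive status, a nearly exhausted shared pool, a device that has reached its platform limit, and any non-zero error counter. Function names, the Inactive string match and the headroom threshold are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of the guide's participant output. The
# counters are placeholders chosen so that the checks below report something.
SAMPLE_OUTPUT = """\
ciscoasa> show shared license

Primary License Server : 10.3.32.20
Version                : 1
Status                 : Inactive

Shared license utilization:
  SSLVPN:
    Total for network :  5000
    Available         :  4900
    Utilized          :   100
  This device:
    Platform limit    :   250
    Current usage     :    40
    High usage        :   120
  Messages Tx/Rx/Error:
    Registration      :     3 /     0 /     3
    Get               :     0 /     0 /     0
    Release           :     0 /     0 /     0
    Transfer          :     0 /     0 /     0
"""

# "<key> : <value>"; the value may be a "tx / rx / error" counter triple.
KV_RE = re.compile(r"^(?P<key>[A-Za-z][\w ]*?)\s*:\s*(?P<val>.*?)\s*$")
COUNTER_RE = re.compile(r"^(\d+)\s*/\s*(\d+)\s*/\s*(\d+)$")


def parse_shared_license(text: str) -> dict:
    """Split participant output into scalar fields and message counters."""
    fields: Dict[str, str] = {}
    counters: Dict[str, Tuple[int, ...]] = {}
    for raw in text.splitlines():
        m = KV_RE.match(raw.strip())
        if not m or not m.group("val"):
            continue  # prompt, blank lines and headings such as "SSLVPN:"
        key, val = m.group("key"), m.group("val")
        c = COUNTER_RE.match(val)
        if c:
            counters[key] = tuple(int(x) for x in c.groups())
        else:
            fields[key] = val
    return {"fields": fields, "counters": counters}


def assess(report: dict, min_free_pct: float = 10.0) -> List[str]:
    """Return human-readable findings; an empty list means healthy."""
    f, c = report["fields"], report["counters"]
    findings: List[str] = []
    # A participant that shows Inactive is not drawing peers from the pool.
    if f.get("Status") == "Inactive":
        findings.append("participant status is Inactive: not registered with "
                        f"server {f.get('Primary License Server', 'unknown')}")
    # Network-wide pool headroom (threshold is an assumed default).
    total = int(f.get("Total for network", 0))
    avail = int(f.get("Available", 0))
    if total and 100.0 * avail / total < min_free_pct:
        findings.append(f"shared pool nearly exhausted: {avail} of {total} peers available")
    # The platform limit caps this device regardless of pool headroom.
    limit = int(f.get("Platform limit", 0))
    high = int(f.get("High usage", 0))
    if limit and high >= limit:
        findings.append(f"device reached its platform limit of {limit} peers")
    # Any error count on the server protocol deserves a look.
    for msg, (tx, rx, err) in c.items():
        if err:
            findings.append(f"{msg}: {err} error(s) over {tx} sent / {rx} received")
    return findings
```

On the sample, assess(parse_shared_license(SAMPLE_OUTPUT)) returns two findings: the Inactive status and the three Registration errors. The server-side show shared license detail output repeats keys such as Current usage per client, so this parser is meant for the participant view; the detail view needs the Client Info blocks tracked separately.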

History for PAK Licenses


Feature Name Platform Releases Description

Increased Connections and VLANs 7.0(5) Increased the following limits:


• ASA5510 Base license connections
from 32000 to 5000; VLANs from 0
to 10.
• ASA5510 Security Plus license
connections from 64000 to 130000;
VLANs from 10 to 25.
• ASA5520 connections from 130000
to 280000; VLANs from 25 to 100.
• ASA5540 connections from 280000
to 400000; VLANs from 100 to 200.

SSL VPN Licenses 7.1(1) SSL VPN licenses were introduced.

Increased SSL VPN Licenses 7.2(1) A 5000-user SSL VPN license was
introduced for the ASA 5550 and above.

Increased interfaces for the Base license on 7.2(2) For the Base license on the ASA 5510, the
the ASA 5510 maximum number of interfaces was
increased from 3 plus a management
interface to unlimited interfaces.

Increased VLANs 7.2(2) The maximum number of VLANs for the


Security Plus license on the ASA 5505 was
increased from 5 (3 fully functional; 1
failover; one restricted to a backup
interface) to 20 fully functional interfaces.
In addition, the number of trunk ports was
increased from 1 to 8. Now there are 20
fully functional interfaces, you do not need
to use the backup interface command to
cripple a backup ISP interface; you can use
a fully functional interface for it. The
backup interface command is still useful
for an Easy VPN configuration.
VLAN limits were also increased for the
ASA 5510 (from 10 to 50 for the Base
license, and from 25 to 100 for the Security
Plus license), the ASA 5520 (from 100 to
150), the ASA 5550 (from 200 to 250).

CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6
100
Getting Started with the ASA
History for PAK Licenses

Feature Name Platform Releases Description

Feature Name: Gigabit Ethernet Support for the ASA 5510 Security Plus License
Platform Releases: 7.2(3)
Description: The ASA 5510 now supports Gigabit Ethernet (1000 Mbps) for the Ethernet 0/0 and 0/1 ports with the Security Plus license. In the Base license, they continue to be used as Fast Ethernet (100 Mbps) ports. Ethernet 0/2, 0/3, and 0/4 remain as Fast Ethernet ports for both licenses.
Note The interface names remain Ethernet 0/0 and Ethernet 0/1.
Use the speed command to change the speed on the interface and use the show interface command to see what speed is currently configured for each interface.

Feature Name: Advanced Endpoint Assessment License
Platform Releases: 8.0(2)
Description: The Advanced Endpoint Assessment license was introduced. As a condition for the completion of a Cisco AnyConnect or clientless SSL VPN connection, the remote computer scans for a greatly expanded collection of antivirus and antispyware applications, firewalls, operating systems, and associated updates. It also scans for any registry entries, filenames, and process names that you specify. It sends the scan results to the ASA. The ASA uses both the user login credentials and the computer scan results to assign a Dynamic Access Policy (DAP).
With an Advanced Endpoint Assessment License, you can enhance Host Scan by configuring an attempt to update noncompliant computers to meet version requirements.
Cisco can provide timely updates to the list of applications and versions that Host Scan supports in a package that is separate from Cisco Secure Desktop.

Feature Name: VPN Load Balancing for the ASA 5510
Platform Releases: 8.0(2)
Description: VPN load balancing is now supported on the ASA 5510 Security Plus license.

Feature Name: AnyConnect for Mobile License
Platform Releases: 8.0(3)
Description: The AnyConnect for Mobile license was introduced. It lets Windows mobile devices connect to the ASA using the AnyConnect client.

Feature Name: Time-based Licenses
Platform Releases: 8.0(4)/8.1(2)
Description: Support for time-based licenses was introduced.

Feature Name: Increased VLANs for the ASA 5580
Platform Releases: 8.1(2)
Description: The number of VLANs supported on the ASA 5580 was increased from 100 to 250.

Feature Name: Unified Communications Proxy Sessions license
Platform Releases: 8.0(4)
Description: The UC Proxy sessions license was introduced. Phone Proxy, Presence Federation Proxy, and Encrypted Voice Inspection applications use TLS proxy sessions for their connections. Each TLS proxy session is counted against the UC license limit. All of these applications are licensed under the UC Proxy umbrella, and can be mixed and matched.
This feature is not available in Version 8.1.

Feature Name: Botnet Traffic Filter License
Platform Releases: 8.2(1)
Description: The Botnet Traffic Filter license was introduced. The Botnet Traffic Filter protects against malware network activity by tracking connections to known bad domains and IP addresses.

Feature Name: AnyConnect Essentials License
Platform Releases: 8.2(1)
Description: The AnyConnect Essentials License was introduced. This license enables AnyConnect VPN client access to the ASA. This license does not support browser-based SSL VPN access or Cisco Secure Desktop. For these features, activate an AnyConnect Premium license instead of the AnyConnect Essentials license.
Note With the AnyConnect Essentials license, VPN users can use a Web browser to log in, and download and start (WebLaunch) the AnyConnect client.
The AnyConnect client software offers the same set of client features, whether it is enabled by this license or an AnyConnect Premium license.
The AnyConnect Essentials license cannot be active at the same time as the following licenses on a given ASA: AnyConnect Premium license (all types) or the Advanced Endpoint Assessment license. You can, however, run AnyConnect Essentials and AnyConnect Premium licenses on different ASAs in the same network.
By default, the ASA uses the AnyConnect Essentials license, but you can disable it to use other licenses by entering the webvpn command and then the no anyconnect-essentials command.

Feature Name: SSL VPN license changed to AnyConnect Premium SSL VPN Edition license
Platform Releases: 8.2(1)
Description: The SSL VPN license name was changed to the AnyConnect Premium SSL VPN Edition license.

Feature Name: Shared Licenses for SSL VPN
Platform Releases: 8.2(1)
Description: Shared licenses for SSL VPN were introduced. Multiple ASAs can share a pool of SSL VPN sessions on an as-needed basis.

Feature Name: Mobility Proxy application no longer requires Unified Communications Proxy license
Platform Releases: 8.2(2)
Description: The Mobility Proxy no longer requires the UC Proxy license.

Feature Name: 10 GE I/O license for the ASA 5585-X with SSP-20
Platform Releases: 8.2(3)
Description: We introduced the 10 GE I/O license for the ASA 5585-X with SSP-20 to enable 10-Gigabit Ethernet speeds for the fiber ports. The SSP-60 supports 10-Gigabit Ethernet speeds by default.
Note The ASA 5585-X is not supported in 8.3(x).

Feature Name: 10 GE I/O license for the ASA 5585-X with SSP-10
Platform Releases: 8.2(4)
Description: We introduced the 10 GE I/O license for the ASA 5585-X with SSP-10 to enable 10-Gigabit Ethernet speeds for the fiber ports. The SSP-40 supports 10-Gigabit Ethernet speeds by default.
Note The ASA 5585-X is not supported in 8.3(x).

Feature Name: Non-identical failover licenses
Platform Releases: 8.3(1)
Description: Failover licenses no longer need to be identical on each unit. The license used for both units is the combined license from the primary and secondary units.
We modified the following commands: show activation-key and show version.

Feature Name: Stackable time-based licenses
Platform Releases: 8.3(1)
Description: Time-based licenses are now stackable. In many cases, you might need to renew your time-based license and have a seamless transition from the old license to the new one. For features that are only available with a time-based license, it is especially important that the license not expire before you can apply the new license. The ASA allows you to stack time-based licenses so that you do not have to worry about the license expiring or about losing time on your licenses because you installed the new one early.

Feature Name: Intercompany Media Engine License
Platform Releases: 8.3(1)
Description: The IME license was introduced.

Feature Name: Multiple time-based licenses active at the same time
Platform Releases: 8.3(1)
Description: You can now install multiple time-based licenses, and have one license per feature active at a time.
We modified the following commands: show activation-key and show version.

Feature Name: Discrete activation and deactivation of time-based licenses
Platform Releases: 8.3(1)
Description: You can now activate or deactivate time-based licenses using a command.
We modified the following commands: activation-key [activate | deactivate].

Feature Name: AnyConnect Premium SSL VPN Edition license changed to AnyConnect Premium SSL VPN license
Platform Releases: 8.3(1)
Description: The AnyConnect Premium SSL VPN Edition license name was changed to the AnyConnect Premium SSL VPN license.

Feature Name: No Payload Encryption image for export
Platform Releases: 8.3(2)
Description: If you install the No Payload Encryption software on the ASA 5505 through 5550, then you disable Unified Communications, strong encryption VPN, and strong encryption management protocols.
Note This special image is only supported in 8.3(x); for No Payload Encryption support in 8.4(1) and later, you need to purchase a special hardware version of the ASA.

Feature Name: Increased contexts for the ASA 5550, 5580, and 5585-X
Platform Releases: 8.4(1)
Description: For the ASA 5550 and ASA 5585-X with SSP-10, the maximum number of contexts was increased from 50 to 100. For the ASA 5580 and 5585-X with SSP-20 and higher, the maximum was increased from 50 to 250.

Feature Name: Increased VLANs for the ASA 5580 and 5585-X
Platform Releases: 8.4(1)
Description: For the ASA 5580 and 5585-X, the maximum number of VLANs was increased from 250 to 1024.

Feature Name: Increased connections for the ASA 5580 and 5585-X
Platform Releases: 8.4(1)
Description: We increased the firewall connection limits:
• ASA 5580-20—1,000,000 to 2,000,000.
• ASA 5580-40—2,000,000 to 4,000,000.
• ASA 5585-X with SSP-10: 750,000 to 1,000,000.
• ASA 5585-X with SSP-20: 1,000,000 to 2,000,000.
• ASA 5585-X with SSP-40: 2,000,000 to 4,000,000.
• ASA 5585-X with SSP-60: 2,000,000 to 10,000,000.

Feature Name: AnyConnect Premium SSL VPN license changed to AnyConnect Premium license
Platform Releases: 8.4(1)
Description: The AnyConnect Premium SSL VPN license name was changed to the AnyConnect Premium license. The license information display was changed from “SSL VPN Peers” to “AnyConnect Premium Peers.”

Feature Name: Increased AnyConnect VPN sessions for the ASA 5580
Platform Releases: 8.4(1)
Description: The AnyConnect VPN session limit was increased from 5,000 to 10,000.

Feature Name: Increased Other VPN sessions for the ASA 5580
Platform Releases: 8.4(1)
Description: The other VPN session limit was increased from 5,000 to 10,000.

Feature Name: IPsec remote access VPN using IKEv2
Platform Releases: 8.4(1)
Description: IPsec remote access VPN using IKEv2 was added to the AnyConnect Essentials and AnyConnect Premium licenses.
Note The following limitation exists in our support for IKEv2 on the ASA: We currently do not support duplicate security associations.
IKEv2 site-to-site sessions were added to the Other VPN license (formerly IPsec VPN). The Other VPN license is included in the Base license.

Feature Name: No Payload Encryption hardware for export
Platform Releases: 8.4(1)
Description: For models available with No Payload Encryption (for example, the ASA 5585-X), the ASA software disables Unified Communications and VPN features, making the ASA available for export to certain countries.

Feature Name: Dual SSPs for SSP-20 and SSP-40
Platform Releases: 8.4(2)
Description: For SSP-40 and SSP-60, you can use two SSPs of the same level in the same chassis. Mixed-level SSPs are not supported (for example, an SSP-40 with an SSP-60 is not supported). Each SSP acts as an independent device, with separate configurations and management. You can use the two SSPs as a failover pair if desired. When using two SSPs in the chassis, VPN is not supported; note, however, that VPN has not been disabled.

Feature Name: IPS Module license for the ASA 5512-X through ASA 5555-X
Platform Releases: 8.6(1)
Description: The IPS SSP software module on the ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X requires the IPS module license.

Feature Name: Clustering license for the ASA 5580 and ASA 5585-X
Platform Releases: 9.0(1)
Description: A clustering license was added for the ASA 5580 and ASA 5585-X.

Feature Name: Support for VPN on the ASASM
Platform Releases: 9.0(1)
Description: The ASASM now supports all VPN features.

Feature Name: Unified communications support on the ASASM
Platform Releases: 9.0(1)
Description: The ASASM now supports all Unified Communications features.

Feature Name: ASA 5585-X Dual SSP support for the SSP-10 and SSP-20 (in addition to the SSP-40 and SSP-60); VPN support for Dual SSPs
Platform Releases: 9.0(1)
Description: The ASA 5585-X now supports dual SSPs using all SSP models (you can use two SSPs of the same level in the same chassis). VPN is now supported when using dual SSPs.

Feature Name: ASA 5500-X support for clustering
Platform Releases: 9.1(4)
Description: The ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X now support 2-unit clusters. Clustering for 2 units is enabled by default in the base license; for the ASA 5512-X, you need the Security Plus license.

Feature Name: Support for 16 cluster members for the ASA 5585-X
Platform Releases: 9.2(1)
Description: The ASA 5585-X now supports 16-unit clusters.

Feature Name: ASAv4 and ASAv30 Standard and Premium model licenses introduced
Platform Releases: 9.2(1)
Description: The ASAv was introduced with a simple licensing scheme: ASAv4 and ASAv30 permanent licenses in Standard or Premium levels. No add-on licenses are available.

CHAPTER 4
Licenses: Smart Software Licensing (ASAv, ASA on Firepower)
Cisco Smart Software Licensing lets you purchase and manage a pool of licenses centrally. Unlike product
authorization key (PAK) licenses, smart licenses are not tied to a specific serial number. You can easily deploy
or retire ASAs without having to manage each unit’s license key. Smart Software Licensing also lets you see
your license usage and needs at a glance.

Note Smart Software Licensing is only supported on the ASAv and ASA Firepower chassis. Other models use PAK
licenses. See About PAK Licenses, on page 49.

• About Smart Software Licensing, on page 109
• Prerequisites for Smart Software Licensing, on page 119
• Guidelines for Smart Software Licensing, on page 120
• Defaults for Smart Software Licensing, on page 120
• ASAv: Configure Smart Software Licensing, on page 120
• Firepower 4100/9300 Chassis: Configure Smart Software Licensing, on page 130
• Licenses Per Model, on page 132
• Monitoring Smart Software Licensing, on page 135
• History for Smart Software Licensing, on page 139

About Smart Software Licensing
This section describes how Smart Software Licensing works.

Smart Software Licensing for the ASA on the Firepower 4100/9300 Chassis
For the ASA on the Firepower 4100/9300 chassis, Smart Software Licensing configuration is split between
the Firepower 4100/9300 chassis supervisor and the ASA.
• Firepower 4100/9300 chassis—Configure all Smart Software Licensing infrastructure on the chassis,
including parameters for communicating with the License Authority. The Firepower 4100/9300 chassis
itself does not require any licenses to operate.


Note Inter-chassis clustering requires that you enable the same Smart Licensing method
on each chassis in the cluster.

• ASA Application—Configure all license entitlements in the ASA.

Smart Software Manager and Accounts
When you purchase 1 or more licenses for the device, you manage them in the Cisco Smart Software Manager:
https://software.cisco.com/#module/SmartLicensing
The Smart Software Manager lets you create a master account for your organization.

Note If you do not yet have an account, click the link to set up a new account.

By default, your licenses are assigned to the Default Virtual Account under your master account. As the
account administrator, you can optionally create additional virtual accounts; for example, you can create
accounts for regions, departments, or subsidiaries. Multiple virtual accounts let you more easily manage large
numbers of licenses and devices.

Offline Management
If your devices do not have internet access, and cannot register with the License Authority, you can configure
offline licensing.

Permanent License Reservation
If your devices cannot access the internet for security reasons, you can optionally request permanent licenses
for each ASA. Permanent licenses do not require periodic access to the License Authority. Like PAK licenses,
you will purchase a license and install the license key for the ASA. Unlike a PAK license, you obtain and
manage the licenses with the Smart Software Manager. You can easily switch between regular smart licensing
mode and permanent license reservation mode.
ASAv Permanent License Reservation
You can obtain a model-specific license that enables all features: Standard tier with the correct maximum
throughput for your model.
• ASAv5
• ASAv10
• ASAv30

You must choose the model level that you want to use during ASAv deployment. That model level determines
the license you request. If you later want to change the model level of a unit, you will have to return the current
license and request a new license at the correct model level. To change the model of an already deployed


ASAv, from the hypervisor you can change the vCPUs and DRAM settings to match the new model
requirements; see the ASAv quick start guide for these values.
If you stop using a license, you must return the license by generating a return code on the ASAv, and then
entering that code into the Smart Software Manager. Make sure you follow the return process correctly so
you do not pay for unused licenses.
Permanent license reservation is not supported for the Azure hypervisor.
Firepower 4100/9300 chassis Permanent License Reservation
You can obtain a license that enables all features: Standard tier with maximum Security Contexts and the
Carrier license. The license is managed on the Firepower 4100/9300 chassis, but you also need to request the
entitlements in the ASA configuration so that the ASA allows their use.
If you stop using a license, you must return the license by generating a return code on the Firepower 4100/9300
chassis, and then entering that code into the Smart Software Manager. Make sure you follow the return process
correctly so you do not pay for unused licenses.

Satellite Server
If your devices cannot access the internet for security reasons, you can optionally install a local Smart Software
Manager satellite server as a virtual machine (VM). The satellite provides a subset of Smart Software Manager
functionality, and allows you to provide essential licensing services for all your local devices. Only the satellite
needs to connect periodically to the main License Authority to sync your license usage. You can sync on a
schedule or you can sync manually.
You can perform the following functions on the satellite server:
• Activate or register a license
• View your company's licenses
• Transfer licenses between company entities

For more information, see Smart Software Manager satellite.

Licenses and Devices Managed per Virtual Account
Licenses and devices are managed per virtual account: only that virtual account’s devices can use the licenses
assigned to the account. If you need additional licenses, you can transfer an unused license from another
virtual account. You can also transfer devices between virtual accounts.
For the ASA on the Firepower 4100/9300 chassis—Only the chassis registers as a device, while the ASA
applications in the chassis request their own licenses. For example, for a Firepower 9300 chassis with 3 security
modules, the chassis counts as one device, but the modules use 3 separate licenses.

Evaluation License
ASAv
The ASAv does not support an evaluation mode. Before the ASAv registers with the Licensing Authority, it
operates in a severely rate-limited state.


Firepower 4100/9300 Chassis
The Firepower 4100/9300 chassis supports two types of evaluation license:
• Chassis-level evaluation mode—Before the Firepower 4100/9300 chassis registers with the Licensing
Authority, it operates for 90 days (total usage) in evaluation mode. The ASA cannot request specific
entitlements in this mode; only default entitlements are enabled. When this period ends, the Firepower
4100/9300 chassis becomes out-of-compliance.
• Entitlement-based evaluation mode—After the Firepower 4100/9300 chassis registers with the Licensing
Authority, you can obtain time-based evaluation licenses that can be assigned to the ASA. In the ASA,
you request entitlements as usual. When the time-based license expires, you need to either renew the
time-based license or obtain a permanent license.

Note You cannot receive an evaluation license for Strong Encryption (3DES/AES); you must register with the
License Authority and obtain a permanent license to receive the export-compliance token that enables the
Strong Encryption (3DES/AES) license.

Smart Software Manager Communication
This section describes how your device communicates with the Smart Software Manager.

Device Registration and Tokens
For each virtual account, you can create a registration token. This token is valid for 30 days by default. Enter
this token ID plus entitlement levels when you deploy each device, or when you register an existing device.
You can create a new token if an existing token is expired.

Note Firepower 4100/9300 chassis—Device registration is configured in the chassis, not on the ASA logical device.

At startup after deployment, or after you manually configure these parameters on an existing device, the device
registers with the Cisco License Authority. When the device registers with the token, the License Authority
issues an ID certificate for communication between the device and the License Authority. This certificate is
valid for 1 year, although it will be renewed every 6 months.

Periodic Communication with the License Authority
The device communicates with the License Authority every 30 days. If you make changes in the Smart Software
Manager, you can refresh the authorization on the device so the change takes place immediately. Or you can
wait for the device to communicate as scheduled.
You can optionally configure an HTTP proxy.

ASAv
The ASAv must have internet access either directly or through an HTTP proxy at least every 90 days. Normal
license communication occurs every 30 days, but with the grace period, your device will stay compliant for


up to 90 days without calling home. After the grace period, you should contact the Licensing Authority, or
your ASAv will be out-of-compliance.

Firepower 4100/9300
The Firepower 4100/9300 must have internet access either directly or through an HTTP proxy at least every
90 days. Normal license communication occurs every 30 days, but with the grace period, your device will
operate for up to 90 days without calling home. After the grace period, you must contact the Licensing
Authority, or you will not be able to make configuration changes to features requiring special licenses; operation
is otherwise unaffected.

Out-of-Compliance State
The device can become out of compliance in the following situations:
• Over-utilization—When the device uses unavailable licenses.
• License expiration—When a time-based license expires.
• Lack of communication—When the device cannot reach the Licensing Authority for re-authorization.

To verify whether your account is in, or approaching, an Out-of-Compliance state, you must compare the
entitlements currently in use by your device against those in your Smart Account.
In an out-of-compliance state, the device might be limited, depending on the model:
• ASAv—The ASAv is not affected.
• Firepower 4100/9300—You will not be able to make configuration changes to features requiring special
licenses, but operation is otherwise unaffected. For example, existing contexts over the Standard license
limit can continue to run, and you can modify their configuration, but you will not be able to add a new
context.

Smart Call Home Infrastructure
By default, a Smart Call Home profile exists in the configuration that specifies the URL for the Licensing
Authority. You cannot remove this profile. Note that the only configurable option for the License profile is
the destination address URL for the License Authority. Unless directed by Cisco TAC, you should not change
the License Authority URL.

Note For the Firepower 4100/9300 chassis, Smart Call Home for licensing is configured in the Firepower 4100/9300
chassis supervisor, not on the ASA.

You cannot disable Smart Call Home for Smart Software Licensing. For example, even if you disable Smart
Call Home using the no service call-home command, Smart Software Licensing is not disabled.
Other Smart Call Home functions are not turned on unless you specifically configure them.

Smart License Certificate Management
The ASA automatically creates a trustpoint containing the certificate of the CA that issued the Smart Call
Home server certificate. To avoid service interruption if the issuing hierarchy of the server certificate changes,


configure the auto-update command to enable the automatic update of the trustpool bundle at periodic
intervals.
The server certificate received from a Smart License Server must contain "ServAuth" in the Extended Key
Usage field. This check will be done on non self-signed certificates only; self-signed certificates do not provide
any value in this field.
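As an added illustration (not code from this guide or from Cisco), the Go program below implements the certificate rule just described: a server certificate that is not self-signed must carry serverAuth in Extended Key Usage, while a genuinely self-signed certificate (issuer equals subject and the signature verifies under its own key) is exempt. It builds a throwaway CA and three constructed leaf certificates in memory; the CA and host names are placeholders.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ServAuthAccepted applies the rule from the text: a Smart License Server certificate
// that is not self-signed must carry id-kp-serverAuth ("ServAuth") in Extended Key
// Usage; a self-signed certificate is exempt, because an EKU the server asserted
// about itself provides no assurance.
func ServAuthAccepted(cert *x509.Certificate) (bool, error) {
	if isSelfSigned(cert) {
		return true, nil
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			return true, nil
		}
	}
	return false, errors.New("server certificate lacks serverAuth in Extended Key Usage")
}

// isSelfSigned requires issuer == subject AND a signature that verifies under the
// certificate's own key; a matching name alone is trivially forgeable.
func isSelfSigned(cert *x509.Certificate) bool {
	return bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

// BuildScenario generates in memory a throwaway CA and three constructed leaf
// certificates: CA-signed with serverAuth, CA-signed with no EKU, self-signed with
// no EKU. The names are placeholders, not real licensing infrastructure.
func BuildScenario() (withEKU, noEKU, selfSigned *x509.Certificate) {
	caKey := mustKey()
	caTmpl := newTemplate("Constructed Licensing CA", 1, nil)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage = x509.KeyUsageCertSign
	ca := mustIssue(caTmpl, nil, caKey, nil)
	serverAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	withEKU = mustIssue(newTemplate("license-server.example.test", 2, serverAuth), ca, mustKey(), caKey)
	noEKU = mustIssue(newTemplate("license-server.example.test", 3, nil), ca, mustKey(), caKey)
	selfSigned = mustIssue(newTemplate("license-server.example.test", 4, nil), nil, mustKey(), nil)
	return withEKU, noEKU, selfSigned
}

// newTemplate builds a minimal certificate template; eku may be nil.
func newTemplate(cn string, serial int64, eku []x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}
}

// mustIssue signs tmpl with the parent's key (a nil parent yields a self-signed
// certificate) and parses the result; generation failures panic in this demo.
func mustIssue(tmpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	withEKU, noEKU, selfSigned := BuildScenario()
	for _, c := range []*x509.Certificate{withEKU, noEKU, selfSigned} {
		ok, err := ServAuthAccepted(c)
		fmt.Printf("serial %v (EKU %v): accepted=%v err=%v\n", c.SerialNumber, c.ExtKeyUsage, ok, err)
	}
}
```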

License Notes
The following table includes additional information about licenses.

AnyConnect Plus and Apex Licenses
The AnyConnect Plus or Apex license is a multi-use license that you can apply to multiple ASAs, all of which
share a user pool as specified by the license. Devices that use Smart Licensing do not require any AnyConnect
license to be physically applied to the actual platform. The same licenses must still be purchased, and you
must still link the Contract number to your Cisco.com ID for SW Center access and technical support. For
more information, see:
• Cisco AnyConnect Ordering Guide
• AnyConnect Licensing Frequently Asked Questions (FAQ)

Other VPN License
Other VPN sessions include the following VPN types:
• IPsec remote access VPN using IKEv1
• IPsec site-to-site VPN using IKEv1
• IPsec site-to-site VPN using IKEv2

This license is included in the Base license.

Total VPN Sessions Combined, All Types
• Although the maximum VPN sessions add up to more than the maximum VPN AnyConnect and Other
VPN sessions, the combined sessions should not exceed the VPN session limit. If you exceed the maximum
VPN sessions, you can overload the ASA, so be sure to size your network appropriately.
• If you start a clientless SSL VPN session and then start an AnyConnect client session from the portal, 1
session is used in total. However, if you start the AnyConnect client first (from a standalone client, for
example) and then log into the clientless SSL VPN portal, then 2 sessions are used.

Encryption License

Strong Encryption: ASAv
Strong Encryption (3DES/AES) is available for management connections before you connect to the License
Authority or Satellite server, so you can launch ASDM and connect to the License Authority. For
through-the-box traffic, throughput is severely limited until you connect to the License Authority and obtain
the Strong Encryption license.


When you request the registration token for the ASAv from your Smart Software Licensing account, check
the Allow export-controlled functionality on the products registered with this token check box so that
the Strong Encryption (3DES/AES) license is applied (your account must be qualified for its use). If the ASAv
becomes out-of-compliance later, as long as the export compliance token was successfully applied, the ASAv
will retain the license and not revert to the rate-limited state. The license is removed if you re-register the
ASAv, and export compliance is disabled, or if you restore the ASAv to factory default settings.
If you initially register the ASAv without strong encryption and later add strong encryption, then you must
reload the ASAv for the new license to take effect.
For pre-2.3.0 Satellite server versions, you must manually request the Strong Encryption license in the ASA
configuration (the export compliance token is not supported); in this case, if the ASAv becomes
out-of-compliance, throughput is severely limited.

Strong Encryption: Firepower 4100/9300 Chassis
When you request the registration token for the Firepower chassis from your Smart Software Licensing
account, check the Allow export-controlled functionality on the products registered with this token check
box so that the Strong Encryption (3DES/AES) license is applied (your account must be qualified for its use).
When the ASA is deployed as a logical device, it inherits the Strong Encryption license from the chassis, so
you can launch ASDM and use other features for through traffic immediately. If the ASA becomes
out-of-compliance later, as long as the export compliance token was successfully applied, the ASA will
continue to allow through the box traffic. The license is removed if you re-register the chassis, and export
compliance is disabled, or if you restore the chassis to factory default settings.
If you initially register the chassis without strong encryption and later add strong encryption, then you must
reload the ASA application for the new license to take effect.
For pre-2.3.0 Satellite server versions that do not support the export-compliance token: You must manually
request the Strong Encryption license in the ASA configuration using the CLI because ASDM requires 3DES.
If the ASA becomes out-of-compliance, neither management traffic nor through-traffic requiring this license
will be allowed.

DES: All Models
The DES license cannot be disabled. If you have the 3DES license installed, DES is still available. To prevent
the use of DES when you want to only use strong encryption, be sure to configure any relevant commands to
use only strong encryption.

Carrier License
The Carrier license enables the following inspection features:
• Diameter
• GTP/GPRS
• SCTP

Total TLS Proxy Sessions
Each TLS proxy session for Encrypted Voice Inspection is counted against the TLS license limit.
Other applications that use TLS proxy sessions do not count toward the TLS limit, for example, Mobility
Advantage Proxy (which does not require a license).


Some applications might use multiple sessions for a connection. For example, if you configure a phone with
a primary and backup Cisco Unified Communications Manager, there are 2 TLS proxy connections.
You independently set the TLS proxy limit using the tls-proxy maximum-sessions command or in ASDM,
using the Configuration > Firewall > Unified Communications > TLS Proxy pane. To view the limits of
your model, enter the tls-proxy maximum-sessions ? command. When you apply a TLS proxy license that
is higher than the default TLS proxy limit, the ASA automatically sets the TLS proxy limit to match the
license. The TLS proxy limit takes precedence over the license limit; if you set the TLS proxy limit to be less
than the license, then you cannot use all of the sessions in your license.

Note For license part numbers ending in “K8” (for example, licenses under 250 users), TLS proxy sessions are
limited to 1000. For license part numbers ending in “K9” (for example, licenses 250 users or larger), the
TLS proxy limit depends on the configuration, up to the model limit. K8 and K9 refer to whether the license
is restricted for export: K8 is unrestricted, and K9 is restricted.
If you clear the configuration (using the clear configure all command, for example), then the TLS proxy
limit is set to the default for your model; if this default is lower than the license limit, then you see an error
message to use the tls-proxy maximum-sessions command to raise the limit again (in ASDM, use the TLS
Proxy pane). If you use failover and enter the write standby command or in ASDM, use File > Save Running
Configuration to Standby Unit on the primary unit to force a configuration synchronization, the clear
configure all command is generated on the secondary unit automatically, so you may see the warning message
on the secondary unit. Because the configuration synchronization restores the TLS proxy limit set on the
primary unit, you can ignore the warning.

You might also use SRTP encryption sessions for your connections:
• For K8 licenses, SRTP sessions are limited to 250.
• For K9 licenses, there is no limit.

Note Only calls that require encryption/decryption for media are counted toward the SRTP limit; if passthrough is
set for the call, even if both legs are SRTP, they do not count toward the limit.

VLANs, Maximum
For an interface to count against the VLAN limit, you must assign a VLAN to it. For example:

interface gigabitethernet 0/0.100
 vlan 100

Botnet Traffic Filter License
Requires a Strong Encryption (3DES/AES) License to download the dynamic database.


Failover or ASA Cluster Licenses

Failover Licenses for the ASAv
The standby unit requires the same model license as the primary unit.

Failover Licenses for the ASA on the Firepower 4100/9300 Chassis

Each Firepower 4100/9300 chassis must be registered with the License Authority or satellite server. There is
no extra cost for the secondary unit. For permanent license reservation, you must purchase separate licenses
for each chassis.
Each ASA must have the same encryption license. For regular Smart Software Manager users, the Strong
Encryption license is automatically enabled for qualified customers when you apply the registration token on
the Firepower 4100/9300 chassis. For older Cisco Smart Software Manager satellite deployments, see below.
In the ASA licensing configuration, other licenses do not need to match on each failover unit, and you can
configure licensing separately on each unit. Each unit requests its own licenses from the server. The licenses
requested by both units are aggregated into a single failover license that is shared by the failover pair, and
this aggregated license is cached on the standby unit to be used if it becomes the active unit in the future.
Typically, you only need to configure licenses on the primary unit.
Each license type is managed as follows:
• Standard—Each unit includes the Standard license by default, so for a failover pair, 2 Standard licenses
are requested from the server.
• Context—Each unit can request its own Context license. However, the Standard license includes 10
contexts by default and is present on both units. The value from each unit’s Standard license plus the
value of any optional Context licenses on both units are combined up to the platform limit. For example:
• The Standard license includes 10 contexts; for 2 units, these licenses add up to 20 contexts. You
configure a 250-Context license on the primary unit in an Active/Standby pair. Therefore, the
aggregated failover license includes 270 contexts. However, because the platform limit for one unit
is 250, the combined license allows a maximum of 250 contexts only. In this case, you should only
configure the primary Context license to be 230 contexts.
• The Standard license includes 10 contexts; for 2 units, these licenses add up to 20 contexts. You
configure a 10-Context license on the primary unit in an Active/Active pair, and a 10-Context license
on the secondary unit. Therefore, the aggregated failover license includes 40 contexts. One unit can
use 22 contexts and the other unit can use 18 contexts, for example, for a total of 40. Because the
platform limit for one unit is 250, the combined license allows a maximum of 250 contexts; the 40
contexts are within the limit.

• Carrier—Only one unit needs to request this license, and both units can use it.
• Strong Encryption (3DES) (for a pre-2.3.0 Cisco Smart Software Manager satellite deployment
only)—Each unit must request its own license from the server; unlike the other license configurations,
this configuration is replicated to the standby unit. For Smart Software Manager satellite deployments,
to use ASDM and other strong encryption features, after you deploy the cluster you must enable the
Strong Encryption (3DES) license on the primary unit using the ASA CLI. The Strong Encryption (3DES)
license is not available with any type of evaluation license.


ASA Cluster Licenses for the ASA on the Firepower 4100/9300 Chassis
Each Firepower 4100/9300 chassis must be registered with the License Authority or satellite server. There is
no extra cost for slave units. For permanent license reservation, you must purchase separate licenses for each
chassis.
The Strong Encryption license is automatically enabled for qualified customers when you apply the registration
token. When using the token, each chassis must have the same encryption license. For the optional Strong
Encryption (3DES/AES) feature license enabled in the ASA configuration, see below.
In the ASA license configuration, you can only configure smart licensing on the master unit. The configuration
is replicated to the slave units, but for some licenses, they do not use the configuration; it remains in a cached
state, and only the master unit requests the license. The licenses are aggregated into a single cluster license
that is shared by the cluster units, and this aggregated license is also cached on the slave units to be used if
one of them becomes the master unit in the future. Each license type is managed as follows:
• Standard—Only the master unit requests the Standard license from the server. Because the slave units
have the Standard license enabled by default, they do not need to register with the server to use it.
• Context—Only the master unit requests the Context license from the server. The Standard license includes
10 contexts by default and is present on all cluster members. The value from each unit’s Standard license
plus the value of the Context license on the master unit are combined up to the platform limit in an
aggregated cluster license. For example:
• You have 6 Firepower 9300 modules in the cluster. The Standard license includes 10 contexts; for
6 units, these licenses add up to 60 contexts. You configure an additional 20-Context license on the
master unit. Therefore, the aggregated cluster license includes 80 contexts. Because the platform
limit for one module is 250, the combined license allows a maximum of 250 contexts; the 80 contexts
are within the limit. Therefore, you can configure up to 80 contexts on the master unit; each slave
unit will also have 80 contexts through configuration replication.
• You have 3 Firepower 4110 units in the cluster. The Standard license includes 10 contexts; for 3
units, these licenses add up to 30 contexts. You configure an additional 250-Context license on the
master unit. Therefore, the aggregated cluster license includes 280 contexts. Because the platform
limit for one unit is 250, the combined license allows a maximum of 250 contexts; the 280 contexts
are over the limit. Therefore, you can only configure up to 250 contexts on the master unit; each
slave unit will also have 250 contexts through configuration replication. In this case, you should
only configure the master Context license to be 220 contexts.

• Carrier—Required for Distributed S2S VPN. This license is a per-unit entitlement, and each unit requests
its own license from the server. This license configuration is replicated to the slave units.
• Strong Encryption (3DES) (for pre-2.3.0 Cisco Smart Software Manager satellite deployment, or for
tracking purposes)—This license is a per-unit entitlement, and each unit requests its own license from
the server.
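The Context-license arithmetic described for failover pairs (Standard contexts on each unit plus the optional Context licenses, capped at the platform limit) and for clusters (the same sum with the Context license on the master unit) can be checked before ordering licenses. The following is an added example, not Cisco code; it assumes 10 Standard contexts per unit and a 250-context platform limit, as in the guide's worked cases.

```python
# Added example (not from the Cisco guide): reproduce the aggregated Context
# license arithmetic used for failover pairs and ASA clusters.
# Assumptions: every unit carries the Standard license (10 contexts each) and
# the per-unit platform limit is 250, as in the guide's worked examples.

STANDARD_CONTEXTS_PER_UNIT = 10
PLATFORM_CONTEXT_LIMIT = 250


def aggregate_context_license(unit_count, context_licenses,
                              platform_limit=PLATFORM_CONTEXT_LIMIT):
    """Combine Standard-license contexts with optional Context licenses.

    unit_count:        units in the failover pair or cluster.
    context_licenses:  optional Context licenses configured, one entry per
                       unit that carries one (failover: either or both units;
                       cluster: only the master unit requests it).
    Returns the aggregated total, the usable total (capped at the platform
    limit), the contexts that the cap makes unusable, and the largest total
    Context license that is still fully usable.
    """
    if unit_count < 1:
        raise ValueError("at least one unit is required")
    if any(c < 0 for c in context_licenses):
        raise ValueError("Context license sizes must be non-negative")
    standard_contexts = unit_count * STANDARD_CONTEXTS_PER_UNIT
    aggregated = standard_contexts + sum(context_licenses)
    usable = min(aggregated, platform_limit)
    return {
        "standard_contexts": standard_contexts,
        "aggregated": aggregated,
        "usable": usable,
        # Contexts paid for but unusable on any single unit.
        "unusable": aggregated - usable,
        # Buying more than this in Context licenses is wasted.
        "max_useful_context_license": max(0, platform_limit - standard_contexts),
    }


def check_context_count(requested, unit_count, context_licenses,
                        platform_limit=PLATFORM_CONTEXT_LIMIT):
    """True if `requested` contexts on one unit fit the aggregated license."""
    usable = aggregate_context_license(unit_count, context_licenses,
                                       platform_limit)["usable"]
    return 0 <= requested <= usable


if __name__ == "__main__":
    # The guide's four worked cases.
    print(aggregate_context_license(2, [250]))     # A/S pair: 270 aggregated, 250 usable
    print(aggregate_context_license(2, [10, 10]))  # A/A pair: 40 usable
    print(aggregate_context_license(6, [20]))      # 9300 cluster: 80 usable
    print(aggregate_context_license(3, [250]))     # 4110 cluster: 280 aggregated, 250 usable
```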

If a new master unit is elected, the new master unit continues to use the aggregated license. It also uses the
cached license configuration to re-request the master license. When the old master unit rejoins the cluster as
a slave unit, it releases the master unit license entitlement. Before the slave unit releases the license, the master
unit's license might be in a non-compliant state if there are no available licenses in the account. The retained
license is valid for 30 days, but if it is still non-compliant after the grace period, you will not be able to make
configuration changes to features requiring special licenses; operation is otherwise unaffected. The new active
unit sends an entitlement authorization renewal request every 12 hours until the license is compliant. You
should refrain from making configuration changes until the license requests are completely processed. If a
unit leaves the cluster, the cached master configuration is removed, while the per-unit entitlements are retained.
In particular, you would need to re-request the Context license on non-cluster units.

Prerequisites for Smart Software Licensing

• ASAv: Ensure internet access, or HTTP proxy access from the device. Alternatively, you can use
Permanent License Reservation.
• ASAv: Configure a DNS server so the device can resolve the name of the License Authority.
• ASAv: Set the clock for the device.
• ASAv: Permanent license reservation is not supported for the Azure hypervisor.
• Firepower 4100/9300 chassis: Configure the Smart Software Licensing infrastructure on the Firepower
4100/9300 chassis before you configure the ASA licensing entitlements.
• Create a master account on the Cisco Smart Software Manager:
https://software.cisco.com/#module/SmartLicensing
If you do not yet have an account, click the link to set up a new account. The Smart Software Manager
lets you create a master account for your organization.
• When you bought your device from Cisco or a reseller, your licenses should have been linked to your
Smart Software License account. However, if you need to add licenses yourself, use the Find Products
and Solutions search field on the Cisco Commerce Workspace. Search for the following license PIDs:
Figure 7: License Search

ASAv PIDs:
• ASAv5—L-ASAV5S-K9=
• ASAv10—L-ASAV10S-K9=
• ASAv30—L-ASAV30S-K9=
• ASAv50—L-ASAV50S-K9=

Firepower 4100 PIDs:


Firepower 9300 PIDs:


Guidelines for Smart Software Licensing

• Only Smart Software Licensing is supported. For older software on the ASAv, if you upgrade an existing
PAK-licensed ASAv, then the previously installed activation key will be ignored, but retained on the
device. If you downgrade the ASAv, the activation key will be reinstated.
• For permanent license reservation, you must return the license before you decommission the device. If
you do not officially return the license, the license remains in a used state and cannot be reused for a new
device.

Defaults for Smart Software Licensing

ASAv
• The ASAv default configuration includes a Smart Call Home profile called “License” that specifies the
URL for the Licensing Authority.

call-home
profile License
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService

• When you deploy the ASAv, you set the feature tier and throughput level. Only the standard level is
available at this time. For permanent license reservation, you do not need to set these parameters. When
you enable permanent license reservation, these commands are removed from the configuration.

license smart
feature tier standard
throughput level {100M | 1G | 2G}

• Also during deployment, you can optionally configure an HTTP proxy.

call-home
http-proxy ip_address port port

ASA on the Firepower 4100/9300 Chassis


There is no default configuration. You must manually enable the standard license tier and other optional
licenses.

ASAv: Configure Smart Software Licensing


This section describes how to configure Smart Software Licensing for the ASAv. Choose one of the following
methods:


Procedure

Step 1 ASAv: Configure Regular Smart Software Licensing, on page 121.
Step 2 ASAv: Configure Satellite Smart Software Licensing, on page 124.
Step 3 ASAv: Configure Permanent License Reservation, on page 126.

ASAv: Configure Regular Smart Software Licensing


When you deploy the ASAv, you can pre-configure the device and include a registration token so it registers
with the License Authority and enables Smart Software Licensing. If you need to change your HTTP proxy
server, license entitlement, or register the ASAv (for example, if you did not include the ID token in the Day0
configuration), perform this task.

Note You may have pre-configured the HTTP proxy and license entitlements when you deployed your ASAv. You
may also have included the registration token with your Day0 configuration when you deployed the ASAv;
if so, you do not need to re-register using this procedure.

Procedure

Step 1 In the Smart Software Manager (Cisco Smart Software Manager), request and copy a registration token for
the virtual account to which you want to add this device.
a) Click Inventory.
Figure 8: Inventory

b) On the General tab, click New Token.


Figure 9: New Token

c) On the Create Registration Token dialog box, enter the following settings, and then click Create Token:
• Description
• Expire After—Cisco recommends 30 days.
• Allow export-controlled functionality on the products registered with this token—Enables the
export-compliance flag.

Figure 10: Create Registration Token

The token is added to your inventory.


d) Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID
to your clipboard. Keep this token ready for later in the procedure when you need to register the ASA.


Figure 11: View Token

Figure 12: Copy Token

Step 2 (Optional) On the ASAv, specify the HTTP Proxy URL:

call-home
http-proxy ip_address port port

If your network uses an HTTP proxy for internet access, you must configure the proxy address for Smart
Software Licensing. This proxy is also used for Smart Call Home in general.
Example:

ciscoasa(config)# call-home
ciscoasa(cfg-call-home)# http-proxy 10.1.1.1 port 443

Step 3 Configure the license entitlements.

a) Enter license smart configuration mode:
license smart
Example:

ciscoasa(config)# license smart
ciscoasa(config-smart-lic)#

b) Set the feature tier:

feature tier standard

Only the standard tier is available.
c) Set the throughput level:

throughput level {100M | 1G | 2G}

Example:

ciscoasa(config-smart-lic)# throughput level 2G

d) Exit license smart mode to apply your changes:

exit

Your changes do not take effect until you exit the license smart configuration mode, either by explicitly
exiting the mode (exit or end) or by entering any command that takes you to a different mode.
Example:

ciscoasa(config-smart-lic)# exit
ciscoasa(config)#

Step 4 Register the ASAv with the License Authority.

When you register the ASAv, the License Authority issues an ID certificate for communication between the
ASAv and the License Authority. It also assigns the ASAv to the appropriate virtual account. Normally, this
procedure is a one-time instance. However, you might need to later re-register the ASAv if the ID certificate
expires because of a communication problem, for example.
a) Enter the registration token on the ASAv:
license smart register idtoken id_token [force]
Use the force keyword to register an ASAv that is already registered, but that might be out of sync with
the License Authority. For example, use force if the ASAv was accidentally removed from the Smart
Software Manager.
The ASAv attempts to register with the License Authority and request authorization for the configured
license entitlements.
Example:

ciscoasa# license smart register idtoken YjE3Njc5MzYtMGQzMi00OTA4
LWJhODItNzBhMGQ5NGRlYjUxLTE0MTQ5NDAy%0AODQzNzl8NXk2bzV3SDE0ZkgwQk
dYRmZ1NTNCNGlvRnBHUFpjcm02WTB4TU4w%0Ac2NnMD0%3D%0A

ASAv: Configure Satellite Smart Software Licensing

This procedure applies to an ASAv using a satellite Smart Software Licensing server.

Before you begin

Download the Smart Software Manager satellite OVA file from Cisco.com and install and configure it on a
VMware ESXi server. For more information, see Smart Software Manager satellite.


Procedure

Step 1 Request a registration token on the satellite server.


Step 2 (Optional) On the ASA, specify the HTTP Proxy URL:
call-home
http-proxy ip_address port port
If your network uses an HTTP proxy for internet access, you must configure the proxy address for Smart
Software Licensing. This proxy is also used for Smart Call Home in general.
Example:

ciscoasa(config)# call-home
ciscoasa(cfg-call-home)# http-proxy 10.1.1.1 port 443

Step 3 Change the license server URL to go to the satellite server.

call-home
profile License
destination address http https://satellite_ip_address/Transportgateway/services/DeviceRequestHandler

Example:

ciscoasa(config)# call-home
ciscoasa(cfg-call-home)# profile License
ciscoasa(cfg-call-home-profile)# destination address http
https://10.1.5.5/Transportgateway/services/DeviceRequestHandler

Step 4 Register the ASA using the token you requested in Step 1:
license smart register idtoken id_token
Example:

ciscoasa# license smart register idtoken YjE3Njc5MzYtMGQzMi00OTA4
LWJhODItNzBhMGQ5NGRlYjUxLTE0MTQ5NDAy%0AODQzNzl8NXk2bzV3SDE0ZkgwQk
dYRmZ1NTNCNGlvRnBHUFpjcm02WTB4TU4w%0Ac2NnMD0%3D%0A

The ASA registers with the satellite server and requests authorization for the configured license entitlements.
The satellite server also applies the Strong Encryption (3DES/AES) license if your account allows. Use the
show license summary command to check the license status and usage.
Example:

ciscoasa# show license summary

Smart Licensing is ENABLED

Registration:
Status: REGISTERED
Smart Account: Biz1
Virtual Account: IT
Export-Controlled Functionality: Allowed
Last Renewal Attempt: None
Next Renewal Attempt: Mar 19 20:26:29 2018 UTC

License Authorization:
Status: AUTHORIZED
Last Communication Attempt: SUCCEEDED
Next Communication Attempt: Oct 23 01:41:26 2017 UTC

License Usage:
License Entitlement tag Count Status
-----------------------------------------------------------------------------
regid.2014-08.com.ci... (FP2110-ASA-Std) 1 AUTHORIZED
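Because a unit that falls out of compliance eventually blocks configuration changes to licensed features, the show license summary output above is worth checking automatically. The following parser is an added example, not Cisco code; the first sample is the guide's own output, the second is a constructed variant of the same layout showing a non-compliant device, and the OUT OF COMPLIANCE and Not Allowed strings are assumed status values.

```python
import re

# Output copied from the guide's show license summary example (healthy device).
SAMPLE_HEALTHY = """\
Smart Licensing is ENABLED

Registration:
Status: REGISTERED
Smart Account: Biz1
Virtual Account: IT
Export-Controlled Functionality: Allowed
Last Renewal Attempt: None
Next Renewal Attempt: Mar 19 20:26:29 2018 UTC

License Authorization:
Status: AUTHORIZED
Last Communication Attempt: SUCCEEDED
Next Communication Attempt: Oct 23 01:41:26 2017 UTC

License Usage:
License Entitlement tag Count Status
-----------------------------------------------------------------------------
regid.2014-08.com.ci... (FP2110-ASA-Std) 1 AUTHORIZED
"""

# Constructed sample (not from the guide): same layout, but the device has
# lost authorization and its account is not export-cleared.
SAMPLE_NONCOMPLIANT = """\
Smart Licensing is ENABLED

Registration:
Status: REGISTERED
Smart Account: Biz1
Virtual Account: IT
Export-Controlled Functionality: Not Allowed
Last Renewal Attempt: None
Next Renewal Attempt: Mar 19 20:26:29 2018 UTC

License Authorization:
Status: OUT OF COMPLIANCE
Last Communication Attempt: SUCCEEDED
Next Communication Attempt: Oct 23 01:41:26 2017 UTC

License Usage:
License Entitlement tag Count Status
-----------------------------------------------------------------------------
regid.2014-08.com.ci... (FP2110-ASA-Std) 1 OUT OF COMPLIANCE
"""

# One row of the License Usage table: "<license> (<tag>) <count> <status>".
_USAGE_ROW = re.compile(
    r"^(?P<name>.*?)\s*\((?P<tag>[^)]*)\)\s+(?P<count>\d+)\s+(?P<status>.+?)\s*$")


def parse_license_summary(text):
    """Turn show license summary output into {"enabled", "sections", "usage"}."""
    summary = {"enabled": False, "sections": {}, "usage": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        if line.startswith("Smart Licensing is "):
            summary["enabled"] = line.split()[-1] == "ENABLED"
            continue
        if line.endswith(":"):                # "Registration:", "License Usage:", ...
            section = line[:-1]
            summary["sections"].setdefault(section, {})
            continue
        if section == "License Usage":
            if line.startswith("License "):   # column header row
                continue
            m = _USAGE_ROW.match(line)
            if m:
                summary["usage"].append({"name": m["name"], "tag": m["tag"],
                                         "count": int(m["count"]),
                                         "status": m["status"]})
            continue
        key, sep, value = line.partition(": ")  # values may contain colons (timestamps)
        if sep and section is not None:
            summary["sections"][section][key] = value
    return summary


def license_problems(summary):
    """Return the conditions an operator should act on; an empty list means healthy."""
    problems = []
    if not summary["enabled"]:
        problems.append("Smart Licensing is not enabled")
    reg = summary["sections"].get("Registration", {})
    auth = summary["sections"].get("License Authorization", {})
    if reg.get("Status") != "REGISTERED":
        problems.append("registration status is %s" % reg.get("Status", "missing"))
    if auth.get("Status") != "AUTHORIZED":
        problems.append("authorization status is %s" % auth.get("Status", "missing"))
    if reg.get("Export-Controlled Functionality") != "Allowed":
        problems.append("export-controlled functionality not allowed; "
                        "strong encryption features are unavailable")
    for row in summary["usage"]:
        if row["status"] != "AUTHORIZED":
            problems.append("entitlement %s is %s" % (row["tag"], row["status"]))
    return problems


if __name__ == "__main__":
    for name, text in (("healthy", SAMPLE_HEALTHY), ("noncompliant", SAMPLE_NONCOMPLIANT)):
        print(name, license_problems(parse_license_summary(text)) or "OK")
```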

ASAv: Configure Permanent License Reservation


You can assign a permanent license to an ASAv. This section also describes how to return a license if you
retire the ASAv or change model tiers and need a new license.

Procedure

Step 1 Install the ASAv Permanent License, on page 126
Step 2 (Optional) Return the ASAv Permanent License, on page 128

Install the ASAv Permanent License


For ASAvs that do not have Internet access, you can request a permanent license from the Smart Software
Manager.

Note For permanent license reservation, you must return the license before you decommission the ASAv. If you
do not officially return the license, the license remains in a used state and cannot be reused for a new ASAv.
See (Optional) Return the ASAv Permanent License, on page 128.

Note If you clear your configuration after you install the permanent license (for example using write erase), then
you only need to reenable permanent license reservation using the license smart reservation command
without any arguments as shown in step 1; you do not need to complete the rest of this procedure.

Before you begin


• Purchase permanent licenses so they are available in the Smart Software Manager. Not all accounts are
approved for permanent license reservation. Make sure you have approval from Cisco for this feature
before you attempt to configure it.


• You must request a permanent license after the ASAv starts up; you cannot install a permanent license
as part of the Day 0 configuration.

Procedure

Step 1 At the ASAv CLI, enable permanent license reservation:

license smart reservation
Example:

ciscoasa(config)# license smart reservation
ciscoasa(config)#

The following commands are removed:

license smart
feature tier standard
throughput level {100M | 1G | 2G}

To use regular smart licensing, use the no form of this command, and re-enter the above commands. Other
Smart Call Home configuration remains intact but unused, so you do not need to re-enter those commands.

Step 2 Request the license code to enter in the Smart Software Manager:
license smart reservation request universal
Example:

ciscoasa# license smart reservation request universal
Enter this request code in the Cisco Smart Software Manager portal:
ABP:ASAv,S:9AU5ET6UQHD{A8ug5/1jRDaSp3w8uGlfeQ{53C13E
ciscoasa#

You must choose the model level (ASAv5/ASAv10/ASAv30) that you want to use during ASAv deployment.
That model level determines the license you request. If you later want to change the model level of a unit,
you will have to return the current license and request a new license at the correct model level. To change the
model of an already deployed ASAv, from the hypervisor you can change the vCPUs and DRAM settings to
match the new model requirements; see the ASAv quick start guide for these values. To view your current
model, use the show vm command.
If you re-enter this command, then the same code is displayed, even after a reload. If you have not yet entered
this code into the Smart Software Manager and want to cancel the request, enter:
license smart reservation cancel
If you disable permanent license reservation, then any pending requests are canceled. If you already entered
the code into the Smart Software Manager, then you must complete this procedure to apply the license to the
ASAv, after which point you can return the license if desired. See (Optional) Return the ASAv Permanent
License, on page 128.

Step 3 Go to the Smart Software Manager Inventory screen, and click the Licenses tab:
https://software.cisco.com/#SmartLicensing-Inventory


The Licenses tab displays all existing licenses related to your account, both regular and permanent.

Step 4 Click License Reservation, and type the ASAv code into the box. Click Reserve License.
The Smart Software Manager generates an authorization code. You can download the code or copy it to the
clipboard. At this point, the license is now in use according to the Smart Software Manager.
If you do not see the License Reservation button, then your account is not authorized for permanent license
reservation. In this case, you should disable permanent license reservation and re-enter the regular smart
license commands.

Step 5 On the ASAv, enter the authorization code:

license smart reservation install code
Example:

ciscoasa# license smart reservation install AAu3431rGRS00Ig5HQl2vpzg{MEYCIQCBw$
ciscoasa#

Your ASAv is now fully licensed.

(Optional) Return the ASAv Permanent License


If you no longer need a permanent license (for example, you are retiring an ASAv or changing its model level
so it needs a new license), you must officially return the license to the Smart Software Manager using this
procedure. If you do not follow all steps, then the license stays in a used state and cannot easily be freed up
for use elsewhere.

Procedure

Step 1 On the ASAv, generate a return code:

license smart reservation return
Example:

ciscoasa# license smart reservation return
Enter this return code in the Cisco Smart Software Manager portal:
Au3431rGRS00Ig5HQl2vpcg{uXiTRfVrp7M/zDpirLwYCaq8oSv60yZJuFDVBS2QliQ=

The ASAv immediately becomes unlicensed and moves to the Evaluation state. If you need to view this code
again, re-enter this command. Note that if you request a new permanent license (license smart reservation
request universal) or change the ASAv model level (by powering down and changing the vCPUs/RAM),
then you cannot re-display this code. Be sure to capture the code to complete the return.

Step 2 View the ASAv universal device identifier (UDI) so you can find this ASAv instance in the Smart Software
Manager:
show license udi
Example:

ciscoasa# show license udi
UDI: PID:ASAv,SN:9AHV3KJBEKE
ciscoasa#

Step 3 Go to the Smart Software Manager Inventory screen, and click the Product Instances tab:
https://software.cisco.com/#SmartLicensing-Inventory
The Product Instances tab displays all licensed products by the UDI.

Step 4 Find the ASAv you want to unlicense, choose Actions > Remove, and type the ASAv return code into the
box. Click Remove Product Instance.
The permanent license is returned to the available pool.

(Optional) Deregister the ASAv (Regular and Satellite)


Deregistering the ASAv removes the ASAv from your account. All license entitlements and certificates on
the ASAv are removed. You might want to deregister to free up a license for a new ASAv. Alternatively, you
can remove the ASAv from the Smart Software Manager.

Procedure

Deregister the ASAv:


license smart deregister
The ASAv then reloads.

(Optional) Renew the ASAv ID Certificate or License Entitlement (Regular and Satellite)
By default, the ID certificate is automatically renewed every 6 months, and the license entitlement is renewed
every 30 days. You might want to manually renew the registration for either of these items if you have a
limited window for Internet access, or if you make any licensing changes in the Smart Software Manager, for
example.

Procedure

Step 1 Renew the ID certificate:


license smart renew id

Step 2 Renew the license entitlement:

license smart renew auth

Firepower 4100/9300 Chassis: Configure Smart Software Licensing

This procedure applies to a chassis using the License Authority, a Satellite server, or Permanent License
Reservation; see the FXOS configuration guide to configure your method as a prerequisite.
For Permanent License Reservation, the license enables all features: Standard tier with maximum Security
Contexts and the Carrier license. However, for the ASA to "know" to use these features, you need to enable
them on the ASA.

Note For pre-2.3.0 Smart Software Manager satellite users: The Strong Encryption (3DES/AES) license is not
enabled by default so you cannot use ASDM to configure your ASA until you request the Strong Encryption
license using the ASA CLI. Other strong encryption features are also not available until you do so, including
VPN.

Before you begin


For an ASA cluster, you need to access the primary unit for configuration. Check the Firepower Chassis
Manager to see which unit is the primary. You can also check from the ASA CLI, as shown in this procedure.

Procedure

Step 1 Connect to the Firepower 4100/9300 chassis CLI (console or SSH), and then session to the ASA:

connect module slot console
connect asa

Example:

Firepower> connect module 1 console
Firepower-module1> connect asa
asa>

The next time you connect to the ASA console, you go directly to the ASA; you do not need to enter connect
asa again.
For an ASA cluster, you only need to access the master unit for license configuration and other configuration.
Typically, the master unit is in slot 1, so you should connect to that module first.

Step 2 At the ASA CLI, enter global configuration mode. By default, the enable password is blank.

enable
configure terminal

Example:

asa> enable
Password:
asa# configure terminal
asa(config)#

Step 3 If required, for an ASA cluster confirm that this unit is the primary unit:
show cluster info
Example:

asa(config)# show cluster info
Cluster stbu: On
This is "unit-1-1" in state SLAVE
ID : 0
Version : 9.5(2)
Serial No.: P3000000025
CCL IP : 127.2.1.1
CCL MAC : 000b.fcf8.c192
Last join : 17:08:59 UTC Sep 26 2015
Last leave: N/A
Other members in the cluster:
Unit "unit-1-2" in state SLAVE
ID : 1
Version : 9.5(2)
Serial No.: P3000000001
CCL IP : 127.2.1.2
CCL MAC : 000b.fcf8.c162
Last join : 19:13:11 UTC Sep 23 2015
Last leave: N/A
Unit "unit-1-3" in state MASTER
ID : 2
Version : 9.5(2)
Serial No.: JAB0815R0JY
CCL IP : 127.2.1.3
CCL MAC : 000f.f775.541e
Last join : 19:13:20 UTC Sep 23 2015
Last leave: N/A

If a different unit is the primary unit, exit the connection and connect to the correct unit. See below for
information about exiting the connection.

Step 4 Enter license smart configuration mode:

license smart
Example:

ciscoasa(config)# license smart
ciscoasa(config-smart-lic)#

Step 5 Set the feature tier:

feature tier standard

Only the standard tier is available. A tier license is a prerequisite for adding other feature licenses.

Step 6 Request one or more of the following features:

• Carrier (GTP/GPRS, Diameter, and SCTP inspection)
feature carrier
• Security Contexts
feature context <1-248>
For Permanent License Reservation, you can specify the maximum contexts (248).
• For pre-2.3.0 satellite server users only: Strong Encryption (3DES/AES)
feature strong-encryption

Example:

ciscoasa(config-smart-lic)# feature carrier
ciscoasa(config-smart-lic)# feature context 50

Step 7 To exit the ASA console, enter ~ at the prompt to exit to the Telnet application. Enter quit to exit back to the
supervisor CLI.

Licenses Per Model


This section lists the license entitlements available for the ASAv and Firepower 4100/9300 chassis ASA
security module.

ASAv
The following table shows the licensed features for the ASAv series.

Licenses                              Standard License
---------------------------------------------------------------------------
Firewall Licenses
Botnet Traffic Filter                 Enabled
Firewall Conns, Concurrent            ASAv5: 50,000
                                      ASAv10: 100,000
                                      ASAv30: 500,000
Carrier                               Enabled
Total TLS Proxy Sessions              ASAv5: 500
                                      ASAv10: 500
                                      ASAv30: 1000
VPN Licenses
AnyConnect peers                      Disabled. Optional AnyConnect Plus or Apex license, Maximums:
                                      ASAv5: 50
                                      ASAv10: 250
                                      ASAv30: 750
Other VPN Peers                       ASAv5: 50
                                      ASAv10: 250
                                      ASAv30: 1000
Total VPN Peers, combined all types   ASAv5: 50
                                      ASAv10: 250
                                      ASAv30: 1000
General Licenses
Throughput Level                      ASAv5: 100 Mbps
                                      ASAv10: 1 Gbps
                                      ASAv30: 2 Gbps
Encryption                            Base (DES) or Strong (3DES/AES), depending on the account's
                                      export compliance setting
Failover                              Active/Standby
Security Contexts                     No support
Clustering                            No support
VLANs, Maximum                        ASAv5: 25
                                      ASAv10: 50
                                      ASAv30: 200
RAM, vCPUs                            ASAv5: 1 GB, 1 vCPU
                                      ASAv10: 2 GB, 1 vCPU
                                      ASAv30: 8 GB, 4 vCPUs


Firepower 4100 Series ASA Application

The following table shows the licensed features for the Firepower 4100 series ASA application.

Licenses                              Standard License
---------------------------------------------------------------------------
Firewall Licenses
Botnet Traffic Filter                 No Support.
Firewall Conns, Concurrent            Firepower 4110: 10,000,000
                                      Firepower 4120: 15,000,000
                                      Firepower 4140: 25,000,000
                                      Firepower 4150: 35,000,000
Carrier                               Disabled. Optional License: Carrier
Total TLS Proxy Sessions              Firepower 4110: 10,000
                                      All others: 15,000
VPN Licenses
AnyConnect peers                      Disabled. Optional AnyConnect Plus or Apex license:
                                      Firepower 4110: 10,000
                                      All others: 20,000
Other VPN Peers                       Firepower 4110: 10,000
                                      All others: 20,000
Total VPN Peers, combined all types   Firepower 4110: 10,000
                                      All others: 20,000
General Licenses
Encryption                            Base (DES) or Strong (3DES/AES), depending on the account's
                                      export compliance setting
Security Contexts                     10. Optional License: Maximum of 250, in increments of 10
Clustering                            Enabled
VLANs, Maximum                        1024

Firepower 9300 ASA Application

The following table shows the licensed features for the Firepower 9300 ASA application.

Licenses                      Standard License

Firewall Licenses
Botnet Traffic Filter         No Support
Firewall Conns, Concurrent    Firepower 9300 SM-44: 60,000,000, up to 70,000,000 for a chassis with 3 modules
                              Firepower 9300 SM-36: 60,000,000, up to 70,000,000 for a chassis with 3 modules
                              Firepower 9300 SM-24: 55,000,000, up to 70,000,000 for a chassis with 3 modules
Carrier                       Disabled. Optional license: Carrier
Total TLS Proxy Sessions      15,000

VPN Licenses
AnyConnect peers              Disabled. Optional AnyConnect Plus or Apex license: 20,000 maximum
Other VPN Peers               20,000
Total VPN Peers, combined     20,000
all types

General Licenses
Encryption                    Base (DES) or Strong (3DES/AES), depending on the account's export compliance setting
Security Contexts             10. Optional license: maximum of 250, in increments of 10
Clustering                    Enabled
VLANs, Maximum                1024

Monitoring Smart Software Licensing


You can monitor the license features, status, and certificate, as well as enable debug messages.

Viewing Your Current License


See the following commands for viewing your license:
• show license features
The following example shows an ASAv with only a base license (no current license entitlement):

Serial Number: 9AAHGX8514R

ASAv Platform License State: Unlicensed


No active entitlement: no feature tier configured

Licensed features for this platform:


Maximum Physical Interfaces : 10 perpetual
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual

Viewing Smart License Status


See the following commands for viewing license status:
• show license all
Displays the state of Smart Software Licensing, Smart Agent version, UDI information, Smart Agent
state, global compliance status, the entitlements status, licensing certificate information, and scheduled
Smart Agent tasks.
The following example shows an ASAv license:

ciscoasa# show license all


Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration:
Status: REGISTERED
Smart Account: ASA
Virtual Account: ASAv Internal Users
Export-Controlled Functionality: Not Allowed
Initial Registration: SUCCEEDED on Sep 21 20:26:29 2015 UTC
Last Renewal Attempt: None
Next Renewal Attempt: Mar 19 20:26:28 2016 UTC
Registration Expires: Sep 20 20:23:25 2016 UTC

License Authorization:
Status: AUTHORIZED on Sep 21 21:17:35 2015 UTC
Last Communication Attempt: SUCCEEDED on Sep 21 21:17:35 2015 UTC
Next Communication Attempt: Sep 24 00:44:10 2015 UTC
Communication Deadline: Dec 20 21:14:33 2015 UTC

License Usage
==============

regid.2014-08.com.cisco.ASAv-STD-1G,1.0_4fd3bdbd-29ae-4cce-ad82-45ad3db1070c
(ASAv-STD-1G):
Description: This entitlement tag was created via Alpha Extension application
Count: 1
Version: 1.0
Status: AUTHORIZED

Product Information
===================
UDI: PID:ASAv,SN:9AHV3KJBEKE

Agent Version
=============
Smart Agent for Licensing: 1.6_reservation/36

• show license status


Shows the smart license status.
The following example shows the status for an ASAv using regular smart software licensing:

ciscoasa# show license status

Smart Licensing is ENABLED

Registration:
Status: REGISTERED
Smart Account: ASA
Virtual Account: ASAv Internal Users
Export-Controlled Functionality: Not Allowed
Initial Registration: SUCCEEDED on Sep 21 20:26:29 2015 UTC
Last Renewal Attempt: None
Next Renewal Attempt: Mar 19 20:26:28 2016 UTC
Registration Expires: Sep 20 20:23:25 2016 UTC

License Authorization:
Status: AUTHORIZED on Sep 23 01:41:26 2015 UTC
Last Communication Attempt: SUCCEEDED on Sep 23 01:41:26 2015 UTC
Next Communication Attempt: Oct 23 01:41:26 2015 UTC
Communication Deadline: Dec 22 01:38:25 2015 UTC

The following example shows the status for an ASAv using permanent license reservation:

ciscoasa# show license status

Smart Licensing is ENABLED


License Reservation is ENABLED

Registration:
Status: REGISTERED - UNIVERSAL LICENSE RESERVATION
Export-Controlled Functionality: Allowed
Initial Registration: SUCCEEDED on Jan 28 16:42:45 2016 UTC

License Authorization:
Status: AUTHORIZED - RESERVED on Jan 28 16:42:45 2016 UTC

Licensing HA configuration error:


No Reservation Ha config error

• show license summary


Shows a summary of smart license status and usage.
The following example shows the summary for an ASAv using regular smart software licensing:

ciscoasa# show license summary

Smart Licensing is ENABLED

Registration:
Status: REGISTERED
Smart Account: ASA
Virtual Account: ASAv Internal Users
Export-Controlled Functionality: Not Allowed
Last Renewal Attempt: None
Next Renewal Attempt: Mar 19 20:26:29 2016 UTC

License Authorization:
Status: AUTHORIZED
Last Communication Attempt: SUCCEEDED
Next Communication Attempt: Oct 23 01:41:26 2015 UTC

License Usage:
License Entitlement tag Count Status
-----------------------------------------------------------------------------
regid.2014-08.com.ci... (ASAv-STD-1G) 1 AUTHORIZED

The following example shows the summary for an ASAv using permanent license reservation:

ciscoasa# show license summary

Smart Licensing is ENABLED

Registration:
Status: REGISTERED - UNIVERSAL LICENSE RESERVATION
Export-Controlled Functionality: Allowed

License Authorization:
Status: AUTHORIZED - RESERVED

• show license usage


Shows the smart license usage.
The following example shows the usage for an ASAv:

ciscoasa# show license usage

License Authorization:
Status: AUTHORIZED on Sep 23 01:41:26 2015 UTC

regid.2014-08.com.cisco.ASAv-STD-1G,1.0_4fd3bdbd-29ae-4cce-ad82-45ad3db1070c
(ASAv-STD-1G):
Description: This entitlement tag was created via Alpha Extension application
Count: 1
Version: 1.0
Status: AUTHORIZED
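
As an added example, not from the Cisco guide: a Python checker that parses show license status output in the layout shown above and reports what an operator would alert on (an unregistered or unauthorized state, export-controlled functionality not allowed, a registration expiry or communication deadline that has passed or falls within 30 days), skipping the time-based checks when permanent license reservation is in use, since a reserved license has no renewal or communication deadlines. The two sample outputs inside the block are constructed to match the page's examples, and the clock is passed in so the result is reproducible.

```python
"""Parse ASA 'show license status' output and flag licensing-health problems.

Added example (not from the Cisco guide). It reads the command output in the
layout shown on this page and compares its timestamps against a supplied clock.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

DATE_FMT = "%b %d %H:%M:%S %Y UTC"
# Trailing timestamp in lines such as "Status: AUTHORIZED on Sep 23 01:41:26 2015 UTC".
DATE_RE = re.compile(r"([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4} UTC)")


def parse_license_status(text: str) -> dict:
    """Group 'Key: value' lines under the preceding 'Section:' header.

    A line with nothing after the colon opens a section ("Registration:");
    a line with no colon ("Smart Licensing is ENABLED") goes under 'flags'.
    Indentation is ignored, so extracted or re-pasted output parses too.
    """
    parsed: dict = {"flags": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep or (section is None and value.strip()):
            parsed["flags"].append(line)          # no colon, or a field before any section
        elif not value.strip():
            section = key.strip()                 # "Registration:" / "License Authorization:"
            parsed.setdefault(section, {})
        else:
            parsed[section][key.strip()] = value.strip()
    return parsed


def _timestamp(value: str) -> datetime | None:
    m = DATE_RE.search(value)
    return datetime.strptime(m.group(1), DATE_FMT).replace(tzinfo=timezone.utc) if m else None


def license_health(text: str, now: datetime, warn_days: int = 30) -> list[str]:
    """Return findings for one unit; an empty list means nothing needs attention."""
    parsed = parse_license_status(text)
    flags = parsed["flags"]
    reg = parsed.get("Registration", {})
    auth = parsed.get("License Authorization", {})
    findings = []
    if "Smart Licensing is ENABLED" not in flags:
        findings.append("smart licensing is not enabled")
    if not reg.get("Status", "").startswith("REGISTERED"):
        findings.append(f"registration: {reg.get('Status', 'missing')}")
    if not auth.get("Status", "").startswith("AUTHORIZED"):
        findings.append(f"authorization: {auth.get('Status', 'missing')}")
    if reg.get("Export-Controlled Functionality") == "Not Allowed":
        findings.append("export-controlled functionality not allowed: Strong Encryption (3DES/AES) unavailable")
    # A permanent license reservation has no renewal or communication deadlines,
    # so the time-based checks apply only to regular smart licensing.
    if "License Reservation is ENABLED" not in flags:
        for fields, key in ((reg, "Registration Expires"), (auth, "Communication Deadline")):
            when = _timestamp(fields.get(key, ""))
            if when is None:
                findings.append(f"{key}: missing")
            elif when <= now:
                findings.append(f"{key}: passed on {when:%Y-%m-%d}")
            elif when - now <= timedelta(days=warn_days):
                findings.append(f"{key}: {when:%Y-%m-%d}, within {warn_days} days")
    return findings


# Constructed samples in the layout of the 'show license status' examples above.
SAMPLE_REGULAR = """\
Smart Licensing is ENABLED

Registration:
  Status: REGISTERED
  Export-Controlled Functionality: Not Allowed
  Initial Registration: SUCCEEDED on Sep 21 20:26:29 2015 UTC
  Registration Expires: Sep 20 20:23:25 2016 UTC

License Authorization:
  Status: AUTHORIZED on Sep 23 01:41:26 2015 UTC
  Communication Deadline: Dec 22 01:38:25 2015 UTC
"""

SAMPLE_RESERVED = """\
Smart Licensing is ENABLED
License Reservation is ENABLED

Registration:
  Status: REGISTERED - UNIVERSAL LICENSE RESERVATION
  Export-Controlled Functionality: Allowed

License Authorization:
  Status: AUTHORIZED - RESERVED on Jan 28 16:42:45 2016 UTC
"""
```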

Viewing the UDI


See the following command to view the universal product identifier (UDI):
show license udi
The following example shows the UDI for the ASAv:

ciscoasa# show license udi


UDI: PID:ASAv,SN:9AHV3KJBEKE
ciscoasa#

Debugging Smart Software Licensing


See the following commands for debugging Smart Software Licensing:
• debug license agent {error | trace | debug | all}
Turns on debugging from the Smart Agent.
• debug license level
Turns on various levels of Smart Software Licensing Manager debugs.

History for Smart Software Licensing

Feature Name: Permanent License Reservation for the ASAv Short String enhancement
Platform Releases: 9.6(2)
Description: Due to an update to the Smart Agent (to 1.6.4), the request and authorization codes now use shorter strings. We did not modify any commands.

Feature Name: Satellite Server support for the ASAv
Platform Releases: 9.6(2)
Description: If your devices cannot access the internet for security reasons, you can optionally install a local Smart Software Manager satellite server as a virtual machine (VM). We did not modify any commands.

Feature Name: Permanent License Reservation for the ASA on the Firepower 4100/9300 chassis
Platform Releases: 9.6(2)
Description: For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASA on the Firepower 9300 and Firepower 4100. All available license entitlements are included in the permanent license, including the Standard Tier, Strong Encryption (if qualified), Security Contexts, and Carrier licenses. Requires FXOS 2.0.1. All configuration is performed on the Firepower 4100/9300 chassis; no configuration is required on the ASA.

Feature Name: Permanent License Reservation for the ASAv
Platform Releases: 9.5(2.200), 9.6(2)
Description: For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASAv. In 9.6(2), we also added support for this feature for the ASAv on Amazon Web Services. This feature is not supported for Microsoft Azure. We introduced the following commands: license smart reservation, license smart reservation cancel, license smart reservation install, license smart reservation request universal, license smart reservation return

Feature Name: Smart Agent Upgrade to v1.6
Platform Releases: 9.5(2.200), 9.6(2)
Description: The smart agent was upgraded from Version 1.1 to Version 1.6. This upgrade supports permanent license reservation and also supports setting the Strong Encryption (3DES/AES) license entitlement according to the permission set in your license account.
Note: If you downgrade from Version 9.5(2.200), the ASAv does not retain the licensing registration state. You need to re-register with the license smart register idtoken id_token force command; obtain the ID token from the Smart Software Manager.
We introduced the following commands: show license status, show license summary, show license udi, show license usage
We modified the following commands: show license all, show tech-support license
We deprecated the following commands: show license cert, show license entitlement, show license pool, show license registration

Feature Name: Strong Encryption (3DES) license automatically applied for the ASA on the Firepower 9300
Platform Releases: 9.5(2.1)
Description: For regular Cisco Smart Software Manager users, the Strong Encryption license is automatically enabled for qualified customers when you apply the registration token on the Firepower 9300.
Note: If you are using the Smart Software Manager satellite deployment, to use ASDM and other strong encryption features, after you deploy the ASA you must enable the Strong Encryption (3DES) license using the ASA CLI.
This feature requires FXOS 1.1.3.
We removed the following command for non-satellite configurations: feature strong-encryption

Feature Name: Validation of the Smart Call Home/Smart Licensing certificate if the issuing hierarchy of the server certificate changes
Platform Releases: 9.5(2)
Description: Smart licensing uses the Smart Call Home infrastructure. When the ASA first configures Smart Call Home anonymous reporting in the background, it automatically creates a trustpoint containing the certificate of the CA that issued the Smart Call Home server certificate. The ASA now supports validation of the certificate if the issuing hierarchy of the server certificate changes; you can enable the automatic update of the trustpool bundle at periodic intervals. We introduced the following command: auto-import

Feature Name: New Carrier license
Platform Releases: 9.5(2)
Description: The new Carrier license replaces the existing GTP/GPRS license, and also includes support for SCTP and Diameter inspection. For the ASA on the Firepower 9300, the feature mobile-sp command will automatically migrate to the feature carrier command. We introduced or modified the following commands: feature carrier, show activation-key, show license, show tech-support, show version

Feature Name: Cisco Smart Software Licensing for the ASA on the Firepower 9300
Platform Releases: 9.4(1.150)
Description: We introduced Smart Software Licensing for the ASA on the Firepower 9300. We introduced the following commands: feature strong-encryption, feature mobile-sp, feature context

Feature Name: Cisco Smart Software Licensing for the ASAv
Platform Releases: 9.3(2)
Description: Smart Software Licensing lets you purchase and manage a pool of licenses. Unlike PAK licenses, smart licenses are not tied to a specific serial number. You can easily deploy or retire ASAvs without having to manage each unit's license key. Smart Software Licensing also lets you see your license usage and needs at a glance. We introduced the following commands: clear configure license, debug license agent, feature tier, http-proxy, license smart, license smart deregister, license smart register, license smart renew, show license, show running-config license, throughput level

CHAPTER 5
Logical Devices for the Firepower 4100/9300
The Firepower 4100/9300 is a flexible security platform on which you can install one or more logical devices.
This chapter describes basic interface configuration and how to add a standalone or High Availability logical
device using the Firepower Chassis Manager. To add a clustered logical device, see ASA Cluster for the
Firepower 4100/9300 Chassis, on page 383. To use the FXOS CLI, see the FXOS CLI configuration guide.
For more advanced FXOS procedures and troubleshooting, see the FXOS configuration guide.
• About Firepower Interfaces, on page 143
• About Logical Devices, on page 144
• Requirements and Prerequisites for Hardware and Software Combinations, on page 145
• Guidelines and Limitations for Logical Devices, on page 145
• Configure Interfaces, on page 147
• Configure Logical Devices, on page 151
• History for Logical Devices, on page 160

About Firepower Interfaces


The Firepower 4100/9300 chassis supports physical interfaces and EtherChannel (port-channel) interfaces.
EtherChannel interfaces can include up to 16 member interfaces of the same type.

Chassis Management Interface


The chassis management interface is used for management of the FXOS Chassis by SSH or Firepower Chassis
Manager. This interface is separate from the mgmt-type interface that you assign to the logical devices for
application management.
To configure parameters for this interface, you must configure them from the CLI. To view information about
this interface in the FXOS CLI, connect to local management and show the management port:
Firepower # connect local-mgmt
Firepower(local-mgmt) # show mgmt-port
Note that the chassis management interface remains up even if the physical cable or SFP module is unplugged,
or if the mgmt-port shut command is performed.

Interface Types
Each interface can be one of the following types:
• Data—Use for regular data. Data interfaces cannot be shared between logical devices, and logical devices
cannot communicate over the backplane to other logical devices. For traffic on Data interfaces, all traffic
must exit the chassis on one interface and return on another interface to reach another logical device.
• Mgmt—Use to manage application instances. These interfaces can be shared by one or more logical
devices to access external hosts; logical devices cannot communicate over this interface with other logical
devices that share the interface. You can only assign one management interface per logical device.
• Firepower-eventing—Use as a secondary management interface for FTD devices. To use this interface,
you must configure its IP address and other parameters at the FTD CLI. For example, you can separate
management traffic from events (such as web events). See the "Management Interfaces" section in the
Firepower Management Center configuration guide System Configuration chapter. Firepower-eventing
interfaces can be shared by one or more logical devices to access external hosts; logical devices cannot
communicate over this interface with other logical devices that share the interface.
• Cluster—Use as the cluster control link for a clustered logical device. By default, the cluster control link
is automatically created on Port-channel 48. The Cluster type is only supported on EtherChannel interfaces.

Independent Interface States in the Chassis and in the Application


You can administratively enable and disable interfaces in both the chassis and in the application. For an
interface to be operational, the interface must be enabled in both operating systems. Because the interface
state is controlled independently, you may have a mismatch between the chassis and application.

About Logical Devices


A logical device lets you run one application instance (either ASA or Firepower Threat Defense) and also one
optional decorator application (Radware DefensePro) to form a service chain.
When you add a logical device, you also define the application instance type and version, assign interfaces,
and configure bootstrap settings that are pushed to the application configuration.

Note For the Firepower 9300, you must install the same application instance type (ASA or FTD) on all modules
in the chassis; different types are not supported at this time. Note that modules can run different versions of
an application instance type.

Standalone and Clustered Logical Devices


You can add the following logical device types:

• Standalone—A standalone logical device operates as a standalone unit or as a unit in a High Availability
pair.
• Cluster—A clustered logical device lets you group multiple units together, providing all the convenience
of a single device (management, integration into a network) while achieving the increased throughput
and redundancy of multiple devices. Multiple module devices, like the Firepower 9300, support
intra-chassis clustering. For the Firepower 9300, all three modules must participate in the cluster.

Requirements and Prerequisites for Hardware and Software Combinations

The Firepower 4100/9300 supports multiple models, security modules, application types, and high availability
and scalability features. See the following requirements for allowed combinations.

Firepower 9300 Requirements


The Firepower 9300 includes 3 security module slots and multiple types of security modules. See the following
requirements:
• Security Module Types—All modules in the Firepower 9300 must be the same type.
• Clustering—All security modules in the cluster, whether it is intra-chassis or inter-chassis, must be the
same type. You can have different quantities of installed security modules in each chassis, although all
modules present in the chassis must belong to the cluster including any empty slots. For example, you
can install 2 SM-36s in chassis 1, and 3 SM-36s in chassis 2.
• High Availability—High Availability is only supported between same-type modules on the Firepower
9300.
• ASA and FTD application types—You can only install one application type on the chassis, ASA or FTD.
• ASA or FTD versions—You can run different versions of an application instance type on separate
modules. For example, you can install FTD 6.3 on module 1, FTD 6.4 on module 2, and FTD 6.5 on
module 3.

Firepower 4100 Requirements


The Firepower 4100 comes in multiple models. See the following requirements:
• Clustering—All chassis in the cluster must be the same model.
• High Availability—High Availability is only supported between same-type models.
• ASA and FTD application types—The Firepower 4100 can only run a single application type.

Guidelines and Limitations for Logical Devices


See the following sections for guidelines and limitations.

Guidelines and Limitations for Firepower Interfaces


Inline Sets for FTD
• Link state propagation is supported.

Hardware Bypass
• Supported for the FTD; you can use them as regular interfaces for the ASA.
• The FTD only supports Hardware Bypass with inline sets.
• Hardware Bypass-capable interfaces cannot be configured for breakout ports.
• You cannot include Hardware Bypass interfaces in an EtherChannel and use them for Hardware Bypass;
you can use them as regular interfaces in an EtherChannel.
• Hardware Bypass is not supported with High Availability.

Default MAC Addresses


Default MAC address assignments depend on the type of interface.
• Physical interfaces—The physical interface uses the burned-in MAC address.
• EtherChannels—For an EtherChannel, all interfaces that are part of the channel group share the same
MAC address. This feature makes the EtherChannel transparent to network applications and users,
because they only see the one logical connection; they have no knowledge of the individual links. The
port-channel interface uses a unique MAC address from a pool; interface membership does not affect
the MAC address.

General Guidelines and Limitations


Firewall Mode
You can set the firewall mode to routed or transparent in the bootstrap configuration for the FTD. For the
ASA, you can change the firewall mode to transparent after you deploy. See Change the ASA to Transparent
Firewall Mode, on page 157.

High Availability
• Configure high availability within the application configuration.
• You can use any data interfaces as the failover and state links.

Context Mode
• Multiple context mode is only supported on the ASA.
• Enable multiple context mode in the ASA after you deploy.

Requirements and Prerequisites for High Availability


• The two units in a High Availability Failover configuration must:
• Be on a separate chassis; intra-chassis High Availability for the Firepower 9300 is not supported.
• Be the same model.
• Have the same interfaces assigned to the High Availability logical devices.
• Have the same number and types of interfaces. All interfaces must be preconfigured in FXOS
identically before you enable High Availability.

• For High Availability system requirements, see Failover System Requirements, on page 232.

Configure Interfaces
By default, physical interfaces are disabled. You can enable interfaces, add EtherChannels, and edit interface
properties.

Note If you remove an interface in FXOS (for example, if you remove a network module, remove an EtherChannel,
or reassign an interface to an EtherChannel), then the ASA configuration retains the original commands so
that you can make any necessary adjustments; removing an interface from the configuration can have wide
effects. You can manually remove the old interface configuration in the ASA OS.

Configure a Physical Interface


You can physically enable and disable interfaces, as well as set the interface speed and duplex. To use an
interface, it must be physically enabled in FXOS and logically enabled in the application.

Before you begin


• Interfaces that are already a member of an EtherChannel cannot be modified individually. Be sure to
configure an interface's settings before you add it to the EtherChannel.

Procedure

Step 1 Enter interface mode.


scope eth-uplink

scope fabric a

Step 2 Enable the interface.


enter interface interface_id

enable

Example:

Firepower /eth-uplink/fabric # enter interface Ethernet1/8


Firepower /eth-uplink/fabric/interface # enable

Note Interfaces that are already a member of a port-channel cannot be modified individually. If you use
the enter interface or scope interface command on an interface that is a member of a port channel,
you will receive an error stating that the object does not exist. You should edit interfaces using the
enter interface command before you add them to a port-channel.

Step 3 (Optional) Set the interface type.


set port-type {data | mgmt | firepower-eventing | cluster}
Example:

Firepower /eth-uplink/fabric/interface # set port-type mgmt

The data keyword is the default type. Do not choose the cluster keyword; by default, the cluster control link
is automatically created on Port-channel 48.

Step 4 Enable or disable autonegotiation, if supported for your interface.


set auto-negotiation {on | off}
Example:

Firepower /eth-uplink/fabric/interface* # set auto-negotiation off

Step 5 Set the interface speed.


set admin-speed {10mbps | 100mbps | 1gbps | 10gbps | 40gbps | 100gbps}
Example:

Firepower /eth-uplink/fabric/interface* # set admin-speed 1gbps

Step 6 Set the interface duplex mode.


set admin-duplex {fullduplex | halfduplex}
Example:

Firepower /eth-uplink/fabric/interface* # set admin-duplex halfduplex

Step 7 If you edited the default flow control policy, it is already applied to interfaces. If you created a new policy,
apply it to the interface.
set flow-control-policy name
Example:

Firepower /eth-uplink/fabric/interface* # set flow-control-policy flow1

Step 8 Save the configuration.


commit-buffer
Example:

Firepower /eth-uplink/fabric/interface* # commit-buffer


Firepower /eth-uplink/fabric/interface #

Add an EtherChannel (Port Channel)


An EtherChannel (also known as a port channel) can include up to 16 member interfaces of the same type.
The Link Aggregation Control Protocol (LACP) aggregates interfaces by exchanging the Link Aggregation
Control Protocol Data Units (LACPDUs) between two network devices.
The Firepower 4100/9300 chassis only supports EtherChannels in Active LACP mode so that each member
interface sends and receives LACP updates. An active EtherChannel can establish connectivity with either
an active or a passive EtherChannel. You should use the active mode unless you need to minimize the amount
of LACP traffic.
LACP coordinates the automatic addition and deletion of links to the EtherChannel without user intervention.
It also handles misconfigurations and checks that both ends of member interfaces are connected to the correct
channel group.
When the Firepower 4100/9300 chassis creates an EtherChannel, the EtherChannel stays in a Suspended
state until you assign it to a logical device, even if the physical link is up. The EtherChannel will be brought
out of this Suspended state in the following situations:
• The EtherChannel is added as a data or management interface for a standalone logical device
• The EtherChannel is added as a management interface or cluster control link for a logical device that is
part of a cluster
• The EtherChannel is added as a data interface for a logical device that is part of a cluster and at least one
unit has joined the cluster

Note that the EtherChannel does not come up until you assign it to a logical device. If the EtherChannel is
removed from the logical device or the logical device is deleted, the EtherChannel will revert to a Suspended
state.

Procedure

Step 1 Enter interface mode:


scope eth-uplink

scope fabric a

Step 2 Create the port-channel:


create port-channel id

enable

Step 3 Assign member interfaces:


create member-port interface_id
Example:

Firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/1


Firepower /eth-uplink/fabric/port-channel/member-port* # exit
Firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/2
Firepower /eth-uplink/fabric/port-channel/member-port* # exit
Firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/3
Firepower /eth-uplink/fabric/port-channel/member-port* # exit
Firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/4
Firepower /eth-uplink/fabric/port-channel/member-port* # exit

Step 4 (Optional) Set the interface type.


set port-type {data | mgmt | firepower-eventing | cluster}
Example:

Firepower /eth-uplink/fabric/port-channel # set port-type data

The data keyword is the default type. Do not choose the cluster keyword unless you want to use this
port-channel as the cluster control link instead of the default.

Step 5 (Optional) Set the interface speed for all members of the port-channel.
set speed {10mbps | 100mbps | 1gbps | 10gbps | 40gbps | 100gbps}
Example:

Firepower /eth-uplink/fabric/port-channel* # set speed 1gbps

Step 6 (Optional) Set the duplex for all members of the port-channel.
set duplex {fullduplex | halfduplex}
Example:

Firepower /eth-uplink/fabric/port-channel* # set duplex fullduplex

Step 7 Enable or disable autonegotiation, if supported for your interface.


set auto-negotiation {on | off}
Example:

Firepower /eth-uplink/fabric/interface* # set auto-negotiation off

Step 8 If you edited the default flow control policy, it is already applied to interfaces. If you created a new policy,
apply it to the interface.
set flow-control-policy name
Example:

Firepower /eth-uplink/fabric/interface* # set flow-control-policy flow1

Step 9 Commit the configuration:


commit-buffer
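
As an added example, not FXOS or Cisco code: a Python helper that checks an EtherChannel request against the constraints in this procedure (1 to 16 member interfaces, the port-type, speed and duplex keywords, and Port-channel 48 being the default cluster control link) and emits the command sequence of Steps 1 to 6 and 9 for review before it is pasted into the FXOS CLI. The interface-id pattern and the per-member exit mirror the Step 3 example; the same-type requirement for members cannot be checked from interface names alone and is left to the operator, and the optional auto-negotiation and flow-control settings of Steps 7 and 8 are left out.

```python
"""Check an FXOS EtherChannel request against the guide's constraints and emit the CLI.

Added example, not FXOS or Cisco code. The limits and keywords below are the
ones stated in the procedure above; nothing here talks to a chassis.
"""
from __future__ import annotations

import re

MAX_MEMBERS = 16                  # an EtherChannel takes up to 16 member interfaces of the same type
CLUSTER_CONTROL_LINK = 48         # Port-channel 48 is created by default as the cluster control link
PORT_TYPES = {"data", "mgmt", "firepower-eventing", "cluster"}
SPEEDS = {"10mbps", "100mbps", "1gbps", "10gbps", "40gbps", "100gbps"}
DUPLEX = {"fullduplex", "halfduplex"}
# Ethernet<slot>/<port>, or a breakout port Ethernet<slot>/<port>/<sub>, as in the Step 3 example.
MEMBER_RE = re.compile(r"^Ethernet\d+/\d+(?:/\d+)?$")


def check_port_channel(pc_id: int, members: list[str], port_type: str = "data",
                       speed: str | None = None, duplex: str | None = None) -> list[str]:
    """Return the problems found; an empty list means the request matches the guide."""
    problems = []
    if not 1 <= len(members) <= MAX_MEMBERS:
        problems.append(f"{len(members)} member interfaces; an EtherChannel takes 1 to {MAX_MEMBERS}")
    if len(set(members)) != len(members):
        problems.append("a member interface is listed twice")
    problems += [f"unrecognised interface id {m!r}" for m in members if not MEMBER_RE.match(m)]
    if port_type not in PORT_TYPES:
        problems.append(f"port-type {port_type!r} is not one of {sorted(PORT_TYPES)}")
    if pc_id == CLUSTER_CONTROL_LINK and port_type != "cluster":
        problems.append(f"Port-channel {CLUSTER_CONTROL_LINK} is the default cluster control link; use another id")
    if speed is not None and speed not in SPEEDS:
        problems.append(f"speed {speed!r} is not one of {sorted(SPEEDS)}")
    if duplex is not None and duplex not in DUPLEX:
        problems.append(f"duplex {duplex!r} is not one of {sorted(DUPLEX)}")
    return problems


def port_channel_commands(pc_id: int, members: list[str], port_type: str = "data",
                          speed: str | None = None, duplex: str | None = None) -> list[str]:
    """Return the FXOS lines for Steps 1 to 6 and 9, or raise ValueError if the request is inconsistent."""
    problems = check_port_channel(pc_id, members, port_type, speed, duplex)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = ["scope eth-uplink", "scope fabric a", f"create port-channel {pc_id}", "enable"]
    for member in members:                      # each member-port is created, then its scope is left
        cmds += [f"create member-port {member}", "exit"]
    cmds.append(f"set port-type {port_type}")
    if speed is not None:
        cmds.append(f"set speed {speed}")
    if duplex is not None:
        cmds.append(f"set duplex {duplex}")
    cmds.append("commit-buffer")                 # Step 9: nothing takes effect until the buffer is committed
    return cmds
```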

Configure Logical Devices


Add a standalone logical device or a High Availability pair on the Firepower 4100/9300 chassis.
For clustering, see ASA Cluster for the Firepower 4100/9300 Chassis, on page 383.

Add a Standalone ASA


Standalone logical devices work either alone or in a High Availability pair. On the Firepower 9300 with
multiple security modules, you can deploy either a cluster or standalone devices. The cluster must use all
modules, so you cannot mix and match a 2-module cluster plus a single standalone device, for example.
You can deploy a routed firewall mode ASA from the Firepower 4100/9300 chassis. To change the ASA to
transparent firewall mode, complete this procedure, and then see Change the ASA to Transparent Firewall
Mode, on page 157.
For multiple context mode, you must first deploy the logical device, and then enable multiple context mode
in the ASA application.

Before you begin


• Download the application image you want to use for the logical device from Cisco.com, and then download
that image to the Firepower 4100/9300 chassis.

Note For the Firepower 9300, you must install the same application instance type (ASA
or FTD) on all modules in the chassis; different types are not supported at this
time. Note that modules can run different versions of an application instance type.

• Configure a management interface to use with the logical device. The management interface is required.
Note that this management interface is not the same as the chassis management port that is used only for
chassis management (in FXOS, you might see it displayed as MGMT, management0, or other similar
names).
• Gather the following information:
• Interface IDs for this device
• Management interface IP address and network mask


• Gateway IP address

Procedure

Step 1 Enter security services mode.


scope ssa
Example:

Firepower# scope ssa
Firepower /ssa #

Step 2 Set the application instance image version.


a) View available images. Note the Version number that you want to use.
show app
Example:

Firepower /ssa # show app
Name       Version         Author     Supported Deploy Types CSP Type    Is Default App
---------- --------------- ---------- ---------------------- ----------- --------------
asa        9.9.1           cisco      Native                 Application No
asa        9.10.1          cisco      Native                 Application Yes
ftd        6.2.3           cisco      Native                 Application Yes

b) Set the scope to the security module/engine slot.


scope slot slot_id
The slot_id is always 1 for the Firepower 4100, and 1, 2, or 3 for the Firepower 9300.
Example:

Firepower /ssa # scope slot 1
Firepower /ssa/slot #

c) Create the application instance.


enter app-instance asa
Example:

Firepower /ssa/slot # enter app-instance asa
Firepower /ssa/slot/app-instance* #

d) Set the ASA image version.


set startup-version version
Example:


Firepower /ssa/slot/app-instance* # set startup-version 9.10.1

e) Exit to slot mode.


exit
Example:

Firepower /ssa/slot/app-instance* # exit
Firepower /ssa/slot* #

f) Exit to ssa mode.


exit
Example:

Firepower /ssa/slot* # exit
Firepower /ssa* #

Example:

Firepower /ssa # scope slot 1
Firepower /ssa/slot # enter app-instance asa
Firepower /ssa/slot/app-instance* # set startup-version 9.10.1
Firepower /ssa/slot/app-instance* # exit
Firepower /ssa/slot* # exit
Firepower /ssa* #

Step 3 Create the logical device.


enter logical-device device_name asa slot_id standalone
Example:

Firepower /ssa # enter logical-device ASA1 asa 1 standalone
Firepower /ssa/logical-device* #

Step 4 Assign the management and data interfaces to the logical device. Repeat for each interface.
create external-port-link name interface_id asa
set description description
exit
• name—The name is used by the Firepower 4100/9300 chassis supervisor; it is not the interface name
used in the ASA configuration.
• description—Use quotes (") around phrases with spaces.

The management interface is not the same as the chassis management port. You will later enable and configure
the data interfaces on the ASA, including setting the IP addresses.
Example:


Firepower /ssa/logical-device* # create external-port-link inside Ethernet1/1 asa
Firepower /ssa/logical-device/external-port-link* # set description "inside link"
Firepower /ssa/logical-device/external-port-link* # exit
Firepower /ssa/logical-device* # create external-port-link management Ethernet1/7 asa
Firepower /ssa/logical-device/external-port-link* # set description "management link"
Firepower /ssa/logical-device/external-port-link* # exit
Firepower /ssa/logical-device* # create external-port-link outside Ethernet1/2 asa
Firepower /ssa/logical-device/external-port-link* # set description "external link"
Firepower /ssa/logical-device/external-port-link* # exit

Step 5 Configure the management bootstrap information.


a) Create the bootstrap object.
create mgmt-bootstrap asa
Example:

Firepower /ssa/logical-device* # create mgmt-bootstrap asa
Firepower /ssa/logical-device/mgmt-bootstrap* #

b) Specify the admin password.


create bootstrap-key-secret PASSWORD
set value
Enter a value: password
Confirm the value: password
exit
The pre-configured ASA admin user is useful for password recovery; if you have FXOS access, you can
reset the admin user password if you forget it.
Example:

Firepower /ssa/logical-device/mgmt-bootstrap* # create bootstrap-key-secret PASSWORD
Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key-secret* # set value
Enter a value: floppylampshade
Confirm the value: floppylampshade
Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key-secret* # exit
Firepower /ssa/logical-device/mgmt-bootstrap* #

c) Configure the IPv4 management interface settings.


create ipv4 slot_id default
set ip ip_address mask network_mask
set gateway gateway_address
exit
Example:

Firepower /ssa/logical-device/mgmt-bootstrap* # create ipv4 1 default
Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # set ip 10.10.10.34 mask 255.255.255.0
Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # set gateway 10.10.10.1
Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # exit
Firepower /ssa/logical-device/mgmt-bootstrap* #

d) Configure the IPv6 management interface settings.


create ipv6 slot_id default
set ip ip_address prefix-length prefix
set gateway gateway_address
exit
Example:

Firepower /ssa/logical-device/mgmt-bootstrap* # create ipv6 1 default
Firepower /ssa/logical-device/mgmt-bootstrap/ipv6* # set ip 2001:0DB8:BA98::3210 prefix-length 64
Firepower /ssa/logical-device/mgmt-bootstrap/ipv6* # set gateway 2001:0DB8:BA98::3211
Firepower /ssa/logical-device/mgmt-bootstrap/ipv6* # exit
Firepower /ssa/logical-device/mgmt-bootstrap* #

e) Exit the management bootstrap mode.


exit
Example:

Firepower /ssa/logical-device/mgmt-bootstrap* # exit
Firepower /ssa/logical-device* #

Step 6 Save the configuration.


commit-buffer
The chassis deploys the logical device by downloading the specified software version and pushing the bootstrap
configuration and management interface settings to the application instance. Check the status of the deployment
using the show app-instance command. The application instance is running and ready to use when the Admin
State is Enabled and the Oper State is Online.
Example:

Firepower /ssa/logical-device* # commit-buffer
Firepower /ssa/logical-device # exit
Firepower /ssa # show app-instance
App Name   Identifier Slot ID    Admin State Oper State       Running Version Startup Version Deploy Type Profile Name Cluster State   Cluster Role
---------- ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ------------ --------------- ------------
asa        asa1       2          Disabled    Not Installed                    9.12.1          Native                   Not Applicable  None
ftd        ftd1       1          Enabled     Online           6.4.0.49        6.4.0.49        Container   Default-Small Not Applicable None
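To automate the readiness check that Step 6 describes, the following added Python example (not Cisco's code and not from this guide) parses show app-instance output on the column boundaries given by the dashed separator line, which is safer than splitting on whitespace because values such as "Not Installed" contain spaces and some columns are empty. The sample output is constructed from the one above, with each row on a single line as the CLI prints it on a wide terminal.

```python
"""Parse FXOS 'show app-instance' output and report which application
instances are ready, i.e. Admin State is Enabled and Oper State is Online.
Added example, not Cisco's code."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on the guide's output (not captured from a device).
SAMPLE_OUTPUT = """\
App Name   Identifier Slot ID    Admin State Oper State       Running Version Startup Version Deploy Type Profile Name  Cluster State   Cluster Role
---------- ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ------------- --------------- ------------
asa        asa1       2          Disabled    Not Installed                    9.12.1          Native                    Not Applicable  None
ftd        ftd1       1          Enabled     Online           6.4.0.49        6.4.0.49        Container   Default-Small Not Applicable  None
"""


@dataclass
class AppInstance:
    app_name: str
    identifier: str
    slot_id: int
    admin_state: str
    oper_state: str
    running_version: str
    startup_version: str
    deploy_type: str

    @property
    def ready(self) -> bool:
        # Readiness condition stated in the procedure (Step 6).
        return self.admin_state == "Enabled" and self.oper_state == "Online"


def column_starts(dash_line: str) -> List[int]:
    """Start offset of every column, taken from the runs of dashes."""
    return [m.start() for m in re.finditer(r"-+", dash_line)]


def parse_app_instances(output: str) -> List[AppInstance]:
    """Split fixed-width rows into fields using the separator line's columns."""
    lines = [ln.rstrip("\n") for ln in output.splitlines() if ln.strip()]
    # The separator is the first line made only of dashes and spaces; the
    # header is the line right before it, any prompt lines above are ignored.
    sep_idx = next(i for i, ln in enumerate(lines) if re.fullmatch(r"[- ]+", ln))
    starts = column_starts(lines[sep_idx])
    # Slice each field up to the start of the next column so that a value
    # overflowing its dashes by a character is still captured.
    bounds = list(zip(starts, starts[1:] + [None]))
    header = [lines[sep_idx - 1][a:b].strip() for a, b in bounds]
    instances = []
    for row in lines[sep_idx + 1:]:
        fields = dict(zip(header, (row[a:b].strip() for a, b in bounds)))
        instances.append(AppInstance(
            app_name=fields["App Name"],
            identifier=fields["Identifier"],
            slot_id=int(fields["Slot ID"]),
            admin_state=fields["Admin State"],
            oper_state=fields["Oper State"],
            running_version=fields["Running Version"],
            startup_version=fields["Startup Version"],
            deploy_type=fields["Deploy Type"],
        ))
    return instances


def not_ready(output: str) -> List[str]:
    """Instances still deploying, with the states that hold them back."""
    return [f"{i.identifier} (slot {i.slot_id}): {i.admin_state}/{i.oper_state}"
            for i in parse_app_instances(output) if not i.ready]


if __name__ == "__main__":
    for inst in parse_app_instances(SAMPLE_OUTPUT):
        print(inst.identifier, "ready" if inst.ready else "not ready")
```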

Step 7 See the ASA configuration guide to start configuring your security policy.


Example

Firepower# scope ssa
Firepower /ssa # scope slot 1
Firepower /ssa/slot # enter app-instance asa
Firepower /ssa/slot/app-instance* # set startup-version 9.10.1
Firepower /ssa/slot/app-instance* # exit
Firepower /ssa/slot* # exit
Firepower /ssa* # create logical-device MyDevice1 asa 1 standalone
Firepower /ssa/logical-device* # create external-port-link inside Ethernet1/1 asa
Firepower /ssa/logical-device/external-port-link* # set description "inside link"
Firepower /ssa/logical-device/external-port-link* # exit
Firepower /ssa/logical-device* # create external-port-link management Ethernet1/7 asa
Firepower /ssa/logical-device/external-port-link* # set description "management link"
Firepower /ssa/logical-device/external-port-link* # exit
Firepower /ssa/logical-device* # create external-port-link outside Ethernet1/2 asa
Firepower /ssa/logical-device/external-port-link* # set description "external link"
Firepower /ssa/logical-device/external-port-link* # exit
Firepower /ssa/logical-device* # create mgmt-bootstrap asa
Firepower /ssa/logical-device/mgmt-bootstrap* # create bootstrap-key-secret PASSWORD
Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key-secret* # set value
Enter a value: secretglassine
Confirm the value: secretglassine
Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key-secret* # exit
Firepower /ssa/logical-device/mgmt-bootstrap* # create ipv4 1 default
Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # set gateway 10.0.0.1
Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # set ip 10.0.0.31 mask 255.255.255.0
Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # exit
Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key* # commit-buffer
Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key #

Add a High Availability Pair


ASA High Availability (also known as failover) is configured within the application, not in FXOS. However,
to prepare your chassis for high availability, complete the following steps.

Before you begin


See Failover System Requirements, on page 232.

Procedure

Step 1 Allocate the same interfaces to each logical device.


Step 2 Allocate 1 or 2 data interfaces for the failover and state link(s).
These interfaces exchange high availability traffic between the 2 chassis. We recommend that you use a 10
GB data interface for a combined failover and state link. If you have available interfaces, you can use separate
failover and state links; the state link requires the most bandwidth. You cannot use the management-type
interface for the failover or state link. We recommend that you use a switch between the chassis, with no other
device on the same network segment as the failover interfaces.

Step 3 Enable High Availability on the logical devices. See Failover for High Availability, on page 231.


Step 4 If you need to make interface changes after you enable High Availability, perform the changes on the standby
unit first, and then perform the changes on the active unit.
Note For the ASA, if you remove an interface in FXOS (for example, if you remove a network module,
remove an EtherChannel, or reassign an interface to an EtherChannel), then the ASA configuration
retains the original commands so that you can make any necessary adjustments; removing an interface
from the configuration can have wide effects. You can manually remove the old interface
configuration in the ASA OS.

Change the ASA to Transparent Firewall Mode


You can only deploy a routed firewall mode ASA from the Firepower 4100/9300 chassis. To change the ASA
to transparent firewall mode, complete the initial deployment, and then change the firewall mode within the
ASA CLI. For standalone ASAs, because changing the firewall mode erases the configuration, you must then
redeploy the configuration from the Firepower 4100/9300 chassis to regain the bootstrap configuration. The
ASA then remains in transparent mode with a working bootstrap configuration. For clustered ASAs, the
configuration is not erased, so you do not need to redeploy the bootstrap configuration from FXOS.

Procedure

Step 1 Connect to the ASA console according to Connect to the Console of the Application, on page 159. For a cluster,
connect to the primary unit. For a failover pair, connect to the active unit.
Step 2 Enter configuration mode:
enable
configure terminal
By default, the enable password is blank.

Step 3 Set the firewall mode to transparent:


firewall transparent

Step 4 Save the configuration:


write memory
For a cluster or failover pair, this configuration is replicated to secondary units:

asa(config)# firewall transparent
asa(config)# write memory
Building configuration...
Cryptochecksum: 9f831dfb 60dffa8c 1d939884 74735b69

3791 bytes copied in 0.160 secs
[OK]
asa(config)#
Beginning configuration replication to Slave unit-1-2
End Configuration Replication to slave.
asa(config)#


Step 5 On the Firepower Chassis Manager Logical Devices page, click the Edit icon to edit the ASA.
The Provisioning page appears.

Step 6 Click the device icon to edit the bootstrap configuration. Change any value in your configuration, and click
OK.
You must change the value of at least one field, for example, the Password field.
You see a warning about changing the bootstrap configuration; click Yes.

Step 7 Click Save to redeploy the configuration to the ASA. For an inter-chassis cluster or for a failover pair, repeat
steps 5 through 7 to redeploy the bootstrap configuration on each chassis.
Wait several minutes for the chassis/security modules to reload, and for the ASA to become operational again.
The ASA now has an operational bootstrap configuration, but remains in transparent mode.

Change an Interface on an ASA Logical Device


You can allocate, unallocate, or replace a management interface on an ASA logical device. ASDM discovers
the new interfaces automatically.
Adding a new interface, or deleting an unused interface has minimal impact on the ASA configuration.
However, if you remove an allocated interface in FXOS (for example, if you remove a network module,
remove an EtherChannel, or reassign an allocated interface to an EtherChannel), and the interface is used in
your security policy, removal will impact the ASA configuration. In this case, the ASA configuration retains
the original commands so that you can make any necessary adjustments. You can manually remove the old
interface configuration in the ASA OS.

Note You can edit the membership of an allocated EtherChannel without impacting the logical device.

Before you begin


• Configure your interfaces and add any EtherChannels according to Configure a Physical Interface, on
page 147 and Add an EtherChannel (Port Channel), on page 149.
• If you want to add an already-allocated interface to an EtherChannel (for example, all interfaces are
allocated by default to a cluster), you need to unallocate the interface from the logical device first, then
add the interface to the EtherChannel. For a new EtherChannel, you can then allocate the EtherChannel
to the device.
• For clustering or failover, make sure you add or remove the interface on all units. We recommend that
you make the interface changes on the slave/standby unit(s) first, and then on the master/active unit. New
interfaces are added in an administratively down state, so they do not affect interface monitoring.

Procedure

Step 1 Enter security services mode:


Firepower# scope ssa

Step 2 Edit the logical device:


Firepower /ssa # scope logical-device device_name

Step 3 Unallocate an interface from the logical device:


Firepower /ssa/logical-device # delete external-port-link name
Enter the show external-port-link command to view interface names.
For a management interface, delete the current interface then commit your change using the commit-buffer
command before you add the new management interface.

Step 4 Allocate a new interface to the logical device:


Firepower /ssa/logical-device* # create external-port-link name interface_id asa

Step 5 Commit the configuration:


commit-buffer
Commits the transaction to the system configuration.

Connect to the Console of the Application


Use the following procedure to connect to the console of the application.

Procedure

Step 1 Connect to the module CLI.


connect module slot_number console
To connect to the security engine of a device that does not support multiple security modules, always use 1
as the slot_number.
Example:

Firepower# connect module 1 console
Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.

CISCO Serial Over LAN:
Close Network Connection to Exit

Firepower-module1>

Step 2 Connect to the application console. Enter the appropriate command for your device.
connect asa
connect ftd


connect vdp
Example:

Firepower-module1> connect asa
Connecting to asa(asa1) console... hit Ctrl + A + D to return to bootCLI
[...]
asa>

Step 3 Exit the application console to the FXOS module CLI.


• ASA—Enter Ctrl-a, d
• FTD—Enter
• vDP—Enter Ctrl-], .

Step 4 Return to the supervisor level of the FXOS CLI.


a) Enter ~
You exit to the Telnet application.
b) To exit the Telnet application, enter:
telnet>quit

History for Logical Devices


Feature: Support for the Firepower 4100 series
Version: 9.6(1)
Details: With FXOS 1.1.4, the ASA supports inter-chassis clustering on the Firepower 4100 series. We did not modify any commands.

Feature: Inter-chassis clustering for 6 modules, and inter-site clustering for the Firepower 9300 ASA application
Version: 9.5(2.1)
Details: With FXOS 1.1.3, you can now enable inter-chassis, and by extension inter-site clustering. You can include up to 6 modules in up to 6 chassis. We did not modify any commands.

Feature: Intra-chassis ASA Clustering for the Firepower 9300
Version: 9.4(1.150)
Details: You can cluster up to 3 security modules within the Firepower 9300 chassis. All modules in the chassis must belong to the cluster. We introduced the following commands: cluster replication delay, debug service-module, management-only individual, show cluster chassis

CHAPTER 6
Transparent or Routed Firewall Mode
This chapter describes how to set the firewall mode to routed or transparent, as well as how the firewall works
in each firewall mode.
You can set the firewall mode independently for each context in multiple context mode.
• About the Firewall Mode, on page 161
• Default Settings, on page 167
• Guidelines for Firewall Mode, on page 168
• Set the Firewall Mode, on page 169
• Examples for Firewall Mode, on page 170
• History for the Firewall Mode, on page 180

About the Firewall Mode


The ASA supports two firewall modes: Routed Firewall mode and Transparent Firewall mode.

About Routed Firewall Mode


In routed mode, the ASA is considered to be a router hop in the network. Each interface that you want to route
between is on a different subnet. You can share Layer 3 interfaces between contexts.

About Transparent Firewall Mode


Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its
screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a “bump in the
wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices. However, like any other
firewall, access control between interfaces is controlled, and all of the usual firewall checks are in place.
Layer 2 connectivity is achieved by using a "bridge group" where you group together the inside and outside
interfaces for a network, and the ASA uses bridging techniques to pass traffic between the interfaces. Each
bridge group includes a Bridge Virtual Interface (BVI) to which you assign an IP address on the network.
You can have multiple bridge groups for multiple networks. In transparent mode, these bridge groups cannot
communicate with each other.


Using the Transparent Firewall in Your Network


The ASA connects the same network between its interfaces. Because the firewall is not a routed hop, you can
easily introduce a transparent firewall into an existing network.
The following figure shows a typical transparent firewall network where the outside devices are on the same
subnet as the inside devices. The inside router and hosts appear to be directly connected to the outside router.
Figure 13: Transparent Firewall Network

About Bridge Groups


A bridge group is a group of interfaces that the ASA bridges instead of routes. Bridge groups are only supported
in Transparent Firewall Mode. Like any other firewall interfaces, access control between interfaces is controlled,
and all of the usual firewall checks are in place.

Bridge Virtual Interface (BVI)


Each bridge group includes a Bridge Virtual Interface (BVI). The ASA uses the BVI IP address as the source
address for packets originating from the bridge group. The BVI IP address must be on the same subnet as the
bridge group member interfaces. The BVI does not support traffic on secondary networks; only traffic on the
same network as the BVI IP address is supported.
Only bridge group member interfaces are named and can be used with interface-based features.

Bridge Groups in Transparent Firewall Mode


Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within
the ASA, and traffic must exit the ASA before it is routed by an external router back to another bridge group
in the ASA. Although the bridging functions are separate for each bridge group, many other functions are
shared between all bridge groups. For example, all bridge groups share a syslog server or AAA server


configuration. For complete security policy separation, use security contexts with one bridge group in each
context.
You can include multiple interfaces per bridge group. See Guidelines for Firewall Mode, on page 168 for the
exact number of bridge groups and interfaces supported. If you use more than 2 interfaces per bridge group,
you can control communication between multiple segments on the same network, and not just between inside
and outside. For example, if you have three inside segments that you do not want to communicate with each
other, you can put each segment on a separate interface, and only allow them to communicate with the outside
interface. Or you can customize the access rules between interfaces to allow only as much access as desired.
The following figure shows two networks connected to the ASA, which has two bridge groups.
Figure 14: Transparent Firewall Network with Two Bridge Groups

Management Interface
In addition to each Bridge Virtual Interface (BVI) IP address, you can add a separate Management slot/port
interface that is not part of any bridge group, and that allows only management traffic to the ASA. For more
information, see Management Interface, on page 444.

Allowing Layer 3 Traffic


• Unicast IPv4 and IPv6 traffic is allowed through the bridge group automatically from a higher security
interface to a lower security interface, without an access rule.
• For Layer 3 traffic traveling from a low to a high security interface, an access rule is required on the low
security interface.
• ARPs are allowed through the bridge group in both directions without an access rule. ARP traffic can
be controlled by ARP inspection.
• IPv6 neighbor discovery and router solicitation packets can be passed using access rules.
• Broadcast and multicast traffic can be passed using access rules.


Allowed MAC Addresses


The following destination MAC addresses are allowed through the bridge group if allowed by your access
policy (see Allowing Layer 3 Traffic, on page 163). Any MAC address not on this list is dropped.
• TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
• IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
• IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
• BPDU multicast address equal to 0100.0CCC.CCCD
• AppleTalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF

Passing Traffic Not Allowed in Routed Mode


In routed mode, some types of traffic cannot pass through the ASA even if you allow it in an access rule. The
bridge group, however, can allow almost any traffic through using either an access rule (for IP traffic) or an
EtherType rule (for non-IP traffic):
• IP traffic—In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an
access rule, including unsupported dynamic routing protocols and DHCP (unless you configure DHCP
relay). Within a bridge group, you can allow this traffic with an access rule (using an extended ACL).
• Non-IP traffic—AppleTalk, IPX, BPDUs, and MPLS, for example, can be configured to go through
using an EtherType rule.

Note The bridge group does not pass CDP packets, or any packets that do not have a valid EtherType greater
than or equal to 0x600. An exception is made for BPDUs and IS-IS, which are supported.
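The destination-MAC list in Allowed MAC Addresses and the EtherType rule in the note above together decide what a bridge group discards before any access or EtherType rule is consulted. The following added Python example (not Cisco's code and not from this guide) models those two checks over constructed Ethernet frames so that you can predict which frames never reach your rules; it assumes, which the page does not state, that an IS-IS PDU is recognised by its 802.2 LLC DSAP/SSAP value 0xFE, and it applies the BPDU and IS-IS exceptions before the group-address list so that those protocols' reserved destinations are not rejected by it.

```python
"""Model the transparent-mode bridge group's pre-rule screening: a destination
group MAC outside the allowed list is dropped, and a type/length field below
0x600 is dropped unless the frame is a BPDU or an IS-IS PDU.
Added example, not Cisco's code."""
import struct
from typing import Optional, Tuple


def mac_int(dotted: str) -> int:
    """'0100.5E00.0000' -> 0x01005E000000 (colon-separated form also accepted)."""
    return int(dotted.replace(".", "").replace(":", ""), 16)


# Allowed destination group addresses from the guide, as inclusive ranges.
ALLOWED_GROUP_RANGES = {
    "broadcast": (mac_int("FFFF.FFFF.FFFF"), mac_int("FFFF.FFFF.FFFF")),
    "ipv4-multicast": (mac_int("0100.5E00.0000"), mac_int("0100.5EFE.FFFF")),
    "ipv6-multicast": (mac_int("3333.0000.0000"), mac_int("3333.FFFF.FFFF")),
    "bpdu": (mac_int("0100.0CCC.CCCD"), mac_int("0100.0CCC.CCCD")),
    "appletalk": (mac_int("0900.0700.0000"), mac_int("0900.07FF.FFFF")),
}
BPDU_MAC = mac_int("0100.0CCC.CCCD")
MIN_ETHERTYPE = 0x600
# Assumption not stated on the page: IS-IS PDUs ride on 802.2 LLC with
# DSAP/SSAP 0xFE, which is how this model recognises them.
ISIS_LLC_SAP = 0xFE


def classify_group_mac(dst: int) -> Optional[str]:
    """Name of the allowed range containing dst, or None if the list rejects it."""
    for name, (lo, hi) in ALLOWED_GROUP_RANGES.items():
        if lo <= dst <= hi:
            return name
    return None


def screen_frame(frame: bytes) -> Tuple[str, str]:
    """Return ("pass", why) or ("drop", why) for the bridge group's pre-rule checks.

    "pass" only means the frame reaches the access or EtherType rules, which
    still decide whether it is forwarded.
    """
    if len(frame) < 14:
        return "drop", "runt frame"
    dst = int.from_bytes(frame[0:6], "big")
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len < MIN_ETHERTYPE:
        # An 802.3 length field rather than an EtherType: only the two
        # exceptions named in the guide survive.
        if dst == BPDU_MAC:
            return "pass", "BPDU exception"
        if frame[14:16] == bytes([ISIS_LLC_SAP, ISIS_LLC_SAP]):
            return "pass", "IS-IS exception"
        return "drop", f"length field 0x{type_or_len:04x} below 0x0600"
    if frame[0] & 0x01:  # I/G bit set: multicast or broadcast destination
        kind = classify_group_mac(dst)
        if kind is None:
            return "drop", f"group MAC {dst:012x} not in allowed list"
    else:
        kind = "unicast"
    return "pass", f"{kind}, EtherType 0x{type_or_len:04x}"


def build_frame(dst: str, src: str, type_or_len: int, payload: bytes = b"") -> bytes:
    """Assemble a constructed test frame (sample data, not a capture)."""
    return (mac_int(dst).to_bytes(6, "big") + mac_int(src).to_bytes(6, "big")
            + struct.pack("!H", type_or_len) + payload)


if __name__ == "__main__":
    src = "0011.2233.4455"  # constructed source address
    for label, frame in [
        ("ARP broadcast", build_frame("FFFF.FFFF.FFFF", src, 0x0806)),
        ("CDP (LLC/SNAP)", build_frame("0100.0CCC.CCCC", src, 0x0050, b"\xaa\xaa\x03")),
        ("PVST+ BPDU", build_frame("0100.0CCC.CCCD", src, 0x0032, b"\xaa\xaa\x03")),
    ]:
        print(f"{label:15} {screen_frame(frame)}")
```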

BPDU Handling
To prevent loops using the Spanning Tree Protocol, BPDUs are passed by default. To block BPDUs, you need
to configure an EtherType rule to deny them. If you are using failover, you might want to block BPDUs to
prevent the switch port from going into a blocking state when the topology changes. See Transparent Firewall
Mode Bridge Group Requirements for Failover, on page 244 for more information.

MAC Address vs. Route Lookups


For traffic within a bridge group, the outgoing interface of a packet is determined by performing a destination
MAC address lookup instead of a route lookup.
Route lookups, however, are necessary for the following situations:
• Traffic originating on the ASA—Add a default/static route on the ASA for traffic destined for a remote
network where a syslog server, for example, is located.
• Voice over IP (VoIP) and TFTP traffic with inspection enabled, and the endpoint is at least one hop
away—Add a static route on the ASA for traffic destined for the remote endpoint so that secondary
connections are successful. The ASA creates a temporary "pinhole" in the access control policy to allow
the secondary connection; and because the connection might use a different set of IP addresses than the
primary connection, the ASA needs to perform a route lookup to install the pinhole on the correct interface.
Affected applications include:


• CTIQBE
• GTP
• H.323
• MGCP
• RTSP
• SIP
• Skinny (SCCP)
• SQL*Net
• SunRPC
• TFTP

• Traffic at least one hop away for which the ASA performs NAT—Configure a static route on the ASA
for traffic destined for the remote network. You also need a static route on the upstream router for traffic
destined for the mapped addresses to be sent to the ASA.
This routing requirement is also true for embedded IP addresses for VoIP and DNS with inspection and
NAT enabled, and the embedded IP addresses are at least one hop away. The ASA needs to identify the
correct egress interface so it can perform the translation.


Figure 15: NAT Example: NAT within a Bridge Group

Unsupported Features for Bridge Groups in Transparent Mode


The following table lists the features that are not supported in bridge groups in transparent mode.

Table 3: Unsupported Features in Transparent Mode

Feature: Dynamic DNS
Description: —

Feature: DHCPv6 stateless server
Description: Only the DHCPv4 server is supported on bridge group member interfaces.

Feature: DHCP relay
Description: The transparent firewall can act as a DHCPv4 server, but it does not support DHCP relay. DHCP relay is not required because you can allow DHCP traffic to pass through using two access rules: one that allows DHCP requests from the inside interface to the outside, and one that allows the replies from the server in the other direction.

Feature: Dynamic routing protocols
Description: You can, however, add static routes for traffic originating on the ASA for bridge group member interfaces. You can also allow dynamic routing protocols through the ASA using an access rule.

Feature: Multicast IP routing
Description: You can allow multicast traffic through the ASA by allowing it in an access rule.

Feature: QoS
Description: —

Feature: VPN termination for through traffic
Description: The transparent firewall supports site-to-site VPN tunnels for management connections only on bridge group member interfaces. It does not terminate VPN connections for traffic through the ASA. You can pass VPN traffic through the ASA using an access rule, but it does not terminate non-management connections. Clientless SSL VPN is also not supported.

Feature: Unified Communications
Description: —

Passing Traffic For Routed-Mode Features


For features that are not directly supported on the transparent firewall, you can allow traffic to pass through
so that upstream and downstream routers can support the functionality. For example, by using an access rule,
you can allow DHCP traffic (instead of the unsupported DHCP relay feature) or multicast traffic such as that
created by IP/TV. You can also establish routing protocol adjacencies through a transparent firewall; you can
allow OSPF, RIP, EIGRP, or BGP traffic through based on an access rule. Likewise, protocols like HSRP or
VRRP can pass through the ASA.

Default Settings
Default Mode
The default mode is routed mode.

Bridge Group Defaults


By default, all ARP packets are passed within the bridge group.


Guidelines for Firewall Mode


Context Mode Guidelines
Set the firewall mode per context.

Bridge Group Guidelines (Transparent Mode)


• You can create up to 250 bridge groups, with 64 interfaces per bridge group.
• Each directly-connected network must be on the same subnet.
• The ASA does not support traffic on secondary networks; only traffic on the same network as the BVI
IP address is supported.
• For IPv4, an IP address for the BVI is required for each bridge group for both management traffic and
for traffic to pass through the ASA. IPv6 addresses are supported, but not required for the BVI.
• You can only configure IPv6 addresses manually.
• The BVI IP address must be on the same subnet as the connected network. You cannot set the subnet to
a host subnet (255.255.255.255).
• Management interfaces are not supported as bridge group members.
• In transparent mode, you must use at least 1 bridge group; data interfaces must belong to a bridge group.
• In transparent mode, do not specify the BVI IP address as the default gateway for connected devices;
devices need to specify the router on the other side of the ASA as the default gateway.
• In transparent mode, the default route, which is required to provide a return path for management traffic,
is only applied to management traffic from one bridge group network. This is because the default route
specifies an interface in the bridge group as well as the router IP address on the bridge group network,
and you can only define one default route. If you have management traffic from more than one bridge
group network, you need to specify a regular static route that identifies the network from which you
expect management traffic.
• In transparent mode, PPPoE is not supported for the Management interface.
• Bidirectional Forwarding Detection (BFD) echo packets are not allowed through the ASA when using
bridge group members. If there are two neighbors on either side of the ASA running BFD, then the ASA
will drop BFD echo packets because they have the same source and destination IP address and appear
to be part of a LAND attack.

Additional Guidelines and Limitations


• When you change firewall modes, the ASA clears the running configuration because many commands
are not supported for both modes. The startup configuration remains unchanged. If you reload without
saving, then the startup configuration is loaded, and the mode reverts back to the original setting. See
Set the Firewall Mode, on page 169 for information about backing up your configuration file.
• If you download a text configuration to the ASA that changes the mode with the firewall transparent
command, be sure to put the command at the top of the configuration; the ASA changes the mode as
soon as it reads the command and then continues reading the configuration you downloaded. If the
command appears later in the configuration, the ASA clears all the preceding lines in the configuration.
See Set the ASA Image, ASDM, and Startup Configuration, on page 1022 for information about downloading
text files.

Set the Firewall Mode


This section describes how to change the firewall mode.

Note We recommend that you set the firewall mode before you perform any other configuration because changing
the firewall mode clears the running configuration.

Before you begin


When you change modes, the ASA clears the running configuration (see Guidelines for Firewall Mode, on
page 168 for more information).
• If you already have a populated configuration, be sure to back up your configuration before changing
the mode; you can use this backup for reference when creating your new configuration. See Back Up
and Restore Configurations or Other Files, on page 1024.
• Use the CLI at the console port to change the mode. If you use any other type of session, including the
ASDM Command Line Interface tool or SSH, you will be disconnected when the configuration is cleared,
and you will have to reconnect to the ASA using the console port in any case.
• Set the mode within the context.

Note To set the firewall mode to transparent and also configure ASDM management access after the configuration
is cleared, see Configure ASDM Access, on page 27.

Procedure

Set the firewall mode to transparent:


firewall transparent
Example:

ciscoasa(config)# firewall transparent

To change the mode to routed, enter the no firewall transparent command.


Note You are not prompted to confirm the firewall mode change; the change occurs immediately.


Examples for Firewall Mode


This section includes examples of how traffic moves through the ASA in the routed and transparent firewall
mode.

How Data Moves Through the ASA in Routed Firewall Mode


The following sections describe how data moves through the ASA in routed firewall mode in multiple scenarios.

An Inside User Visits a Web Server


The following figure shows an inside user accessing an outside web server.
Figure 16: Inside to Outside

The following steps describe how data moves through the ASA:
1. The user on the inside network requests a web page from www.example.com.
2. The ASA receives the packet and because it is a new session, it verifies that the packet is allowed according
to the terms of the security policy.
For multiple context mode, the ASA first classifies the packet to a context.
3. The ASA translates the real address (10.1.2.27) to the mapped address 209.165.201.10, which is on the
outside interface subnet.
The mapped address could be on any subnet, but routing is simplified when it is on the outside interface
subnet.
4. The ASA then records that a session is established and forwards the packet from the outside interface.
5. When www.example.com responds to the request, the packet goes through the ASA, and because the
session is already established, the packet bypasses the many lookups associated with a new connection.
The ASA performs NAT by untranslating the global destination address to the local user address, 10.1.2.27.
6. The ASA forwards the packet to the inside user.

An Outside User Visits a Web Server on the DMZ


The following figure shows an outside user accessing the DMZ web server.
Figure 17: Outside to DMZ

The following steps describe how data moves through the ASA:
1. A user on the outside network requests a web page from the DMZ web server using the mapped address
of 209.165.201.3, which is on the outside interface subnet.
2. The ASA receives the packet and untranslates the mapped address to the real address 10.1.1.3.
3. Because it is a new session, the ASA verifies that the packet is allowed according to the terms of the
security policy.
For multiple context mode, the ASA first classifies the packet to a context.
4. The ASA then adds a session entry to the fast path and forwards the packet from the DMZ interface.
5. When the DMZ web server responds to the request, the packet goes through the ASA and because the
session is already established, the packet bypasses the many lookups associated with a new connection.
The ASA performs NAT by translating the real address to 209.165.201.3.
6. The ASA forwards the packet to the outside user.

An Inside User Visits a Web Server on the DMZ


The following figure shows an inside user accessing the DMZ web server.
Figure 18: Inside to DMZ

The following steps describe how data moves through the ASA:
1. A user on the inside network requests a web page from the DMZ web server using the destination address
of 10.1.1.3.
2. The ASA receives the packet and because it is a new session, the ASA verifies that the packet is allowed
according to the terms of the security policy.
For multiple context mode, the ASA first classifies the packet to a context.
3. The ASA then records that a session is established and forwards the packet out of the DMZ interface.
4. When the DMZ web server responds to the request, the packet goes through the fast path, which lets the
packet bypass the many lookups associated with a new connection.
5. The ASA forwards the packet to the inside user.

An Outside User Attempts to Access an Inside Host


The following figure shows an outside user attempting to access the inside network.
Figure 19: Outside to Inside

The following steps describe how data moves through the ASA:
1. A user on the outside network attempts to reach an inside host (assuming the host has a routable IP address).
If the inside network uses private addresses, no outside user can reach the inside network without NAT.
The outside user might attempt to reach an inside user by using an existing NAT session.
2. The ASA receives the packet and because it is a new session, it verifies if the packet is allowed according
to the security policy.
3. The packet is denied, and the ASA drops the packet and logs the connection attempt.
If the outside user is attempting to attack the inside network, the ASA employs many technologies to
determine if a packet is valid for an already established session.


A DMZ User Attempts to Access an Inside Host


The following figure shows a user in the DMZ attempting to access the inside network.
Figure 20: DMZ to Inside

The following steps describe how data moves through the ASA:
1. A user on the DMZ network attempts to reach an inside host. Because the DMZ does not have to route
the traffic on the Internet, the private addressing scheme does not prevent routing.
2. The ASA receives the packet and because it is a new session, it verifies if the packet is allowed according
to the security policy.
The packet is denied, and the ASA drops the packet and logs the connection attempt.

How Data Moves Through the Transparent Firewall


The following figure shows a typical transparent firewall implementation with an inside network that contains
a public web server. The ASA has an access rule so that the inside users can access Internet resources. Another
access rule lets the outside users access only the web server on the inside network.

Figure 21: Typical Transparent Firewall Data Path

The following sections describe how data moves through the ASA.

An Inside User Visits a Web Server


The following figure shows an inside user accessing an outside web server.

Figure 22: Inside to Outside

The following steps describe how data moves through the ASA:
1. The user on the inside network requests a web page from www.example.com.
2. The ASA receives the packet and adds the source MAC address to the MAC address table, if required.
Because it is a new session, it verifies that the packet is allowed according to the terms of the security
policy.
For multiple context mode, the ASA first classifies the packet to a context.
3. The ASA records that a session is established.
4. If the destination MAC address is in its table, the ASA forwards the packet out of the outside interface.
The destination MAC address is that of the upstream router, 209.165.201.2.
If the destination MAC address is not in the ASA table, it attempts to discover the MAC address by sending
an ARP request or a ping. The first packet is dropped.
5. The web server responds to the request; because the session is already established, the packet bypasses
the many lookups associated with a new connection.
6. The ASA forwards the packet to the inside user.

An Inside User Visits a Web Server Using NAT


The following figure shows an inside user accessing an outside web server.

Figure 23: Inside to Outside with NAT

The following steps describe how data moves through the ASA:
1. The user on the inside network requests a web page from www.example.com.
2. The ASA receives the packet and adds the source MAC address to the MAC address table, if required.
Because it is a new session, it verifies that the packet is allowed according to the terms of the security
policy.
For multiple context mode, the ASA first classifies the packet according to a unique interface.
3. The ASA translates the real address (10.1.2.27) to the mapped address 209.165.201.10.
Because the mapped address is not on the same network as the outside interface, be sure that the upstream
router has a static route to the mapped network that points to the ASA.
4. The ASA then records that a session is established and forwards the packet from the outside interface.
5. If the destination MAC address is in its table, the ASA forwards the packet out of the outside interface.
The destination MAC address is that of the upstream router, 10.1.2.1.
If the destination MAC address is not in the ASA table, then it attempts to discover the MAC address by
sending an ARP request and a ping. The first packet is dropped.
6. The web server responds to the request; because the session is already established, the packet bypasses
the many lookups associated with a new connection.
7. The ASA performs NAT by untranslating the mapped address to the real address, 10.1.2.27.
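The two transparent-mode flows above (inside to outside, with and without NAT) as a small model, added here and not Cisco code: the packet layout, the access-rule representation as (ingress interface, source IP) pairs, the MAC table and the explicit arp_reply() call are simplifying assumptions, and the web server address 203.0.113.10 and the MAC addresses are constructed.

```python
"""Model of the transparent-firewall data path: learn the source MAC, check the
security policy only for new sessions, translate with static NAT, and drop the
first packet when the destination MAC still has to be discovered."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    iface: str  # interface the packet arrives on (or leaves from)


@dataclass
class TransparentFirewall:
    # Access rules, simplified to the (ingress interface, source IP) pairs that
    # are permitted to open a new session (assumption of this model).
    allowed: Set[Tuple[str, str]]
    # Static NAT, real address -> mapped address (empty dict = no NAT).
    nat: Dict[str, str] = field(default_factory=dict)
    mac_table: Dict[str, str] = field(default_factory=dict)  # MAC -> interface
    sessions: Set[Tuple[str, str]] = field(default_factory=set)  # (inside real IP, peer IP)
    arp_requests: List[str] = field(default_factory=list)  # MACs being discovered
    denied: List[Packet] = field(default_factory=list)  # dropped and logged

    def arp_reply(self, mac: str, iface: str) -> None:
        """Model the neighbour answering the ASA's ARP request or ping."""
        self.mac_table[mac] = iface

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as it leaves the ASA, or None if it is dropped."""
        # Step 2: add the source MAC to the MAC address table, if required.
        self.mac_table.setdefault(pkt.src_mac, pkt.iface)
        real_of = {mapped: real for real, mapped in self.nat.items()}
        if pkt.iface == "inside":
            inside_real, peer = pkt.src_ip, pkt.dst_ip
        else:
            # Return traffic: untranslate the mapped address to the real address.
            inside_real, peer = real_of.get(pkt.dst_ip, pkt.dst_ip), pkt.src_ip
        key = (inside_real, peer)
        if key not in self.sessions:
            # New session: full security-policy lookup.
            if (pkt.iface, pkt.src_ip) not in self.allowed:
                self.denied.append(pkt)  # dropped and logged
                return None
            self.sessions.add(key)  # Step 3: record that a session is established.
        # Established sessions skip the policy lookup above (fast path).
        if pkt.iface == "inside":
            out = Packet(pkt.src_mac, pkt.dst_mac,
                         self.nat.get(pkt.src_ip, pkt.src_ip), pkt.dst_ip, "outside")
        else:
            out = Packet(pkt.src_mac, pkt.dst_mac, pkt.src_ip, inside_real, "inside")
        # Step 4: forward only if the destination MAC is already in the table;
        # otherwise discover it (ARP request / ping) and drop this first packet.
        if pkt.dst_mac not in self.mac_table:
            self.arp_requests.append(pkt.dst_mac)
            return None
        return out


if __name__ == "__main__":
    host, router = "00:11:22:33:44:55", "00:00:5e:00:01:01"  # constructed MACs
    fw = TransparentFirewall(allowed={("inside", "10.1.2.27")},
                             nat={"10.1.2.27": "209.165.201.10"})
    first = Packet(host, router, "10.1.2.27", "203.0.113.10", "inside")
    print("first packet:", fw.forward(first), "arp for", fw.arp_requests)
    fw.arp_reply(router, "outside")
    print("retransmit:", fw.forward(first))
```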


An Outside User Visits a Web Server on the Inside Network


The following figure shows an outside user accessing the inside web server.
Figure 24: Outside to Inside

The following steps describe how data moves through the ASA:
1. A user on the outside network requests a web page from the inside web server.
2. The ASA receives the packet and adds the source MAC address to the MAC address table, if required.
Because it is a new session, it verifies that the packet is allowed according to the terms of the security
policy.
For multiple context mode, the ASA first classifies the packet to a context.
3. The ASA records that a session is established.
4. If the destination MAC address is in its table, the ASA forwards the packet out of the inside interface.
The destination MAC address is that of the downstream router, 209.165.201.1.
If the destination MAC address is not in the ASA table, then it attempts to discover the MAC address by
sending an ARP request and a ping. The first packet is dropped.
5. The web server responds to the request; because the session is already established, the packet bypasses
the many lookups associated with a new connection.
6. The ASA forwards the packet to the outside user.

An Outside User Attempts to Access an Inside Host


The following figure shows an outside user attempting to access a host on the inside network.
Figure 25: Outside to Inside

The following steps describe how data moves through the ASA:
1. A user on the outside network attempts to reach an inside host.
2. The ASA receives the packet and adds the source MAC address to the MAC address table, if required.
Because it is a new session, it verifies if the packet is allowed according to the terms of the security policy.
For multiple context mode, the ASA first classifies the packet to a context.
3. The packet is denied because there is no access rule permitting the outside host, and the ASA drops the
packet.
4. If the outside user is attempting to attack the inside network, the ASA employs many technologies to
determine if a packet is valid for an already established session.


History for the Firewall Mode


Table 4: Feature History for Firewall Mode

Feature Name: Transparent Firewall Mode
Platform Releases: 7.0(1)
Feature Information: A transparent firewall is a Layer 2 firewall that acts like a “bump in the wire,” or a “stealth
firewall,” and is not seen as a router hop to connected devices.
We introduced the following commands: firewall transparent, show firewall.

Feature Name: Transparent firewall bridge groups
Platform Releases: 8.4(1)
Feature Information: If you do not want the overhead of security contexts, or want to maximize your use of security
contexts, you can group interfaces together in a bridge group, and then configure multiple bridge groups, one for
each network. Bridge group traffic is isolated from other bridge groups. You can configure up to 8 bridge groups in
single mode or per context in multiple mode, with 4 interfaces maximum per bridge group.
Note Although you can configure multiple bridge groups on the ASA 5505, the restriction of 2 data interfaces in
transparent mode on the ASA 5505 means you can only effectively use 1 bridge group.
We introduced the following commands: interface bvi, bridge-group, show bridge-group.

Feature Name: Mixed firewall mode support in multiple context mode
Platform Releases: 8.5(1)/9.0(1)
Feature Information: You can set the firewall mode independently for each security context in multiple context
mode, so some can run in transparent mode while others run in routed mode.
We modified the following command: firewall transparent.

Feature Name: Transparent mode bridge group maximum increased to 250
Platform Releases: 9.3(1)
Feature Information: The bridge group maximum was increased from 8 to 250 bridge groups. You can configure up
to 250 bridge groups in single mode or per context in multiple mode, with 4 interfaces maximum per bridge group.
We modified the following commands: interface bvi, bridge-group.

Feature Name: Transparent mode maximum interfaces per bridge group increased to 64
Platform Releases: 9.6(2)
Feature Information: The maximum interfaces per bridge group was increased from 4 to 64.
We did not modify any commands.

PART II
High Availability and Scalability
• Multiple Context Mode, on page 185
• Failover for High Availability, on page 231
• ASA Cluster, on page 287
• ASA Cluster for the Firepower 4100/9300 Chassis, on page 383
CHAPTER 7
Multiple Context Mode
This chapter describes how to configure multiple security contexts on the Cisco ASA.
• About Security Contexts, on page 185
• Licensing for Multiple Context Mode, on page 195
• Prerequisites for Multiple Context Mode, on page 196
• Guidelines for Multiple Context Mode, on page 196
• Defaults for Multiple Context Mode, on page 197
• Configure Multiple Contexts, on page 198
• Change Between Contexts and the System Execution Space, on page 208
• Manage Security Contexts, on page 209
• Monitoring Security Contexts, on page 213
• Examples for Multiple Context Mode, on page 224
• History for Multiple Context Mode, on page 225

About Security Contexts


You can partition a single ASA into multiple virtual devices, known as security contexts. Each context acts
as an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are
similar to having multiple standalone devices. For unsupported features in multiple context mode, see Guidelines
for Multiple Context Mode, on page 196.
This section provides an overview of security contexts.

Common Uses for Security Contexts


You might want to use multiple security contexts in the following situations:
• You are a service provider and want to sell security services to many customers. By enabling multiple
security contexts on the ASA, you can implement a cost-effective, space-saving solution that keeps all
customer traffic separate and secure, and also eases configuration.
• You are a large enterprise or a college campus and want to keep departments completely separate.
• You are an enterprise that wants to provide distinct security policies to different departments.
• You have any network that requires more than one ASA.


Context Configuration Files


This section describes how the ASA implements multiple context mode configurations.

Context Configurations
For each context, the ASA includes a configuration that identifies the security policy, interfaces, and all the
options you can configure on a standalone device. You can store context configurations in flash memory, or
you can download them from a TFTP, FTP, or HTTP(S) server.

System Configuration
The system administrator adds and manages contexts by configuring each context configuration location,
allocated interfaces, and other context operating parameters in the system configuration, which, like a single
mode configuration, is the startup configuration. The system configuration identifies basic settings for the
ASA. The system configuration does not include any network interfaces or network settings for itself; rather,
when the system needs to access network resources (such as downloading the contexts from the server), it
uses one of the contexts that is designated as the admin context. The system configuration does include a
specialized failover interface for failover traffic only.

Admin Context Configuration


The admin context is just like any other context, except that when a user logs in to the admin context, then
that user has system administrator rights and can access the system and all other contexts. The admin context
is not restricted in any way, and can be used as a regular context. However, because logging into the admin
context grants you administrator privileges over all contexts, you might need to restrict access to the admin
context to appropriate users. The admin context must reside on flash memory, and not remotely.
If your system is already in multiple context mode, or if you convert from single mode, the admin context is
created automatically as a file on the internal flash memory called admin.cfg. This context is named “admin.”
If you do not want to use admin.cfg as the admin context, you can change the admin context.

How the ASA Classifies Packets


Each packet that enters the ASA must be classified, so that the ASA can determine to which context to send
a packet.

Note If the destination MAC address is a multicast or broadcast MAC address, the packet is duplicated and delivered
to each context.

Valid Classifier Criteria


This section describes the criteria used by the classifier.

Note For management traffic destined for an interface, the interface IP address is used for classification.
The routing table is not used for packet classification.


Unique Interfaces
If only one context is associated with the ingress interface, the ASA classifies the packet into that context. In
transparent firewall mode, unique interfaces for contexts are required, so this method is used to classify packets
at all times.

Unique MAC Addresses


If multiple contexts share an interface, then the classifier uses unique MAC addresses assigned to the interface
in each context. An upstream router cannot route directly to a context without unique MAC addresses. You
can enable auto-generation of MAC addresses. You can also set the MAC addresses manually when you
configure each interface.

NAT Configuration
If you do not enable use of unique MAC addresses, then the ASA uses the mapped addresses in your NAT
configuration to classify packets. We recommend using MAC addresses instead of NAT, so that traffic
classification can occur regardless of the completeness of the NAT configuration.

Classification Examples
The following figure shows multiple contexts sharing an outside interface. The classifier assigns the packet
to Context B because Context B includes the MAC address to which the router sends the packet.
Figure 26: Packet Classification with a Shared Interface Using MAC Addresses

Note that all new incoming traffic must be classified, even from inside networks. The following figure shows
a host on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B
because the ingress interface is Gigabit Ethernet 0/1.3, which is assigned to Context B.
Figure 27: Incoming Traffic from Inside Networks

For transparent firewalls, you must use unique interfaces. The following figure shows a packet destined to a
host on the Context B inside network from the Internet. The classifier assigns the packet to Context B because
the ingress interface is Gigabit Ethernet 1/0.3, which is assigned to Context B.
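The classifier criteria above (unique interface, unique MAC address, NAT mapped address, broadcast and multicast duplication) as a working model, added here and not Cisco code. The data model, the interface name GigabitEthernet0/0 for the shared outside interface, the MAC and mapped-network values, and the position of the management-IP check relative to the MAC lookup are assumptions of this example.

```python
"""Packet classifier for multiple context mode, following the guide's criteria."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Context:
    name: str
    # allocated interface -> MAC address assigned to it in this context
    # (None = no unique MAC configured or auto-generated)
    interfaces: Dict[str, Optional[str]]
    # interface -> IP address configured on it in this context
    interface_ips: Dict[str, str] = field(default_factory=dict)
    # mapped networks from this context's NAT configuration
    nat_mapped: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Frame:
    ingress: str  # interface the frame arrived on
    dst_mac: str
    dst_ip: str


def is_group_mac(mac: str) -> bool:
    """True for broadcast and multicast MACs (I/G bit set in the first octet)."""
    return int(mac.split(":")[0], 16) & 1 == 1


def classify(contexts: List[Context], frame: Frame) -> List[str]:
    """Names of the contexts that receive the frame; [] means it is dropped."""
    owners = [c for c in contexts if frame.ingress in c.interfaces]
    if not owners:
        return []  # interface not allocated to any context
    if is_group_mac(frame.dst_mac):
        # Broadcast/multicast: duplicated and delivered to each context.
        return [c.name for c in owners]
    if len(owners) == 1:
        # Unique interface: the only criterion available in transparent mode.
        return [owners[0].name]
    # Management traffic destined for an interface IP is classified by that IP
    # (checked before the MAC lookup; that order is this model's choice).
    for c in owners:
        if c.interface_ips.get(frame.ingress) == frame.dst_ip:
            return [c.name]
    # Shared interface with unique MAC addresses: match the destination MAC.
    by_mac = {c.interfaces[frame.ingress].lower(): c
              for c in owners if c.interfaces[frame.ingress]}
    if by_mac:
        hit = by_mac.get(frame.dst_mac.lower())
        return [hit.name] if hit else []
    # No unique MACs: fall back to the mapped addresses in the NAT configuration.
    dst = ip_address(frame.dst_ip)
    for c in owners:
        if any(dst in ip_network(net) for net in c.nat_mapped):
            return [c.name]
    return []  # nothing matched: the ASA has no context to deliver the frame to


if __name__ == "__main__":
    # Constructed sample: Context A and B share GigabitEthernet0/0 (outside)
    # with unique MACs; each has its own inside subinterface (Figures 26 and 27).
    ctx_a = Context("A", {"GigabitEthernet0/0": "a2:00:00:00:00:0a",
                          "GigabitEthernet0/1.2": None})
    ctx_b = Context("B", {"GigabitEthernet0/0": "a2:00:00:00:00:0b",
                          "GigabitEthernet0/1.3": None})
    print(classify([ctx_a, ctx_b],
                   Frame("GigabitEthernet0/0", "a2:00:00:00:00:0b", "209.165.201.3")))
```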

Figure 28: Transparent Firewall Contexts

Cascading Security Contexts


Placing a context directly in front of another context is called cascading contexts; the outside interface of one
context is the same interface as the inside interface of another context. You might want to cascade contexts
if you want to simplify the configuration of some contexts by configuring shared parameters in the top context.

Note Cascading contexts requires unique MAC addresses for each context interface. Because of the limitations of
classifying packets on shared interfaces without MAC addresses, we do not recommend using cascading
contexts without unique MAC addresses.

The following figure shows a gateway context with two contexts behind the gateway.

Figure 29: Cascading Contexts

Management Access to Security Contexts


The ASA provides system administrator access in multiple context mode as well as access for individual
context administrators.

System Administrator Access


You can access the ASA as a system administrator in two ways:
• Access the ASA console.
From the console, you access the system execution space, which means that any commands you enter
affect only the system configuration or the running of the system (for run-time commands).
• Access the admin context using Telnet, SSH, or ASDM.

As the system administrator, you can access all contexts.


The system execution space does not support any AAA commands, but you can configure its own enable
password, as well as usernames in the local database to provide individual logins.

Context Administrator Access


You can access a context using Telnet, SSH, or ASDM. If you log in to a non-admin context, you can only
access the configuration for that context. You can provide individual logins to the context.

Management Interface Usage


The Management interface is a separate interface just for management traffic.

In routed firewall mode, you can share the Management interface across all contexts.
In transparent firewall mode, the Management interface is special. In addition to the maximum allowed
through-traffic interfaces, you can also use the Management interface as a separate management-only interface.
However, in multiple context mode, you cannot share any interfaces across transparent contexts. You can
instead use subinterfaces of the Management interface, and assign one to each context. However, only Firepower
models and the ASA 5585-X allow subinterfaces on the Management interface. For ASA models other than
the ASA 5585-X, you must use a data interface or a subinterface of a data interface, and add it to a bridge
group within the context.
For the Firepower 4100/9300 chassis transparent context, neither the Management interface nor subinterface
retains its special status. In this case, you must treat it as a data interface, and add it to a bridge group. (Note
that in single context mode, the Management interface does retain its special status.)
Another consideration about transparent mode: when you enable multiple context mode, all configured
interfaces are automatically assigned to the Admin context. For example, if your default configuration includes
the Management interface, then that interface will be assigned to the Admin context. One option is to leave
the main interface allocated to the Admin context and manage it using the native VLAN, and then use
subinterfaces to manage each context. Keep in mind that if you make the Admin context transparent, its IP
address will be removed; you have to assign it to a bridge group and assign the IP address to the BVI.

About Resource Management


By default, all security contexts have unlimited access to the resources of the ASA, except where maximum
limits per context are enforced. The one exception is VPN resources, which are disabled by default. If you
find that one or more contexts use too many resources, and they cause other contexts to be denied connections,
for example, then you can configure resource management to limit the use of resources per context. For VPN
resources, you must configure resource management to allow any VPN tunnels.

Resource Classes
The ASA manages resources by assigning contexts to resource classes. Each context uses the resource limits
set by the class. To use the settings of a class, assign the context to the class when you define the context. All
contexts belong to the default class if they are not assigned to another class; you do not have to actively assign
a context to default. You can only assign a context to one resource class. The exception to this rule is that
limits that are undefined in the member class are inherited from the default class; so in effect, a context could
be a member of default plus another class.

Resource Limits
You can set the limit for individual resources as a percentage (if there is a hard system limit) or as an absolute
value.
For most resources, the ASA does not set aside a portion of the resources for each context assigned to the
class; rather, the ASA sets the maximum limit for a context. If you oversubscribe resources, or allow some
resources to be unlimited, a few contexts can “use up” those resources, potentially affecting service to other
contexts. The exception is VPN resource types, which you cannot oversubscribe, so the resources assigned
to each context are guaranteed. To accommodate temporary bursts of VPN sessions beyond the amount
assigned, the ASA supports a “burst” VPN resource type, which is equal to the remaining unassigned VPN
sessions. The burst sessions can be oversubscribed, and are available to contexts on a first-come, first-served
basis.


Default Class
All contexts belong to the default class if they are not assigned to another class; you do not have to actively
assign a context to the default class.
If a context belongs to a class other than the default class, those class settings always override the default class
settings. However, if the other class has any settings that are not defined, then the member context uses the
default class for those limits. For example, if you create a class with a 2 percent limit for all concurrent
connections, but no other limits, then all other limits are inherited from the default class. Conversely, if you
create a class with a limit for all resources, the class uses no settings from the default class.
For most resources, the default class provides unlimited access to resources for all contexts, except for the
following limits:
• Telnet sessions—5 sessions. (The maximum per context.)
• SSH sessions—5 sessions. (The maximum per context.)
• IPsec sessions—5 sessions. (The maximum per context.)
• MAC addresses—65,535 entries. (The maximum for the system.)
• AnyConnect peers—0 sessions. (You must manually configure the class to allow any AnyConnect peers.)
• VPN site-to-site tunnels—0 sessions. (You must manually configure the class to allow any VPN sessions.)

The following figure shows the relationship between the default class and other classes. Contexts A and C
belong to classes with some limits set; other limits are inherited from the default class. Context B inherits no
limits from default because all limits are set in its class, the Gold class. Context D was not assigned to a class,
and is by default a member of the default class.
Figure 30: Resource Classes

Use Oversubscribed Resources


You can oversubscribe the ASA by assigning more than 100 percent of a resource across all contexts (with
the exception of non-burst VPN resources). For example, you can set the Bronze class to limit connections
to 20 percent per context, and then assign 10 contexts to the class for a total of 200 percent. If contexts
concurrently use more than the system limit, then each context gets less than the 20 percent you intended.
Figure 31: Resource Oversubscription

Use Unlimited Resources


The ASA lets you assign unlimited access to one or more resources in a class, instead of a percentage or
absolute number. When a resource is unlimited, contexts can use as much of the resource as the system has
available. For example, Context A, B, and C are in the Silver Class, which limits each class member to 1
percent of the connections, for a total of 3 percent; but the three contexts are currently only using 2 percent
combined. Gold Class has unlimited access to connections. The contexts in the Gold Class can use more than
the 97 percent of “unassigned” connections; they can also use the 1 percent of connections not currently in
use by Context A, B, and C, even if that means that Context A, B, and C are unable to reach their 3 percent
combined limit. Setting unlimited access is similar to oversubscribing the ASA, except that you have less
control over how much you oversubscribe the system.
Figure 32: Unlimited Resources

About MAC Addresses


You can manually assign MAC addresses to override the default. For multiple context mode, you can
automatically generate unique MAC addresses (for all interfaces assigned to a context).


Note You might want to assign unique MAC addresses to subinterfaces defined on the ASA, because they use the
same burned-in MAC address of the parent interface. For example, your service provider might perform access
control based on the MAC address. Also, because IPv6 link-local addresses are generated based on the MAC
address, assigning unique MAC addresses to subinterfaces allows for unique IPv6 link-local addresses, which
can avoid traffic disruption in certain instances on the ASA.

MAC Addresses in Multiple Context Mode


The MAC address is used to classify packets within a context. If you share an interface, but do not have unique
MAC addresses for the interface in each context, then other classification methods are attempted that might
not provide full coverage.
To allow contexts to share interfaces, you should enable auto-generation of virtual MAC addresses to each
shared context interface. On the ASASM only, auto-generation is enabled by default in multiple context mode.

Automatic MAC Addresses


In multiple context mode, auto-generation assigns unique MAC addresses to all interfaces assigned to a
context.
If you manually assign a MAC address and also enable auto-generation, then the manually assigned MAC
address is used. If you later remove the manual MAC address, the auto-generated address is used, if enabled.
In the rare circumstance that the generated MAC address conflicts with another private MAC address in your
network, you can manually set the MAC address for the interface.
Because auto-generated addresses (when using a prefix) start with A2, you cannot start manual MAC addresses
with A2 if you also want to use auto-generation.
The ASA generates the MAC address using the following format:
A2xx.yyzz.zzzz
Where xx.yy is a user-defined prefix or an autogenerated prefix based on the last two bytes of the interface
MAC address, and zz.zzzz is an internal counter generated by the ASA. For the standby MAC address, the
address is identical except that the internal counter is increased by 1.
For an example of how the prefix is used, if you set a prefix of 77, then the ASA converts 77 into the
hexadecimal value 004D (yyxx). When used in the MAC address, the prefix is reversed (xxyy) to match the
ASA native form:
A24D.00zz.zzzz
For a prefix of 1009 (03F1), the MAC address is:
A2F1.03zz.zzzz

Note The MAC address format without a prefix is a legacy version. See the mac-address auto command in the
command reference for more information about the legacy format.
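As an added illustration (not Cisco code) of the A2xx.yyzz.zzzz format, the following Python reproduces the prefix conversion and byte swap from the two examples above, derives the standby address, and flags a manual MAC address that would collide with the A2 range. The zero-padded rendering of the internal counter is an assumption; the guide only says it is an internal counter that the standby address increases by 1.

```python
"""Model the auto-generated MAC address format A2xx.yyzz.zzzz.

Added example, not Cisco code. The guide gives the prefix conversion
(77 -> 004D, used reversed as 4D00) and says the standby address uses the
internal counter plus 1; rendering the counter as a zero-padded 24-bit hex
value is an assumption made here.
"""
import re


def asa_prefix_bytes(prefix: int) -> str:
    """Decimal prefix (0-65535) -> four hex digits in ASA native xxyy order.

    The guide's example: 77 -> 004D (yyxx), which the ASA reverses to 4D00.
    """
    if not 0 <= prefix <= 0xFFFF:
        raise ValueError("prefix must be a decimal value between 0 and 65535")
    yyxx = f"{prefix:04X}"            # 77 -> '004D', 1009 -> '03F1'
    return yyxx[2:4] + yyxx[0:2]      # byte swap -> '4D00', 'F103'


def asa_auto_mac(prefix: int, counter: int, standby: bool = False) -> str:
    """Return the generated address for a prefix and internal counter.

    counter is the ASA's internal counter (zz.zzzz, 24 bits, assumed
    zero-padded here); the standby address is the same with counter + 1.
    """
    if standby:
        counter += 1
    if not 0 <= counter < (1 << 24):
        raise ValueError("counter must fit in 24 bits")
    digits = "A2" + asa_prefix_bytes(prefix) + f"{counter:06X}"
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"   # ASA dotted form


def manual_mac_conflicts_with_auto(mac: str) -> bool:
    """True if a manually set MAC starts with A2, which the guide says not to
    combine with auto-generation. Accepts dotted, colon-separated or bare hex."""
    digits = re.sub(r"[.:-]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    return digits.startswith("A2")


if __name__ == "__main__":
    for prefix in (77, 1009):
        # Constructed counter value 1 for the active unit; standby gets 2.
        print(prefix, asa_auto_mac(prefix, 1), asa_auto_mac(prefix, 1, standby=True))
```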


VPN Support
For VPN resources, you must configure resource management to allow any VPN tunnels.
You can use site-to-site VPN in multiple context mode.
For remote access VPN, you must use AnyConnect 3.x and later for SSL VPN only; there is no IKEv2 support.
You can customize flash storage per context for AnyConnect images and customizations, as well as using
shared flash memory across all contexts. For unsupported features, see Guidelines for Multiple Context Mode,
on page 196. For a detailed list of supported VPN features per ASA release, see History for Multiple Context
Mode, on page 225.

Note The AnyConnect Apex license is required for multiple context mode; you cannot use the default or legacy
license.

Licensing for Multiple Context Mode


Model and License Requirement

ASA 5506-X
  No support.

ASA 5508-X
  Security Plus License: 2 contexts.
  Optional license: 5 contexts.

ASA 5512-X
  Base License: No support.
  Security Plus License: 2 contexts.
  Optional license: 5 contexts.

ASA 5515-X
  Base License: 2 contexts.
  Optional license: 5 contexts.

ASA 5516-X
  Security Plus License: 2 contexts.
  Optional license: 5 contexts.

ASA 5525-X
  Base License: 2 contexts.
  Optional licenses: 5, 10, or 20 contexts.

ASA 5545-X
  Base License: 2 contexts.
  Optional licenses: 5, 10, 20, or 50 contexts.

ASA 5555-X
  Base License: 2 contexts.
  Optional licenses: 5, 10, 20, 50, or 100 contexts.

ASA 5585-X with SSP-10
  Base License: 2 contexts.
  Optional licenses: 5, 10, 20, 50, or 100 contexts.

ASA 5585-X with SSP-20, -40, and -60
  Base License: 2 contexts.
  Optional licenses: 5, 10, 20, 50, 100, or 250 contexts.

ASASM
  Base License: 2 contexts.
  Optional licenses: 5, 10, 20, 50, 100, or 250 contexts.

Firepower 4100
  Base License: 10 contexts.
  Optional licenses: up to 250 contexts, in increments of 10.

Firepower 9300
  Base License: 10 contexts.
  Optional licenses: up to 250 contexts, in increments of 10.

ISA 3000
  No support.

ASAv
  No support.

Note The AnyConnect Apex license is required for multiple context mode; you cannot use the default or legacy
license.

Prerequisites for Multiple Context Mode


After you are in multiple context mode, connect to the system or the admin context to access the system
configuration. You cannot configure the system from a non-admin context. By default, after you enable
multiple context mode, you can connect to the admin context by using the default management IP address.

Guidelines for Multiple Context Mode


Failover
Active/Active mode failover is only supported in multiple context mode.

IPv6
Cross-context IPv6 routing is not supported.

Unsupported Features
Multiple context mode does not support the following features:
• RIP
• OSPFv3. (OSPFv2 is supported.)
• Multicast routing
• Threat Detection
• Unified Communications
• QoS

Multiple context mode does not currently support the following features for remote access VPN:
• Clientless SSL VPN
• AnyConnect 2.x and earlier
• IKEv2
• IKEv1
• WebLaunch
• VLAN Mapping
• HostScan
• VPN load balancing
• Customization
• L2TP/IPsec

Additional Guidelines
• The context mode (single or multiple) is not stored in the configuration file, even though it does endure
reboots. If you need to copy your configuration to another device, set the mode on the new device to
match.
• If you store context configurations in the root directory of flash memory, on some models you might run
out of room in that directory, even though there is available memory. In this case, create a subdirectory
for your configuration files. Background: some models, such as the ASA 5585-X, use the FAT 16 file
system for internal flash memory, and if you do not use 8.3-compliant short names, or use uppercase
characters, then fewer than 512 files and folders can be stored because the file system uses up slots to
store long file names (see http://support.microsoft.com/kb/120138/en-us).

Defaults for Multiple Context Mode


• By default, the ASA is in single context mode.
• See Default Class, on page 192.


Configure Multiple Contexts


Procedure

Step 1 Enable or Disable Multiple Context Mode, on page 198.


Step 2 (Optional) Configure a Class for Resource Management, on page 199.
Note For VPN support, you must configure VPN resources in a resource class; the default class does not
allow VPN.

Step 3 Configure interfaces in the system execution space.


• ASA 5500-X—Basic Interface Configuration, on page 443.
• Firepower 4100/9300—Logical Devices for the Firepower 4100/9300, on page 143
• ASASM—ASASM quick start guide.

Step 4 Configure a Security Context, on page 203.


Step 5 (Optional) Assign MAC Addresses to Context Interfaces Automatically, on page 208.
Step 6 Complete interface configuration in the context. See Routed and Transparent Mode Interfaces, on page 491.

Enable or Disable Multiple Context Mode


Your ASA might already be configured for multiple security contexts depending on how you ordered it from
Cisco. If you need to convert from single mode to multiple mode, follow the procedures in this section.

Enable Multiple Context Mode


When you convert from single mode to multiple mode, the ASA converts the running configuration into two
files: a new startup configuration that comprises the system configuration, and admin.cfg that comprises the
admin context (in the root directory of the internal flash memory). The original running configuration is saved
as old_running.cfg (in the root directory of the internal flash memory). The original startup configuration is
not saved. The ASA automatically adds an entry for the admin context to the system configuration with the
name “admin.”

Before you begin


Back up your startup configuration. When you convert from single mode to multiple mode, the ASA converts
the running configuration into two files. The original startup configuration is not saved. See Back Up and
Restore Configurations or Other Files, on page 1024.

Procedure

Change to multiple context mode:


mode multiple
Example:

ciscoasa(config)# mode multiple

You are prompted to reboot the ASA.

Restore Single Context Mode


To copy the old running configuration to the startup configuration and to change the mode to single mode,
perform the following steps.

Before you begin


Perform this procedure in the system execution space.

Procedure

Step 1 Copy the backup version of your original running configuration to the current startup configuration:
copy disk0:old_running.cfg startup-config
Example:

ciscoasa(config)# copy disk0:old_running.cfg startup-config

Step 2 Set the mode to single mode:


mode single
Example:

ciscoasa(config)# mode single

You are prompted to reboot the ASA.

Configure a Class for Resource Management


To configure a class in the system configuration, perform the following steps. You can change the value of a
particular resource limit by reentering the command with a new value.

Before you begin


• Perform this procedure in the system execution space.
• The following table lists the resource types and the limits. See also the show resource types command.


Note If the System Limit is N/A, then you cannot set a percentage of the resource
because there is no hard system limit for the resource.

Table 5: Resource Names and Limits

Each entry lists: Rate or Concurrent; Minimum and Maximum Number per Context; System Limit; Description.

asdm
  Rate or Concurrent: Concurrent
  Minimum and Maximum Number per Context: 1 minimum, 20 maximum
  System Limit: 32
  Description: ASDM management sessions. ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 32 ASDM sessions represents a limit of 64 HTTPS sessions.

conns
  Rate or Concurrent: Concurrent or Rate
  Minimum and Maximum Number per Context: N/A
  System Limit: Concurrent connections: See Supported Feature Licenses Per Model, on page 74 for the connection limit available for your model. Rate: N/A
  Description: TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts.
  Note: Syslog messages are generated for whichever limit is lower, xlates or conns. For example, if you set the xlates limit to 7 and the conns to 9, then the ASA only generates syslog message 321001 (“Resource 'xlates' limit of 7 reached for context 'ctx1'”) and not 321002 (“Resource 'conn rate' limit of 5 reached for context 'ctx1'”).

hosts
  Rate or Concurrent: Concurrent
  Minimum and Maximum Number per Context: N/A
  System Limit: N/A
  Description: Hosts that can connect through the ASA.

inspects
  Rate or Concurrent: Rate
  Minimum and Maximum Number per Context: N/A
  System Limit: N/A
  Description: Application inspections per second.

mac-addresses
  Rate or Concurrent: Concurrent
  Minimum and Maximum Number per Context: N/A
  System Limit: 65,535
  Description: For transparent firewall mode, the number of MAC addresses allowed in the MAC address table.

routes
  Rate or Concurrent: Concurrent
  Minimum and Maximum Number per Context: N/A
  System Limit: N/A
  Description: Dynamic routes.

vpn burst anyconnect
  Rate or Concurrent: Concurrent
  Minimum and Maximum Number per Context: N/A
  System Limit: The AnyConnect Premium Peers for your model minus the sum of the sessions assigned to all contexts for vpn anyconnect.
  Description: The number of AnyConnect sessions allowed beyond the amount assigned to a context with vpn anyconnect. For example, if your model supports 5000 peers, and you assign 4000 peers across all contexts with vpn anyconnect, then the remaining 1000 sessions are available for vpn burst anyconnect. Unlike vpn anyconnect, which guarantees the sessions to the context, vpn burst anyconnect can be oversubscribed; the burst pool is available to all contexts on a first-come, first-served basis.

vpn anyconnect
  Rate or Concurrent: Concurrent
  Minimum and Maximum Number per Context: N/A
  System Limit: See Supported Feature Licenses Per Model, on page 74 for the AnyConnect Premium Peers available for your model.
  Description: AnyConnect peers. You cannot oversubscribe this resource; all context assignments combined cannot exceed the model limit. The peers you assign for this resource are guaranteed to the context.

vpn burst other
  Rate or Concurrent: Concurrent
  Minimum and Maximum Number per Context: N/A
  System Limit: The Other VPN session amount for your model minus the sum of the sessions assigned to all contexts for vpn other.
  Description: The number of site-to-site VPN sessions allowed beyond the amount assigned to a context with vpn other. For example, if your model supports 5000 sessions, and you assign 4000 sessions across all contexts with vpn other, then the remaining 1000 sessions are available for vpn burst other. Unlike vpn other, which guarantees the sessions to the context, vpn burst other can be oversubscribed; the burst pool is available to all contexts on a first-come, first-served basis.

vpn other
  Rate or Concurrent: Concurrent
  Minimum and Maximum Number per Context: N/A
  System Limit: See Supported Feature Licenses Per Model, on page 74 for the Other VPN sessions available for your model.
  Description: Site-to-site VPN sessions. You cannot oversubscribe this resource; all context assignments combined cannot exceed the model limit. The sessions you assign for this resource are guaranteed to the context.

ikev1 in-negotiation
  Rate or Concurrent: Concurrent (percentage only)
  Minimum and Maximum Number per Context: N/A
  System Limit: A percentage of the Other VPN sessions assigned to this context. See the vpn other resources to assign sessions to the context.
  Description: Incoming IKEv1 SA negotiations, as a percentage of the context Other VPN limit.

ssh
  Rate or Concurrent: Concurrent
  Minimum and Maximum Number per Context: 1 minimum, 5 maximum
  System Limit: 100
  Description: SSH sessions.

storage
  Rate or Concurrent: MB
  Minimum and Maximum Number per Context: The maximum depends on your specified flash memory drive.
  System Limit: The maximum depends on your specified flash memory drive.
  Description: Storage limit of context directory in MB. Specify the drive using the storage-url command.

syslogs
  Rate or Concurrent: Rate
  Minimum and Maximum Number per Context: N/A
  System Limit: N/A
  Description: Syslog messages per second.

telnet
  Rate or Concurrent: Concurrent
  Minimum and Maximum Number per Context: 1 minimum, 5 maximum
  System Limit: 100
  Description: Telnet sessions.

xlates
  Rate or Concurrent: Concurrent
  Minimum and Maximum Number per Context: N/A
  System Limit: N/A
  Description: Network address translations.

Procedure

Step 1 Specify the class name and enter the class configuration mode:
class name
Example:

ciscoasa(config)# class gold

The name is a string up to 20 characters long. To set the limits for the default class, enter default for the name.

Step 2 Set the resource limit for a resource type:


limit-resource [rate] resource_name number[%]
Example:

ciscoasa(config-class)# limit-resource rate inspects 10

• See the preceding table for a list of resource types. If you specify all, then all resources are configured
with the same value. If you also specify a value for a particular resource, the limit overrides the limit set
for all.
• Enter the rate argument to set the rate per second for certain resources.
• For most resources, specify 0 for the number to set the resource to be unlimited or to be the system limit,
if available. For VPN resources, 0 sets the limit to none.


• For resources that do not have a system limit, you cannot set the percentage (%); you can only set an
absolute value.

Example
For example, to set the default class limit for conns to 10 percent instead of unlimited, and to allow
5 site-to-site VPN tunnels with 2 tunnels allowed for VPN burst, enter the following commands:

ciscoasa(config)# class default
ciscoasa(config-class)# limit-resource conns 10%
ciscoasa(config-class)# limit-resource vpn other 5
ciscoasa(config-class)# limit-resource vpn burst other 2

All other resources remain at unlimited.


To add a class called gold, enter the following commands:

ciscoasa(config)# class gold
ciscoasa(config-class)# limit-resource mac-addresses 10000
ciscoasa(config-class)# limit-resource conns 15%
ciscoasa(config-class)# limit-resource rate conns 1000
ciscoasa(config-class)# limit-resource rate inspects 500
ciscoasa(config-class)# limit-resource hosts 9000
ciscoasa(config-class)# limit-resource asdm 5
ciscoasa(config-class)# limit-resource ssh 5
ciscoasa(config-class)# limit-resource rate syslogs 5000
ciscoasa(config-class)# limit-resource telnet 5
ciscoasa(config-class)# limit-resource xlates 36000
ciscoasa(config-class)# limit-resource routes 5000
ciscoasa(config-class)# limit-resource vpn other 10
ciscoasa(config-class)# limit-resource vpn burst other 5

When you assign a context to a resource class, the ASA checks the installed licenses. If the AnyConnect
Apex license required for remote access VPN in multiple context mode was not installed before remote
access VPN connections are attempted, a warning is generated, and the administrator must obtain that
license. For example, a warning like the following may appear:
ciscoasa(config)# class vpn
ciscoasa(config-class)# limit-resource vpn anyconnect 10.0%
ciscoasa(config-class)# context test
Creating context 'text'...Done. (3)
ciscoasa(config-ctx)# member vpn
WARNING: Multi-mode remote access VPN support requires an AnyConnect Apex license.
Warning: An Access Context license is required for remote-access VPN support in multi-mode.
ciscoasa(config-ctx)#
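The following Python, added here and not Cisco code, checks a planned class-and-context allocation against the rules from Use Oversubscribed Resources, Use Unlimited Resources, and the vpn burst rows of the table above: unset class limits are inherited from the default class, percentage totals above 100 percent are flagged as oversubscribed, and guaranteed vpn assignments that exceed the model limit are reported as violations, with the remainder reported as the burst pool. The default-class values are those listed under Default Class; the model limits and the class/context plan in the demonstration are constructed inputs (the 5000/4000/1000 figures are the table's own illustration).

```python
"""Check a planned multiple-context resource allocation.

Added example, not Cisco code. Rules modelled from this chapter: a class
inherits any limit it does not set from the default class; percentage
resources may be oversubscribed (so only flag it); non-burst vpn resources
cannot exceed the model limit, and what is left of the model limit forms the
burst pool. A percentage set on a vpn resource is taken as a percentage of
the model limit (an assumption consistent with the chapter's "percentage of
the system limit" wording).
"""
from typing import Dict, List, Optional, Union

Limit = Optional[Union[int, str]]   # None = unlimited, int = absolute, "20%" = percentage

# Default class limits listed under "Default Class"; everything else is unlimited.
DEFAULT_CLASS: Dict[str, Limit] = {
    "telnet": 5, "ssh": 5, "ipsec": 5, "mac-addresses": 65535,
    "vpn anyconnect": 0, "vpn other": 0,
}
# Guaranteed vpn resources: no oversubscription; the remainder is the burst pool.
GUARANTEED_VPN = ("vpn anyconnect", "vpn other")


def effective_limits(cls: Dict[str, Limit], default: Dict[str, Limit]) -> Dict[str, Limit]:
    """Class settings override the default class; unset limits are inherited."""
    merged = dict(default)
    merged.update(cls)
    return merged


def _percent(value: Limit) -> Optional[float]:
    """'20%' -> 20.0; absolute or unlimited values -> None."""
    if isinstance(value, str) and value.endswith("%"):
        return float(value[:-1])
    return None


def check_plan(classes: Dict[str, Dict[str, Limit]],
               contexts: Dict[str, str],
               model_limits: Dict[str, int]) -> dict:
    """classes: class name -> limits set in it (a "default" entry overrides
    DEFAULT_CLASS); contexts: context name -> class name; model_limits:
    resource -> model limit. Returns percentage totals, the oversubscribed
    ones, guaranteed vpn totals, burst pools and any violations."""
    default = effective_limits(classes.get("default", {}), DEFAULT_CLASS)
    percent_totals: Dict[str, float] = {}
    vpn_assigned: Dict[str, int] = {res: 0 for res in GUARANTEED_VPN}
    for cls_name in contexts.values():
        cls = default if cls_name == "default" else effective_limits(classes.get(cls_name, {}), default)
        for res, val in cls.items():
            pct = _percent(val)
            if res in vpn_assigned:
                if pct is not None:
                    vpn_assigned[res] += int(model_limits.get(res, 0) * pct / 100)
                elif isinstance(val, int):
                    vpn_assigned[res] += val
            elif pct is not None:
                percent_totals[res] = percent_totals.get(res, 0.0) + pct
    violations: List[str] = []
    burst_pool: Dict[str, int] = {}
    for res, total in vpn_assigned.items():
        limit = model_limits.get(res, 0)
        if total > limit:
            violations.append(f"{res}: {total} assigned across contexts exceeds model limit {limit}")
        burst_pool[res.replace("vpn ", "vpn burst ")] = max(limit - total, 0)
    return {
        "percent_totals": percent_totals,
        "oversubscribed": {r: t for r, t in percent_totals.items() if t > 100},
        "vpn_assigned": vpn_assigned,
        "burst_pool": burst_pool,
        "violations": violations,
    }


if __name__ == "__main__":
    # Constructed plan: the chapter's Bronze example (10 contexts at 20 percent)
    # plus one gold context holding 4000 of a constructed 5000-session model limit.
    classes = {"bronze": {"conns": "20%"}, "gold": {"vpn other": 4000}}
    contexts = {f"ctx{i}": "bronze" for i in range(10)}
    contexts["ctxA"] = "gold"
    print(check_plan(classes, contexts, {"vpn other": 5000, "vpn anyconnect": 100}))
```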

Configure a Security Context


The security context definition in the system configuration identifies the context name, configuration file
URL, interfaces that a context can use, and other settings.

Before you begin


• Perform this procedure in the system execution space.


• Configure interfaces. For transparent mode contexts, you cannot share interfaces between contexts, so
you might want to use subinterfaces. To plan for Management interface usage, see Management Interface
Usage, on page 190.
• ASA 5500-X—Basic Interface Configuration, on page 443.
• Firepower 4100/9300—Logical Devices for the Firepower 4100/9300, on page 143
• ASASM—ASASM quick start guide.

• If you do not have an admin context (for example, if you clear the configuration) then you must first
specify the admin context name by entering the following command:

ciscoasa(config)# admin-context name

Although this context does not exist yet in your configuration, you can subsequently enter the context
name command to continue the admin context configuration.

Procedure

Step 1 Add or modify a context:


context name
Example:

ciscoasa(config)# context admin

The name is a string up to 32 characters long. This name is case sensitive, so you can have two contexts named
“customerA” and “CustomerA,” for example. You can use letters, digits, or hyphens, but you cannot start or
end the name with a hyphen.
Note “System” or “Null” (in upper or lower case letters) are reserved names, and cannot be used.

Step 2 (Optional) Add a description for this context:


description text
Example:

ciscoasa(config-ctx)# description Admin Context

Step 3 Specify the interfaces you can use in the context:


To allocate an interface:
allocate-interface interface_id [mapped_name] [visible | invisible]
To allocate one or more subinterfaces:
allocate-interface interface_id.subinterface [-interface_id.subinterface] [mapped_name[-mapped_name]]
[visible | invisible]
Example:

ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.100 int1
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.200 int2
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/2.300-gigabitethernet0/2.305 int3-int8

Note Do not include a space between the interface type and the port number.
• Enter these commands multiple times to specify different ranges. If you remove an allocation with the
no form of this command, then any context commands that include this interface are removed from the
running configuration.
• You can assign the same interfaces to multiple contexts in routed mode, if desired. Transparent mode
does not allow shared interfaces.
• The mapped_name is an alphanumeric alias for the interface that can be used within the context instead
of the interface ID. If you do not specify a mapped name, the interface ID is used within the context. For
security purposes, you might not want the context administrator to know which interfaces the context is
using. A mapped name must start with a letter, end with a letter or digit, and have as interior characters
only letters, digits, or an underscore. For example, you can use the following names: int0, inta, int_0.
• If you specify a range of subinterfaces, you can specify a matching range of mapped names. Follow these
guidelines for ranges:
• The mapped name must consist of an alphabetic portion followed by a numeric portion. The alphabetic
portion of the mapped name must match for both ends of the range. For example, enter the following
range: int0-int10. If you enter gig0/1.1-gig0/1.5 happy1-sad5, for example, the command fails.
• The numeric portion of the mapped name must include the same quantity of numbers as the
subinterface range. For example, both ranges include 100 interfaces:
gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int100. If you enter
gig0/0.100-gig0/0.199 int1-int15, for example, the command fails.

• Specify visible to see the real interface ID in the show interface command if you set a mapped name.
The default invisible keyword shows only the mapped name.
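A checker for the allocate-interface argument rules in Step 3, added here as an example and not Cisco code: no space between interface type and port number, both range ends on the same parent interface, mapped names that start with a letter, end with a letter or digit and contain only letters, digits or underscore, mapped ranges whose alphabetic portion matches at both ends, and the same number of mapped names as subinterfaces. The interface-id spelling it accepts (type, slot/port, optional .subinterface) is an assumption.

```python
"""Validate allocate-interface arguments against the rules in Step 3.

Added example, not Cisco code. The accepted interface-id grammar
(letters, slot/port, optional .subinterface) is an assumption.
"""
import re
from typing import Optional

_MAPPED_NAME = re.compile(r"^[A-Za-z](?:[A-Za-z0-9_]*[A-Za-z0-9])?$")
_RANGE_NAME = re.compile(r"^([A-Za-z_]+)(\d+)$")        # alphabetic then numeric
_IFACE = re.compile(r"^[A-Za-z]+\d+/\d+$")              # e.g. gigabitethernet0/1
_SUBIF = re.compile(r"^([A-Za-z]+\d+/\d+)\.(\d+)$")     # e.g. gigabitethernet0/1.100


def _interface_count(spec: str) -> int:
    """Number of interfaces named by spec; ValueError if it is malformed."""
    if " " in spec:
        raise ValueError("do not include a space between the interface type and the port number")
    ends = spec.split("-")
    if len(ends) == 1:
        if _IFACE.match(spec) or _SUBIF.match(spec):
            return 1
        raise ValueError(f"malformed interface id: {spec}")
    if len(ends) != 2:
        raise ValueError(f"malformed subinterface range: {spec}")
    first, last = (_SUBIF.match(end) for end in ends)
    if not first or not last:
        raise ValueError("both ends of a range must be interface_id.subinterface")
    if first.group(1) != last.group(1):
        raise ValueError("range ends must belong to the same parent interface")
    lo, hi = int(first.group(2)), int(last.group(2))
    if hi < lo:
        raise ValueError("subinterface range end is lower than its start")
    return hi - lo + 1


def _mapped_count(spec: str) -> int:
    """Number of mapped names in spec; ValueError if a name breaks the rules."""
    ends = spec.split("-")
    for name in ends:
        if not _MAPPED_NAME.match(name):
            raise ValueError(f"invalid mapped name: {name}")
    if len(ends) == 1:
        return 1
    if len(ends) != 2:
        raise ValueError(f"malformed mapped name range: {spec}")
    first, last = (_RANGE_NAME.match(end) for end in ends)
    if not first or not last:
        raise ValueError("mapped range ends need an alphabetic portion followed by a numeric portion")
    if first.group(1) != last.group(1):
        raise ValueError("the alphabetic portion must match at both ends of the mapped range")
    lo, hi = int(first.group(2)), int(last.group(2))
    if hi < lo:
        raise ValueError("mapped name range end is lower than its start")
    return hi - lo + 1


def check_allocation(interface_spec: str, mapped_spec: Optional[str] = None) -> Optional[str]:
    """Return None when the arguments are acceptable, else the reason they fail."""
    try:
        n_if = _interface_count(interface_spec)
        n_map = 1 if mapped_spec is None else _mapped_count(mapped_spec)
    except ValueError as exc:
        return str(exc)
    if mapped_spec is not None and n_if != n_map:
        return f"{n_map} mapped name(s) for {n_if} interface(s): counts must match"
    return None
```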

Step 4 Identify the URL from which the system downloads the context configuration:
config-url url
Example:

ciscoasa(config-ctx)# config-url ftp://user1:[email protected]/configlets/test.cfg

Step 5 (Optional) Allow each context to use flash memory to store VPN packages, such as AnyConnect, as well as
providing storage for AnyConnect and clientless SSL VPN portal customizations. For example, if you are
using multiple context mode to configure an AnyConnect profile with Dynamic Access Policies, you must
plan for context specific private storage. Each context can use a private storage space as well as a shared
read-only storage space. Note: Make sure the target directory is already present on the specified disk using
the mkdir command.
storage-url {private | shared} [diskn:/]path [context_label]
Example:

ciscoasa(config)# mkdir disk1:/private-storage
ciscoasa(config)# mkdir disk1:/shared-storage
ciscoasa(config)# context admin
ciscoasa(config-ctx)# storage-url private disk1:/private-storage context
ciscoasa(config-ctx)# storage-url shared disk1:/shared-storage shared

You can specify one private storage space per context. You can read/write/delete from this directory within
the context (as well as from the system execution space). If you do not specify the disk number, the default
is disk0. Under the specified path, the ASA creates a sub-directory named after the context. For example, for
contextA if you specify disk1:/private-storage for the path, then the ASA creates a sub-directory for this
context at disk1:/private-storage/contextA/. You can also optionally name the path within the context with
a context_label, so that the file system is not exposed to context administrators. For example, if you specify
the context_label as context, then from within the context, this directory is called context:. To control how
much disk space is allowed per context, see Configure a Class for Resource Management, on page 199.
You can specify one read-only shared storage space per context, but you can create multiple shared directories.
To reduce duplication of common large files that can be shared among all contexts, such as AnyConnect
packages, you can use the shared storage space. The ASA does not create context sub-directories for this
storage space because it is a shared space for multiple contexts. Only the system execution space can write
and delete from the shared directory.

Step 6 (Optional) Assign the context to a resource class:


member class_name
Example:

ciscoasa(config-ctx)# member gold

If you do not specify a class, the context belongs to the default class. You can only assign a context to one
resource class.

Step 7 (Optional) Assign an IPS virtual sensor to this context if you have the IPS module installed:
allocate-ips sensor_name [mapped_name] [default]
Example:

ciscoasa(config-ctx)# allocate-ips sensor1 highsec

See the IPS quick start guide for detailed information about virtual sensors.
• When you add a context URL, the system immediately loads the context so that it is running, if the
configuration is available.
• Enter the allocate-interface commands before you enter the config-url command. If you enter the
config-url command first, the ASA loads the context configuration immediately. If the context contains
any commands that refer to (not yet configured) interfaces, those commands fail.
• The filename does not require a file extension, although we recommend using “.cfg”. The server must
be accessible from the admin context. If the configuration file is not available, you see the following
warning message:

WARNING: Could not fetch the URL url
INFO: Creating context with default config


• For non-HTTP(S) URL locations, after you specify the URL, you can then change to the context, configure
it at the CLI, and enter the write memory command to write the file to the URL location. (HTTP(S) is
read only).
• The admin context file must be stored on the internal flash memory.
• Available URL types include: disknumber (for flash memory), ftp, http, https, or tftp.
• To change the URL, reenter the config-url command with a new URL.

Step 8 (Optional) Assign a context to a failover group in Active/Active failover:


join-failover-group {1 | 2}
Example:

ciscoasa(config-ctx)# join-failover-group 2

By default, contexts are in group 1. The admin context must always be in group 1.

Step 9 (Optional) Enable Cloud Web Security for this context:


scansafe [license key]
Example:

ciscoasa(config-ctx)# scansafe

If you do not specify a license, the context uses the license configured in the system configuration. The ASA
sends the authentication key to the Cloud Web Security proxy servers to indicate from which organization
the request comes. The authentication key is a 16-byte hexadecimal number.
See the firewall configuration guide for detailed information about ScanSafe.

Example
The following example sets the admin context to be “administrator,” creates a context called
“administrator” on the internal flash memory, and then adds two contexts from an FTP server:

ciscoasa(config)# admin-context admin
ciscoasa(config)# context admin
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/0.1
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.1
ciscoasa(config-ctx)# config-url disk0:/admin.cfg

ciscoasa(config-ctx)# context test
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/0.100 int1
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/0.102 int2
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/0.110-gigabitethernet0/0.115 int3-int8
ciscoasa(config-ctx)# config-url ftp://user1:[email protected]/configlets/test.cfg
ciscoasa(config-ctx)# member gold

ciscoasa(config-ctx)# context sample
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.200 int1
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.212 int2
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235 int3-int8
ciscoasa(config-ctx)# config-url ftp://user1:[email protected]/configlets/sample.cfg
ciscoasa(config-ctx)# member silver

Assign MAC Addresses to Context Interfaces Automatically


This section describes how to configure auto-generation of MAC addresses. The MAC address is used to
classify packets within a context.

Before you begin


• When you configure a nameif command for the interface in a context, the new MAC address is generated
immediately. If you enable this feature after you configure context interfaces, then MAC addresses are
generated for all interfaces immediately after you enable it. If you disable this feature, the MAC address
for each interface reverts to the default MAC address. For example, subinterfaces of GigabitEthernet 0/1
revert to using the MAC address of GigabitEthernet 0/1.
• In the rare circumstance that the generated MAC address conflicts with another private MAC address in
your network, you can manually set the MAC address for the interface within the context.

Procedure

Automatically assign private MAC addresses to each context interface:


mac-address auto [prefix prefix]
Example:

ciscoasa(config)# mac-address auto prefix 19

If you do not enter a prefix, then the ASA autogenerates the prefix based on the last two bytes of the interface
(ASA 5500-X) or backplane (ASASM) MAC address.
If you manually enter a prefix, then the prefix is a decimal value between 0 and 65535. This prefix is converted
to a four-digit hexadecimal number, and used as part of the MAC address.

Change Between Contexts and the System Execution Space


If you log in to the system execution space (or the admin context), you can change between contexts and
perform configuration and monitoring tasks within each context. The running configuration that you edit in
a configuration mode, or that is used in the copy or write commands, depends on your location. When you
are in the system execution space, the running configuration consists only of the system configuration; when
you are in a context, the running configuration consists only of that context. For example, you cannot view
all running configurations (system plus all contexts) by entering the show running-config command. Only
the current configuration displays.


Procedure

Step 1 Change to a context:


changeto context name
The prompt changes to ciscoasa/name#

Step 2 Change to the system execution space:


changeto system
The prompt changes to ciscoasa#

Manage Security Contexts


This section describes how to manage security contexts.

Remove a Security Context


You cannot remove the current admin context, unless you remove all contexts using the clear context command.

Note If you use failover, there is a delay between when you remove the context on the active unit and when the
context is removed on the standby unit. You might see an error message indicating that the number of interfaces
on the active and standby units are not consistent; this error is temporary and can be ignored.

Before you begin


Perform this procedure in the system execution space.

Procedure

Step 1 Remove a single context:


no context name
All context commands are also removed. The context configuration file is not removed from the config URL
location.

Step 2 Remove all contexts (including the admin context):


clear context
The context configuration files are not removed from the config URL locations.


Change the Admin Context


The system configuration does not include any network interfaces or network settings for itself; rather, when
the system needs to access network resources (such as downloading the contexts from the server), it uses one
of the contexts that is designated as the admin context.
The admin context is just like any other context, except that when a user logs in to the admin context, then
that user has system administrator rights and can access the system and all other contexts. The admin context
is not restricted in any way, and can be used as a regular context. However, because logging into the admin
context grants you administrator privileges over all contexts, you might need to restrict access to the admin
context to appropriate users.

Before you begin


• You can set any context to be the admin context, as long as the configuration file is stored in the internal
flash memory.
• Perform this procedure in the system execution space.

Procedure

Set the admin context:


admin-context context_name
Example:

ciscoasa(config)# admin-context administrator

Any remote management sessions, such as Telnet, SSH, or HTTPS, that are connected to the admin context
are terminated. You must reconnect to the new admin context.
A few system configuration commands, including ntp server, identify an interface name that belongs to the
admin context. If you change the admin context, and that interface name does not exist in the new admin
context, be sure to update any system commands that refer to the interface.

Change the Security Context URL


This section describes how to change the context URL.

Before you begin


• You cannot change the security context URL without reloading the configuration from the new URL.
The ASA merges the new configuration with the current running configuration.
• Reentering the same URL also merges the saved configuration with the running configuration.
• A merge adds any new commands from the new configuration to the running configuration.
• If the configurations are the same, no changes occur.


• If commands conflict or if commands affect the running of the context, then the effect of the merge
depends on the command. You might get errors, or you might have unexpected results. If the running
configuration is blank (for example, if the server was unavailable and the configuration was never
downloaded), then the new configuration is used.

• If you do not want to merge the configurations, you can clear the running configuration, which disrupts
any communications through the context, and then reload the configuration from the new URL.
• Perform this procedure in the system execution space.

Procedure

Step 1 (Optional, if you do not want to perform a merge) Change to the context and clear its configuration:
changeto context name
clear configure all
Example:

ciscoasa(config)# changeto context ctx1
ciscoasa/ctx1(config)# clear configure all

If you want to perform a merge, skip to Step 2.

Step 2 Change to the system execution space:
changeto system
Example:

ciscoasa/ctx1(config)# changeto system
ciscoasa(config)#

Step 3 Enter the context configuration mode for the context you want to change:
context name
Example:

ciscoasa(config)# context ctx1

Step 4 Enter the new URL. The system immediately loads the context so that it is running:
config-url new_url
Example:

ciscoasa(config-ctx)# config-url ftp://user1:[email protected]/configlets/ctx1.cfg


Reload a Security Context


You can reload the context in two ways:
• Clear the running configuration and then import the startup configuration.
This action clears most attributes associated with the context, such as connections and NAT tables.
• Remove the context from the system configuration.
This action clears additional attributes, such as memory allocation, which might be useful for
troubleshooting. However, to add the context back to the system requires you to respecify the URL and
interfaces.

Reload by Clearing the Configuration

Procedure

Step 1 Change to the context that you want to reload:


changeto context name
Example:

ciscoasa(config)# changeto context ctx1
ciscoasa/ctx1(config)#

Step 2 Clear the running configuration:


clear configure all
This command clears all connections.

Step 3 Reload the configuration:


copy startup-config running-config
Example:

ciscoasa/ctx1(config)# copy startup-config running-config

The ASA copies the configuration from the URL specified in the system configuration. You cannot change
the URL from within a context.

Reload by Removing and Re-adding the Context


To reload the context by removing the context and then re-adding it, perform the steps.


Procedure

Step 1 Remove the context as described in Remove a Security Context, on page 209, and also delete the
configuration file from the config URL location, because removing the context does not delete the file.
Step 2 Re-add the context as described in Configure a Security Context, on page 203.

Monitoring Security Contexts


This section describes how to view and monitor context information.

View Context Information


From the system execution space, you can view a list of contexts including the name, allocated interfaces,
and configuration file URL.

Procedure

Show all contexts:


show context [name | detail| count]
If you want to show information for a particular context, specify the name.
The detail option shows additional information. See the following sample outputs below for more information.
The count option shows the total number of contexts.

Example
The following sample output from the show context command shows three contexts:

ciscoasa# show context

Context Name      Interfaces                 URL
*admin            GigabitEthernet0/1.100     disk0:/admin.cfg
                  GigabitEthernet0/1.101
contexta          GigabitEthernet0/1.200     disk0:/contexta.cfg
                  GigabitEthernet0/1.201
contextb          GigabitEthernet0/1.300     disk0:/contextb.cfg
                  GigabitEthernet0/1.301
Total active Security Contexts: 3

The following table shows each field description.


Table 6: show context Fields

Field          Description

Context Name   Lists all context names. The context name with the asterisk (*) is the admin context.

Interfaces     The interfaces assigned to the context.

URL            The URL from which the ASA loads the context configuration.

The following is sample output from the show context detail command:

ciscoasa# show context detail

Context "admin", has been created, but initial ACL rules not complete
Config URL: disk0:/admin.cfg
Real Interfaces: Management0/0
Mapped Interfaces: Management0/0
Flags: 0x00000013, ID: 1

Context "ctx", has been created, but initial ACL rules not complete
Config URL: ctx.cfg
Real Interfaces: GigabitEthernet0/0.10, GigabitEthernet0/1.20,
GigabitEthernet0/2.30
Mapped Interfaces: int1, int2, int3
Flags: 0x00000011, ID: 2

Context "system", is a system resource


Config URL: startup-config
Real Interfaces:
Mapped Interfaces: Control0/0, GigabitEthernet0/0,
GigabitEthernet0/0.10, GigabitEthernet0/1, GigabitEthernet0/1.10,
GigabitEthernet0/1.20, GigabitEthernet0/2, GigabitEthernet0/2.30,
GigabitEthernet0/3, Management0/0, Management0/0.1
Flags: 0x00000019, ID: 257

Context "null", is a system resource


Config URL: ... null ...
Real Interfaces:
Mapped Interfaces:
Flags: 0x00000009, ID: 258

See the command reference for more information about the detail output.
The following is sample output from the show context count command:

ciscoasa# show context count


Total active contexts: 2

View Resource Allocation


From the system execution space, you can view the allocation for each resource across all classes and class
members.


Procedure

Show the resource allocation:


show resource allocation [detail]
This command shows the resource allocation, but does not show the actual resources being used. See View
Resource Usage, on page 218 for more information about actual resource usage.
The detail argument shows additional information. See the following sample outputs for more information.

Example
The following sample output shows the total allocation of each resource as an absolute value and as
a percentage of the available system resources:

ciscoasa# show resource allocation


Resource Total % of Avail
Conns [rate] 35000 N/A
Inspects [rate] 35000 N/A
Syslogs [rate] 10500 N/A
Conns 305000 30.50%
Hosts 78842 N/A
SSH 35 35.00%
Routes 5000 N/A
Telnet 35 35.00%
Xlates 91749 N/A
AnyConnect 1000 10%
AnyConnectBurst 200 2%
Other VPN Sessions 20 2.66%
Other VPN Burst 20 2.66%
All unlimited

The following table shows each field description.

Table 7: show resource allocation Fields

Field          Description

Resource       The name of the resource that you can limit.

Total          The total amount of the resource that is allocated across all contexts. The amount is
               an absolute number of concurrent instances or instances per second. If you specified
               a percentage in the class definition, the ASA converts the percentage to an absolute
               number for this display.

% of Avail     The percentage of the total system resources that is allocated across all contexts, if
               the resource has a hard system limit. If a resource does not have a system limit, this
               column shows N/A.


The following is sample output from the show resource allocation detail command:

ciscoasa# show resource allocation detail


Resource Origin:
A Value was derived from the resource 'all'
C Value set in the definition of this class
D Value set in default class
Resource Class Mmbrs Origin Limit Total Total %
Conns [rate] default all CA unlimited
gold 1 C 34000 34000 N/A
silver 1 CA 17000 17000 N/A
bronze 0 CA 8500
All Contexts: 3 51000 N/A

Inspects [rate] default all CA unlimited


gold 1 DA unlimited
silver 1 CA 10000 10000 N/A
bronze 0 CA 5000
All Contexts: 3 10000 N/A

Syslogs [rate] default all CA unlimited


gold 1 C 6000 6000 N/A
silver 1 CA 3000 3000 N/A
bronze 0 CA 1500
All Contexts: 3 9000 N/A

Conns default all CA unlimited


gold 1 C 200000 200000 20.00%
silver 1 CA 100000 100000 10.00%
bronze 0 CA 50000
All Contexts: 3 300000 30.00%

Hosts default all CA unlimited


gold 1 DA unlimited
silver 1 CA 26214 26214 N/A
bronze 0 CA 13107
All Contexts: 3 26214 N/A

SSH default all C 5


gold 1 D 5 5 5.00%
silver 1 CA 10 10 10.00%
bronze 0 CA 5
All Contexts: 3 20 20.00%

Telnet default all C 5


gold 1 D 5 5 5.00%
silver 1 CA 10 10 10.00%
bronze 0 CA 5
All Contexts: 3 20 20.00%

Routes default all C unlimited N/A


gold 1 D unlimited 5 N/A
silver 1 CA 10 10 N/A
bronze 0 CA 5 N/A
All Contexts: 3 20 N/A

Xlates default all CA unlimited


gold 1 DA unlimited
silver 1 CA 23040 23040 N/A
bronze 0 CA 11520
All Contexts: 3 23040 N/A

mac-addresses default all C 65535


gold 1 D 65535 65535 100.00%


silver 1 CA 6553 6553 9.99%
bronze 0 CA 3276
All Contexts: 3 137623 209.99%

The following table shows each field description.

Table 8: show resource allocation detail Fields

Field          Description

Resource       The name of the resource that you can limit.

Class          The name of each class, including the default class. The All Contexts row shows the
               total values across all classes.

Mmbrs          The number of contexts assigned to each class.

Origin         The origin of the resource limit, as follows:
               • A—You set this limit with the all option, instead of as an individual resource.
               • C—This limit is derived from the member class.
               • D—This limit was not defined in the member class, but was derived from the default
                 class. For a context assigned to the default class, the value will be “C” instead
                 of “D.”
               The ASA can combine “A” with “C” or “D.”

Limit          The limit of the resource per context, as an absolute number. If you specified a
               percentage in the class definition, the ASA converts the percentage to an absolute
               number for this display.

Total          The total amount of the resource that is allocated across all contexts in the class.
               The amount is an absolute number of concurrent instances or instances per second. If
               the resource is unlimited, this display is blank.

% of Avail     The percentage of the total system resources that is allocated across all contexts in
               the class. If the resource is unlimited, this display is blank. If the resource does
               not have a system limit, then this column shows N/A.


View Resource Usage


From the system execution space, you can view the resource usage for each context and display the system
resource usage.

Procedure

View resource usage for each context:


show resource usage [context context_name | top n | all | summary | system] [resource {resource_name |
all} | detail] [counter counter_name [count_threshold]]
• By default, all context usage is displayed; each context is listed separately.
• Enter the top n keyword to show the contexts that are the top n users of the specified resource. You must
specify a single resource type, and not resource all, with this option.
• The summary option shows all context usage combined.
• The system option shows all context usage combined, but shows the system limits for resources instead
of the combined context limits.
• For the resource resource_name, see Configure a Class for Resource Management, on page 199 for
available resource names. See also the show resource type command. Specify all (the default) for all
types.
• The detail option shows the resource usage of all resources, including those you cannot manage. For
example, you can view the number of TCP intercepts.
• The counter counter_name is one of the following keywords:
• current—Shows the active concurrent instances or the current rate of the resource.
• denied—Shows the number of instances that were denied because they exceeded the resource limit
shown in the Limit column.
• peak—Shows the peak concurrent instances, or the peak rate of the resource since the statistics
were last cleared, either using the clear resource usage command or because the device rebooted.
• all—(Default) Shows all statistics.

• The count_threshold sets the number above which resources are shown. The default is 1. If the usage of
the resource is below the number you set, then the resource is not shown. If you specify all for the counter
name, then the count_threshold applies to the current usage.
• To show all resources, set the count_threshold to 0.

Examples
The following is sample output from the show resource usage context command, which shows the
resource usage for the admin context:


ciscoasa# show resource usage context admin

Resource Current Peak Limit Denied Context


Telnet 1 1 5 0 admin
Conns 44 55 N/A 0 admin
Hosts 45 56 N/A 0 admin

The following is sample output from the show resource usage summary command, which shows
the resource usage for all contexts and all resources. This sample shows the limits for six contexts.

ciscoasa# show resource usage summary

Resource Current Peak Limit Denied Context


Syslogs [rate] 1743 2132 N/A 0 Summary
Conns 584 763 280000(S) 0 Summary
Xlates 8526 8966 N/A 0 Summary
Hosts 254 254 N/A 0 Summary
Conns [rate] 270 535 N/A 1704 Summary
Inspects [rate] 270 535 N/A 0 Summary
AnyConnect 2 25 1000 0 Summary
AnyConnectBurst 0 0 200 0 Summary
Other VPN Sessions 0 10 10 740 Summary
Other VPN Burst 0 10 10 730 Summary

S = System: Combined context limits exceed the system limit; the system limit is shown.

The following is sample output from the show resource usage summary command, which shows
the limits for 25 contexts. Because the per-context limit for Telnet and SSH connections is 5, the
combined limit across 25 contexts is 125. The system limit is only 100, so the system limit is shown.

ciscoasa# show resource usage summary

Resource Current Peak Limit Denied Context


Telnet 1 1 100[S] 0 Summary
SSH 2 2 100[S] 0 Summary
Conns 56 90 130000(S) 0 Summary
Hosts 89 102 N/A 0 Summary
S = System: Combined context limits exceed the system limit; the system limit is shown.

The following is sample output from the show resource usage system command, which shows the
resource usage for all contexts, but it shows the system limit instead of the combined context limits.
The counter all 0 option is used to show resources that are not currently in use. The Denied statistics
indicate how many times the resource was denied due to the system limit, if available.

ciscoasa# show resource usage system counter all 0

Resource Current Peak Limit Denied Context


Telnet 0 0 100 0 System
SSH 0 0 100 0 System
ASDM 0 0 32 0 System
Routes 0 0 N/A 0 System
IPSec 0 0 5 0 System
Syslogs [rate] 1 18 N/A 0 System
Conns 0 1 280000 0 System
Xlates 0 0 N/A 0 System
Hosts 0 2 N/A 0 System
Conns [rate] 1 1 N/A 0 System


Inspects [rate] 0 0 N/A 0 System


AnyConnect 2 25 10000 0 System
AnyConnectBurst 0 0 200 0 System
Other VPN Sessions 0 10 750 740 System
Other VPN Burst 0 10 750 730 System

Monitor SYN Attacks in Contexts


The ASA prevents SYN attacks using TCP Intercept. TCP Intercept uses the SYN cookies algorithm to prevent
TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN packets, usually originating
from spoofed IP addresses. The constant flood of SYN packets keeps the server SYN queue full, which
prevents it from servicing legitimate connection requests. When the embryonic (half-open) connection
threshold configured for a connection is crossed, the ASA acts as a proxy for the server and generates a
SYN-ACK response to the client SYN request. Only when the ASA receives the ACK back from the client does
it validate the client and allow the connection through to the server, so a spoofed source that never
completes the handshake never reaches the server.

Procedure

Step 1 Monitor the rate of attacks for individual contexts:


show perfmon

Step 2 Monitor the amount of resources being used by TCP intercept for individual contexts:
show resource usage detail

Step 3 Monitor the resources being used by TCP intercept for the entire system:
show resource usage summary detail

Examples
The following is sample output from the show perfmon command that shows the rate of TCP
intercepts for a context called admin.

ciscoasa/admin# show perfmon

Context:admin
PERFMON STATS: Current Average
Xlates 0/s 0/s
Connections 0/s 0/s
TCP Conns 0/s 0/s
UDP Conns 0/s 0/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
WebSns Req 0/s 0/s
TCP Fixup 0/s 0/s
HTTP Fixup 0/s 0/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s


TCP Intercept 322779/s 322779/s

The following is sample output from the show resource usage detail command that shows the
amount of resources being used by TCP Intercept for individual contexts. (The tcp-intercepts row for
the admin context and the tcp-intercept-rate row for context c1 carry the TCP Intercept information.)

ciscoasa(config)# show resource usage detail


Resource Current Peak Limit Denied Context
memory 843732 847288 unlimited 0 admin
chunk:channels 14 15 unlimited 0 admin
chunk:fixup 15 15 unlimited 0 admin
chunk:hole 1 1 unlimited 0 admin
chunk:ip-users 10 10 unlimited 0 admin
chunk:list-elem 21 21 unlimited 0 admin
chunk:list-hdr 3 4 unlimited 0 admin
chunk:route 2 2 unlimited 0 admin
chunk:static 1 1 unlimited 0 admin
tcp-intercepts 328787 803610 unlimited 0 admin
np-statics 3 3 unlimited 0 admin
statics 1 1 unlimited 0 admin
ace-rules 1 1 unlimited 0 admin
console-access-rul 2 2 unlimited 0 admin
fixup-rules 14 15 unlimited 0 admin
memory 959872 960000 unlimited 0 c1
chunk:channels 15 16 unlimited 0 c1
chunk:dbgtrace 1 1 unlimited 0 c1
chunk:fixup 15 15 unlimited 0 c1
chunk:global 1 1 unlimited 0 c1
chunk:hole 2 2 unlimited 0 c1
chunk:ip-users 10 10 unlimited 0 c1
chunk:udp-ctrl-blk 1 1 unlimited 0 c1
chunk:list-elem 24 24 unlimited 0 c1
chunk:list-hdr 5 6 unlimited 0 c1
chunk:nat 1 1 unlimited 0 c1
chunk:route 2 2 unlimited 0 c1
chunk:static 1 1 unlimited 0 c1
tcp-intercept-rate 16056 16254 unlimited 0 c1
globals 1 1 unlimited 0 c1
np-statics 3 3 unlimited 0 c1
statics 1 1 unlimited 0 c1
nats 1 1 unlimited 0 c1
ace-rules 2 2 unlimited 0 c1
console-access-rul 2 2 unlimited 0 c1
fixup-rules 14 15 unlimited 0 c1
memory 232695716 232020648 unlimited 0 system
chunk:channels 17 20 unlimited 0 system
chunk:dbgtrace 3 3 unlimited 0 system
chunk:fixup 15 15 unlimited 0 system
chunk:ip-users 4 4 unlimited 0 system
chunk:list-elem 1014 1014 unlimited 0 system
chunk:list-hdr 1 1 unlimited 0 system
chunk:route 1 1 unlimited 0 system
block:16384 510 885 unlimited 0 system
block:2048 32 34 unlimited 0 system

The following sample output shows the resources being used by TCP Intercept for the entire system.
(The tcp-intercept-rate row carries the TCP Intercept information.)

ciscoasa(config)# show resource usage summary detail


Resource Current Peak Limit Denied Context


memory 238421312 238434336 unlimited 0 Summary


chunk:channels 46 48 unlimited 0 Summary
chunk:dbgtrace 4 4 unlimited 0 Summary
chunk:fixup 45 45 unlimited 0 Summary
chunk:global 1 1 unlimited 0 Summary
chunk:hole 3 3 unlimited 0 Summary
chunk:ip-users 24 24 unlimited 0 Summary
chunk:udp-ctrl-blk 1 1 unlimited 0 Summary
chunk:list-elem 1059 1059 unlimited 0 Summary
chunk:list-hdr 10 11 unlimited 0 Summary
chunk:nat 1 1 unlimited 0 Summary
chunk:route 5 5 unlimited 0 Summary
chunk:static 2 2 unlimited 0 Summary
block:16384 510 885 unlimited 0 Summary
block:2048 32 35 unlimited 0 Summary
tcp-intercept-rate 341306 811579 unlimited 0 Summary
globals 1 1 unlimited 0 Summary
np-statics 6 6 unlimited 0 Summary
statics 2 2 N/A 0 Summary
nats 1 1 N/A 0 Summary
ace-rules 3 3 N/A 0 Summary
console-access-rul 4 4 N/A 0 Summary
fixup-rules 43 44 N/A 0 Summary
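The tables in View Resource Usage and the TCP Intercept counters in this section share one layout (Resource, Current, Peak, Limit, Denied, Context), so one parser serves both. The Python below is an added example, not part of this guide or of the ASA software. It runs against constructed samples trimmed from the outputs shown on this page and flags what a practitioner watches: resources with a non-zero Denied count, limits marked (S) or [S] because the combined context limits exceed the system limit, resources whose peak is close to their limit, and contexts whose tcp-intercept counter is at or above a threshold. The threshold value is an assumption chosen for the sample and should be tuned to the normal traffic of each context.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Limit column: a number, N/A or unlimited, optionally tagged (S) or [S] when
# the system limit is shown instead of the combined context limits.
LIMIT_RE = re.compile(r"^(\d+|N/A|unlimited)([\[(]S[\])])?$")


@dataclass
class UsageRow:
    resource: str
    current: int
    peak: int
    limit: Optional[int]   # None when the Limit column is N/A or unlimited
    system_capped: bool    # True when the Limit column carried (S) or [S]
    denied: int
    context: str


def parse_resource_usage(text: str) -> List[UsageRow]:
    """Parse any show resource usage table (context, summary, system, detail).

    Resource names may contain spaces ("Conns [rate]", "Other VPN Sessions"),
    so each row is split from the right: the last five fields are Current,
    Peak, Limit, Denied and Context; whatever precedes them is the name.
    """
    rows: List[UsageRow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Resource":
            continue  # prompt, header, legend or blank line
        if not (parts[-5].isdigit() and parts[-4].isdigit() and parts[-2].isdigit()):
            continue
        m = LIMIT_RE.match(parts[-3])
        if not m:
            continue
        limit_tok, marker = m.groups()
        rows.append(UsageRow(
            resource=" ".join(parts[:-5]),
            current=int(parts[-5]),
            peak=int(parts[-4]),
            limit=int(limit_tok) if limit_tok.isdigit() else None,
            system_capped=marker is not None,
            denied=int(parts[-2]),
            context=parts[-1],
        ))
    return rows


def denied_resources(rows: List[UsageRow], min_denied: int = 1) -> List[UsageRow]:
    """Rows whose Denied counter shows requests rejected at a limit."""
    return [r for r in rows if r.denied >= min_denied]


def system_capped(rows: List[UsageRow]) -> List[UsageRow]:
    """Rows where the combined context limits exceed the system limit ((S)/[S])."""
    return [r for r in rows if r.system_capped]


def near_limit(rows: List[UsageRow], pct: int = 80) -> List[UsageRow]:
    """Rows with a hard limit whose peak reached pct percent of it."""
    return [r for r in rows if r.limit and r.peak * 100 >= r.limit * pct]


def tcp_intercept_by_context(rows: List[UsageRow]) -> Dict[str, Tuple[int, int]]:
    """(current, peak) of the tcp-intercepts / tcp-intercept-rate counter per context."""
    return {r.context: (r.current, r.peak)
            for r in rows if r.resource.startswith("tcp-intercept")}


def contexts_under_syn_flood(rows: List[UsageRow], threshold: int) -> List[str]:
    """Contexts whose current TCP Intercept counter is at or above threshold
    (the threshold is an assumption; tune it to the context's normal traffic)."""
    return sorted(ctx for ctx, (cur, _) in tcp_intercept_by_context(rows).items()
                  if cur >= threshold)


# Constructed samples trimmed from the outputs shown on this page.
SUMMARY_SAMPLE = """\
ciscoasa# show resource usage summary
Resource Current Peak Limit Denied Context
Telnet 1 1 100[S] 0 Summary
SSH 2 2 100[S] 0 Summary
Conns 56 90 130000(S) 0 Summary
Hosts 89 102 N/A 0 Summary
Conns [rate] 270 535 N/A 1704 Summary
Other VPN Sessions 0 10 10 740 Summary
S = System: Combined context limits exceed the system limit; the system limit is shown.
"""

DETAIL_SAMPLE = """\
ciscoasa(config)# show resource usage detail
Resource Current Peak Limit Denied Context
memory 843732 847288 unlimited 0 admin
tcp-intercepts 328787 803610 unlimited 0 admin
memory 959872 960000 unlimited 0 c1
tcp-intercept-rate 16056 16254 unlimited 0 c1
"""

if __name__ == "__main__":
    summary = parse_resource_usage(SUMMARY_SAMPLE)
    for r in denied_resources(summary):
        print(f"DENIED  {r.resource}: {r.denied} denied in {r.context}")
    for r in system_capped(summary):
        print(f"CAPPED  {r.resource}: limit {r.limit} is the system limit")
    for r in near_limit(summary):
        print(f"NEAR    {r.resource}: peak {r.peak} of limit {r.limit}")
    detail = parse_resource_usage(DETAIL_SAMPLE)
    print("SYN flood suspects:", contexts_under_syn_flood(detail, 100_000))
```

Feed it the real output captured over SSH from the system execution space; a Denied count that keeps rising on Conns [rate] or Other VPN Sessions, or a context whose tcp-intercepts counter climbs while its peers stay flat, is the signal to look at with show perfmon in that context.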

View Assigned MAC Addresses


You can view auto-generated MAC addresses within the system configuration or within the context.

View MAC Addresses in the System Configuration


This section describes how to view MAC addresses in the system configuration.

Before you begin


If you manually assign a MAC address to an interface, but also have auto-generation enabled, the auto-generated
address continues to show in the configuration even though the manual MAC address is the one that is in use.
If you later remove the manual MAC address, the auto-generated one shown will be used.

Procedure

Show the assigned MAC addresses from the system execution space:
show running-config all context [name]
The all option is required to view the assigned MAC addresses. Although the mac-address auto command
is user-configurable in global configuration mode only, the command appears as a read-only entry in context
configuration mode along with the assigned MAC address. Only allocated interfaces that are configured with
a nameif command within the context have a MAC address assigned.


Examples
The following output from the show running-config all context admin command shows the primary
and standby MAC address assigned to the Management0/0 interface:

ciscoasa# show running-config all context admin

context admin
allocate-interface Management0/0
mac-address auto Management0/0 a24d.0000.1440 a24d.0000.1441
config-url disk0:/admin.cfg

The following output from the show running-config all context command shows all the MAC
addresses (primary and standby) for all context interfaces. Note that because the GigabitEthernet0/0
and GigabitEthernet0/1 main interfaces are not configured with a nameif command inside the contexts,
no MAC addresses have been generated for them.

ciscoasa# show running-config all context

admin-context admin
context admin
allocate-interface Management0/0
mac-address auto Management0/0 a2d2.0400.125a a2d2.0400.125b
config-url disk0:/admin.cfg
!

context CTX1
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/0.1-GigabitEthernet0/0.5
mac-address auto GigabitEthernet0/0.1 a2d2.0400.11bc a2d2.0400.11bd
mac-address auto GigabitEthernet0/0.2 a2d2.0400.11c0 a2d2.0400.11c1
mac-address auto GigabitEthernet0/0.3 a2d2.0400.11c4 a2d2.0400.11c5
mac-address auto GigabitEthernet0/0.4 a2d2.0400.11c8 a2d2.0400.11c9
mac-address auto GigabitEthernet0/0.5 a2d2.0400.11cc a2d2.0400.11cd
allocate-interface GigabitEthernet0/1
allocate-interface GigabitEthernet0/1.1-GigabitEthernet0/1.3
mac-address auto GigabitEthernet0/1.1 a2d2.0400.120c a2d2.0400.120d
mac-address auto GigabitEthernet0/1.2 a2d2.0400.1210 a2d2.0400.1211
mac-address auto GigabitEthernet0/1.3 a2d2.0400.1214 a2d2.0400.1215
config-url disk0:/CTX1.cfg
!

context CTX2
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/0.1-GigabitEthernet0/0.5
mac-address auto GigabitEthernet0/0.1 a2d2.0400.11ba a2d2.0400.11bb
mac-address auto GigabitEthernet0/0.2 a2d2.0400.11be a2d2.0400.11bf
mac-address auto GigabitEthernet0/0.3 a2d2.0400.11c2 a2d2.0400.11c3
mac-address auto GigabitEthernet0/0.4 a2d2.0400.11c6 a2d2.0400.11c7
mac-address auto GigabitEthernet0/0.5 a2d2.0400.11ca a2d2.0400.11cb
allocate-interface GigabitEthernet0/1
allocate-interface GigabitEthernet0/1.1-GigabitEthernet0/1.3
mac-address auto GigabitEthernet0/1.1 a2d2.0400.120a a2d2.0400.120b
mac-address auto GigabitEthernet0/1.2 a2d2.0400.120e a2d2.0400.120f
mac-address auto GigabitEthernet0/1.3 a2d2.0400.1212 a2d2.0400.1213
config-url disk0:/CTX2.cfg
!
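The outputs above are the raw material for a check a practitioner wants before a context goes into service: that no auto-generated MAC address is assigned to two context interfaces, that each standby address is the primary plus one, and what addresses a given prefix will produce before it is configured. The following Python is an added example, not part of this guide or of the ASA software. It parses show running-config all context output (a constructed sample modelled on the output above, with one deliberate collision on GigabitEthernet0/0.2 between CTX1 and CTX2) and rebuilds addresses from a decimal prefix using the A2xx.yyzz.zzzz format described earlier in this chapter, where the four-digit hexadecimal prefix is written byte-reversed (prefix 77 = 004D gives A24D.00zz.zzzz, consistent with the a24d.0000.1440 shown above). The counter value passed to auto_mac_pair is an assumption for illustration; the ASA chooses it internally.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# One "mac-address auto <interface> <primary> <standby>" line as printed by
# show running-config all context.
MAC_AUTO_RE = re.compile(
    r"^\s*mac-address auto (\S+)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s*$",
    re.IGNORECASE,
)
CONTEXT_RE = re.compile(r"^\s*context (\S+)\s*$")


def mac_to_int(mac: str) -> int:
    return int(mac.replace(".", ""), 16)


def int_to_mac(value: int) -> str:
    h = f"{value:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def auto_mac_pair(prefix: int, counter: int) -> Tuple[str, str]:
    """Primary/standby pair the ASA derives from a decimal prefix.

    Format A2xx.yyzz.zzzz: the prefix becomes a four-digit hex value yyxx and is
    written byte-reversed (xxyy) after the fixed A2 byte; zz.zzzz is the ASA's
    internal 24-bit counter (passed in here as an assumption, since the ASA
    chooses it); the standby address is the primary plus one.
    """
    if not 0 <= prefix <= 65535:
        raise ValueError("prefix must be 0-65535")
    if not 0 <= counter <= 0xFFFFFF:
        raise ValueError("counter must fit in 24 bits")
    low, high = prefix & 0xFF, (prefix >> 8) & 0xFF
    primary = (0xA2 << 40) | (low << 32) | (high << 24) | counter
    return int_to_mac(primary), int_to_mac(primary + 1)


def parse_auto_macs(config_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (context, interface, primary, standby) for every auto MAC line."""
    rows, ctx = [], None
    for line in config_text.splitlines():
        m = CONTEXT_RE.match(line)
        if m:
            ctx = m.group(1)
            continue
        m = MAC_AUTO_RE.match(line)
        if m and ctx is not None:
            rows.append((ctx, m.group(1), m.group(2).lower(), m.group(3).lower()))
    return rows


def audit_auto_macs(rows) -> List[str]:
    """Report MACs shared by two context interfaces, standby addresses that are
    not primary+1, and primaries outside the A2 block the ASA generates from."""
    problems: List[str] = []
    owners: Dict[str, List[str]] = defaultdict(list)
    for ctx, ifc, primary, standby in rows:
        for mac in (primary, standby):
            owners[mac].append(f"{ctx}/{ifc}")
        if mac_to_int(standby) != mac_to_int(primary) + 1:
            problems.append(f"{ctx}/{ifc}: standby {standby} is not primary {primary} + 1")
        if not primary.startswith("a2"):
            problems.append(f"{ctx}/{ifc}: {primary} is not an ASA auto-generated address")
    for mac, who in owners.items():
        if len(who) > 1:
            problems.append(f"{mac} is assigned to more than one interface: {', '.join(who)}")
    return problems


# Constructed sample modelled on the output above; CTX2's GigabitEthernet0/0.2
# deliberately repeats CTX1's pair so the audit has something to find.
SAMPLE_CONFIG = """\
admin-context admin
context admin
 allocate-interface Management0/0
 mac-address auto Management0/0 a2d2.0400.125a a2d2.0400.125b
 config-url disk0:/admin.cfg
!
context CTX1
 allocate-interface GigabitEthernet0/0.1-GigabitEthernet0/0.5
 mac-address auto GigabitEthernet0/0.1 a2d2.0400.11bc a2d2.0400.11bd
 mac-address auto GigabitEthernet0/0.2 a2d2.0400.11c0 a2d2.0400.11c1
 config-url disk0:/CTX1.cfg
!
context CTX2
 allocate-interface GigabitEthernet0/0.1-GigabitEthernet0/0.5
 mac-address auto GigabitEthernet0/0.1 a2d2.0400.11ba a2d2.0400.11bb
 mac-address auto GigabitEthernet0/0.2 a2d2.0400.11c0 a2d2.0400.11c1
 config-url disk0:/CTX2.cfg
!
"""

if __name__ == "__main__":
    print(auto_mac_pair(77, 0x1440))  # prefix 77 -> ('a24d.0000.1440', 'a24d.0000.1441')
    for problem in audit_auto_macs(parse_auto_macs(SAMPLE_CONFIG)):
        print(problem)
```

Run the same audit across the running configurations of every ASA that shares a layer-2 domain, since the prefix is what keeps their generated addresses apart; a collision between two units is the case the manual mac-address override exists for.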


View MAC Addresses Within a Context


This section describes how to view MAC addresses within a context.

Procedure

Show the MAC address in use by each interface within the context:
show interface | include (Interface)|(MAC)

Example
For example:

ciscoasa/context# show interface | include (Interface)|(MAC)

Interface GigabitEthernet1/1.1 "g1/1.1", is down, line protocol is down


MAC address a201.0101.0600, MTU 1500
Interface GigabitEthernet1/1.2 "g1/1.2", is down, line protocol is down
MAC address a201.0102.0600, MTU 1500
Interface GigabitEthernet1/1.3 "g1/1.3", is down, line protocol is down
MAC address a201.0103.0600, MTU 1500
...

Note The show interface command shows the MAC address in use; if you manually assign a MAC address
and also have auto-generation enabled, then you can only view the unused auto-generated address
from within the system configuration.

Examples for Multiple Context Mode


The following example:
• Automatically sets the MAC addresses in contexts with a custom prefix.
• Sets the default class limit for conns to 10 percent instead of unlimited, and sets the VPN other sessions
to 10, with a burst of 5.
• Creates a gold resource class.
• Sets the admin context to be “administrator.”
• Creates a context called “administrator” on the internal flash memory to be part of the default resource
class.
• Adds two contexts from an FTP server as part of the gold resource class.

ciscoasa(config)# mac-address auto prefix 19


ciscoasa(config)# class default


ciscoasa(config-class)# limit-resource conns 10%
ciscoasa(config-class)# limit-resource vpn other 10
ciscoasa(config-class)# limit-resource vpn burst other 5

ciscoasa(config)# class gold


ciscoasa(config-class)# limit-resource mac-addresses 10000
ciscoasa(config-class)# limit-resource conns 15%
ciscoasa(config-class)# limit-resource rate conns 1000
ciscoasa(config-class)# limit-resource rate inspects 500
ciscoasa(config-class)# limit-resource hosts 9000
ciscoasa(config-class)# limit-resource asdm 5
ciscoasa(config-class)# limit-resource ssh 5
ciscoasa(config-class)# limit-resource rate syslogs 5000
ciscoasa(config-class)# limit-resource telnet 5
ciscoasa(config-class)# limit-resource xlates 36000
ciscoasa(config-class)# limit-resource routes 700
ciscoasa(config-class)# limit-resource vpn other 100
ciscoasa(config-class)# limit-resource vpn burst other 50

ciscoasa(config)# admin-context administrator


ciscoasa(config)# context administrator
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/0.1
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.1
ciscoasa(config-ctx)# config-url disk0:/admin.cfg

ciscoasa(config-ctx)# context test


ciscoasa(config-ctx)# allocate-interface gigabitethernet0/0.100 int1
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/0.102 int2
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/0.110-gigabitethernet0/0.115
int3-int8
ciscoasa(config-ctx)# config-url ftp://user1:[email protected]/configlets/test.cfg
ciscoasa(config-ctx)# member gold

ciscoasa(config-ctx)# context sample


ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.200 int1
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.212 int2
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235
int3-int8
ciscoasa(config-ctx)# config-url ftp://user1:[email protected]/configlets/sample.cfg
ciscoasa(config-ctx)# member gold
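The example above leaves a practical question open: which limits does each context actually end up with once classes and memberships are combined? The following script is an added example, not part of the guide or of Cisco's own tooling. It parses a running-config style excerpt modelled on the example (constructed here; the FTP password and host are placeholders) and resolves the effective limit per context, assuming the ASA rule that a context with no `member` line belongs to the default class and that a class inherits the default class's value for any resource it does not set itself. The function names `parse_resource_config`, `effective_limits` and `report` are this example's own.

```python
import re
from collections import OrderedDict

# Constructed running-config excerpt (not from the guide). It mirrors the
# CLI example above; the FTP credentials and host are placeholders.
SAMPLE_CONFIG = """\
class default
  limit-resource conns 10%
  limit-resource vpn other 10
  limit-resource vpn burst other 5
class gold
  limit-resource mac-addresses 10000
  limit-resource conns 15%
  limit-resource rate conns 1000
  limit-resource hosts 9000
  limit-resource vpn other 100
  limit-resource vpn burst other 50
admin-context administrator
context administrator
  allocate-interface gigabitethernet0/0.1
  config-url disk0:/admin.cfg
context test
  allocate-interface gigabitethernet0/0.100 int1
  config-url ftp://user1:PASSWORD_PLACEHOLDER@FTP_HOST_PLACEHOLDER/configlets/test.cfg
  member gold
context sample
  allocate-interface gigabitethernet0/1.200 int1
  config-url ftp://user1:PASSWORD_PLACEHOLDER@FTP_HOST_PLACEHOLDER/configlets/sample.cfg
  member gold
"""


def parse_resource_config(cfg):
    """Return (classes, contexts).

    classes  maps class name -> {resource name: configured value}
    contexts maps context name -> class name ('default' when no member line)
    """
    classes, contexts = OrderedDict(), OrderedDict()
    section = None  # ('class', name) or ('context', name)
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"^class (\S+)$", line)
        if m:
            section = ("class", m.group(1))
            classes.setdefault(m.group(1), OrderedDict())
            continue
        m = re.match(r"^context (\S+)$", line)
        if m:
            section = ("context", m.group(1))
            contexts.setdefault(m.group(1), "default")
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "class" and line.startswith("limit-resource "):
            # Everything between 'limit-resource' and the value is the resource
            # name, so multi-word resources such as 'vpn burst other' survive.
            words = line.split()
            classes[name][" ".join(words[1:-1])] = words[-1]
        elif kind == "context" and line.startswith("member "):
            contexts[name] = line.split()[1]
    return classes, contexts


def effective_limits(classes, contexts):
    """Resolve the limit each context actually gets (assumed ASA rule: a
    resource not set in the context's class falls back to the default class;
    a resource set in neither is simply absent from the result)."""
    default = classes.get("default", OrderedDict())
    result = OrderedDict()
    for ctx, cls in contexts.items():
        own = classes.get(cls, OrderedDict())
        merged = OrderedDict()
        for res in list(default) + [r for r in own if r not in default]:
            merged[res] = own.get(res, default.get(res))
        result[ctx] = merged
    return result


def report(cfg):
    """One line per context and resource, ready to print or diff."""
    classes, contexts = parse_resource_config(cfg)
    lines = []
    for ctx, limits in effective_limits(classes, contexts).items():
        lines.append(f"context {ctx} (class {contexts[ctx]}):")
        for res, val in limits.items():
            lines.append(f"  {res}: {val}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

Run against the sample, the administrator context reports the default class values (conns 10%, vpn other 10) while test and sample report the gold values (conns 15%, vpn other 100) plus the gold-only resources; comparing this output against what you intended is a quick way to catch a context that was never given a `member` line.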

History for Multiple Context Mode

Table 9: History for Multiple Context Mode

Feature Name: Multiple security contexts
Platform Releases: 7.0(1)
Feature Information: Multiple context mode was introduced. We introduced the following commands: context, mode, and class.

Feature Name: Automatic MAC address assignment
Platform Releases: 7.2(1)
Feature Information: Automatic assignment of MAC address to context interfaces was introduced. We introduced the following command: mac-address auto.

Feature Name: Resource management
Platform Releases: 7.2(1)
Feature Information: Resource management was introduced. We introduced the following commands: class, limit-resource, and member.

Feature Name: Virtual sensors for IPS
Platform Releases: 8.0(2)
Feature Information: The AIP SSM running IPS software Version 6.0 and above can run multiple virtual sensors, which means you can configure multiple security policies on the AIP SSM. You can assign each context or single mode ASA to one or more virtual sensors, or you can assign multiple security contexts to the same virtual sensor. We introduced the following command: allocate-ips.

Feature Name: Automatic MAC address assignment enhancements
Platform Releases: 8.0(5)/8.2(2)
Feature Information: The MAC address format was changed to use a prefix, to use a fixed starting value (A2), and to use a different scheme for the primary and secondary unit MAC addresses in a failover pair. The MAC addresses are also now persistent across reloads. The command parser now checks if auto-generation is enabled; if you want to also manually assign a MAC address, you cannot start the manual MAC address with A2. We modified the following command: mac-address auto prefix.

Feature Name: Maximum contexts increased for the ASA 5550 and 5580
Platform Releases: 8.4(1)
Feature Information: The maximum security contexts for the ASA 5550 was increased from 50 to 100. The maximum for the ASA 5580 was increased from 50 to 250.

Feature Name: Automatic MAC address assignment enabled by default
Platform Releases: 8.5(1)
Feature Information: Automatic MAC address assignment is now enabled by default. We modified the following command: mac-address auto.

Feature Name: Automatic generation of a MAC address prefix
Platform Releases: 8.6(1)
Feature Information: In multiple context mode, the ASA now converts the automatic MAC address generation configuration to use a default prefix. The ASA auto-generates the prefix based on the last two bytes of the interface (ASA 5500-X) or backplane (ASASM) MAC address. This conversion happens automatically when you reload, or if you reenable MAC address generation. The prefix method of generation provides many benefits, including a better guarantee of unique MAC addresses on a segment. You can view the auto-generated prefix by entering the show running-config mac-address command. If you want to change the prefix, you can reconfigure the feature with a custom prefix. The legacy method of MAC address generation is no longer available.
Note: To maintain hitless upgrade for failover pairs, the ASA does not convert the MAC address method in an existing configuration upon a reload if failover is enabled. However, we strongly recommend that you manually change to the prefix method of generation when using failover, especially for the ASASM. Without the prefix method, ASASMs installed in different slot numbers experience a MAC address change upon failover, and can experience traffic interruption. After upgrading, to use the prefix method of MAC address generation, reenable MAC address generation to use the default prefix.
We modified the following command: mac-address auto.

Feature Name: Automatic MAC address assignment disabled by default on all models except for the ASASM
Platform Releases: 9.0(1)
Feature Information: Automatic MAC address assignment is now disabled by default except for the ASASM. We modified the following command: mac-address auto.

Feature Name: Dynamic routing in Security Contexts
Platform Releases: 9.0(1)
Feature Information: EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.

Feature Name: New resource type for routing table entries
Platform Releases: 9.0(1)
Feature Information: A new resource type, routes, was created to set the maximum number of routing table entries in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation.

Feature Name: Site-to-Site VPN in multiple context mode
Platform Releases: 9.0(1)
Feature Information: Site-to-site VPN tunnels are now supported in multiple context mode.

Feature Name: New resource type for site-to-site VPN tunnels
Platform Releases: 9.0(1)
Feature Information: New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation.

Feature Name: New resource type for IKEv1 SA negotiations
Platform Releases: 9.1(2)
Feature Information: New resource type, ikev1 in-negotiation, was created to set the maximum percentage of IKEv1 SA negotiations in each context to prevent overwhelming the CPU and crypto engines. Under certain conditions (large certificates, CRL checking), you might want to restrict this resource. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation.

Feature Name: Support for Remote Access VPN in multiple context mode
Platform Releases: 9.5(2)
Feature Information: You can now use the following remote access features in multiple context mode:
• AnyConnect 3.x and later (SSL VPN only; no IKEv2 support)
• Centralized AnyConnect image configuration
• AnyConnect image upgrade
• Context Resource Management for AnyConnect connections
Note: The AnyConnect Apex license is required for multiple context mode; you cannot use the default or legacy license.
We introduced the following commands: limit-resource vpn anyconnect, limit-resource vpn burst anyconnect.

Feature Name: Pre-fill/Username-from-cert feature for multiple context mode
Platform Releases: 9.6(2)
Feature Information: AnyConnect SSL support is extended, allowing pre-fill/username-from-certificate feature CLIs, previously available only in single mode, to be enabled in multiple context mode as well. We did not modify any commands.

Feature Name: Flash Virtualization for Remote Access VPN
Platform Releases: 9.6(2)
Feature Information: Remote access VPN in multiple context mode now supports flash virtualization. Each context can have a private storage space and a shared storage space based on the total flash that is available:
• Private storage: Store files associated only with that user and specific to the content that you want for that user.
• Shared storage: Upload files to this space and have it accessible to any user context for read/write access once you enable it.
We introduced the following commands: limit-resource storage, storage-url.

Feature Name: AnyConnect client profiles supported in multi-context devices
Platform Releases: 9.6(2)
Feature Information: AnyConnect client profiles are supported in multi-context devices. To add a new profile using ASDM, you must have the AnyConnect Secure Mobility Client release 4.2.00748 or 4.3.03013 and later.

Feature Name: Stateful failover for AnyConnect connections in multiple context mode
Platform Releases: 9.6(2)
Feature Information: Stateful failover is now supported for AnyConnect connections in multiple context mode. We did not modify any commands.

Feature Name: Remote Access VPN Dynamic Access Policy (DAP) is supported in multiple context mode
Platform Releases: 9.6(2)
Feature Information: You can now configure DAP per context in multiple context mode. We did not modify any commands.

Feature Name: Remote Access VPN CoA (Change of Authorization) is supported in multiple context mode
Platform Releases: 9.6(2)
Feature Information: You can now configure CoA per context in multiple context mode. We did not modify any commands.

Feature Name: Remote Access VPN localization is supported in multiple context mode
Platform Releases: 9.6(2)
Feature Information: Localization is supported globally. There is only one set of localization files that are shared across different contexts. We did not modify any commands.

Feature Name: Remote Access VPN for IKEv2 is supported in multiple context mode
Platform Releases: 9.9(2)
Feature Information: You can configure Remote Access VPN in multiple context mode for IKEv2.

CHAPTER 8
Failover for High Availability
This chapter describes how to configure Active/Standby or Active/Active failover to accomplish high availability
of the Cisco ASA.
• About Failover, on page 231
• Licensing for Failover, on page 255
• Guidelines for Failover, on page 256
• Defaults for Failover, on page 257
• Configure Active/Standby Failover, on page 258
• Configure Active/Active Failover, on page 262
• Configure Optional Failover Parameters, on page 268
• Manage Failover, on page 275
• Monitoring Failover, on page 281
• History for Failover, on page 283

About Failover
Configuring failover requires two identical ASAs connected to each other through a dedicated failover link
and, optionally, a state link. The health of the active units and interfaces is monitored to determine if specific
failover conditions are met. If those conditions are met, failover occurs.

Failover Modes
The ASA supports two failover modes, Active/Active failover and Active/Standby failover. Each failover
mode has its own method for determining and performing failover.
• In Active/Standby failover, one unit is the active unit. It passes traffic. The standby unit does not actively
pass traffic. When a failover occurs, the active unit fails over to the standby unit, which then becomes
active. You can use Active/Standby failover for ASAs in single or multiple context mode.
• In an Active/Active failover configuration, both ASAs can pass network traffic. Active/Active failover
is only available to ASAs in multiple context mode. In Active/Active failover, you divide the security
contexts on the ASA into 2 failover groups. A failover group is simply a logical group of one or more
security contexts. One group is assigned to be active on the primary ASA, and the other group is assigned
to be active on the secondary ASA. When a failover occurs, it occurs at the failover group level.

Both failover modes support stateful or stateless failover.

Failover System Requirements
This section describes the hardware, software, and license requirements for ASAs in a Failover configuration.

Hardware Requirements
The two units in a Failover configuration must:
• Be the same model.
• Have the same number and types of interfaces.
For the Firepower 4100/9300 chassis, all interfaces must be preconfigured in FXOS identically before
you enable Failover. If you change the interfaces after you enable Failover, make the interface changes
in FXOS on the standby unit, and then make the same changes on the active unit. If you remove an
interface in FXOS (for example, if you remove a network module, remove an EtherChannel, or reassign
an interface to an EtherChannel), then the ASA configuration retains the original commands so that you
can make any necessary adjustments; removing an interface from the configuration can have wide effects.
You can manually remove the old interface configuration in the ASA OS.
• Have the same modules installed (if any).
• Have the same RAM installed.

If you are using units with different flash memory sizes in your Failover configuration, make sure the unit
with the smaller flash memory has enough space to accommodate the software image files and the configuration
files. If it does not, configuration synchronization from the unit with the larger flash memory to the unit with
the smaller flash memory will fail.

Software Requirements
The two units in a Failover configuration must:
• Be in the same context mode (single or multiple).
• For single mode: Be in the same firewall mode (routed or transparent).
In multiple context mode, the firewall mode is set at the context level, and you can use mixed modes.
• Have the same major (first number) and minor (second number) software version. However, you can
temporarily use different versions of the software during an upgrade process; for example, you can
upgrade one unit from Version 8.3(1) to Version 8.3(2) and have failover remain active. We recommend
upgrading both units to the same version to ensure long-term compatibility.
• Have the same AnyConnect images. If the failover pair has mismatched images when a hitless upgrade
is performed, then the clientless SSL VPN connection terminates in the final reboot step of the upgrade
process, the database shows an orphaned session, and the IP pool shows that the IP address assigned to
the client is “in use.”
• (Firepower 4100/9300) Have the same flow offload mode, either both enabled or both disabled.

License Requirements
The two units in a failover configuration do not need to have identical licenses; the licenses combine to make
a failover cluster license.

Failover and Stateful Failover Links
The failover link and the optional stateful failover link are dedicated connections between the two units. Cisco
recommends using the same interface on both devices for the failover link and for the stateful failover link. For
example, if you use eth0 for the failover link on device 1, use the same interface (eth0) on device 2 as well.

Caution All information sent over the failover and state links is sent in clear text unless you secure the communication
with an IPsec tunnel or a failover key. If the ASA is used to terminate VPN tunnels, this information includes
any usernames, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive
data in clear text could pose a significant security risk. We recommend securing the failover communication
with an IPsec tunnel or a failover key if you are using the ASA to terminate VPN tunnels.
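The Caution above is easy to verify from a saved configuration: failover is on, but neither protection is. The following audit script is an added example, not part of the guide or of any Cisco tool. It scans a running-config style excerpt (constructed here; interface names, addresses and peers are placeholders) for the failover commands I know to exist, `failover`, `failover lan interface`, `failover link`, `failover key` and `failover ipsec pre-shared-key`, and reports clear-text failover links, raising the severity when the same configuration also terminates VPN tunnels, which is the case the text singles out. As a second check it applies the rule from the next section that the failover link interface cannot carry a `nameif`, so it flags a link interface that is also configured as a data interface. The function names `parse_interfaces` and `audit_failover_links` are this example's own.

```python
import re

# Constructed running-config excerpt (not from the guide). Interface names,
# addresses and the VPN peer are placeholders chosen for this example.
CLEARTEXT_CFG = """\
interface GigabitEthernet0/2
 description LAN Failover Interface
!
interface GigabitEthernet0/3
 description STATE Failover Interface
!
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover link statelink GigabitEthernet0/3
failover interface ip folink 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover interface ip statelink 10.255.1.1 255.255.255.252 standby 10.255.1.2
crypto map outside_map 10 set peer 203.0.113.10
tunnel-group 203.0.113.10 type ipsec-l2l
"""

# Same pair with the failover traffic carried inside an IPsec tunnel; the
# running config masks the key itself, as shown.
PROTECTED_CFG = CLEARTEXT_CFG + "failover ipsec pre-shared-key *****\n"

# The mistake the next section warns about: the failover interface also has
# a name, which makes it a data interface.
SHARED_CFG = CLEARTEXT_CFG.replace(
    " description LAN Failover Interface\n",
    " description LAN Failover Interface\n nameif dmz\n", 1)


def parse_interfaces(cfg):
    """Map each 'interface X' block to the list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in cfg.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or any top-level command ends the block
    return blocks


def audit_failover_links(cfg):
    """Return what the config says about failover link protection plus a list
    of (severity, message) findings."""
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    enabled = "failover" in lines
    if any(l.startswith("failover ipsec pre-shared-key") for l in lines):
        protection = "ipsec"
    elif any(l.startswith("failover key") for l in lines):
        protection = "key"
    else:
        protection = None
    terminates_vpn = any(
        l.startswith(("crypto map", "tunnel-group", "crypto ikev1", "crypto ikev2"))
        for l in lines)
    # Physical interface -> logical name, from 'failover lan interface' and
    # 'failover link' (the state link when it has its own interface).
    link_ifaces = {}
    for l in lines:
        m = re.match(r"^failover (lan interface|link) (\S+) (\S+)$", l)
        if m:
            link_ifaces[m.group(3)] = m.group(2)
    findings = []
    if enabled and protection is None:
        sev = "high" if terminates_vpn else "medium"
        findings.append((sev, "failover and state link traffic is sent in clear text; "
                              "protect it with a failover key or an IPsec tunnel"))
    blocks = parse_interfaces(cfg)
    for phys, logical in link_ifaces.items():
        if any(sub.startswith("nameif ") for sub in blocks.get(phys, [])):
            findings.append(("high", f"{phys} is the failover link {logical} but also "
                                     "carries a nameif; the failover link must be dedicated"))
    return {"failover_enabled": enabled, "protection": protection,
            "terminates_vpn": terminates_vpn, "link_interfaces": link_ifaces,
            "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("cleartext", CLEARTEXT_CFG), ("protected", PROTECTED_CFG),
                       ("shared", SHARED_CFG)):
        result = audit_failover_links(cfg)
        print(label, result["protection"], result["findings"])
```

The "high" severity on the first sample is the combination the Caution describes: an unprotected failover link on a unit whose configuration also contains VPN peers, so the replicated configuration carries those tunnels' credentials in the clear.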

Failover Link
The two units in a failover pair constantly communicate over a failover link to determine the operating status
of each unit.

Failover Link Data


The following information is communicated over the failover link:
• The unit state (active or standby)
• Hello messages (keep-alives)
• Network link status
• MAC address exchange
• Configuration replication and synchronization

Interface for the Failover Link


You can use an unused data interface (physical, subinterface, redundant, or EtherChannel) as the failover link;
however, you cannot specify an interface that is currently configured with a name. The failover link interface
is not configured as a normal networking interface; it exists for failover communication only. This interface
can only be used for the failover link (and also for the state link). For most models, you cannot use a
management interface for failover unless explicitly described below.
The ASA does not support sharing interfaces between user data and the failover link. You also cannot use
separate subinterfaces on the same parent for the failover link and for data.
See the following guidelines for the failover link:
• 5506-X through 5555-X—You cannot use the Management interface as the failover link; you must use
a data interface. The only exception is for the 5506H-X, where you can use the management interface
as the failover link.
• 5506H-X—You can use the Management 1/1 interface as the failover link. If you configure it for failover,
you must reload the device for the change to take effect. In this case, you cannot also use the ASA
Firepower module, because it requires the Management interface for management purposes.
• 5585-X—Do not use the Management 0/0 interface, even though it can be used as a data interface. It
does not support the necessary performance for this use.
• Firepower 4100/9300—We recommend that you use a 10 GB data interface for the combined failover
and state link. You cannot use the management-type interface for the failover link.
• All other models—1 GB interface is large enough for a combined failover and state link.

For a redundant interface used as the failover link, see the following benefits for added redundancy:
• When a failover unit boots up, it alternates between the member interfaces to detect an active unit.
• If a failover unit stops receiving keepalive messages from its peer on one of the member interfaces, it
switches to the other member interface.

For an EtherChannel used as the failover link, to prevent out-of-order packets, only one interface in the
EtherChannel is used. If that interface fails, then the next interface in the EtherChannel is used. You cannot
alter the EtherChannel configuration while it is in use as a failover link.

Connecting the Failover Link


Connect the failover link in one of the following two ways:
• Using a switch, with no other device on the same network segment (broadcast domain or VLAN) as the
failover interfaces of the ASA.
• Using an Ethernet cable to connect the units directly, without the need for an external switch.

If you do not use a switch between the units and an interface fails, the link is brought down on both peers. This
condition may hamper troubleshooting efforts because you cannot easily determine which unit has the failed
interface and caused the link to come down.
The ASA supports Auto-MDI/MDIX on its copper Ethernet ports, so you can either use a crossover cable or
a straight-through cable. If you use a straight-through cable, the interface automatically detects the cable and
swaps one of the transmit/receive pairs to MDIX.

Stateful Failover Link


To use Stateful Failover, you must configure a Stateful Failover link (also known as the state link) to pass
connection state information.

Note Cisco recommends that the bandwidth of the stateful failover link at least match the bandwidth of the
data interfaces.

Shared with the Failover Link


Sharing a failover link is the best way to conserve interfaces. However, consider using dedicated interfaces
for the state link and the failover link if you have a large configuration and a high-traffic network.

Dedicated Interface
You can use a dedicated data interface (physical, redundant, or EtherChannel) for the state link. For an
EtherChannel used as the state link, to prevent out-of-order packets, only one interface in the EtherChannel
is used. If that interface fails, then the next interface in the EtherChannel is used.
Connect a dedicated state link in one of the following two ways:
• Using a switch, with no other device on the same network segment (broadcast domain or VLAN) as the
failover interfaces of the ASA device.
• Using an Ethernet cable to connect the appliances directly, without the need for an external switch.
If you do not use a switch between the units and an interface fails, the link is brought down on both peers.
This condition may hamper troubleshooting efforts because you cannot easily determine which unit has
the failed interface and caused the link to come down.
The ASA supports Auto-MDI/MDIX on its copper Ethernet ports, so you can either use a crossover
cable or a straight-through cable. If you use a straight-through cable, the interface automatically detects
the cable and swaps one of the transmit/receive pairs to MDIX.

For optimum performance when using long distance failover, the latency for the state link should be less than
10 milliseconds and no more than 250 milliseconds. If latency is more than 10 milliseconds, some performance
degradation occurs due to retransmission of failover messages.

Avoiding Interrupted Failover and Data Links


We recommend that failover links and data interfaces travel through different paths to decrease the chance
that all interfaces fail at the same time. If the failover link is down, the ASA can use the data interfaces to
determine if a failover is required. Subsequently, the failover operation is suspended until the health of the
failover link is restored.
See the following connection scenarios to design a resilient failover network.

Scenario 1—Not Recommended


If a single switch or a set of switches is used to connect both failover and data interfaces between two ASAs,
then when a switch or inter-switch link is down, both ASAs become active. Therefore, the two connection
methods shown in the following figures are NOT recommended.
Figure 33: Connecting with a Single Switch—Not Recommended

Figure 34: Connecting with a Double-Switch—Not Recommended

Scenario 2—Recommended
We recommend that failover links NOT use the same switch as the data interfaces. Instead, use a different
switch or use a direct cable to connect the failover link, as shown in the following figures.

Figure 35: Connecting with a Different Switch

Figure 36: Connecting with a Cable

Scenario 3—Recommended
If the ASA data interfaces are connected to more than one set of switches, then a failover link can be connected
to one of the switches, preferably the switch on the secure (inside) side of the network, as shown in the following
figure.
Figure 37: Connecting with a Secure Switch

Scenario 4—Recommended
The most reliable failover configurations use a redundant interface on the failover link, as shown in the
following figures.

Figure 38: Connecting with Redundant Interfaces

Figure 39: Connecting with Inter-switch Links

MAC Addresses and IP Addresses in Failover


When you configure your interfaces, you can specify an active IP address and a standby IP address on the
same network. Generally, when a failover occurs, the new active unit takes over the active IP addresses and
MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries
change or time out anywhere on the network.

Note Although recommended, the standby address is not required. Without a standby IP address, the active unit
cannot perform network tests to check the standby interface health; it can only track the link state. You also
cannot connect to the standby unit on that interface for management purposes.

The IP address and MAC address for the state link do not change at failover.

Active/Standby IP Addresses and MAC Addresses


For Active/Standby Failover, see the following for IP address and MAC address usage during a failover event:
1. The active unit always uses the primary unit's IP addresses and MAC addresses.
2. When the active unit fails over, the standby unit assumes the IP addresses and MAC addresses of the
failed unit and begins passing traffic.
3. When the failed unit comes back online, it is now in a standby state and takes over the standby IP addresses
and MAC addresses.

However, if the secondary unit boots without detecting the primary unit, then the secondary unit becomes the
active unit and uses its own MAC addresses, because it does not know the primary unit MAC addresses. When
the primary unit becomes available, the secondary (active) unit changes the MAC addresses to those of the
primary unit, which can cause an interruption in your network traffic. Similarly, if you swap out the primary
unit with new hardware, a new MAC address is used.
Virtual MAC addresses guard against this disruption, because the active MAC addresses are known to the
secondary unit at startup, and remain the same in the case of new primary unit hardware. If you do not configure
virtual MAC addresses, you might need to clear the ARP tables on connected routers to restore traffic flow.
The ASA does not send gratuitous ARPs for static NAT addresses when the MAC address changes, so
connected routers do not learn of the MAC address change for these addresses.

Active/Active IP Addresses and MAC Addresses


For Active/Active failover, see the following for IP address and MAC address usage during a failover event:
1. The primary unit autogenerates active and standby MAC addresses for all interfaces in failover group 1
and 2 contexts. You can also manually configure the MAC addresses if necessary, for example, if there
are MAC address conflicts.
2. Each unit uses the active IP addresses and MAC addresses for its active failover group, and the standby
addresses for its standby failover group. For example, the primary unit is active for failover group 1, so
it uses the active addresses for contexts in failover group 1. It is standby for the contexts in failover group
2, where it uses the standby addresses.
3. When a unit fails over, the other unit assumes the active IP addresses and MAC addresses of the failed
failover group and begins passing traffic.
4. When the failed unit comes back online, and you enabled the preempt option, it resumes the failover
group.

Virtual MAC Addresses


The ASA has multiple methods to configure virtual MAC addresses. We recommend using only one method.
If you set the MAC address using multiple methods, the MAC address used depends on many variables, and
might not be predictable. Manual methods include the interface mode mac-address command, the failover
mac address command, and for Active/Active failover, the failover group mode mac address command, in
addition to autogeneration methods described below.
In multiple context mode, you can configure the ASA to generate virtual active and standby MAC addresses
automatically for shared interfaces, and these assignments are synced to the secondary unit (see the mac-address
auto command). For non-shared interfaces, you can manually set the MAC addresses for Active/Standby
mode (Active/Active mode autogenerates MAC addresses for all interfaces).
For Active/Active failover, virtual MAC addresses are always used, either with default values or with values
you can set per interface.

Intra- and Inter-Chassis Module Placement for the ASA Services Module
You can place the primary and secondary ASASMs within the same switch or in two separate switches.

Intra-Chassis Failover
If you install the secondary ASASM in the same switch as the primary ASASM, you protect against
module-level failure.
Even though both ASASMs are assigned the same VLANs, only the active module takes part in networking.
The standby module does not pass any traffic.
The following figure shows a typical intra-switch configuration.
Figure 40: Intra-Switch Failover

Inter-Chassis Failover
To protect against switch-level failure, you can install the secondary ASASM in a separate switch. The ASASM
does not coordinate failover directly with the switch, but it works harmoniously with the switch failover
operation. See the switch documentation to configure failover for the switch.
For the best reliability of failover communications between ASASMs, we recommend that you configure an
EtherChannel trunk port between the two switches to carry the failover and state VLANs.
For other VLANs, you must ensure that both switches have access to all firewall VLANs, and that monitored
VLANs can successfully pass hello packets between both switches.
The following figure shows a typical switch and ASASM redundancy configuration. The trunk between the
two switches carries the failover ASASM VLANs (VLANs 10 and 11).

Note ASASM failover is independent of the switch failover operation; however, ASASM works in any switch
failover scenario.

Figure 41: Normal Operation

If the primary ASASM fails, then the secondary ASASM becomes active and successfully passes the firewall
VLANs.

Figure 42: ASASM Failure

If the entire switch fails, as well as the ASASM (such as in a power failure), then both the switch and the
ASASM fail over to their secondary units.

Figure 43: Switch Failure

Stateless and Stateful Failover


The ASA supports two types of failover, stateless and stateful, for both the Active/Standby and Active/Active
modes.

Note Some configuration elements for clientless SSL VPN (such as bookmarks and customization) use the VPN
failover subsystem, which is part of Stateful Failover. You must use Stateful Failover to synchronize these
elements between the members of the failover pair. Stateless failover is not recommended for clientless SSL
VPN.

Stateless Failover
When a failover occurs, all active connections are dropped. Clients need to reestablish connections when the
new active unit takes over.

Stateful Failover
When Stateful Failover is enabled, the active unit continually passes per-connection state information to the
standby unit, or in Active/Active failover, between the active and standby failover groups. After a failover
occurs, the same connection information is available at the new active unit. Supported end-user applications
are not required to reconnect to keep the same communication session.

Supported Features
For Stateful Failover, the following state information is passed to the standby ASA:
• NAT translation table.
• TCP and UDP connections and states. Other types of IP protocols, and ICMP, are not parsed by the active
unit, because they get established on the new active unit when a new packet arrives.
• HTTP connection states, but only if you enable HTTP replication with the failover replication http command.
By default, the ASA does not replicate HTTP session information when Stateful Failover is enabled, so HTTP
connections are not preserved across a failover. We suggest that you enable HTTP replication.
• SCTP connection states. However, SCTP inspection stateful failover is best effort. During failover, if
any SACK packets are lost, the new active unit will drop all other out of order packets in the queue until
the missing packet is received.
• The ARP table
• The Layer 2 bridge table (for bridge groups)
• The ISAKMP and IPsec SA table
• GTP PDP connection database
• SIP signaling sessions and pin holes.
• ICMP connection state—ICMP connection replication is enabled only if the respective interface is
assigned to an asymmetric routing group.
• Static and dynamic routing tables—Stateful Failover participates in dynamic routing protocols, like OSPF
and EIGRP, so routes that are learned through dynamic routing protocols on the active unit are maintained
in a Routing Information Base (RIB) table on the standby unit. Upon a failover event, packets travel
normally with minimal disruption to traffic because the active secondary unit initially has rules that
mirror the primary unit. Immediately after failover, the re-convergence timer starts on the newly active
unit. Then the epoch number for the RIB table increments. During re-convergence, OSPF and EIGRP
routes become updated with a new epoch number. Once the timer is expired, stale route entries (determined
by the epoch number) are removed from the table. The RIB then contains the newest routing protocol
forwarding information on the newly active unit.


Note Routes are synchronized only for link-up or link-down events on an active unit.
If the link goes up or down on the standby unit, dynamic routes sent from the
active unit may be lost. This is normal, expected behavior.

• DHCP Server—DHCP address leases are not replicated. However, a DHCP server configured on an
interface will send a ping to make sure an address is not being used before granting the address to a
DHCP client, so there is no impact to the service. State information is not relevant for DHCP relay or
DDNS.
• Cisco IP SoftPhone sessions—If a failover occurs during an active Cisco IP SoftPhone session, the call
remains active because the call session state information is replicated to the standby unit. When the call
is terminated, the IP SoftPhone client loses connection with the Cisco Call Manager. This connection
loss occurs because there is no session information for the CTIQBE hangup message on the standby unit.
When the IP SoftPhone client does not receive a response back from the Call Manager within a certain
time period, it considers the Call Manager unreachable and unregisters itself.
• RA VPN—Remote access VPN end users do not have to reauthenticate or reconnect the VPN session
after a failover. However, applications operating over the VPN connection could lose packets during the
failover process and not recover from the packet loss.

Unsupported Features
For Stateful Failover, the following state information is not passed to the standby ASA:
• The user authentication (uauth) table
• TCP state bypass connections
• Multicast routing.
• State information for modules, such as the ASA FirePOWER module.
• Selected clientless SSL VPN features:
• Smart Tunnels
• Port Forwarding
• Plugins
• Java Applets
• IPv6 clientless or AnyConnect sessions
• Citrix authentication (Citrix users must reauthenticate after failover)

Transparent Firewall Mode Bridge Group Requirements for Failover


There are special considerations for failover when using bridge groups.

Transparent Mode Bridge Group Requirements for Appliances, ASAv


When the active unit fails over to the standby unit, the connected switch port running Spanning Tree Protocol
(STP) can go into a blocking state for 30 to 50 seconds when it senses the topology change. To avoid traffic
loss while the port is in a blocking state, you can configure one of the following workarounds depending on
the switch port mode:
• Access mode—Enable the STP PortFast feature on the switch:

interface interface_id
spanning-tree portfast

The PortFast feature immediately transitions the port into STP forwarding mode upon linkup. The port
still participates in STP, so if the port is part of a loop, it eventually transitions into STP blocking
mode.
• Trunk mode—Block BPDUs on the ASA on a bridge group's member interfaces with an EtherType
access rule.

access-list id ethertype deny bpdu
access-group id in interface name1
access-group id in interface name2

Blocking BPDUs disables STP on the switch. Be sure not to have any loops involving the ASA in your
network layout.

If neither of the above options is possible, you can use one of the following less desirable workarounds,
which impact failover functionality or STP stability:
• Disable interface monitoring.
• Increase interface holdtime to a high value that will allow STP to converge before the ASAs fail over.
• Decrease STP timers to allow STP to converge faster than the interface holdtime.

Transparent Mode Bridge Group Requirements for the ASA Services Module
To avoid loops when you use failover with bridge groups, you should allow BPDUs to pass (the default), and
you must use switch software that supports BPDU forwarding.
Loops can occur if both modules are active at the same time, such as when both modules are discovering each
other’s presence, or due to a bad failover link. Because the ASASMs bridge packets between the same two
VLANs, loops can occur when packets between bridge group member interfaces get endlessly replicated by
both ASASMs. The spanning tree protocol can break such loops if there is a timely exchange of BPDUs. To
break the loop, BPDUs sent between VLAN 200 and VLAN 201 need to be bridged.


Figure 44: Bridge Group Loop

Failover Health Monitoring


The ASA monitors each unit for overall health and for interface health. This section includes information
about how the ASA performs tests to determine the state of each unit.

Unit Health Monitoring


The ASA determines the health of the other unit by monitoring the failover link with hello messages. When
a unit does not receive three consecutive hello messages on the failover link, the unit sends LANTEST messages
on each data interface, including the failover link, to validate whether or not the peer is responsive. The action
that the ASA takes depends on the response from the other unit. See the following possible actions:
• If the ASA receives a response on the failover link, then it does not fail over.
• If the ASA does not receive a response on the failover link, but it does receive a response on a data
interface, then the unit does not failover. The failover link is marked as failed. You should restore the
failover link as soon as possible because the unit cannot fail over to the standby while the failover link
is down.
• If the ASA does not receive a response on any interface, then the standby unit switches to active mode
and classifies the other unit as failed.

Interface Monitoring
You can monitor up to 1025 interfaces (in multiple context mode, divided between all contexts). You should
monitor important interfaces. For example in multiple context mode, you might configure one context to
monitor a shared interface: because the interface is shared, all contexts benefit from the monitoring.
When a unit does not receive hello messages on a monitored interface for 25 seconds (the default interface
holdtime), it runs interface tests. (To change the period, see the failover polltime interface command, or for
Active/Active failover, the polltime interface command.) If one of the interface tests fails for an interface, but
this same interface on the other unit continues to successfully pass traffic, then the interface is considered to
be failed, and the ASA stops running tests.
If the threshold you define for the number of failed interfaces is met (see the failover interface-policy
command, or for Active/Active failover, the interface-policy command), and the active unit has more failed
interfaces than the standby unit, then a failover occurs. If an interface fails on both units, then both interfaces
go into the “Unknown” state and do not count towards the failover limit defined by failover interface policy.
An interface becomes operational again if it receives any traffic. A failed ASA returns to standby mode if the
interface failure threshold is no longer met.
If you have an ASA FirePOWER module, then the ASA also monitors the health of the module over the
backplane interface. Failure of the module is considered a unit failure and will trigger failover. This setting
is configurable with the monitor-interface service-module command; use the no form if module failures
should not trigger a failover.
If an interface has IPv4 and IPv6 addresses configured on it, the ASA uses the IPv4 addresses to perform the
health monitoring. If an interface has only IPv6 addresses configured on it, then the ASA uses IPv6 neighbor
discovery instead of ARP to perform the health monitoring tests. For the broadcast ping test, the ASA uses
the IPv6 all-nodes multicast address (FF02::1).

Note If a failed unit does not recover and you believe it should not be failed, you can reset the state by entering the
failover reset command. If the failover condition persists, however, the unit will fail again.

Interface Tests
The ASA uses the following interface tests. The duration of each test is approximately 1.5 seconds by default,
or 1/16 of the failover interface holdtime (see the failover polltime interface command, or for Active/Active
failover, the polltime interface command).
1. Link Up/Down test—A test of the interface status. If the Link Up/Down test indicates that the interface
is down, then the ASA considers it failed, and testing stops. If the status is Up, then the ASA performs
the Network Activity test.
2. Network Activity test—A received network activity test. At the start of the test, each unit clears its received
packet count for its interfaces. As soon as a unit receives any eligible packets during the test, then the
interface is considered operational. If both units receive traffic, then testing stops. If one unit receives
traffic and the other unit does not, then the interface on the unit that does not receive traffic is considered
failed, and testing stops. If neither unit receives traffic, then the ASA starts the ARP test.
3. ARP test—A test for successful ARP replies. Each unit sends a single ARP request for the IP address in
the most recent entry in its ARP table. If the unit receives an ARP reply or other network traffic during
the test, then the interface is considered operational. If the unit does not receive an ARP reply, then the
ASA sends a single ARP request for the IP address in the next entry in the ARP table. If the unit receives
an ARP reply or other network traffic during the test, then the interface is considered operational. If both
units receive traffic, then testing stops. If one unit receives traffic, and the other unit does not, then the
interface on the unit that does not receive traffic is considered failed, and testing stops. If neither unit
receives traffic, then the ASA starts the Broadcast Ping test.
4. Broadcast Ping test—A test for successful ping replies. Each unit sends a broadcast ping, and then counts
all received packets. If the unit receives any packets during the test, then the interface is considered
operational. If both units receive traffic, then testing stops. If one unit receives traffic, and the other unit
does not, then the interface on the unit that does not receive traffic is considered failed, and testing stops.
If neither unit receives traffic, then testing starts over again with the ARP test. If both units continue to
receive no traffic from the ARP and Broadcast Ping tests, then these tests will continue running in
perpetuity.

Interface Status
Monitored interfaces can have the following status:
• Unknown—Initial status. This status can also mean the status cannot be determined.
• Normal—The interface is receiving traffic.
• Testing—Hello messages are not heard on the interface for five poll times.
• Link Down—The interface or VLAN is administratively down.
• No Link—The physical link for the interface is down.
• Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.

Failover Times
The following table shows the minimum, default, and maximum failover times.

Note If you manually fail over using the CLI or ASDM, or you reload the ASA, the failover starts immediately and
is not subject to the timers listed below.

Table 10: ASA

Failover Condition                                              Minimum            Default       Maximum
Active unit loses power or stops normal operation.              800 milliseconds   15 seconds    45 seconds
Active unit main board interface link down.                     500 milliseconds   5 seconds     15 seconds
Active unit 4GE module interface link down.                     2 seconds          5 seconds     15 seconds
Active unit FirePOWER module fails.                             2 seconds          2 seconds     2 seconds
Active unit interface up, but connection problem causes         5 seconds          25 seconds    75 seconds
interface testing.
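The following is an added configuration example, not taken from the guide, that maps the health monitoring and
timer descriptions above onto the CLI. It assumes an Active/Standby pair with data interfaces named outside and
inside and a management-only interface named management (placeholder names), and it picks the minimum holdtimes
from Table 10 to show where those numbers come from; pick values that match the real link quality, because an
aggressive unit holdtime on a lossy failover link causes unnecessary failovers.

```text
! Added example: tune failover health monitoring. Enter on the active unit; the
! commands are replicated to the standby. In multiple context mode, use the
! system execution space.

! Unit health: hello every 200 ms over the failover link; declare the peer dead
! after 800 ms of silence (the Table 10 minimum; defaults are 1 s / 15 s).
failover polltime unit msec 200 holdtime msec 800

! Interface health: hello every 500 ms on monitored interfaces; begin the interface
! tests after 5 s without hellos (Table 10 minimum; defaults are 5 s / 25 s).
! Each interface test then lasts about 1/16 of this holdtime.
failover polltime interface msec 500 holdtime 5

! Fail over when two monitored interfaces have failed on the active unit and the
! standby has fewer failed interfaces. A percentage of monitored interfaces works too.
failover interface-policy 2
! failover interface-policy 50%

! Monitor the data interfaces; leave the management interface out so that a
! management-only outage cannot trigger a failover.
monitor-interface outside
monitor-interface inside
no monitor-interface management

! ASA FirePOWER module health counts as a unit failure by default (shown explicitly);
! "no monitor-interface service-module" stops module failures from triggering failover.
monitor-interface service-module

! Verification and recovery
show failover
show failover state
! If a unit stays Failed after the cause is fixed, clear the state; it fails again
! if the condition persists.
failover reset
```

The interface holdtime must be at least five times the interface poll time and the unit holdtime at least three
times the unit poll time, so the pairs above sit at the bottom of the allowed ranges; raise them before lowering
the interface policy threshold.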

Configuration Synchronization
Failover includes various types of configuration synchronization.

Running Configuration Replication


Running configuration replication occurs when one or both devices in the failover pair boot.
In Active/Standby failover, configurations are always synchronized from the active unit to the standby unit.
In Active/Active failover, whichever unit boots second obtains the running configuration from the unit that
boots first, regardless of the primary or secondary designation of the booting unit. After both units are up,
commands entered in the system execution space are replicated from the unit on which failover group 1 is in
the active state.
When the standby/second unit completes its initial startup, it clears its running configuration (except for the
failover commands needed to communicate with the active unit), and the active unit sends its entire
configuration to the standby/second unit. When the replication starts, the ASA console on the active unit
displays the message “Beginning configuration replication: Sending to mate,” and when it is complete, the
ASA displays the message “End Configuration Replication to mate.” Depending on the size of the configuration,
replication can take from a few seconds to several minutes.
On the unit receiving the configuration, the configuration exists only in running memory. You should save
the configuration to flash memory according to Save Configuration Changes, on page 43. For example, in
Active/Active failover, enter the write memory all command in the system execution space on the unit that
has failover group 1 in the active state. The command is replicated to the peer unit, which proceeds to write
its configuration to flash memory.

Note During replication, commands entered on the unit sending the configuration may not replicate properly to the
peer unit, and commands entered on the unit receiving the configuration may be overwritten by the configuration
being received. Avoid entering commands on either unit in the failover pair during the configuration replication
process.

Note The crypto ca server command and related subcommands are not supported with failover; you must remove
them using the no crypto ca server command.

File Replication
Configuration syncing does not replicate the following files and configuration components, so you must copy
these files manually so they match:
• AnyConnect images
• CSD images
• AnyConnect profiles
  The ASA uses a cached file for the AnyConnect client profile stored in cache:/stc/profiles, and not the
  file stored in the flash file system. To replicate the AnyConnect client profile to the standby unit, perform
  one of the following:
  • Enter the write standby command on the active unit.
  • Reapply the profile on the active unit.
  • Reload the standby unit.
• Local Certificate Authorities (CAs)
• ASA images
• ASDM images

Command Replication
After startup, commands that you enter on the active unit are immediately replicated to the standby unit. You
do not have to save the active configuration to flash memory to replicate the commands.
In Active/Active failover, commands entered in the system execution space are replicated from the unit on
which failover group 1 is in the active state.
Failure to enter the commands on the appropriate unit for command replication to occur causes the
configurations to be out of synchronization. Those changes may be lost the next time the initial configuration
synchronization occurs.
The following commands are replicated to the standby ASA:
• All configuration commands except for mode, firewall, and failover lan unit
• copy running-config startup-config
• delete
• mkdir
• rename
• rmdir
• write memory

The following commands are not replicated to the standby ASA:
• All forms of the copy command except for copy running-config startup-config
• All forms of the write command except for write memory
• debug
• failover lan unit
• firewall
• show
• terminal pager and pager
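As an added example that is not part of the guide, the sequence below keeps both configuration and files in step,
using the replication rules just listed: it is entered on the active unit (in Active/Active, on the unit where
failover group 1 is active, in the system execution space), relies on the replicated write commands for
configuration, and, because copy is not replicated, repeats the file copy on the peer with failover exec mate.
The TFTP server address, the package file name and the use of the /noconfirm keyword to make copy
non-interactive are assumptions for the example.

```text
! Added example: keep a failover pair in sync

! Configuration: write memory is replicated, so one command saves both units.
write memory
! Active/Active only: save the system and every context on both units.
write memory all
! Re-send the entire running configuration (and the cached AnyConnect profile)
! to the standby unit.
write standby

! Files: copy is NOT replicated. Stage the file here, then repeat the copy on the mate.
copy /noconfirm tftp://203.0.113.10/anyconnect-example.pkg disk0:/anyconnect-example.pkg
failover exec mate copy /noconfirm tftp://203.0.113.10/anyconnect-example.pkg disk0:/anyconnect-example.pkg
! Do the same for ASA, ASDM and CSD images. The configuration that references
! the file IS replicated, so enter it once:
webvpn
 anyconnect image disk0:/anyconnect-example.pkg 1

! Verify: both units should report "Sync Done" under Configuration State, and
! both flash listings should contain the same files.
show failover state
failover exec mate show failover state
dir disk0:
failover exec mate dir disk0:
```

Entering the copy on the standby unit directly also works; failover exec mate simply avoids a second console
session and keeps the order of operations (file first, referencing configuration second) visible in one place.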

About Active/Standby Failover


Active/Standby failover lets you use a standby ASA to take over the functionality of a failed unit. When the
active unit fails, the standby unit becomes the active unit.


Note For multiple context mode, the ASA can fail over the entire unit (including all contexts) but cannot fail over
individual contexts separately.

Primary/Secondary Roles and Active/Standby Status


The main differences between the two units in a failover pair are related to which unit is active and which
unit is standby, namely which IP addresses to use and which unit actively passes traffic.
However, a few differences exist between the units based on which unit is primary (as specified in the
configuration) and which unit is secondary:
• The primary unit always becomes the active unit if both units start up at the same time (and are of equal
operational health).
• The primary unit MAC addresses are always coupled with the active IP addresses. The exception to this
rule occurs when the secondary unit becomes active and cannot obtain the primary unit MAC addresses
over the failover link. In this case, the secondary unit MAC addresses are used.

Active Unit Determination at Startup


The active unit is determined by the following:
• If a unit boots and detects a peer already running as active, it becomes the standby unit.
• If a unit boots and does not detect a peer, it becomes the active unit.
• If both units boot simultaneously, then the primary unit becomes the active unit, and the secondary unit
becomes the standby unit.

Failover Events
In Active/Standby failover, failover occurs on a unit basis. Even on systems running in multiple context mode,
you cannot fail over individual or groups of contexts.
The following table shows the failover action for each failure event. For each failure event, the table shows
the failover policy (failover or no failover), the action taken by the active unit, the action taken by the standby
unit, and any special notes about the failover condition and actions.

Table 11: Failover Events

Failure Event: Active unit failed (power or hardware)
  Policy: Failover
  Active Unit Action: n/a
  Standby Unit Action: Become active; mark active as failed
  Notes: No hello messages are received on any monitored interface or the failover link.

Failure Event: Formerly active unit recovers
  Policy: No failover
  Active Unit Action: Become standby
  Standby Unit Action: No action
  Notes: None.

Failure Event: Standby unit failed (power or hardware)
  Policy: No failover
  Active Unit Action: Mark standby as failed
  Standby Unit Action: n/a
  Notes: When the standby unit is marked as failed, then the active unit does not attempt to fail over, even if
  the interface failure threshold is surpassed.

Failure Event: Failover link failed during operation
  Policy: No failover
  Active Unit Action: Mark failover link as failed
  Standby Unit Action: Mark failover link as failed
  Notes: You should restore the failover link as soon as possible because the unit cannot fail over to the
  standby unit while the failover link is down.

Failure Event: Failover link failed at startup
  Policy: No failover
  Active Unit Action: Become active; mark failover link as failed
  Standby Unit Action: Become active; mark failover link as failed
  Notes: If the failover link is down at startup, both units become active.

Failure Event: State link failed
  Policy: No failover
  Active Unit Action: No action
  Standby Unit Action: No action
  Notes: State information becomes out of date, and sessions are terminated if a failover occurs.

Failure Event: Interface failure on active unit above threshold
  Policy: Failover
  Active Unit Action: Mark active as failed
  Standby Unit Action: Become active
  Notes: None.

Failure Event: Interface failure on standby unit above threshold
  Policy: No failover
  Active Unit Action: No action
  Standby Unit Action: Mark standby as failed
  Notes: When the standby unit is marked as failed, then the active unit does not attempt to fail over, even if
  the interface failure threshold is surpassed.
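The following is an added example, not from the guide, of a minimal Active/Standby pair in single context mode
that exercises the roles and events described above: the primary unit carries the full configuration, Stateful
Failover runs over the same link as the failover LAN, HTTP replication is enabled as the Stateful Failover section
suggests, and the secondary unit carries only the failover commands it needs to find its peer, since everything
else arrives by configuration replication. Interface names, the RFC 5737 documentation addresses and the
pre-shared key are placeholders.

```text
! ---- Primary unit ----
! Each data interface has an active and a standby address. The active address
! (paired with the primary unit's MAC) follows whichever unit is active.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2

! Unit role: one of the few commands that is NOT replicated to the peer.
failover lan unit primary
! Dedicated failover link on its own subnet.
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 198.51.100.1 255.255.255.252 standby 198.51.100.2
! Stateful Failover: carry connection state over the same link. A separate state
! link is also possible, for example "failover link statelink GigabitEthernet0/3".
failover link folink GigabitEthernet0/2
! Encrypt failover and state traffic; both units must use the same key.
failover ipsec pre-shared-key changeme
! Off by default: replicate HTTP connections so web sessions survive a failover.
failover replication http
! Enable failover last, after the failover link is cabled.
failover

! ---- Secondary unit (bootstrap only) ----
failover lan unit secondary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 198.51.100.1 255.255.255.252 standby 198.51.100.2
failover link folink GigabitEthernet0/2
failover ipsec pre-shared-key changeme
failover

! ---- Back on the primary (now active) ----
! Wait for "End Configuration Replication to mate" on the console, then save;
! write memory is replicated, so both units write their startup configuration.
write memory
show failover
```

Because the secondary clears its running configuration (except these failover commands) when it joins, anything
configured on it beforehand is lost; configure the pair from the primary only, and do not type on either console
while replication is in progress.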

About Active/Active Failover


This section describes Active/Active failover.

Active/Active Failover Overview


In an Active/Active failover configuration, both ASAs can pass network traffic. Active/Active failover is only
available to ASAs in multiple context mode. In Active/Active failover, you divide the security contexts on
the ASA into a maximum of 2 failover groups.
A failover group is simply a logical group of one or more security contexts. You can assign failover group 1 to
be active on the primary ASA, and failover group 2 to be active on the secondary ASA. When a failover
occurs, it occurs at the failover group level. For example, depending on interface failure patterns, it is possible
for failover group 1 to fail over to the secondary ASA, and subsequently failover group 2 to fail over to the
primary ASA. This event could occur if the interfaces in failover group 1 are down on the primary ASA but
up on the secondary ASA, while the interfaces in failover group 2 are down on the secondary ASA but up on
the primary ASA.
The admin context is always a member of failover group 1. Any unassigned security contexts are also members
of failover group 1 by default. If you want Active/Active failover, but are otherwise uninterested in multiple
contexts, the simplest configuration would be to add one additional context and assign it to failover group 2.

Note When configuring Active/Active failover, make sure that the combined traffic for both units is within the
capacity of each unit.

Note You can assign both failover groups to one ASA if desired, but then you are not taking advantage of having
two active ASAs.

Primary/Secondary Roles and Active/Standby Status for a Failover Group


As in Active/Standby failover, one unit in an Active/Active failover pair is designated the primary unit, and
the other unit the secondary unit. Unlike Active/Standby failover, this designation does not indicate which
unit becomes active when both units start simultaneously. Instead, the primary/secondary designation does
two things:
• The primary unit provides the running configuration to the pair when they boot simultaneously.
• Each failover group in the configuration is configured with a primary or secondary unit preference. When
used with preemption, this preference ensures that the failover group runs on the correct unit after it starts
up. Without preemption, both groups run on the first unit to boot up.

Active Unit Determination for Failover Groups at Startup


The unit on which a failover group becomes active is determined as follows:
• When a unit boots while the peer unit is not available, both failover groups become active on the unit.
• When a unit boots while the peer unit is active (with both failover groups in the active state), the failover
groups remain in the active state on the active unit regardless of the primary or secondary preference of
the failover group until one of the following occurs:
• A failover occurs.
• You manually force a failover.
• You configured preemption for the failover group, which causes the failover group to automatically
become active on the preferred unit when the unit becomes available.

Failover Events
In an Active/Active failover configuration, failover occurs on a failover group basis, not a system basis. For
example, if you designate both failover groups as active on the primary unit, and failover group 1 fails, then
failover group 2 remains active on the primary unit while failover group 1 becomes active on the secondary
unit.


Because a failover group can contain multiple contexts, and each context can contain multiple interfaces, it
is possible for all interfaces in a single context to fail without causing the associated failover group to fail.
The following table shows the failover action for each failure event. For each failure event, the policy (whether
or not failover occurs), actions for the active failover group, and actions for the standby failover group are
given.

Table 12: Failover Events

Failure Event: A unit experiences a power or software failure
  Policy: Failover
  Active Group Action: Become standby; mark as failed
  Standby Group Action: Become active; mark active as failed
  Notes: When a unit in a failover pair fails, any active failover groups on that unit are marked as failed and
  become active on the peer unit.

Failure Event: Interface failure on active failover group above threshold
  Policy: Failover
  Active Group Action: Mark active group as failed
  Standby Group Action: Become active
  Notes: None.

Failure Event: Interface failure on standby failover group above threshold
  Policy: No failover
  Active Group Action: No action
  Standby Group Action: Mark standby group as failed
  Notes: When the standby failover group is marked as failed, the active failover group does not attempt to fail
  over, even if the interface failure threshold is surpassed.

Failure Event: Formerly active failover group recovers
  Policy: No failover
  Active Group Action: No action
  Standby Group Action: No action
  Notes: Unless failover group preemption is configured, the failover groups remain active on their current unit.

Failure Event: Failover link failed at startup
  Policy: No failover
  Active Group Action: Become active
  Standby Group Action: Become active
  Notes: If the failover link is down at startup, both failover groups on both units become active.

Failure Event: State link failed
  Policy: No failover
  Active Group Action: No action
  Standby Group Action: No action
  Notes: State information becomes out of date, and sessions are terminated if a failover occurs.

Failure Event: Failover link failed during operation
  Policy: No failover
  Active Group Action: n/a
  Standby Group Action: n/a
  Notes: Each unit marks the failover link as failed. You should restore the failover link as soon as possible
  because the unit cannot fail over to the standby unit while the failover link is down.
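The following is an added example, not from the guide, of the Active/Active pieces described in this section,
entered in the system execution space of the primary unit. It assumes the unit is already in multiple context mode
with the admin context defined, and that the failover LAN link, state link and unit roles were bootstrapped on both
units exactly as for an Active/Standby pair. Group 1 prefers the primary, group 2 prefers the secondary, and
preemption with a delay makes each group return to its preferred unit after a reboot; without preempt, both groups
stay on whichever unit booted first. Context, interface and VLAN names are placeholders.

```text
! Added example: Active/Active failover groups (system execution space, primary unit)

! Group 1 always holds the admin context and any unassigned context; prefer the primary
! and take the group back 30 seconds after this unit becomes available again.
failover group 1
 primary
 preempt 30

! Group 2 prefers the secondary. Interface policy and poll timers can be set per
! group, so a group with fewer interfaces can use a percentage threshold.
failover group 2
 secondary
 preempt 30
 polltime interface 3 holdtime 15
 interface-policy 50%

! Subinterfaces allocated to the group 2 context (VLAN 20 on both sides).
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/1.20
 vlan 20

! A second context is the minimum needed to get traffic on both units;
! it joins group 2 while the admin context stays in group 1.
context ctxB
 allocate-interface GigabitEthernet0/0.20
 allocate-interface GigabitEthernet0/1.20
 config-url disk0:/ctxB.cfg
 join-failover-group 2

! Enable failover on the primary; the secondary needs only its own
! "failover lan unit secondary", the same failover lan/link/interface ip
! lines and "failover", after which it receives this configuration.
failover

! Check which unit each group is active on, and move a group by hand if needed.
show failover group 1
show failover group 2
failover active group 2
```

Size the units for the combined load of both groups: after a failure one unit carries every context, so the
preferred split only buys capacity while both units are healthy.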

Licensing for Failover


Failover units do not require the same license on each unit. If you have licenses on both units, they combine
into a single running failover cluster license. There are some exceptions to this rule. See the following table
for precise licensing requirements for failover.

Model: ASA 5506-X and ASA 5506W-X
  License Requirement:
  • Active/Standby—Security Plus License.
  • Active/Active—No Support.
  Note: Each unit must have the same encryption license.

Model: ASA 5512-X through ASA 5555-X
  License Requirement:
  • ASA 5512-X—Security Plus License.
  • Other models—Base License.
  Note:
  • Each unit must have the same encryption license.
  • In multiple context mode, each unit must have the same AnyConnect Apex license.
  • Each unit must have the same IPS module license. You also need the IPS signature subscription on the IPS
    side for both units. See the following guidelines:
    • To buy the IPS signature subscription you need to have the ASA with IPS pre-installed (the part number
      must include “IPS”, for example ASA5525-IPS-K9); you cannot buy the IPS signature subscription for a
      non-IPS part number ASA.
    • You need the IPS signature subscription on both units; this subscription is not shared in failover,
      because it is not an ASA license.
    • The IPS signature subscription requires a unique IPS module license per unit. Like other ASA licenses,
      the IPS module license is technically shared in the failover cluster license. However, because of the
      IPS signature subscription requirements, you must buy a separate IPS module license for each unit.

Model: ASAv
  License Requirement: See Failover Licenses for the ASAv, on page 117.

Model: Firepower 4100/9300
  License Requirement: See Failover Licenses for the ASA on the Firepower 4100/9300 Chassis, on page 117.

Model: All other models
  License Requirement: Base License or Standard License.
  Note:
  • Each unit must have the same encryption license.
  • In multiple context mode, each unit must have the same AnyConnect Apex license.

Note A valid permanent key is required; in rare instances, your PAK authentication key can be removed. If your
key consists of all 0’s, then you need to reinstall a valid authentication key before failover can be enabled.

Guidelines for Failover


Context Mode
• Active/Active mode is supported only in multiple context mode.
• For multiple context mode, perform all steps in the system execution space unless otherwise noted.

Model Support
• ASA 5506W-X—You must disable interface monitoring for the internal GigabitEthernet 1/9 interface.
This interface cannot communicate with its peer to perform the default interface monitoring checks, so
leaving monitoring enabled causes a switch from active to standby and back again because of expected
interface communication failures.
• Firepower 9300—We recommend that you use inter-chassis Failover for the best redundancy.
• The ASAv on public cloud networks such as Microsoft Azure and Amazon Web Services is not supported
with Failover because Layer 2 connectivity is required.
• The ASA FirePOWER module does not support failover directly; when the ASA fails over, any existing
ASA FirePOWER flows are transferred to the new ASA. The ASA FirePOWER module in the new ASA
begins inspecting the traffic from that point forward; old inspection states are not transferred.
You are responsible for maintaining consistent policies on the ASA FirePOWER modules in the
high-availability ASA pair to ensure consistent failover behavior.

Note Create the failover pair before you configure the ASA FirePOWER modules. If
the modules are already configured on both devices, clear the interface
configuration on the standby device before creating the failover pair. From the
CLI on the standby device, enter the clear configure interface command.

ASAv Failover for High Availability


When creating a failover pair with the ASAv, it is necessary to add the data interfaces to each ASAv in the
same order. If the exact same interfaces are added to each ASAv, but in a different order, errors may be presented
at the ASAv console, and failover functionality may also be affected.

Additional Guidelines
• When the active unit fails over to the standby unit, the connected switch port running Spanning Tree
Protocol (STP) can go into a blocking state for 30 to 50 seconds when it senses the topology change. To
avoid traffic loss while the port is in a blocking state, you can enable the STP PortFast feature on the
switch:
interface interface_id spanning-tree portfast
This workaround applies to switches connected to both routed mode and bridge group interfaces. The
PortFast feature immediately transitions the port into STP forwarding mode upon linkup. The port still
participates in STP, so if the port turns out to be part of a loop, it eventually transitions into STP
blocking mode.
• You cannot enable failover if a local CA server is configured. Remove the CA configuration using the
no crypto ca server command.
• Configuring port security on the switch(es) connected to the ASA failover pair can cause communication
problems when a failover event occurs. The problem arises because, when a secure MAC address configured or
learned on one secure port moves to another secure port, the switch port security feature flags a
violation.
• You can monitor up to 1025 interfaces on a unit, across all contexts.
• For Active/Standby Failover and a VPN IPsec tunnel, you cannot monitor both the active and standby
units using SNMP over the VPN tunnel. The standby unit does not have an active VPN tunnel, and will
drop traffic destined for the NMS. You can instead use SNMPv3 with encryption so the IPsec tunnel is
not required.
• For Active/Active failover, no two interfaces in the same context should be configured in the same ASR
group.
• For Active/Active failover, you can define a maximum of two failover groups.
• For Active/Active failover, when removing failover groups, you must remove failover group 1 last.
Failover group1 always contains the admin context. Any context not assigned to a failover group defaults
to failover group 1. You cannot remove a failover group that has contexts explicitly assigned to it.

Defaults for Failover


By default, the failover policy consists of the following:
• No HTTP replication in Stateful Failover.
• A single interface failure causes failover.
• The interface poll time is 5 seconds.
• The interface hold time is 25 seconds.

• The unit poll time is 1 second.


• The unit hold time is 15 seconds.
• Virtual MAC addresses are disabled in multiple context mode, except for the ASASM, where they are
enabled by default.
• Monitoring on all physical interfaces, or for the ASASM, all VLAN interfaces.

Configure Active/Standby Failover


To configure Active/Standby failover, configure basic failover settings on both the primary and secondary
units. All other configuration occurs only on the primary unit, and is then synched to the secondary unit.

Configure the Primary Unit for Active/Standby Failover


Follow the steps in this section to configure the primary in an Active/Standby failover configuration. These
steps provide the minimum configuration needed to enable failover on the primary unit.

Before you begin


• We recommend that you configure standby IP addresses for all interfaces except for the failover and
state links.
• Do not configure a nameif for the failover and state links.
• For multiple context mode, complete this procedure in the system execution space. To change from the
context to the system execution space, enter the changeto system command.

Procedure

Step 1 Designate this unit as the primary unit:


failover lan unit primary

Step 2 Specify the interface to be used as the failover link:


failover lan interface if_name interface_id
Example:

ciscoasa(config)# failover lan interface folink gigabitethernet0/3

This interface cannot be used for any other purpose (except, optionally, the state link).
The if_name argument assigns a name to the interface.
The interface_id argument can be a data physical interface, subinterface, redundant interface, or EtherChannel
interface ID. On the ASASM, the interface_id is a VLAN ID. For the ASA 5506H-X only, you can specify
the Management 1/1 interface as the failover link. If you do so, you must save the configuration with write
memory, and then reload the device. You then cannot use this interface for failover and also use the ASA
Firepower module; the module requires the interface for management, and you can only use it for one function.
For the Firepower 4100/9300, you can use any data-type interface.

Step 3 Assign the active and standby IP addresses to the failover link:
failover interface ip failover_if_name {ip_address mask | ipv6_address / prefix} standby ip_address
Example:

ciscoasa(config)# failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2

Or:

ciscoasa(config)# failover interface ip folink 2001:a0a:b00::a0a:b70/64 standby 2001:a0a:b00::a0a:b71

This address should be on an unused subnet. 169.254.0.0/16 and fd00:0:0:*::/64 are internally used subnets,
and you cannot use them for the failover or state links.
The standby IP address must be in the same subnet as the active IP address.

Step 4 Enable the failover link:


interface failover_interface_id
no shutdown
Example:

ciscoasa(config)# interface gigabitethernet 0/3
ciscoasa(config-if)# no shutdown

Step 5 (Optional) Specify the interface you want to use as the state link:
failover link if_name interface_id
Example:

ciscoasa(config)# failover link folink gigabitethernet0/3

You can share the failover link with the state link.


The if_name argument assigns a name to the interface.
The interface_id argument can be a physical interface, subinterface, redundant interface, or EtherChannel
interface ID. On the ASASM, the interface_id is a VLAN ID.

Step 6 If you specified a separate state link, assign the active and standby IP addresses to the state link:
failover interface ip state_if_name {ip_address mask | ipv6_address/prefix} standby ip_address
Example:

ciscoasa(config)# failover interface ip statelink 172.27.49.1 255.255.255.0 standby 172.27.49.2

Or:

ciscoasa(config)# failover interface ip statelink 2001:a0a:b00:a::a0a:b70/64 standby 2001:a0a:b00:a::a0a:b71

This address should be on an unused subnet, different from the failover link. 169.254.0.0/16 and fd00:0:0:*::/64
are internally used subnets, and you cannot use them for the failover or state links.
The standby IP address must be in the same subnet as the active IP address.
Skip this step if you are sharing the state link.

Step 7 If you specified a separate state link, enable the state link.
interface state_interface_id
no shutdown
Example:

ciscoasa(config)# interface gigabitethernet 0/4
ciscoasa(config-if)# no shutdown

Skip this step if you are sharing the state link.

Step 8 (Optional) Do one of the following to encrypt communications on the failover and state links:
• (Preferred) Establish IPsec LAN-to-LAN tunnels on the failover and state links between the units to
encrypt all failover communications:
failover ipsec pre-shared-key [0 | 8] key
Example:

ciscoasa(config)# failover ipsec pre-shared-key a3rynsun

The key can be up to 128 characters in length. Identify the same key on both units. The key is used by
IKEv2 to establish the tunnels.
If you use a master passphrase (see Configure the Master Passphrase, on page 557), then the key is
encrypted in the configuration. If you are copying from the configuration (for example, from more
system:running-config output), specify that the key is encrypted by using the 8 keyword. 0 is used by
default, specifying an unencrypted password.
The failover ipsec pre-shared-key shows as ***** in show running-config output; this obscured key
is not copyable.
If you do not configure failover and state link encryption, failover communication, including any passwords
or keys in the configuration that are sent during command replication, will be in clear text.
You cannot use both IPsec encryption and the legacy failover key encryption. If you configure both
methods, IPsec is used. However, if you use the master passphrase, you must first remove the failover
key using the no failover key command before you configure IPsec encryption.
Failover LAN-to-LAN tunnels do not count against the IPsec (Other VPN) license.
• (Optional) Encrypt failover communication on the failover and state links:
failover key [0 | 8] {hex key | shared_secret}

Example:

ciscoasa(config)# failover key johncr1cht0n

Use a shared_secret from 1 to 63 characters or a 32-character hex key. For the shared_secret, you can
use any combination of numbers, letters, or punctuation. The shared secret or hex key is used to generate
the encryption key. Identify the same key on both units.
If you use a master passphrase (see Configure the Master Passphrase, on page 557), then the shared secret
or hex key is encrypted in the configuration. If you are copying from the configuration (for example,
from more system:running-config output), specify that the shared secret or hex key is encrypted by
using the 8 keyword. 0 is used by default, specifying an unencrypted password.
The failover key shared secret shows as ***** in show running-config output; this obscured key is not
copyable.
If you do not configure failover and state link encryption, failover communication, including any passwords
or keys in the configuration that are sent during command replication, will be in clear text.

Step 9 Enable failover:


failover

Step 10 Save the system configuration to flash memory:


write memory

Examples
The following example configures the failover parameters for the primary unit:

failover lan unit primary
failover lan interface folink gigabitethernet0/3
failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2
interface gigabitethernet 0/3
no shutdown
failover link folink gigabitethernet0/3
failover ipsec pre-shared-key a3rynsun
failover

Configure the Secondary Unit for Active/Standby Failover


The only configuration required on the secondary unit is for the failover link. The secondary unit requires
these commands to communicate initially with the primary unit. After the primary unit sends its configuration
to the secondary unit, the only permanent difference between the two configurations is the failover lan unit
command, which identifies each unit as primary or secondary.

Before you begin


• Do not configure a nameif for the failover and state links.

• For multiple context mode, complete this procedure in the system execution space. To change from the
context to the system execution space, enter the changeto system command.

Procedure

Step 1 Re-enter the exact same commands as on the primary unit except for the failover lan unit primary command.
You can optionally replace it with the failover lan unit secondary command, but it is not necessary because
secondary is the default setting. See Configure the Primary Unit for Active/Standby Failover, on page 258.
For example:

ciscoasa(config)# failover lan interface folink gigabitethernet0/3
INFO: Non-failover interface config is cleared on GigabitEthernet0/3 and its sub-interfaces
ciscoasa(config)# failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2
ciscoasa(config)# interface gigabitethernet 0/3
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# failover link folink gigabitethernet0/3
ciscoasa(config)# failover ipsec pre-shared-key a3rynsun
ciscoasa(config)# failover

Step 2 After the failover configuration syncs, save the configuration to flash memory:

ciscoasa(config)# write memory

Configure Active/Active Failover


This section tells how to configure Active/Active failover.

Configure the Primary Unit for Active/Active Failover


Follow the steps in this section to configure the primary unit in an Active/Active failover configuration. These
steps provide the minimum configuration needed to enable failover on the primary unit.

Before you begin


• Enable multiple context mode according to Enable or Disable Multiple Context Mode, on page 198.
• We recommend that you configure standby IP addresses for all interfaces except for the failover and
state links according to Routed and Transparent Mode Interfaces, on page 491.
• Do not configure a nameif for the failover and state links.
• Complete this procedure in the system execution space. To change from the context to the system execution
space, enter the changeto system command.

Procedure

Step 1 Designate this unit as the primary unit:


failover lan unit primary

Step 2 Specify the interface to be used as the failover link:


failover lan interface if_name interface_id
Example:

ciscoasa(config)# failover lan interface folink gigabitethernet0/3

This interface cannot be used for any other purpose (except, optionally, the state link).
The if_name argument assigns a name to the interface.
The interface_id argument can be a physical interface, subinterface, redundant interface, or EtherChannel
interface ID. For the Firepower 4100/9300, you can use any data-type interface.

Step 3 Assign the active and standby IP addresses to the failover link:
failover interface ip failover_if_name {ip_address mask | ipv6_address/prefix} standby ip_address
Example:

ciscoasa(config)# failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2

Or:

ciscoasa(config)# failover interface ip folink 2001:a0a:b00::a0a:b70/64 standby 2001:a0a:b00::a0a:b71

This address should be on an unused subnet. 169.254.0.0/16 and fd00:0:0:*::/64 are internally used subnets,
and you cannot use them for the failover or state links.
The standby IP address must be in the same subnet as the active IP address.

Step 4 Enable the failover link:


interface failover_interface_id
no shutdown
Example:

ciscoasa(config)# interface gigabitethernet 0/3
ciscoasa(config-if)# no shutdown

Step 5 (Optional) Specify the interface you want to use as the state link:
failover link if_name interface_id
Example:

ciscoasa(config)# failover link statelink gigabitethernet0/4

We recommend specifying a separate interface from the failover link or data interfaces.
The if_name argument assigns a name to the interface.
The interface_id argument can be a physical interface, subinterface, redundant interface, or EtherChannel
interface ID. On the ASASM, the interface_id specifies a VLAN ID.

Step 6 If you specified a separate state link, assign the active and standby IP addresses to the state link:
failover interface ip state_if_name {ip_address mask | ipv6_address/prefix} standby ip_address
Example:

ciscoasa(config)# failover interface ip statelink 172.27.49.1 255.255.255.0 standby 172.27.49.2

Or:

ciscoasa(config)# failover interface ip statelink 2001:a0a:b00:a::a0a:b70/64 standby 2001:a0a:b00:a::a0a:b71

This address should be on an unused subnet, different from the failover link. 169.254.0.0/16 and fd00:0:0:*::/64
are internally used subnets, and you cannot use them for the failover or state links.
The standby IP address must be in the same subnet as the active IP address.
Skip this step if you are sharing the state link.

Step 7 If you specified a separate state link, enable the state link:
interface state_interface_id
no shutdown
Example:

ciscoasa(config)# interface gigabitethernet 0/4
ciscoasa(config-if)# no shutdown

Skip this step if you are sharing the state link.

Step 8 (Optional) Do one of the following to encrypt communications on the failover and state links:
• (Preferred) Establish IPsec LAN-to-LAN tunnels on the failover and state links between the units to
encrypt all failover communications:
failover ipsec pre-shared-key [0 | 8] key

ciscoasa(config)# failover ipsec pre-shared-key a3rynsun

The key can be up to 128 characters in length. Identify the same key on both units. The key is used by
IKEv2 to establish the tunnels.

If you use a master passphrase (see Configure the Master Passphrase, on page 557), then the key is
encrypted in the configuration. If you are copying from the configuration (for example, from more
system:running-config output), specify that the key is encrypted by using the 8 keyword. 0 is used by
default, specifying an unencrypted password.
The failover ipsec pre-shared-key shows as ***** in show running-config output; this obscured key
is not copyable.
If you do not configure failover and state link encryption, failover communication, including any passwords
or keys in the configuration that are sent during command replication, will be in clear text.
You cannot use both IPsec encryption and the legacy failover key encryption. If you configure both
methods, IPsec is used. However, if you use the master passphrase, you must first remove the failover
key using the no failover key command before you configure IPsec encryption.
Failover LAN-to-LAN tunnels do not count against the IPsec (Other VPN) license.
• (Optional) Encrypt failover communication on the failover and state links:
failover key [0 | 8] {hex key | shared_secret}

ciscoasa(config)# failover key johncr1cht0n

Use a shared_secret, from 1 to 63 characters, or a 32-character hex key.


For the shared_secret, you can use any combination of numbers, letters, or punctuation. The shared secret
or hex key is used to generate the encryption key. Identify the same key on both units.
If you use a master passphrase (see Configure the Master Passphrase, on page 557), then the shared secret
or hex key is encrypted in the configuration. If you are copying from the configuration (for example,
from more system:running-config output), specify that the shared secret or hex key is encrypted by
using the 8 keyword. 0 is used by default, specifying an unencrypted password.
The failover key shared secret shows as ***** in show running-config output; this obscured key is not
copyable.
If you do not configure failover and state link encryption, failover communication, including any passwords
or keys in the configuration that are sent during command replication, will be in clear text.

Step 9 Create failover group 1:


failover group 1
primary
preempt [delay]
Example:

ciscoasa(config)# failover group 1
ciscoasa(config-fover-group)# primary
ciscoasa(config-fover-group)# preempt 1200

Typically, you assign group 1 to the primary unit, and group 2 to the secondary unit. Both failover groups
become active on the unit that boots first (even if it seems like they boot simultaneously, one unit becomes
active first), despite the primary or secondary setting for the group. The preempt command causes the failover
group to become active on the designated unit automatically when that unit becomes available.

You can enter an optional delay value, which specifies the number of seconds the failover group remains
active on the current unit before automatically becoming active on the designated unit. Valid values are from
1 to 1200.
If Stateful Failover is enabled, the preemption is delayed until the connections are replicated from the unit on
which the failover group is currently active.
If you manually fail over, the preempt command is ignored.

Step 10 Create failover group 2 and assign it to the secondary unit:


failover group 2
secondary
preempt [delay]
Example:

ciscoasa(config)# failover group 2
ciscoasa(config-fover-group)# secondary
ciscoasa(config-fover-group)# preempt 1200

Step 11 Enter the context configuration mode for a given context, and assign the context to a failover group:
context name
join-failover-group {1 | 2}
Example:

ciscoasa(config)# context Eng
ciscoasa(config-ctx)# join-failover-group 2

Repeat this command for each context.


Any unassigned contexts are automatically assigned to failover group 1. The admin context is always a member
of failover group 1; you cannot assign it to group 2.

Step 12 Enable failover:


failover

Step 13 Save the system configuration to flash memory:


write memory

Examples
The following example configures the failover parameters for the primary unit:

failover lan unit primary
failover lan interface folink gigabitethernet0/3
failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2
interface gigabitethernet 0/3
no shutdown
failover link statelink gigabitethernet0/4
failover interface ip statelink 172.27.49.1 255.255.255.0 standby 172.27.49.2
interface gigabitethernet 0/4
no shutdown
failover group 1
primary
preempt
failover group 2
secondary
preempt
context admin
join-failover-group 1
failover ipsec pre-shared-key a3rynsun
failover
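As an added illustration (not Cisco code and not part of this guide), the following Python script applies the addressing and key rules stated in the Active/Standby primary-unit procedure (Steps 1 to 10) and in the Active/Active procedure above (Steps 1 to 13), then emits the resulting primary-unit commands. The Link class, the primary_unit_config and violates_rules functions, and the constructed sample values are assumptions of the example; the reserved subnets, the standby-in-same-subnet rule, the key lengths and the failover-group rules are the ones the procedures state. It writes the interface command as interface gigabitethernet0/3, without the space the guide's examples use; the ASA accepts either spelling.

```python
"""Check failover/state link addressing and emit the primary unit's minimal failover commands.

Added illustration for this guide; it is not Cisco code. The rules it enforces are the ones
the procedures state: the links may not use 169.254.0.0/16 or fd00:0:0:*::/64, the standby
address must be in the active address's subnet, a dedicated state link needs a subnet that
differs from the failover link, the IPsec pre-shared key is at most 128 characters, the legacy
failover key is 1-63 characters or 32 hex digits, only failover groups 1 and 2 exist, and the
admin context is always in group 1. Names and addresses below are the guide's sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

RESERVED_V4 = ipaddress.ip_network("169.254.0.0/16")
RESERVED_V6 = ipaddress.ip_network("fd00::/48")   # every fd00:0:0:*::/64 lies inside this /48


@dataclass
class Link:
    """A failover or state link (hypothetical helper type, not an ASA concept)."""
    name: str      # if_name, for example "folink"
    iface: str     # interface_id, for example "gigabitethernet0/3"
    active: str    # active address with mask or prefix: "172.27.48.1/255.255.255.0" or "2001:db8::1/64"
    standby: str   # standby address, which must be in the active address's subnet

    def check(self, failover_link: Optional["Link"] = None):
        """Validate the addressing rules; return the link's subnet or raise ValueError."""
        active = ipaddress.ip_interface(self.active)
        standby = ipaddress.ip_address(self.standby)
        reserved = RESERVED_V4 if active.version == 4 else RESERVED_V6
        if active.network.overlaps(reserved):
            raise ValueError(f"{self.name}: {active.network} is an internally used subnet")
        if standby not in active.network:
            raise ValueError(f"{self.name}: standby {standby} is not in {active.network}")
        if standby == active.ip:
            raise ValueError(f"{self.name}: active and standby addresses must differ")
        if failover_link is not None and active.network.overlaps(failover_link.check()):
            raise ValueError(f"{self.name}: state link must not share the failover link subnet")
        return active.network

    def ip_command(self) -> str:
        """Render 'failover interface ip ...' (IPv4 takes a dotted mask, IPv6 a prefix length)."""
        active = ipaddress.ip_interface(self.active)
        addr = (f"{active.ip} {active.netmask}" if active.version == 4
                else f"{active.ip}/{active.network.prefixlen}")
        return f"failover interface ip {self.name} {addr} standby {self.standby}"


def violates_rules(link: Link, failover_link: Optional[Link] = None) -> Optional[str]:
    """Return the rule a link breaks, or None when the link is acceptable."""
    try:
        link.check(failover_link)
    except ValueError as exc:
        return str(exc)
    return None


def primary_unit_config(failover: Link, state: Optional[Link] = None, ipsec_key: Optional[str] = None,
                        failover_key: Optional[str] = None,
                        context_groups: Optional[Dict[str, int]] = None) -> List[str]:
    """Commands for the primary unit. Omit state to share the failover link as the state link;
    pass context_groups (context name -> failover group) for the Active/Active variant."""
    failover.check()
    cmds = ["failover lan unit primary",
            f"failover lan interface {failover.name} {failover.iface}",
            failover.ip_command(),
            f"interface {failover.iface}", "no shutdown"]
    if state is None:
        cmds.append(f"failover link {failover.name} {failover.iface}")   # shared state link
    else:
        state.check(failover_link=failover)
        cmds += [f"failover link {state.name} {state.iface}", state.ip_command(),
                 f"interface {state.iface}", "no shutdown"]
    if context_groups is not None:
        if context_groups.get("admin", 1) != 1:
            raise ValueError("the admin context is always a member of failover group 1")
        if any(group not in (1, 2) for group in context_groups.values()):
            raise ValueError("only failover groups 1 and 2 can be defined")
        cmds += ["failover group 1", "primary", "preempt",
                 "failover group 2", "secondary", "preempt"]
        for ctx, group in context_groups.items():
            cmds += [f"context {ctx}", f"join-failover-group {group}"]
    if ipsec_key is not None:
        if not 1 <= len(ipsec_key) <= 128:
            raise ValueError("IPsec pre-shared key must be 1 to 128 characters")
        cmds.append(f"failover ipsec pre-shared-key {ipsec_key}")
    elif failover_key is not None:
        is_hex = len(failover_key) == 32 and all(c in "0123456789abcdefABCDEF" for c in failover_key)
        if not (is_hex or 1 <= len(failover_key) <= 63):
            raise ValueError("failover key must be 1-63 characters or a 32-character hex key")
        cmds.append(f"failover key {'hex ' if is_hex else ''}{failover_key}")
    cmds.append("failover")
    return cmds


if __name__ == "__main__":
    folink = Link("folink", "gigabitethernet0/3", "172.27.48.1/255.255.255.0", "172.27.48.2")
    statelink = Link("statelink", "gigabitethernet0/4", "172.27.49.1/255.255.255.0", "172.27.49.2")
    print("\n".join(primary_unit_config(folink, ipsec_key="a3rynsun")))             # Active/Standby
    print("\n".join(primary_unit_config(folink, statelink, ipsec_key="a3rynsun",
                                        context_groups={"admin": 1, "Eng": 2})))   # Active/Active
```

Run without arguments, the script prints the two command sequences; the first matches the Active/Standby example above, the second the Active/Active example (with the Eng context added to group 2). Any address inside 169.254.0.0/16 or fd00:0:0:*::/64, a standby outside the active subnet, or a state link on the failover link's subnet is rejected before a command is produced, which is the check you want before pasting a failover configuration into a production unit.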

Configure the Secondary Unit for Active/Active Failover


The only configuration required on the secondary unit is for the failover link. The secondary unit requires
these commands to communicate initially with the primary unit. After the primary unit sends its configuration
to the secondary unit, the only permanent difference between the two configurations is the failover lan unit
command, which identifies each unit as primary or secondary.

Before you begin


• Enable multiple context mode according to Enable or Disable Multiple Context Mode, on page 198.
• Do not configure a nameif for the failover and state links.
• Complete this procedure in the system execution space. To change from the context to the system execution
space, enter the changeto system command.

Procedure

Step 1 Re-enter the exact same commands as on the primary unit except for the failover lan unit primary command.
You can optionally replace it with the failover lan unit secondary command, but it is not necessary because
secondary is the default setting. You also do not need to enter the failover group and join-failover-group
commands, as they are replicated from the primary unit. See Configure the Primary Unit for Active/Active
Failover, on page 262.
For example:

ciscoasa(config)# failover lan interface folink gigabitethernet0/3
INFO: Non-failover interface config is cleared on GigabitEthernet0/3 and its sub-interfaces
ciscoasa(config)# failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2
ciscoasa(config)# interface gigabitethernet 0/3
ciscoasa(config-if)# no shutdown
ciscoasa(config)# failover link statelink gigabitethernet0/4
INFO: Non-failover interface config is cleared on GigabitEthernet0/4 and its sub-interfaces
ciscoasa(config)# failover interface ip statelink 172.27.49.1 255.255.255.0 standby 172.27.49.2
ciscoasa(config)# interface gigabitethernet 0/4
ciscoasa(config-if)# no shutdown
ciscoasa(config)# failover ipsec pre-shared-key a3rynsun
ciscoasa(config)# failover

Step 2 After the failover configuration syncs from the primary unit, save the configuration to flash memory:
ciscoasa(config)# write memory

Step 3 If necessary, force failover group 2 to be active on the secondary unit:


failover active group 2

Configure Optional Failover Parameters


You can customize failover settings as desired.

Configure Failover Criteria and Other Settings


See Defaults for Failover, on page 257 for the default settings for many parameters that you can change in this
section. For Active/Active mode, you set most criteria per failover group.

Before you begin


• Configure these settings in the system execution space in multiple context mode.

Procedure

Step 1 Change the unit poll and hold times:


failover polltime [unit] [msec] poll_time [holdtime [msec] time]
Example:

ciscoasa(config)# failover polltime unit msec 200 holdtime msec 800

The polltime range is between 1 and 15 seconds or between 200 and 999 milliseconds. The holdtime range
is between 1 and 45 seconds or between 800 and 999 milliseconds. You cannot enter a holdtime value that is
less than 3 times the unit poll time. With a faster poll time, the ASA can detect failure and trigger failover
faster. However, faster detection can cause unnecessary switchovers when the network is temporarily congested.
If a unit does not hear a hello packet on the failover communication interface for one polling period, additional
testing occurs through the remaining interfaces. If there is still no response from the peer unit during the hold
time, the unit is considered failed and, if the failed unit is the active unit, the standby unit takes over as the
active unit.
In Active/Active mode, you set this rate for the system; you cannot set this rate per failover group.

Step 2 Set the session replication rate in connections per second:


failover replication rate conns

Example:

ciscoasa(config)# failover replication rate 20000

The minimum and maximum rate is determined by your model. The default is the maximum rate. In
Active/Active mode, you set this rate for the system; you cannot set this rate per failover group.

Step 3 Disable the ability to make any configuration changes directly on the standby unit or context:
failover standby config-lock
By default, configurations on the standby unit/context are allowed with a warning message.

Step 4 (Active/Active mode only) Specify the failover group you want to customize:
failover group {1 | 2}
Example:

ciscoasa(config)# failover group 1
ciscoasa(config-fover-group)#

Step 5 Enable HTTP state replication:


• For Active/Standby mode:
failover replication http
• For Active/Active mode:
replication http

To allow HTTP connections to be included in the state information replication, you need to enable HTTP
replication. We recommend enabling HTTP state replication.
Note Because of a delay when deleting HTTP flows from the standby unit when using failover, the show
conn count output might show different numbers on the active unit vs. the standby unit; if you wait
several seconds and re-issue the command, you will see the same count on both units.

Step 6 Set the threshold for failover when interfaces fail:


• For Active/Standby mode:
failover interface-policy num [%]
Example:

ciscoasa(config)# failover interface-policy 20%

• For Active/Active mode:


interface-policy num [%]
Example:

ciscoasa(config-fover-group)# interface-policy 20%

By default, one interface failure causes failover.


When specifying a specific number of interfaces, the num argument can be from 1 to 1025.
When specifying a percentage of interfaces, the num argument can be from 1 to 100.

Step 7 Change the interface poll and hold times:


• For Active/Standby mode:
failover polltime interface [msec] polltime [holdtime time]
Example:

ciscoasa(config)# failover polltime interface msec 500 holdtime 5

• For Active/Active mode:


polltime interface [msec] polltime [holdtime time]
Example:

ciscoasa(config-fover-group)# polltime interface msec 500 holdtime 5

• polltime—Sets how long to wait between sending a hello packet to the peer. Valid values for the polltime
are from 1 to 15 seconds or, if the optional msec keyword is used, from 500 to 999 milliseconds. The
default is 5 seconds.
• holdtime time—Sets the time (calculated as shown below) between the last-received hello message from the peer
unit and the commencement of interface tests to determine the health of the interface. It also sets the
duration of each interface test as holdtime/16. Valid values are from 5 to 75 seconds. The default is 5
times the polltime. You cannot enter a holdtime value that is less than five times the polltime.
To calculate the time before starting interface tests (y):
a. x = (holdtime/polltime)/2, rounded to the nearest integer. (.4 and down rounds down; .5 and up rounds
up.)
b. y = x*polltime

For example, if you use the default holdtime of 25 and polltime of 5, then y = 15 seconds.

Step 8 Configure the virtual MAC address for an interface:


• For Active/Standby mode:
failover mac address phy_if active_mac standby_mac
Example:

ciscoasa(config)# failover mac address gigabitethernet0/2 00a0.c969.87c8 00a0.c918.95d8

• For Active/Active mode:


mac address phy_if active_mac standby_mac

Example:

ciscoasa(config-fover-group)# mac address gigabitethernet0/2 00a0.c969.87c8 00a0.c918.95d8

The phy_if argument is the physical name of the interface, such as gigabitethernet0/1.
The active_mac and standby_mac arguments are MAC addresses in H.H.H format, where H is a 16-bit
hexadecimal digit. For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.
The active_mac address is associated with the active IP address for the interface, and the standby_mac is
associated with the standby IP address for the interface.
You can also set the MAC address using other commands or methods, but we recommend using only one
method. If you set the MAC address using multiple methods, the MAC address used depends on many variables,
and might not be predictable.
Use the show interface command to display the MAC address used by an interface.

Step 9 (Active/Active mode only) Repeat this procedure for the other failover group.
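The limits and formulas from Steps 1, 6, 7 and 8 of this procedure, as an added Python example that is not part of the guide and not Cisco software. The function names, the convention of passing unit times in milliseconds and interface holdtimes in seconds, and the sample inputs are assumptions of the example; the ranges, the minimum holdtime-to-polltime ratios, the round-half-up rule and the holdtime/16 test duration are those stated above. Each renderer produces the Active/Standby form by default and the per-group Active/Active form when active_active is true.

```python
"""Validate and render failover criteria (unit and interface timers, interface policy, virtual MACs).

Added illustration for this guide, not Cisco code. Limits and formulas are the ones the steps
above state; argument conventions (milliseconds for unit timers, polltime in milliseconds and
holdtime in seconds for interfaces) are choices of this example.
"""
import math
import re
from typing import Tuple


def _time_arg(ms: int, sec_range: Tuple[int, int], ms_range: Tuple[int, int], what: str) -> str:
    """Spell a time the way the CLI expects: whole seconds, or 'msec N' for sub-second values."""
    lo_s, hi_s = sec_range
    lo_ms, hi_ms = ms_range
    if ms % 1000 == 0 and lo_s <= ms // 1000 <= hi_s:
        return str(ms // 1000)
    if lo_ms <= ms <= hi_ms:
        return f"msec {ms}"
    raise ValueError(f"{what} of {ms} ms is outside {lo_s}-{hi_s} s / {lo_ms}-{hi_ms} ms")


def unit_polltime_command(poll_ms: int, hold_ms: int) -> str:
    """Step 1: polltime 1-15 s or 200-999 ms; holdtime 1-45 s or 800-999 ms; holdtime >= 3 x polltime."""
    poll = _time_arg(poll_ms, (1, 15), (200, 999), "unit polltime")
    hold = _time_arg(hold_ms, (1, 45), (800, 999), "unit holdtime")
    if hold_ms < 3 * poll_ms:
        raise ValueError("unit holdtime must be at least 3 times the polltime")
    return f"failover polltime unit {poll} holdtime {hold}"


def interface_policy_command(num: int, percent: bool = False, active_active: bool = False) -> str:
    """Step 6: 1-1025 interfaces, or 1-100 with '%'. Active/Active uses the per-group form."""
    if not 1 <= num <= (100 if percent else 1025):
        raise ValueError(f"interface-policy {num}{'%' if percent else ''} is out of range")
    return f"{'' if active_active else 'failover '}interface-policy {num}{'%' if percent else ''}"


def interface_polltime_command(poll_ms: int, hold_s: int, active_active: bool = False) -> str:
    """Step 7: polltime 1-15 s or 500-999 ms; holdtime 5-75 s and at least five times the polltime."""
    poll = _time_arg(poll_ms, (1, 15), (500, 999), "interface polltime")
    if not 5 <= hold_s <= 75:
        raise ValueError("interface holdtime must be 5 to 75 seconds")
    if hold_s * 1000 < 5 * poll_ms:
        raise ValueError("interface holdtime must be at least five times the polltime")
    return f"{'' if active_active else 'failover '}polltime interface {poll} holdtime {hold_s}"


def interface_test_timing(poll_s: float, hold_s: float) -> Tuple[float, float]:
    """Step 7 formula: x = (holdtime/polltime)/2 rounded half up, y = x * polltime seconds before
    interface tests start; each test lasts holdtime/16. Python's round() turns 2.5 into 2, so
    floor(v + 0.5) is used to get the guide's '.5 and up rounds up' behaviour."""
    x = math.floor((hold_s / poll_s) / 2 + 0.5)
    return x * poll_s, hold_s / 16


def asa_mac(mac: str) -> str:
    """Step 8: convert '00-0C-F1-42-4C-DE' (or ':'-separated) to the H.H.H form '000C.F142.4CDE'."""
    digits = re.sub(r"[-:.]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def failover_mac_command(phy_if: str, active_mac: str, standby_mac: str, active_active: bool = False) -> str:
    """Step 8: virtual MAC pair for one interface; the active and standby addresses must differ."""
    active, standby = asa_mac(active_mac), asa_mac(standby_mac)
    if active == standby:
        raise ValueError("active and standby MAC addresses must differ")
    return f"{'' if active_active else 'failover '}mac address {phy_if} {active} {standby}"


def is_rejected(func, *args, **kwargs) -> bool:
    """True when a setting is refused, so callers can probe the limits without try/except."""
    try:
        func(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(unit_polltime_command(200, 800))                       # the guide's Step 1 example
    print(interface_polltime_command(500, 5))                    # the guide's Step 7 example
    print("interface tests start after %.1f s, each lasting %.4f s" % interface_test_timing(5, 25))
    print(failover_mac_command("gigabitethernet0/2", "00a0.c969.87c8", "00a0.c918.95d8"))
```

With the default interface holdtime of 25 s and polltime of 5 s, interface_test_timing returns 15 s before testing begins, as the worked example in Step 7 states, and 1.5625 s per test; with the 500 ms polltime and 5 s holdtime from the Step 7 example it returns 2.5 s and 0.3125 s. The timer checks refuse the combinations the procedure forbids (unit holdtime below three times the polltime, interface holdtime below five times the polltime or outside 5 to 75 s), which is worth running before pushing aggressive timers to a pair that carries production traffic.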

Configure Interface Monitoring


By default, monitoring is enabled on all physical interfaces, or for the ASASM, all VLAN interfaces, and on
any hardware or software modules installed on the ASA, such as the ASA FirePOWER module.
You might want to exclude interfaces attached to less critical networks from affecting your failover policy.
You can monitor up to 1025 interfaces on a unit (across all contexts in multiple context mode).

Before you begin


In multiple context mode, configure interfaces within each context.

Procedure

Enable or disable health monitoring for an interface:


[no] monitor-interface {if_name | service-module}
Example:

ciscoasa(config)# monitor-interface inside


ciscoasa(config)# no monitor-interface eng1

If you do not want a hardware or software module failure, such as the ASA FirePOWER module, to trigger
failover, you can disable module monitoring using the no monitor-interface service-module command. Note
that for the ASA 5585-X, if you disable monitoring of the service module, you may also want to disable
monitoring of the interfaces on the module, which are monitored separately.

Configure Support for Asymmetrically Routed Packets (Active/Active Mode)


When running in Active/Active failover, a unit might receive a return packet for a connection that originated
through its peer unit. Because the ASA that receives the packet does not have any connection information for
the packet, the packet is dropped. This drop most commonly occurs when the two ASAs in an Active/Active
failover pair are connected to different service providers and the outbound connection does not use a NAT
address.
You can prevent the return packets from being dropped by allowing asymmetrically routed packets. To do
so, you assign the similar interfaces on each ASA to the same ASR group. For example, both ASAs connect
to the inside network on the inside interface, but connect to separate ISPs on the outside interface. On the
primary unit, assign the active context outside interface to ASR group 1; on the secondary unit, assign the
active context outside interface to the same ASR group 1. When the primary unit outside interface receives
a packet for which it has no session information, it checks the session information for the other interfaces in
standby contexts that are in the same group; in this case, ASR group 1. If it does not find a match, the packet
is dropped. If it finds a match, then one of the following actions occurs:
• If the incoming traffic originated on a peer unit, some or all of the layer 2 header is rewritten and the
packet is redirected to the other unit. This redirection continues as long as the session is active.
• If the incoming traffic originated on a different interface on the same unit, some or all of the layer 2
header is rewritten and the packet is reinjected into the stream.

Note This feature does not provide asymmetric routing; it restores asymmetrically routed packets to the correct
interface.

The following figure shows an example of an asymmetrically routed packet.

Figure 45: ASR Example

1. An outbound session passes through the ASA with the active SecAppA context. It exits interface outside
ISP-A (192.168.1.1).
2. Because of asymmetric routing configured somewhere upstream, the return traffic comes back through
the interface outsideISP-B (192.168.2.2) on the ASA with the active SecAppB context.
3. Normally the return traffic would be dropped because there is no session information for the traffic on
interface 192.168.2.2. However, the interface is configured as part of ASR group 1. The unit looks for
the session on any other interface configured with the same ASR group ID.
4. The session information is found on interface outsideISP-A (192.168.1.2), which is in the standby state
on the unit with SecAppB. Stateful Failover replicated the session information from SecAppA to SecAppB.
5. Instead of being dropped, the layer 2 header is rewritten with information for interface 192.168.1.1 and
the traffic is redirected out of the interface 192.168.1.2, where it can then return through the interface on
the unit from which it originated (192.168.1.1 on SecAppA). This forwarding continues as needed until
the session ends.

Before you begin


• Stateful Failover—Passes state information for sessions on interfaces in the active failover group to the
standby failover group.
• Replication HTTP—HTTP session state information is not passed to the standby failover group, and
therefore is not present on the standby interface. For the ASA to be able to re-route asymmetrically routed
HTTP packets, you need to replicate the HTTP state information.
• Perform this procedure within each active context on the primary and secondary units.

• You cannot configure both ASR groups and traffic zones within a context. If you configure a zone in a
context, none of the context interfaces can be part of an ASR group.

Procedure

Step 1 On the primary unit, specify the interface for which you want to allow asymmetrically routed packets:
interface phy_if
Example:

primary/admin(config)# interface gigabitethernet 0/0

Step 2 Set the ASR group number for the interface:


asr-group num
Example:

primary/admin(config-if)# asr-group 1

Valid values for num range from 1 to 32.

Step 3 On the secondary unit, specify the similar interface for which you want to allow asymmetrically routed packets:
interface phy_if
Example:

secondary/ctx1(config)# interface gigabitethernet 0/1

Step 4 Set the ASR group number for the interface to match the primary unit interface:
asr-group num
Example:

secondary/ctx1(config-if)# asr-group 1

Examples
The two units have the following configuration (configurations show only the relevant commands).
The device labeled SecAppA in the diagram is the primary unit in the failover pair.
Primary Unit System Configuration

interface GigabitEthernet0/1
description LAN/STATE Failover Interface
interface GigabitEthernet0/2
no shutdown
interface GigabitEthernet0/3
no shutdown
interface GigabitEthernet0/4
no shutdown
interface GigabitEthernet0/5
no shutdown
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/1
failover link folink
failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.11
failover group 1
primary
failover group 2
secondary
admin-context SecAppA
context SecAppA
allocate-interface GigabitEthernet0/2
allocate-interface GigabitEthernet0/3
config-url flash:/admin.cfg
join-failover-group 1
context SecAppB
allocate-interface GigabitEthernet0/4
allocate-interface GigabitEthernet0/5
config-url flash:/ctx1.cfg
join-failover-group 2

SecAppA Context Configuration

interface GigabitEthernet0/2
nameif outsideISP-A
security-level 0
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
asr-group 1
interface GigabitEthernet0/3
nameif inside
security-level 100
ip address 10.1.0.1 255.255.255.0 standby 10.1.0.11
monitor-interface outsideISP-A

SecAppB Context Configuration

interface GigabitEthernet0/4
nameif outsideISP-B
security-level 0
ip address 192.168.2.2 255.255.255.0 standby 192.168.2.1
asr-group 1
interface GigabitEthernet0/5
nameif inside
security-level 100
ip address 10.2.20.1 255.255.255.0 standby 10.2.20.11

Manage Failover
This section describes how to manage Failover units after you enable Failover, including how to change the
Failover setup and how to force failover from one unit to another.

Force Failover
To force the standby unit to become active, perform the following procedure.

Before you begin


In multiple context mode, perform this procedure in the System execution space.

Procedure

Step 1 Force a failover when entered on the standby unit. The standby unit becomes the active unit.
If you specify the group group_id, then this command forces a failover when entered on the standby unit for
the specified Active/Active failover group. The standby unit becomes the active unit for the failover group.
• For Active/Standby mode on the standby unit:
failover active
• For Active/Active mode on the standby unit:
failover active [group group_id]
Example:

standby# failover active group 1

Step 2 Force a failover when entered on the active unit. The active unit becomes the standby unit.
If you specify the group group_id, then this command forces a failover when entered on the active unit for
the specified failover group. The active unit becomes the standby unit for the failover group.
• For Active/Standby mode on the active unit:
no failover active
• For Active/Active mode on the active unit:
no failover active [group group_id]
Example:

active# no failover active group 1

Disable Failover
Disabling failover on one or both units causes the active and standby state of each unit to be maintained until
you reload. For an Active/Active failover pair, the failover groups remain in the active state on whichever
unit they are active, no matter which unit they are configured to prefer.
Note the following behavior when you disable failover:

• The standby unit/context remains in standby mode so that both units do not start passing traffic (this is
called a pseudo-standby state).
• The standby unit/context continues to use its standby IP addresses even though it is no longer connected
to an active unit/context.
• The standby unit/context continues to listen for a connection on the failover link. If failover is re-enabled
on the active unit/context, then the standby unit/context resumes ordinary standby status after
re-synchronizing the rest of its configuration.
• Do not enable failover manually on the standby unit to make it active; instead see Force Failover, on
page 276. If you enable failover on the standby unit, you will see a MAC address conflict that can disrupt
IPv6 traffic.
• To truly disable failover, save the no failover configuration to the startup configuration, and then reload.

Before you begin


In multiple context mode, perform this procedure in the system execution space.

Procedure

Step 1 Disable failover:


no failover

Step 2 To completely disable failover, save the configuration and reload:


write memory
reload

Restore a Failed Unit


To restore a failed unit to an unfailed state, perform the following procedure.

Before you begin


In multiple context mode, perform this procedure in the System execution space.

Procedure

Step 1 Restore a failed unit to an unfailed state:


• For Active/Standby mode:
failover reset
• For Active/Active mode:
failover reset [group group_id]

Example:

ciscoasa(config)# failover reset group 1

Restoring a failed unit to an unfailed state does not automatically make it active; restored units remain in the
standby state until made active by failover (forced or natural). An exception is a failover group (Active/Active
mode only) configured with failover preemption. If previously active, a failover group becomes active if it is
configured with preemption and if the unit on which it failed is the preferred unit.
If you specify the group group_id, this command restores a failed Active/Active failover group to an unfailed
state.

Step 2 Verify that the unit (or, in Active/Active mode, the failover group) has left the Failed state:
show failover
In Active/Active mode, limit the output to a single group with show failover group group_id.

Re-Sync the Configuration


If you enter the write standby command on the active unit, the standby unit clears its running configuration
(except for the failover commands used to communicate with the active unit), and the active unit sends its
entire configuration to the standby unit.
For multiple context mode, when you enter the write standby command in the system execution space, all
contexts are replicated. If you enter the write standby command within a context, the command replicates
only the context configuration.
Replicated commands are stored in the running configuration.

Test the Failover Functionality


To test failover functionality, perform the following procedure.

Procedure

Step 1 Test that your active unit is passing traffic as expected by using FTP (for example) to send a file between
hosts on different interfaces.
Step 2 Force a failover by entering the following command on the active unit:
Active/Standby mode:
ciscoasa(config)# no failover active
Active/Active mode:
ciscoasa(config)# no failover active group group_id

Step 3 Use FTP to send another file between the same two hosts.
Step 4 If the test was not successful, enter the show failover command to check the failover status.

Step 5 When you are finished, you can restore the unit to active status by entering the following command on the newly
active unit:
Active/Standby mode:
ciscoasa(config)# no failover active
Active/Active mode:
ciscoasa(config)# failover active group group_id
Note When an ASA interface goes down, for failover it is still considered to be a unit issue. If the ASA
detects that an interface is down, failover occurs immediately, without waiting for the interface
holdtime. The interface holdtime is only useful when the ASA considers its status to be OK, although
it is not receiving hello packets from the peer. To simulate interface holdtime, shut down the VLAN
on the switch to prevent peers from receiving hello packets from each other.

Remote Command Execution


Remote command execution lets you send commands entered at the command line to a specific failover peer.

Send a Command
Because configuration commands are replicated from the active unit or context to the standby unit or context,
you can use the failover exec command to enter configuration commands on the correct unit, no matter which
unit you are logged in to. For example, if you are logged in to the standby unit, you can use the failover exec
active command to send configuration changes to the active unit. Those changes are then replicated to the
standby unit. Do not use the failover exec command to send configuration commands to the standby unit or
context; those configuration changes are not replicated to the active unit and the two configurations will no
longer be synchronized.
Output from configuration, exec, and show commands is displayed in the current terminal session, so you
can use the failover exec command to issue show commands on a peer unit and view the results in the current
terminal.
You must have sufficient privileges to execute a command on the local unit to execute the command on the
peer unit.

Procedure

Step 1 If you are in multiple context mode, use the changeto contextname command to change to the context you
want to configure. You cannot change contexts on the failover peer with the failover exec command.
Step 2 Use the following command to send commands to the specified failover unit:
ciscoasa(config)# failover exec {active | mate | standby}
Use the active or standby keyword to cause the command to be executed on the specified unit, even if that
unit is the current unit. Use the mate keyword to cause the command to be executed on the failover peer.

Commands that cause a command mode change do not change the prompt for the current session. You must
use the show failover exec command to display the command mode the command is executed in. See Change
Command Modes for more information.

Change Command Modes


The failover exec command maintains a command mode state that is separate from the command mode of
your terminal session. By default, the failover exec command mode starts in global configuration mode for
the specified device. You can change that command mode by sending the appropriate command (such as the
interface command) using the failover exec command. The session prompt does not change when you change
modes using failover exec.
For example, if you are logged in to global configuration mode of the active unit of a failover pair, and you
use the failover exec active command to change to interface configuration mode, the terminal prompt remains
in global configuration mode, but commands entered using failover exec are entered in interface configuration
mode.
The following examples show the difference between the terminal session mode and the failover exec command
mode. In the example, the administrator changes the failover exec mode on the active unit to interface
configuration mode for the interface GigabitEthernet0/1. After that, all commands entered using failover exec
active are sent to interface configuration mode for interface GigabitEthernet0/1. The administrator then uses
failover exec active to assign an IP address to that interface. Although the prompt indicates global configuration
mode, the failover exec active mode is in interface configuration mode.

ciscoasa(config)# failover exec active interface GigabitEthernet0/1


ciscoasa(config)# failover exec active ip address 192.168.1.1 255.255.255.0 standby
192.168.1.2
ciscoasa(config)# router rip
ciscoasa(config-router)#

Changing command modes for your current terminal session does not affect the command mode used by the
failover exec command. For example, if you are in interface configuration mode on the active unit, and you
have not changed the failover exec command mode, the following command is executed in global configuration
mode. Your session to the device remains in interface configuration mode, while subsequent commands entered
using failover exec active are sent to router configuration mode for the specified OSPF process.

ciscoasa(config-if)# failover exec active router ospf 100


ciscoasa(config-if)#

Use the show failover exec command to display the command mode on the specified device in which commands
sent with the failover exec command are executed. The show failover exec command takes the same keywords
as the failover exec command: active, mate, or standby. The failover exec mode for each device is tracked
separately.
For example, the following is sample output from the show failover exec command entered on the standby
unit:

ciscoasa(config)# failover exec active interface GigabitEthernet0/1


ciscoasa(config)# sh failover exec active
Active unit Failover EXEC is at interface sub-command mode

ciscoasa(config)# sh failover exec standby


Standby unit Failover EXEC is at config mode

ciscoasa(config)# sh failover exec mate


Active unit Failover EXEC is at interface sub-command mode

Security Considerations
The failover exec command uses the failover link to send commands to and receive the output of the command
execution from the peer unit. You should enable encryption on the failover link to prevent eavesdropping or
man-in-the-middle attacks.

Limitations of Remote Command Execution


When you use remote commands you face the following limitations:
• If you upgrade one unit using the zero-downtime upgrade procedure and not the other, both units must
be running software that supports the failover exec command for the command to work.
• Command completion and context help is not available for the commands in the cmd_string argument.
• In multiple context mode, you can only send commands to the peer context on the peer unit. To send
commands to a different context, you must first change to that context on the unit to which you are logged
in.
• You cannot use the following commands with the failover exec command:
• changeto
• debug (undebug)

• If the standby unit is in the failed state, it can still receive commands from the failover exec command
if the failure is due to a service card failure; otherwise, the remote command execution will fail.
• You cannot use the failover exec command to switch from privileged EXEC mode to global configuration
mode on the failover peer. For example, if the current unit is in privileged EXEC mode, and you enter
failover exec mate configure terminal, the show failover exec mate output will show that the failover
exec session is in global configuration mode. However, entering configuration commands for the peer
unit using failover exec will fail until you enter global configuration mode on the current unit.
• You cannot enter recursive failover exec commands, such as failover exec mate failover exec mate
command.
• Commands that require user input or confirmation must use the noconfirm option. For example, to reload
the mate, enter:
failover exec mate reload noconfirm

Monitoring Failover
This section describes how to monitor failover status.

Failover Messages
When a failover occurs, both ASAs send out system messages.

Failover Syslog Messages


The ASA issues a number of syslog messages related to failover at priority level 2, which indicates a critical
condition. To view these messages, see the syslog messages guide. The ranges of message IDs associated
with failover are: 101xxx, 102xxx, 103xxx, 104xxx, 105xxx, 210xxx, 311xxx, 709xxx, 727xxx. For example,
105032 and 105043 indicate a problem with the failover link.

Note During failover, the ASA logically shuts down and then brings up interfaces, generating syslog messages
411001 and 411002. This is normal activity.
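The message-ID ranges above are enough to triage a syslog feed for failover activity. The following Python classifier is an added example, not code from the Cisco guide: it parses the %ASA-severity-id prefix, tags messages from the failover families, singles out the two failover-link IDs named above, and treats a 411001/411002 interface state change as expected only when a failover message appeared shortly before it; a state change with no failover context is flagged for a closer look. That proximity rule is the example's own assumption, not something the guide states. The sample log lines are constructed for the example: only the message IDs come from the page, the severities and message text are illustrative.

```python
import re
from collections import Counter

# Message-ID families the guide associates with failover, the two IDs it
# names as failover-link problems, and the two interface up/down IDs it
# says are normal during a switchover.
FAILOVER_ID_PREFIXES = ("101", "102", "103", "104", "105",
                        "210", "311", "709", "727")
FAILOVER_LINK_IDS = {"105032", "105043"}
INTERFACE_STATE_IDS = {"411001", "411002"}

# %ASA-<severity>-<6-digit message id>: <text>
SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<msg>.*)")


def classify(lines, window=5):
    """Return one (message_id, category) pair per input line.

    Heuristic (this example's own, not from the guide): a 411001/411002
    interface state change counts as expected only if a failover message
    appeared within the previous `window` lines; otherwise it is flagged.
    """
    results = []
    last_failover_idx = None
    for idx, line in enumerate(lines):
        m = SYSLOG_RE.search(line)
        if not m:
            results.append((None, "unparsed"))
            continue
        mid = m.group("id")
        if mid in FAILOVER_LINK_IDS:
            last_failover_idx = idx
            results.append((mid, "failover-link-problem"))
        elif mid.startswith(FAILOVER_ID_PREFIXES):
            last_failover_idx = idx
            results.append((mid, "failover-event"))
        elif mid in INTERFACE_STATE_IDS:
            recent = (last_failover_idx is not None
                      and idx - last_failover_idx <= window)
            results.append((mid, "interface-flap-expected-after-failover"
                            if recent else "interface-flap-unexplained"))
        else:
            results.append((mid, "other"))
    return results


def summarize(lines, window=5):
    """Count of lines per category, for a quick dashboard-style view."""
    return Counter(category for _, category in classify(lines, window))


# Constructed sample log (not captured from a device): message IDs are the
# ones the guide names; severities and text are illustrative only.
SAMPLE_LOG = [
    "%ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.5/443 to inside:10.1.0.20/51000",
    "%ASA-4-411002: Line protocol on Interface inside, changed state to down",
    "%ASA-2-105043: (Primary) Failover interface failed",
    "%ASA-2-104001: (Secondary) Switching to ACTIVE - Interface check",
    "%ASA-4-411002: Line protocol on Interface outside, changed state to down",
    "%ASA-4-411001: Line protocol on Interface outside, changed state to up",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for (mid, category), line in zip(classify(SAMPLE_LOG), SAMPLE_LOG):
        print(f"{category:40} {line}")
    print(dict(summarize(SAMPLE_LOG)))
```

On the sample, the first 411002 (inside going down with no failover message before it) is flagged as unexplained, while the outside down/up pair that follows the 104001 switchover is tagged as expected; the 105043 line is the one to page on.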

Failover Debug Messages


To see debug messages, enter the debug fover command. See the command reference for more information.

Note Because debugging output is assigned high priority in the CPU process, it can drastically affect system
performance. For this reason, use the debug fover commands only to troubleshoot specific problems or during
troubleshooting sessions with Cisco TAC.

SNMP Failover Traps


To receive SNMP syslog traps for failover, configure the SNMP agent to send SNMP traps to SNMP
management stations, define a syslog host, and compile the Cisco syslog MIB into your SNMP management
station.

Monitoring Failover Status


To monitor failover status, enter one of the following commands:
• show failover
Displays information about the failover state of the unit.
• show failover group
Displays information about the failover state of the failover group. The information displayed is similar
to that of the show failover command but limited to the specified group.
• show monitor-interface
Displays information about the monitored interface.
• show running-config failover
Displays the failover commands in the running configuration.

History for Failover


Each entry gives the feature name, the release in which it appeared, and the feature information.

Active/Standby failover, 7.0(1): This feature was introduced.

Active/Active failover, 7.0(1): This feature was introduced.

Support for a hex value for the failover key, 7.0(4): You can now specify a hex value for failover link
encryption. We modified the following command: failover key hex.

Support for the master passphrase for the failover key, 8.3(1): The failover key now supports the master
passphrase, which encrypts the shared key in the running and startup configuration. If you are copying the
shared secret from one ASA to another, for example from the more system:running-config command, you can
successfully copy and paste the encrypted shared key.
Note: The failover key shared secret shows as ***** in show running-config output; this obscured key is not
copyable.
We modified the following command: failover key [0 | 8].

IPv6 support for failover added, 8.2(2): We modified the following commands: failover interface ip, show
failover, ipv6 address, show monitor-interface.

Change to failover group unit preference during "simultaneous" bootup, 9.0(1): Earlier software versions
allowed "simultaneous" boot up so that the failover groups did not require the preempt command to become
active on the preferred unit. However, this functionality has now changed so that both failover groups become
active on the first unit to boot up.

Support for IPsec LAN-to-LAN tunnels to encrypt failover and state link communications, 9.1(2): Instead of
using the proprietary encryption for the failover key (the failover key command), you can now use an IPsec
LAN-to-LAN tunnel for failover and state link encryption.
Note: Failover LAN-to-LAN tunnels do not count against the IPsec (Other VPN) license.
We introduced or modified the following commands: failover ipsec pre-shared-key, show vpn-sessiondb.

Disable health monitoring of a hardware module, 9.3(1): By default, the ASA monitors the health of an
installed hardware module such as the ASA FirePOWER module. If you do not want a hardware module failure
to trigger failover, you can disable module monitoring.
We modified the following command: monitor-interface service-module

Lock configuration changes on the standby unit or standby context in a failover pair, 9.3(2): You can now
lock configuration changes on the standby unit (Active/Standby failover) or the standby context (Active/Active
failover) so you cannot make changes on the standby unit outside normal configuration syncing.
We introduced the following command: failover standby config-lock

Enable use of the Management 1/1 interface as the failover link on the ASA 5506H, 9.5(1): On the ASA
5506H only, you can now configure the Management 1/1 interface as the failover link. This feature lets you
use all other interfaces on the device as data interfaces. Note that if you use this feature, you cannot use the
ASA Firepower module, which requires the Management 1/1 interface to remain as a regular management
interface.
We modified the following commands: failover lan interface, failover link

Carrier Grade NAT enhancements now supported in failover and ASA clustering, 9.5(2): For carrier-grade
or large-scale PAT, you can allocate a block of ports for each host, rather than have NAT allocate one port
translation at a time (see RFC 6888). This feature is now supported in failover and ASA cluster deployments.
We modified the following command: show local-host

Improved sync time for dynamic ACLs from AnyConnect when using Active/Standby failover, 9.6(2): When
you use AnyConnect on a failover pair, the sync time for the associated dynamic ACLs (dACLs) to the standby
unit is now improved. Previously, with large dACLs, the sync time could take hours, during which time the
standby unit is busy syncing instead of providing high availability backup.
We did not modify any commands.

Stateful failover for AnyConnect connections in multiple context mode, 9.6(2): Stateful failover is now
supported for AnyConnect connections in multiple context mode.
We did not modify any commands.

CHAPTER 9
ASA Cluster
Clustering lets you group multiple ASAs together as a single logical device. A cluster provides all the
convenience of a single device (management, integration into a network) while achieving the increased
throughput and redundancy of multiple devices.

Note Some features are not supported when using clustering. See Unsupported Features with Clustering, on page
365.

• About ASA Clustering, on page 287


• Licenses for ASA Clustering, on page 291
• Requirements and Prerequisites for ASA Clustering, on page 291
• Guidelines for ASA Clustering, on page 293
• Configure ASA Clustering, on page 298
• Manage Cluster Members, on page 333
• Monitoring the ASA Cluster, on page 338
• Examples for ASA Clustering, on page 344
• Reference for Clustering, on page 365
• History for ASA Clustering, on page 379

About ASA Clustering


This section describes the clustering architecture and how it works.

How the ASA Cluster Fits into Your Network


The cluster consists of multiple ASAs acting as a single unit. To act as a cluster, the ASAs need the following
infrastructure:
• Isolated, high-speed backplane network for intra-cluster communication, known as the cluster control
link.
• Management access to each ASA for configuration and monitoring.

When you place the cluster in your network, the upstream and downstream routers need to be able to
load-balance the data coming to and from the cluster using one of the following methods:
• Spanned EtherChannel (Recommended)—Interfaces on multiple members of the cluster are grouped
into a single EtherChannel; the EtherChannel performs load balancing between units.
• Policy-Based Routing (Routed firewall mode only)—The upstream and downstream routers perform
load balancing between units using route maps and ACLs.
• Equal-Cost Multi-Path Routing (Routed firewall mode only)—The upstream and downstream routers
perform load balancing between units using equal cost static or dynamic routes.

Cluster Members
Cluster members work together to accomplish the sharing of the security policy and traffic flows. This section
describes the nature of each member role.

Bootstrap Configuration
On each device, you configure a minimal bootstrap configuration including the cluster name, cluster control
link interface, and other cluster settings. The first unit on which you enable clustering typically becomes the
master unit. When you enable clustering on subsequent units, they join the cluster as slaves.

Master and Slave Unit Roles


One member of the cluster is the master unit. The master unit is determined by the priority setting in the
bootstrap configuration; the priority is set between 1 and 100, where 1 is the highest priority. All other members
are slave units. Typically, when you first create a cluster, the first unit you add becomes the master unit simply
because it is the only unit in the cluster so far.
You must perform all configuration (aside from the bootstrap configuration) on the master unit only; the
configuration is then replicated to the slave units. In the case of physical assets, such as interfaces, the
configuration of the master unit is mirrored on all slave units. For example, if you configure GigabitEthernet
0/1 as the inside interface and GigabitEthernet 0/0 as the outside interface, then these interfaces are also used
on the slave units as inside and outside interfaces.
Some features do not scale in a cluster, and the master unit handles all traffic for those features.

Cluster Interfaces
You can configure data interfaces as either Spanned EtherChannels or as Individual interfaces. All data
interfaces in the cluster must be one type only. See About Cluster Interfaces, on page 298 for more information.

Cluster Control Link


Each unit must dedicate at least one hardware interface as the cluster control link. See About the Cluster
Control Link, on page 298 for more information.

Configuration Replication
All units in the cluster share a single configuration. You can only make configuration changes on the master
unit, and changes are automatically synced to all other units in the cluster.

ASA Cluster Management


One of the benefits of using ASA clustering is the ease of management. This section describes how to manage
the cluster.

Management Network
We recommend connecting all units to a single management network. This network is separate from the cluster
control link.

Management Interface
For the management interface, we recommend using one of the dedicated management interfaces. You can
configure the management interfaces as Individual interfaces (for both routed and transparent modes) or as a
Spanned EtherChannel interface.
We recommend using Individual interfaces for management, even if you use Spanned EtherChannels for your
data interfaces. Individual interfaces let you connect directly to each unit if necessary, while a Spanned
EtherChannel interface only allows remote connection to the current master unit.

Note If you use Spanned EtherChannel interface mode, and configure the management interface as an Individual
interface, you cannot enable dynamic routing for the management interface. You must use a static route.

For an Individual interface, the Main cluster IP address is a fixed address for the cluster that always belongs
to the current master unit. For each interface, you also configure a range of addresses so that each unit, including
the current master, can use a Local address from the range. The Main cluster IP address provides consistent
management access to an address; when a master unit changes, the Main cluster IP address moves to the new
master unit, so management of the cluster continues seamlessly. The Local IP address is used for routing, and
is also useful for troubleshooting.
For example, you can manage the cluster by connecting to the Main cluster IP address, which is always
attached to the current master unit. To manage an individual member, you can connect to the Local IP address.
For outbound management traffic such as TFTP or syslog, each unit, including the master unit, uses the Local
IP address to connect to the server.
For a Spanned EtherChannel interface, you can only configure one IP address, and that IP address is always
attached to the master unit. You cannot connect directly to a slave unit using the EtherChannel interface; we
recommend configuring the management interface as an Individual interface so that you can connect to each
unit. Note that you can use a device-local EtherChannel for management.

Master Unit Management Vs. Slave Unit Management


All management and monitoring can take place on the master unit. From the master unit, you can check
runtime statistics, resource usage, or other monitoring information of all units. You can also issue a command
to all units in the cluster, and replicate the console messages from slave units to the master unit.

You can also monitor slave units directly if desired. File management on a slave unit (including backing up the configuration and updating images) can be done on the slave itself as well as from the master unit. The following functions are only available on the individual unit, not from the master unit:
• Monitoring per-unit cluster-specific statistics.
• Syslog monitoring per unit (except for syslogs sent to the console when console replication is enabled).
• SNMP
• NetFlow

RSA Key Replication


When you create an RSA key on the master unit, the key is replicated to all slave units. If you have an SSH
session to the Main cluster IP address, you will be disconnected if the master unit fails. The new master unit
uses the same key for SSH connections, so that you do not need to update the cached SSH host key when you
reconnect to the new master unit.

ASDM Connection Certificate IP Address Mismatch


By default, a self-signed certificate is used for the ASDM connection based on the Local IP address. If you
connect to the Main cluster IP address using ASDM, then a warning message about a mismatched IP address
appears because the certificate uses the Local IP address, and not the Main cluster IP address. You can ignore
the message and establish the ASDM connection. However, to avoid this type of warning, you can enroll a
certificate that contains the Main cluster IP address and all the Local IP addresses from the IP address pool.
You can then use this certificate for each cluster member.

Inter-Site Clustering
For inter-site installations, you can take advantage of ASA clustering as long as you follow the recommended
guidelines.
You can configure each cluster chassis to belong to a separate site ID.
Site IDs work with site-specific MAC addresses and IP addresses. Packets sourced from the cluster use a
site-specific MAC address and IP address, while packets received by the cluster use a global MAC address
and IP address. This feature prevents the switches from learning the same global MAC address from both
sites on two different ports, which causes MAC flapping; instead, they only learn the site MAC address.
Site-specific MAC addresses and IP address are supported for routed mode using Spanned EtherChannels
only.
Site IDs are also used to enable flow mobility using LISP inspection.
See the following sections for more information about inter-site clustering:
• Sizing the Data Center Interconnect—Requirements and Prerequisites for ASA Clustering, on page 291
• Inter-Site Guidelines—Guidelines for ASA Clustering, on page 293
• Configure Cluster Flow Mobility—Configure Cluster Flow Mobility, on page 329
• Inter-Site Examples—Examples for Inter-Site Clustering, on page 361

Licenses for ASA Clustering


Cluster units do not require the same license on each unit. Typically, you buy a license only for the master
unit; slave units inherit the master license. If you have licenses on multiple units, they combine into a single
running ASA cluster license.
There are exceptions to this rule. See the following table for precise licensing requirements for clustering.

Model                                    License Requirement

ASA 5585-X                               Cluster License, supports up to 16 units.
                                         Note: Each unit must have the same encryption license; each unit must have the same
                                         10 GE I/O (Security Plus) license (ASA 5585-X with SSP-10 and -20).

ASA 5516-X                               Base license, supports 2 units.
                                         Note: Each unit must have the same encryption license.

ASA 5512-X                               Security Plus license, supports 2 units.
                                         Note: Each unit must have the same encryption license.

ASA 5515-X, ASA 5525-X, ASA 5545-X,      Base License, supports 2 units.
ASA 5555-X                               Note: Each unit must have the same encryption license.

Firepower 4100/9300 Chassis              See ASA Cluster Licenses for the ASA on the Firepower 4100/9300 Chassis, on page 118.

All other models                         No support.

Requirements and Prerequisites for ASA Clustering


Model Requirements
• ASA 5516-X—Maximum 2 units
• ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X—Maximum 2 units
• ASA 5585-X—Maximum 16 units
For the ASA 5585-X with SSP-10 and SSP-20, which include two Ten Gigabit Ethernet interfaces, we
recommend using one interface for the cluster control link, and the other for data (you can use subinterfaces
for data). Although this setup does not accommodate redundancy for the cluster control link, it does
satisfy the need to size the cluster control link to match the size of the data interfaces.
• ASA FirePOWER module—The ASA FirePOWER module does not support clustering directly, but you
can use these modules in a cluster. You are responsible for maintaining consistent policies on the ASA
FirePOWER modules in the cluster.

Note Create the cluster before you configure the ASA FirePOWER modules. If the
modules are already configured on the slave devices, clear the interface
configuration on the devices before adding them to the cluster. From the CLI,
enter the clear configure interface command.

ASA Hardware and Software Requirements


All units in a cluster:
• Must be the same model with the same DRAM. You do not have to have the same amount of flash
memory.
• Must run the identical software except at the time of an image upgrade. Hitless upgrade is supported.
• Must be in the same security context mode, single or multiple.
• (Single context mode) Must be in the same firewall mode, routed or transparent.
• New cluster members must use the same SSL encryption setting (the ssl encryption command) as the
master unit for initial cluster control link communication before configuration replication.
• Must have the same cluster, encryption and, for the ASA 5585-X, 10 GE I/O licenses.

Switch Requirements
• Be sure to complete the switch configuration before you configure clustering on the ASAs.
• For a list of supported switches, see Cisco ASA Compatibility.

ASA Requirements
• Provide each unit with a unique IP address before you join them to the management network.
• See the Getting Started chapter for more information about connecting to the ASA and setting the
management IP address.
• Except for the IP address used by the master unit (typically the first unit you add to the cluster),
these management IP addresses are for temporary use only.
• After a slave joins the cluster, its management interface configuration is replaced by the one replicated
from the master unit.

• To use jumbo frames on the cluster control link (recommended), you must enable Jumbo Frame
Reservation before you enable clustering.

Sizing the Data Center Interconnect for Inter-Site Clustering


You should reserve bandwidth on the data center interconnect (DCI) for cluster control link traffic equivalent
to the following calculation, which the worked examples below apply: the number of cluster members at a site,
divided by 2, multiplied by the cluster control link bandwidth of one member.

If the number of members differs at each site, use the larger number for your calculation. The minimum
bandwidth for the DCI should not be less than the size of the cluster control link for one member.
For example:
• For 4 members at 2 sites:
• 4 cluster members total
• 2 members at each site
• 5 Gbps cluster control link per member

Reserved DCI bandwidth = 5 Gbps (2/2 x 5 Gbps).


• For 6 members at 3 sites, the size increases:
• 6 cluster members total
• 3 members at site 1, 2 members at site 2, and 1 member at site 3
• 10 Gbps cluster control link per member

Reserved DCI bandwidth = 15 Gbps (3/2 x 10 Gbps).


• For 2 members at 2 sites:
• 2 cluster members total
• 1 member at each site
• 10 Gbps cluster control link per member

Reserved DCI bandwidth = 10 Gbps (1/2 x 10 Gbps = 5 Gbps; but the minimum bandwidth should not
be less than the size of the cluster control link (10 Gbps)).
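The sizing rule as the three examples above apply it, as an added Python example that is not part of the guide. The function name and input shape are my own; the rule itself (member count at the larger site divided by 2, times one member's cluster control link size, never less than one member's link size) is taken from the examples rather than from a formula printed on the page.

```python
"""Added example: DCI bandwidth reservation for inter-site ASA clustering,
reconstructed from the guide's worked examples (not Cisco's code)."""
from typing import Sequence


def reserved_dci_bandwidth_gbps(members_per_site: Sequence[int],
                                ccl_gbps_per_member: float) -> float:
    """Return the DCI bandwidth (Gbps) to reserve for cluster control link traffic.

    members_per_site    -- member count at each site, e.g. [3, 2, 1]
    ccl_gbps_per_member -- size of one member's cluster control link

    When sites differ in size the larger count is used, and the result is
    clamped to at least one member's CCL size, so a one-member-per-site
    deployment does not under-reserve (the guide's third example).
    """
    if len(members_per_site) < 2:
        raise ValueError("inter-site sizing needs at least two sites")
    if any(n < 1 for n in members_per_site) or ccl_gbps_per_member <= 0:
        raise ValueError("member counts and CCL size must be positive")
    largest_site = max(members_per_site)
    computed = largest_site / 2 * ccl_gbps_per_member
    return max(computed, ccl_gbps_per_member)


if __name__ == "__main__":
    # The guide's own three examples, constructed here as input.
    print(reserved_dci_bandwidth_gbps([2, 2], 5))      # 5.0
    print(reserved_dci_bandwidth_gbps([3, 2, 1], 10))  # 15.0
    print(reserved_dci_bandwidth_gbps([1, 1], 10))     # 10.0 (clamped up from 5.0)
```

The clamp is the part worth checking in a design review: without it the two-site, one-member-per-site case computes to half a link and would be undersized for the state replication and forwarded traffic the cluster control link carries.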

Other Requirements
We recommend using a terminal server to access all cluster member unit console ports. For initial setup, and
ongoing management (for example, when a unit goes down), a terminal server is useful for remote management.

Guidelines for ASA Clustering


Context Mode
The mode must match on each member unit.

Firewall Mode
For single mode, the firewall mode must match on all units.

Failover
Failover is not supported with clustering.

IPv6
The cluster control link is only supported using IPv4.

Switches
• For the ASR 9006, if you want to set a non-default MTU, set the ASR interface MTU to be 14 bytes
higher than the cluster device MTU. Otherwise, OSPF adjacency peering attempts may fail unless the
mtu-ignore option is used. Note that the cluster device MTU should match the ASR IPv4 MTU.
• On the switch(es) for the cluster control link interfaces, you can optionally enable Spanning Tree PortFast
on the switch ports connected to the cluster unit to speed up the join process for new units.
• When you see slow bundling of a Spanned EtherChannel on the switch, you can enable LACP rate fast
for an individual interface on the switch. Note that some switches, such as the Nexus series, do not support
LACP rate fast when performing in-service software upgrades (ISSUs), so we do not recommend using
ISSUs with clustering.
• On the switch, we recommend that you use one of the following EtherChannel load-balancing algorithms:
source-dest-ip or source-dest-ip-port (see the Cisco Nexus OS and Cisco IOS port-channel load-balance
command). Do not use a vlan keyword in the load-balance algorithm because it can cause unevenly
distributed traffic to the devices in a cluster. Do not change the load-balancing algorithm from the default
on the cluster device.
• If you change the load-balancing algorithm of the EtherChannel on the switch, the EtherChannel interface
on the switch temporarily stops forwarding traffic, and the Spanning Tree Protocol restarts. There will
be a delay before traffic starts flowing again.
• Some switches do not support dynamic port priority with LACP (active and standby links). You can
disable dynamic port priority to provide better compatibility with Spanned EtherChannels.
• Switches on the cluster control link path should not verify the L4 checksum. Redirected traffic over the
cluster control link does not have a correct L4 checksum. Switches that verify the L4 checksum could
cause traffic to be dropped.
• Port-channel bundling downtime should not exceed the configured keepalive interval.
• On Supervisor 2T EtherChannels, the default hash distribution algorithm is adaptive. To avoid asymmetric
traffic in a VSS design, change the hash algorithm on the port-channel connected to the cluster device
to fixed:
router(config)# port-channel id hash-distribution fixed
Do not change the algorithm globally; you may want to take advantage of the adaptive algorithm for the
VSS peer link.
• On Cisco Nexus switches, disable the LACP Graceful Convergence feature on all cluster-facing EtherChannel
interfaces for ASA hardware clusters. Unlike ASA hardware clusters, Firepower 4100/9300 clusters support
LACP graceful convergence, so for the Firepower platform you can leave LACP graceful convergence enabled
on connected Cisco Nexus switches.

EtherChannels
• In Catalyst 3750-X Cisco IOS software versions earlier than 15.1(1)S2, the cluster unit did not support
connecting an EtherChannel to a switch stack. With default switch settings, if the cluster unit EtherChannel
is connected cross stack, and if the master switch is powered down, then the EtherChannel connected to
the remaining switch will not come up. To improve compatibility, set the stack-mac persistent timer
command to a large enough value to account for reload time; for example, 8 minutes or 0 for indefinite.
Or, you can upgrade to a more stable switch software version, such as 15.1(1)S2.
• Spanned vs. Device-Local EtherChannel Configuration—Be sure to configure the switch appropriately
for Spanned EtherChannels vs. Device-local EtherChannels.
• Spanned EtherChannels—For cluster unit Spanned EtherChannels, which span across all members
of the cluster, the interfaces are combined into a single EtherChannel on the switch. Make sure each
interface is in the same channel group on the switch.

• Device-local EtherChannels—For cluster unit Device-local EtherChannels including any


EtherChannels configured for the cluster control link, be sure to configure discrete EtherChannels
on the switch; do not combine multiple cluster unit EtherChannels into one EtherChannel on the
switch.

Inter-Site Guidelines
See the following guidelines for inter-site clustering:
• Supports inter-site clustering in the following interface and firewall modes:

Interface Mode              Routed Firewall Mode    Transparent Firewall Mode

Individual Interface        Yes                     N/A

Spanned EtherChannel        Yes                     Yes

• For individual interface mode, when using ECMP towards a multicast Rendezvous Point (RP), we
recommend that you use a static route for the RP IP address using the Main cluster IP address as the next
hop. This static route prevents sending unicast PIM register packets to slave units. If a slave unit receives
a PIM register packet, then the packet is dropped, and the multicast stream cannot be registered.

• The cluster control link latency must be less than 20 ms round-trip time (RTT).

• The cluster control link must be reliable, with no out-of-order or dropped packets; for example, you
should use a dedicated link.
• Do not configure connection rebalancing; you do not want connections rebalanced to cluster members
at a different site.
• The cluster implementation does not differentiate between members at multiple sites for incoming
connections; therefore, connection roles for a given connection may span across sites. This is expected
behavior.
• For transparent mode, if the cluster is placed between a pair of inside and outside routers (AKA
North-South insertion), you must ensure that both inside routers share a MAC address, and also that both
outside routers share a MAC address. When a cluster member at site 1 forwards a connection to a member
at site 2, the destination MAC address is preserved. The packet will only reach the router at site 2 if the
MAC address is the same as the router at site 1.
• For transparent mode, if the cluster is placed between data networks and the gateway router at each site
for firewalling between internal networks (AKA East-West insertion), then each gateway router should
use a First Hop Redundancy Protocol (FHRP) such as HSRP to provide identical virtual IP and MAC
address destinations at each site. The data VLANs are extended across the sites using Overlay Transport
Virtualization (OTV), or something similar. You need to create filters to prevent traffic that is destined
to the local gateway router from being sent over the DCI to the other site. If the gateway router becomes
unreachable at one site, you need to remove any filters so traffic can successfully reach the other site’s
gateway.
• For routed mode using Spanned EtherChannel, configure site-specific MAC addresses. Extend the data
VLANs across the sites using OTV, or something similar. You need to create filters to prevent traffic
that is destined to the global MAC address from being sent over the DCI to the other site. If the cluster
becomes unreachable at one site, you need to remove any filters so traffic can successfully reach the
other site’s cluster units. Dynamic routing is not supported when an inter-site cluster acts as the first hop
router for an extended segment.

Additional Guidelines
• When significant topology changes occur (such as adding or removing an EtherChannel interface, enabling
or disabling an interface on the ASA or the switch, adding an additional switch to form a VSS or vPC)
you should disable the health check feature and also disable interface monitoring for the disabled interfaces.
When the topology change is complete, and the configuration change is synced to all units, you can
re-enable the interface health check feature.
• When adding a unit to an existing cluster, or when reloading a unit, there will be a temporary, limited
packet/connection drop; this is expected behavior. In some cases, the dropped packets can hang your
connection; for example, dropping a FIN/ACK packet for an FTP connection will make the FTP client
hang. In this case, you need to reestablish the FTP connection.
• If you use a Windows 2003 server connected to a Spanned EtherChannel, when the syslog server port
is down and the server does not throttle ICMP error messages, then large numbers of ICMP messages
are sent back to the ASA cluster. These messages can result in some units of the ASA cluster experiencing
high CPU, which can affect performance. We recommend that you throttle ICMP error messages.
• We do not support VXLAN in Individual Interface mode. Only Spanned EtherChannel mode supports
VXLAN.
• We do not support IS-IS in Spanned EtherChannel mode. Only Individual Interface mode supports IS-IS.

Defaults for ASA Clustering


• When using Spanned EtherChannels, the cLACP system ID is auto-generated and the system priority is
1 by default.
• The cluster health check feature is enabled by default with the holdtime of 3 seconds. Interface health
monitoring is enabled on all interfaces by default.
• The cluster auto-rejoin feature for a failed cluster control link is unlimited attempts every 5 minutes.
• The cluster auto-rejoin feature for a failed data interface is 3 attempts every 5 minutes, with the increasing
interval set to 2.
• Connection rebalancing is disabled by default. If you enable connection rebalancing, the default time
between load information exchanges is 5 seconds.
• Connection replication delay of 5 seconds is enabled by default for HTTP traffic.
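The bootstrap settings, the Individual management interface with a Main cluster IP and a Local IP pool, and the defaults listed above, written out as one bootstrap configuration for the first (intended master) unit. This is an added example, not configuration from the guide: the cluster name pod1, the unit names, the interface numbers, all addresses and the key value are assumptions chosen for illustration; the commands are those of the ASA 9.6 CLI.

```text
! Unit 1 bootstrap, entered at the console (clustering cannot be enabled over SSH).
! Spanned EtherChannel data-interface mode; "force" converts an existing configuration.
cluster interface-mode spanned force
!
! Device-local EtherChannel for the cluster control link. Not a VLAN subinterface
! and not a Management x/x port; two members so one link failure does not remove
! the unit from the cluster. The EtherChannel must be a separate port-channel on
! the switch, never combined with another unit's cluster control link.
interface TenGigabitEthernet0/6
 channel-group 1 mode on
 no shutdown
interface TenGigabitEthernet0/7
 channel-group 1 mode on
 no shutdown
interface Port-channel1
 description cluster control link
!
! Management as an Individual interface: 10.1.1.1 is the Main cluster IP that
! always follows the current master; every unit, master included, takes a Local
! IP from the pool. Both must be in the same subnet as the management network.
ip local pool mgmt_pool 10.1.1.2-10.1.1.9 mask 255.255.255.0
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.1.1.1 255.255.255.0 cluster-pool mgmt_pool
 no shutdown
!
! The cluster control link subnet (192.168.100.0/24 here) carries only cluster
! traffic; keep it isolated on the switch. The key authenticates that traffic
! and must be identical on every unit.
cluster group pod1
 local-unit unit1
 cluster-interface Port-channel1 ip 192.168.100.1 255.255.255.0
 priority 1
 key <shared-secret>
 clacp system-mac auto system-priority 1
 health-check holdtime 3
 health-check auto-rejoin data-interface 3 5 2
 enable
!
! Unit 2 differs only in local-unit unit2, cluster-interface Port-channel1 ip
! 192.168.100.2 255.255.255.0, and priority 2. It joins as a slave and receives
! everything else (including the management interface and pool) from the master.
```

The clacp, holdtime and data-interface auto-rejoin lines restate the documented defaults so that a later `show running-config cluster` makes the intended values explicit; priority 1 on this unit and a higher number on the others is what makes the first unit the master by choice rather than by join order alone.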

Configure ASA Clustering


To configure clustering, perform the following tasks.

Note To enable or disable clustering, you must use a console connection (for CLI) or an ASDM connection.

Cable the Units and Configure Interfaces


Before configuring clustering, cable the cluster control link network, management network, and data networks.
Then configure your interfaces.

About Cluster Interfaces


You can configure data interfaces as either Spanned EtherChannels or as Individual interfaces. All data
interfaces in the cluster must be one type only. Each unit must also dedicate at least one hardware interface
as the cluster control link.

About the Cluster Control Link


Each unit must dedicate at least one hardware interface as the cluster control link.

Cluster Control Link Traffic Overview


Cluster control link traffic includes both control and data traffic.
Control traffic includes:
• Master election.
• Configuration replication.
• Health monitoring.

Data traffic includes:

• State replication.
• Connection ownership queries and data packet forwarding.

Cluster Control Link Interfaces and Network


You can use any data interface(s) for the cluster control link, with the following exceptions:
• You cannot use a VLAN subinterface as the cluster control link.
• You cannot use a Management x/x interface as the cluster control link, either alone or as an EtherChannel.
• For the ASA 5585-X with an ASA FirePOWER module, Cisco recommends that you use ASA interfaces
for the cluster control link, and not interfaces on the ASA FirePOWER module. Module interfaces can
drop traffic for up to 30 seconds during a module reload, including reloads that occur during a software
upgrade. However, if needed, you can use module interfaces and ASA interfaces in the same cluster
control link EtherChannel. When the module interfaces drop, the remaining interfaces in the EtherChannel
are still up. The ASA 5585-X Network Module does not run a separate operating system, so it is not
affected by this issue.
Be aware that data interfaces on the module are also affected by reload drops. Cisco recommends always
using ASA interfaces redundantly with module interfaces in an EtherChannel.
For the ASA 5585-X with SSP-10 and SSP-20, which include two Ten Gigabit Ethernet interfaces, we
recommend using one interface for the cluster control link, and the other for data (you can use subinterfaces
for data). Although this setup does not accommodate redundancy for the cluster control link, it does
satisfy the need to size the cluster control link to match the size of the data interfaces.

You can use an EtherChannel or redundant interface.


Each cluster control link has an IP address on the same subnet. This subnet should be isolated from all other
traffic, and should include only the ASA cluster control link interfaces.
For a 2-member cluster, do not directly connect the cluster control link from one ASA to the other ASA. If
you directly connect the interfaces, then when one unit fails, the cluster control link fails, and thus the remaining
healthy unit fails. If you connect the cluster control link through a switch, then the cluster control link remains
up for the healthy unit.

Size the Cluster Control Link


If possible, you should size the cluster control link to match the expected throughput of each chassis so the
cluster-control link can handle the worst-case scenarios. For example, if you have the ASA 5585-X with
SSP-60, which can pass 14 Gbps per unit maximum in a cluster, then you should also assign interfaces to the
cluster control link that can pass at least 14 Gbps. In this case, you could use 2 Ten Gigabit Ethernet interfaces
in an EtherChannel for the cluster control link, and use the rest of the interfaces as desired for data links.
Cluster control link traffic is comprised mainly of state update and forwarded packets. The amount of traffic
at any given time on the cluster control link varies. The amount of forwarded traffic depends on the
load-balancing efficacy or whether there is a lot of traffic for centralized features. For example:
• NAT results in poor load balancing of connections, and the need to rebalance all returning traffic to the
correct units.
• AAA for network access is a centralized feature, so all traffic is forwarded to the master unit.
• When membership changes, the cluster needs to rebalance a large number of connections, thus temporarily
using a large amount of cluster control link bandwidth.

A higher-bandwidth cluster control link helps the cluster to converge faster when there are membership changes
and prevents throughput bottlenecks.

Note If your cluster has large amounts of asymmetric (rebalanced) traffic, then you should increase the cluster
control link size.

Cluster Control Link Redundancy


We recommend using an EtherChannel for the cluster control link, so that you can pass traffic on multiple
links in the EtherChannel while still achieving redundancy.
The following diagram shows how to use an EtherChannel as a cluster control link in a Virtual Switching
System (VSS) or Virtual Port Channel (vPC) environment. All links in the EtherChannel are active. When
the switch is part of a VSS or vPC, then you can connect ASA interfaces within the same EtherChannel to
separate switches in the VSS or vPC. The switch interfaces are members of the same EtherChannel port-channel
interface, because the separate switches act like a single switch. Note that this EtherChannel is device-local,
not a Spanned EtherChannel.

Cluster Control Link Reliability


To ensure cluster control link functionality, be sure the round-trip time (RTT) between units is less than 20
ms. This maximum latency enhances compatibility with cluster members installed at different geographical
sites. To check your latency, perform a ping on the cluster control link between units.
The cluster control link must be reliable, with no out-of-order or dropped packets; for example, for inter-site
deployment, you should use a dedicated link.

Cluster Control Link Failure


If the cluster control link line protocol goes down for a unit, then clustering is disabled on that unit and its data
interfaces are shut down. After you fix the cluster control link, the unit can rejoin according to the cluster
auto-rejoin settings (by default, unlimited attempts every 5 minutes for a failed cluster control link); otherwise
you must manually rejoin the cluster by re-enabling clustering.

Note When the ASA becomes inactive, all data interfaces are shut down; only the management-only interface can
send and receive traffic. The management interface remains up using the IP address the unit received from
the cluster IP pool. However, if you reload, and the unit is still inactive in the cluster, the management interface
is not accessible (because it then uses the Main IP address, which is the same as the master unit). You must
use the console port for any further configuration.

Spanned EtherChannels (Recommended)


You can group one or more interfaces per chassis into an EtherChannel that spans all chassis in the cluster.
The EtherChannel aggregates the traffic across all the available active interfaces in the channel. A Spanned
EtherChannel can be configured in both routed and transparent firewall modes. In routed mode, the
EtherChannel is configured as a routed interface with a single IP address. In transparent mode, the IP address
is assigned to the BVI, not to the bridge group member interface. The EtherChannel inherently provides load
balancing as part of basic operation.

Spanned EtherChannel Benefits


The EtherChannel method of load-balancing is recommended over other methods for the following benefits:
• Faster failure discovery.
• Faster convergence time. Individual interfaces rely on routing protocols to load-balance traffic, and
routing protocols often have slow convergence during a link failure.
• Ease of configuration.

Guidelines for Maximum Throughput


To achieve maximum throughput, we recommend the following:
• Use a load balancing hash algorithm that is “symmetric,” meaning that packets from both directions will
have the same hash, and will be sent to the same ASA in the Spanned EtherChannel. We recommend
using the source and destination IP address (the default) or the source and destination port as the hashing
algorithm.
• Use the same type of line cards when connecting the ASAs to the switch so that hashing algorithms
applied to all packets are the same.

Load Balancing
The EtherChannel link is selected using a proprietary hash algorithm, based on source or destination IP
addresses and TCP and UDP port numbers.

Note On the ASA, do not change the load-balancing algorithm from the default. On the switch, we recommend
that you use one of the following algorithms: source-dest-ip or source-dest-ip-port (see the Cisco Nexus
OS or Cisco IOS port-channel load-balance command). Do not use a vlan keyword in the load-balance
algorithm because it can cause unevenly distributed traffic to the ASAs in a cluster.

The number of links in the EtherChannel affects load balancing.


Symmetric load balancing is not always possible. If you configure NAT, then forward and return packets will
have different IP addresses and/or ports. Return traffic will be sent to a different unit based on the hash, and
the cluster will have to redirect most returning traffic to the correct unit.

EtherChannel Redundancy
The EtherChannel has built-in redundancy. It monitors the line protocol status of all links. If one link fails,
traffic is re-balanced between remaining links. If all links in the EtherChannel fail on a particular unit, but
other units are still active, then the unit is removed from the cluster.

Connecting to a VSS or vPC


You can include multiple interfaces per ASA in the Spanned EtherChannel. Multiple interfaces per ASA are
especially useful for connecting to both switches in a VSS or vPC.
Depending on your switches, you can configure up to 32 active links in the spanned EtherChannel. This feature
requires both switches in the vPC to support EtherChannels with 16 active links each (for example the Cisco
Nexus 7000 with F2-Series 10 Gigabit Ethernet Module).
For switches that support 8 active links in the EtherChannel, you can configure up to 16 active links in the
spanned EtherChannel when connecting to two switches in a VSS/vPC.
If you want to use more than 8 active links in a spanned EtherChannel, you cannot also have standby links;
the support for 9 to 32 active links requires you to disable cLACP dynamic port priority that allows the use
of standby links. You can still use 8 active links and 8 standby links if desired, for example, when connecting
to a single switch.
The following figure shows a 32 active link spanned EtherChannel in an 8-ASA cluster and a 16-ASA cluster.


The following figure shows a 16 active link spanned EtherChannel in a 4-ASA cluster and an 8-ASA cluster.


The following figure shows a traditional 8 active/8 standby link spanned EtherChannel in a 4-ASA cluster
and an 8-ASA cluster. The active links are shown as solid lines, while the inactive links are dotted. cLACP
load-balancing can automatically choose the best 8 links to be active in the EtherChannel. As shown, cLACP
helps achieve load balancing at the link level.

Individual Interfaces (Routed Firewall Mode Only)


Individual interfaces are normal routed interfaces, each with their own Local IP address. Because interface
configuration must be performed only on the master unit, the interface configuration lets you set a pool of IP
addresses to be used for a given interface on the cluster members, including one for the master. The Main
cluster IP address is a fixed address for the cluster that always belongs to the current master unit. The Main
cluster IP address is a secondary IP address on the master unit; the Local IP address is always the primary
address for routing. The Main cluster IP address provides consistent management access to an address; when
a master unit changes, the Main cluster IP address moves to the new master unit, so management of the cluster
continues seamlessly. Load balancing, however, must be configured separately on the upstream switch in this
case.

Note We recommend Spanned EtherChannels instead of Individual interfaces because Individual interfaces rely
on routing protocols to load-balance traffic, and routing protocols often have slow convergence during a link
failure.

Policy-Based Routing (Routed Firewall Mode Only)


When using Individual interfaces, each ASA interface maintains its own IP address and MAC address. One
method of load balancing is Policy-Based Routing (PBR).
We recommend this method if you are already using PBR, and want to take advantage of your existing
infrastructure. This method might offer additional tuning options vs. Spanned EtherChannel as well.
PBR makes routing decisions based on a route map and ACL. You must manually divide traffic between all
ASAs in a cluster. Because PBR is static, it may not achieve the optimum load balancing result at all times.
To achieve the best performance, we recommend that you configure the PBR policy so that forward and return
packets of a connection are directed to the same physical ASA. For example, if you have a Cisco router,
redundancy can be achieved by using Cisco IOS PBR with Object Tracking. Cisco IOS Object Tracking
monitors each ASA using ICMP ping. PBR can then enable or disable route maps based on reachability of a
particular ASA. See the following URLs for more details:
http://www.cisco.com/c/en/us/solutions/data-center-virtualization/intelligent-traffic-director/index.html
http://www.cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml

Note If you use this method of load-balancing, you can use a device-local EtherChannel as an Individual interface.

Equal-Cost Multi-Path Routing (Routed Firewall Mode Only)


When using Individual interfaces, each ASA interface maintains its own IP address and MAC address. One
method of load balancing is Equal-Cost Multi-Path (ECMP) routing.
We recommend this method if you are already using ECMP, and want to take advantage of your existing
infrastructure. This method might offer additional tuning options vs. Spanned EtherChannel as well.

ECMP routing can forward packets over multiple “best paths” that tie for top place in the routing metric. Like
EtherChannel, a hash of source and destination IP addresses and/or source and destination ports can be used
to send a packet to one of the next hops. If you use static routes for ECMP routing, then an ASA failure can
cause problems; the route continues to be used, and traffic to the failed ASA will be lost. If you use static
routes, be sure to use a static route monitoring feature such as Object Tracking. We recommend using dynamic
routing protocols to add and remove routes, in which case, you must configure each ASA to participate in
dynamic routing.

Note If you use this method of load-balancing, you can use a device-local EtherChannel as an Individual interface.

Nexus Intelligent Traffic Director (Routed Firewall Mode Only)


When using Individual interfaces, each ASA interface maintains its own IP address and MAC address.
Intelligent Traffic Director (ITD) is a high-speed hardware load-balancing solution for Nexus 5000, 6000,
7000, and 9000 switch series. In addition to fully covering the functional capabilities of traditional PBR, it
offers a simplified configuration workflow and multiple additional features for a more granular load distribution.
ITD supports IP stickiness, consistent hashing for bi-directional flow symmetry, virtual IP addressing, health
monitoring, sophisticated failure handling policies with N+M redundancy, weighted load-balancing, and
application IP SLA probes including DNS. Due to the dynamic nature of load-balancing, it achieves a more
even traffic distribution across all cluster members as compared to PBR. In order to achieve bi-directional
flow symmetry, we recommend configuring ITD such that forward and return packets of a connection are
directed to the same physical ASA. See the following URL for more details:
http://www.cisco.com/c/en/us/solutions/data-center-virtualization/intelligent-traffic-director/index.html

Cable the Cluster Units and Configure Upstream and Downstream Equipment
Before configuring clustering, cable the cluster control link network, management network, and data networks.

Procedure

Cable the cluster control link network, management network, and data networks.
Note At a minimum, an active cluster control link network is required before you configure the units to
join the cluster.

You should also configure the upstream and downstream equipment. For example, if you use EtherChannels,
then you should configure the upstream and downstream equipment for the EtherChannels.

Examples

Note This example uses EtherChannels for load-balancing. If you are using PBR or ECMP, your switch
configuration will differ.

For example, on each of 4 ASA 5585-Xs, you want to use:


• 2 Ten Gigabit Ethernet interfaces in a device-local EtherChannel for the cluster control link.
• 2 Ten Gigabit Ethernet interfaces in a Spanned EtherChannel for the inside and outside network;
each interface is a VLAN subinterface of the EtherChannel. Using subinterfaces lets both inside
and outside interfaces take advantage of the benefits of an EtherChannel.
• 1 Management interface.

You have one switch for both the inside and outside networks.

Purpose: Cluster control link
Connect Interfaces on each of 4 ASAs: TenGigabitEthernet 0/6 and TenGigabitEthernet 0/7
To Switch Ports: 8 ports total. For each TenGigabitEthernet 0/6 and TenGigabitEthernet 0/7 pair, configure
4 EtherChannels (1 EC for each ASA). These EtherChannels must all be on the same isolated cluster control
VLAN, for example VLAN 101.

Purpose: Inside and outside interfaces
Connect Interfaces on each of 4 ASAs: TenGigabitEthernet 0/8 and TenGigabitEthernet 0/9
To Switch Ports: 8 ports total. Configure a single EtherChannel (across all ASAs). On the switch, configure
these VLANs and networks now; for example, a trunk including VLAN 200 for the inside and VLAN 201 for
the outside.

Purpose: Management interface
Connect Interfaces on each of 4 ASAs: Management 0/0
To Switch Ports: 4 ports total. Place all interfaces on the same isolated management VLAN, for example
VLAN 100.

Configure the Cluster Interface Mode on Each Unit


You can only configure one type of interface for clustering: Spanned EtherChannels or Individual interfaces;
you cannot mix interface types in a cluster.

Before you begin


• You must set the mode separately on each ASA that you want to add to the cluster.
• You can always configure the management-only interface as an Individual interface (recommended),
even in Spanned EtherChannel mode. The management interface can be an Individual interface even in
transparent firewall mode.
• In Spanned EtherChannel mode, if you configure the management interface as an Individual interface,
you cannot enable dynamic routing for the management interface. You must use a static route.
• In multiple context mode, you must choose one interface type for all contexts. For example, if you have
a mix of transparent and routed mode contexts, you must use Spanned EtherChannel mode for all contexts
because that is the only interface type allowed for transparent mode.

Procedure

Step 1 Show any incompatible configuration so that you can force the interface mode and fix your configuration
later; the mode is not changed with this command:
cluster interface-mode {individual | spanned} check-details
Example:

ciscoasa(config)# cluster interface-mode spanned check-details

Step 2 Set the interface mode for clustering:
cluster interface-mode {individual | spanned} force
Example:

ciscoasa(config)# cluster interface-mode spanned force

There is no default setting; you must explicitly choose the mode. If you have not set the mode, you cannot
enable clustering.
The force option changes the mode without checking your configuration for incompatible settings. You need
to manually fix any configuration issues after you change the mode. Because any interface configuration can
only be fixed after you set the mode, we recommend using the force option so that you can at least start from
the existing configuration. You can re-run the check-details option after you set the mode for more guidance.
Without the force option, if there is any incompatible configuration, you are prompted to clear your
configuration and reload, thus requiring you to connect to the console port to reconfigure your management
access. If your configuration is compatible (rare), the mode is changed and the configuration is preserved. If
you do not want to clear your configuration, you can exit the command by typing n.
To remove the interface mode, enter the no cluster interface-mode command.

Configure Interfaces on the Master Unit


You must modify any interface that is currently configured with an IP address to be cluster-ready before you
enable clustering. For other interfaces, you can configure them before or after you enable clustering; we
recommend pre-configuring all of your interfaces so that the complete configuration is synced to new cluster
members.
This section describes how to configure interfaces to be compatible with clustering. You can configure data
interfaces as either Spanned EtherChannels or as Individual interfaces. Each method uses a different
load-balancing mechanism. You cannot configure both types in the same configuration, with the exception
of the management interface, which can be an Individual interface even in Spanned EtherChannel mode.

Configure Individual Interfaces (Recommended for the Management Interface)


Individual interfaces are normal routed interfaces, each with their own IP address taken from a pool of IP
addresses. The Main cluster IP address is a fixed address for the cluster that always belongs to the current
primary unit.
In Spanned EtherChannel mode, we recommend configuring the management interface as an Individual
interface. Individual management interfaces let you connect directly to each unit if necessary, while a Spanned
EtherChannel interface only allows connection to the current primary unit.

Before you begin


• Except for the management-only interface, you must be in Individual interface mode.
• For multiple context mode, perform this procedure in each context. If you are not already in the context
configuration mode, enter the changeto context name command.
• Individual interfaces require you to configure load balancing on neighbor devices. External load balancing
is not required for the management interface.

• (Optional) Configure the interface as a device-local EtherChannel interface, a redundant interface, and/or
configure subinterfaces.
• For an EtherChannel, this EtherChannel is local to the unit, and is not a Spanned EtherChannel.
• Management-only interfaces cannot be redundant interfaces.

Procedure

Step 1 Configure a pool of Local IP addresses (IPv4 and/or IPv6), one of which will be assigned to each cluster unit
for the interface:
(IPv4)
ip local pool poolname first-address — last-address [mask mask]
(IPv6)
ipv6 local pool poolname ipv6-address/prefix-length number_of_addresses
Example:

ciscoasa(config)# ip local pool ins 192.168.1.2-192.168.1.9
ciscoasa(config)# ipv6 local pool insipv6 2001:DB8::1002/32 8

Include at least as many addresses as there are units in the cluster. If you plan to expand the cluster, include
additional addresses. The Main cluster IP address that belongs to the current primary unit is not a part of this
pool; be sure to reserve an IP address on the same network for the Main cluster IP address.
You cannot determine the exact Local address assigned to each unit in advance; to see the address used on
each unit, enter the show ip[v6] local pool poolname command. Each cluster member is assigned a member
ID when it joins the cluster. The ID determines the Local IP used from the pool.

Step 2 Enter interface configuration mode:


interface interface_id
Example:

ciscoasa(config)# interface tengigabitethernet 0/8

Step 3 (Management interface only) Set an interface to management-only mode so that it does not pass through
traffic:
management-only
By default, Management type interfaces are configured as management-only. In transparent mode, this
command is always enabled for a Management type interface.
This setting is required if the cluster interface mode is Spanned.

Step 4 Name the interface:
nameif name
Example:

ciscoasa(config-if)# nameif inside

The name is a text string up to 48 characters, and is not case-sensitive. You can change the name by reentering
this command with a new value.

Step 5 Set the Main cluster IP address and identify the cluster pool:
(IPv4)
ip address ip_address [mask] cluster-pool poolname
(IPv6)
ipv6 address ipv6-address/prefix-length cluster-pool poolname
Example:

ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0 cluster-pool ins
ciscoasa(config-if)# ipv6 address 2001:DB8::1001/32 cluster-pool insipv6

This IP address must be on the same network as the cluster pool addresses, but not be part of the pool. You
can configure an IPv4 and/or an IPv6 address.
DHCP, PPPoE, and IPv6 autoconfiguration are not supported; you must manually configure the IP addresses.
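The constraints in Step 1 and Step 5 (pool at least as large as the cluster, every pool address and the Main cluster IP address on the same network, the Main cluster IP address outside the pool) can be checked before the configuration is pushed. The following is an added example, not code from the Cisco guide. It parses the ip local pool and ipv6 local pool forms used above; the mapping of member ID i to the i-th pool address is an assumption (the guide only says the ID selects the address, so confirm with show ip local pool on the running cluster).

```python
"""Pre-checks for an Individual-interface cluster pool and Main cluster IP address.

Added example, not from the Cisco guide. The member-ID-to-pool-index mapping in
local_ip_for_member is an assumption; verify it against show ip local pool.
"""
import ipaddress
from typing import List, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_ipv4_pool(spec: str) -> List[Address]:
    """'192.168.1.2-192.168.1.9' -> the eight addresses, inclusive."""
    first, last = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-"))
    if last < first:
        raise ValueError(f"pool end {last} precedes start {first}")
    return [ipaddress.IPv4Address(int(first) + i) for i in range(int(last) - int(first) + 1)]


def parse_ipv6_pool(spec: str, count: int) -> List[Address]:
    """'2001:DB8::1002/32', 8 -> eight consecutive addresses from the start."""
    start = ipaddress.IPv6Interface(spec).ip
    return [ipaddress.IPv6Address(int(start) + i) for i in range(count)]


def check_cluster_pool(main_cidr: str, pool: List[Address], cluster_size: int) -> List[str]:
    """main_cidr is the Main cluster IP address with its mask or prefix, for
    example '192.168.1.1/24'. Returns the problems found; an empty list means
    the pool satisfies the guide's constraints for cluster_size units."""
    main = ipaddress.ip_interface(main_cidr)
    problems = []
    if len(pool) < cluster_size:
        problems.append(f"pool has {len(pool)} addresses but the cluster has {cluster_size} units")
    for addr in pool:
        if addr not in main.network:      # False for a mismatched IP version too
            problems.append(f"pool address {addr} is outside {main.network}")
    if main.ip in pool:
        problems.append(f"Main cluster IP {main.ip} must not be part of the pool")
    return problems


def local_ip_for_member(pool: List[Address], member_id: int) -> Address:
    """Assumed mapping: 0-based member ID -> pool index."""
    return pool[member_id]


if __name__ == "__main__":
    pool = parse_ipv4_pool("192.168.1.2-192.168.1.9")
    print(check_cluster_pool("192.168.1.1/24", pool, 4))   # [] : consistent
    print(check_cluster_pool("192.168.1.5/24", pool, 4))   # Main IP inside the pool
```

Run the check once per interface (IPv4 and IPv6 separately) and once more when you plan to grow the cluster, since the pool size must cover the future member count.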

Step 6 Set the security level, where number is an integer between 0 (lowest) and 100 (highest):
security-level number
Example:

ciscoasa(config-if)# security-level 100

Step 7 Enable the interface:


no shutdown

Examples
The following example configures the Management 0/0 and Management 0/1 interfaces as a
device-local EtherChannel, and then configures the EtherChannel as an Individual interface:

ip local pool mgmt 10.1.1.2-10.1.1.9
ipv6 local pool mgmtipv6 2001:DB8:45::1002/64 8
interface management 0/0
  channel-group 1 mode active
  no shutdown
interface management 0/1
  channel-group 1 mode active
  no shutdown
interface port-channel 1
  nameif management
  ip address 10.1.1.1 255.255.255.0 cluster-pool mgmt
  ipv6 address 2001:DB8:45::1001/64 cluster-pool mgmtipv6
  security-level 100
  management-only

Configure Spanned EtherChannels


A Spanned EtherChannel spans all ASAs in the cluster, and provides load balancing as part of the EtherChannel
operation.

Before you begin


• You must be in Spanned EtherChannel interface mode.
• For multiple context mode, start this procedure in the system execution space. If you are not already in
the System configuration mode, enter the changeto system command.
• For transparent mode, configure the bridge group. See Configure the Bridge Virtual Interface (BVI), on
page 498.
• Do not specify the maximum and minimum links in the EtherChannel—We recommend that you do not
specify the maximum and minimum links in the EtherChannel (The lacp max-bundle and port-channel
min-bundle commands) on either the ASA or the switch. If you need to use them, note the following:
• The maximum links set on the ASA is the total number of active ports for the whole cluster. Be
sure the maximum links value configured on the switch is not larger than the ASA value.
• The minimum links set on the ASA is the minimum active ports to bring up a port-channel interface
per unit. On the switch, the minimum links is the minimum links across the cluster, so this value
will not match the ASA value.

• Do not change the load-balancing algorithm from the default (see the port-channel load-balance
command). On the switch, we recommend that you use one of the following algorithms: source-dest-ip
or source-dest-ip-port (see the Cisco Nexus OS and Cisco IOS port-channel load-balance command).
Do not use a vlan keyword in the load-balance algorithm because it can cause unevenly distributed traffic
to the ASAs in a cluster.
• The lacp port-priority and lacp system-priority commands are not used for a Spanned EtherChannel.
• When using Spanned EtherChannels, the port-channel interface will not come up until clustering is fully
enabled. This requirement prevents traffic from being forwarded to a unit that is not an active unit in the
cluster.

Procedure

Step 1 Specify the interface you want to add to the channel group:
interface physical_interface
Example:

ciscoasa(config)# interface gigabitethernet 0/0

The physical_interface ID includes the type, slot, and port number as type slot/port. This first interface in the
channel group determines the type and speed for all other interfaces in the group.

Step 2 Assign this interface to an EtherChannel:


channel-group channel_id mode active [vss-id {1 | 2}]
Example:

ciscoasa(config-if)# channel-group 1 mode active

The channel_id is between 1 and 48. If the port-channel interface for this channel ID does not yet exist in the
configuration, one will be added automatically:
interface port-channel channel_id
Only active mode is supported for Spanned EtherChannels.
If you are connecting the ASA to two switches in a VSS or vPC, then configure the vss-id keyword to identify
to which switch this interface is connected (1 or 2). You must also use the port-channel span-cluster
vss-load-balance command for the port-channel interface in Step 6.

Step 3 Enable the interface:


no shutdown

Step 4 (Optional) Add additional interfaces to the EtherChannel by repeating the process.
Example:

ciscoasa(config)# interface gigabitethernet 0/1


ciscoasa(config-if)# channel-group 1 mode active
ciscoasa(config-if)# no shutdown

Multiple interfaces in the EtherChannel per unit are useful for connecting to switches in a VSS or vPC. Keep
in mind that by default, a spanned EtherChannel can have only 8 active interfaces out of 16 maximum across
all members in the cluster; the remaining 8 interfaces are on standby in case of link failure. To use more than
8 active interfaces (but no standby interfaces), disable dynamic port priority using the clacp static-port-priority
command. When you disable dynamic port priority, you can use up to 32 active links across the cluster. For
example, for a cluster of 16 ASAs, you can use a maximum of 2 interfaces on each ASA, for a total of 32
interfaces in the spanned EtherChannel.
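The link limits in this step and in Connecting to a VSS or vPC above (16 member interfaces with 8 active by default, up to 32 active with clacp static-port-priority and no standby, and the per-switch active-link limit of the VSS/vPC pair) are easy to get wrong when sizing a cluster. The following planner is an added example, not code from the Cisco guide; it encodes only the limits the guide states, and the switch capabilities are inputs you supply for your own hardware.

```python
"""Planner for Spanned EtherChannel member counts across a cluster.

Added example, not from the Cisco guide. Limits encoded: default mode (cLACP
dynamic port priority) allows 16 member interfaces cluster-wide, 8 active and
the rest standby; clacp static-port-priority allows up to 32 active and no
standby; each switch must support the active links it terminates.
"""
from dataclasses import dataclass


@dataclass
class EtherChannelPlan:
    ok: bool
    active: int
    standby: int
    note: str


def plan_spanned_etherchannel(num_asas: int, links_per_asa: int,
                              static_port_priority: bool,
                              switches: int = 1, switch_max_active: int = 8) -> EtherChannelPlan:
    """switches: 1 for a single switch, 2 for a VSS/vPC pair.
    switch_max_active: active links one switch supports in a port-channel
    (your switch's value; 8 and 16 are the figures the guide mentions)."""
    total = num_asas * links_per_asa
    switch_cap = switches * switch_max_active
    if not static_port_priority:
        if total > 16:
            return EtherChannelPlan(False, 0, 0,
                f"{total} member interfaces exceed the 16 allowed with dynamic port priority; "
                "use clacp static-port-priority or fewer links per unit")
        active = min(8, total, switch_cap)
        return EtherChannelPlan(True, active, total - active,
            f"{active} active, {total - active} standby (cLACP chooses the active set)")
    if total > 32:
        return EtherChannelPlan(False, 0, 0,
            f"{total} member interfaces exceed the 32 active-link maximum")
    if total > switch_cap:
        return EtherChannelPlan(False, 0, 0,
            f"{total} active links need switch support for at least {total}; "
            f"the switches provide {switch_cap}, and there are no standby links in this mode")
    return EtherChannelPlan(True, total, 0, f"{total} active, no standby")


if __name__ == "__main__":
    # 16 ASAs x 2 links into a vPC pair of 16-active-link switches: the 32-link design
    print(plan_spanned_etherchannel(16, 2, True, switches=2, switch_max_active=16))
    # 4 ASAs x 4 links into one switch, default mode: 8 active / 8 standby
    print(plan_spanned_etherchannel(4, 4, False))
```

The planner refuses a 32-link design that keeps dynamic port priority, and refuses a static-port-priority design whose switches cannot bring up all links, because in that mode there is no standby set to absorb the excess.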

Step 5 Specify the port-channel interface:


interface port-channel channel_id
Example:

ciscoasa(config)# interface port-channel 1

This interface was created automatically when you added an interface to the channel group.

Step 6 Set this EtherChannel as a Spanned EtherChannel:
port-channel span-cluster [vss-load-balance]
Example:

ciscoasa(config-if)# port-channel span-cluster

If you are connecting the ASA to two switches in a VSS or vPC, then you should enable VSS load balancing
by using the vss-load-balance keyword. This feature ensures that the physical link connections between the
ASAs to the VSS (or vPC) pair are balanced. You must configure the vss-id keyword in the channel-group
command for each member interface before enabling load balancing (see Step 2).

Step 7 (Optional) You can set the Ethernet properties for the port-channel interface to override the properties set on
the Individual interfaces.
This method provides a shortcut to set these parameters because these parameters must match for all interfaces
in the channel group.

Step 8 (Optional) If you are creating VLAN subinterfaces on this EtherChannel, do so now.
Example:

ciscoasa(config)# interface port-channel 1.10


ciscoasa(config-if)# vlan 10

The rest of this procedure applies to the subinterfaces.

Step 9 (Multiple Context Mode) Allocate the interface to a context. Then enter:
changeto context name
interface port-channel channel_id

Example:

ciscoasa(config)# context admin
ciscoasa(config-ctx)# allocate-interface port-channel1
ciscoasa(config-ctx)# changeto context admin
ciscoasa/admin(config)# interface port-channel 1

For multiple context mode, the rest of the interface configuration occurs within each context.

Step 10 Name the interface:


nameif name
Example:

ciscoasa(config-if)# nameif inside

The name is a text string up to 48 characters, and is not case-sensitive. You can change the name by reentering
this command with a new value.

Step 11 Perform one of the following, depending on the firewall mode.
• Routed Mode—Set the IPv4 and/or IPv6 address:
(IPv4)
ip address ip_address [mask]
(IPv6)
ipv6 address ipv6-prefix/prefix-length
Example:

ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0
ciscoasa(config-if)# ipv6 address 2001:DB8::1001/32

DHCP, PPPoE, and IPv6 autoconfig are not supported.
• Transparent Mode—Assign the interface to a bridge group:
bridge-group number
Example:

ciscoasa(config-if)# bridge-group 1

Where number is an integer between 1 and 100. You can assign up to 64 interfaces to a bridge group.
You cannot assign the same interface to more than one bridge group. Note that the BVI configuration
includes the IP address.

Step 12 Set the security level:


security-level number
Example:

ciscoasa(config-if)# security-level 50

Where number is an integer between 0 (lowest) and 100 (highest).

Step 13 Configure a global MAC address for a Spanned EtherChannel to avoid potential network connectivity problems:
mac-address mac_address
Example:

ciscoasa(config-if)# mac-address 000C.F142.4CDE

With a manually-configured MAC address, the MAC address stays with the current master unit. If you do not
configure a MAC address, then if the master unit changes, the new master unit uses a new MAC address for
the interface, which can cause a temporary network outage.
In multiple context mode, if you share an interface between contexts, you should instead enable auto-generation
of MAC addresses so you do not need to set the MAC address manually. Note that you must manually configure
the MAC address using this command for non-shared interfaces.
The mac_address is in H.H.H format, where H is a 16-bit hexadecimal digit. For example, the MAC address
00-0C-F1-42-4C-DE is entered as 000C.F142.4CDE.
The first two bytes of a manual MAC address cannot be A2 if you also want to use auto-generated MAC
addresses.

Step 14 (Routed mode) For inter-site clustering, configure a site-specific MAC address and IP address for each site:
mac-address mac_address site-id number site-ip ip_address
Example:

ciscoasa(config-if)# mac-address aaaa.1111.1234
ciscoasa(config-if)# mac-address aaaa.1111.aaaa site-id 1 site-ip 10.9.9.1
ciscoasa(config-if)# mac-address aaaa.1111.bbbb site-id 2 site-ip 10.9.9.2
ciscoasa(config-if)# mac-address aaaa.1111.cccc site-id 3 site-ip 10.9.9.3
ciscoasa(config-if)# mac-address aaaa.1111.dddd site-id 4 site-ip 10.9.9.4

The site-specific IP addresses must be on the same subnet as the global IP address. The site-specific MAC
address and IP address used by a unit depends on the site ID you specify in each unit’s bootstrap configuration.

Create the Bootstrap Configuration


Each unit in the cluster requires a bootstrap configuration to join the cluster.

Configure the Master Unit Bootstrap Settings


Each unit in the cluster requires a bootstrap configuration to join the cluster. Typically, the first unit you
configure to join the cluster will be the master unit. After you enable clustering, after an election period, the
cluster elects a master unit. With only one unit in the cluster initially, that unit will become the master unit.
Subsequent units that you add to the cluster will be slave units.

Before you begin


• Back up your configurations in case you later want to leave the cluster, and need to restore your
configuration.
• For multiple context mode, complete these procedures in the system execution space. To change from
the context to the system execution space, enter the changeto system command.
• We recommend enabling jumbo frame reservation for use with the cluster control link.
• You must use the console port to enable or disable clustering. You cannot use Telnet or SSH.
• With the exception of the cluster control link, any interfaces in your configuration must be configured
with a cluster IP pool or as a Spanned EtherChannel before you enable clustering, depending on your
interface mode. If you have pre-existing interface configuration, you can either clear the interface
configuration (clear configure interface), or convert your interfaces to cluster interfaces before you
enable clustering.
• When you add a unit to a running cluster, you may see temporary, limited packet/connection drops; this
is expected behavior.
• Pre-determine the size of the cluster control link. See Size the Cluster Control Link, on page 299.

Procedure

Step 1 Enable the cluster control link interface before you join the cluster.
You will later identify this interface as the cluster control link when you enable clustering.
We recommend that you combine multiple cluster control link interfaces into an EtherChannel if you have
enough interfaces. The EtherChannel is local to the ASA, and is not a Spanned EtherChannel.
The cluster control link interface configuration is not replicated from the master unit to slave units; however,
you must use the same configuration on each unit. Because this configuration is not replicated, you must
configure the cluster control link interfaces separately on each unit.
• You cannot use a VLAN subinterface as the cluster control link.
• You cannot use a Management x/x interface as the cluster control link, either alone or as an EtherChannel.
• For the ASA 5585-X with an ASA FirePOWER module, Cisco recommends that you use ASA interfaces
for the cluster control link, and not interfaces on the ASA FirePOWER module. Module interfaces can
drop traffic for up to 30 seconds during a module reload, including reloads that occur during a software
upgrade. However, if needed, you can use module interfaces and ASA interfaces in the same cluster
control link EtherChannel. When the module interfaces drop, the remaining interfaces in the EtherChannel
are still up. The ASA 5585-X Network Module does not run a separate operating system, so it is not
affected by this issue.

a) Enter interface configuration mode:


interface interface_id
Example:

ciscoasa(config)# interface tengigabitethernet 0/6

b) (Optional, for an EtherChannel) Assign this physical interface to an EtherChannel:


channel-group channel_id mode on
Example:

ciscoasa(config-if)# channel-group 1 mode on

The channel_id is between 1 and 48. If the port-channel interface for this channel ID does not yet exist
in the configuration, one will be added automatically:
interface port-channel channel_id
We recommend using the On mode for cluster control link member interfaces to reduce unnecessary traffic
on the cluster control link. The cluster control link does not need the overhead of LACP traffic because
it is an isolated, stable network. Note: We recommend setting data EtherChannels to Active mode.
c) Enable the interface:
no shutdown
You only need to enable the interface; do not configure a name for the interface, or any other parameters.
d) (For an EtherChannel) Repeat for each additional interface you want to add to the EtherChannel:

CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6
318
High Availability and Scalability
Configure the Master Unit Bootstrap Settings

Example:

ciscoasa(config)# interface tengigabitethernet 0/7
ciscoasa(config-if)# channel-group 1 mode on
ciscoasa(config-if)# no shutdown

Step 2 (Optional) Specify the maximum transmission unit for the cluster control link interface:
mtu cluster bytes
Example:

ciscoasa(config)# mtu cluster 9000

Set the MTU between 1400 and 9198 bytes. The default MTU is 1500 bytes.
We suggest setting the MTU to 1600 bytes or greater, which requires you to enable jumbo frame reservation
before continuing with this procedure. Jumbo frame reservation requires a reload of the ASA.
This command is a global configuration command, but is also part of the bootstrap configuration that is not
replicated between units.

Step 3 Name the cluster and enter cluster configuration mode:
cluster group name
Example:

ciscoasa(config)# cluster group pod1

The name must be an ASCII string from 1 to 38 characters. You can only configure one cluster group per
unit. All members of the cluster must use the same name.

Step 4 Name this member of the cluster:
local-unit unit_name
Use a unique ASCII string from 1 to 38 characters. Each unit must have a unique name. A unit with a duplicated
name will not be allowed in the cluster.
Example:

ciscoasa(cfg-cluster)# local-unit unit1

Step 5 Specify the cluster control link interface, preferably an EtherChannel:
cluster-interface interface_id ip ip_address mask
Example:

ciscoasa(cfg-cluster)# cluster-interface port-channel2 ip 192.168.1.1 255.255.255.0
INFO: Non-cluster interface config is cleared on Port-Channel2

Subinterfaces and Management interfaces are not allowed.

Specify an IPv4 address for the IP address; IPv6 is not supported for this interface. This interface cannot have
a nameif configured.
For each unit, specify a different IP address on the same network.

Step 6 If you use inter-site clustering, set the site ID for this unit so it uses a site-specific MAC address:
site-id number
Example:

ciscoasa(cfg-cluster)# site-id 1

The number is between 1 and 8.

Step 7 Set the priority of this unit for master unit elections:
priority priority_number
Example:

ciscoasa(cfg-cluster)# priority 1

The priority is between 1 and 100, where 1 is the highest priority.

Step 8 (Optional) Set an authentication key for control traffic on the cluster control link:
key shared_secret
Example:

ciscoasa(cfg-cluster)# key chuntheunavoidable

The shared secret is an ASCII string from 1 to 63 characters. The shared secret is used to generate the key.
This command does not affect datapath traffic, including connection state update and forwarded packets,
which are always sent in the clear.

Step 9 (Optional) Disable dynamic port priority in LACP:


clacp static-port-priority
Some switches do not support dynamic port priority, so this command improves switch compatibility. Moreover,
it enables support of more than 8 active spanned EtherChannel members, up to 32 members. Without this
command, only 8 active members and 8 standby members are supported. If you enable this command, then
you cannot use any standby members; all members are active.

Step 10 (Optional) Manually specify the cLACP system ID and system priority:
clacp system-mac {mac_address | auto} [system-priority number]
Example:

ciscoasa(cfg-cluster)# clacp system-mac 000a.0000.aaaa

When using Spanned EtherChannels, the ASA uses cLACP to negotiate the EtherChannel with the neighbor
switch. ASAs in a cluster collaborate in cLACP negotiation so that they appear as a single (virtual) device to
the switch. One parameter in cLACP negotiation is a system ID, which is in the format of a MAC address.

All ASAs in the cluster use the same system ID: auto-generated by the master unit (the default) and replicated
to all secondaries; or manually specified in this command in the form H.H.H, where H is a 16-bit hexadecimal
digit. (For example, the MAC address 00-0A-00-00-AA-AA is entered as 000A.0000.AAAA.) You might
want to manually configure the MAC address for troubleshooting purposes, for example, so that you can use
an easily identified MAC address. Typically, you would use the auto-generated MAC address.
The system priority, between 1 and 65535, is used to decide which unit is in charge of making a bundling
decision. By default, the ASA uses priority 1, which is the highest priority. The priority needs to be higher
than the priority on the switch.
This command is not part of the bootstrap configuration, and is replicated from the master unit to the slave
units. However, you cannot change this value after you enable clustering.

Step 11 Enable clustering:
enable [noconfirm]
Example:

ciscoasa(cfg-cluster)# enable
INFO: Clustering is not compatible with following commands:
policy-map global_policy
class inspection_default
inspect skinny
policy-map global_policy
class inspection_default
inspect sip
Would you like to remove these commands? [Y]es/[N]o:Y

INFO: Removing incompatible commands from running configuration...
Cryptochecksum (changed): f16b7fc2 a742727e e40bc0b0 cd169999
INFO: Done

When you enter the enable command, the ASA scans the running configuration for incompatible commands
for features that are not supported with clustering, including commands that may be present in the default
configuration. You are prompted to delete the incompatible commands. If you respond No, then clustering is
not enabled. Use the noconfirm keyword to bypass the confirmation and delete incompatible commands
automatically.
For the first unit enabled, a master unit election occurs. Because the first unit should be the only member of
the cluster so far, it will become the master unit. Do not perform any configuration changes during this period.
To disable clustering, enter the no enable command.
Note If you disable clustering, all data interfaces are shut down, and only the management-only interface
is active.

Examples
The following example configures a management interface, configures a device-local EtherChannel
for the cluster control link, and then enables clustering for the ASA called “unit1,” which will become
the master unit because it is added to the cluster first:

ip local pool mgmt 10.1.1.2-10.1.1.9
ipv6 local pool mgmtipv6 2001:DB8::1002/32 8

interface management 0/0
nameif management
ip address 10.1.1.1 255.255.255.0 cluster-pool mgmt
ipv6 address 2001:DB8::1001/32 cluster-pool mgmtipv6
security-level 100
management-only
no shutdown

interface tengigabitethernet 0/6
channel-group 1 mode on
no shutdown

interface tengigabitethernet 0/7
channel-group 1 mode on
no shutdown

cluster group pod1
local-unit unit1
cluster-interface port-channel1 ip 192.168.1.1 255.255.255.0
priority 1
key chuntheunavoidable
enable noconfirm

Configure Slave Unit Bootstrap Settings


Perform the following procedure to configure the slave units.

Before you begin


• You must use the console port to enable or disable clustering. You cannot use Telnet or SSH.
• Back up your configurations in case you later want to leave the cluster, and need to restore your
configuration.
• For multiple context mode, complete this procedure in the system execution space. To change from the
context to the system execution space, enter the changeto system command.
• We recommend enabling jumbo frame reservation for use with the cluster control link.
• If you have any interfaces in your configuration that have not been configured for clustering (for example,
the default configuration Management 0/0 interface), you can join the cluster as a slave unit (with no
possibility of becoming the master in a current election).
• When you add a unit to a running cluster, you may see temporary, limited packet/connection drops; this
is expected behavior.

Procedure

Step 1 Configure the same cluster control link interface as you configured for the master unit.
Example:

ciscoasa(config)# interface tengigabitethernet 0/6
ciscoasa(config-if)# channel-group 1 mode on
ciscoasa(config-if)# no shutdown
ciscoasa(config)# interface tengigabitethernet 0/7
ciscoasa(config-if)# channel-group 1 mode on
ciscoasa(config-if)# no shutdown

Step 2 Specify the same MTU that you configured for the master unit:
Example:

ciscoasa(config)# mtu cluster 9000

Step 3 Identify the same cluster name that you configured for the master unit:
Example:

ciscoasa(config)# cluster group pod1

Step 4 Name this member of the cluster with a unique string:
local-unit unit_name
Example:

ciscoasa(cfg-cluster)# local-unit unit2

Specify an ASCII string from 1 to 38 characters. Each unit must have a unique name. A unit with a duplicated
name will not be allowed in the cluster.

Step 5 Specify the same cluster control link interface that you configured for the master unit, but specify a different
IP address on the same network for each unit:
cluster-interface interface_id ip ip_address mask
Example:

ciscoasa(cfg-cluster)# cluster-interface port-channel2 ip 192.168.1.2 255.255.255.0
INFO: Non-cluster interface config is cleared on Port-Channel2

Specify an IPv4 address for the IP address; IPv6 is not supported for this interface. This interface cannot have
a nameif configured.
Each unit must have a unique name. A unit with a duplicated name will not be allowed in the cluster.

Step 6 If you use inter-site clustering, set the site ID for this unit so it uses a site-specific MAC address:
site-id number
Example:

ciscoasa(cfg-cluster)# site-id 1

The number is between 1 and 8.

Step 7 Set the priority of this unit for master unit elections, typically to a higher value than the master unit:
priority priority_number

Example:

ciscoasa(cfg-cluster)# priority 2

Set the priority between 1 and 100, where 1 is the highest priority.

Step 8 Set the same authentication key that you set for the master unit:
Example:

ciscoasa(cfg-cluster)# key chuntheunavoidable

Step 9 Enable clustering:
enable as-slave
You can avoid any configuration incompatibilities (primarily the existence of any interfaces not yet configured
for clustering) by using the enable as-slave command. This command ensures the slave joins the cluster with
no possibility of becoming the master in any current election. Its configuration is overwritten with the one
synced from the master unit.
To disable clustering, enter the no enable command.
Note If you disable clustering, all data interfaces are shut down, and only the management interface is
active.

Examples
The following example includes the configuration for a slave unit, unit2:

interface tengigabitethernet 0/6

channel-group 1 mode on
no shutdown

interface tengigabitethernet 0/7

channel-group 1 mode on
no shutdown

cluster group pod1

local-unit unit2
cluster-interface port-channel1 ip 192.168.1.2 255.255.255.0
priority 2
key chuntheunavoidable
enable as-slave
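The bootstrap rules spread across the master and slave procedures above (one cluster group name for every unit, the same key and cluster MTU everywhere, unique local-unit names of 1 to 38 ASCII characters, cluster control link addresses on one IPv4 network but different on each unit, priority between 1 and 100, and no subinterface or Management interface as the cluster control link) are easy to break when units are configured one console at a time. The following Python script is an added example, not Cisco code and not part of this guide: it reads the unit1 and unit2 bootstrap settings from the examples above, plus a constructed and deliberately inconsistent unit3, and reports every violation before anyone types enable on the unit. The snippet format (one command per line, indented as in a saved ASA configuration) is an assumption of this example.

```python
"""Cross-check ASA cluster bootstrap settings before enabling clustering.
Added example, not Cisco code: it applies the consistency rules from the master
and slave bootstrap procedures to plain-text config snippets."""
import ipaddress

NAME_MAX = 38  # cluster group and local-unit names: 1 to 38 ASCII characters

# Constructed input: the unit1/unit2 bootstrap settings from this section's
# examples, plus a deliberately inconsistent unit3 that should fail checks.
UNIT1 = """
mtu cluster 9000
cluster group pod1
 local-unit unit1
 cluster-interface port-channel1 ip 192.168.1.1 255.255.255.0
 priority 1
 key chuntheunavoidable
"""
UNIT2 = """
mtu cluster 9000
cluster group pod1
 local-unit unit2
 cluster-interface port-channel1 ip 192.168.1.2 255.255.255.0
 priority 2
 key chuntheunavoidable
"""
UNIT3 = """
mtu cluster 1500
cluster group pod2
 local-unit unit1
 cluster-interface port-channel1 ip 192.168.2.3 255.255.255.0
 priority 101
 key somethingelse
"""


def parse_bootstrap(text):
    """Pull out the bootstrap values that must agree (or differ) across units."""
    u = dict.fromkeys(("mtu", "group", "local_unit", "ccl_ifc", "ccl_ip",
                       "ccl_mask", "priority", "key"))
    for raw in text.splitlines():
        w = raw.split()
        if len(w) == 3 and w[:2] == ["mtu", "cluster"]:
            u["mtu"] = int(w[2])
        elif len(w) == 3 and w[:2] == ["cluster", "group"]:
            u["group"] = w[2]
        elif len(w) == 5 and w[0] == "cluster-interface" and w[2] == "ip":
            u["ccl_ifc"], u["ccl_ip"], u["ccl_mask"] = w[1], w[3], w[4]
        elif len(w) == 2 and w[0] in ("local-unit", "key"):
            u[w[0].replace("-", "_")] = w[1]
        elif len(w) == 2 and w[0] == "priority":
            u["priority"] = int(w[1])
    return u


def _name_ok(name):
    return name is not None and 1 <= len(name) <= NAME_MAX and name.isascii()


def check_bootstrap(configs):
    """Return a list of problems; an empty list means the units are consistent."""
    units = [parse_bootstrap(c) for c in configs]
    problems, networks = [], set()
    for u in units:
        label = u["local_unit"] or "<unnamed>"
        if not _name_ok(u["group"]) or not _name_ok(u["local_unit"]):
            problems.append(f"{label}: names must be 1-{NAME_MAX} ASCII characters")
        if u["priority"] is None or not 1 <= u["priority"] <= 100:
            problems.append(f"{label}: priority must be between 1 and 100")
        if u["mtu"] is not None and not 1400 <= u["mtu"] <= 9198:
            problems.append(f"{label}: mtu cluster must be between 1400 and 9198")
        ifc = (u["ccl_ifc"] or "").lower()
        # VLAN subinterfaces (x/y.z) and Management x/x are not allowed as the cluster control link
        if not ifc or "." in ifc or ifc.startswith("management"):
            problems.append(f"{label}: cluster control link must be a physical or port-channel interface")
        try:  # IPv4 only; IPv6 is not supported on the cluster control link
            networks.add(ipaddress.IPv4Network(f"{u['ccl_ip']}/{u['ccl_mask']}", strict=False))
        except ValueError:
            problems.append(f"{label}: cluster control link needs an IPv4 address and mask")
    groups = {str(u["group"]) for u in units}
    if len(groups) > 1:
        problems.append("cluster group name differs across units: " + ", ".join(sorted(groups)))
    names = [str(u["local_unit"]) for u in units]
    for name in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"duplicate local-unit name: {name}")
    if len({u["ccl_ifc"] for u in units}) > 1:
        problems.append("cluster-interface differs across units")
    if len({u["mtu"] for u in units}) > 1:
        problems.append("mtu cluster differs across units")
    if len({u["key"] for u in units}) > 1:
        problems.append("key differs across units")  # never echo the shared secret itself
    if len(networks) > 1:
        problems.append("cluster control link addresses are not on one network: "
                        + ", ".join(sorted(map(str, networks))))
    ips = [u["ccl_ip"] for u in units if u["ccl_ip"]]
    for ip in sorted({i for i in ips if ips.count(i) > 1}):
        problems.append(f"duplicate cluster control link address: {ip}")
    return problems
```

Running check_bootstrap([UNIT1, UNIT2]) returns an empty list; adding UNIT3 reports the out-of-range priority, the second group name, the duplicated unit name, the MTU and key mismatches, and the cluster control link address on a different network. The key check reports only that the keys differ, so the shared secret is never written to a log.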

Customize the Clustering Operation


You can customize clustering health monitoring, TCP connection replication delay, flow mobility and other
optimizations.

Perform these procedures on the master unit.

Configure Basic ASA Cluster Parameters


You can customize cluster settings on the master unit.

Before you begin


• For multiple context mode, complete this procedure in the system execution space on the master unit.
To change from the context to the system execution space, enter the changeto system command.

Procedure

Step 1 Enter cluster configuration mode:


cluster group name

Step 2 (Optional) Enable console replication from slave units to the master unit:
console-replicate
This feature is disabled by default. The ASA prints out some messages directly to the console for certain
critical events. If you enable console replication, slave units send the console messages to the master unit so
that you only need to monitor one console port for the cluster.

Step 3 Set the minimum trace level for clustering events:


trace-level level
Set the minimum level as desired:
• critical—Critical events (severity=1)
• warning—Warnings (severity=2)
• informational—Informational events (severity=3)
• debug—Debugging events (severity=4)

Configure Health Monitoring and Auto-Rejoin Settings


This procedure configures unit and interface health monitoring.
You might want to disable health monitoring of non-essential interfaces, for example, the management
interface. You can monitor any port-channel ID, redundant ID, or single physical interface ID, or the software
or hardware module, such as the ASA Firepower module. Health monitoring is not performed on VLAN
subinterfaces or virtual interfaces such as VNIs or BVIs. You cannot configure monitoring for the cluster
control link; it is always monitored.

Procedure

Step 1 Enter cluster configuration mode.
cluster group name
Example:

ciscoasa(config)# cluster group test
ciscoasa(cfg-cluster)#

Step 2 Customize the cluster unit health check feature.
health-check [holdtime timeout] [vss-enabled]
To determine unit health, the ASA cluster units send keepalive messages on the cluster control link to other
units. If a unit does not receive any keepalive messages from a peer unit within the holdtime period, the peer
unit is considered unresponsive or dead.
• holdtime timeout—Determines the amount of time between unit keepalive status messages, between .8
and 45 seconds. The default is 3 seconds.
• vss-enabled—Floods the keepalive messages on all EtherChannel interfaces in the cluster control link
to ensure that at least one of the switches can receive them. If you configure the cluster control link as
an EtherChannel (recommended), and it is connected to a VSS or vPC pair, then you might need to enable
the vss-enabled option. For some switches, when one unit in the VSS/vPC is shutting down or booting
up, EtherChannel member interfaces connected to that switch may appear to be Up to the ASA, but they
are not passing traffic on the switch side. The ASA can be erroneously removed from the cluster if you
set the ASA holdtime timeout to a low value (such as .8 seconds), and the ASA sends keepalive messages
on one of these EtherChannel interfaces.

When any topology changes occur (such as adding or removing a data interface, enabling or disabling an
interface on the ASA or the switch, or adding an additional switch to form a VSS or vPC) you should disable
the health check feature and also disable interface monitoring for the disabled interfaces (no health-check
monitor-interface). When the topology change is complete, and the configuration change is synced to all
units, you can re-enable the health check feature.
Example:

ciscoasa(cfg-cluster)# health-check holdtime 5

Step 3 Disable the interface health check on an interface.
no health-check monitor-interface [interface_id | service-module]
The interface health check monitors for link failures. If all physical ports for a given logical interface fail on
a particular unit, but there are active ports under the same logical interface on other units, then the unit is
removed from the cluster. The amount of time before the ASA removes a member from the cluster depends
on the type of interface and whether the unit is an established member or is joining the cluster. Health check
is enabled by default for all interfaces. You can disable it per interface using the no form of this command.
You might want to disable health monitoring of non-essential interfaces, for example, the management
interface.

• interface_id—Disables monitoring of any port-channel ID, redundant ID, or single physical interface
ID. Health monitoring is not performed on VLAN subinterfaces or virtual interfaces such as VNIs or
BVIs. You cannot configure monitoring for the cluster control link; it is always monitored.
• service-module—Disables monitoring of a hardware or software module, such as the ASA FirePOWER
module. Note that for the ASA 5585-X, if you disable monitoring of the service module, you may also
want to disable monitoring of the interfaces on the module, which are monitored separately.

When any topology changes occur (such as adding or removing a data interface, enabling or disabling an
interface on the ASA or the switch, or adding an additional switch to form a VSS or vPC) you should disable
the health check feature (no health-check) and also disable interface monitoring for the disabled interfaces.
When the topology change is complete, and the configuration change is synced to all units, you can re-enable
the health check feature.
Example:

ciscoasa(cfg-cluster)# no health-check monitor-interface management0/0

Step 4 Customize the auto-rejoin cluster settings after a health check failure.
health-check {data-interface | cluster-interface} auto-rejoin [unlimited | auto_rejoin_max]
auto_rejoin_interval auto_rejoin_interval_variation
• unlimited—(Default for the cluster-interface) Does not limit the number of rejoin attempts.
• auto_rejoin_max—Sets the number of rejoin attempts, between 0 and 65535. 0 disables auto-rejoining.
The default for the data-interface is 3.
• auto_rejoin_interval—Defines the interval duration in minutes between rejoin attempts, between 2 and
60. The default value is 5 minutes. The maximum total time that the unit attempts to rejoin the cluster is
limited to 14400 minutes (10 days) from the time of last failure.
• auto_rejoin_interval_variation—Defines whether the interval duration increases. Set the value between 1 and
3: 1 (no change); 2 (2 x the previous duration), or 3 (3 x the previous duration). For example, if you set
the interval duration to 5 minutes, and set the variation to 2, then the first attempt is after 5 minutes; the
2nd attempt is 10 minutes (2 x 5); the 3rd attempt 20 minutes (2 x 10), and so on. The default value is 1
for the cluster-interface and 2 for the data-interface.

Example:

ciscoasa(cfg-cluster)# health-check data-interface auto-rejoin 10 3 3

Example
The following example configures the health-check holdtime to .3 seconds; enables VSS; disables
monitoring on the Ethernet 1/2 interface, which is used for management; sets the auto-rejoin for data
interfaces to 4 attempts starting at 2 minutes, increasing the duration by 3 x the previous interval;
and sets the auto-rejoin for the cluster control link to 6 attempts every 2 minutes.

ciscoasa(config)# cluster group test
ciscoasa(cfg-cluster)# health-check holdtime .3 vss-enabled
ciscoasa(cfg-cluster)# no health-check monitor-interface ethernet1/2
ciscoasa(cfg-cluster)# health-check data-interface auto-rejoin 4 2 3
ciscoasa(cfg-cluster)# health-check cluster-interface auto-rejoin 6 2 1
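To see what the three auto-rejoin numbers mean for a unit that has failed a health check, the following Python script is an added example, not Cisco code: it computes the attempt times for the two settings in the example above and for the Step 4 example (auto-rejoin 10 3 3). It reads the multiplied values as the gaps between successive attempts and the 14400-minute figure as a cap on the total time since the last failure; that reading of the text, and the range checks on the arguments, are this example's assumptions.

```python
"""Auto-rejoin timing after an ASA cluster health-check failure.
Added example (not Cisco code). It models the auto-rejoin parameters as this
guide describes them: first attempt after auto_rejoin_interval minutes, each
later gap multiplied by auto_rejoin_interval_variation, and nothing later than
14400 minutes (10 days) after the last failure. Reading the multiplied values as
gaps between attempts and the 10-day figure as a cap on cumulative time is this
example's interpretation of the text."""

TOTAL_CAP_MINUTES = 14400  # 10 days from the time of the last failure


def rejoin_schedule(max_attempts, interval, variation):
    """Return the minutes after the last failure at which each rejoin attempt fires.

    max_attempts: 0-65535, or None for the unlimited keyword (0 disables auto-rejoin).
    interval:     2-60 minutes before the first attempt.
    variation:    1 (constant), 2 (double) or 3 (triple) the previous gap.
    """
    if max_attempts is not None and not 0 <= max_attempts <= 65535:
        raise ValueError("auto_rejoin_max must be 0-65535 or None (unlimited)")
    if not 2 <= interval <= 60:
        raise ValueError("auto_rejoin_interval must be 2-60 minutes")
    if variation not in (1, 2, 3):
        raise ValueError("auto_rejoin_interval_variation must be 1, 2 or 3")
    schedule, elapsed, gap = [], 0, interval
    while max_attempts is None or len(schedule) < max_attempts:
        elapsed += gap
        if elapsed > TOTAL_CAP_MINUTES:
            break  # the 10-day limit ends the attempts even if the count is not exhausted
        schedule.append(elapsed)
        gap *= variation
    return schedule


def describe(label, max_attempts, interval, variation):
    """One-line summary: how many attempts actually fire and when."""
    times = rejoin_schedule(max_attempts, interval, variation)
    wanted = "unlimited" if max_attempts is None else str(max_attempts)
    shown = ", ".join(str(t) for t in times[:8]) + (", ..." if len(times) > 8 else "")
    return f"{label}: {len(times)} attempt(s) of {wanted} requested, at minutes [{shown}]"


if __name__ == "__main__":
    # Settings from the health-check example in this section
    print(describe("data-interface auto-rejoin 4 2 3", 4, 2, 3))
    print(describe("cluster-interface auto-rejoin 6 2 1", 6, 2, 1))
    # Step 4 example: ten attempts requested, but tripling gaps reach the 10-day cap first
    print(describe("data-interface auto-rejoin 10 3 3", 10, 3, 3))
    # Defaults: data-interface 3 attempts every 5 min doubling; cluster-interface unlimited
    print(describe("data-interface default", 3, 5, 2))
    print(describe("cluster-interface default", None, 5, 1))
```

The auto-rejoin 4 2 3 setting yields attempts at 2, 8, 26 and 80 minutes, and 6 2 1 yields six attempts two minutes apart. The 10 3 3 case shows the cap in action: the eighth attempt lands at 9840 minutes and the ninth would be past 14400, so only eight of the ten requested attempts can ever run, which is worth knowing before choosing a variation of 3 on a data interface.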

Configure Connection Rebalancing and the Cluster TCP Replication Delay


You can configure connection rebalancing. For more information, see Rebalancing New TCP Connections
Across the Cluster, on page 379.
Enable the cluster replication delay for TCP connections to help eliminate the “unnecessary work” related to
short-lived flows by delaying the director/backup flow creation. Note that if a unit fails before the
director/backup flow is created, then those flows cannot be recovered. Similarly, if traffic is rebalanced to a
different unit before the flow is created, then the flow cannot be recovered. You should not enable the TCP
replication delay for traffic on which you disable TCP randomization.

Procedure

Step 1 Enable the cluster replication delay for TCP connections:
cluster replication delay seconds {http | match tcp {host ip_address | ip_address mask | any | any4 | any6}
[{eq | lt | gt} port] {host ip_address | ip_address mask | any | any4 | any6} [{eq | lt | gt} port]}
Example:

ciscoasa(config)# cluster replication delay 15 match tcp any any eq ftp
ciscoasa(config)# cluster replication delay 15 http

Set the seconds between 1 and 15. The http delay is enabled by default for 5 seconds.
In multiple context mode, configure this setting within the context.

Step 2 Enter cluster configuration mode:


cluster group name

Step 3 (Optional) Enable connection rebalancing for TCP traffic:


conn-rebalance [frequency seconds]
Example:

ciscoasa(cfg-cluster)# conn-rebalance frequency 60

This command is disabled by default. If enabled, ASAs exchange load information periodically, and offload
new connections from more loaded devices to less loaded devices. The frequency, between 1 and 360 seconds,
specifies how often the load information is exchanged. The default is 5 seconds.
Do not configure connection rebalancing for inter-site topologies; you do not want connections rebalanced
to cluster members at a different site.

Configure Inter-Site Features


For inter-site clustering, you can customize your configuration to enhance redundancy and stability.

Configure Cluster Flow Mobility


You can inspect LISP traffic to enable flow mobility when a server moves between sites.

About LISP Inspection


You can inspect LISP traffic to enable flow mobility between sites.

About LISP
Data center virtual machine mobility such as VMware VMotion enables servers to migrate between data
centers while maintaining connections to clients. To support such data center server mobility, routers need to
be able to update the ingress route towards the server when it moves. Cisco Locator/ID Separation Protocol
(LISP) architecture separates the device identity, or endpoint identifier (EID), from its location, or routing
locator (RLOC), into two different numbering spaces, making server migration transparent to clients. For
example, when a server moves to a new site and a client sends traffic to the server, the router redirects traffic
to the new location.
LISP requires routers and servers in certain roles, such as the LISP egress tunnel router (ETR), ingress tunnel
router (ITR), first hop routers, map resolver (MR), and map server (MS). When the first hop router for the
server senses that the server is connected to a different router, it updates all of the other routers and databases
so that the ITR connected to the client can intercept, encapsulate, and send traffic to the new server location.

ASA LISP Support


The ASA does not run LISP itself; it can, however, inspect LISP traffic for location changes and then use this
information for seamless clustering operation. Without LISP integration, when a server moves to a new site,
traffic comes to an ASA cluster member at the new site instead of to the original flow owner. The new ASA
forwards traffic to the ASA at the old site, and then the old ASA has to send traffic back to the new site to
reach the server. This traffic flow is sub-optimal and is known as “tromboning” or “hair-pinning.”
With LISP integration, the ASA cluster members can inspect LISP traffic passing between the first hop router
and the ETR or ITR, and can then change the flow owner to be at the new site.

LISP Guidelines
• The ASA cluster members must reside between the first hop router and the ITR or ETR for the site. The
ASA cluster itself cannot be the first hop router for an extended segment.
• Only fully-distributed flows are supported; centralized flows, semi-distributed flows, or flows belonging
to individual units are not moved to new owners. Semi-distributed flows include applications, such as
SIP, where all child flows are owned by the same ASA that owns the parent flow.
• The cluster only moves Layer 3 and 4 flow states; some application data might be lost.
• For short-lived flows or non-business-critical flows, moving the owner may not be worthwhile. You can
control the types of traffic that are supported with this feature when you configure the inspection policy,
and should limit flow mobility to essential traffic.

ASA LISP Implementation


This feature includes several inter-related configurations (all of which are described in this chapter):

1. (Optional) Limit inspected EIDs based on the host or server IP address—The first hop router might send
EID-notify messages for hosts or networks the ASA cluster is not involved with, so you can limit the
EIDs to only those servers or networks relevant to your cluster. For example, if the cluster is only involved
with 2 sites, but LISP is running on 3 sites, you should only include EIDs for the 2 sites involved with
the cluster.
2. LISP traffic inspection—The ASA inspects LISP traffic on UDP port 4342 for the EID-notify message
sent between the first hop router and the ITR or ETR. The ASA maintains an EID table that correlates
the EID and the site ID. For example, you should inspect LISP traffic with a source IP address of the first
hop router and a destination address of the ITR or ETR. Note that LISP traffic is not assigned a director,
and LISP traffic itself does not participate in cluster state sharing.
3. Service Policy to enable flow mobility on specified traffic—You should enable flow mobility on
business-critical traffic. For example, you can limit flow mobility to only HTTPS traffic, and/or to traffic
to specific servers.
4. Site IDs—The ASA uses the site ID for each cluster unit to determine the new owner.
5. Cluster-level configuration to enable flow mobility—You must also enable flow mobility at the cluster
level. This on/off toggle lets you easily enable or disable flow mobility for a particular class of traffic or
applications.
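The five configuration pieces above combine into one decision at run time: which existing flows change owner when an inspected EID-notify says a server has moved. The following Python model is an added example, not Cisco code and not the LISP wire format: it feeds constructed (eid, site_id) events through an allowed-EID filter, keeps the EID-to-site table, applies a flow-mobility traffic class, and moves only fully distributed flows, as the section describes. Choosing the first unit at the new site as the new owner, and the unit-to-site map, are this example's simplifications.

```python
"""Model of ASA cluster flow mobility driven by inspected LISP EID-notify events.
Added example (not Cisco code and not the LISP wire format). It reproduces the
decision logic this section describes: an allowed-EID filter, an EID-to-site
table built from notifications, a flow-mobility traffic class, and owner
changes only for fully distributed flows. Notifications are constructed
(eid, site_id) events rather than parsed UDP/4342 packets, and choosing the
first unit at the new site as the new owner is this example's simplification."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "proto src dst dport")

# Constructed cluster: two units per site, mirroring the per-unit site-id setting
UNIT_SITE = {"unit1": 1, "unit2": 1, "unit3": 2, "unit4": 2}


class FlowMobility:
    def __init__(self, unit_site, allowed_eids, flow_class):
        self.unit_site = unit_site
        self.allowed_eids = [ipaddress.ip_network(n) for n in allowed_eids]  # allowed-eid ACL
        self.flow_class = flow_class  # (proto, destination network, port) of the flow-mobility class
        self.eid_table = {}           # EID -> site ID, learned from inspected EID-notify messages
        self.flows = {}               # Flow -> {"owner": unit name, "kind": distribution type}

    def add_flow(self, flow, owner, kind="distributed"):
        self.flows[flow] = {"owner": owner, "kind": kind}

    def _in_flow_class(self, flow):
        proto, dst_net, dport = self.flow_class
        return (flow.proto == proto and flow.dport == dport
                and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(dst_net))

    def eid_notify(self, eid, new_site):
        """Handle one inspected EID-notify; return (flow, old_owner, new_owner) for moved flows."""
        if not any(ipaddress.ip_address(eid) in net for net in self.allowed_eids):
            return []  # EID the cluster is not involved with: ignored, no table entry
        self.eid_table[eid] = new_site
        candidates = [u for u, site in self.unit_site.items() if site == new_site]
        if not candidates:
            return []  # no cluster unit at that site, nothing to move to
        new_owner = candidates[0]
        moved = []
        for flow, state in self.flows.items():
            if state["kind"] != "distributed":
                continue  # centralized and semi-distributed flows are never moved
            if flow.dst != eid or not self._in_flow_class(flow):
                continue  # not the moved server, or not in the flow-mobility class
            if self.unit_site[state["owner"]] == new_site:
                continue  # already owned at the new site
            moved.append((flow, state["owner"], new_owner))
            state["owner"] = new_owner
        return moved


def demo():
    """Constructed scenario: HTTPS flows to 10.10.10.0/24 are mobile; a server moves to site 2."""
    fm = FlowMobility(UNIT_SITE, ["10.10.10.0/24"], ("tcp", "10.10.10.0/24", 443))
    fm.add_flow(Flow("tcp", "172.16.0.5", "10.10.10.5", 443), "unit1")          # eligible
    fm.add_flow(Flow("tcp", "172.16.0.6", "10.10.10.5", 5060), "unit1", "semi")  # SIP parent flow: stays
    fm.add_flow(Flow("tcp", "172.16.0.7", "10.10.10.5", 22), "unit2")           # outside the class: stays
    fm.add_flow(Flow("tcp", "172.16.0.8", "10.10.10.6", 443), "unit2")          # other server: stays
    ignored = fm.eid_notify("10.20.0.1", 2)   # outside allowed-eid, dropped
    moved = fm.eid_notify("10.10.10.5", 2)    # 10.10.10.5 now lives at site 2
    return fm, ignored, moved


if __name__ == "__main__":
    _, _, moved = demo()
    for flow, old, new in moved:
        print(f"{flow.src}->{flow.dst}:{flow.dport} owner {old} -> {new}")
```

In the constructed scenario only the HTTPS flow to 10.10.10.5 changes owner from unit1 to a site-2 unit; the SIP flow stays because it is semi-distributed, the SSH flow stays because it is outside the flow-mobility class, and the notification for 10.20.0.1 never reaches the EID table because the allowed-EID filter drops it. That is the practical reason the section tells you to scope both the allowed-EID ACL and the flow class narrowly.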

Configure LISP Inspection


You can inspect LISP traffic to enable flow mobility when a server moves between sites.

Before you begin


• Assign each cluster unit to a site ID according to Configure the Master Unit Bootstrap Settings, on page
317 and Configure Slave Unit Bootstrap Settings, on page 322.
• LISP traffic is not included in the default-inspection-traffic class, so you must configure a separate class
for LISP traffic as part of this procedure.

Procedure

Step 1 (Optional) Configure a LISP inspection map to limit inspected EIDs based on IP address, and to configure
the LISP pre-shared key:
a) Create an extended ACL; only the destination IP address is matched to the EID embedded address:
access-list eid_acl_name extended permit ip source_address mask destination_address mask
Both IPv4 and IPv6 ACLs are accepted. See the command reference for exact access-list extended syntax.
b) Create the LISP inspection map, and enter parameters mode:
policy-map type inspect lisp inspect_map_name
parameters
c) Define the allowed EIDs by identifying the ACL you created:
allowed-eid access-list eid_acl_name

The first hop router or ITR/ETR might send EID-notify messages for hosts or networks that the ASA
cluster is not involved with, so you can limit the EIDs to only those servers or networks relevant to your
cluster. For example, if the cluster is only involved with 2 sites, but LISP is running on 3 sites, you should
only include EIDs for the 2 sites involved with the cluster.
d) If necessary, enter the pre-shared key:
validate-key key

Example:

ciscoasa(config)# access-list TRACKED_EID_LISP extended permit ip any 10.10.10.0 255.255.255.0
ciscoasa(config)# policy-map type inspect lisp LISP_EID_INSPECT
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# allowed-eid access-list TRACKED_EID_LISP
ciscoasa(config-pmap-p)# validate-key MadMaxShinyandChrome

Step 2 Configure LISP inspection for UDP traffic between the first hop router and the ITR or ETR on port 4342:
a) Configure the extended ACL to identify LISP traffic:
access-list inspect_acl_name extended permit udp source_address mask destination_address mask eq 4342
You must specify UDP port 4342. Both IPv4 and IPv6 ACLs are accepted. See the command reference
for exact access-list extended syntax.
b) Create a class map for the ACL:
class-map inspect_class_name
match access-list inspect_acl_name
c) Specify the policy map, the class map, enable inspection using the optional LISP inspection map, and
apply the service policy to an interface (if new):
policy-map policy_map_name
class inspect_class_name
inspect lisp [inspect_map_name]
service-policy policy_map_name {global | interface ifc_name}
If you have an existing service policy, specify the existing policy map name. By default, the ASA includes
a global policy called global_policy, so for a global policy, specify that name. You can also create one
service policy per interface if you do not want to apply the policy globally. LISP inspection is applied to
traffic bidirectionally so you do not need to apply the service policy on both the source and destination
interfaces; all traffic that enters or exits the interface to which you apply the policy map is affected if the
traffic matches the class map for both directions.

Example:

ciscoasa(config)# access-list LISP_ACL extended permit udp host 192.168.50.89 host 192.168.10.8 eq 4342
ciscoasa(config)# class-map LISP_CLASS
ciscoasa(config-cmap)# match access-list LISP_ACL
ciscoasa(config-cmap)# policy-map INSIDE_POLICY
ciscoasa(config-pmap)# class LISP_CLASS
ciscoasa(config-pmap-c)# inspect lisp LISP_EID_INSPECT
ciscoasa(config)# service-policy INSIDE_POLICY interface inside

The ASA inspects LISP traffic for the EID-notify message sent between the first hop router and the ITR or
ETR. The ASA maintains an EID table that correlates the EID and the site ID.

Step 3 Enable Flow Mobility for a traffic class:


a) Configure the extended ACL to identify business critical traffic that you want to re-assign to the most
optimal site when servers change sites:
access-list flow_acl_name extended permit {tcp | udp} source_address mask destination_address mask eq port
Both IPv4 and IPv6 ACLs are accepted. See the command reference for exact access-list extended syntax.
You should enable flow mobility on business-critical traffic. For example, you can limit flow mobility to
only HTTPS traffic, and/or to traffic to specific servers.
b) Create a class map for the ACL:
class-map flow_map_name
match access-list flow_acl_name
c) Specify the same policy map on which you enabled LISP inspection, the flow class map, and enable flow
mobility:
policy-map policy_map_name
class flow_map_name
cluster flow-mobility lisp

Example:

ciscoasa(config)# access-list IMPORTANT-FLOWS extended permit tcp any 10.10.10.0 255.255.255.0 eq https
ciscoasa(config)# class-map IMPORTANT-FLOWS-MAP
ciscoasa(config-cmap)# match access-list IMPORTANT-FLOWS
ciscoasa(config-cmap)# policy-map INSIDE_POLICY
ciscoasa(config-pmap)# class IMPORTANT-FLOWS-MAP
ciscoasa(config-pmap-c)# cluster flow-mobility lisp

Step 4 Enter cluster group configuration mode, and enable flow mobility for the cluster:
cluster group name
flow-mobility lisp
This on/off toggle lets you easily enable or disable flow mobility.

Examples
The following example:
• Limits EIDs to those on the 10.10.10.0/24 network
• Inspects LISP traffic (UDP 4342) between a LISP router at 192.168.50.89 (on inside) and an
ITR or ETR router (on another ASA interface) at 192.168.10.8

• Enables flow mobility for all inside traffic going to a server on 10.10.10.0/24 using HTTPS.
• Enables flow mobility for the cluster.

access-list TRACKED_EID_LISP extended permit ip any 10.10.10.0 255.255.255.0
policy-map type inspect lisp LISP_EID_INSPECT
parameters
allowed-eid access-list TRACKED_EID_LISP
validate-key MadMaxShinyandChrome
!
access-list LISP_ACL extended permit udp host 192.168.50.89 host 192.168.10.8 eq 4342
class-map LISP_CLASS
match access-list LISP_ACL
policy-map INSIDE_POLICY
class LISP_CLASS
inspect lisp LISP_EID_INSPECT
service-policy INSIDE_POLICY interface inside
!
access-list IMPORTANT-FLOWS extended permit tcp any 10.10.10.0 255.255.255.0 eq https
class-map IMPORTANT-FLOWS-MAP
match access-list IMPORTANT-FLOWS
policy-map INSIDE_POLICY
class IMPORTANT-FLOWS-MAP
cluster flow-mobility lisp
!
cluster group cluster1
flow-mobility lisp

Manage Cluster Members


After you deploy the cluster, you can change the configuration and manage cluster members.

Become an Inactive Member


To become an inactive member of the cluster, disable clustering on the unit while leaving the clustering
configuration intact.

Note When an ASA becomes inactive (either manually or through a health check failure), all data interfaces are
shut down; only the management-only interface can send and receive traffic. To resume traffic flow, re-enable
clustering; or you can remove the unit altogether from the cluster. The management interface remains up using
the IP address the unit received from the cluster IP pool. However, if you reload, and the unit is still inactive
in the cluster (for example, you saved the configuration with clustering disabled), then the management
interface is disabled. You must use the console port for any further configuration.

Before you begin


• You must use the console port; you cannot enable or disable clustering from a remote CLI connection.
• For multiple context mode, perform this procedure in the system execution space. If you are not already
in the System configuration mode, enter the changeto system command.


Procedure

Step 1 Enter cluster configuration mode:


cluster group name
Example:

ciscoasa(config)# cluster group pod1

Step 2 Disable clustering:


no enable
If this unit was the master unit, a new master election takes place, and a different member becomes the master
unit.
The cluster configuration is maintained, so that you can enable clustering again later.

Deactivate a Member
To deactivate a member other than the unit you are logged into, perform the following steps.

Note When an ASA becomes inactive, all data interfaces are shut down; only the management-only interface can
send and receive traffic. To resume traffic flow, re-enable clustering. The management interface remains up
using the IP address the unit received from the cluster IP pool. However, if you reload, and the unit is still
inactive in the cluster (for example, if you saved the configuration with clustering disabled), the management
interface is disabled. You must use the console port for any further configuration.

Before you begin


For multiple context mode, perform this procedure in the system execution space. If you are not already in
the System configuration mode, enter the changeto system command.

Procedure

Remove the unit from the cluster.


cluster remove unit unit_name
The bootstrap configuration remains intact, as well as the last configuration synched from the master unit, so
that you can later re-add the unit without losing your configuration. If you enter this command on a slave unit
to remove the master unit, a new master unit is elected.
To view member names, enter cluster remove unit ?, or enter the show cluster info command.
Example:


ciscoasa(config)# cluster remove unit ?

Current active units in the cluster:
asa2

ciscoasa(config)# cluster remove unit asa2
WARNING: Clustering will be disabled on unit asa2. To bring it back
to the cluster please logon to that unit and re-enable clustering

Rejoin the Cluster


If a unit was removed from the cluster, for example for a failed interface or if you manually deactivated a
member, you must manually rejoin the cluster.

Before you begin


• You must use the console port to reenable clustering. Other interfaces are shut down.
• For multiple context mode, perform this procedure in the system execution space. If you are not already
in the System configuration mode, enter the changeto system command.
• Make sure the failure is resolved before you try to rejoin the cluster.

Procedure

Step 1 At the console, enter cluster configuration mode:


cluster group name
Example:

ciscoasa(config)# cluster group pod1

Step 2 Enable clustering.


enable

Leave the Cluster


If you want to leave the cluster altogether, you need to remove the entire cluster bootstrap configuration.
Because the current configuration on each member is the same (synced from the primary unit), leaving the
cluster also means either restoring a pre-clustering configuration from backup, or clearing your configuration
and starting over to avoid IP address conflicts.


Before you begin


You must use the console port; when you remove the cluster configuration, all interfaces are shut down,
including the management interface and cluster control link. Moreover, you cannot enable or disable clustering
from a remote CLI connection.

Procedure

Step 1 For a secondary unit, disable clustering:
cluster group cluster_name
no enable
Example:

ciscoasa(config)# cluster group cluster1
ciscoasa(cfg-cluster)# no enable

You cannot make configuration changes while clustering is enabled on a secondary unit.

Step 2 Clear the cluster configuration:


clear configure cluster
The ASA shuts down all interfaces including the management interface and cluster control link.

Step 3 Disable cluster interface mode:


no cluster interface-mode
The mode is not stored in the configuration and must be reset manually.

Step 4 If you have a backup configuration, copy the backup configuration to the running configuration:
copy backup_cfg running-config
Example:

ciscoasa(config)# copy backup_cluster.cfg running-config

Source filename [backup_cluster.cfg]?

Destination filename [running-config]?
ciscoasa(config)#

Step 5 Save the configuration to startup:


write memory

Step 6 If you do not have a backup configuration, reconfigure management access. Be sure to change the interface
IP addresses, and restore the correct hostname, for example.


Change the Master Unit

Caution The best method to change the master unit is to disable clustering on the master unit, wait for a new master
election, and then re-enable clustering. If you must specify the exact unit you want to become the master, use
the procedure in this section. Note, however, that for centralized features, if you force a master unit change
using this procedure, then all connections are dropped, and you have to re-establish the connections on the
new master unit.

To change the master unit, perform the following steps.

Before you begin


For multiple context mode, perform this procedure in the system execution space. If you are not already in
the System configuration mode, enter the changeto system command.

Procedure

Set a new unit as the master unit:


cluster master unit unit_name
Example:

ciscoasa(config)# cluster master unit asa2

You will need to reconnect to the Main cluster IP address.


To view member names, enter cluster master unit ? (to see all names except the current unit), or enter the
show cluster info command.

Execute a Command Cluster-Wide


To send a command to all members in the cluster, or to a specific member, perform the following steps.
Sending a show command to all members collects all output and displays it on the console of the current unit.
Other commands, such as capture and copy, can also take advantage of cluster-wide execution.

Procedure

Send a command to all members, or if you specify the unit name, a specific member:
cluster exec [unit unit_name] command
Example:

ciscoasa# cluster exec show xlate


To view member names, enter cluster exec unit ? (to see all names except the current unit), or enter the show
cluster info command.

Examples
To copy the same capture file from all units in the cluster at the same time to a TFTP server, enter
the following command on the master unit:

ciscoasa# cluster exec copy /pcap capture: tftp://10.1.1.56/capture1.pcap

Multiple PCAP files, one from each unit, are copied to the TFTP server. The destination capture file
name is automatically attached with the unit name, such as capture1_asa1.pcap, capture1_asa2.pcap,
and so on. In this example, asa1 and asa2 are cluster unit names.
The following sample output for the cluster exec show port-channel summary command shows
EtherChannel information for each member in the cluster:

ciscoasa# cluster exec show port-channel summary
master(LOCAL):***********************************************************
Number of channel-groups in use: 2
Group Port-channel Protocol Span-cluster Ports
------+-------------+-----------+-----------------------------------------------
1 Po1 LACP Yes Gi0/0(P)
2 Po2 LACP Yes Gi0/1(P)
slave:******************************************************************
Number of channel-groups in use: 2
Group Port-channel Protocol Span-cluster Ports
------+-------------+-----------+-----------------------------------------------
1 Po1 LACP Yes Gi0/0(P)
2 Po2 LACP Yes Gi0/1(P)

Monitoring the ASA Cluster


You can monitor and troubleshoot cluster status and connections.

Monitoring Cluster Status


See the following commands for monitoring cluster status:
• show cluster info [health]
With no keywords, the show cluster info command shows the status of all members of the cluster.
The show cluster info health command shows the current health of interfaces, units, and the cluster
overall.
See the following output for the show cluster info command:

ciscoasa# show cluster info
Cluster stbu: On
This is "C" in state SLAVE
ID : 0
Site ID : 1
Version : 9.4(1)
Serial No.: P3000000025
CCL IP : 10.0.0.3
CCL MAC : 000b.fcf8.c192
Last join : 17:08:59 UTC Sep 26 2011
Last leave: N/A
Other members in the cluster:
Unit "D" in state SLAVE
ID : 1
Site ID : 1
Version : 9.4(1)
Serial No.: P3000000001
CCL IP : 10.0.0.4
CCL MAC : 000b.fcf8.c162
Last join : 19:13:11 UTC Sep 23 2011
Last leave: N/A
Unit "A" in state MASTER
ID : 2
Site ID : 2
Version : 9.4(1)
Serial No.: JAB0815R0JY
CCL IP : 10.0.0.1
CCL MAC : 000f.f775.541e
Last join : 19:13:20 UTC Sep 23 2011
Last leave: N/A
Unit "B" in state SLAVE
ID : 3
Site ID : 2
Version : 9.4(1)
Serial No.: P3000000191
CCL IP : 10.0.0.2
CCL MAC : 000b.fcf8.c61e
Last join : 19:13:50 UTC Sep 23 2011
Last leave: 19:13:36 UTC Sep 23 2011

• show cluster info transport {asp | cp}


Shows transport related statistics for the following:
• asp —Data plane transport statistics.
• cp —Control plane transport statistics.

• show cluster history


Shows the cluster history.
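The following Python script is an added example and is not part of the Cisco guide. It parses show cluster info output like the listing above into one record per unit and then audits the member list for the conditions an operator checks first: exactly one unit in state MASTER, the same software version on every unit, and no cluster control link address configured twice. The first sample string is constructed from the output above; the second is a hypothetical unhealthy cluster with made-up unit names and addresses. The function and variable names are the example's own.

```python
import re
from collections import Counter

# Constructed sample: the "show cluster info" output shown above, with the
# same units, states, versions and CCL addresses.
SAMPLE_CLUSTER_INFO = """\
Cluster stbu: On
This is "C" in state SLAVE
    ID        : 0
    Site ID   : 1
    Version   : 9.4(1)
    Serial No.: P3000000025
    CCL IP    : 10.0.0.3
    CCL MAC   : 000b.fcf8.c192
    Last join : 17:08:59 UTC Sep 26 2011
    Last leave: N/A
Other members in the cluster:
    Unit "D" in state SLAVE
        ID        : 1
        Site ID   : 1
        Version   : 9.4(1)
        Serial No.: P3000000001
        CCL IP    : 10.0.0.4
        CCL MAC   : 000b.fcf8.c162
        Last join : 19:13:11 UTC Sep 23 2011
        Last leave: N/A
    Unit "A" in state MASTER
        ID        : 2
        Site ID   : 2
        Version   : 9.4(1)
        Serial No.: JAB0815R0JY
        CCL IP    : 10.0.0.1
        CCL MAC   : 000f.f775.541e
        Last join : 19:13:20 UTC Sep 23 2011
        Last leave: N/A
    Unit "B" in state SLAVE
        ID        : 3
        Site ID   : 2
        Version   : 9.4(1)
        Serial No.: P3000000191
        CCL IP    : 10.0.0.2
        CCL MAC   : 000b.fcf8.c61e
        Last join : 19:13:50 UTC Sep 23 2011
        Last leave: 19:13:36 UTC Sep 23 2011
"""

# Constructed, hypothetical sample of an unhealthy cluster: no master elected,
# mixed software versions, and the same CCL address on two units.
SAMPLE_UNHEALTHY = """\
Cluster lab: On
This is "X" in state SLAVE
    ID        : 0
    Site ID   : 1
    Version   : 9.6(1)
    CCL IP    : 10.0.0.10
Other members in the cluster:
    Unit "Y" in state SLAVE
        ID        : 1
        Site ID   : 1
        Version   : 9.4(1)
        CCL IP    : 10.0.0.10
"""

MEMBER_RE = re.compile(r'(?:This is|Unit) "(?P<name>[^"]+)" in state (?P<state>\w+)')
FIELD_RE = re.compile(r'^\s*(?P<key>[A-Za-z. ]+?)\s*:\s*(?P<value>.*)$')
FIELDS = {"ID", "Site ID", "Version", "Serial No.", "CCL IP", "CCL MAC",
          "Last join", "Last leave"}


def parse_cluster_info(text):
    """Return one dict per unit: name, state, and the indented fields below it."""
    members, current = [], None
    for line in text.splitlines():
        m = MEMBER_RE.search(line)
        if m:
            current = {"name": m.group("name"), "state": m.group("state")}
            members.append(current)
            continue
        f = FIELD_RE.match(line)
        if current is not None and f and f.group("key") in FIELDS:
            current[f.group("key")] = f.group("value").strip()
    return members


def audit_cluster(members):
    """Flag the conditions that most often precede a split or a failed join."""
    issues = []
    masters = [m["name"] for m in members if m["state"] == "MASTER"]
    if len(masters) != 1:
        issues.append(f"expected exactly one MASTER, found {masters}")
    versions = sorted({m.get("Version", "?") for m in members})
    if len(versions) > 1:
        issues.append(f"software version mismatch: {versions}")
    for ip, n in Counter(m.get("CCL IP") for m in members).items():
        if n > 1:
            issues.append(f"CCL IP {ip} is configured on {n} units")
    return {
        "master": masters[0] if len(masters) == 1 else None,
        "units": len(members),
        "sites": dict(Counter(m.get("Site ID") for m in members)),
        "issues": issues,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_CLUSTER_INFO, SAMPLE_UNHEALTHY):
        print(audit_cluster(parse_cluster_info(sample)))
```

The version check matters because the page's Version field is the one thing that must agree before a unit can join; running the audit against the output of every unit (via cluster exec show cluster info) also reveals when two units disagree about who is master.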

Capturing Packets Cluster-Wide


See the following command for capturing packets in a cluster:
cluster exec capture
To support cluster-wide troubleshooting, you can enable capture of cluster-specific traffic on the master unit
using the cluster exec capture command, which is then automatically enabled on all of the slave units in the
cluster.


Monitoring Cluster Resources


See the following command for monitoring cluster resources:
show cluster {cpu | memory | resource} [options]
Displays aggregated data for the entire cluster. The options available depend on the data type.

Monitoring Cluster Traffic


See the following commands for monitoring cluster traffic:
• show conn [detail], cluster exec show conn
The show conn command shows whether a flow is a director, backup, or forwarder flow. Use the cluster
exec show conn command on any unit to view all connections. This command can show how traffic for
a single flow arrives at different ASAs in the cluster. The throughput of the cluster is dependent on the
efficiency and configuration of load balancing. This command provides an easy way to view how traffic
for a connection is flowing through the cluster, and can help you understand how a load balancer might
affect the performance of a flow.
The show conn detail command also shows which flows are subject to flow mobility.
The following is sample output for the show conn detail command:

ciscoasa/ASA2/slave# show conn detail
12 in use, 13 most used
Cluster stub connections: 0 in use, 46 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed,
C - CTIQBE media, c - cluster centralized,
D - DNS, d - dump, E - outside back connection, e - semi-distributed,
F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, L - LISP triggered flow owner mobility,
M - SMTP data, m - SIP media, n - GUP
O - outbound data, o - offloaded,
P - inside back connection,
Q - Diameter, q - SQL*Net data,
R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
V - VPN orphan, W - WAAS,
w - secondary domain backup,
X - inspected by service module,
x - per session, Y - director stub flow, y - backup stub flow,
Z - Scansafe redirection, z - forwarding stub flow
ESP outside: 10.1.227.1/53744 NP Identity Ifc: 10.1.226.1/30604, , flags c, idle 0s, uptime 1m21s, timeout 30s, bytes 7544, cluster sent/rcvd bytes 0/0, owners (0,255)
  Traffic received at interface outside
    Locally received: 7544 (93 byte/s)
  Traffic received at interface NP Identity Ifc
    Locally received: 0 (0 byte/s)
UDP outside: 10.1.227.1/500 NP Identity Ifc: 10.1.226.1/500, flags -c, idle 1m22s, uptime 1m22s, timeout 2m0s, bytes 1580, cluster sent/rcvd bytes 0/0, cluster sent/rcvd total bytes 0/0, owners (0,255)
  Traffic received at interface outside
    Locally received: 864 (10 byte/s)
  Traffic received at interface NP Identity Ifc
    Locally received: 716 (8 byte/s)

To troubleshoot the connection flow, first see connections on all units by entering the cluster exec show
conn command on any unit. Look for flows that have the following flags: director (Y), backup (y), and
forwarder (z). The following example shows an SSH connection from 172.18.124.187:22 to
192.168.103.131:44727 on all three ASAs; ASA1 has the z flag showing it is a forwarder for the
connection, ASA3 has the Y flag showing it is the director for the connection, and ASA2 has no special
flags showing it is the owner. In the outbound direction, the packets for this connection enter the inside
interface on ASA2 and exit the outside interface. In the inbound direction, the packets for this connection
enter the outside interface on ASA1 and ASA3, are forwarded over the cluster control link to ASA2,
and then exit the inside interface on ASA2.

ciscoasa/ASA1/master# cluster exec show conn
ASA1(LOCAL):**********************************************************
18 in use, 22 most used
Cluster stub connections: 0 in use, 5 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:00, bytes 37240828, flags z

ASA2:*****************************************************************
12 in use, 13 most used
Cluster stub connections: 0 in use, 46 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:00, bytes 37240828, flags UIO

ASA3:*****************************************************************
10 in use, 12 most used
Cluster stub connections: 2 in use, 29 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:03, bytes 0, flags Y

• show cluster info [conn-distribution | packet-distribution | loadbalance | flow-mobility counters]


The show cluster info conn-distribution and show cluster info packet-distribution commands show
traffic distribution across all cluster units. These commands can help you to evaluate and adjust the
external load balancer.
The show cluster info loadbalance command shows connection rebalance statistics.
The show cluster info flow-mobility counters command shows EID movement and flow owner movement
information. See the following output for show cluster info flow-mobility counters:

ciscoasa# show cluster info flow-mobility counters


EID movement notification received : 4
EID movement notification processed : 4
Flow owner moving requested : 2

• show cluster {access-list | conn | traffic | user-identity | xlate} [options]


Displays aggregated data for the entire cluster. The options available depend on the data type.
See the following output for the show cluster access-list command:

ciscoasa# show cluster access-list
hitcnt display order: cluster-wide aggregated result, unit-A, unit-B, unit-C, unit-D
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list 101; 122 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit tcp 192.168.143.0 255.255.255.0 any eq www (hitcnt=0, 0, 0, 0, 0) 0x207a2b7d
access-list 101 line 2 extended permit tcp any 192.168.143.0 255.255.255.0 (hitcnt=0, 0, 0, 0, 0) 0xfe4f4947
access-list 101 line 3 extended permit tcp host 192.168.1.183 host 192.168.43.238 (hitcnt=1, 0, 0, 0, 1) 0x7b521307
access-list 101 line 4 extended permit tcp host 192.168.1.116 host 192.168.43.238 (hitcnt=0, 0, 0, 0, 0) 0x5795c069
access-list 101 line 5 extended permit tcp host 192.168.1.177 host 192.168.43.238 (hitcnt=1, 0, 0, 1, 0) 0x51bde7ee
access-list 101 line 6 extended permit tcp host 192.168.1.177 host 192.168.43.13 (hitcnt=0, 0, 0, 0, 0) 0x1e68697c
access-list 101 line 7 extended permit tcp host 192.168.1.177 host 192.168.43.132 (hitcnt=2, 0, 0, 1, 1) 0xc1ce5c49
access-list 101 line 8 extended permit tcp host 192.168.1.177 host 192.168.43.192 (hitcnt=3, 0, 1, 1, 1) 0xb6f59512
access-list 101 line 9 extended permit tcp host 192.168.1.177 host 192.168.43.44 (hitcnt=0, 0, 0, 0, 0) 0xdc104200
access-list 101 line 10 extended permit tcp host 192.168.1.112 host 192.168.43.44 (hitcnt=429, 109, 107, 109, 104) 0xce4f281d
access-list 101 line 11 extended permit tcp host 192.168.1.170 host 192.168.43.238 (hitcnt=3, 1, 0, 0, 2) 0x4143a818
access-list 101 line 12 extended permit tcp host 192.168.1.170 host 192.168.43.169 (hitcnt=2, 0, 1, 0, 1) 0xb18dfea4
access-list 101 line 13 extended permit tcp host 192.168.1.170 host 192.168.43.229 (hitcnt=1, 1, 0, 0, 0) 0x21557d71
access-list 101 line 14 extended permit tcp host 192.168.1.170 host 192.168.43.106 (hitcnt=0, 0, 0, 0, 0) 0x7316e016
access-list 101 line 15 extended permit tcp host 192.168.1.170 host 192.168.43.196 (hitcnt=0, 0, 0, 0, 0) 0x013fd5b8
access-list 101 line 16 extended permit tcp host 192.168.1.170 host 192.168.43.75 (hitcnt=0, 0, 0, 0, 0) 0x2c7dba0d

To display the aggregated count of in-use connections for all units, enter:

ciscoasa# show cluster conn count


Usage Summary In Cluster:*********************************************
200 in use (cluster-wide aggregated)
cl2(LOCAL):***********************************************************
100 in use, 100 most used

cl1:******************************************************************
100 in use, 100 most used

• show asp cluster counter


This command is useful for datapath troubleshooting.
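The following Python script is an added example and is not part of the Cisco guide. It automates the role walk-through given above for cluster exec show conn: it splits the output into per-unit sections, matches each connection line, and maps the flags to the unit's role for that flow using the legend the page shows (Y director, y backup, z forwarder, none of these owner). The sample string is constructed from the SSH connection output above; the function names are the example's own.

```python
import re

# Constructed sample modelled on the "cluster exec show conn" output above
# (the page's wrapped lines rejoined; the values are the page's own).
SAMPLE_CLUSTER_CONN = """\
ASA1(LOCAL):**********************************************************
18 in use, 22 most used
Cluster stub connections: 0 in use, 5 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:00, bytes 37240828, flags z

ASA2:*****************************************************************
12 in use, 13 most used
Cluster stub connections: 0 in use, 46 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:00, bytes 37240828, flags UIO

ASA3:*****************************************************************
10 in use, 12 most used
Cluster stub connections: 2 in use, 29 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:03, bytes 0, flags Y
"""

# "ASA1(LOCAL):*****" or "ASA2:*****" introduces the next unit's section.
UNIT_HDR_RE = re.compile(r'^(?P<unit>[^(:\s]+)(?P<local>\(LOCAL\))?:\*{5,}$')
CONN_RE = re.compile(
    r'^(?P<proto>TCP|UDP) (?P<if1>\S+) (?P<ep1>\S+:\d+) (?P<if2>\S+) (?P<ep2>\S+:\d+),'
    r'.*\bflags (?P<flags>\S*)$')


def role_from_flags(flags):
    """Map show conn flags to the unit's role for that flow (the page's legend)."""
    if "Y" in flags:
        return "director"
    if "y" in flags:
        return "backup"
    if "z" in flags:
        return "forwarder"
    return "owner"


def parse_cluster_conn(text):
    """Return {(proto, ep1, ep2): {unit: role}} from cluster exec show conn output."""
    flows, unit = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        h = UNIT_HDR_RE.match(line)
        if h:
            unit = h.group("unit")
            continue
        c = CONN_RE.match(line)
        if c and unit is not None:
            key = (c.group("proto"), c.group("ep1"), c.group("ep2"))
            flows.setdefault(key, {})[unit] = role_from_flags(c.group("flags"))
    return flows


def check_flow(roles):
    """Sanity checks on one flow's role map: exactly one owner, at most one director."""
    issues = []
    owners = [u for u, r in roles.items() if r == "owner"]
    directors = [u for u, r in roles.items() if r == "director"]
    if len(owners) != 1:
        issues.append(f"expected one owner, got {sorted(owners)}")
    if len(directors) > 1:
        issues.append(f"more than one director: {sorted(directors)}")
    return issues


def forwarders(roles):
    """Units that receive packets for the flow but must relay them over the CCL."""
    return sorted(u for u, r in roles.items() if r == "forwarder")


if __name__ == "__main__":
    for key, roles in parse_cluster_conn(SAMPLE_CLUSTER_CONN).items():
        print(key, roles, "forwarders:", forwarders(roles), "issues:", check_flow(roles))
```

A flow with several forwarders is the signature of a load balancer that is not keeping both directions of a connection on the same unit; the page notes that such traffic crosses the cluster control link, so forwarders() is the list to watch when sizing that link.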
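The following Python script is an added example and is not part of the Cisco guide. It parses the hit counters from show cluster access-list output in the order the first line of that output announces (cluster-wide aggregate, then one counter per unit) and derives three things a reviewer wants from them: ACEs that no unit has ever matched, ACEs whose aggregate does not equal the sum of the per-unit counters, and the total hits per unit as a rough check of how evenly the load balancer spreads traffic. The sample string is constructed from a subset of the output above; the last row is a hypothetical, deliberately inconsistent entry. The function names are the example's own.

```python
import re

# Constructed sample in the format of the "show cluster access-list" output above.
# Rows 1, 3, 8, 10 and 11 carry the page's own values; row 12 is hypothetical and
# deliberately inconsistent: its aggregate (2) is not the sum of its per-unit counts (1).
SAMPLE_CLUSTER_ACL = """\
hitcnt display order: cluster-wide aggregated result, unit-A, unit-B, unit-C, unit-D
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list 101; 122 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit tcp 192.168.143.0 255.255.255.0 any eq www (hitcnt=0, 0, 0, 0, 0) 0x207a2b7d
access-list 101 line 3 extended permit tcp host 192.168.1.183 host 192.168.43.238 (hitcnt=1, 0, 0, 0, 1) 0x7b521307
access-list 101 line 8 extended permit tcp host 192.168.1.177 host 192.168.43.192 (hitcnt=3, 0, 1, 1, 1) 0xb6f59512
access-list 101 line 10 extended permit tcp host 192.168.1.112 host 192.168.43.44 (hitcnt=429, 109, 107, 109, 104) 0xce4f281d
access-list 101 line 11 extended permit tcp host 192.168.1.170 host 192.168.43.238 (hitcnt=3, 1, 0, 0, 2) 0x4143a818
access-list 101 line 12 extended permit tcp host 192.168.1.170 host 192.168.43.169 (hitcnt=2, 0, 1, 0, 0) 0xb18dfea4
"""

ORDER_RE = re.compile(r'^hitcnt display order: cluster-wide aggregated result, (?P<units>.+)$')
ACE_RE = re.compile(
    r'^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<rule>.+?) '
    r'\(hitcnt=(?P<counts>[\d, ]+)\) (?P<hash>0x[0-9a-f]+)$')


def parse_cluster_acl(text):
    """Return (unit_names, entries); each entry holds the aggregate and per-unit hits."""
    units, entries = [], []
    for line in text.splitlines():
        o = ORDER_RE.match(line)
        if o:
            # The unit order on this line fixes the meaning of every later counter.
            units = [u.strip() for u in o.group("units").split(",")]
            continue
        a = ACE_RE.match(line)
        if not a:
            continue  # summary lines and the ACL header carry no hitcnt
        counts = [int(c) for c in a.group("counts").split(",")]
        entries.append({
            "acl": a.group("acl"),
            "line": int(a.group("line")),
            "rule": a.group("rule"),
            "total": counts[0],
            "per_unit": dict(zip(units, counts[1:])),
            "hash": a.group("hash"),
        })
    return units, entries


def find_unused(entries):
    """ACEs that no unit has ever matched: candidates for review or removal."""
    return [(e["acl"], e["line"]) for e in entries if e["total"] == 0]


def find_inconsistent(entries):
    """ACEs whose aggregate differs from the sum of the per-unit counters."""
    return [(e["acl"], e["line"]) for e in entries
            if e["total"] != sum(e["per_unit"].values())]


def per_unit_totals(entries):
    """Hits per unit across all ACEs, a rough view of how evenly traffic is spread."""
    totals = {}
    for e in entries:
        for unit, n in e["per_unit"].items():
            totals[unit] = totals.get(unit, 0) + n
    return totals


if __name__ == "__main__":
    units, entries = parse_cluster_acl(SAMPLE_CLUSTER_ACL)
    print("units:", units)
    print("unused:", find_unused(entries))
    print("inconsistent:", find_inconsistent(entries))
    print("per-unit totals:", per_unit_totals(entries))
```

Counters on different units are read at slightly different moments, so a small transient mismatch between the aggregate and the per-unit sum is not by itself a fault; a mismatch that persists across repeated runs is what merits a closer look.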

Monitoring Cluster Routing


See the following commands for cluster routing:
• show route cluster
• debug route cluster


Shows cluster information for routing.

• show lisp eid


Shows the ASA EID table showing EIDs and site IDs.
See the following output from the cluster exec show lisp eid command.

ciscoasa# cluster exec show lisp eid


L1(LOCAL):************************************************************
LISP EID Site ID
33.44.33.105 2
33.44.33.201 2
11.22.11.1 4
11.22.11.2 4
L2:*******************************************************************
LISP EID Site ID
33.44.33.105 2
33.44.33.201 2
11.22.11.1 4
11.22.11.2 4

• show asp table classify domain inspect-lisp


This command is useful for troubleshooting.

Configuring Logging for Clustering


See the following command for configuring logging for clustering:
logging device-id
Each unit in the cluster generates syslog messages independently. You can use the logging device-id command
to generate syslog messages with identical or different device IDs to make messages appear to come from the
same or different units in the cluster.

Monitoring Cluster Interfaces


See the following commands for monitoring cluster interfaces:
• show cluster interface-mode
Shows the cluster interface mode.
• show port-channel
Includes information about whether a port-channel is spanned.
• show lacp cluster {system-mac | system-id}
Shows the cLACP system ID and priority.
• debug lacp cluster [all | ccp | misc | protocol]
Shows debug messages for cLACP.
• show interface


Shows the use of the site MAC address when in use:

ciscoasa# show interface port-channel1.3151


Interface Port-channel1.3151 "inside", is up, line protocol is up
Hardware is EtherChannel/LACP, BW 1000 Mbps, DLY 10 usec
VLAN identifier 3151
MAC address aaaa.1111.1234, MTU 1500
Site Specific MAC address aaaa.1111.aaaa
IP address 10.3.1.1, subnet mask 255.255.255.0
Traffic Statistics for "inside":
132269 packets input, 6483425 bytes
1062 packets output, 110448 bytes
98530 packets dropped

Debugging Clustering
See the following commands for debugging clustering:
• debug cluster [ccp | datapath | fsm | general | hc | license | rpc | transport]
Shows debug messages for clustering.
• debug cluster flow-mobility
Shows events related to clustering flow mobility.
• debug lisp eid-notify-intercept
Shows events when the eid-notify message is intercepted.
• show cluster info trace
The show cluster info trace command shows the debug information for further troubleshooting.
See the following output for the show cluster info trace command:

ciscoasa# show cluster info trace


Feb 02 14:19:47.456 [DBUG]Receive CCP message: CCP_MSG_LOAD_BALANCE
Feb 02 14:19:47.456 [DBUG]Receive CCP message: CCP_MSG_LOAD_BALANCE
Feb 02 14:19:47.456 [DBUG]Send CCP message to all: CCP_MSG_KEEPALIVE from 80-1 at
MASTER

Examples for ASA Clustering


These examples include all cluster-related ASA configuration for typical deployments.

Sample ASA and Switch Configuration


The following sample configurations connect the following interfaces between the ASA and the switch:

ASA Interface          Switch Interface
GigabitEthernet 0/2    GigabitEthernet 1/0/15
GigabitEthernet 0/3    GigabitEthernet 1/0/16
GigabitEthernet 0/4    GigabitEthernet 1/0/17
GigabitEthernet 0/5    GigabitEthernet 1/0/18

ASA Configuration

Interface Mode on Each Unit

cluster interface-mode spanned force

ASA1 Master Bootstrap Configuration

interface GigabitEthernet0/0
channel-group 1 mode on
no shutdown
!
interface GigabitEthernet0/1
channel-group 1 mode on
no shutdown
!
interface Port-channel1
description Clustering Interface
!
cluster group Moya
local-unit A
cluster-interface Port-channel1 ip 10.0.0.1 255.255.255.0
priority 10
key emphyri0
enable noconfirm

ASA2 Slave Bootstrap Configuration

interface GigabitEthernet0/0
channel-group 1 mode on
no shutdown
!
interface GigabitEthernet0/1
channel-group 1 mode on
no shutdown
!
interface Port-channel1
description Clustering Interface
!
cluster group Moya
local-unit B
cluster-interface Port-channel1 ip 10.0.0.2 255.255.255.0
priority 11
key emphyri0
enable as-slave


Master Interface Configuration

ip local pool mgmt-pool 10.53.195.231-10.53.195.232

interface GigabitEthernet0/2
channel-group 10 mode active
no shutdown
!
interface GigabitEthernet0/3
channel-group 10 mode active
no shutdown
!
interface GigabitEthernet0/4
channel-group 11 mode active
no shutdown
!
interface GigabitEthernet0/5
channel-group 11 mode active
no shutdown
!
interface Management0/0
management-only
nameif management
ip address 10.53.195.230 cluster-pool mgmt-pool
security-level 100
no shutdown
!
interface Port-channel10
port-channel span-cluster
mac-address aaaa.bbbb.cccc
nameif inside
security-level 100
ip address 209.165.200.225 255.255.255.224
!
interface Port-channel11
port-channel span-cluster
mac-address aaaa.dddd.cccc
nameif outside
security-level 0
ip address 209.165.201.1 255.255.255.224

Cisco IOS Switch Configuration


interface GigabitEthernet1/0/15
switchport access vlan 201
switchport mode access
spanning-tree portfast
channel-group 10 mode active
!
interface GigabitEthernet1/0/16
switchport access vlan 201
switchport mode access
spanning-tree portfast
channel-group 10 mode active
!
interface GigabitEthernet1/0/17
switchport access vlan 401
switchport mode access
spanning-tree portfast
channel-group 11 mode active
!


interface GigabitEthernet1/0/18
switchport access vlan 401
switchport mode access
spanning-tree portfast
channel-group 11 mode active

interface Port-channel10
switchport access vlan 201
switchport mode access

interface Port-channel11
switchport access vlan 401
switchport mode access

Firewall on a Stick

Data traffic from different security domains is associated with different VLANs, for example, VLAN 10 for
the inside network and VLAN 20 for the outside network. Each ASA has a single physical port connected to
the external switch or router. Trunking is enabled so that all packets on the physical link are 802.1q
encapsulated. The ASA is the firewall between VLAN 10 and VLAN 20.


When using Spanned EtherChannels, all data links are grouped into one EtherChannel on the switch side. If
an ASA becomes unavailable, the switch will rebalance traffic between the remaining units.

Interface Mode on Each Unit

cluster interface-mode spanned force

ASA1 Master Bootstrap Configuration

interface tengigabitethernet 0/8
no shutdown
description CCL

cluster group cluster1
local-unit asa1
cluster-interface tengigabitethernet0/8 ip 192.168.1.1 255.255.255.0
priority 1
key chuntheunavoidable
enable noconfirm

ASA2 Slave Bootstrap Configuration

interface tengigabitethernet 0/8
no shutdown
description CCL

cluster group cluster1
local-unit asa2
cluster-interface tengigabitethernet0/8 ip 192.168.1.2 255.255.255.0
priority 2
key chuntheunavoidable
enable as-slave

ASA3 Slave Bootstrap Configuration

interface tengigabitethernet 0/8
no shutdown
description CCL

cluster group cluster1
local-unit asa3
cluster-interface tengigabitethernet0/8 ip 192.168.1.3 255.255.255.0
priority 3
key chuntheunavoidable
enable as-slave


Master Interface Configuration

ip local pool mgmt 10.1.1.2-10.1.1.9
ipv6 local pool mgmtipv6 2001:DB8::1002/64 8

interface management 0/0
nameif management
ip address 10.1.1.1 255.255.255.0 cluster-pool mgmt
ipv6 address 2001:DB8::1001/32 cluster-pool mgmtipv6
security-level 100
management-only
no shutdown

interface tengigabitethernet 0/9
channel-group 2 mode active
no shutdown
interface port-channel 2
port-channel span-cluster
interface port-channel 2.10
vlan 10
nameif inside
ip address 10.10.10.5 255.255.255.0
ipv6 address 2001:DB8:1::5/64
mac-address 000C.F142.4CDE
interface port-channel 2.20
vlan 20
nameif outside
ip address 209.165.201.1 255.255.255.224
ipv6 address 2001:DB8:2::8/64
mac-address 000C.F142.5CDE


Traffic Segregation

You may prefer physical separation of traffic between the inside and outside networks.
As shown in the diagram above, there is one Spanned EtherChannel on the left side that connects to the inside
switch, and the other on the right side to the outside switch. You can also create VLAN subinterfaces on each
EtherChannel if desired.

Interface Mode on Each Unit

cluster interface-mode spanned force

ASA1 Master Bootstrap Configuration

interface tengigabitethernet 0/6
channel-group 1 mode on
no shutdown
interface tengigabitethernet 0/7
channel-group 1 mode on
no shutdown
interface port-channel 1
description CCL

cluster group cluster1
local-unit asa1
cluster-interface port-ch