
By request: ASA 8.2 SSL VPN Shared Licenses

I hope to start a series of posts at your request :)
I will start with a brief look at a new feature of ASA 8.2 (and let them accuse me of advertising again :))

In large companies it is common to have several termination points for encrypted tunnels. A user connects to whichever appliance is closest (the default configuration selects it dynamically). Previously you had to buy a fairly large number of licenses for each appliance. That would be a minor issue if the licenses were cheap, but Cisco's convenient SSL VPN technology is expensive.
On top of that, Cisco has officially announced its intention to move everything to SSL VPN instead of IPsec VPN.

In OS version 8.2 this problem was addressed with a feature called shared licenses. The idea is that one pool of licenses is bought, and a license server (itself an ASA) holds it. The other termination points (for now only ASAs; routers are expected later) contact the license server when they need to and ask for their quota to be expanded.



So, what we had before: separate ASAs, each with its own N SSL VPN licenses.

What we get by purchasing shared licenses: a common pool of licenses shared by all termination points. The standalone licenses bought earlier are not lost: if an appliance has licenses of its own, those are used first, and only then is a request sent to the license server for an additional quota (licenses are requested in blocks of 50).

Thus an appliance will admit as many clients as needed, as long as the license server's pool has enough left, but never more than the maximum number of SSL VPN sessions its platform is designed for.

The platform limits are:

Platform    Max SSL VPN sessions
ASA 5505    25
ASA 5510    250
ASA 5520    750
ASA 5540    2500
ASA 5550    5000
ASA 5580    10000

Additionally, for resilience, you can designate one ASA as the backup license server. It synchronizes the license database with the server and, if the server fails, takes over its role (but for no longer than 5 days).

How to set it up

First, you need to buy the license that activates the shared-licensing feature on every ASA that will take part. You receive new activation keys, and once they are applied the feature becomes available.

Second, you need to buy the required number of shared licenses (sold in blocks of 500 for quantities from 500 to 50,000, and above that in blocks of 5,000 up to 545,000 inclusive).

Third, configure the license server (the secret must be the same on the server and on every participant):

asa(config)# license-server secret [secret]

Fourth, configure the participants (the so-called stand-alone ASAs):

asa(config)# license-server address [address] secret [secret] port [port]

where address is the IP address of the license server and port is the TCP port it listens on (50554 by default).

Finally, on the license server itself, enable the service on the interface through which the participants will reach it:

asa(config)# license-server enable [interface]

Additionally, you can configure one of the participants as a backup server.

On the server itself:

asa(config)# license-server backup [address] backup-id [serial-num] ha-backup-id [ha-serial-num]

where address is the IP address of the backup ASA, backup-id is its serial number, and
ha-backup-id is the serial number of the other unit of the pair, if the backup ASA is itself part of an Active/Standby failover pair.

On the backup ASA (which is also configured as an ordinary participant with license-server address ...), enable listening on the interface:

asa(config)# license-server backup enable [interface]
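The whole procedure assembled into one configuration, as an added example that is not taken from the original post: the hostnames, the 192.0.2.x addresses, the interface name, the secret and the serial numbers are placeholders chosen for illustration, and the port is simply the default spelled out.

```cisco
! License server: the ASA that holds the shared pool
asa-hq(config)# license-server secret S3cr3t-shared
asa-hq(config)# license-server port 50554
! optional: designate a backup server by its serial number (and its failover mate's serial)
asa-hq(config)# license-server backup 192.0.2.20 backup-id JMX0000AAAA ha-backup-id JMX0000BBBB
! listen for participants on this interface only
asa-hq(config)# license-server enable inside

! Ordinary participant (a stand-alone ASA at another site); secret must match the server
asa-branch(config)# license-server address 192.0.2.10 secret S3cr3t-shared port 50554

! Backup server: a normal participant that additionally listens for the other participants
asa-backup(config)# license-server address 192.0.2.10 secret S3cr3t-shared port 50554
asa-backup(config)# license-server backup enable inside

! Check the result from any unit
asa-hq# show shared license detail
```

Two things worth checking in practice: the secret is shared by every unit, so treat it like any other shared credential and enable the server only on an interface the participants actually need to reach (not an untrusted one), and remember that the backup is only useful if it is also a participant with the same secret, otherwise it never learns the license database it is supposed to take over.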

You can check the result with the command:

asa# show shared license [backup | client | detail]

Example:

5510-P(config)# show shared license
Shared license utilization:
  SSLVPN:
    Total for network: 200000
    Available: 200000
    Utilized: 0
  This device:
    Platform limit: 250
    Current usage: 0
    High usage: 0

Client ID      Usage   Hostname
XXXXXXXXXXX    0       5540-A

It works like this:
1. When a new SSL VPN session arrives, the ASA checks whether it has free licenses of its own and admits the session if it does.
2. If it has none but a license-server is configured, it sends the server a request for a new quota (50 licenses). It sends the same request when fewer than 10 of the licenses previously taken from the server remain free.
3. If it has more than 60 free borrowed licenses, it returns 50 to the server so that others can use them.
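To make the three rules above concrete, here is a small model of the quota exchange, added as an illustration; it is not Cisco code and not the real wire protocol, only the allocation rules as the post states them (own licenses first, blocks of 50 from the server, re-request below 10 free, return a block above 60 free, never exceed the platform limit). The class names, the constants and the scenario (a 5510 with 10 permanent licenses against a 200-license pool) are assumptions made for the example.

```python
"""Model of the shared SSL VPN licence quota exchange described above.

Added illustration, not Cisco code and not the real wire protocol: it only
encodes the allocation rules the post lists. Names and numbers are my own.
"""
from typing import Dict, Optional, Tuple

CHUNK = 50       # licences borrowed from / returned to the server per request
LOW_WATER = 10   # ask for another block when fewer borrowed licences than this are free
HIGH_WATER = 60  # hand a block back when more borrowed licences than this are free


class LicenseServer:
    """The pool held by the license-server ASA (assumed name)."""

    def __init__(self, total: int) -> None:
        self.total = total
        self.available = total

    def request(self, count: int) -> int:
        """Grant up to `count` licences; returns how many were actually granted."""
        granted = min(count, self.available)
        self.available -= granted
        return granted

    def release(self, count: int) -> None:
        self.available += count
        assert self.available <= self.total, "participant returned more than it borrowed"


class Participant:
    """A stand-alone ASA that may borrow from the server (assumed name)."""

    def __init__(self, name: str, own: int, platform_limit: int,
                 server: Optional[LicenseServer]) -> None:
        self.name = name
        self.own = own                      # permanent licences on this unit
        self.platform_limit = platform_limit
        self.server = server                # None == no license-server configured
        self.borrowed = 0                   # licences currently on loan from the server
        self.sessions = 0

    @property
    def borrowed_free(self) -> int:
        """Borrowed licences not currently backing a session."""
        return self.borrowed - max(0, self.sessions - self.own)

    def _top_up(self) -> None:
        if self.server is None:
            return
        # Never borrow more than the platform could ever put to use.
        want = min(CHUNK, self.platform_limit - self.own - self.borrowed)
        if want > 0:
            self.borrowed += self.server.request(want)

    def connect(self) -> bool:
        """Try to admit one SSL VPN session; False if no licence can be found."""
        if self.sessions >= self.platform_limit:
            return False
        if self.sessions < self.own:        # rule 1: own licences first
            self.sessions += 1
            return True
        if self.borrowed_free == 0:         # rule 2: own licences gone, ask the server
            self._top_up()
        if self.borrowed_free == 0:
            return False                    # pool empty (or no server): refuse
        self.sessions += 1
        if self.borrowed_free < LOW_WATER:  # rule 2: fewer than 10 left, fetch the next block
            self._top_up()
        return True

    def disconnect(self) -> None:
        assert self.sessions > 0
        self.sessions -= 1
        if self.server is not None and self.borrowed_free > HIGH_WATER:  # rule 3
            self.borrowed -= CHUNK
            self.server.release(CHUNK)


def run_scenario() -> Dict[str, Tuple[int, int, int]]:
    """Constructed scenario: a 5510 with 10 own licences against a 200-licence pool.

    Each snapshot is (sessions, borrowed, server.available).
    """
    server = LicenseServer(total=200)
    asa = Participant("5510-A", own=10, platform_limit=250, server=server)
    for _ in range(51):
        assert asa.connect()
    after_51 = (asa.sessions, asa.borrowed, server.available)
    while asa.connect():                    # keep admitting until the pool is dry
        pass
    drained = (asa.sessions, asa.borrowed, server.available)
    while asa.sessions:                     # everyone logs off; blocks drift back
        asa.disconnect()
    idle = (asa.sessions, asa.borrowed, server.available)
    return {"after_51": after_51, "drained": drained, "idle": idle}


if __name__ == "__main__":
    for label, snap in run_scenario().items():
        print(f"{label:>8}: sessions={snap[0]} borrowed={snap[1]} pool_available={snap[2]}")
```

Running it shows the pool being consumed in 50-license steps, the participant being refused once the server has nothing left (210 sessions, well below the 5510's platform limit of 250), and the 10/60 hysteresis at work on the way down: because a block is only returned when more than 60 borrowed licenses are free, a participant that has borrowed once keeps its last block even when idle, which is what stops request/release churn around the threshold. Whether the real ASA frees that last block is not something the post states, so the model does not either.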

Source: https://habr.com/ru/post/62132/

