Re: ASA 5506-X ISP Failover

prsgroup · ‎09-01-2015

I understand the ASA 5506-X requires the Security Plus license for failover, however, I haven't been able to determine if that's only for HA active/standby failover where you have two devices and one backs up the other, or if it applies to WAN failover where a single device redirects traffic to a second ISP if the first goes down.

Can anyone provide clarification?

Thank you,

Rick

mekozloski · ‎09-02-2015

Hi Rick,

Definitely not clear on the 5506 (compared to the 5505). Since all the ports on the 5506 are routed instead of switched (like the 5512 and up and unlike the 5505), dual ISP support might be available w/o the additional license.

Arturo Bianchi · ‎03-14-2016

Hi,

I was asking the same question but as usual is not immediately find an answer...

True that according to this article Like Chalk and Cheese: Cisco ASA 5506-X with Release 9.4.1 – Policy Based Routing there is a revolution, and it is finally available the PBR also on ASA but it is not resolved the issue of licenses. While no one can give a definite answer, I'll have to do a question to the TAC, not having at hand a 5506 and having to decide!

Has anyone had any feedback?

73,

A.

afloriani · ‎04-14-2016

Hi,

PBR is available, but it only works, if the Routing policies are used to establish the connection (e.g. the SYN-packet for a TCP-connection). Apparently the Routing policies are not checked, if there already exists an entry in the Firewall Connection table (see bug CSCuv00272).

If you are only using the scenario, Cisco developers have foreseen ("outbound" connections using different uplinks), then it seems to work fine.