Cisco ASA Base License Limitations




















With some exceptions, failover and cluster units do not require the same license on each unit.

For earlier versions, see the licensing document for your version. Failover units do not require the same license on each unit. Older versions of ASA software required that the licenses match on each unit. Starting with Version 8.

If you have licenses on both units, they combine into a single running failover cluster license. However, because of the IPS signature subscription requirements, you must buy a separate IPS module license for each unit in. Note A valid permanent key is required; in rare instances, your authentication key can be removed.

Cluster units do not require the same license on each unit. Typically, you buy a license only for the master unit; slave units inherit the master license. If you have licenses on multiple units, they combine into a single running ASA cluster license. For failover pairs or ASA clusters, the licenses on each unit are combined into a single running cluster license.

If you buy separate licenses for each unit, then the combined license uses the following rules:. One unit can use 18 contexts and the other unit can use 12 contexts, for example, for a total of Because the platform limit is , the combined license allows a maximum of contexts.

Therefore, you can configure up to contexts on the master unit; each slave unit will also have contexts through configuration replication. Because the platform limit is , the licenses will be combined for a total of contexts. For example, if you have 48 weeks left on the Botnet Traffic Filter license on two units, then the combined duration is 96 weeks. If the units lose communication for more than 30 days, then each unit reverts to the license installed locally. During the 30-day grace period, the combined running license continues to be used by all units.

If you do not restore communication during the 30-day period, then for time-based licenses, time is subtracted from all unit licenses, if installed.

They are treated as separate licenses and do not benefit from the combined license. The time elapsed includes the day grace period. You have a week Botnet Traffic Filter license installed on two units. The combined running license allows a total duration of weeks. The time-based license behavior depends on when communication is restored:. Because failover pairs do not require the same license on both units, you can apply new licenses to each unit without any downtime. If you apply a permanent license that requires a reload see Table , then you can fail over to the other unit while you reload.

If both units require reloading, then you can reload them separately so that you have no downtime. You can purchase some models with No Payload Encryption. For export to some countries, payload encryption cannot be enabled on the Cisco ASA series.

You can use one time-based license per feature at a time. For identical licenses, the time limit is combined when you install multiple time-based licenses. For non-identical licenses (for example, a session AnyConnect Premium license and a session license), the ASA automatically activates the next time-based license it finds for the feature. Can I install a new permanent license while maintaining an active time-based license?

Activating a permanent license does not affect time-based licenses. For failover, can I use a shared licensing server as the primary unit, and the shared licensing backup server as the secondary unit?

The secondary unit has the same running license as the primary unit; in the case of the shared licensing server, they require a server license. The backup server requires a participant license. The backup server can be in a separate failover pair of two backup servers. Do I need to buy the same licenses for the secondary unit in a failover pair? Typically, you buy a license only for the primary unit; the secondary unit inherits the primary license when it becomes active.

In the case where you also have a separate license on the secondary unit for example, if you purchased matching licenses for pre The shared license is used only after the sessions from the locally installed license time-based or permanent are used up.

Note : On the shared licensing server, the permanent AnyConnect Premium license is not used; you can however use a time-based license at the same time as the shared licensing server license.

In this case, the time-based license sessions are available for local AnyConnect Premium sessions only; they cannot be added to the shared licensing pool for use by participants. All license types are available in both routed and transparent mode. Failover Guidelines. Your activation key remains compatible if you upgrade to the latest version from any previous version. However, you might have issues if you want to maintain downgrade capability: Any other keys are made inactive.

If the last time-based license is for a feature introduced in 8. Reenter the permanent key or a valid time-based key. Even if the keys are matching, the license used will no longer be a combined license.

You need to reenter the permanent key to disable the time-based license. Additional Guidelines and Limitations. To obtain an activation key, you need a Product Authorization Key, which you can purchase from your Cisco account representative.

You need to purchase a separate Product Authorization Key for each feature license. For example, if you have the Base License, you can purchase separate keys for Advanced Endpoint Assessment and for additional AnyConnect Premium sessions.

After obtaining the Product Authorization Keys, register them on Cisco.

Step 1 Obtain the serial number for your ASA by entering the following command.

Step 2 If you are not already registered with Cisco.

Step 3 Go to the following licensing website:

Step 4 Enter the following information, when prompted:

An activation key is automatically generated and sent to the e-mail address that you provide. This key includes all features you have registered so far for permanent licenses.

For time-based licenses, each license has a separate activation key. After you enter all of the Product Authorization Keys, the final activation key provided includes all of the permanent features you registered. This section describes how to enter a new activation key, and how to activate and deactivate time-based keys.

Table Permanent License Reloading Requirements. Applies an activation key to the ASA. The key is a five-element hexadecimal string with one space between each element. The leading 0x specifier is optional; all values are assumed to be hexadecimal. You can install one permanent key, and multiple time-based keys. If you enter a new permanent key, it overwrites the already installed one.

The activate and deactivate keywords are available for time-based keys only. If you do not enter any value, activate is the default. The last time-based key that you activate for a given feature is the active one.

To deactivate any active time-based key, enter the deactivate keyword. If you enter a key for the first time, and specify deactivate , then the key is installed on the ASA in an inactive state. See Time-Based Licenses for more information.

See Table for a list of licenses that need reloading. If you need to reload, you will see the following message:. This section describes how to configure the shared licensing server and participants. This section describes how to configure the ASA to be a shared licensing server.

The server must have a shared licensing server key. Any participant with this secret can use the licensing server. Sets the refresh interval between 10 and seconds; this value is provided to participants to set how often they should communicate with the server. The default is 30 seconds. Sets the port on which the server listens for SSL connections from participants, between 1 and The default is TCP port Identifies the backup server IP address and serial number. If the backup server is part of a failover pair, identify the standby unit serial number as well.

You can only identify 1 backup server and its optional standby unit. Enables this unit to be the shared licensing server. Specify the interface on which participants contact the server. You can repeat this command for as many interfaces as desired. The following example sets the shared secret, changes the refresh interval and port, configures a backup server, and enables this unit as the shared licensing server on the inside interface and dmz interface:.

This section enables a shared license participant to act as the backup server if the main server goes down. The backup server must have a shared licensing participant key. Identifies the shared licensing server IP address and shared secret.

If you changed the default port in the server configuration, set the port for the backup server to match. Enables this unit to be the shared licensing backup server. The following example identifies the license server and shared secret, and enables this unit as the backup shared license server on the inside interface and dmz interface:.

See Configuring the Shared Licensing Participant. This section configures a shared licensing participant to communicate with the shared licensing server. The participant must have a shared licensing participant key.

If you changed the default port in the server configuration, set the port for the participant to match. If you configured a backup server, enter the backup server address. The following example sets the license server IP address and shared secret, as well as the backup license server IP address:. This section describes how to view your current license, and for time-based activation keys, how much time the license has left.

See No Payload Encryption Models for more information. This command shows the permanent license, active time-based licenses, and the running license, which is a combination of the permanent license and active time-based licenses. The detail keyword also shows inactive time-based licenses. Example Standalone Unit Output for the show activation-key command.

The following is sample output from the show activation-key command for a standalone unit that shows the running license (the combined permanent license and time-based licenses), as well as each active time-based license:

Example Standalone Unit Output for show activation-key detail. The following is sample output from the show activation-key detail command for a standalone unit that shows the running license (the combined permanent license and time-based licenses), as well as the permanent license and each installed time-based license (active and inactive): The following is sample output from the show activation-key detail command for the primary failover unit that shows:

The following is sample output from the show activation-key detail command for the secondary failover unit that shows:. Premium licenses. The following is sample output from the show activation-key command for the primary failover unit that shows:.

The following is sample output from the show activation-key command for the secondary failover unit that shows:. Example Output in a Cluster for show activation-key. To monitor the shared license, enter one of the following commands. Shows shared license statistics. Optional keywords are available only for the licensing server: the detail keyword shows statistics per participant. To limit the display to one participant, use the client keyword.

The backup keyword shows information about the backup server. To clear the shared license statistics, enter the clear shared license command. Shows the licenses installed on the ASA. The show version command also shows license information. The following is sample output from the show shared license command on the license participant:.

The following is sample output from the show shared license detail command on the license server:. Table lists each feature change and the platform release in which it was implemented. Table Feature History for Licensing. Increased interfaces for the Base license on the ASA For the Base license on the ASA , the maximum number of interfaces was increased from 3 plus a management interface to unlimited interfaces.

The maximum number of VLANs for the Security Plus license on the ASA was increased from 5 (3 fully functional; 1 failover; one restricted to a backup interface) to 20 fully functional interfaces. In addition, the number of trunk ports was increased from 1 to 8.

Now there are 20 fully functional interfaces, you do not need to use the backup interface command to cripple a backup ISP interface; you can use a fully functional interface for it. The backup interface command is still useful for an Easy VPN configuration. In the Base license, they continue to be used as Fast Ethernet Mbps ports. Use the speed command to change the speed on the interface and use the show interface command to see what speed is currently configured for each interface.

The Advanced Endpoint Assessment license was introduced. As a condition for the completion of a Cisco AnyConnect or clientless SSL VPN connections, the remote computer scans for a greatly expanded collection of antivirus and antispyware applications, firewalls, operating systems, and associated updates. It also scans for any registry entries, filenames, and process names that you specify. It sends the scan results to the ASA. With an Advanced Endpoint Assessment License, you can enhance Host Scan by configuring an attempt to update noncompliant computers to meet version requirements.

Cisco can provide timely updates to the list of applications and versions that Host Scan supports in a package that is separate from Cisco Secure Desktop. The AnyConnect for Mobile license was introduced. The UC Proxy sessions license was introduced. All of these applications are licensed under the UC Proxy umbrella, and can be mixed and matched. The Botnet Traffic Filter license was introduced. The Botnet Traffic Filter protects against malware network activity by tracking connections to known bad domains and IP addresses.

The AnyConnect Essentials License was introduced. By default, the ASA uses the AnyConnect Essentials license, but you can disable it to use other licenses by using the webvpn, and then the no anyconnect-essentials command. Mobility Proxy application no longer requires Unified Communications Proxy license. Failover licenses no longer need to be identical on each unit. The license used for both units is the combined license from the primary and secondary units.

We modified the following commands: show activation-key and show version. So, I could make one for the outside, one for the dmz, and the other 6 for the inside. Should the user license support that, or do I need to go to security plus? I believe there is a 10 user limit on this. How is this enforced? Does this mean that it will only route traffic for 10 hosts? Some of those devices would have traffic going through a site-to-site VPN.

Perhaps it controls it through NAT, in which case the devices, since they would be NAT exempt, would not count? As per your 1st query, the DMZ is a restricted VLAN for this license.

This means you would be able to configure the DMZ vlan but it will either be able to talk with the Inside or the outside interface simultaneously. Note that even when the outside initiates a connection to the inside, outside hosts are not counted towards the limit; only the inside hosts count. Hosts that initiate traffic between Business and Home are also not counted towards the limit.

The interface associated with the default route is considered to be the outside Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit.

See the show local-host command to view host limits. Although Vibhor already gave you the essential information related to the Base License ASA you should also notice that you can avoid some of the restricted DMZ limitations depending on how you set up your network. Now if you had a situation where it was essential that both your DMZ and LAN networks should be able to connect towards each other (a setup that the default DMZ setup would not allow) then you could consider configuring the "no forward interface Vlanx" command on the "outside" interface and towards your "inside" interfaces Vlan for example.

This would enable you to allow connection from "outside" to "dmz", "dmz" to "inside" and "inside" to "dmz". One thing to consider with such a setup might be that if you had to make a change to this setup at some point then that might become a bit harder.

To my understanding you can not simply configure the "no forward interface Vlanx" command to another interface to replace the one located in another interface but you would actually have to remove the interface with the command and then configure the interface with the command you want to move the restriction to.

As you might imagine doing this with the "outside" interface might prove to be a bit tricky. You would have to be doing this change locally as you would have to remove the "outside" interface for a moment.

Typically the default DMZ setup is enough though but have run into some situations where this has been required to avoid License upgrade. Optional Time-based license: Available. Optional license: Available sessions. Optional Perm. Optional Shared licenses: Participant or Server. For the Server:. With the 10,session UC license, the total combined sessions can be 10,, but the maximum number of Phone Proxy sessions is Base License : Disabled; fiber ifcs run at 1 GE. Optional license: Available 10, sessions.

Each SSP acts as an independent device, with separate configurations and management. You can use the two SSPs as a failover pair if desired. The AnyConnect client software offers the same set of client features, whether it is enabled by this license or an AnyConnect Premium license. In conjunction with an AnyConnect Premium license, this license enables access from hardware IP phones that have built in AnyConnect compatibility. This license provides access to the AnyConnect Client for touch-screen mobile devices running Windows Mobile 5.

We recommend using this license if you want to support mobile access to AnyConnect 2. Here is the functionality you receive based on the license you install. This includes allowing or denying remote access from a mobile device. The shared license pool is large, but the maximum number of sessions used by each individual ASA cannot exceed the maximum number listed for permanent licenses. The DES license cannot be disabled. To prevent the use of DES when you want to only use strong encryption, be sure to configure any relevant commands to use only strong encryption.

If you also have a Unified Communications UC license installed that is higher than the default TLS proxy limit, then the ASA sets the limit to be the UC license limit plus an additional number of sessions depending on your model. To view the limits of your model, enter the tls-proxy maximum-sessions? If you need more than sessions for IME, then the remaining sessions of the platform limit are used on a first-come, first-served basis by UC and IME.

Note K8 and K9 refer to whether the license is restricted for export: K8 is unrestricted, and K9 is restricted. You might also use SRTP encryption sessions for your connections:. The maximum number of combined interfaces; for example, VLANs, physical, redundant, bridge group, and EtherChannel interfaces. Every interface command defined in the configuration counts against this limit. The following applications use TLS proxy sessions for their connections. Each TLS proxy session used by these applications and only these applications is counted against the UC license limit:.

Some UC applications might use multiple sessions for a connection. K8 and K9 refer to whether the license is restricted for export: K8 is unrestricted, and K9 is restricted. If you clear the configuration (using the clear configure all command, for example), then the TLS proxy limit is set to the default for your model; if this default is lower than the UC license limit, then you see an error message to use the tls-proxy maximum-sessions command to raise the limit again (in ASDM, use the TLS Proxy pane).

Because the configuration synchronization restores the TLS proxy limit set on the primary unit, you can ignore the warning.

For example:. Table shows how the VPN licenses and features can combine. AnyConnect for Mobile 9. You can only have one license type active, either the AnyConnect Essentials license or the AnyConnect Premium license.

If you install the AnyConnect Essentials license, then it is used by default. See the no anyconnect-essentials command to enable the Premium license instead. Mobile Posture support is different for the AnyConnect Essentials vs. See Table for details. It is represented by an activation key that is a 160-bit (5 32-bit words or 20 bytes) value. This value encodes the serial number (an 11 character string) and the enabled features.

By default, your ASA ships with a license already installed. This license might be the Base License, to which you want to add more licenses, or it might already have all of your licenses installed, depending on what you ordered and what your vendor installed for you. You can have one permanent activation key installed. The permanent activation key includes all licensed features in a single key.

If you also install time-based licenses, the ASA combines the permanent and time-based licenses into a running license. In addition to permanent licenses, you can purchase time-based licenses or receive an evaluation license that has a time-limit. For example, you might buy a time-based AnyConnect Premium license to handle short-term surges in the number of concurrent SSL VPN users, or you might order a Botnet Traffic Filter time-based license that is valid for 1 year.

Note We suggest you do not change the system clock after you install the time-based license. If you set the clock to be a later date, then if you reload, the ASA checks the system clock against the original installation time, and assumes that more time has passed than has actually been used. If you set the clock back, and the actual running time is greater than the time between the original installation time and the system clock, then the license immediately expires after a reload.

When you activate a time-based license, then features from both permanent and time-based licenses combine to form the running license. How the permanent and time-based licenses combine depends on the type of license. Table lists the combination rules for each feature license. Note Even when the permanent license is used, if the time-based license is active, it continues to count down.

The higher value is used, either time-based or permanent. For example, if the permanent license is sessions, and the time-based license is sessions, then sessions are enabled. Typically, you will not install a time-based license that has less capability than the permanent license, but if you do so, then the permanent license is used. The time-based license sessions are added to the permanent sessions, up to the platform limit.

For example, if the permanent license is sessions, and the time-based license is sessions, then sessions are enabled for as long as the time-based license is active. The time-based license contexts are added to the permanent contexts, up to the platform limit.

For example, if the permanent license is 10 contexts, and the time-based license is 20 contexts, then 30 contexts are enabled for as long as the time-based license is active. There is no permanent Botnet Traffic Filter license available; the time-based license is used. For licenses that have a status of enabled or disabled, then the license with the enabled status is used. For licenses with numerical tiers, the higher value is used. In many cases, you might need to renew your time-based license and have a seamless transition from the old license to the new one.

For features that are only available with a time-based license, it is especially important that the license not expire before you can apply the new license. The ASA allows you to stack time-based licenses so you do not have to worry about the license expiring or about losing time on your licenses because you installed the new one early. When you install an identical time-based license as one already installed, then the licenses are combined, and the duration equals the combined duration. You install a 52-week Botnet Traffic Filter license, and use the license for 25 weeks (27 weeks remain).

You then purchase another 52-week Botnet Traffic Filter license. When you install the second license, the licenses combine to have a duration of 79 weeks (52 weeks plus 27 weeks).

You install an 8-week session AnyConnect Premium license, and use it for 2 weeks (6 weeks remain). You then install another 8-week session license, and the licenses combine to be sessions for 14 weeks (8 weeks plus 6 weeks). If the licenses are not identical for example, a session AnyConnect Premium license vs.

Because only one time-based license per feature can be active, only one of the licenses can be active. Although non-identical licenses do not combine, when the current license expires, the ASA automatically activates an installed license of the same feature if available. When the current license for a feature expires, the ASA automatically activates an installed license of the same feature if available.

If there are no other time-based licenses available for the feature, then the permanent license is used. If you have more than one additional time-based license installed for a feature, then the ASA uses the first license it finds; which license is used is not user-configurable and depends on internal operations. If you prefer to use a different time-based license than the one the ASA activated, then you must manually activate the license you prefer.

For example, you have a time-based session AnyConnect Premium license active , a time-based session AnyConnect Premium license inactive , and a permanent session AnyConnect Premium license. While the session license expires, the ASA activates the session license. After the session license expires, the ASA uses the session permanent license. A shared license lets you purchase a large number of AnyConnect Premium sessions and share the sessions as needed among a group of ASAs by configuring one of the ASAs as a shared licensing server, and the rest as shared licensing participants.

This section describes how a shared license works and includes the following topics:. The following steps describe how shared licenses operate:. Decide which ASA should be the shared licensing server, and purchase the shared licensing server license using that device serial number. Decide which ASAs should be shared licensing participants, including the shared licensing backup server, and obtain a shared licensing participant license for each device, using each device serial number.

Optional Designate a second ASA as a shared licensing backup server. You can only specify one backup server. Note The shared licensing backup server only needs a participant license. Configure a shared secret on the shared licensing server; any participants with the shared secret can use the shared license. When you configure the ASA as a participant, it registers with the shared licensing server by sending information about itself, including the local license and model information.

Note The participant needs to be able to communicate with the server over the IP network; it does not have to be on the same subnet. The shared licensing server responds with information about how often the participant should poll the server. When a participant uses up the sessions of the local license, it sends a request to the shared licensing server for additional sessions in session increments.

The shared licensing server responds with a shared license. The total sessions used by a participant cannot exceed the maximum sessions for the platform model. Note The shared licensing server can also participate in the shared license pool. It does not need a participant license as well as the server license to participate. If there are not enough sessions left in the shared license pool for the participant, then the server responds with as many sessions as available.

The participant continues to send refresh messages requesting more sessions until the server can adequately fulfill the request. When the load is reduced on a participant, it sends a message to the server to release the shared sessions. See the following guidelines for communication issues between the participant and server:.

The shared licensing backup server must register successfully with the main shared licensing server before it can take on the backup role.

When it registers, the main shared licensing server syncs server settings as well as the shared license information with the backup, including a list of registered participants and the current license usage. The main server and backup server sync the data at 10 second intervals. After the initial sync, the backup server can successfully perform backup duties, even after a reload. When the main server goes down, the backup server takes over server operation.

The backup server can operate for up to 30 continuous days, after which the backup server stops issuing sessions to participants, and existing sessions time out. Be sure to reinstate the main server within that 30-day period. Critical-level syslog messages are sent at 15 days, and again at 30 days. When the main server comes back up, it syncs with the backup server, and then takes over server operation.

When the backup server is not active, it acts as a regular participant of the main shared licensing server. Note When you first launch the main shared licensing server, the backup server can only operate independently for 5 days. The operational limit increases day-by-day, until 30 days is reached. Also, if the main server later goes down for any length of time, the backup server operational limit decrements day-by-day. When the main server comes back up, the backup server starts to increment again day-by-day.

For example, if the main server is down for 20 days, with the backup server active during that time, then the backup server will only have a 10-day limit left over. This recharging function is implemented to discourage misuse of the shared license. This section describes how shared licenses interact with failover and includes the following topics: This section describes how the main server and backup server interact with failover. Because the shared licensing server is also performing normal duties as the ASA, including performing functions such as being a VPN gateway and firewall, you might need to configure failover for the main and backup shared licensing servers for increased reliability.

Note: The backup server mechanism is separate from, but compatible with, failover. The standby unit does not act as the backup shared licensing server. Instead, you can have a second pair of units acting as the backup server, if desired.

For example, you have a network with 2 failover pairs. Pair 1 includes the main licensing server. Pair 2 includes the backup server. When the primary unit from Pair 1 goes down, the standby unit immediately becomes the new main licensing server.

The backup server from Pair 2 never gets used. Only if both units in Pair 1 go down does the backup server in Pair 2 come into use as the shared licensing server.

If Pair 1 remains down, and the primary unit in Pair 2 goes down, then the standby unit in Pair 2 comes into use as the shared licensing server (see the figure "Failover and Shared License Servers"). The standby backup server shares the same operating limits as the primary backup server; if the standby unit becomes active, it continues counting down where the primary unit left off.

For participant pairs, both units register with the shared licensing server using separate participant IDs. The active unit syncs its participant ID with the standby unit. The standby unit uses this ID to generate a transfer request when it switches to the active role. This transfer request is used to move the shared sessions from the previously active unit to the new active unit.

The ASA does not limit the number of participants for the shared license; however, a very large shared network could potentially affect the performance on the licensing server. In this case, you can increase the delay between participant refreshes, or you can create two shared networks.

With some exceptions, failover units do not require the same license on each unit. For earlier versions, see the licensing document for your version. Older versions of ASA software required that the licenses match on each unit. Starting with Version 8. If you have licenses on both units, they combine into a single running failover cluster license.

Note: A valid permanent key is required; in rare instances, your authentication key can be removed.

For failover pairs, the licenses on each unit are combined into a single running failover cluster license. If you buy separate licenses for the primary and secondary unit, then the combined license uses the following rules:

For example, if you have 48 weeks left on the Botnet Traffic Filter license on both units, then the combined duration is 96 weeks. If the failover units lose communication for more than 30 days, then each unit reverts to the license installed locally. During the 30-day grace period, the combined running license continues to be used by both units. If you restore communication during the 30-day grace period, then for time-based licenses, the time elapsed is subtracted from the primary license; only if the primary license expires does the secondary license start to count down.

If you do not restore communication during the 30-day period, then for time-based licenses, time is subtracted from both primary and secondary licenses, if installed. They are treated as two separate licenses and do not benefit from the failover combined license.

The time elapsed includes the 30-day grace period. For example, you have a 52-week Botnet Traffic Filter license installed on both units. The combined running license allows a total duration of 104 weeks. The units operate as a failover unit for 10 weeks, leaving 94 weeks on the combined license (42 weeks on the primary, and 52 weeks on the secondary).
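The time-based license rules above can be carried through for the Botnet Traffic Filter example, starting from the point where 42 weeks remain on the primary and 52 on the secondary. This is an added example, not Cisco code; the function names and the 4-week and 6-week outage lengths are constructed for illustration.

```python
GRACE_DAYS = 30   # failover units keep using the combined license this long (from the page)
WEEK = 7          # the page states durations in weeks; the model counts days


def run_paired(primary, secondary, elapsed):
    """Units in contact: elapsed days come off the primary license first,
    and the secondary only starts counting down once the primary is expired."""
    from_primary = min(primary, elapsed)
    from_secondary = min(secondary, elapsed - from_primary)
    return primary - from_primary, secondary - from_secondary


def after_outage(primary, secondary, outage_days):
    """Days left on each unit's time-based license after a communication loss."""
    if outage_days <= GRACE_DAYS:
        # Restored inside the grace period: accounted like normal paired time.
        return run_paired(primary, secondary, outage_days)
    # Not restored in time: the licenses are treated as two separate licenses
    # and the whole outage, grace period included, comes off both.
    return max(0, primary - outage_days), max(0, secondary - outage_days)


def in_weeks(pair):
    """Convert a (primary, secondary) pair of day counts to weeks."""
    return tuple(d / WEEK for d in pair)


if __name__ == "__main__":
    # 52 weeks installed on each unit, then 10 weeks as a failover pair.
    state = run_paired(52 * WEEK, 52 * WEEK, 10 * WEEK)
    print("after 10 weeks paired:", in_weeks(state))
    # Constructed outages on either side of the 30-day boundary.
    print("4-week outage:", in_weeks(after_outage(*state, 4 * WEEK)))
    print("6-week outage:", in_weeks(after_outage(*state, 6 * WEEK)))
```

The two outages differ by only two weeks, but crossing the 30-day boundary costs eight more weeks of combined license (84 weeks left instead of 90).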


