PIX activation key explanation needed

Unanswered Question
Feb 22nd, 2007

Hi All,

I need an explanation as to why on some PIX firewalls, running exactly the same code, the activation key showed up as 4-tuples while other firewalls showed up as 5-tuples.

I opened a TAC case with Cisco but I am getting evasive answers from Cisco TAC which make no sense at all.

Can anyone offer any insights into this? Thanks.

David

CCIE security

CiscoPix> sh ver

Cisco PIX Security Appliance Software Version 7.1(2)

Device Manager Version 5.1(2)

Compiled on Wed 22-Nov-06 14:16 by builders

System image file is "flash:/pix712.bin"

Config file at boot was "startup-config"

CiscoPix up 17 days 6 hours

Hardware: PIX-525, 128 MB RAM, CPU Pentium III 600 MHz

Flash E28F128J3 @ 0xfff00000, 16MB

BIOS Flash E28F400B5T @ 0xfffd8000, 32KB

0: Ext: Ethernet0 : address is 0004.c161.5536, irq 10

1: Ext: Ethernet1 : address is 0004.c161.5537, irq 11

2: Ext: Ethernet2 : address is 0002.b318.0a83, irq 11

Licensed features for this platform:

Maximum Physical Interfaces : 6

Maximum VLANs : 25

Inside Hosts : Unlimited

Failover : Disabled

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Cut-through Proxy : Enabled

Guards : Enabled

URL Filtering : Enabled

Security Contexts : 0

GTP/GPRS : Disabled

VPN Peers : Unlimited

This platform has a Restricted (R) license.

Serial Number: xxxxx

Running Activation Key: ****

Configuration last modified by enable_15 at 16:12:25.483 UTC Tue Feb 20 2007

CiscoPix>

------------------------------------

Pix535> sh ver

Cisco PIX Security Appliance Software Version 7.1(2)

Device Manager Version 5.1(2)

Compiled on Tue 14-Mar-06 17:00 by dalecki

System image file is "flash:/pix712.bin"

Config file at boot was "startup-config"

dca2-Primedia-PIX-1-P up 288 days 9 hours

Hardware: PIX-535, 1024 MB RAM, CPU Pentium III 1000 MHz

Flash i28F640J5 @ 0x300, 16MB

BIOS Flash DA28F320J5 @ 0xfffd8000, 128KB

0: Ext: GigabitEthernet0 : address is 000e.0cad.d2ba, irq 255

1: Ext: GigabitEthernet1 : address is 000e.0cad.d2bb, irq 255

2: Ext: GigabitEthernet2 : address is 000e.0cad.d30d, irq 255

3: Ext: Ethernet0 : address is 000e.0caf.f48a, irq 255

4: Ext: Ethernet1 : address is 000e.0caf.f5ab, irq 255

Licensed features for this platform:

Maximum Physical Interfaces : 14

Maximum VLANs : 150

Inside Hosts : Unlimited

Failover : Active/Standby

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Cut-through Proxy : Enabled

Guards : Enabled

URL Filtering : Enabled

Security Contexts : 2

GTP/GPRS : Disabled

VPN Peers : Unlimited

This platform has a (UR) license.

Serial Number: xxxxxxxxx

Running Activation Key: ****

Configuration last modified by enable_15 at 00:03:53.682 UTC Wed Dec 6 2006

Pix535>

------------------------------

daviddtran Thu, 02/22/2007 - 15:44

Here is another one:

ATT-pix> sh ver

Cisco PIX Security Appliance Software Version 7.0(6)8

Device Manager Version 5.0(6)

Compiled on Wed 18-Oct-06 15:48 by builders

System image file is "flash:/pix706-8.bin"

Config file at boot was "startup-config"

dca2-lucent-pix up 22 days 16 hours

failover cluster up 22 days 16 hours

Hardware: PIX-535, 1024 MB RAM, CPU Pentium III 1000 MHz

Flash i28F640J5 @ 0x300, 16MB

BIOS Flash DA28F320J5 @ 0xfffd8000, 128KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)

0: Ext: Ethernet0 : address is 000d.8811.e4fc, irq 15

1: Ext: Ethernet1 : address is 000d.8811.e4fd, irq 15

2: Ext: Ethernet2 : address is 000d.8811.e4fe, irq 15

3: Ext: Ethernet3 : address is 000d.8811.e4ff, irq 15

4: Ext: Ethernet4 : address is 000d.8811.e4cc, irq 11

5: Ext: Ethernet5 : address is 000d.8811.e4cd, irq 10

6: Ext: Ethernet6 : address is 000d.8811.e4ce, irq 11

7: Ext: Ethernet7 : address is 000d.8811.e4cf, irq 10

8: Ext: Ethernet8 : address is 000d.8811.bd44, irq 12

9: Ext: Ethernet9 : address is 000d.8811.bd45, irq 15

10: Ext: Ethernet10 : address is 000d.8811.bd46, irq 12

11: Ext: Ethernet11 : address is 000d.8811.bd47, irq 15

12: Ext: Ethernet12 : address is 000e.0caa.e86a, irq 15

13: Ext: Ethernet13 : address is 000e.0caa.e914, irq 12

Licensed features for this platform:

Maximum Physical Interfaces : 14

Maximum VLANs : 150

Inside Hosts : Unlimited

Failover : Active/Standby

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Cut-through Proxy : Enabled

Guards : Enabled

URL Filtering : Enabled

Security Contexts : 2

GTP/GPRS : Disabled

VPN Peers : Unlimited

This platform has a (UR) license.

Serial Number: xxxxx

Running Activation Key: 0xce123456 0x25c13274 0x0ab1xyzd 0xfa5b2471

Configuration last modified by enable_1 at 04:42:52.072 UTC Tue Feb 20 2007

ATT-pix> exit

David

sachinraja Thu, 02/22/2007 - 16:21

Hello David

Is this the way to differentiate the UR/R/FO licenses? I can see from your outputs that R licenses have 4, and UR has 5! It is anyway some kind of a hash value, which might require help from some experts who create this :)

Raj

daviddtran Thu, 02/22/2007 - 18:42

Hi Raj,

You should read all of my posts before replying. Your explanation makes no sense.

How do you explain this:

This platform has a (UR) license.

Serial Number: xxxxxxxxx

Running Activation Key: 0x8d14701c 0x2c7682a5 0x24b205b4 0xa32158f0 0x483dda82

Configuration last modified by enable_15 at 00:03:53.682 UTC Wed Dec 6 2006

Pix535>

As you can see, this is UR and it has a 5-tuple key.

This one below is also UR and it has a 4-tuple key:

This platform has a (UR) license.

Serial Number: xxxxx

Running Activation Key: 0xce123456 0x25c13274 0x0ab1xyzd 0xfa5b2471

Configuration last modified by enable_1 at 04:42:52.072 UTC Tue Feb 20 2007

ATT-pix> exit

Same platform, same PIX 7.1(2) code. Why the difference in the tuples?

David

sachinraja Thu, 02/22/2007 - 18:52

Oh, you took the response seriously? I had anyway put it on the lighter side, and that's why I included the smileys. I think this is a really unnecessary thing to analyse. What problems do you have if it is a 4- or 5-tuple? I do read all posts, dude; otherwise, I will not answer CCIE security guys like you.

Raj

daviddtran Thu, 02/22/2007 - 19:04

Raj,

I apologize. Didn't mean for it to come out that way.

The problem between the 5-tuple and 4-tuple keys is this: let's say I have a 5-tuple activation key on the PIX running 7.x code. Let's say I decide to downgrade it to 6.3(5) code. The "downgrade" command only accepts a 4-tuple activation key. So on the PIX 7.x code with a 5-tuple activation key, I am pretty much screwed. I don't have such problems when downgrading a PIX from 7.x back to 6.3(5) when the PIX itself already has a 4-tuple activation key. Cisco TAC is really vague on this issue. I've not gotten a satisfactory response from them.

Does that make sense? Thanks.

David

daviddtran Fri, 02/23/2007 - 14:07

Raj,

I know that I can always contact the licensing team. However, I want to know why it behaves this way. This is very bothersome. I've yet to get a satisfactory answer from Cisco on this.

David

zubairjalal Mon, 02/26/2007 - 23:28

Hi David.

7.x comes with a 5-tuple key and 6.x with a 4-tuple key.

Now if you want to downgrade from 7.x to 6.3, then the downgrade command will convert the 5-tuple key to a 4-tuple key automatically, but there is a catch here: your DES/3DES/AES functionality will be disabled. You will have to regenerate keys for DES/3DES/AES, which is done free of cost.

regards

Zubair
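
An added example, not part of the original thread and not Cisco tooling: a Python pre-downgrade check over saved `sh ver` captures that counts the words on the "Running Activation Key" line and applies the behaviour described in the reply above (a 5-tuple key is converted on downgrade and the DES/3DES/AES key has to be regenerated). The hostnames, key words and the function names `assess` and `audit` are constructed for illustration.

```python
import re

# Constructed, trimmed "sh ver" captures (hostnames and key words are made up).
SAMPLES = {
    "pix-a": "Cisco PIX Security Appliance Software Version 7.1(2)\n"
             "VPN-3DES-AES : Enabled\n"
             "Running Activation Key: 0x11111111 0x22222222 0x33333333 0x44444444 0x55555555\n",
    "pix-b": "Cisco PIX Security Appliance Software Version 7.0(6)8\n"
             "VPN-3DES-AES : Enabled\n"
             "Running Activation Key: 0x11111111 0x22222222 0x33333333 0x44444444\n",
    "pix-c": "Cisco PIX Security Appliance Software Version 7.1(2)\n"
             "VPN-3DES-AES : Enabled\n"
             "Running Activation Key: ****\n",
}

VERSION_RE = re.compile(r"Software Version (\d+)\.\d+")
KEY_RE = re.compile(r"^Running Activation Key:[ \t]*(.*)$", re.M)
WORD_RE = re.compile(r"0x[0-9a-fA-F]{8}")
CRYPTO_RE = re.compile(r"^VPN-(?:DES|3DES-AES)\s*:\s*Enabled", re.M)


def assess(show_version):
    """Return major version, key word count and a downgrade note for one capture."""
    ver = VERSION_RE.search(show_version)
    key = KEY_RE.search(show_version)
    fields = key.group(1).split() if key else []
    # A masked ("****") or sanitised key with non-hex words cannot be counted.
    valid = bool(fields) and all(WORD_RE.fullmatch(f) for f in fields)
    words = len(fields) if valid else None
    crypto = bool(CRYPTO_RE.search(show_version))
    # Per the thread: 5-tuple keys are converted on downgrade and lose DES/3DES/AES.
    relicense = words == 5 and crypto
    if words is None:
        note = "key unreadable: capture the unmasked key before planning"
    elif relicense:
        note = "5-tuple: expect to re-request the DES/3DES/AES key after downgrade"
    elif words == 4:
        note = "4-tuple: key usable by the downgrade as-is"
    else:
        note = "%d-tuple: check with licensing" % words
    return {"major": int(ver.group(1)) if ver else None, "words": words,
            "relicense_crypto": relicense, "note": note}


def audit(captures):
    """Assess every capture in a {hostname: text} mapping."""
    return {name: assess(text) for name, text in captures.items()}


if __name__ == "__main__":
    for name, result in audit(SAMPLES).items():
        print(name, result["words"], result["note"])
```

A key line that has been masked or hand-edited before posting, as in the captures in this thread, is reported as unreadable instead of being counted.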
