02-22-2007 03:43 PM - edited 03-11-2019 02:37 AM
Hi All,
I need an explanation as to why on some Pix firewalls, running exactly the same code, the activation key showed up as 4-tuples while other firewalls showed up as 5-tuples.
I opened a TAC case with Cisco but I am getting an evasive answer from Cisco TACs which makes no sense at all.
Can anyone offer any insights to this? Thanks.
David
CCIE security
CiscoPix> sh ver
Cisco PIX Security Appliance Software Version 7.1(2)
Device Manager Version 5.1(2)
Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "flash:/pix712.bin"
Config file at boot was "startup-config"
CiscoPix up 17 days 6 hours
Hardware: PIX-525, 128 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash E28F400B5T @ 0xfffd8000, 32KB
0: Ext: Ethernet0 : address is 0004.c161.5536, irq 10
1: Ext: Ethernet1 : address is 0004.c161.5537, irq 11
2: Ext: Ethernet2 : address is 0002.b318.0a83, irq 11
Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has a Restricted (R) license.
Serial Number: xxxxx
Running Activation Key: ****
Configuration last modified by enable_15 at 16:12:25.483 UTC Tue Feb 20 2007
CiscoPix>
------------------------------------
Pix535> sh ver
Cisco PIX Security Appliance Software Version 7.1(2)
Device Manager Version 5.1(2)
Compiled on Tue 14-Mar-06 17:00 by dalecki
System image file is "flash:/pix712.bin"
Config file at boot was "startup-config"
dca2-Primedia-PIX-1-P up 288 days 9 hours
Hardware: PIX-535, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash DA28F320J5 @ 0xfffd8000, 128KB
0: Ext: GigabitEthernet0 : address is 000e.0cad.d2ba, irq 255
1: Ext: GigabitEthernet1 : address is 000e.0cad.d2bb, irq 255
2: Ext: GigabitEthernet2 : address is 000e.0cad.d30d, irq 255
3: Ext: Ethernet0 : address is 000e.0caf.f48a, irq 255
4: Ext: Ethernet1 : address is 000e.0caf.f5ab, irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 14
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has a (UR) license.
Serial Number: xxxxxxxxx
Running Activation Key: ****
Configuration last modified by enable_15 at 00:03:53.682 UTC Wed Dec 6 2006
Pix535>
------------------------------
02-22-2007 03:44 PM
Here is another one:
ATT-pix> sh ver
Cisco PIX Security Appliance Software Version 7.0(6)8
Device Manager Version 5.0(6)
Compiled on Wed 18-Oct-06 15:48 by builders
System image file is "flash:/pix706-8.bin"
Config file at boot was "startup-config"
dca2-lucent-pix up 22 days 16 hours
failover cluster up 22 days 16 hours
Hardware: PIX-535, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash DA28F320J5 @ 0xfffd8000, 128KB
Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: Ext: Ethernet0 : address is 000d.8811.e4fc, irq 15
1: Ext: Ethernet1 : address is 000d.8811.e4fd, irq 15
2: Ext: Ethernet2 : address is 000d.8811.e4fe, irq 15
3: Ext: Ethernet3 : address is 000d.8811.e4ff, irq 15
4: Ext: Ethernet4 : address is 000d.8811.e4cc, irq 11
5: Ext: Ethernet5 : address is 000d.8811.e4cd, irq 10
6: Ext: Ethernet6 : address is 000d.8811.e4ce, irq 11
7: Ext: Ethernet7 : address is 000d.8811.e4cf, irq 10
8: Ext: Ethernet8 : address is 000d.8811.bd44, irq 12
9: Ext: Ethernet9 : address is 000d.8811.bd45, irq 15
10: Ext: Ethernet10 : address is 000d.8811.bd46, irq 12
11: Ext: Ethernet11 : address is 000d.8811.bd47, irq 15
12: Ext: Ethernet12 : address is 000e.0caa.e86a, irq 15
13: Ext: Ethernet13 : address is 000e.0caa.e914, irq 12
Licensed features for this platform:
Maximum Physical Interfaces : 14
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has a (UR) license.
Serial Number: xxxxx
Running Activation Key: 0xce123456 0x25c13274 0x0ab1xyzd 0xfa5b2471
Configuration last modified by enable_1 at 04:42:52.072 UTC Tue Feb 20 2007
ATT-pix> exit
David
02-22-2007 04:21 PM
Hello David
Is this the way to differentiate the UR/R/FO licenses? I can see from your outputs that R licenses have 4, and UR has 5!!! It is anyway some kind of a hash value, which might require help from some experts who create this :)
Raj
02-22-2007 06:42 PM
Hi Raj,
You should read all of my posts before replying. Your explanation makes no sense.
How do you explain this:
This platform has a (UR) license.
Serial Number: xxxxxxxxx
Running Activation Key: 0x8d14701c 0x2c7682a5 0x24b205b4 0xa32158f0 0x483dda82
Configuration last modified by enable_15 at 00:03:53.682 UTC Wed Dec 6 2006
Pix535>
As you can see, this is UR and it has a 5-tuple key.
This one below is also UR and it has a 4-tuple key:
This platform has a (UR) license.
Serial Number: xxxxx
Running Activation Key: 0xce123456 0x25c13274 0x0ab1xyzd 0xfa5b2471
Configuration last modified by enable_1 at 04:42:52.072 UTC Tue Feb 20 2007
ATT-pix> exit
Same platform, same pix 7.1(2) code. Why
different in the tuple?
David
02-22-2007 06:52 PM
Oh.. you took the response seriously?? I had anyway put it on a lighter side, and that's why I included the smileys.... I think this is a really unnecessary thing to analyse.. what problems do you have if it is a 4 or 5 tuples???? I do read all posts dude.. otherwise, I will not answer to CCIE security guys like you..
Raj
02-22-2007 07:04 PM
Raj,
I apologize. Didn't mean for it to come out that way.
The problem between the 5-tuples and 4-tuples is this: let's say I have a 5-tuples activation key on the pix running 7.x code. Let's say I decide to downgrade it to 6.3(5) code. The "downgrade" command only accepts 4-tuples activation key. So on the pix 7.x code with 5 tuples activation key, I am pretty much screwed. I don't have such problems when downgrading pix from 7.x back to 6.3(5) when the pix itself already has 4-tuples activation key. Cisco TAC is really vague on this issue. I've not gotten a satisfactory response from them.
Does that make sense? Thanks.
David
02-22-2007 09:00 PM
Hey David,
I think it will be better if you contact the licensing team. They will regenerate the key and give it to you... licensing@cisco.com... I have seen some TAC cases with this issue, and it has been that the licensing team always steps in to regenerate the key...
Raj
02-23-2007 02:07 PM
Raj,
I know that I can always contact the licensing team. However, I want to know as to why it behaves this way. This is very bothersome. I've yet to get a satisfactory answer from Cisco on this.
David
02-26-2007 11:28 PM
Hi David.
7.x comes with a 5 tuple key and 6.x with a 4 tuple key.
Now if you want to downgrade from 7.x to 6.3 then the downgrade command will convert the 5 tuple key to a 4 tuple key automatically ....but there is a catch here....your DES/3DES/AES functionality will be disabled....you will have to regenerate keys for DES-3DES/AES..which is done free of cost.
regards
Zubair
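As an added example (not code from any poster in this thread or from Cisco), a small Python script can inventory saved "sh ver" output and flag which units carry a 4-tuple or 5-tuple activation key before a downgrade is planned. The host names and key words in the sample are constructed, and the classification text only reflects what the posters above report.

```python
import re

# Constructed "sh ver" excerpts modelled on this thread; hosts and keys are made up.
SAMPLE_OUTPUTS = {
    "fw-a": """Cisco PIX Security Appliance Software Version 7.1(2)
This platform has a (UR) license.
Running Activation Key: 0x11111111 0x22222222 0x33333333 0x44444444 0x55555555
""",
    "fw-b": """Cisco PIX Security Appliance Software Version 7.0(6)8
This platform has a (UR) license.
Running Activation Key: 0x11111111 0x22222222 0x33333333 0x44444444
""",
    "fw-c": """Cisco PIX Security Appliance Software Version 7.1(2)
This platform has a Restricted (R) license.
Running Activation Key: ****
""",
}

VERSION_RE = re.compile(r"Software Version (\S+)")
LICENSE_RE = re.compile(r"This platform has an? .*?\((\w+)\) license")
KEY_RE = re.compile(r"Running Activation Key:\s*(.*)")

def summarize(show_version):
    """Pull version, license type and activation-key word count from 'sh ver' text."""
    version = VERSION_RE.search(show_version)
    lic = LICENSE_RE.search(show_version)
    key = KEY_RE.search(show_version)
    # Count only 0x-prefixed words; a masked key ("****") yields None, not 0.
    words = re.findall(r"0x\S+", key.group(1)) if key else []
    return {
        "version": version.group(1) if version else None,
        "license": lic.group(1) if lic else None,
        "key_words": len(words) or None,
    }

def downgrade_note(info):
    """Classify a unit by key length, per the 4- vs 5-tuple discussion above."""
    if info["key_words"] is None:
        return "key not visible: collect the output again unmasked"
    if info["key_words"] == 5:
        return "5-tuple key: involve licensing before a 6.3 downgrade"
    if info["key_words"] == 4:
        return "4-tuple key: reported to downgrade without key problems"
    return "unexpected key length: check manually"

def audit(outputs):
    return {host: downgrade_note(summarize(text)) for host, text in outputs.items()}
```

Calling `audit()` on a dictionary of host name to captured output returns one note per host; license type is reported separately because the outputs in this thread show UR units with both key lengths.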