PIX activation key explanation needed

daviddtran
Level 1

Hi All,

I need an explanation as to why on some Pix firewalls, running exactly the same code, the activation key showed up as 4-tuples while other firewalls showed up as 5-tuples.

I opened a TAC case with Cisco but I am getting an evasive answer from Cisco TACs which makes no sense at all.

Can anyone offer any insights into this? Thanks.

David

CCIE security

CiscoPix> sh ver

Cisco PIX Security Appliance Software Version 7.1(2)

Device Manager Version 5.1(2)

Compiled on Wed 22-Nov-06 14:16 by builders

System image file is "flash:/pix712.bin"

Config file at boot was "startup-config"

CiscoPix up 17 days 6 hours

Hardware: PIX-525, 128 MB RAM, CPU Pentium III 600 MHz

Flash E28F128J3 @ 0xfff00000, 16MB

BIOS Flash E28F400B5T @ 0xfffd8000, 32KB

0: Ext: Ethernet0 : address is 0004.c161.5536, irq 10

1: Ext: Ethernet1 : address is 0004.c161.5537, irq 11

2: Ext: Ethernet2 : address is 0002.b318.0a83, irq 11

Licensed features for this platform:

Maximum Physical Interfaces : 6

Maximum VLANs : 25

Inside Hosts : Unlimited

Failover : Disabled

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Cut-through Proxy : Enabled

Guards : Enabled

URL Filtering : Enabled

Security Contexts : 0

GTP/GPRS : Disabled

VPN Peers : Unlimited

This platform has a Restricted (R) license.

Serial Number: xxxxx

Running Activation Key: ****

Configuration last modified by enable_15 at 16:12:25.483 UTC Tue Feb 20 2007

CiscoPix>

------------------------------------

Pix535> sh ver

Cisco PIX Security Appliance Software Version 7.1(2)

Device Manager Version 5.1(2)

Compiled on Tue 14-Mar-06 17:00 by dalecki

System image file is "flash:/pix712.bin"

Config file at boot was "startup-config"

dca2-Primedia-PIX-1-P up 288 days 9 hours

Hardware: PIX-535, 1024 MB RAM, CPU Pentium III 1000 MHz

Flash i28F640J5 @ 0x300, 16MB

BIOS Flash DA28F320J5 @ 0xfffd8000, 128KB

0: Ext: GigabitEthernet0 : address is 000e.0cad.d2ba, irq 255

1: Ext: GigabitEthernet1 : address is 000e.0cad.d2bb, irq 255

2: Ext: GigabitEthernet2 : address is 000e.0cad.d30d, irq 255

3: Ext: Ethernet0 : address is 000e.0caf.f48a, irq 255

4: Ext: Ethernet1 : address is 000e.0caf.f5ab, irq 255

Licensed features for this platform:

Maximum Physical Interfaces : 14

Maximum VLANs : 150

Inside Hosts : Unlimited

Failover : Active/Standby

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Cut-through Proxy : Enabled

Guards : Enabled

URL Filtering : Enabled

Security Contexts : 2

GTP/GPRS : Disabled

VPN Peers : Unlimited

This platform has a (UR) license.

Serial Number: xxxxxxxxx

Running Activation Key: ****

Configuration last modified by enable_15 at 00:03:53.682 UTC Wed Dec 6 2006

Pix535>

------------------------------


daviddtran
Level 1

Here is another one:

ATT-pix> sh ver

Cisco PIX Security Appliance Software Version 7.0(6)8

Device Manager Version 5.0(6)

Compiled on Wed 18-Oct-06 15:48 by builders

System image file is "flash:/pix706-8.bin"

Config file at boot was "startup-config"

dca2-lucent-pix up 22 days 16 hours

failover cluster up 22 days 16 hours

Hardware: PIX-535, 1024 MB RAM, CPU Pentium III 1000 MHz

Flash i28F640J5 @ 0x300, 16MB

BIOS Flash DA28F320J5 @ 0xfffd8000, 128KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)

0: Ext: Ethernet0 : address is 000d.8811.e4fc, irq 15

1: Ext: Ethernet1 : address is 000d.8811.e4fd, irq 15

2: Ext: Ethernet2 : address is 000d.8811.e4fe, irq 15

3: Ext: Ethernet3 : address is 000d.8811.e4ff, irq 15

4: Ext: Ethernet4 : address is 000d.8811.e4cc, irq 11

5: Ext: Ethernet5 : address is 000d.8811.e4cd, irq 10

6: Ext: Ethernet6 : address is 000d.8811.e4ce, irq 11

7: Ext: Ethernet7 : address is 000d.8811.e4cf, irq 10

8: Ext: Ethernet8 : address is 000d.8811.bd44, irq 12

9: Ext: Ethernet9 : address is 000d.8811.bd45, irq 15

10: Ext: Ethernet10 : address is 000d.8811.bd46, irq 12

11: Ext: Ethernet11 : address is 000d.8811.bd47, irq 15

12: Ext: Ethernet12 : address is 000e.0caa.e86a, irq 15

13: Ext: Ethernet13 : address is 000e.0caa.e914, irq 12

Licensed features for this platform:

Maximum Physical Interfaces : 14

Maximum VLANs : 150

Inside Hosts : Unlimited

Failover : Active/Standby

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Cut-through Proxy : Enabled

Guards : Enabled

URL Filtering : Enabled

Security Contexts : 2

GTP/GPRS : Disabled

VPN Peers : Unlimited

This platform has a (UR) license.

Serial Number: xxxxx

Running Activation Key: 0xce123456 0x25c13274 0x0ab1xyzd 0xfa5b2471

Configuration last modified by enable_1 at 04:42:52.072 UTC Tue Feb 20 2007

ATT-pix> exit

David

Hello David

Is this the way to differentiate the UR/R/FO licenses? I can see from your outputs that R licenses have 4, and UR has 5! It is anyway some kind of a hash value, which might require help from some experts who create this :)

Raj

Hi Raj,

You should read all of my posts before replying. Your explanation makes no sense.

How do you explain this:

This platform has a (UR) license.

Serial Number: xxxxxxxxx

Running Activation Key: 0x8d14701c 0x2c7682a5 0x24b205b4 0xa32158f0 0x483dda82

Configuration last modified by enable_15 at 00:03:53.682 UTC Wed Dec 6 2006

Pix535>

As you can see, this is UR and it has a 5-tuples key.

This one below is also UR and it has a 4-tuples key:

This platform has a (UR) license.

Serial Number: xxxxx

Running Activation Key: 0xce123456 0x25c13274 0x0ab1xyzd 0xfa5b2471

Configuration last modified by enable_1 at 04:42:52.072 UTC Tue Feb 20 2007

ATT-pix> exit

Same platform, same pix 7.1(2) code. Why different in the tuple?

David

Oh, you took the response seriously? I had anyway put it on a lighter side, and that's why I included the smileys. I think this is a really unnecessary thing to analyse. What problems do you have if it is 4 or 5 tuples? I do read all posts, dude; otherwise, I will not answer CCIE security guys like you.

Raj

Raj,

I apologize. Didn't mean for it to come out that way.

The problem between the 5-tuples and 4-tuples is that, let's say I have a 5-tuples activation key on the pix running 7.x code. Let's say I decide to downgrade it to 6.3(5) code. The "downgrade" command only accepts a 4-tuples activation key. So on the pix 7.x code with a 5-tuples activation key, I am pretty much screwed. I don't have such problems when downgrading a pix from 7.x back to 6.3(5) when the pix itself already has a 4-tuples activation key. Cisco TAC is really vague on this issue. I've not gotten a satisfactory response from them.

Does that make sense? Thanks.

David

Hey david,

I think it will be better if you contact the licensing team. They will regenerate the key and give it to you... licensing@cisco.com... I have seen some TAC cases with this issue, and it has been that the licensing team always steps in to regenerate the key...

Raj

Raj,

I know that I can always contact the licensing team. However, I want to know why it behaves this way. This is very bothersome. I've yet to get a satisfactory answer from Cisco on this.

David

zubairjalal
Level 1

Hi David.

7.x comes with a 5-tuple key and 6.x with a 4-tuple key.

Now if you want to downgrade from 7.x to 6.3 then the downgrade command will convert the 5-tuple key to a 4-tuple key automatically... but there is a catch here: your DES/3DES/AES functionality will be disabled. You will have to regenerate keys for DES/3DES/AES, which is done free of cost.

regards

Zubair
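
Added example, not part of the thread and not Cisco code: a small Python parser that reads saved `sh ver` output and reports how many words each Running Activation Key has, so devices with five-word keys can be identified before a downgrade to 6.3 is attempted. Hostnames and key values are constructed, and `parse_show_version` and `five_tuple_hosts` are hypothetical names.

```python
import re

VERSION_RE = re.compile(r"Software Version (\S+)")
LICENSE_RE = re.compile(r"This platform has an? (?:\w+ )?\((\w+)\) license")
KEY_RE = re.compile(r"^Running Activation Key:[ \t]*(.*)$", re.MULTILINE)
WORD_RE = re.compile(r"0x[0-9a-fA-F]{8}")

def parse_show_version(text):
    """Extract version, license type and activation-key shape from 'sh ver' text."""
    version = VERSION_RE.search(text)
    lic = LICENSE_RE.search(text)
    key = KEY_RE.search(text)
    words = key.group(1).split() if key else []
    if not words or all(set(w) == {"*"} for w in words):
        shape = "masked"       # key hidden or absent, e.g. "****"
    elif not all(WORD_RE.fullmatch(w) for w in words):
        shape = "malformed"    # hand-redacted or corrupted word
    else:
        shape = f"{len(words)}-tuple"
    return {
        "version": version.group(1) if version else None,
        "license": lic.group(1) if lic else None,
        "key_shape": shape,
    }

def five_tuple_hosts(outputs):
    """Names of devices whose key has five words, to check before a 6.3 downgrade."""
    return sorted(name for name, text in outputs.items()
                  if parse_show_version(text)["key_shape"] == "5-tuple")

def _sample(version, license_line, key):
    # Build a constructed "sh ver" excerpt with only the lines the parser reads.
    return (f"Cisco PIX Security Appliance Software Version {version}\n"
            f"{license_line}\nSerial Number: xxxxx\n"
            f"Running Activation Key: {key}\n")

# Constructed samples (hypothetical hostnames and key values, not from the thread).
SAMPLES = {
    "fw-a": _sample("7.1(2)", "This platform has a (UR) license.",
                    "0x11111111 0x22222222 0x33333333 0x44444444 0x55555555"),
    "fw-b": _sample("7.1(2)", "This platform has a Restricted (R) license.",
                    "0x11111111 0x22222222 0x33333333 0x44444444"),
    "fw-c": _sample("7.0(6)8", "This platform has a (UR) license.", "****"),
    "fw-d": _sample("7.0(6)8", "This platform has a (UR) license.",
                    "0x11111111 0x22222222 0x3333xyz3 0x44444444"),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, parse_show_version(text))
    print("five-word keys:", five_tuple_hosts(SAMPLES))
```
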
