
Pix License - UR changed to FO after 3DES/AES upgrade

wen.chen
Level 1

The Pix525 had FO enabled in A/A mode with an UR license when I bought it. It is not meant for FO setup and I want to use 3DES for VPN. The activation-key process went fine except for saying about Failover being different. After the reboot the box is showing "This platform has a Failover Only-Active/Standby (FO) license". Is this normal? Does it mean I have to live without 3DES?

12 Replies

andrew.prince
Level 10

Can you post the output from a "sho ver"?

The following is the show ver after the upgrade:

    Cisco PIX Security Appliance Software Version 8.0(4)
    Device Manager Version 5.2(2)
    Compiled on Thu 07-Aug-08 19:42 by builders
    System image file is "flash:/pix804.bin"
    Config file at boot was "startup-config"
    pixfirewall up 11 hours 13 mins
    Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
    Flash E28F128J3 @ 0xfff00000, 16MB
    BIOS Flash E28F400B5T @ 0xfffd8000, 32KB
    Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
    0: Ext: Ethernet0 : address is 0002.b945.a7db, irq 10
    1: Ext: Ethernet1 : address is 0002.b945.a7dc, irq 11
    2: Ext: Ethernet2 : address is 00e0.b602.7949, irq 11
    3: Ext: Ethernet3 : address is 00e0.b602.7948, irq 10
    4: Ext: Ethernet4 : address is 00e0.b602.7947, irq 9
    5: Ext: Ethernet5 : address is 00e0.b602.7946, irq 5
    <--- More --->
    Licensed features for this platform:
    Maximum Physical Interfaces : 10
    Maximum VLANs : 100
    Inside Hosts : Unlimited
    Failover : Active/Standby
    VPN-DES : Enabled
    VPN-3DES-AES : Enabled
    Cut-through Proxy : Enabled
    Guards : Enabled
    URL Filtering : Enabled
    Security Contexts : 2
    GTP/GPRS : Disabled
    VPN Peers : Unlimited
    This platform has a Failover Only-Active/Standby (FO) license.
    Serial Number: 480480115
    Running Activation Key: 0xfc134f51 0x2010325f 0xf0c03580 0xb7887034 0x8e33d38a
    Configuration last modified by enable_15 at 04:13:23.128 UTC Fri Aug 29 2008

OK - so no issues then:-

    VPN-DES : Enabled
    VPN-3DES-AES : Enabled
    VPN Peers : Unlimited

HTH>

But my question is how the license got changed from UR to FO? I have done similar work before and UR license remained UR after the 3DES upgrade.

Would the current FO license affect the performance of this box in any way?

Thanks for the reply.

If it was UR in a failover bundle...but not really sure to be honest.

This change will have no impact I can think of to the performance and operation of the device.

HTH>

This is the Licensed features for this platform before the upgrade:

    Maximum Physical Interfaces : 10
    Maximum VLANs : 100
    Inside Hosts : Unlimited
    Failover : Active/Active
    VPN-DES : Enabled
    VPN-3DES-AES : Disabled
    Cut-through Proxy : Enabled
    Guards : Enabled
    URL Filtering : Enabled
    Security Contexts : 2
    GTP/GPRS : Disabled
    VPN Peers : Unlimited
    This platform has an Unrestricted (UR) license.

Even the Failover changed from Active/Active to Active/Standby. Isn't it weird?

Out of curiosity I tried turning on failover and the screen says it is a standby license and will reload every 24 hours.

Are you sure you put the correct serial number in for the 3DES activation? Where did you get the unit from? Maybe you have bought a "grey" unit :o(

The serial number is copied from the original show ver before the upgrade. What do you mean by "grey" unit?

Farrukh Haroon
VIP Alumni

No, this is not normal, open a case with Cisco TAC (Licensing Team) or email to licensing@cisco.com. They might have depreciated the latter.

Regards

Farrukh

I did run into the exact situation like yours a couple of years ago. When I upgraded the Pix 535 from 6.x to 7.x, the feature went from UR to FO. I had to open a Cisco TAC case for this and it took them a while to figure it out.

I don't know if you noticed this but with version 7.x on the Pix, for some Pix firewalls, you will see 4-tuple keys while on other Pix firewalls, you will see 5-tuple keys. Very strange.

This is getting more interesting. I tried a downgrade with VPN-DES activation-keys. First time with the one that came with the box, and everything is recovered to the original state. Then the second time I tried with the key from Cisco site it went into FO license again. Anyone seen this before?

I had the exact same problem. Just contact Cisco via email and they will provide you with a UR key.
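
A check for the kind of silent change discussed in this thread, given as an added example that is not part of the original posts: it parses the licensed-features section of two "show ver" captures and reports every feature whose value differs. The sample text is a shortened, constructed copy of the outputs quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample input: shortened copies of the two outputs quoted in the thread.
BEFORE = """\
Licensed features for this platform:
Maximum Physical Interfaces : 10
Failover : Active/Active
VPN-3DES-AES : Disabled
This platform has an Unrestricted (UR) license.
"""
AFTER = """\
Licensed features for this platform:
Maximum Physical Interfaces : 10
Failover : Active/Standby
VPN-3DES-AES : Enabled
This platform has a Failover Only-Active/Standby (FO) license.
Serial Number: 480480115
"""

FEATURE = re.compile(r"^\s*([A-Za-z][\w /-]*?)\s+:\s+(.+?)\s*$")
LICENSE = re.compile(r"This platform has an? .*\((\w+)\) license")

def parse_license(show_ver):
    """Return {feature: value} from the licensed-features part of 'show ver'."""
    features, in_block = {}, False
    for line in show_ver.splitlines():
        if line.strip().startswith("Licensed features"):
            in_block = True
            continue
        lic = LICENSE.search(line)
        if lic:
            # The summary line ends the block; record UR/FO as its own field.
            features["License type"] = lic.group(1)
            in_block = False
        elif in_block:
            m = FEATURE.match(line)
            if m:
                features[m.group(1)] = m.group(2)
    return features

def license_diff(before, after):
    """Return {feature: (old, new)} for every feature whose value changed."""
    old, new = parse_license(before), parse_license(after)
    return {k: (old.get(k), new.get(k))
            for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}

if __name__ == "__main__":
    for name, (was, now) in license_diff(BEFORE, AFTER).items():
        print(f"{name}: {was} -> {now}")
```

Capturing "show ver" before entering a new activation key and diffing it afterwards surfaces changes beyond the one that was requested, such as the Failover mode and license type here.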
