enabling and licensing security feature set on 2900 15.2(4).M5

Unanswered Question
Apr 25th, 2014
User Badges:

We currently have a router running:
System image file is "flash0:c2900-universalk9-mz.SPA.152-4.M5.bin"

This is a new router out of the box, I don't know what was originally purchased as far a licensing goes.
VPN is configured and will need the K9 security feature set enabled.

This has been enabled via the command:
license boot module c2900 technology-package securityk9

After reboot I see the following lines in the config and VPN is working:

!
license udi pid CISCO2921/K9 sn FTX1803AM0H
license boot module c2900 technology-package securityk9
!

My question is regarding what "sh license" shows, which is, I have the evaluation license that expires in 8 weeks:

#sh license
Index 1 Feature: ipbasek9
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Index 2 Feature: securityk9
Period left: 8 weeks 2 days
Period Used: 1 day 18 hours
License Type: EvalRightToUse
License State: Active, In Use
License Count: Non-Counted
License Priority: Low

I am being told (not by Cisco) that this license will transition into a permanent license after the eval period without any user intervention.

But the example given was datak9, not securityk9

Lifetime RTU (After Migration)
Once you migrate to a Lifetime RTU release, as the license keys have changed, the RTU license restarts from time zero. This means that for the first 60 days, the Lifetime RTU license is considered to be in evaluation mode. The show CLI output displays the "EvalRightToUse" for the initial 60 days. An example of this output is shown below.
Router# show license
Index 4 Feature: datak9
Period left: 8 weeks 4 days
Period Used: 0 minute 0 second
License Type: EvalRightToUse
License State: Active, In Use
License Count: Non-Counted
License Priority: Low
After approximately 60 days, the Lifetime RTU license transitions to "RightToUse" without any further customer intervention. Syslogs and Traps are sent 10 days and 5 days before transition and on the actual day of transition to provide notice of pending/completion of license transition. After the transition, the show CLI output displays "RightToUse" for the License Type. An example of this output is shown below.
Router# show license
Index 4 Feature: datak9
Period left: Life time
License Type: RightToUse
License State: Active, In Use
License Count: Non-Counted
License Priority: Low

I need to make sure that his license does not expire as this router is in production and will cause loss of service if it expires.

I have contacted Cisco TAC and their answer was "We don't know what will happen, wait until the license expires and see if it transitions"

We can buy the license if needed, I just need to know if I actually need it.

Anyone have any input?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (3 ratings)
Loading.
Marvin Rhoads Fri, 04/25/2014 - 06:22
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,
  • Cisco Designated VIP,

    2017 Firewalling, Network Management, VPN

I am suspicious of that TAC response. I would request the case be re-opened and escalated.

Installing a permanent feature license requires ordering and receiving it (in the form of a Product Authorization Key or PAK). You use the PAK plus your router's Universal Device Identifier (UDI) on the Cisco licensing portal to get a license file (*.lic). With that and the "license boot level ___" command, a reload should leave you with a permanent activated license.

For evaluation licenses the documented behavior is that if you have not purchased and installed a license, once the evaluation license expires the feature will continue to operated until the next reload.

wilson_1234_2 Fri, 04/25/2014 - 08:14
User Badges:

Sorry Marvin,

I meant to give you five points.

I am disappointed in the TAC answer, but not surprised. I replied that It was an unsatisfactory answer and if he couldn't provide a better one, to escalate to someone that can. I copied the Team Manager and got an undeliverable with the e-mail address that was given.

What you said is what I believe as well, which is I need a PAK file to enable security feature set permanently.

Marvin Rhoads Fri, 04/25/2014 - 08:33
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,
  • Cisco Designated VIP,

    2017 Firewalling, Network Management, VPN

You're welcome.

Thanks for the rating - I'll get over the single point. :)

Actions

This Discussion