ASA versions, image names and Licensing

Tue, 01/27/2015 - 03:11
Jul 11th, 2011

ASA Image Names

Scenario 1:

Most customers find it difficult to understand what each number in an ASA image name means and what the differences are.

A typical ASA image name looks like this: asa841-k8.bin or asa841-11-k8.bin

The numbers after the "asa" keyword are the version, which appears as 8.4.1 in the "show version" output. The first number is the Major Release (8), then the Minor Release (4) and finally the Maintenance Release (1). Some images contain an extra number, which indicates that the image is an interim image (in the second example that number is 11, which appears as 8.4.1(11) in the "show version" output):

Cisco Adaptive Security Appliance Software Version 8.4(1.11)
Compiled on Tue 14-Dec-10 12:00 by builders
System image file is "disk0:/asa841-11-k8.bin"

What's the difference between k8 and k9 images?

In the code itself, there is NO difference. K9 means that it contains an encryption-enabled license for 3DES/AES. Typically you get these images directly from Cisco Sales, for example as ASA5505-UL-BUN-K9. This means an ASA image for the ASA 5505 with an Unlimited License, bundled with the hardware and with the encryption feature enabled. You can check this in the "show version" output:

VPN-3DES-AES                   : Enabled
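
The naming rules above can be checked against a device's "show version" output. The following is an added example, not part of the original document: it splits an image file name into its fields, compares them with the running version, and reports when VPN-3DES-AES is not enabled. The function names, the one-digit-per-field assumption and the second sample are assumptions made for illustration.

```python
import re

# Name layout from the text: asa<major><minor><maint>[-<interim>]-<k8|k9>.bin
# Assumption: one digit per version field, as in the page's two examples.
IMAGE_RE = re.compile(r"^asa(\d)(\d)(\d)(?:-(\d+))?-(k[89])\.bin$")
# Version as printed in the sample output, e.g. 8.4(1.11); assumed 8.4(1) without interim.
VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)")
FILE_RE = re.compile(r'System image file is "(?:[^"/]*/)*([^"/]+)"')
CRYPTO_RE = re.compile(r"^VPN-3DES-AES\s*:\s*(\w+)", re.M)

def parse_image_name(name):
    """Split an image file name into version, interim build and k8/k9 tag."""
    m = IMAGE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised ASA image name: {name!r}")
    major, minor, maint, interim, tag = m.groups()
    return {"version": (int(major), int(minor), int(maint)),
            "interim": int(interim) if interim else None, "tag": tag}

def audit_show_version(text):
    """Return a list of findings for one device's 'show version' output."""
    ver, img = VERSION_RE.search(text), FILE_RE.search(text)
    if not ver or not img:
        return ["version or system image line not found"]
    try:
        image = parse_image_name(img.group(1))
    except ValueError as exc:
        return [str(exc)]
    findings = []
    running = tuple(int(g) for g in ver.groups()[:3])
    interim = int(ver.group(4)) if ver.group(4) else None
    if (image["version"], image["interim"]) != (running, interim):
        findings.append(f"file name {img.group(1)} does not match running code")
    crypto = CRYPTO_RE.search(text)
    if not crypto or crypto.group(1) != "Enabled":
        findings.append("VPN-3DES-AES is not enabled")
    return findings

# Lines taken from the page's sample output.
PAGE_SAMPLE = '''Cisco Adaptive Security Appliance Software Version 8.4(1.11)
System image file is "disk0:/asa841-11-k8.bin"
VPN-3DES-AES                   : Enabled
'''
# Constructed sample: file name and license state changed for illustration.
CONSTRUCTED = '''Cisco Adaptive Security Appliance Software Version 8.4(1.11)
System image file is "disk0:/asa841-k8.bin"
VPN-3DES-AES                   : Disabled
'''

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED):
        print(audit_show_version(sample) or "ok")
```

A file name that disagrees with the running version usually means the image was renamed on flash, so inventory should rely on the version line rather than the name.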

Interim versions

Between two major releases Cisco creates and publishes intermediate images for ASA and PIX. This is typically because of urgent bug fixes for defects that have been discovered since the main image was released. As TAC finds critical defects, the fixes are merged into the new versions in close cooperation with the Business Unit.

In order to balance the timeliness of releases with the thoroughness of testing, Cisco provides two different levels of automated testing on interim builds.

1. A full regression test run consists of approximately 17,000 test cases. The images which pass this level of testing are posted on CCO for direct customer access at the regular customer download location for ASA.

2. A light regression test run consists of approximately 700 test cases. The images which pass this level of testing are posted to pages that are only accessible by Cisco Internal personnel. Due to the reduced set of testing done on these images, TAC should only provide these images to customers who are encountering an issue that is specifically addressed in the build and who cannot wait for the next scheduled full regression cycle.

Download

ASA image download page including full regression tested interims:

http://www.cisco.com/cisco/software/release.html?mdfid=279916854&flowid=4373&softwareid=280775065

Adaptive Security Appliance (ASA) Device Manager (ASDM):

http://www.cisco.com/cisco/software/release.html?mdfid=279513399&catid=268438162&softwareid=280775064

Licensing

You can check your license information in the "show version" and "show activation-key" output. Here is an example:

Licensed features for this platform:                             <-----------------FEATURES WHICH ARE AVAILABLE BY YOUR LICENSE

Maximum Physical Interfaces    : 8
VLANs                          : 20, DMZ Unrestricted
Inside Hosts                   : Unlimited
Failover                       : Active/Standby
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 25
Dual ISPs                      : Enabled
VLAN Trunk Ports               : 8
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Enabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5505 Security Plus license.    <--------------------- TYPE OF YOUR LICENSE

Serial Number: JMX00000000      <------------------SERIAL NUMBER

Running Activation Key: 0x........0x........ 0x........0x........0x.......    <--------- ACTIVATION KEY

ASA# show activation-key
Serial Number:  JMX00000000
Running Permanent Activation Key: 0x------ 0x------ 0x------ 0x------ 0x------ 0x------
Running Timebased Activation Key: 0x'''''' 0x'''''' 0x'''''' 0x'''''' 0x'''''' 0x''''''

Free 3DES/AES license

To obtain a FREE ASA Firewall 3DES/AES encryption activation key, log on to the following URL where you will see the link for the FREE ASA Firewall 3DES/AES activation key:

https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormId=139

Clicking the FREE ASA Firewall 3DES/AES link will allow you to complete the one-time, on-line agreement for the use of strong encryption, as well as obtain your FREE ASA Firewall 3DES/AES activation key.

You will not need to complete this form for any future FREE ASA Firewall 3DES/AES activation keys.

Please note: The Technical Assistance Center (TAC) will not be able to provide the FREE ASA Firewall 3DES/AES activation key to customers, and will re-direct all customers to the process described above. This process is required to meet Federal regulations surrounding the use of strong encryption.

Configuration:

activation-key key [activate | deactivate]
ASA# activation-key 0xd11b3d48 0xa80a4c0a 0x48e0fd1c 0xb0443480 0x843fc490

PLEASE NOTE: copy and paste can include hidden characters which can make the license key invalid. It may be worth typing the key in character by character and then pressing ENTER.

Command reference: http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a2.html#wp1623546
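
The hidden-character problem in the note above can be caught before the key reaches the CLI. The following is an added example, not part of the original document: it reports every non-printable or non-ASCII character in pasted text and returns a clean command only when the remaining words look like a key. The function name and the assumed key shape (five words of "0x" plus eight hex digits, as in the example above) are assumptions.

```python
import re
import unicodedata

# Assumption: each key word is "0x" plus eight hex digits, five words per key,
# matching the activation-key example on this page.
WORD_RE = re.compile(r"^0x[0-9a-fA-F]{8}$")

def check_pasted_key(pasted, words=5):
    """Return (command or None, problems) for text pasted as an activation key."""
    problems, kept = [], []
    for pos, ch in enumerate(pasted):
        if ch.isascii() and ch.isprintable():
            kept.append(ch)
            continue
        name = unicodedata.name(ch, "control character")
        problems.append(f"offset {pos}: U+{ord(ch):04X} {name}")
        if ch.isspace():
            kept.append(" ")  # invisible separator: keep the word boundary
        # anything else (zero-width, format, control) is dropped
    tokens = "".join(kept).split()
    bad = [t for t in tokens if not WORD_RE.match(t)]
    if bad:
        problems.append("not a hex word: " + ", ".join(bad))
    if len(tokens) != words:
        problems.append(f"expected {words} words, found {len(tokens)}")
    if bad or len(tokens) != words:
        return None, problems
    return "activation-key " + " ".join(tokens), problems

# Constructed input: the page's example key with a no-break space and a
# zero-width space inserted, as a browser or mail client might leave them.
PASTED = "0xd11b3d48\u00a00xa80a4c0a 0x48e0\u200bfd1c 0xb0443480 0x843fc490"

if __name__ == "__main__":
    command, problems = check_pasted_key(PASTED)
    print(command)
    for p in problems:
        print("  removed:", p)
```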

You can get more information about the types of licensing here:

http://www.cisco.com/en/US/products/ps6120/products_licensing_information_listing.html

Please contact your local Cisco Account/Sales Team to get up-to-date information about the contracts.

Botnet

With ASA 8.3, you no longer need duplicate licensing in Active/Standby mode. You just need to have the Botnet license on one of the failover units.

IPS Licensing

The IPS License for signature updates is included in the IPS service contract for the SSM card (and possibly the ASA chassis when purchased as a bundle). The IPS service contract goes by the name "Cisco Services for IPS". It includes the support generally covered by SmartNET as well as the IPS License for Signature Updates. Customers have the option to buy a separate contract to cover the ASA itself (presumably a SmartNET contract) and a Cisco Services for IPS contract to cover just the SSM.

Other DEMO licenses

https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?DemoKeys=Y

Shared licenses

Shared licenses enable customers to set a “pool” of licenses on a Master device. Any ASA with IP connectivity to the Master can become a participant and “lease” licenses from it. Customers will benefit from operational flexibility and investment protection, as they will be able to add devices to their deployment without the need to pre-assign a specific license to each device. Note that Shared Licensing is not intended to solve the requirement for a failover license in an HA configuration.

For ASAs configured as an active/standby failover pair and as shared license servers, both ASAs must have the same shared license SKU(s). For example, if you purchase a 10,000 session shared license for the active ASA that is also a license server, you must also purchase a 10,000 session shared license for the standby unit. Because of this requirement, both units in the failover pair can act as the license server.

Before failover, the active ASA acts as the shared license server. After failover, the active and standby ASAs reverse roles: the standby ASA becomes the active ASA and assumes the role of shared license server. The standby ASA continues in the active role after failover. It does not give up that role when the active unit becomes operational. The roles remain reversed, and the new active unit continues in the role of the new license server.

show shared license detail

Scenario 2:

Problem:

A user is having trouble with ASA VPN licensing concepts and is not sure about this scenario. There are two questions regarding 5525 SSL VPN AnyConnect Premium licensing.

  • Assuming he already owns an ASA 5525-X with 750 AnyConnect Essentials and Mobile (p/n ASA5525VPN-EM750K9) and wants the ability for 200 Clientless (AnyConnect Premium) VPN connections, including mobile devices, what part number does he need?
  • Assuming he does not yet own an ASA 5525, but wants the same 200 clientless VPN connections plus mobile device connectivity, what part number does he need? He is assuming this is correct: ASA5525VPN-PM250K9

Solution:

  1. AnyConnect Essentials and Premium are mutually exclusive. If you purchase the Premium license and activate it on your ASA it will deactivate your AnyConnect Essentials. For what it's worth, the Mobile license works with either.
  2. Yes, that's the correct SKU for the ASA 5525-X with 250 AnyConnect Premium plus AnyConnect Mobile bundle.

Troubleshooting and FAQ

First of all you need to be sure that you used the correct activation-key for the correct device. The activation-key is based on the serial number and must be generated by the licensing team.

  1. Lost activation-key: The activation-key can be regenerated by the licensing team. You need to send the serial number and/or PAK number to licensing@cisco.com. The licensing team may request additional information from you, such as the contract number.
  2. License key is correct, but does not take effect: If you see the correct activation-key in the "show activation-key" output, please try to reboot the device. If that doesn't help, please follow the steps for a "lost activation-key".
  3. RMA
  4. Customer bought a new ASA, can he/she transfer the license? Licenses are permanent. Once issued, they can never be revoked or transferred. Since the only way to provide a license for a different device is by issuing a brand new one and not removing the old one, any desire to provide special discounts in this instance needs to be handled through the sales process / deals desk.
  5. VPN FLEX license: SSL VPN FLEX licenses are 2 month / 60 day temporary license products offered to our customers. They can be used by customers who want to plan for business continuity or short-term increases of the SSL VPN seat count.
  6. Temporary License Expiration: When a time-based license expires, the ASA will switch to the installed permanent license. If no permanent license is available, then the ASA defaults for no license will be set. The device should not require a reboot, unless a feature, such as failover, requires a reboot for deactivation. For example, if failover is enabled in the temporary license but not in the permanent one, then a reboot will be required. VPN features should not require a reboot.

How to obtain strong-crypto licenses for ASA

Update from Mike Wenstrom

The process to obtain K9 activation key has changed. Here's a summary of the steps:

Strong Crypto (3DES/AES) License

Q. How can I obtain strong-crypto licenses for my ASA?

A. ASA strong crypto (3DES / AES) keys are available at: http://www.cisco.com/go/license

  1. Enter your CCO userid and password
  2. Click the “Continue to Product License Activation” link.
  3. Click Get Other Licenses > IPS, Crypto, Other…
  4. Select Security Products > Cisco ASA 3DES/AES License, click Next
  5. Enter ASA Serial number and click Next
    • If this is the first time you have applied for a strong crypto product, review and accept the terms of the license windows. You may need to return to http://www.cisco.com/go/license and complete the steps above.
  6. In the 3. Review and Submit window, click the I Agree with the terms of the License check box, review your contact information, and click Submit
  7. An email will be sent to you with the ASA Activation key and instructions on how to apply the key

Thanks, Mike Wenstrom

Cisco Security Solutions Architect Supporting CDW
mwenstro@cisco.com

Reference

Cisco ASA 5500 Series Configuration Guide using the CLI, 8.3 - Managing Feature Licenses

mwenstro Thu, 01/08/2015 - 09:25

This document is useful. The process to obtain K9 activation key has changed. Here's a summary of the steps:

Strong Crypto (3DES/AES) License

Q. How can I obtain strong-crypto licenses for my ASA?

A. ASA strong crypto (3DES / AES) keys are available at: http://www.cisco.com/go/license

  1. Enter your CCO userid and password
  2. Click the “Continue to Product License Activation” link.
  3. Click Get Other Licenses > IPS, Crypto, Other…
  4. Select Security Products > Cisco ASA 3DES/AES License, click Next
  5. Enter ASA Serial number and click Next
    • If this is the first time you have applied for a strong crypto product, review and accept the terms of the license windows. You may need to return to http://www.cisco.com/go/license and complete the steps above.
  6. In the 3. Review and Submit window, click the I Agree with the terms of the License check box, review your contact information, and click Submit
  7. An email will be sent to you with the ASA Activation key and instructions on how to apply the key

Thanks, Mike Wenstrom

Cisco Security Solutions Architect Supporting CDW
mwenstro@cisco.com
