ASA versions, image names and Licensing


Jul 11, 2011 3:56 AM
Jul 11th, 2011

ASA Image Names

Most of the Customers have difficulties to understand what each numbers mean on the ASA image namings and what are the differences.

A typical ASA image name looks like this: asa841-k8.bin or asa841-11-k8.bin

After the "asa" keyword the numbers mean the version, what it will appear like 8.4.1 in the "show version" output. The first number is the Major Release (8), then the Minor Release (4) and finally the Maintenance Release (1). Some images contain an extra number which indicates that image is an intrim image (in the second example that number is 11, which appears as 8.4.1(11) in the "show version" output):

Cisco Adaptive Security Appliance Software Version 8.4(1.11)

Compiled on Tue 14-Dec-10 12:00 by builders

System image file is "disk0:/asa841-11-k8.bin"

Whats the difference between k8 and k9 images?

By the code itself, there is NO difference. K9 means that it contains an encryption enabled license for 3DES/AES. Typically you can get these images directly from Cisco Sales like ASA5505-UL-BUN-K9. This means an ASA image for ASA 5505 Unlimited License bundeled with the hardware and encryption feature enabled. You can check in the "show version" :

VPN-3DES-AES                   : Enabled

1. Interim versions

Between two major release Cisco creates and publish some intermediate images for ASA and PIX. This is typically because of urgent bug fixes what have been discovered since the main image has released. By the time TAC finds some critical defects and with high interactions with Business Unit the fixes are merged into the new versions.

In order to balance the timeliness of releases with the   thoroughness of testing, Cisco provides two different levels of automated testing   on interim builds.

1. A full regression test run consists of approximately 17,000 test cases.   The images which pass this level of testing are posted on CCO for direct   customer access at the regular customer download location for ASA.

2. A light regression test run consists of approximately 700 test cases.   The images which pass this level of testing are posted to pages that are only   accessible by Cisco Internal personnel. Due to the reduced set of testing   done on these images, TAC should only provide these images to customers who   are encountering an issue that is specifically addressed in the build and the   customer cannot wait for the next scheduled full regression cycle.

2. Download

ASA image download page including full regression tested interims:

Adaptive Security Appliance (ASA) Device Manager (ASDM):


You can check your license info under the "show version" and "show activation-key". Here is an example:

Licensed features for this platform:                             <-----------------FEATURES WHICH ARE AVAILABLE BY YOUR LICENSE

Maximum Physical Interfaces    : 8

VLANs                          : 20, DMZ Unrestricted

Inside Hosts                   : Unlimited

Failover                       : Active/Standby

VPN-DES                        : Enabled

VPN-3DES-AES                   : Enabled

SSL VPN Peers                  : 2

Total VPN Peers                : 25

Dual ISPs                      : Enabled

VLAN Trunk Ports               : 8

Shared License                 : Disabled

AnyConnect for Mobile          : Disabled

AnyConnect for Cisco VPN Phone : Enabled

AnyConnect Essentials          : Disabled

Advanced Endpoint Assessment   : Disabled

UC Phone Proxy Sessions        : 2

Total UC Proxy Sessions        : 2

Botnet Traffic Filter          : Disabled

This platform has an ASA 5505 Security Plus license.    <--------------------- TYPE OF YOUR LICENSE

Serial Number: JMX00000000                                             <------------------SERIAL NUMBER

Running Activation Key: 0x........0x........ 0x........0x........0x.......    <--------- ACTIVATION KEY

ASA# show activation-key

Serial Number:  JMX00000000

Running Permanent Activation Key: 0x------ 0x------ 0x------ 0x------ 0x------ 0x------
Running Timebased Activation Key: 0x'''''' 0x'''''' 0x'''''' 0x'''''' 0x'''''' 0x''''''

3. Free 3DES/AES license:

To obtain a FREE ASA Firewall 3DES/AES encryption activation key, log on to the following URL where you will see the link for the FREE ASA Firewall 3DES/AES activation key:

Clicking the FREE ASA Firewall 3DES/AES link will allow you to complete the one-time, on-line agreement for the use of strong encryption, as well as obtain your FREE ASA Firewall 3DES/AES activation key.

You will not need to complete this form for any future FREE ASA Firewall 3DES/AES activation keys.

Please note:  The Technical Assistance Center (TAC) will not be able to provide the FREE ASA Firewall 3DES/AES activation key to customers, and will re-direct all customers to the process described above.  This process is required to meet Federal regulations surrounding the use of strong encryption.


activation-key key [activate | deactivate]

ASA# activation-key 0xd11b3d48 0xa80a4c0a 0x48e0fd1c 0xb0443480 0x843fc490

PLEASE NOTE: copy and paste can include some hidden characters which can cause the license key improper. May be it worth to try to type one-by-one the key and hit ENTER.

Command reference:

You can get more information about the type of licensing:

Please contact your local Cisco Account/Sales Team to get uptodate information about the contracts.


With ASA 8.3, you no longer need duplicate licensing in Active/Standby mode. Just need to have the Botnet license on one of the failover units

IPS Licensing

The IPS License for signature updates is included in the IPS ervice  contract for the SSM card (and possibly ASA chassis when purchased as a  bundle). The IPS service contract goes by the name "Cisco Services for IPS". It includes the support generally covered by SmartNET as well as the IPS License for Signature Updates. Customers has the option to buy a separate contract to cover the ASA itself (presumably a  SmartNET contract) and a Cisco Service for IPS to cover just the SSM.

Other DEMO licenses:

Shared licenses

Shared licenses enable customers to set a “pool” of licenses on a Master  device . Any ASA  with IP connectivity to the Master can become a  participant and “lease”  licenses from it. Customers will benefit from  operational flexibility and investment protection, as they will be able  to add devices to their deployment without the need to pre-assign a  specific license to each device.  Note that Shared Licensing is not intending to solve the requirement for a failover license in HA configuration.

For ASAs configured as an active/standby failover pair and as shared  license servers, both ASAs must have the same shared license  SKU(s).  For example, if you purchase a 10,000 session shared license  for the active ASA that is also a license server, you must also purchase  a 10,000 session shared license for the standby unit. Because of this  requirement, both units in the failover pair can act as the license  server.

Before failover, the active ASA acts as the shared license  server.  After failover, the active and standby ASA reverses roles—the  standby ASA becomes the active ASA and assumes the role of shared  license server.  The standby ASA continues in the active role after  failover.  It does not give up that role when the active unit becomes  operational. The roles remain reversed, and the new active unit  continues the role as the new license server.

show shared license detail

Troubleshooting and FAQ

First of all you need to be sure that you used the correct activation-key for the correct device. The activation-key is based on the serial number and must be generated by the licensing team.

  1. Lost activation-key: The activation-key can be regenerated by licensing team. You need to send the serial number and/or PAK number to . May be licensing team could request from you different information like contract number in case.
  2. License key is correct, but not take effect: If you see the correct activation-key under the "show activation-key", please try to reboot the device. If it doesn't help, please do the followings as a "lost activation-key".
  3. RMA
  4. Customer bought a new ASA, can he/she transfer the license? Licenses are permanent. Once issued, they can never be revoked or  transferred. Since the only way to provide a license for a different  device is by issuing a brand new one and not removing their old one, any  desire to provide special discounts in this instance need to be handled  through the sales process / deals desk.
  5. VPN FLEX license: SSL VPN FLEX licenses are 2 month /60 days temporary licenses products  offered to our customers. They can be used by customer who want to plan  for  business continuity or short-term increases of the SSL VPN seats  counts.
  6. Temporary License Expiration: When a time based license expires, the ASA will switch to the installed  perm license.  If no perm license is available, then ASA defaults for no  license will be set.  The device should not require reboot, unless a  feature, such as failover, requires reboot for deactivation.  For  example. if failover is enabled in the temporary license but not in the  perm then a reboot will be required.  All VPN features should not  require a reboot
Average Rating: 4.8 (4 ratings)



Login or Register to take actions

This Document

Posted July 11, 2011 at 3:56 AM
Comments:2 Avg. Rating:4.8
Views:32706 Contributors:2

Related Content

Documents Leaderboard