ASA Image Names
Most of the Customers have difficulties to understand what each numbers mean on the ASA image namings and what are the differences.
A typical ASA image name looks like this: asa841-k8.bin or asa841-11-k8.bin
After the "asa" keyword the numbers mean the version, what it will appear like 8.4.1 in the "show version" output. The first number is the Major Release (8), then the Minor Release (4) and finally the Maintenance Release (1). Some images contain an extra number which indicates that image is an intrim image (in the second example that number is 11, which appears as 8.4.1(11) in the "show version" output):
Cisco Adaptive Security Appliance Software Version 8.4(1.11) Compiled on Tue 14-Dec-10 12:00 by builders System image file is "disk0:/asa841-11-k8.bin"
Whats the difference between k8 and k9 images?
By the code itself, there is NO difference. K9 means that it contains an encryption enabled license for 3DES/AES. Typically you can get these images directly from Cisco Sales like ASA5505-UL-BUN-K9. This means an ASA image for ASA 5505 Unlimited License bundeled with the hardware and encryption feature enabled. You can check in the "show version" :
VPN-3DES-AES : Enabled
Between two major release Cisco creates and publish some intermediate images for ASA and PIX. This is typically because of urgent bug fixes what have been discovered since the main image has released. By the time TAC finds some critical defects and with high interactions with Business Unit the fixes are merged into the new versions.
In order to balance the timeliness of releases with the thoroughness of testing, Cisco provides two different levels of automated testing on interim builds.
1. A full regression test run consists of approximately 17,000 test cases. The images which pass this level of testing are posted on CCO for direct customer access at the regular customer download location for ASA.
2. A light regression test run consists of approximately 700 test cases. The images which pass this level of testing are posted to pages that are only accessible by Cisco Internal personnel. Due to the reduced set of testing done on these images, TAC should only provide these images to customers who are encountering an issue that is specifically addressed in the build and the customer cannot wait for the next scheduled full regression cycle.
ASA image download page including full regression tested interims:
Adaptive Security Appliance (ASA) Device Manager (ASDM):
You can check your license info under the "show version" and "show activation-key". Here is an example:
Licensed features for this platform: <-----------------FEATURES WHICH ARE AVAILABLE BY YOUR LICENSE Maximum Physical Interfaces : 8 VLANs : 20, DMZ Unrestricted Inside Hosts : Unlimited Failover : Active/Standby VPN-DES : Enabled VPN-3DES-AES : Enabled SSL VPN Peers : 2 Total VPN Peers : 25 Dual ISPs : Enabled VLAN Trunk Ports : 8 Shared License : Disabled AnyConnect for Mobile : Disabled AnyConnect for Cisco VPN Phone : Enabled AnyConnect Essentials : Disabled Advanced Endpoint Assessment : Disabled UC Phone Proxy Sessions : 2 Total UC Proxy Sessions : 2 Botnet Traffic Filter : Disabled This platform has an ASA 5505 Security Plus license. <--------------------- TYPE OF YOUR LICENSE Serial Number: JMX00000000 <------------------SERIAL NUMBER Running Activation Key: 0x........0x........ 0x........0x........0x....... <--------- ACTIVATION KEY ASA# show activation-key Serial Number: JMX00000000 Running Permanent Activation Key: 0x------ 0x------ 0x------ 0x------ 0x------ 0x------ Running Timebased Activation Key: 0x'''''' 0x'''''' 0x'''''' 0x'''''' 0x'''''' 0x''''''
Free 3DES/AES license
To obtain a FREE ASA Firewall 3DES/AES encryption activation key, log on to the following URL where you will see the link for the FREE ASA Firewall 3DES/AES activation key:
Clicking the FREE ASA Firewall 3DES/AES link will allow you to complete the one-time, on-line agreement for the use of strong encryption, as well as obtain your FREE ASA Firewall 3DES/AES activation key.
You will not need to complete this form for any future FREE ASA Firewall 3DES/AES activation keys.
Please note: The Technical Assistance Center (TAC) will not be able to provide the FREE ASA Firewall 3DES/AES activation key to customers, and will re-direct all customers to the process described above. This process is required to meet Federal regulations surrounding the use of strong encryption.
activation-key key [activate | deactivate] ASA# activation-key 0xd11b3d48 0xa80a4c0a 0x48e0fd1c 0xb0443480 0x843fc490
PLEASE NOTE: copy and paste can include some hidden characters which can cause the license key improper. May be it worth to try to type one-by-one the key and hit ENTER.
You can get more information about the type of licensing
Please contact your local Cisco Account/Sales Team to get uptodate information about the contracts.
With ASA 8.3, you no longer need duplicate licensing in Active/Standby mode. Just need to have the Botnet license on one of the failover units
The IPS License for signature updates is included in the IPS ervice contract for the SSM card (and possibly ASA chassis when purchased as a bundle). The IPS service contract goes by the name "Cisco Services for IPS". It includes the support generally covered by SmartNET as well as the IPS License for Signature Updates. Customers has the option to buy a separate contract to cover the ASA itself (presumably a SmartNET contract) and a Cisco Service for IPS to cover just the SSM.
Other DEMO licenses
Shared licenses enable customers to set a “pool” of licenses on a Master device . Any ASA with IP connectivity to the Master can become a participant and “lease” licenses from it. Customers will benefit from operational flexibility and investment protection, as they will be able to add devices to their deployment without the need to pre-assign a specific license to each device. Note that Shared Licensing is not intending to solve the requirement for a failover license in HA configuration.
For ASAs configured as an active/standby failover pair and as shared license servers, both ASAs must have the same shared license SKU(s). For example, if you purchase a 10,000 session shared license for the active ASA that is also a license server, you must also purchase a 10,000 session shared license for the standby unit. Because of this requirement, both units in the failover pair can act as the license server.
Before failover, the active ASA acts as the shared license server. After failover, the active and standby ASA reverses roles—the standby ASA becomes the active ASA and assumes the role of shared license server. The standby ASA continues in the active role after failover. It does not give up that role when the active unit becomes operational. The roles remain reversed, and the new active unit continues the role as the new license server.
show shared license detail
User is facing issue in licensing of ASA VPN concepts and not sure about this scenario. Two questions regarding 5525 VPN SSL Anyconnect Premium Licensing.
- Assuming we already own a ASA 5525-x with 750 Anyconnect Essentials and Mobile ( p/n ASA5525VPN-EM750K9 ) and want the ability for 200 Clientless (Anyconnect Premium) VPN connections, including mobile devices, what part number does he need?
- Assuming he do not yet own a ASA5525, but want the same 200 clientless VPN connections plus mobile device connectivity, what part number does he need? He is assuming this is correct >> ASA5525VPN-PM250K9
- AnyConnect Essentials and Premium are mutually exclusive. If you purchase the Premium license and activate it on your ASA it will deactivate your AnyConnect Essentials. For what it's worth, the Mobile license works with either.
- Yes, that's the correct SKU for the ASA 5525-X with 250 AnyConnect Premium plus AnyConnect Mobile bundle.
Troubleshooting and FAQ
First of all you need to be sure that you used the correct activation-key for the correct device. The activation-key is based on the serial number and must be generated by the licensing team.
- Lost activation-key: The activation-key can be regenerated by licensing team. You need to send the serial number and/or PAK number to firstname.lastname@example.org . May be licensing team could request from you different information like contract number in case.
- License key is correct, but not take effect: If you see the correct activation-key under the "show activation-key", please try to reboot the device. If it doesn't help, please do the followings as a "lost activation-key".
- Customer bought a new ASA, can he/she transfer the license? Licenses are permanent. Once issued, they can never be revoked or transferred. Since the only way to provide a license for a different device is by issuing a brand new one and not removing their old one, any desire to provide special discounts in this instance need to be handled through the sales process / deals desk.
- VPN FLEX license: SSL VPN FLEX licenses are 2 month /60 days temporary licenses products offered to our customers. They can be used by customer who want to plan for business continuity or short-term increases of the SSL VPN seats counts.
- Temporary License Expiration: When a time based license expires, the ASA will switch to the installed perm license. If no perm license is available, then ASA defaults for no license will be set. The device should not require reboot, unless a feature, such as failover, requires reboot for deactivation. For example. if failover is enabled in the temporary license but not in the perm then a reboot will be required. All VPN features should not require a reboot
How to obtain strong-crypto licenses for ASA
Update from Mike Wenstrom
The process to obtain K9 activation key has changed. Here's a summary of the steps:
Strong Crypto (3DES/AES) License
Q. How can I obtain strong-crypto licenses for my ASA?
A. ASA strong crypto (3DES / AES) keys are available at: http://www.cisco.com/go/license
- Enter your CCO userid and password
- Click the “Continue to Product License Activation” link.
- Click Get Other Licenses > IPS, Crypto, Other…
- Select Security Products > Cisco ASA 3DES/AES License, click Next
- Enter ASA Serial number and click Next
- If this is the first time you have applied for a strong crypto product, review and accept the terms of the license windows. You may need to return to http://www.cisco.com/go/license and complete the steps above.
- In the 3. Review and Submit window, click the I Agree with the terms of the License check box, review your contact information, and click Submit
- An email will be sent you with the ASA Activation key and instructions on how to apply the key
Thanks, Mike Wenstrom
Cisco Security Solutions Architect Supporting CDW