ASA IPS Licensing confusion

steven.crutchley · ‎06-23-2014

I have an ASA whereby the show ver command gives the following output:

Licensed features for this platform:
<snip>
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Enabled        perpetual <<<<<<<<<<<<<<<<<<<<<
Cluster                           : Disabled       perpetual

This leads me to believe we have all the IPS licensing that we need. However we cannot access any IPS settings from within ADSM.

In an attempt to get the correct licensing key, we attempt to go through CIsco's online process to the get key based on the PAK code. However when we do so we get the following response:

Not allowed downgrade/update Sku(s) 'ASA5525-IPS-SSP' for 'ASA5525' : Device contains following licenses 'ASA5525-IPS-SSP,ASA5500-ENCR-K9'
Serial Number =XXXXXXXXXX
We're sorry, but we cannot process your request.
If you would like any assistance in the resolution of this issue, please open a Service Request using the TAC Service Request Tool at

http://tools.cisco.com/ServiceRequestTool/create/DefineProblem.do .
As an alternative you may also call our main Technical Assistance Center at 800-553-2447.

Sincerely,
Cisco Systems Licensing

That to me looks like the license is already on the device, but from the CLI within the module we get the following:

ri-reading-ips# show version

<snip>

Cisco Intrusion Prevention System, Version 7.3(2)E4

<snip>

OS Version: 2.6.29.1

Platform: ASA5525-IPS

Serial Number: XXXXXXXXXXXX

No license present

Sensor up-time is 1 day.

Using 2914M out of 3456M bytes of available memory (84% usage)

<snip>

login: XXXXX

Password:

***NOTICE***

<snip>

***LICENSE NOTICE***

There is no license key installed on this IPS platform.

The system will continue to operate with the currently installed

signature set. A valid license must be obtained in order to apply

signature updates. Please go to http://www.cisco.com/go/license

to obtain a new license or install a license.

Am I missing a crucial step in activating the license or getting another key from Cisco to get this feature-set activated?

Any help is appreciated.

steven.crutchley · ‎06-23-2014

Hi all,

Apologies my colleague has come through for me and found another thread asking the same question.

Please see: https://supportforums.cisco.com/document/119481/does-my-ips-moudle-work-well

Quoting from Todd Pula on that thread:

"The 5500-X platform requires two different license keys. The first is the IPS feature license key which you have already installed on the ASA. This will allow you to redirect traffic to the IPS instance. As others have stated above, you will need a Cisco Services for IPS contract which will entitle you to a signature update license key for the IPS itself."