10-14-2013 09:41 AM - edited 03-11-2019 07:52 PM
Hi all!
I have deployed an ASA5512-IPS-K9 unit that has the following 2 licenses installed:
All is working out fine except for the IPS SW module.
When viewing the IPS using ASDM, the Sensor Health is shown as critical and the License status says No License.
However, the ASDM dashboard says that the box has a Security Plus license and the show module ips detail output says the IPS Module Enabled perpetual.
I have even inserted the licenses provided through the CLI using the "activation-key" command where the response obtained is that the license provided is the same as the one already in the box.
Please see the attached screenshots and show module ips detail output.
Note that I have configured the Auto/Cisco.com Update settings using my CCO login.
Grateful if someone could shed some light on this issue.
Regards,
Alvin
10-14-2013 01:42 PM
Hi Alvin,
Last time I went online to generate the license for the IPS but it failed, so I called TAC and they generated it for me.
If I remember correctly, there's a license on the ASA to run the IPS module, but there's also a license in the IPS software for the IPS itself (which I guess is included but just needs to be generated and added in the IPS software via ASDM/IDM/IME/CLI...).
There's also a subscription required for auto-update of signatures...
From the licensing guide:
http://www.cisco.com/en/US/docs/security/asa/asa91/license/license_management/license.html
The IPS module license lets you run the IPS software module on the ASA.
You must also purchase a separate IPS signature subscription...
Patrick
10-15-2013 10:10 AM
Hi Patrick!
Thanks for the info.
Actually, the ASA5512-X unit is supposed to be a Cisco ASA 5512-IPS-K9 as per the part number received.
I have checked the link you posted and also found this on the IPS module:
"The IPS module license lets you run the IPS software module on the ASA.
You must also purchase a separate IPS signature subscription; for failover, purchase a subscription for each unit.
To obtain IPS signature support, you must purchase the ASA with IPS pre-installed (the part number must include "IPS")."
"The combined failover cluster license does not let you pair non-IPS and IPS units. For example, if you buy the IPS version of the ASA 5515-X (part number ASA5515-IPS-K9) and try to make a failover pair with a non-IPS version (part number ASA5515-K9), then Cisco will not let you obtain IPS signature updates for the ASA5515-K9 unit, even though it has an IPS module license inherited from the other unit."
Doesn't that imply that the unit I purchased is entitled to IPS signature updates?
Regards,
Alvin
10-15-2013 11:20 AM
Yes, when you purchase the IPS bundle edition, the services contract is added automatically:
In CCW, this is the CON-SU...:
ASA5512-IPS-K9 ASA 5512-X with IPS, SW, 6GE Data, 1GE Mgmt, AC, 3DES/AES | $ 6,495.00 | 1 | $ 6,495.00 |
CON-SU3-A12IPS9 IPS SVC, AR 24X7X4 ASA 5512-X with IPS, SW, 6GE Data, 1GE M. Duration: 12 Month(s) | $ 1,076.99 | 1 | $ 1,076.99 |
Here are the requirements for updating the signatures:
http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd008f.shtml
Patrick