02-22-2007 03:43 PM - edited 03-11-2019 02:37 AM
Hi All,
I need an explanation as to why on some Pix firewalls, running exactly the same
code, the activation key showed up as
4-tuples while other firewalls showed up
as 5-tuples.
I opened a TAC case with Cisco but I am
getting evasive answers from Cisco TACs
which make no sense at all.
Can anyone offer any insights into this? Thanks.
David
CCIE security
CiscoPix> sh ver
Cisco PIX Security Appliance Software Version 7.1(2)
Device Manager Version 5.1(2)
Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "flash:/pix712.bin"
Config file at boot was "startup-config"
CiscoPix up 17 days 6 hours
Hardware: PIX-525, 128 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash E28F400B5T @ 0xfffd8000, 32KB
0: Ext: Ethernet0 : address is 0004.c161.5536, irq 10
1: Ext: Ethernet1 : address is 0004.c161.5537, irq 11
2: Ext: Ethernet2 : address is 0002.b318.0a83, irq 11
Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has a Restricted (R) license.
Serial Number: xxxxx
Running Activation Key: ****
Configuration last modified by enable_15 at 16:12:25.483 UTC Tue Feb 20 2007
CiscoPix>
------------------------------------
Pix535> sh ver
Cisco PIX Security Appliance Software Version 7.1(2)
Device Manager Version 5.1(2)
Compiled on Tue 14-Mar-06 17:00 by dalecki
System image file is "flash:/pix712.bin"
Config file at boot was "startup-config"
dca2-Primedia-PIX-1-P up 288 days 9 hours
Hardware: PIX-535, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash DA28F320J5 @ 0xfffd8000, 128KB
0: Ext: GigabitEthernet0 : address is 000e.0cad.d2ba, irq 255
1: Ext: GigabitEthernet1 : address is 000e.0cad.d2bb, irq 255
2: Ext: GigabitEthernet2 : address is 000e.0cad.d30d, irq 255
3: Ext: Ethernet0 : address is 000e.0caf.f48a, irq 255
4: Ext: Ethernet1 : address is 000e.0caf.f5ab, irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 14
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has a (UR) license.
Serial Number: xxxxxxxxx
Running Activation Key: ****
Configuration last modified by enable_15 at 00:03:53.682 UTC Wed Dec 6 2006
Pix535>
------------------------------
02-22-2007 03:44 PM
Here is another one:
ATT-pix> sh ver
Cisco PIX Security Appliance Software Version 7.0(6)8
Device Manager Version 5.0(6)
Compiled on Wed 18-Oct-06 15:48 by builders
System image file is "flash:/pix706-8.bin"
Config file at boot was "startup-config"
dca2-lucent-pix up 22 days 16 hours
failover cluster up 22 days 16 hours
Hardware: PIX-535, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash DA28F320J5 @ 0xfffd8000, 128KB
Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: Ext: Ethernet0 : address is 000d.8811.e4fc, irq 15
1: Ext: Ethernet1 : address is 000d.8811.e4fd, irq 15
2: Ext: Ethernet2 : address is 000d.8811.e4fe, irq 15
3: Ext: Ethernet3 : address is 000d.8811.e4ff, irq 15
4: Ext: Ethernet4 : address is 000d.8811.e4cc, irq 11
5: Ext: Ethernet5 : address is 000d.8811.e4cd, irq 10
6: Ext: Ethernet6 : address is 000d.8811.e4ce, irq 11
7: Ext: Ethernet7 : address is 000d.8811.e4cf, irq 10
8: Ext: Ethernet8 : address is 000d.8811.bd44, irq 12
9: Ext: Ethernet9 : address is 000d.8811.bd45, irq 15
10: Ext: Ethernet10 : address is 000d.8811.bd46, irq 12
11: Ext: Ethernet11 : address is 000d.8811.bd47, irq 15
12: Ext: Ethernet12 : address is 000e.0caa.e86a, irq 15
13: Ext: Ethernet13 : address is 000e.0caa.e914, irq 12
Licensed features for this platform:
Maximum Physical Interfaces : 14
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has a (UR) license.
Serial Number: xxxxx
Running Activation Key: 0xce123456 0x25c13274 0x0ab1xyzd 0xfa5b2471
Configuration last modified by enable_1 at 04:42:52.072 UTC Tue Feb 20 2007
ATT-pix> exit
David
02-22-2007 04:21 PM
Hello David
Is this the way to differentiate the UR/R/FO licenses? I can see from your outputs that R licenses have 4, and UR has 5!!! It is anyway some kind of a hash value, which might require help from some experts who create this :)
Raj
02-22-2007 06:42 PM
Hi Raj,
You should read all of my posts before replying. Your explanation makes no sense.
How do you explain this:
This platform has a (UR) license.
Serial Number: xxxxxxxxx
Running Activation Key: 0x8d14701c 0x2c7682a5 0x24b205b4 0xa32158f0 0x483dda82
Configuration last modified by enable_15 at 00:03:53.682 UTC Wed Dec 6 2006
Pix535>
As you can see, this is UR and it has a 5-tuples key.
This one below is also UR and it has a 4-tuples key:
This platform has a (UR) license.
Serial Number: xxxxx
Running Activation Key: 0xce123456 0x25c13274 0x0ab1xyzd 0xfa5b2471
Configuration last modified by enable_1 at 04:42:52.072 UTC Tue Feb 20 2007
ATT-pix> exit
Same platform, same pix 7.1(2) code. Why
the difference in the tuples?
David
02-22-2007 06:52 PM
Oh.. you took the response seriously?? I had anyway put it on the lighter side, and that's why I included the smileys.... I think this is a really unnecessary thing to analyse.. what problems do you have if it is 4 or 5 tuples???? I do read all posts, dude.. otherwise, I will not answer CCIE security guys like you..
Raj
02-22-2007 07:04 PM
Raj,
I apologize. Didn't mean for it to come out
that way.
The problem between the 5-tuples and 4-tuples
is that, let's say I have a 5-tuples activation
key on the pix running 7.x code. Let's say
I decide to downgrade it to 6.3(5) code.
The "downgrade" command only accepts 4-tuples
activation key. So on the pix 7.x code with
5 tuples activation key, I am pretty much
screwed. I don't have such problems when
downgrading pix from 7.x back to 6.3(5) when
the pix itself already has 4-tuples activation
key. Cisco TAC is really vague on this issue.
I've not gotten a satisfactory response from
them.
Does that make sense? Thanks.
David
02-22-2007 09:00 PM
Hey David,
I think it will be better if you contact the licensing team. They will regenerate the key and give it to you... licensing@cisco.com... I have seen some TAC cases with this issue, and it has been that the licensing team always steps in to regenerate the key...
Raj
02-23-2007 02:07 PM
Raj,
I know that I can always contact the licensing
team. However, I want to know why it
behaves this way. This is very bothersome.
I've yet to get a satisfactory answer from Cisco
on this.
David
02-26-2007 11:28 PM
Hi David.
7.x comes with a 5 tuple key and 6.x with a 4 tuple key.
Now if you want to downgrade from 7.x to 6.3 then the downgrade command will convert the 5 tuple key to a 4 tuple key automatically ....but there is a catch here....your DES/3DES/AES functionality will be disabled....you will have to regenerate keys for DES-3DES/AES..which is done free of cost.
regards
Zubair
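For planning a 7.x to 6.3 downgrade across several firewalls, as discussed in this thread, the following added example (not posted by any participant and not Cisco code) audits saved "sh ver" captures and reports how many words each running activation key has. The hostnames, key values and verdict labels are constructed for illustration; a key that is masked or contains non-hex characters is reported as unreadable rather than counted.

```python
import re

# Constructed captures modelled on the 'sh ver' output in this thread.
# Hostnames and key words are made up; they are not real activation keys.
SAMPLE = """\
fw-a> sh ver
Cisco PIX Security Appliance Software Version 7.1(2)
This platform has a (UR) license.
Running Activation Key: 0x11111111 0x22222222 0x33333333 0x44444444 0x55555555
fw-a>
------
fw-b> sh ver
Cisco PIX Security Appliance Software Version 7.0(6)8
This platform has a (UR) license.
Running Activation Key: 0x11111111 0x22222222 0x33333333 0x44444444
fw-b>
------
fw-c> sh ver
Cisco PIX Security Appliance Software Version 7.1(2)
This platform has a Restricted (R) license.
Running Activation Key: ****
fw-c>
"""

PROMPT = re.compile(r"^(\S+)> sh(?:ow)? ver", re.M)
VERSION = re.compile(r"Software Version (\S+)")
LICENSE = re.compile(r"\((UR|R|FO)\) license")
KEY = re.compile(r"^Running Activation Key:[ \t]*(.*)$", re.M)
WORD = re.compile(r"0x[0-9a-fA-F]{8}")

def audit(text):
    """Return one record per captured device: host, version, license, key width, verdict."""
    heads = list(PROMPT.finditer(text))
    ends = [m.start() for m in heads[1:]] + [len(text)]
    records = []
    for head, end in zip(heads, ends):
        block = text[head.start():end]
        ver, lic, key = VERSION.search(block), LICENSE.search(block), KEY.search(block)
        words = key.group(1).split() if key else []
        if not words or not all(WORD.fullmatch(w) for w in words):
            verdict = "unreadable"      # masked or redacted key: re-collect the output
        elif len(words) == 4:
            verdict = "4-tuple"
        elif len(words) == 5:
            verdict = "5-tuple-review"  # sort out the key with licensing before downgrading
        else:
            verdict = "unexpected"
        records.append({"host": head.group(1), "version": ver and ver.group(1),
                        "license": lic and lic.group(1), "words": len(words),
                        "verdict": verdict})
    return records
```

Calling audit(SAMPLE) returns three records; only the devices marked "5-tuple-review" need attention before a downgrade is scheduled.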