We have several IDSM-2s in place. We were having some issues with the vendor on obtaining the real licenses for them. The vendor secured a trial license for one of the IDSMs. When I went to install it I wasn't paying attention (look twice before clicking gentlemen) and I accidently applied that license to an IDSM that had a current license file on it. The problem now is that the trial license that I accidently installed actually expires about 5 days after the real license was supposed to expire so I'm not able to re-apply the actual license for that ISDM. This brings about 2 questions;
1) Is there a way to uninstall a license from an IDSM?
2) If not is there any problem in leaving the trial license in place since it expires 5 days *after* the real license was supposed to expire?
The only difference between a Trial License and a contract based License is the Grace Period within the License.
Both allow the same functionality (installing signature updates) and the software itself does not distinguish between the 2 in how it uses them.
The Trial License generally does Not come with a Grace Period. In which case when the Trial License expires you can not install any later signature updates.
The Contract based License generally comes with a 60 day grace period. In which case when the Contract based License expires you are still able to install signature updates within 60 days after the expiration. This gives you 60 days to get your next contract in order and get the new license.
So in your case with the Contract based license you would possibly have an additional 55 day grace period (when compared to the Trial license expiring 5 days later without a grace period) to do signature updates before being forced to install the next Contract based license.
So long as your Next Contract is in order and you install the Next Contract License before the Trial License runs out you don't have anything to worry about. You would just be moving from one unexpired contract to another with a later date.
But if you think there may be issues in getting your Next Contract in order, then you might want/need that additional 55 days of grace period you would get with the older Contract based License.
There is not a CLI option to remove the existing license, but there is a round about method of doing so.
Create a service account.
Login with the service account.
Switch to user root using "su -" and using the same password as you used on the service account.
The execute "cd /usr/cids/idsRoot/shared"
And delete the ips.lic file using "rm ips.lic"
Now reboot the sensor.
When the sensor comes back up try and apply your older Contract based License.
If there is still a problem, then go back through the steps above. But instead of removing just the ips.lic file you can try removing all of the other files in that /usr/cids/idsRoot/shared directory except host.conf and lost+found.
Reboot the sensor and try again.
I generally do not recommend doing the above because it is easy to mess up the sensor by doing things in the service account. So it is a use at your own risk situation.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...