Cisco asav demo license


CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.4

Cisco Smart Software Licensing lets you purchase and manage a pool of licenses centrally. Unlike product authorization key (PAK) licenses, smart licenses are not tied to a specific serial number. You can easily deploy or retire ASAs without having to manage each unit’s license key. Smart Software Licensing also lets you see your license usage and needs at a glance.


Note

Smart Software Licensing is only supported on the ASAv and ASA Firepower chassis. Other models use PAK licenses. See About PAK Licenses.

For more information about Smart Licensing features and behaviors per platform, see Smart Enabled Product Families.


About Smart Software Licensing

This section describes how Smart Software Licensing works.

Smart Software Licensing for the ASA on the Firepower 9300 Chassis

For the ASA on the Firepower 9300 chassis, Smart Software Licensing configuration is split between the Firepower 9300 chassis supervisor and the ASA.

  • Firepower 9300 chassis—Configure all Smart Software Licensing infrastructure on the chassis, including parameters for communicating with the License Authority. The Firepower 9300 chassis itself does not require any licenses to operate.

  • ASA Application—Configure all license entitlements in the ASA.

Smart Software Manager and Accounts

When you purchase 1 or more licenses for the device, you manage them in the Cisco Smart Software Manager:

https://software.cisco.com/#module/SmartLicensing

The Smart Software Manager lets you create a master account for your organization.


Note

If you do not yet have an account, click the link to set up a new account. The Smart Software Manager lets you create a master account for your organization.


By default, your licenses are assigned to the Default Virtual Account under your master account. As the account administrator, you can optionally create additional virtual accounts; for example, you can create accounts for regions, departments, or subsidiaries. Multiple virtual accounts let you more easily manage large numbers of licenses and devices.

Licenses and Devices Managed per Virtual Account

Licenses and devices are managed per virtual account: only that virtual account’s devices can use the licenses assigned to the account. If you need additional licenses, you can transfer an unused license from another virtual account. You can also transfer devices between virtual accounts.

For the ASA on the Firepower 9300 chassis—Only the chassis registers as a device, while the ASA applications in the chassis request their own licenses. For example, for a Firepower 9300 chassis with 3 security modules, the chassis counts as one device, but the modules use 3 separate licenses.

Evaluation License

ASAv

The ASAv does not support an evaluation mode. Before the ASAv registers with the Licensing Authority, it operates in a severely rate-limited state.

Firepower 9300 Chassis

The Firepower 9300 chassis supports two types of evaluation license:

  • Chassis-level evaluation mode—Before the Firepower 9300 chassis registers with the Licensing Authority, it operates for 90 days (total usage) in evaluation mode. The ASA cannot request specific entitlements in this mode; only default entitlements are enabled. When this period ends, the Firepower 9300 chassis becomes out-of-compliance.

  • Entitlement-based evaluation mode—After the Firepower 9300 chassis registers with the Licensing Authority, you can obtain time-based evaluation licenses that can be assigned to the ASA. In the ASA, you request entitlements as usual. When the time-based license expires, you need to either renew the time-based license or obtain a permanent license.


Note

You cannot receive an evaluation license for Strong Encryption (3DES/AES); you must register with the License Authority and obtain a permanent license.


About Licenses by Type

The following sections include additional information about licenses by type.

AnyConnect Plus, AnyConnect Apex, And VPN Only Licenses

The AnyConnect Plus, AnyConnect Apex, or VPN Only license is a multi-use license that you can apply to multiple ASAs, all of which share a user pool as specified by the license. Devices that use Smart Licensing do not require any AnyConnect license to be physically applied to the actual platform. The same licenses must still be purchased, and you must still link the Contract number to your Cisco.com ID for SW Center access and technical support. For more information, see:

Other VPN License

Other VPN sessions include the following VPN types:

  • IPsec remote access VPN using IKEv1

  • IPsec site-to-site VPN using IKEv1

  • IPsec site-to-site VPN using IKEv2

This license is included in the Base license.

Total VPN Sessions Combined, All Types

  • Although the maximum VPN sessions add up to more than the maximum VPN AnyConnect and Other VPN sessions, the combined sessions should not exceed the VPN session limit. If you exceed the maximum VPN sessions, you can overload the ASA, so be sure to size your network appropriately.

  • If you start a clientless SSL VPN session and then start an AnyConnect client session from the portal, 1 session is used in total. However, if you start the AnyConnect client first (from a standalone client, for example) and then log into the clientless SSL VPN portal, then 2 sessions are used.

Encryption License

Strong Encryption: ASAv

Strong Encryption (3DES/AES) is available for management connections before you connect to the License Authority, so you can launch ASDM and connect to the License Authority. For through-the-box traffic, throughput is severely limited until you connect to the License Authority and obtain the Strong Encryption license.

If the ASAv becomes out-of-compliance later, then the ASAv reverts to the rate-limited state.

Strong Encryption: Firepower 9300 Chassis

You must manually request the Strong Encryption license in the ASA configuration using the CLI because ASDM requires 3DES. If the ASA becomes out-of-compliance, neither management traffic nor through-traffic requiring this license will be allowed.

DES: All Models

The DES license cannot be disabled. If you have the 3DES license installed, DES is still available. To prevent the use of DES when you want to only use strong encryption, be sure to configure any relevant commands to use only strong encryption.
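One way to check a saved running-config for IKE/IPsec commands that still select single DES, as the paragraph above advises. This is an added example, not Cisco code; the function name, the constructed sample configuration, and the choice to cover only the crypto ikev1/ikev2 policy, ikev1 transform-set and ikev2 ipsec-proposal command forms are assumptions.

```python
"""Audit a saved ASA running-config for IKE/IPsec commands that select single DES.

Added example: the sample config below is constructed, and only the command
forms named in the comments are covered (an assumption of this sketch).
"""

# Constructed sample input, not taken from a real device.
SAMPLE_CONFIG = """\
hostname asav-lab
!
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
crypto ikev2 policy 1
 encryption aes-256 des
 integrity sha256
 group 14
 prf sha256
crypto ipsec ikev1 transform-set LEGACY esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set STRONG esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRIPLE esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal PROP1
 protocol esp encryption aes-256
 protocol esp integrity sha-256
"""

# Exact tokens that select single DES. "3des", "esp-3des" and the AES tokens
# are different words, so whole-token matching never flags them.
DES_ENCRYPTION_TOKEN = "des"
DES_TRANSFORM_TOKEN = "esp-des"


def find_des_usage(config_text):
    """Return (line_number, context, command) for every single-DES reference.

    context is the parent command of an indented sub-command (for example the
    "crypto ikev1 policy 10" that an "encryption des" line belongs to), or the
    command itself for one-line forms.
    """
    findings = []
    parent = None
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.rstrip()
        # Skip blank lines and "!" separator lines.
        if not line or line.lstrip().startswith("!"):
            continue
        tokens = line.split()
        if not line[0].isspace():
            # Top-level command: remember it as the context for sub-commands.
            parent = line
            # One-line form: crypto ipsec ikev1 transform-set NAME esp-des ...
            # tokens[4] is the set name, so only tokens[5:] are transforms.
            if (tokens[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]
                    and DES_TRANSFORM_TOKEN in tokens[5:]):
                findings.append((lineno, line, line))
            continue
        # Indented sub-command: only crypto parents are of interest here.
        if parent is None or not parent.startswith("crypto "):
            continue
        # IKEv1/IKEv2 policy: "encryption des" (IKEv2 allows several values).
        if tokens[0] == "encryption" and DES_ENCRYPTION_TOKEN in tokens[1:]:
            findings.append((lineno, parent, line.strip()))
        # IKEv2 IPsec proposal: "protocol esp encryption des [3des aes ...]".
        elif (tokens[:3] == ["protocol", "esp", "encryption"]
              and DES_ENCRYPTION_TOKEN in tokens[3:]):
            findings.append((lineno, parent, line.strip()))
    return findings


def main():
    for lineno, context, command in find_des_usage(SAMPLE_CONFIG):
        print(f"line {lineno}: single DES selected under [{context}]: {command}")


if __name__ == "__main__":
    main()
```

3DES is deliberately not reported, because the guide groups 3DES/AES under Strong Encryption; the check targets only the DES fallback that the license cannot disable.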

Total UC Proxy Sessions

Each TLS proxy session for Encrypted Voice Inspection is counted against the TLS license limit.

Other applications that use TLS proxy sessions do not count toward the TLS limit, for example, Mobility Advantage Proxy (which does not require a license).

Some applications might use multiple sessions for a connection. For example, if you configure a phone with a primary and backup Cisco Unified Communications Manager, there are 2 TLS proxy connections.

You independently set the TLS proxy limit using the tls-proxy maximum-sessions command or in ASDM, using the Configuration > Firewall > Unified Communications > TLS Proxy pane. To view the limits of your model, enter the tls-proxy maximum-sessions ? command. When you apply a TLS proxy license that is higher than the default TLS proxy limit, the ASA automatically sets the TLS proxy limit to match the license. The TLS proxy limit takes precedence over the license limit; if you set the TLS proxy limit to be less than the license, then you cannot use all of the sessions in your license.


Note

For license part numbers ending in “K8” (for example, licenses under 250 users), TLS proxy sessions are limited to 1000. For license part numbers ending in “K9” (for example, licenses 250 users or larger), the TLS proxy limit depends on the configuration, up to the model limit. K8 and K9 refer to whether the license is restricted for export: K8 is unrestricted, and K9 is restricted.

If you clear the configuration (using the clear configure all command, for example), then the TLS proxy limit is set to the default for your model; if this default is lower than the license limit, then you see an error message to use the tls-proxy maximum-sessions command to raise the limit again (in ASDM, use the TLS Proxy pane). If you use failover and enter the write standby command or in ASDM, use File > Save Running Configuration to Standby Unit on the primary unit to force a configuration synchronization, the clear configure all command is generated on the secondary unit automatically, so you may see the warning message on the secondary unit. Because the configuration synchronization restores the TLS proxy limit set on the primary unit, you can ignore the warning.


You might also use SRTP encryption sessions for your connections:

  • For K8 licenses, SRTP sessions are limited to 250.

  • For K9 licenses, there is no limit.


Note

Only calls that require encryption/decryption for media are counted toward the SRTP limit; if passthrough is set for the call, even if both legs are SRTP, they do not count toward the limit.


VLANs, Maximum

For an interface to count against the VLAN limit, you must assign a VLAN to it. For example:

Botnet Traffic Filter License

Requires a Strong Encryption (3DES/AES) License to download the dynamic database.

Failover or ASA Cluster Licenses

Failover Licenses for the ASAv

The standby unit requires the same model license as the primary unit.

Failover Licenses for the ASA on the Firepower 9300 Chassis

Each Firepower 9300 chassis must be registered with the License Authority or satellite server. There is no extra cost for the secondary unit. For permanent license reservation, you must purchase separate licenses for each chassis.

Each ASA must have the same encryption license. For regular Smart Software Manager users, the Strong Encryption license is automatically enabled for qualified customers when you apply the registration token on the Firepower 9300 chassis. For older Cisco Smart Software Manager satellite deployments, see below.

In the ASA licensing configuration, other licenses do not need to match on each failover unit, and you can configure licensing separately on each unit. Each unit requests its own licenses from the server. The licenses requested by both units are aggregated into a single failover license that is shared by the failover pair, and this aggregated license is cached on the standby unit to be used if it becomes the active unit in the future. Typically, you only need to configure licenses on the primary unit.

Each license type is managed as follows:

  • Standard—Each unit includes the Standard license by default, so for a failover pair, 2 Standard licenses are requested from the server.

  • Context—Each unit can request its own Context license. However, the Standard license includes 10 contexts by default and is present on both units. The value from each unit’s Standard license plus the value of any optional Context licenses on both units are combined up to the platform limit. For example:

    • The Standard license includes 10 contexts; for 2 units, these licenses add up to 20 contexts. You configure a 250-Context license on the primary unit in an Active/Standby pair. Therefore, the aggregated failover license includes 270 contexts. However, because the platform limit for one unit is 250, the combined license allows a maximum of 250 contexts only. In this case, you should only configure the primary Context license to be 230 contexts.

    • The Standard license includes 10 contexts; for 2 units, these licenses add up to 20 contexts. You configure a 10-Context license on the primary unit in an Active/Active pair, and a 10-Context license on the secondary unit. Therefore, the aggregated failover license includes 40 contexts. One unit can use 22 contexts and the other unit can use 18 contexts, for example, for a total of 40. Because the platform limit for one unit is 250, the combined license allows a maximum of 250 contexts; the 40 contexts are within the limit.

  • Carrier—Only one unit needs to request this license, and both units can use it.

  • Strong Encryption (3DES) (for a pre-2.3.0 Cisco Smart Software Manager satellite deployment only)—Each unit must request its own license from the server; unlike the other license configurations, this configuration is replicated to the standby unit. For Smart Software Manager satellite deployments, to use ASDM and other strong encryption features, after you deploy the cluster you must enable the Strong Encryption (3DES) license on the primary unit using the ASA CLI. The Strong Encryption (3DES) license is not available with any type of evaluation license.

ASA Cluster Licenses for the ASA on the Firepower 9300 Chassis

The clustering feature itself does not require any licenses. To use Strong Encryption and other optional licenses, you can only request licenses on the control unit; the licenses are aggregated with the data units. If you have licenses on multiple units, they combine into a single running ASA cluster license. License configuration completed on the control unit is not replicated to the data units. You can only configure separate license entitlements on data units if you disable clustering, configure the licensing, and then re-enable clustering.


Note

To use ASDM and other strong encryption features, after you deploy the cluster you must enable the Strong Encryption (3DES) license on the control unit using the ASA CLI. This license is inherited by the data units; you do not need to configure this license separately on each unit. The Strong Encryption (3DES) license is not available with any type of evaluation license.



Note

If the control unit fails, and does not rejoin within 30 days (the licensing grace period), then the inherited licenses disappear. You must then manually configure the missing licenses on the new control unit.


Prerequisites for Smart Software Licensing

Regular and Satellite Smart License Prerequisites

ASAv

  • Ensure internet access, or HTTP proxy access from the device.

  • Configure a DNS server so the device can resolve the name of the License Authority.

  • Set the clock for the device.

  • Create a master account on the Cisco Smart Software Manager:

    https://software.cisco.com/#module/SmartLicensing

    If you do not yet have an account, click the link to set up a new account. The Smart Software Manager lets you create a master account for your organization.

Firepower 4100/9300

Configure the Smart Software Licensing infrastructure on the Firepower 9300 chassis before you configure the ASA licensing entitlements.

Permanent License Reservation Prerequisites

  • Create a master account on the Cisco Smart Software Manager:

    https://software.cisco.com/#module/SmartLicensing

    If you do not yet have an account, click the link to set up a new account. The Smart Software Manager lets you create a master account for your organization. Even though the ASA does not need internet connectivity to the Smart Licensing server for permanent license reservation, the Smart Software Manager is used to manage your permanent licenses.

  • Obtain support for permanent license reservation from the licensing team. You must provide a justification for using permanent license reservation. If your account is not approved, then you cannot purchase and apply permanent licenses.

  • Purchase special permanent licenses (see License PIDs). If you do not have the correct license in your account, then when you try to reserve a license on the ASA, you will see an error message similar to: "The licenses cannot be reserved because the Virtual Account does not contain a sufficient surplus of the following perpetual licenses: 1 - Firepower 4100 ASA PERM UNIV(perpetual)."

  • The permanent license includes all available features, including the Strong Encryption (3DES/AES) license if your account qualifies. AnyConnect client capabilities are also enabled to the platform maximum, contingent on your purchase of an AnyConnect license that enables the right to use AnyConnect (see AnyConnect Plus, AnyConnect Apex, And VPN Only Licenses).

License PIDs

When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions search field on the Cisco Commerce Workspace. Search for the following license Product IDs (PIDs).

ASAv PIDs

ASAv PIDs:

  • ASAv5—L-ASAV5S-K9=

  • ASAv10—L-ASAV10S-K9=

  • ASAv30—L-ASAV30S-K9=

  • ASAv50—L-ASAV50S-K9=

Firepower 9300 PIDs

Firepower 9300 PIDs:

  • Standard license—L-F9K-ASA=. The Standard license is free, but you still need to add it to your Smart Software Licensing account.

  • 10 context license—L-F9K-ASA-SC-10=. Context licenses are additive; buy multiple licenses to meet your needs.

  • Carrier (Diameter, GTP/GPRS, SCTP)—L-F9K-ASA-CAR=

  • Strong Encryption (3DES/AES) license—L-F9K-ASA-ENCR-K9=. This license is free. Although this license is not generally required (for example, ASAs that use older Satellite Server versions (pre-2.3.0) require this license), you should still add it to your account for tracking purposes.

Guidelines for Smart Software Licensing

  • Only Smart Software Licensing is supported. For older software on the ASAv, if you upgrade an existing PAK-licensed ASAv, then the previously installed activation key will be ignored, but retained on the device. If you downgrade the ASAv, the activation key will be reinstated.

  • (Firepower 9300 ASA security module) To use ASDM and other strong encryption features such as VPN, after you deploy the ASA you must enable the Strong Encryption (3DES) license on the control unit using the ASA CLI. For clustering, configure the license on the control unit. This license is inherited by the data units; you do not need to configure this license separately on each unit.

  • Because the Cisco Transport Gateway uses a certificate with a non-compliant country code, you cannot use HTTPS when using the ASA in conjunction with that product. You must use HTTP with Cisco Transport Gateway.

Defaults for Smart Software Licensing

ASAv

  • The ASAv default configuration includes a Smart Call Home profile called “License” that specifies the URL for the Licensing Authority.

  • When you deploy the ASAv, you set the feature tier and throughput level. Only the standard level is available at this time.

  • Also during deployment, you can optionally configure an HTTP proxy.

ASA on the Firepower 9300 Chassis

There is no default configuration. You must manually enable the standard license tier and other optional licenses.

ASAv: Configure Smart Software Licensing

This section describes how to configure Smart Software Licensing for the ASAv.




ASAv: Configure Smart Software Licensing

When you deploy the ASAv, you can pre-configure the device and include a registration token so it registers with the License Authority and enables Smart Software Licensing. If you need to change your HTTP proxy server, license entitlement, or register the ASAv (for example, if you did not include the ID token in the Day0 configuration), perform this task.


Note

You may have pre-configured the HTTP proxy and license entitlements when you deployed your ASAv. You may also have included the registration token with your Day0 configuration when you deployed the ASAv; if so, you do not need to re-register using this procedure.


Procedure


Step 1

In the Smart Software Manager (Cisco Smart Software Manager), request and copy a registration token for the virtual account to which you want to add this device.

  1. Click Inventory.

  2. On the General tab, click New Token.

  3. In the Create Registration Token dialog box, enter the following settings, and then click Create Token:

    • Description

    • Expire After—Cisco recommends 30 days.

    • Allow export-controlled functionality on the products registered with this token—Enables the export-compliance flag.

    The token is added to your inventory.

  4. Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard. Keep this token ready for later in the procedure when you need to register the ASA.

Step 2

(Optional) On the ASAv, specify the HTTP Proxy URL:

call-home

http-proxy ip_address port port

If your network uses an HTTP proxy for internet access, you must configure the proxy address for Smart Software Licensing. This proxy is also used for Smart Call Home in general.

Example:

Step 3

Configure the license entitlements.

  1. Enter license smart configuration mode:

    license smart

    Example:

  2. Set the feature tier:

    feature tier standard

    Only the standard tier is available.

  3. Set the throughput level:

    throughput level {100M | 1G | 2G}

    Example:

  4. Exit license smart mode to apply your changes:

    exit

    Your changes do not take effect until you exit the license smart configuration mode, either by explicitly exiting the mode (exit or end) or by entering any command that takes you to a different mode.

    Example:

Step 4

Register the ASAv with the License Authority.

When you register the ASAv, the License Authority issues an ID certificate for communication between the ASAv and the License Authority. It also assigns the ASAv to the appropriate virtual account. Normally, this procedure is a one-time instance. However, you might need to later re-register the ASAv if the ID certificate expires because of a communication problem, for example.

  1. Enter the registration token on the ASAv:

    license smart register idtoken id_token [force]

    Example:

    Use the force keyword to register an ASAv that is already registered, but that might be out of sync with the License Authority. For example, use force if the ASAv was accidentally removed from the Smart Software Manager.

    The ASAv attempts to register with the License Authority and request authorization for the configured license entitlements.

    Example:


(Optional) Deregister the ASAv

Deregistering the ASAv removes the ASAv from your account. All license entitlements and certificates on the ASAv are removed. You might want to deregister to free up a license for a new ASAv. Alternatively, you can remove the ASAv from the Smart Software Manager.

Procedure


Deregister the ASAv:

license smart deregister

The ASAv then reloads.


(Optional) Renew the ASAv ID Certificate or License Entitlement

By default, the ID certificate is automatically renewed every 6 months, and the license entitlement is renewed every 30 days. You might want to manually renew the registration for either of these items if you have a limited window for Internet access, or if you make any licensing changes in the Smart Software Manager, for example.

Procedure


Step 1

Renew the ID certificate:

license smart renew id

Step 2

Renew the license entitlement:

license smart renew auth


Firepower 4100/9300: Configure Smart Software Licensing

This procedure applies to a chassis that uses the License Authority or a Satellite server; see the FXOS configuration guide to configure your method as a prerequisite.


Note

The Strong Encryption (3DES/AES) license is not enabled by default so you cannot use ASDM to configure your ASA until you request the Strong Encryption license using the ASA CLI. Other strong encryption features are also not available until you do so.


Before you begin

For an ASA cluster, you need to access the control unit for configuration. Check the Firepower Chassis Manager to see which unit is the control unit. You can also check from the ASA CLI, as shown in this procedure.

Procedure


Step 1

Connect to the Firepower 9300 chassis CLI (console or SSH), and then session to the ASA:


connect module slot console
connect asa

Example:

The next time you connect to the ASA console, you go directly to the ASA; you do not need to enter connect asa again.

For an ASA cluster, you only need to access the control unit for license configuration and other configuration. Typically, the control unit is in slot 1, so you should connect to that module first.

Step 2

At the ASA CLI, enter global configuration mode. By default, the enable password is blank.


enable
configure terminal

Example:

Step 3

If required, for an ASA cluster confirm that this unit is the control unit:

show cluster info

Example:

If a different unit is the control unit, exit the connection and connect to the correct unit. See below for information about exiting the connection.

Step 4

Enter license smart configuration mode:

license smart

Example:

Step 5

Set the feature tier:

feature tier standard

Only the standard tier is available. A tier license is a prerequisite for adding other feature licenses. You must have sufficient tier licenses in your account. Otherwise, you cannot configure any other feature licenses or any features that require licenses.

Step 6

Request one or more of the following features:

  • Mobile SP (GTP/GPRS)

    feature mobile-sp

  • Security Contexts

    feature context

  • Strong Encryption (3DES/AES)

    feature strong-encryption

Example:

Step 7

To exit the ASA console, enter ~ at the prompt to exit to the Telnet application. Enter quit to exit back to the supervisor CLI.


Licenses Per Model

This section lists the license entitlements available for the ASAv and Firepower 9300 chassis ASA security module.

ASAv

The following table shows the licensed features for the ASAv series.

Licenses (Standard License)

Firewall Licenses

  • Botnet Traffic Filter: Enabled

  • Firewall Conns, Concurrent: ASAv5: 100,000; ASAv10: 100,000; ASAv30: 500,000

  • GTP/GPRS: Enabled

  • Total UC Proxy Sessions: ASAv5: 500; ASAv10: 500; ASAv30: 1000

VPN Licenses

  • AnyConnect peers: Unlicensed. Optional AnyConnect Plus or Apex license, Maximums: ASAv5: 50; ASAv10: 250; ASAv30: 750

  • Other VPN Peers: ASAv5: 250; ASAv10: 250; ASAv30: 1000

  • Total VPN Peers, combined all types: ASAv5: 250; ASAv10: 250; ASAv30: 1000

General Licenses

  • Throughput Level: ASAv5: 1 Gbps; ASAv10: 1 Gbps; ASAv30: 2 Gbps

  • Encryption: Strong (3DES/AES)

  • Failover: Active/Standby

  • Security Contexts: No support

  • Clustering: No support

  • VLANs, Maximum: ASAv5: 50; ASAv10: 50; ASAv30: 200

  • RAM, vCPUs: ASAv5: 2 GB, 1 vCPU; ASAv10: 2 GB, 1 vCPU; ASAv30: 8 GB, 4 vCPUs

Firepower 9300 ASA Application

The following table shows the licensed features for the Firepower 9300 ASA application.

Licenses (Standard License)

Firewall Licenses

  • Botnet Traffic Filter: No Support.

  • Firewall Conns, Concurrent: Firepower 9300 SM-36: 60,000,000, up to 70,000,000 for a chassis with 3 modules; Firepower 9300 SM-24: 55,000,000, up to 70,000,000 for a chassis with 3 modules

  • GTP/GPRS: Disabled. Optional License: Mobile SP

  • Total UC Proxy Sessions: 15,000

VPN is not supported with Firepower Chassis Manager 1.1.2 and earlier.

General Licenses

  • Encryption: Base (DES) or Strong (3DES/AES)

  • Security Contexts: 10. Optional License: Maximum of 250, in increments of 10

Source: https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/intro-license-smart.html

CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.10

Strong Encryption: ASAv

Strong Encryption (3DES/AES) is available for management connections before you connect to the License Authority or Satellite server, so you can launch ASDM and connect to the License Authority. For through-the-box traffic, throughput is severely limited until you connect to the License Authority and obtain the Strong Encryption license.

When you request the registration token for the ASAv from your Smart Software Licensing account, check the Allow export-controlled functionality on the products registered with this token check box so that the Strong Encryption (3DES/AES) license is applied (your account must be qualified for its use). If the ASAv becomes out-of-compliance later, as long as the export compliance token was successfully applied, the ASAv will retain the license and not revert to the rate-limited state. The license is removed if you re-register the ASAv, and export compliance is disabled, or if you restore the ASAv to factory default settings.

If you initially register the ASAv without strong encryption and later add strong encryption, then you must reload the ASAv for the new license to take effect.

For permanent license reservation licenses, the Strong Encryption (3DES/AES) license is enabled if your account qualifies for its use.

For pre-2.3.0 Satellite server versions, you must manually request the Strong Encryption license in the ASA configuration (the export compliance token is not supported); in this case, if the ASAv becomes out-of-compliance, throughput is severely limited.

Strong Encryption: Firepower 2100

Strong Encryption (3DES/AES) is available for management connections before you connect to the License Authority or Satellite server so you can launch ASDM. Note that ASDM access is only available on management-only interfaces with the default encryption. Through the box traffic is not allowed until you connect and obtain the Strong Encryption license.

When you request the registration token for the ASA from your Smart Software Licensing account, check the Allow export-controlled functionality on the products registered with this token check box so that the Strong Encryption (3DES/AES) license is applied (your account must be qualified for its use). If the ASA becomes out-of-compliance later, as long as the export compliance token was successfully applied, the ASA will continue to allow through the box traffic. Even if you re-register the ASA, and export compliance is disabled, the license remains enabled. The license is removed if you restore the ASA to factory default settings.

If you initially register the ASA without strong encryption and later add strong encryption, then you must reload the ASA for the new license to take effect.

For permanent license reservation licenses, the Strong Encryption (3DES/AES) license is enabled if your account qualifies for its use.

For pre-2.3.0 Satellite server versions, you must manually request the Strong Encryption license in the ASA configuration (the export compliance token is not supported); in this case, if the ASA becomes out-of-compliance, through-traffic will not be allowed.

Strong Encryption: Firepower 4100/9300 Chassis

When the ASA is deployed as a logical device, you can launch ASDM immediately. Through the box traffic is not allowed until you connect and obtain the Strong Encryption license.

When you request the registration token for the Firepower chassis from your Smart Software Licensing account, check the Allow export-controlled functionality on the products registered with this token check box so that the Strong Encryption (3DES/AES) license is applied (your account must be qualified for its use).

If the ASA becomes out-of-compliance later, as long as the export compliance token was successfully applied, the ASA will continue to allow through the box traffic. The license is removed if you re-register the chassis, and export compliance is disabled, or if you restore the chassis to factory default settings.

If you initially register the chassis without strong encryption and later add strong encryption, then you must reload the ASA application for the new license to take effect.

For permanent license reservation licenses, the Strong Encryption (3DES/AES) license is enabled if your account qualifies for its use.

For pre-2.3.0 Satellite server versions that do not support the export-compliance token: You must manually request the Strong Encryption license in the ASA configuration using the CLI because ASDM requires 3DES. If the ASA becomes out-of-compliance, neither management traffic nor through-traffic requiring this license will be allowed.

DES: All Models

The DES license cannot be disabled. If you have the 3DES license installed, DES is still available. To prevent the use of DES when you want to only use strong encryption, be sure to configure any relevant commands to use only strong encryption.
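One way to check a configuration for leftover DES, as an added example (not code from the Cisco documentation). It assumes the "relevant commands" are the IKE/IPsec cipher selections in a saved running-config; the sample configuration is constructed, and SSL and SSH cipher settings are not covered.

```python
from typing import NamedTuple

# Constructed running-config fragment (not taken from the page).
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set LEGACY esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set STRONG esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal PROP1
 protocol esp encryption aes-256 des
 protocol esp integrity sha-256
crypto ikev1 policy 10
 encryption 3des
crypto ikev1 policy 20
 encryption des
crypto ikev2 policy 1
 encryption aes-256
"""


class DesHit(NamedTuple):
    lineno: int
    context: str  # parent command for indented sub-commands, else ""
    line: str
    kind: str     # "des-only" or "des-fallback"


def _cipher_tokens(tokens):
    """Return the algorithm tokens of a cipher-selecting line, or None."""
    if tokens[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
        return tokens[5:]  # skip the transform-set name
    if tokens[:3] == ["protocol", "esp", "encryption"]:
        return tokens[3:]
    if tokens[:1] == ["encryption"]:
        return tokens[1:]
    return None


def find_des(config: str):
    """List every cipher line that still selects single DES.

    "des-only" means no stronger algorithm is named on the line;
    "des-fallback" means DES is offered next to AES or 3DES, so a peer
    can still negotiate down to it.
    """
    hits, parent = [], ""
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        indented = raw[0].isspace()
        if not indented:
            parent = line
        algos = _cipher_tokens(line.lower().split())
        if not algos:
            continue
        # Exact token match, so "3des" and "esp-3des" are not flagged.
        if not any(a in ("des", "esp-des") for a in algos):
            continue
        strong = any("aes" in a or "3des" in a for a in algos)
        hits.append(DesHit(lineno, parent if indented else "", line,
                           "des-fallback" if strong else "des-only"))
    return hits


if __name__ == "__main__":
    for hit in find_des(SAMPLE_CONFIG):
        where = f" (under '{hit.context}')" if hit.context else ""
        print(f"line {hit.lineno}: {hit.kind}: {hit.line}{where}")
```

3DES is treated as acceptable here only because the page groups it with AES under the Strong Encryption license.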

Source: https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/configuration/general/asa-910-general-config/intro-license-smart.html

ASA Smart License on FXOS Firepower Appliances

Introduction

This document describes the Adaptive Security Appliance (ASA) Smart Licensing feature on Firepower eXtensible Operating System (FXOS). Smart Licensing on FXOS is used when there is an ASA installed on the chassis. For Firepower Threat Defense (FTD) and Firepower Management Center (FMC) Smart Licensing, check FMC and FTD Smart License Registration and Troubleshooting.

This document covers mainly the scenarios where the FXOS chassis has direct Internet access. If your FXOS chassis cannot access the Internet then you need to consider either a Satellite Server or Permanent License Reservation (PLR). Check the FXOS configuration guide for more details on Offline Management.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

Smart Licensing Architecture

A high-level overview of the chassis components:

Cisco ASA Smart Licensing on FXOS - high-level overview of chassis components

  • Both Management Input/Output (MIO) and individual modules play roles in Smart Licensing
  • MIO itself does not require any licenses for its operation
  • ASA application(s) running on each module need to be licensed

The FXOS supervisor is the Management Input/Output (MIO). The MIO contains 3 main components:

  • Smart Agent
  • License Manager
  • AppAG

Overall Architecture

Cisco ASA Smart Licensing on FXOS - architecture diagram

Nomenclature

| Term | Description |
| --- | --- |
| Cisco License Authority | The Cisco license backend for Smart Licensing. Maintains all the customer product licensing related information including entitlements and device information. |
| Smart License Account | A customer account that has all the entitlements for the appliance. |
| Token ID | An identifier used to distinguish the Smart License Account when registering an appliance. |
| Entitlement | Equivalent to a license. May correspond to an individual feature or an entire feature tier. |
| Product Activation Key (PAK) | The older licensing mechanism. Tied to a single appliance. |

Smart Agent States

| State | Description |
| --- | --- |
| Un-Configured | Smart licensing is not enabled |
| Un-Identified | Smart licensing has been enabled but the Smart Agent has not yet contacted Cisco to register |
| Registered | The agent has contacted the Cisco licensing authority and registered |
| Authorized | When an agent receives an in compliance status in response to an entitlement authorization request |
| Out Of Compliance | When an agent receives an Out of Compliance (OOC) status in response to an Entitlement Authorization request |
| Authorization expired | If the agent has not communicated with Cisco for 90 days |

ASA Entitlements

These are the supported ASA entitlements:

  • Standard tier
  • Multi context
  • Strong Encryption (3DES)
  • Mobile/Service Provider (GTP)

Configuration

Follow the instructions from these documents:

Before any feature tier configuration

asa(config-smart-lic)# show license all
Smart licensing enabled: Yes

Compliance status: In compliance

Overall licensed status: Invalid (0)

No entitlements in use

Serial Number:  FCH12345ABC

License mode: Smart Licensing

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited
Maximum VLANs                     : 1024
Inside Hosts                      : Unlimited
Failover                          : Active/Active
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
Security Contexts                 : 10
Carrier                           : Disabled
AnyConnect Premium Peers          : 20000
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 20000
Total VPN Peers                   : 20000
AnyConnect for Mobile             : Enabled
AnyConnect for Cisco VPN Phone    : Enabled
Advanced Endpoint Assessment      : Enabled
Shared License                    : Disabled
Total TLS Proxy Sessions          : 15000
Cluster                           : Enabled

***************************************************************************
*                                 WARNING                                 *
*                                                                         *
*    THIS DEVICE IS NOT LICENSED WITH A VALID FEATURE TIER ENTITLEMENT    *
*                                                                         *
***************************************************************************

Configure standard tier:

asa(config)# license smart
INFO: License(s) corresponding to an entitlement will be activated only after an entitlement request has been authorized.
asa(config-smart-lic)# feature tier standard
asa(config-smart-lic)# show license all

Smart licensing enabled: Yes

Compliance status: In compliance

Overall licensed status: Authorized (3)

Entitlement(s):

Feature tier:
Tag: regid.2015-10.com.cisco.FIREPOWER_4100_ASA_STANDARD,1.0_7d7f5ee2-1398-4b0e-aced-b3f7fb1cacfc
Version: 1.0
Enforcement mode: Authorized
Handle: 1
Requested time: Tue, 04 Aug 2020 07:58:13 UTC
Requested count: 1
Request status: Complete

Serial Number: FCH12345ABC

License mode: Smart Licensing

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 10
Carrier : Disabled
AnyConnect Premium Peers : 20000
AnyConnect Essentials : Disabled
Other VPN Peers : 20000
Total VPN Peers : 20000
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 15000
Cluster : Enabled

Failover (High Availability)

As documented in the ASA Configuration Guide, each Firepower unit must be registered with the License Authority or satellite server. Verification from the ASA CLI:

asa# show failover | include host
        This host: Primary - Active
        Other host: Secondary - Standby Ready

asa# show license all

Smart licensing enabled: Yes

Compliance status: In compliance

Overall licensed status: Authorized (3)

Entitlement(s):

Feature tier:
        Tag: regid.2015-10.com.cisco.FIREPOWER_4100_ASA_STANDARD,1.0_7d7f5ee2-1398-4b0e-aced-b3f7fb1cacfc
        Version: 1.0
        Enforcement mode: Authorized
        Handle: 1
        Requested time: Tue, 04 Aug 2020 07:58:13 UTC
        Requested count: 1
        Request status: Complete

Serial Number:  FCH12345ABC

License mode: Smart Licensing

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited
Maximum VLANs                     : 1024
Inside Hosts                      : Unlimited
Failover                          : Active/Active
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
Security Contexts                 : 10
Carrier                           : Disabled
AnyConnect Premium Peers          : 20000
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 20000
Total VPN Peers                   : 20000
AnyConnect for Mobile             : Enabled
AnyConnect for Cisco VPN Phone    : Enabled
Advanced Endpoint Assessment      : Enabled
Shared License                    : Disabled
Total TLS Proxy Sessions          : 15000
Cluster                           : Enabled

Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited
Maximum VLANs                     : 1024
Inside Hosts                      : Unlimited
Failover                          : Active/Active
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
Security Contexts                 : 20
Carrier                           : Disabled
AnyConnect Premium Peers          : 20000
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 20000
Total VPN Peers                   : 20000
AnyConnect for Mobile             : Enabled
AnyConnect for Cisco VPN Phone    : Enabled
Advanced Endpoint Assessment      : Enabled
Shared License                    : Disabled
Total TLS Proxy Sessions          : 15000
Cluster                           : Enabled

The standby unit:

asa# show failover | i host
        This host: Secondary - Standby Ready
        Other host: Primary - Active

asa# show license all

Smart licensing enabled: Yes

Compliance status: In compliance

Overall licensed status: Not applicable in standby state

No entitlements in use

Serial Number:  FCH12455DEF

License mode: Smart Licensing

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited
Maximum VLANs                     : 1024
Inside Hosts                      : Unlimited
Failover                          : Active/Active
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Disabled
Security Contexts                 : 10
Carrier                           : Disabled
AnyConnect Premium Peers          : 20000
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 20000
Total VPN Peers                   : 20000
AnyConnect for Mobile             : Enabled
AnyConnect for Cisco VPN Phone    : Enabled
Advanced Endpoint Assessment      : Enabled
Shared License                    : Disabled
Total TLS Proxy Sessions          : 15000
Cluster                           : Enabled

Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited
Maximum VLANs                     : 1024
Inside Hosts                      : Unlimited
Failover                          : Active/Active
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
Security Contexts                 : 20
Carrier                           : Disabled
AnyConnect Premium Peers          : 20000
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 20000
Total VPN Peers                   : 20000
AnyConnect for Mobile             : Enabled
AnyConnect for Cisco VPN Phone    : Enabled
Advanced Endpoint Assessment      : Enabled
Shared License                    : Disabled
Total TLS Proxy Sessions          : 15000
Cluster                           : Enabled

Case Study: ASA HA license on FP2100

  • On 2100 the ASA communicates with the Cisco Smart Licensing portal (cloud) using the ASA interfaces, not the FXOS management
  • You need to register both ASAs to the Cisco Smart Licensing portal (cloud)

In this case, HTTP local authentication is used on the outside interface:

ciscoasa(config)# show run http
http server enable
http 0.0.0.0 0.0.0.0 outside
ciscoasa(config)# show run aaa
aaa authentication http console LOCAL
ciscoasa(config)# show run username
username cisco password ***** pbkdf2

You can only connect to the ASA via ASDM if a 3DES/AES license is enabled. For an ASA that is not yet registered, this is possible only on an interface that is management-only. Per the configuration guide: "Strong Encryption (3DES/AES) is available for management connections before you connect to the License Authority or Satellite server so you can launch ASDM. Note that ASDM access is only available on management-only interfaces with the default encryption. Through the box traffic is not allowed until you connect and obtain the Strong Encryption license". Otherwise you get:

ciscoasa(config)# debug ssl 255
debug ssl enabled at level 255.
error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

To overcome this, the ASA has management-only configured on the Internet-facing interface, and thus the ASDM connection is possible:

interface Ethernet1/2
management-only
nameif outside
security-level 100
ip address 192.168.123.111 255.255.255.0 standby 192.168.123.112

Cisco ASA Smart Licensing on FXOS - Cisco ASDM 710(1) start screen

Configure the Smart Licensing on Primary ASA:

Cisco ASA Smart Licensing on FXOS - Configure Smart Licensing on primary ASA

Navigate to Monitoring > Properties > Smart License to check the status of the registration:

Cisco ASA Smart Licensing on FXOS - Check registration status

Primary ASA CLI verification:

ciscoasa/pri/act# show license all

Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration:
Status: REGISTERED
Smart Account: Cisco Systems, Inc.
Virtual Account: NGFW
Export-Controlled Functionality: Allowed
Initial Registration: SUCCEEDED on Nov 25 2020 16:43:59 UTC
Last Renewal Attempt: None
Next Renewal Attempt: May 24 2021 16:43:58 UTC
Registration Expires: Nov 25 2021 16:39:12 UTC

License Authorization:
Status: AUTHORIZED on Nov 25 2020 16:47:42 UTC
Last Communication Attempt: SUCCEEDED on Nov 25 2020 16:47:42 UTC
Next Communication Attempt: Dec 25 2020 16:47:41 UTC
Communication Deadline: Feb 23 2021 16:42:46 UTC

Utility:
Status: DISABLED

Data Privacy:
Sending Hostname: yes
Callhome hostname privacy: DISABLED
Smart Licensing hostname privacy: DISABLED
Version privacy: DISABLED

Transport:
Type: Callhome

License Usage
==============

Firepower 2100 ASA Standard (FIREPOWER_2100_ASA_STANDARD):
Description: Firepower 2100 ASA Standard
Count: 1
Version: 1.0
Status: AUTHORIZED

Product Information
===================
UDI: PID:FPR-2140,SN:JAD12345ABC

Agent Version
=============
Smart Agent for Licensing: 4.3.6_rel/38

ciscoasa/pri/act# show run license
license smart
feature tier standard

ciscoasa/pri/act# show license features
Serial Number: JAD12345ABC
Export Compliant: YES

License mode: Smart Licensing

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 10000
AnyConnect Essentials : Disabled
Other VPN Peers : 10000
Total VPN Peers : 10000
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 10000
Cluster : Disabled


Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 4
Carrier : Disabled
AnyConnect Premium Peers : 10000
AnyConnect Essentials : Disabled
Other VPN Peers : 10000
Total VPN Peers : 10000
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 10000
Cluster : Disabled

Connect via ASDM to the standby ASA (this is only possible if the ASA has been configured with a standby IP). The standby ASA is shown as UNREGISTERED, which is expected because it has not yet been registered to the Smart Licensing portal:

Cisco ASA Smart Licensing on FXOS - Connect to standby ASA via ASDM - standby ASA is UNREGISTERED

Cisco ASA Smart Licensing on FXOS - Connect to standby ASA via ASDM - Monitoring tab

The standby ASA CLI shows:

ciscoasa/sec/stby# show license all

Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration:
Status: UNREGISTERED
Export-Controlled Functionality: Not Allowed

License Authorization:
Status: No Licenses in Use

Utility:
Status: DISABLED

Data Privacy:
Sending Hostname: yes
Callhome hostname privacy: DISABLED
Smart Licensing hostname privacy: DISABLED
Version privacy: DISABLED

Transport:
Type: Callhome

License Usage
==============

No licenses in use

Product Information
===================
UDI: PID:FPR-2140,SN:JAD123456A

Agent Version
=============
Smart Agent for Licensing: 4.3.6_rel/38
ciscoasa/sec/stby# show run license
license smart
feature tier standard

The license features enabled on the standby ASA:

ciscoasa/sec/stby# show license features
Serial Number: JAD123456A
Export Compliant: NO

License mode: Smart Licensing

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Disabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 10000
AnyConnect Essentials : Disabled
Other VPN Peers : 10000
Total VPN Peers : 10000
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 10000
Cluster : Disabled


Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 4
Carrier : Disabled
AnyConnect Premium Peers : 10000
AnyConnect Essentials : Disabled
Other VPN Peers : 10000
Total VPN Peers : 10000
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 10000
Cluster : Disabled

Register the standby ASA:

Cisco ASA Smart Licensing on FXOS - Register the standby ASA

The result on standby ASA is that it is REGISTERED:

Cisco ASA Smart Licensing on FXOS - standby ASA is REGISTERED

CLI verification on standby ASA:

ciscoasa/sec/stby# show license all

Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration:
Status: REGISTERED
Smart Account: Cisco Systems, Inc.
Virtual Account: NGFW
Export-Controlled Functionality: Allowed
Initial Registration: SUCCEEDED on Nov 25 2020 17:06:51 UTC
Last Renewal Attempt: None
Next Renewal Attempt: May 24 2021 17:06:51 UTC
Registration Expires: Nov 25 2021 17:01:47 UTC

License Authorization:
Status: AUTHORIZED on Nov 25 2020 17:07:28 UTC
Last Communication Attempt: SUCCEEDED on Nov 25 2020 17:07:28 UTC
Next Communication Attempt: Dec 25 2020 17:07:28 UTC
Communication Deadline: Feb 23 2021 17:02:15 UTC

Utility:
Status: DISABLED

Data Privacy:
Sending Hostname: yes
Callhome hostname privacy: DISABLED
Smart Licensing hostname privacy: DISABLED
Version privacy: DISABLED

Transport:
Type: Callhome

License Usage
==============

No licenses in use

Product Information
===================
UDI: PID:FPR-2140,SN:JAD123456AX

Agent Version
=============
Smart Agent for Licensing: 4.3.6_rel/38

ciscoasa/sec/stby# show license feature
Serial Number: JAD123456A
Export Compliant: YES

License mode: Smart Licensing

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 10000
AnyConnect Essentials : Disabled
Other VPN Peers : 10000
Total VPN Peers : 10000
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 10000
Cluster : Disabled


Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 4
Carrier : Disabled
AnyConnect Premium Peers : 10000
AnyConnect Essentials : Disabled
Other VPN Peers : 10000
Total VPN Peers : 10000
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 10000
Cluster : Disabled

ASA Cluster

If the devices have a license mismatch then the cluster is not formed:

Cluster unit unit-1-1 transitioned from DISABLED to MASTER
New cluster member unit-2-1 rejected due to encryption license mismatch

A successful cluster setup:

asa(config)# cluster group GROUP1
asa(cfg-cluster)# enable
Removed all entitlements except per-unit entitlement configuration before joining cluster as slave unit.

Detected Cluster Master.
Beginning configuration replication from Master.
.
Cryptochecksum (changed): ede485ad d7fb9644 2847deaf ba16830b
End configuration replication from Master.

Cluster Master

asa# show cluster info | i state
    This is "unit-1-1" in state MASTER
    Unit "unit-2-1" in state SLAVE

asa# show license all

Smart licensing enabled: Yes

Compliance status: In compliance

Overall licensed status: Authorized (3)

Entitlement(s):

Feature tier:
        Tag: regid.2015-10.com.cisco.FIREPOWER_4100_ASA_STANDARD,1.0_7d7f5ee2-1398-4b0e-aced-b3f7fb1cacfc
        Version: 1.0
        Enforcement mode: Authorized
        Handle: 2
        Requested time: Mon, 10 Aug 2020 08:12:38 UTC
        Requested count: 1
        Request status: Complete

Serial Number:  FCH12345ABC

License mode: Smart Licensing

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited
Maximum VLANs                     : 1024
Inside Hosts                      : Unlimited
Failover                          : Active/Active
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
Security Contexts                 : 10
Carrier                           : Disabled
AnyConnect Premium Peers          : 20000
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 20000
Total VPN Peers                   : 20000
AnyConnect for Mobile             : Enabled
AnyConnect for Cisco VPN Phone    : Enabled
Advanced Endpoint Assessment      : Enabled
Shared License                    : Disabled
Total TLS Proxy Sessions          : 15000
Cluster                           : Enabled

Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited
Maximum VLANs                     : 1024
Inside Hosts                      : Unlimited
Failover                          : Active/Active
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
Security Contexts                 : 20
Carrier                           : Disabled
AnyConnect Premium Peers          : 20000
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 20000
Total VPN Peers                   : 20000
AnyConnect for Mobile             : Enabled
AnyConnect for Cisco VPN Phone    : Enabled
Advanced Endpoint Assessment      : Enabled
Shared License                    : Disabled
Total TLS Proxy Sessions          : 15000
Cluster                           : Enabled

Cluster Slave:

asa# show cluster info | i state
    This is "unit-2-1" in state SLAVE
    Unit "unit-1-1" in state MASTER

asa# show license all

Smart licensing enabled: Yes

Compliance status: In compliance

Overall licensed status: Authorized (3)

Entitlement(s):

Strong encryption:
        Tag: regid.2015-10.com.cisco.FIREPOWER_4100_ASA_ENCRYPTION,1.0_052986db-c5ad-40da-97b1-ee0438d3b2c9
        Version: 1.0
        Enforcement mode: Authorized
        Handle: 3
        Requested time: Mon, 10 Aug 2020 07:29:45 UTC
        Requested count: 1
        Request status: Complete

Serial Number:  FCH12345A6B

License mode: Smart Licensing

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited
Maximum VLANs                     : 1024
Inside Hosts                      : Unlimited
Failover                          : Active/Active
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
Security Contexts                 : 10
Carrier                           : Disabled
AnyConnect Premium Peers          : 20000
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 20000
Total VPN Peers                   : 20000
AnyConnect for Mobile             : Enabled
AnyConnect for Cisco VPN Phone    : Enabled
Advanced Endpoint Assessment      : Enabled
Shared License                    : Disabled
Total TLS Proxy Sessions          : 15000
Cluster                           : Enabled

Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited
Maximum VLANs                     : 1024
Inside Hosts                      : Unlimited
Failover                          : Active/Active
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
Security Contexts                 : 20
Carrier                           : Disabled
AnyConnect Premium Peers          : 20000
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 20000
Total VPN Peers                   : 20000
AnyConnect for Mobile             : Enabled
AnyConnect for Cisco VPN Phone    : Enabled
Advanced Endpoint Assessment      : Enabled
Shared License                    : Disabled
Total TLS Proxy Sessions          : 15000
Cluster                           : Enabled
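The failover and cluster outputs above can be compared mechanically. This added example (not Cisco's tooling) parses `show license features` text from several units, flags any unit without Encryption-3DES-AES, and reports per-unit differences against the first unit; it works for a failover pair or for any number of cluster members. The sample text is constructed and trimmed, modelled on the FP2100 outputs on this page.

```python
import re

STRONG = "Encryption-3DES-AES"
SECTION_RE = re.compile(r"^(?P<name>.*licensed features for this platform):\s*$", re.I)
KV_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*\S)\s*$")


def sample_features(serial, export_compliant, unit_3des):
    """Constructed, trimmed 'show license features' output."""
    return f"""\
Serial Number: {serial}
Export Compliant: {export_compliant}

License mode: Smart Licensing

Licensed features for this platform:
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : {unit_3des}
Security Contexts : 2

Failover cluster licensed features for this platform:
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 4
"""


PRIMARY = sample_features("JAD12345ABC", "YES", "Enabled")
STANDBY_UNREGISTERED = sample_features("JAD123456A", "NO", "Disabled")
STANDBY_REGISTERED = sample_features("JAD123456A", "YES", "Enabled")


def parse_license_features(text):
    """Split the output into header fields, per-unit and aggregated features."""
    unit = {"header": {}, "platform": {}, "failover_cluster": {}}
    current = unit["header"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = SECTION_RE.match(line)
        if section:
            aggregated = section.group("name").lower().startswith("failover cluster")
            current = unit["failover_cluster" if aggregated else "platform"]
            continue
        field = KV_RE.match(line)
        if field:
            current[field.group("key")] = field.group("value")
    return unit


def audit_units(outputs):
    """Return (code, subject, detail) findings; the first output is the reference."""
    parsed = [parse_license_features(text) for text in outputs]
    findings = []
    for unit in parsed:
        serial = unit["header"].get("Serial Number", "unknown")
        export = unit["header"].get("Export Compliant")  # absent on some platforms
        if export is not None and export.upper() != "YES":
            findings.append(("NOT_EXPORT_COMPLIANT", serial, f"Export Compliant: {export}"))
        if unit["platform"].get(STRONG) != "Enabled":
            findings.append(("NO_STRONG_ENCRYPTION", serial, f"{STRONG} not enabled on this unit"))
            # The aggregated section can still say Enabled, as on this page.
            if unit["failover_cluster"].get(STRONG) == "Enabled":
                findings.append(("MASKED_BY_PAIR_VIEW", serial,
                                 "failover cluster section still reports Enabled"))
    ref = parsed[0]
    ref_serial = ref["header"].get("Serial Number", "unknown")
    for unit in parsed[1:]:
        serial = unit["header"].get("Serial Number", "unknown")
        for key in sorted(set(ref["platform"]) | set(unit["platform"])):
            a, b = ref["platform"].get(key), unit["platform"].get(key)
            if a != b:
                findings.append(("UNIT_MISMATCH", serial, f"{key}: {ref_serial}={a} {serial}={b}"))
    return findings


if __name__ == "__main__":
    for finding in audit_units([PRIMARY, STANDBY_UNREGISTERED]):
        print(*finding, sep=" | ")
```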

Verification & Debugging

Chassis (MIO) Summary of Verification Commands

FPR4125# show license all
FPR4125# show license techsupport
FPR4125# scope monitoring
FPR4125 /monitoring # scope callhome
FPR4125 /monitoring/callhome # show expand
FPR4125# scope system
FPR4125 /system # scope services
FPR4125 /system/services # show dns
FPR4125 /system/services # show ntp-server
FPR4125# scope security
FPR4125 /security # show trustpoint
FPR4125# show clock
FPR4125# show timezone
FPR4125# show license usage

Configuration Verification

FPR4125-1# scope system
FPR4125-1 /system # scope services
FPR4125-1 /system/services # show configuration

ASA Summary of Verification Commands

asa# show run license
asa# show license all
asa# show license entitlement
asa# show license features
asa# show tech-support license
asa# debug license 255

Chassis (MIO) Sample Outputs of Verification Commands

FPR4125-1# show license all

Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration:
  Status: REGISTERED
  Smart Account: TAC Cisco Systems, Inc.
  Virtual Account: EU TAC
  Export-Controlled Functionality: ALLOWED
  Initial Registration: SUCCEEDED on Dec 10 2018 23:30:02 UTC
  Last Renewal Attempt: SUCCEEDED on Mar 12 2020 23:16:11 UTC
  Next Renewal Attempt: Sep 08 2020 23:16:10 UTC
  Registration Expires: Mar 12 2021 23:11:09 UTC

License Authorization:
  Status: AUTHORIZED on Aug 04 2020 07:58:46 UTC
  Last Communication Attempt: SUCCEEDED on Aug 04 2020 07:58:46 UTC
  Next Communication Attempt: Sep 03 2020 07:58:45 UTC
  Communication Deadline: Nov 02 2020 07:53:44 UTC

License Conversion:
  Automatic Conversion Enabled: True
  Status: Not started

Export Authorization Key:
  Features Authorized:
    <none>

Utility:
  Status: DISABLED

Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED

Transport:
  Type: Callhome

License Usage
==============

Firepower 4100 ASA Standard (FIREPOWER_4100_ASA_STANDARD):
  Description: Firepower 4100 ASA Standard
  Count: 1
  Version: 1.0
  Status: AUTHORIZED
  Export status: NOT RESTRICTED

Product Information
===================
UDI: PID:FPR-4125-SUP,SN:JAD12345678

Agent Version
=============
Smart Agent for Licensing: 4.6.9_rel/104

Reservation Info
================
License reservation: DISABLED

FPR4125-1# scope monitoring
FPR4125-1 /monitoring # scope callhome
FPR4125-1 /monitoring/callhome # show expand

Callhome:
Admin State: Off
Throttling State: On
Contact Information:
Customer Contact Email:
From Email:
Reply To Email:
Phone Contact e.g., +1-011-408-555-1212:
Street Address:
Contract Id:
Customer Id:
Site Id:
Switch Priority: Debugging
Enable/Disable HTTP/HTTPS Proxy: Off
HTTP/HTTPS Proxy Server Address:
HTTP/HTTPS Proxy Server Port: 80
SMTP Server Address:
SMTP Server Port: 25

Anonymous Reporting:
Admin State
-----------
Off

Callhome periodic system inventory:
Send periodically: Off
Interval days: 30
Hour of day to send: 0
Minute of hour: 0
Time last sent: Never
Next scheduled: Never

Destination Profile:
Name: full_txt
Level: Warning
Alert Groups: All,Cisco Tac,Diagnostic,Environmental
Max Size: 5000000
Format: Full Txt
Reporting: Smart Call Home Data

Name: short_txt
Level: Warning
Alert Groups: All,Cisco Tac,Diagnostic,Environmental
Max Size: 5000000
Format: Short Txt
Reporting: Smart Call Home Data

Name: SLProfile
Level: Normal
Alert Groups: Smart License
Max Size: 5000000
Format: Xml
Reporting: Smart License Data

Destination:
Name       Transport Protocol Email or HTTP/HTTPS URL Address
---------- ------------------ -------------------------------
SLDest     Https              https://tools.cisco.com/its/service/oddce/services/DDCEService

FPR4125-1# scope system
FPR4125-1 /system # scope services
FPR4125-1 /system/services # show dns
Domain Name Servers:
    IP Address: 172.16.200.100
FPR4125-1 /system/services # show ntp-server

NTP server hostname:
    Name                                                             Time Sync Status
    ---------------------------------------------------------------- ----------------
    10.62.148.75                                                     Unreachable Or Invalid Ntp Server
    172.18.108.14                                                    Time Synchronized
    172.18.108.15                                                    Candidate

FPR4125-1# scope security
FPR4125-1 /security # show trustpoint
Trustpoint Name: CHdefault
Trustpoint certificate chain: -----BEGIN CERTIFICATE-----
MIIFtzCCA5+gAwIBAgICBQkwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0x

8eOx79+Rj1QqCyXBJhnEUhAFZdWCEOrCMc0u
-----END CERTIFICATE-----
Cert Status: Valid
Trustpoint Name: CiscoLicRoot
Trustpoint certificate chain: -----BEGIN CERTIFICATE-----
MIIDITCCAgmgAwIBAgIBATANBgkqhkiG9w0BAQsFADAyMQ4wDAYDVQQKEwVDaXNj

QYYWqUCT4ElNEKt1J+hvc5MuNbWIYv2uAnUVb3GbsvDWl99/KA==
-----END CERTIFICATE-----
Cert Status: Valid
Trustpoint Name: CSCO2099SUDI
Trustpoint certificate chain: -----BEGIN CERTIFICATE-----
MIIDITCCAgmgAwIBAgIJAZozWHjOFsHBMA0GCSqGSIb3DQEBCwUAMC0xDjAMBgNV

PKkmBlNQ9hQcNM3CSzVvEAK0CCEo/NJ/xzZ6WX1/f8Df1eXbFg==
-----END CERTIFICATE-----
Cert Status: Valid
Trustpoint Name: CSCOBA2099SUDI
Trustpoint certificate chain: -----BEGIN CERTIFICATE-----
MIIDQTCCAimgAwIBAgIJAaZa8V7plOvhMA0GCSqGSIb3DQEBCwUAMD0xDjAMBgNV

b/JPEAZkbji0RQTWLyfR82LWFLo0
-----END CERTIFICATE-----
Cert Status: Valid

FPR4125-1# show clock
Tue Aug  4 09:55:50 UTC 2020
FPR4125-1# show timezone
Timezone:

FPR4125-1# scope system
FPR4125-1 /system # scope services
FPR4125-1 /system/services # show configuration
 scope services
     create ssh-server host-key rsa
     delete ssh-server host-key ecdsa
     disable ntp-authentication
     disable telnet-server
     enable https
     enable ssh-server
     enter dns 173.38.200.100
     enter ip-block 0.0.0.0 0 https
     exit
     enter ip-block 0.0.0.0 0 ssh
     exit
     enter ntp-server 10.62.148.75
         set ntp-sha1-key-id 0
 !       set ntp-sha1-key-string
     exit
     enter ntp-server 172.18.108.14
         set ntp-sha1-key-id 0
 !       set ntp-sha1-key-string
     exit
     enter ntp-server 172.18.108.15
         set ntp-sha1-key-id 0
 !       set ntp-sha1-key-string
     exit
     scope shell-session-limits
         set per-user 32
         set total 32
     exit
     scope telemetry
         disable
     exit
     scope web-session-limits
         set per-user 32
         set total 256
     exit
     set domain-name ""
     set https auth-type cred-auth
     set https cipher-suite "ALL:!DHE-PSK-AES256-CBC-SHA:!EDH-RSA-DES-CBC3-SHA:!
EDH-DSS-DES-CBC3-SHA:!DES-CBC3-SHA:!ADH:!3DES:!EXPORT40:!EXPORT56:!LOW:!MEDIUM:!NULL:!RC4:!MD5:!IDEA:+HIGH:+EXP"
     set https cipher-suite-mode high-strength
     set https crl-mode strict
     set https keyring default
     set https port 443
     set ssh-server host-key ecdsa secp256r1
     set ssh-server host-key rsa 2048
     set ssh-server kex-algorithm diffie-hellman-group14-sha1
    set ssh-server mac-algorithm hmac-sha1 hmac-sha2-256 hmac-sha2-512
     set ssh-server encrypt-algorithm aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr chacha20-poly1305_openssh_com
     set ssh-server rekey-limit volume none time none
     set ssh-client kex-algorithm diffie-hellman-group14-sha1
     set ssh-client mac-algorithm hmac-sha1 hmac-sha2-256 hmac-sha2-512
     set ssh-client encrypt-algorithm aes128-ctr aes192-ctr aes256-ctr
     set ssh-client rekey-limit volume none time none
     set ssh-client stricthostkeycheck disable
     set timezone ""
 exit

FPR4125-1# show license usage

License Authorization:
  Status: AUTHORIZED on Aug 04 2020 07:58:46 UTC

Firepower 4100 ASA Standard (FIREPOWER_4100_ASA_STANDARD):
  Description: Firepower 4100 ASA Standard
  Count: 1
  Version: 1.0
  Status: AUTHORIZED
  Export status: NOT RESTRICTED

ASA Sample Outputs of Verification Commands

asa# show run license
license smart
 feature tier standard

asa# show license all

Smart licensing enabled: Yes

Compliance status: In compliance

Overall licensed status: Authorized (3)

Entitlement(s):

Feature tier:
        Tag: regid.2015-10.com.cisco.FIREPOWER_4100_ASA_STANDARD,1.0_7d7f5ee2-1398-4b0e-aced-b3f7fb1cacfc
        Version: 1.0
        Enforcement mode: Authorized
        Handle: 1
        Requested time: Tue, 04 Aug 2020 07:58:13 UTC
        Requested count: 1
        Request status: Complete

Serial Number:  FCH12345ABC

License mode: Smart Licensing

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited
Maximum VLANs                     : 1024
Inside Hosts                      : Unlimited
Failover                          : Active/Active
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
Security Contexts                 : 10
Carrier                           : Disabled
AnyConnect Premium Peers          : 20000
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 20000
Total VPN Peers                   : 20000
AnyConnect for Mobile             : Enabled
AnyConnect for Cisco VPN Phone    : Enabled
Advanced Endpoint Assessment      : Enabled
Shared License                    : Disabled
Total TLS Proxy Sessions          : 15000
Cluster                           : Enabled

asa# show license entitlement

Entitlement(s):

Feature tier:
        Tag: regid.2015-10.com.cisco.FIREPOWER_4100_ASA_STANDARD,1.0_7d7f5ee2-1398-4b0e-aced-b3f7fb1cacfc
        Version: 1.0
        Enforcement mode: Authorized
        Handle: 1
        Requested time: Tue, 04 Aug 2020 07:58:13 UTC
        Requested count: 1
        Request status: Complete

asa# show license features
Serial Number:  FCH12345ABC

License mode: Smart Licensing

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited
Maximum VLANs                     : 1024
Inside Hosts                      : Unlimited
Failover                          : Active/Active
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
Security Contexts                 : 10
Carrier                           : Disabled
AnyConnect Premium Peers          : 20000
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 20000
Total VPN Peers                   : 20000
AnyConnect for Mobile             : Enabled
AnyConnect for Cisco VPN Phone    : Enabled
Advanced Endpoint Assessment      : Enabled
Shared License                    : Disabled
Total TLS Proxy Sessions          : 15000
Cluster                           : Enabled

asa# show tech-support license

Smart licensing enabled: Yes

Compliance status: In compliance

Overall licensed status: Authorized (3)

Entitlement(s):

Feature tier:
        Tag: regid.2015-10.com.cisco.FIREPOWER_4100_ASA_STANDARD,1.0_7d7f5ee2-1398-4b0e-aced-b3f7fb1cacfc
        Version: 1.0
        Enforcement mode: Authorized
        Handle: 1
        Requested time: Tue, 04 Aug 2020 07:58:13 UTC
        Requested count: 1
        Request status: Complete

Successful Registration

The output is from the chassis manager User Interface (UI):

Smart Licensing is ENABLED

Utility:
Status: DISABLED

Data Privacy:
Sending Hostname: yes
Callhome hostname privacy: DISABLED
Smart Licensing hostname privacy: DISABLED
Version privacy: DISABLED

Transport:
Type: Callhome

Registration:
Status: REGISTERED
Smart Account: TAC Cisco Systems, Inc.
Virtual Account: EU TAC
Export-Controlled Functionality: ALLOWED
Initial Registration: SUCCEEDED on Dec 10 2018 23:30:02 UTC
Last Renewal Attempt: SUCCEEDED on Mar 12 2020 23:16:11 UTC
Next Renewal Attempt: Sep 08 2020 23:16:10 UTC
Registration Expires: Mar 12 2021 23:11:09 UTC

License Authorization:
Status: AUTHORIZED on Jul 05 2020 17:49:15 UTC
Last Communication Attempt: SUCCEEDED on Jul 05 2020 17:49:15 UTC
Next Communication Attempt: Aug 04 2020 17:49:14 UTC
Communication Deadline: Oct 03 2020 17:44:13 UTC

License Conversion:
Automatic Conversion Enabled: True
Status: Not started

Export Authorization Key:
Features Authorized:
<none>

Cisco Success Network: DISABLED

Expired Authorization

The output is from the chassis manager User Interface:

Smart Licensing is ENABLED

Utility:
Status: DISABLED

Data Privacy:
Sending Hostname: yes
Callhome hostname privacy: DISABLED
Smart Licensing hostname privacy: DISABLED
Version privacy: DISABLED

Transport:
Type: Callhome

Registration:
Status: REGISTERED
Smart Account: Cisco SVS temp - request access through [email protected]
Virtual Account: Sample Account
Export-Controlled Functionality: ALLOWED
Initial Registration: SUCCEEDED on Nov 22 2019 08:17:30 UTC
Last Renewal Attempt: FAILED on Aug 04 2020 07:32:08 UTC
Failure reason: Agent received a failure status in a response message. Please check the Agent log file for the detailed message.
Next Renewal Attempt: Aug 04 2020 08:33:48 UTC
Registration Expires: Nov 21 2020 08:12:20 UTC

License Authorization:
Status: AUTH EXPIRED on Aug 04 2020 07:10:16 UTC
Last Communication Attempt: FAILED on Aug 04 2020 07:10:16 UTC
Failure reason: Data and signature do not match
Next Communication Attempt: Aug 04 2020 08:10:14 UTC
Communication Deadline: DEADLINE EXCEEDED

License Conversion:
Automatic Conversion Enabled: True
Status: Not started

Export Authorization Key:
Features Authorized:
<none>

Last Configuration Error
=========================
Command : register idtoken ZDA2MjFlODktYjllMS00NjQwLTk0MmUtYmVkYWU2NzIyZjYwLTE1ODIxODY2%0AMzEwODV8K2RWVTNURGFIK0tDYUhOSjg3bjFsdytwbU1SUi81N20rQTVPN2lT%0AdEtvYz0%3D%0A
Error : Smart Agent already registered

Cisco Success Network: DISABLED

Sample Outputs from Chassis CLI

Unregistered

firepower# show license all

Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration:
Status: UNREGISTERED

License Authorization:
Status: No Licenses in Use

License Usage
==============

No licenses in use

Product Information
===================
UDI: PID:F9K-C9300-SUP-K9,SN:JAD12345678

Agent Version
=============
Smart Agent for Licensing: 1.2.2_throttle/6

Registration Pending

firepower# scope license
firepower /license # register idtoken <id-token>
firepower /license # show license all

Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration:
  Status: UNREGISTERED - REGISTRATION PENDING
  Initial Registration: First Attempt Pending

License Authorization:
  Status: No Licenses in Use

License Usage
==============

No licenses in use

Product Information
===================
UDI: PID:F9K-C9300-SUP-K9,SN:JAD12345678

Agent Version
=============
Smart Agent for Licensing: 1.2.2_throttle/6

Registration Error

firepower /license # show license all

Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration:
  Status: UNREGISTERED - REGISTRATION FAILED
  Initial Registration: FAILED on Aug 04 04:46:47 2020 UTC
    Failure reason: HTTP transport failed

License Authorization:
  Status: No Licenses in Use

License Usage
==============

No licenses in use

Product Information
===================
UDI: PID:F9K-C9300-SUP-K9,SN:JAD12345678

Agent Version
=============
Smart Agent for Licensing: 1.2.2_throttle/6

Evaluation Period

firepower# show license all

Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration:
 Status: REGISTERING - REGISTRATION IN PROGRESS
 Initial Registration: FAILED on Aug 04 04:46:47 2020 UTC
 Next Registration Attempt: Aug 04 05:06:16 2020 UTC

License Authorization:
 Status: EVALUATION MODE
 Evaluation Period Remaining: 89 days, 14 hours, 26 minutes, 20 seconds

License Usage
==============

(ASA-SSP-STD):
 Description:
 Count: 1
 Version: 1.0
 Status: EVALUATION MODE


Product Information
===================
UDI: PID:F9K-C9300-SUP-K9,SN:JAD12345678

Agent Version
=============
Smart Agent for Licensing: 1.2.2_throttle/6

Common License Problems on FXOS Chassis (MIO)

Registration Error: Invalid token

FPR4125-1# show license all

Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration:
Status: UNREGISTERED - REGISTRATION FAILED
  Export-Controlled Functionality: NOT ALLOWED
  Initial Registration: FAILED on Aug 07 2020 06:39:24 UTC
    Failure reason: {"token":["The token 'ODNmNTExMTAtY2YzOS00Mzc1LWEzNWMtYmNiMm
UyNzM4ZmFjLTE1OTkxMTkz%0ANDk0NjR8NkJJdWZpQzRDbmtPR0xBWlVpUzZqMjlySnl5QUczT2M0YVI
vcmxm%0ATGczND0%3D%0B' is not valid."]}

Recommended Steps

  • Check if the call-home URL points to CSSM.
  • Log in to the CSSM and check whether the token was generated there and whether the token has expired.

Registration Error: Product already registered

FPR4125-1# show license all

Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration: 
Status: UNREGISTERED - REGISTRATION FAILED
 Export-Controlled Functionality: Not Allowed
 Initial Registration: FAILED on Aug 07 01:30:00 2020 UTC
  Failure reason: {"sudi":["The product 'firepower.com.cisco.
FPR9300,1.0_ed6dadbe-c965-4aeb-ab58-62e34033b453' and sudi {\"suvi\"=>nil,
\"uuid\"=>nil, \"host_identifier\"=>nil, \"udi_pid\"=>\"FPR9K-SUP\",
\"udi_serial_number\"=>\"JAD1234567S\", \"udi_vid\"=>nil, \"mac_address\"=>nil}
have already been registered."]}

Recommended Steps

  1. Log in to the CSSM.
  2. Check the ‘Product Instances’ tab in ALL virtual accounts.
  3. Locate the old registration instance by SN and remove it.
  4. This issue could be caused by:
    1. Failure to automatically renew when time/date is not set up correctly, e.g. no NTP server is configured, or
    2. Wrong order of operations when you switch between a Satellite and a Production server, e.g. change "URL" first and then issue "deregister".

Registration Error: Date offset beyond the limit

FPR4125-1# show license all

Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration:
 Status: UNREGISTERED - REGISTRATION FAILED
 Export-Controlled Functionality: Not Allowed
 Initial Registration: FAILED on Aug 07 01:30:00 2020 UTC
Failure reason: {"timestamp":["The device date '1453329321505' is offset beyond the allowed tolerance limit."]}

Recommended Steps

Check the time/date configuration to ensure that an NTP server is configured.

Registration Error: Failed to resolve host

FPR4125-1# show license all

Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration:
  Status: REGISTERING - REGISTRATION IN PROGRESS
  Export-Controlled Functionality: NOT ALLOWED
  Initial Registration: FAILED on Aug 07 2020 06:58:46 UTC
    Failure reason: Failed to resolve host
  Next Registration Attempt: Aug 07 2020 07:16:42 UTC

Recommended Steps

  • Check if the callhome SLDest URL is correct (scope monitoring > scope callhome > show expand).
  • Check if the MIO DNS server configuration is correct. E.g. from CLI:
FPR4125-1# scope system
FPR4125-1 /system # scope services
FPR4125-1 /system/services # show dns
Domain Name Servers:
    IP Address: 172.31.200.100
  • Try to ping 'tools.cisco.com' from the chassis CLI and see if it resolves.
FPR4125-1# connect local-mgmt
FPR4125-1(local-mgmt)# ping tools.cisco.com
  • Try to ping the DNS server from the chassis CLI.
FPR4125-1# connect local-mgmt
FPR4125-1(local-mgmt)# ping 172.31.200.100
PING 172.31.200.100 (172.31.200.100) from 10.62.148.225 eth0: 56(84) bytes of data.
^C
--- 172.31.200.100 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3001ms
  • Enable a capture on the chassis (MIO) mgmt interface (this is only applicable on FP41xx/FP93xx) and check the DNS communication while you run a ping test to 'tools.cisco.com'.
FPR4125-1# connect fxos
FPR4125-1(fxos)# ethanalyzer local interface mgmt capture-filter "udp port 53" limit-captured-frames 0 limit-frame-size 10000
Capturing on 'eth0'
    1 2020-08-07 08:10:45.252955552 10.62.148.225 → 172.31.200.100 DNS 75 Standard query 0x26b4 A tools.cisco.com
   2 2020-08-07 08:10:47.255015331 10.62.148.225 → 172.31.200.100 DNS 75 Standard query 0x26b4 A tools.cisco.com
    3 2020-08-07 08:10:49.257160749 10.62.148.225 → 172.31.200.100 DNS 75 Standard query 0x5019 A tools.cisco.com
    4 2020-08-07 08:10:51.259222753 10.62.148.225 → 172.31.200.100 DNS 75 Standard query 0x5019 A tools.cisco.com
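
The capture above contains only queries, which is the pattern to look for when the DNS server is unreachable. The following Python is an added example, not part of the original document or of any Cisco tool: it reads saved ethanalyzer text output and reports, per DNS server, how many queries were sent, how many responses came back, and which transaction IDs were never answered. The function names and the CONSTRUCTED_OK lines (including the 192.0.2.53 server) are assumptions made for the example; PAGE_CAPTURE is the capture shown above.

```python
import re
from collections import defaultdict

# One line of ethanalyzer text output for a DNS packet:
# frame number, date, time, source, arrow, destination, "DNS", length, info.
DNS_LINE = re.compile(
    r"^\s*\d+\s+\S+\s+\S+\s+(?P<src>\S+)\s+(?:→|->)\s+(?P<dst>\S+)\s+DNS\s+\d+\s+"
    r"Standard query (?P<resp>response )?(?P<txid>0x[0-9a-fA-F]+)\s+(?P<rest>.*)$")


def summarize_dns(capture_text):
    """Per DNS server: queries sent, responses seen, and queries never answered."""
    servers = defaultdict(lambda: {"queries": 0, "responses": 0, "open": {}})
    for line in capture_text.splitlines():
        m = DNS_LINE.match(line)
        if not m:
            continue  # not a DNS line (banner, blank line, other protocol)
        if m["resp"]:
            entry = servers[m["src"]]
            entry["responses"] += 1
            # A response closes the query with the same client and transaction ID.
            entry["open"].pop((m["dst"], m["txid"]), None)
        else:
            entry = servers[m["dst"]]
            entry["queries"] += 1
            qtype, _, name = m["rest"].partition(" ")
            sent = entry["open"].setdefault((m["src"], m["txid"]), [qtype, name, 0])
            sent[2] += 1  # the same ID seen again is a resolver retransmission
    report = {}
    for server, entry in servers.items():
        report[server] = {
            "queries": entry["queries"],
            "responses": entry["responses"],
            "unanswered": sorted(
                (txid, qtype, name, count)
                for (_, txid), (qtype, name, count) in entry["open"].items()),
        }
    return report


def verdict(report):
    """One-line conclusion per server, in terms of the checks listed on this page."""
    out = {}
    for server, r in report.items():
        if r["queries"] and not r["responses"]:
            out[server] = "no replies: check the DNS server IP and reachability"
        elif r["unanswered"]:
            out[server] = "some queries unanswered"
        else:
            out[server] = "answering"
    return out


# The four frames from the capture shown on this page.
PAGE_CAPTURE = """\
    1 2020-08-07 08:10:45.252955552 10.62.148.225 → 172.31.200.100 DNS 75 Standard query 0x26b4 A tools.cisco.com
    2 2020-08-07 08:10:47.255015331 10.62.148.225 → 172.31.200.100 DNS 75 Standard query 0x26b4 A tools.cisco.com
    3 2020-08-07 08:10:49.257160749 10.62.148.225 → 172.31.200.100 DNS 75 Standard query 0x5019 A tools.cisco.com
    4 2020-08-07 08:10:51.259222753 10.62.148.225 → 172.31.200.100 DNS 75 Standard query 0x5019 A tools.cisco.com
"""

# Constructed lines (documentation addresses) showing a query that is answered.
CONSTRUCTED_OK = """\
    1 2020-08-07 09:00:00.000000000 10.62.148.225 → 192.0.2.53 DNS 75 Standard query 0x1a2b A tools.cisco.com
    2 2020-08-07 09:00:00.020000000 192.0.2.53 → 10.62.148.225 DNS 91 Standard query response 0x1a2b A tools.cisco.com A 198.51.100.10
"""

if __name__ == "__main__":
    for capture in (PAGE_CAPTURE, CONSTRUCTED_OK):
        print(verdict(summarize_dns(capture)))
```
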

Registration Error: Failed to authenticate server

FPR4125-1# show license all

Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration: 
Status: UNREGISTERED - REGISTRATION FAILED
 Export-Controlled Functionality: Not Allowed
 Initial Registration: FAILED on Aug 07 2020 06:58:46 UTC
  Failure reason: Failed to authenticate server

Recommended Steps

  • Check if the MIO trustpoint CHdefault has the correct certificate. e.g.
FPR4125-1# scope security
FPR4125-1 /security # show trustpoint
Trustpoint Name: CHdefault
Trustpoint certificate chain: -----BEGIN CERTIFICATE-----
MIIFtzCCA5+gAwIBAgICBQkwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0x
...
8eOx79+Rj1QqCyXBJhnEUhAFZdWCEOrCMc0u
-----END CERTIFICATE-----
Cert Status: Valid
  • Check if the NTP server and timezone are set correctly. Certificate verification needs the same time between server and client. To accomplish this, use NTP to synchronize the time. E.g. FXOS UI verification:

Cisco ASA Smart Licensing on FXOS - Select Use NTP Server to synchronize the time

CLI verification:

FPR4125-1# scope system
FPR4125-1 /system # scope services
FPR4125-1 /system/services # show ntp-server

NTP server hostname:
    Name                                                   Time Sync Status
    ------------------------------------------------------ ----------------
    10.62.148.75                                         Unreachable Or Invalid Ntp Server
    172.18.108.14                                         Time Synchronized
    172.18.108.15                                          Candidate
  • Enable a capture and check the TCP communication (HTTPS) between the MIO and the tools.cisco.com. Here you have a few options:
  • You can close your HTTPS session to the FXOS UI and then set a capture filter on CLI for HTTPS, e.g.
FPR4100(fxos)# ethanalyzer local interface mgmt capture-filter "tcp port 443" limit-captured-frames 50
Capturing on eth0
2017-01-12 13:09:44.296256 10.62.148.37 -> 72.163.4.38  TCP 43278 > https [SYN] Seq=0 Len=0 MSS=1460 TSV=206433871 TSER=0 WS=9
2017-01-12 13:09:44.452405  72.163.4.38 -> 10.62.148.37 TCP https > 43278 [SYN,ACK] Seq=0 Ack=1 Win=32768 Len=0 MSS=1380 TSV=2933962056 TSER=206433871
2017-01-12 13:09:44.452451 10.62.148.37 -> 72.163.4.38  TCP 43278 > https [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=206433887 TSER=2933962056
2017-01-12 13:09:44.453219 10.62.148.37 -> 72.163.4.38  SSL Client Hello
2017-01-12 13:09:44.609171  72.163.4.38 -> 10.62.148.37 TCP https > 43278 [ACK] Seq=1 Ack=518 Win=32251 Len=0 TSV=2933962263 TSER=206433887
2017-01-12 13:09:44.609573  72.163.4.38 -> 10.62.148.37 SSL Continuation Data
2017-01-12 13:09:44.609595 10.62.148.37 -> 72.163.4.38  TCP 43278 > https [ACK] Seq=518 Ack=1369 Win=8208 Len=0 TSV=206433902 TSER=2933962264
2017-01-12 13:09:44.609599  72.163.4.38 -> 10.62.148.37 SSL Continuation Data
2017-01-12 13:09:44.609610 10.62.148.37 -> 72.163.4.38  TCP 43278 > https [ACK] Seq=518 Ack=2737 Win=10944 Len=0 TSV=206433902 TSER=2933962264

Additionally, if you want to keep the FXOS UI open you can specify in the capture the destination IPs (72.163.4.38 and 173.37.145.8 are the tools.cisco.com servers at the time of this writing). It is also highly recommended to save the capture in pcap format and check it in Wireshark. This is an example of a successful registration:

FPR4125-1(fxos)# ethanalyzer local interface mgmt capture-filter "tcp port 443 and (host 72.163.4.38 or host 173.37.145.8)" limit-captured-frames 0 limit-frame-size 10000 write workspace:///SSL.pcap
Capturing on 'eth0'
    1 2020-08-07 08:39:02.515693672 10.62.148.225 → 173.37.145.8 TCP 74 59818 → 443 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=800212367 TSecr=0 WS=512
    2 2020-08-07 08:39:02.684723361 173.37.145.8 → 10.62.148.225 TCP 60 443 → 59818 [SYN, ACK] Seq=0 Ack=1 Win=8190 Len=0 MSS=1330
    3 2020-08-07 08:39:02.684825625 10.62.148.225 → 173.37.145.8 TCP 54 59818 → 443 [ACK] Seq=1 Ack=1 Win=29200 Len=0
    4 2020-08-07 08:39:02.685182942 10.62.148.225 → 173.37.145.8 TLSv1 571 Client Hello

   11 2020-08-07 08:39:02.854525349 10.62.148.225 → 173.37.145.8 TCP 54 59818 → 443 [ACK] Seq=518 Ack=3991 Win=37240 Len=0

To export the pcap file to a remote FTP server:

FPR4125-1# connect local-mgmt
FPR4125-1(local-mgmt)# dir

1 56936 Aug 07 08:39:35 2020 SSL.pcap
1    29 May 06 17:48:02 2020 blade_debug_plugin
1    19 May 06 17:48:02 2020 bladelog
1    16 Dec 07 17:24:43 2018 cores
2  4096 Dec 07 17:28:46 2018 debug_plugin/
1    31 Dec 07 17:24:43 2018 diagnostics
2  4096 Dec 07 17:22:28 2018 lost+found/
1    25 Dec 07 17:24:31 2018 packet-capture
2  4096 Sep 24 07:05:40 2019 techsupport/

Usage for workspace://
3999125504 bytes total
284364800 bytes used
3509907456 bytes free
FPR4125-1(local-mgmt)# copy workspace:///SSL.pcap ftp://[email protected]/SSL.pcap
Password:
FPR4125-1(local-mgmt)#

Cisco ASA Smart Licensing on FXOS - ssl.pcap exported to remote FTP server

Registration Error: HTTP transport failed

FPR4125-1# show license all

Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration: 
 Status: UNREGISTERED - REGISTRATION FAILED
 Export-Controlled Functionality: Not Allowed
 Initial Registration: FAILED on Aug 07 2020 06:58:46 UTC
Failure reason: HTTP transport failed

Recommended Steps

  • Check if the call-home URL is correct. You can check this from the FXOS UI or the CLI (scope monitoring > show callhome detail expand)
  • Enable a capture and check the TCP communication (HTTPS) between the MIO and the tools.cisco.com as it is demonstrated in the 'Failed to authenticate server' section of this document.

Registration Error: Couldn't connect to host

FPR4125-1# show license all

Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration:
Status: UNREGISTERED - REGISTRATION FAILED
 Export-Controlled Functionality: Not Allowed
 Initial Registration: FAILED on Aug 07 2020 06:58:46 UTC
Failure reason: Couldn't connect to host

Recommended Steps

  • If a proxy configuration is enabled, check the proxy URL and port are configured correctly.
  • Enable a capture and check the TCP communication (HTTPS) between the MIO and the tools.cisco.com as it is demonstrated in the 'Failed to authenticate server' section of this document.

Registration Error: HTTP server returns error code >= 400

FPR4125-1# show license all

Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration:
Status: UNREGISTERED - REGISTRATION FAILED
 Export-Controlled Functionality: Not Allowed
 Initial Registration: FAILED on Aug 07 2020 06:58:46 UTC
 Failure reason: HTTP server returns error code >= 400. Contact proxy server admin if proxy configuration is enabled

Recommended Steps

  • If a proxy configuration is enabled contact the proxy server admin about proxy settings.
  • Enable a capture and check the TCP communication (HTTPS) between the MIO and the tools.cisco.com as it is demonstrated in the 'Failed to authenticate server' section of this document. Try to register again (‘force’ option) from the FXOS CLI:
FPR4125-1 /license # register idtoken ODNmNTExMTAtY2YzOS00Mzc1LWEzNWMtYmNiMmUyNzM4ZmFjLTE1OTkxMTkz%0ANDk0NjR8NkJJdWZpQzRDbmtPR0xBWlVpUzZqMjlySnl5QUczT2M0YVIvcmxm%0ATGczND0%3D%0A force

Registration Error: Parse backend response message failed

FPR4125-1# show license all

Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration:
 Status: UNREGISTERED - REGISTRATION FAILED
 Export-Controlled Functionality: Not Allowed
 Initial Registration: FAILED on Aug 07 2020 06:58:46 UTC
 Failure reason: Parsing backend response message failed

Recommended Steps

  • An automatic retry is attempted later. Use "renew" to retry immediately.
FPR4125-1# scope license
FPR4125-1 /license # scope licdebug
FPR4125-1 /license/licdebug # renew
  • Check if the call-home URL is correct.
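
The registration errors in this section can be told apart from saved "show license all" output alone. The following Python is an added example, not part of the original document or of any Cisco tool: it extracts the Registration status and the Failure reason (including reasons the CLI wraps across lines) and maps the reason to the recommended steps listed above; for the date-offset error it also decodes the device date, which is in epoch milliseconds. The function names, the category labels and the token in SAMPLE_TOKEN are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# (substring of the failure reason, category, checks this page lists for it)
RULES = [
    ("is not valid", "invalid-token",
     ["check that the call-home URL points to CSSM",
      "check in CSSM that the token was generated there and has not expired"]),
    ("already been registered", "already-registered",
     ["in CSSM, locate the old registration instance by SN and remove it"]),
    ("offset beyond the allowed tolerance", "clock-offset",
     ["check time/date and that an NTP server is configured"]),
    ("Failed to resolve host", "dns",
     ["check the callhome SLDest URL", "check the MIO DNS server",
      "capture 'udp port 53' on mgmt"]),
    ("Failed to authenticate server", "server-auth",
     ["check the CHdefault trustpoint certificate", "check NTP and timezone",
      "capture 'tcp port 443' on mgmt"]),
    ("HTTP transport failed", "http-transport",
     ["check the call-home URL", "capture 'tcp port 443' on mgmt"]),
    ("Couldn't connect to host", "connect",
     ["check the proxy URL and port", "capture 'tcp port 443' on mgmt"]),
    ("error code >= 400", "http-error",
     ["contact the proxy server admin", "capture 'tcp port 443' on mgmt",
      "register again with 'force'"]),
    ("Parsing backend response message failed", "backend-parse",
     ["wait for the automatic retry or run 'renew'", "check the call-home URL"]),
]
# A "Key: value" or "Section:" line ends a hard-wrapped failure reason.
KEY_LINE = re.compile(r"^\s*[A-Z][A-Za-z -]+:(\s|$)")


def parse_registration(output):
    """Return (status, failure_reason) of the Registration section."""
    status, parts, in_reg, wrapped = None, [], False, False
    for line in output.splitlines():
        text = line.strip()
        if wrapped:
            if text and not KEY_LINE.match(line):
                parts.append(text)  # continuation of the wrapped reason
                continue
            wrapped = False
        if text == "Registration:":
            in_reg = True
        elif text == "License Authorization:":
            in_reg = False
        elif in_reg and status is None and text.startswith("Status:"):
            status = text.split(":", 1)[1].strip()
        elif in_reg and not parts and text.startswith("Failure reason:"):
            parts.append(text.split(":", 1)[1].strip())
            wrapped = True
    # The CLI wraps mid-token, so the pieces are joined without a separator.
    return status, "".join(parts) or None


def device_date(reason):
    """Decode the epoch-milliseconds device date quoted in a date-offset error."""
    m = re.search(r"device date '(\d+)'", reason or "")
    return datetime.fromtimestamp(int(m.group(1)) // 1000, tz=timezone.utc) if m else None


def triage(output):
    """Map 'show license all' text to a failure category and the page's checks."""
    status, reason = parse_registration(output)
    result = {"status": status, "reason": reason, "category": None,
              "steps": [], "device_date": device_date(reason)}
    if reason:
        result["category"] = "unknown"
        for needle, category, steps in RULES:
            if needle in reason:
                result.update(category=category, steps=steps)
                break
    return result


# Constructed sample: layout of the page's invalid-token output, made-up token.
SAMPLE_TOKEN = """Registration:
Status: UNREGISTERED - REGISTRATION FAILED
  Initial Registration: FAILED on Aug 07 2020 06:39:24 UTC
    Failure reason: {"token":["The token 'CONSTRUCTEDaaaa
bbbbCONSTRUCTED%0Acccc
dddd%3D' is not valid."]}

License Authorization:
  Status: No Licenses in Use
"""
# Registration lines as shown on this page for the date-offset error.
SAMPLE_CLOCK = """Registration:
 Status: UNREGISTERED - REGISTRATION FAILED
 Initial Registration: FAILED on Aug 07 01:30:00 2020 UTC
Failure reason: {"timestamp":["The device date '1453329321505' is offset beyond the allowed tolerance limit."]}
"""

if __name__ == "__main__":
    for sample in (SAMPLE_TOKEN, SAMPLE_CLOCK):
        print(triage(sample))
```

The decoded device date is the value to compare against a trusted clock, since the "FAILED on" timestamp in the same output is printed by the device itself.
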

License Issues on ASA - 1xxx/21xx Series

Registration Error: Communication message send error

ciscoasa# show license all

Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration:
Status: REGISTERING - REGISTRATION IN PROGRESS
  Export-Controlled Functionality: NOT ALLOWED
  Initial Registration: FAILED on Aug 07 2020 11:29:42 UTC
    Failure reason: Communication message send error
  Next Registration Attempt: Aug 07 2020 11:46:13 UTC

Recommended Steps

ciscoasa# show run dns
  • Try to ping tools.cisco.com. In this case, the management interface is used:
ciscoasa# ping management tools.cisco.com
                ^
ERROR: % Invalid Hostname

ciscoasa# show route management-only

Ensure that you have license enabled, e.g.

ciscoasa# show run license
license smart
 feature tier standard
 feature strong-encryption
  • Enable capture on the interface that routes towards the tools.cisco.com (if you take the capture without any IP filters ensure that you don’t have ASDM open when you take the capture to avoid unnecessary capture noise).
ciscoasa# capture CAP interface management match tcp any any eq 443

WARNING: Running packet capture can have an adverse impact on performance.

  • Temporarily enable Syslog logging level 7 (debugging) and check the ASA Syslog messages during the registration process.
ciscoasa(config)# logging buffer-size 10000000
ciscoasa(config)#logging buffered  7
ciscoasa(config)# logging enable
ciscoasa# show logging
%ASA-7-717025: Validating certificate chain containing 3 certificate(s).
%ASA-7-717029: Identified client certificate within certificate chain. serial number: 3000683B0F7504F7B244B3EA7FC00927E960D735, subject name: CN=tools.cisco.com,O=Cisco Systems\, Inc.,L=San Jose,ST=CA,C=US.
%ASA-7-717030: Found a suitable trustpoint _SmartCallHome_ServerCA to validate certificate.
%ASA-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.
%ASA-6-717022: Certificate was successfully validated. serial number: 3000683B0F7504F7B244B3EA7FC00927E960D735, subject name:  CN=tools.cisco.com,O=Cisco Systems\, Inc.,L=San Jose,ST=CA,C=US.
%ASA-6-725002: Device completed SSL handshake with server management:10.62.148.184/22258 to 173.37.145.8/443 for TLSv1.2 session

Try to register again:

ciscoasa # license smart register idtoken <idtoken> force

Special requirements for add-on entitlements

  • A valid feature tier entitlement needs to be acquired before configuring any add-on entitlements.
  • All the add-on entitlements need to be released before releasing the feature tier entitlement.

Entitlement state during reboot operation

  • Entitlement states are saved in the flash.
  • During boot time, this information is read from the flash and the licenses are set depending on the enforcement mode saved.
  • The startup configuration is applied based on this cached entitlement information.
  • Entitlements are requested again after each reboot.

Engage Cisco TAC Support

FP41xx/FP9300

If all of the above fails, collect these outputs from the chassis CLI and contact Cisco TAC:

Output 1

FPR4125-1# show license techsupport

Output 2

FPR4125-1# scope monitoring
FPR4125-1 /monitoring # scope callhome
FPR4125-1 /monitoring/callhome # show detail expand

Output 3

FXOS chassis support bundle

FPR4125-1#connect local-mgmt
FPR4125-1(local-mgmt)# show tech-support chassis 1 detail

Output 4 (highly recommended)

Ethanalyzer capture from the chassis CLI

FP1xxx/FP21xx

Output 1

ciscoasa# show tech-support license

Output 2

ciscoasa# connect fxos admin
firepower-2140# connect local-mgmt
firepower-2140(local-mgmt)# show tech-support fprm detail

Frequently Asked Questions (FAQ)

On FP21xx where is the Licensing tab on the chassis (FCM) GUI?
As of 9.13.x, FP21xx supports 2 ASA modes:

In Appliance mode, there is no chassis UI. In Platform mode, there is a chassis UI, but the license is configured from the ASA CLI or ASDM.
On the other hand, on FPR4100/9300 platforms, the license must be configured in FCM via GUI or FXOS CLI and ASA entitlements must be requested from ASA CLI or ASDM.
References:

How can you enable a Strong Encryption License?
This functionality is enabled automatically if the token which was used in the FCM registration had the option Allow export-controlled functionality on the products registered with this token enabled.


How can you enable a Strong Encryption License if the Export-Controlled Features on the FCM level and corresponding Encryption-3DES-AES on the ASA level is Disabled?
If the token does not have this option enabled, de-register the FCM and register it again with a token which has this option enabled.


What can you do if the option Allow export-controlled functionality on the products registered with this token is not available when you generate the token?
Contact your Cisco Account team.


Is it mandatory to configure feature strong-encryption on the ASA level?
The feature strong-encryption option is mandatory only if FCM is integrated with a pre-2.3.0 Satellite server. This is only one scenario when you must configure this feature.


Which IPs must be allowed in the path between the FCM and the Smart Licensing Cloud?
FXOS uses the address https://tools.cisco.com (port 443) to communicate with the licensing cloud. The address https://tools.cisco.com is resolved to these IP addresses:

Why do you get an Out of Compliance error?
The device can become out of compliance in these situations:

  • Over-utilization - (the device uses unavailable licenses).
  • License expiration - A time-based license expired.
  • Lack of communication - The device cannot reach the Licensing Authority for re-authorization.

To verify whether your account is in, or approaching, an Out-of-Compliance state, you must compare the entitlements currently in use by your Firepower chassis against those in your Smart Account.
In an out-of-compliance state, you are able to make configuration changes to features that require special licenses, but the operation is otherwise unaffected. For example, contexts that already exist over the Standard license limit continue to run, and you can modify their configuration, but you are not able to add a new context.

Why do you still get an Out of Compliance error after the addition of missing licenses?
By default, the device communicates with the License Authority every 30 days to check entitlements. If you would like to trigger it manually, you must follow these steps:
For FPR1000/2100 platforms it must be done via ASDM or via CLI:

ASA# license smart renew auth

For FPR4100/9300 platforms it must be done via FXOS CLI:

FP4100# scope system
FP4100 /system # scope license
FP4100 /license # scope licdebug
FP4100 /license/licdebug # renew

Why is there no License In Use on the ASA level?
Ensure that ASA entitlement was configured on the ASA level, for example:

ASA(config)# license smart
ASA(config-smart-lic)# feature tier standard

Why are licenses still not In use even after the configuration of an ASA entitlement?
This status is expected if you deployed an ASA Active/Standby failover pair and you check the license usage on the Standby device.
As per the Configuration Guide, the configuration is replicated to the standby unit, but the standby unit does not use the configuration; it remains in a cached state. Only the active unit requests the licenses from the server. The licenses are aggregated into a single failover license that is shared by the failover pair, and this aggregated license is also cached on the standby unit to be used if it becomes the active unit in the future. For reference:

Failover or ASA Cluster Licenses

What can you do if FCM does not have access to the Internet?
As an alternative, you can deploy Cisco Smart Software Manager On-Prem (formerly known as Cisco Smart Software Manager Satellite). This is a component of Cisco Smart Licensing that works in conjunction with the Cisco Smart Software Manager. It offers near real-time visibility and reporting capabilities of the Cisco licenses you purchase and consume. It also gives security-sensitive organizations a way to access a subset of Cisco SSM functionality without the usage of a direct internet connection to manage their install base.

Where can you find more information about Cisco Smart Software Manager On-Prem?
You can find this information in the FXOS Configuration Guide:

Related Information

Source: https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215920-asa-smart-license-registration-and-troub.html

Cisco ASAv Smart Licensing Explained and Registration Process

With the release of 9.3 for the ASA, Cisco introduced Smart Licensing, which lets you purchase and manage a pool of licenses centrally. Unlike product authorization key (PAK) licenses, smart licenses are not tied to a specific serial number. You can easily deploy or retire ASAvs without having to manage each unit’s license key. Smart Software Licensing also lets you see your license usage and needs at a glance (source).

Personally, I think it’s a great way to manage all of your licenses. This is especially helpful if you are in the Cloud sector. As a Private Cloud provider, for example, it allows you to manage licenses for your IaaS offering in one centralized location, fast and easy. The ability to “reuse” a license for a second tenant if one tenant no longer needs it is a powerful tool. Since everything is going virtual, not having licenses tied to physical equipment provides leverage and speed in deployments.

Before getting into the implementation piece, I would like to provide an overview of the different licenses that Cisco provides for its virtual ASAs.

As you may know, the difference is going to be in the resources and features. Before purchasing any ASAv license, it's crucial to identify your requirements, such as throughput, sessions, etc.

The table below provides all the information you need for Cisco's four offerings (asav5, asav10, asav30, asav50) as of April 10, 2018. Highlighted features are the ones I would pay close attention to prior to a purchasing decision. For more information, including ordering part numbers, please visit the Cisco Data Sheet.

Table 1.

| Feature | ASAv5 | ASAv10 | ASAv30 | ASAv50 |
|---|---|---|---|---|
| Stateful inspection throughput (maximum) (UDP) | 100 Mbps | 1 Gbps | 2 Gbps | 10 Gbps |
| Stateful inspection throughput (multiprotocol) (TCP) | 50 Mbps | 500 Mbps | 1 Gbps | 5 Gbps |
| Advanced Encryption Standard (AES) VPN throughput | 30 Mbps | 125 Mbps | 1 Gbps | 3 Gbps |
| Connections per second | 8,000 | 20,000 | 60,000 | 120,000 |
| Concurrent sessions | 50,000 | 100,000 | 500,000 | 2,000,000 |
| VLANs | 25 | 50 | 200 | 1024 |
| Bridge groups | 12 | 25 | 100 | 250 |
| IPsec VPN peers | 50 | 250 | 750 | 10,000 |
| Cisco AnyConnect® or clientless VPN user sessions | 50 | 250 | 750 | 10,000 |
| Cisco Unified Communications phone proxy | 50 | 250 | 1000 | Not tested |
| Cisco Cloud Web Security users | 250 | 1,000 | 5000 | Not tested |
| Virtual CPUs | 1 | 1 | 4 | 8 |
| Memory | 1 GB minimum, 1.5 GB maximum | 2 GB | 8 GB | 16 GB |
| Minimum disk storage | 8 GB | 8 GB | 16 GB | 16 GB |

High availability: Active/standby

Hypervisor support: VMware ESX/ESXi 6.0, 6.5; vMotion; KVM; Hyper-V: Windows Server 2012 R2 (Not supported for ASAv50)

Public Cloud Support: AWS (c3.large, c3.xlarge, c4.large, c4.xlarge, M4); Azure (d3, d3_v2) (including Azure Government Cloud); Currently not supported on Public Cloud

Modes: Routed and transparent

Once you purchase the license there are two pieces to the puzzle. First, you will need to deploy the OVF file on your compute infrastructure (VMware/Hyper-V). This post does not cover the deployment of the OVF file. Please let me know if you are interested in covering that piece and I’ll be more than happy to present it. Otherwise, please follow one of the Cisco KB articles on this process.

After the ASAv has been deployed, you will need to register it to get all the features you paid for.

By default, ASAv comes with limited resources. That can be verified by the following three commands:

ASAv# sh vm

Virtual Platform Resource Limits
——————————–
Number of vCPUs              :     0 
Processor Memory             :     0 MB 

Virtual Platform Resource Status
——————————–
Number of vCPUs                 :     2     (Noncompliant: Over-provisioned)
Processor Memory                :  4096 MB  (Noncompliant: Over-provisioned)
Hypervisor                      :   VMware
Model Id                        :   ASAv30


ASAv# sh ver

Cisco Adaptive Security Appliance Software Version 9.8(2)20
Firepower Extensible Operating System Version 2.2(2.63)
Device Manager Version 7.8(1)

Compiled on Fri 02-Feb-18 06:18 PST by builders
System image file is “disk0:/asa982-20-smp-k8.bin”
Config file at boot was “startup-config”

IDS-LDEN-Demo01-ASAv up 61 days 21 hours

Hardware:   ASAv, 4096 MB RAM, CPU Xeon E5 series 2000 MHz, 1 CPU (2 cores)
Model Id:   ASAv30
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x0, 0KB

 0: Ext: Management0/0       : address is 0050.56a1.26a7, irq 10
1: Ext: GigabitEthernet0/0  : address is 0050.56a1.1c89, irq 5
2: Ext: GigabitEthernet0/1  : address is 0050.56a1.52a8, irq 9
3: Ext: GigabitEthernet0/2  : address is 0050.56a1.399c, irq 11
4: Ext: GigabitEthernet0/3  : address is 0050.56a1.3ac9, irq 10
5: Ext: GigabitEthernet0/4  : address is 0050.56a1.0fa1, irq 5
6: Ext: GigabitEthernet0/5  : address is 0050.56a1.76ff, irq 9
7: Ext: GigabitEthernet0/6  : address is 0050.56a1.7d33, irq 11
8: Ext: GigabitEthernet0/7  : address is 0050.56a1.376d, irq 10
9: Ext: GigabitEthernet0/8  : address is 0050.56a1.3784, irq 5

License mode: Smart Licensing
ASAv Platform License State: Unlicensed
No active entitlement: no feature tier and no throughput level configured
*Memory resource allocation is more than the permitted limit.


ASAv# sh license status

Smart Licensing is ENABLED

Registration:
Status: UNREGISTERED
Export-Controlled Functionality: Not Allowed

License Authorization: 
  Status: No Licenses in Use

Registering your newly deployed ASAv requires applying a token ID that can be generated from the Smart Licensing Portal. Please note you should have an account created during the purchase process.

Once logged in, navigate to the Smart Software Licensing URL (fig.1).

smart-software-license1

Navigate to Inventory > Licenses to verify if the license was applied to your account(fig.2).

smart-software-license2

From that point navigate to General > New Token > Create Token(fig.3).

smart-software-license3

At this point a new token should be generated (fig.4). Copy it to your clipboard; you’ll need it soon.

smart-software-license4

In order to have a successful license installation your ASAv needs to be able to ping/resolve tools.cisco.com.

ASAv# ping tools.cisco.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.37.145.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/36/40 ms

If that fails, your registration will fail. Make sure you have proper DNS domain lookup configured. This is the step that gets missed a lot of the time.

ASAv(config)# dns domain-lookup outside
ASAv(config)# dns server-group DefaultDNS
ASAv(config-dns-server-group)# name-server 8.8.8.8
ASAv(config-dns-server-group)# domain-name companyName.local

Now you are ready to apply Smart Licensing. First, apply the proper throughput level under license smart:

ASAv(config)# license smart
ASAv(config-smart-lic)# ?

Smart Licensing configuration commands:
exit        Exit Smart Licensing configuration mode and apply configuration
feature     Set License feature
no          Negate a command
throughput  Set License throughput
ASAv(config-smart-lic)# throughput level ?

smart-lic-mode mode commands/options:
100M  Enable 100 Mbps throughput level
  10G   Enable 10 Gbps throughput level
  1G    Enable 1 Gbps throughput level
  2G    Enable 2 Gbps throughput level

The full command set, e.g. for an ASAv30, would be:

license smart
feature tier standard
throughput level 2G
exit

Finally, apply the idtoken that you previously copied to your clipboard:

license smart register idtoken MzE2MTMwMzItMzQ4Yy00NmUxLWI3ZjYtNWFhZGVlMDc4ZWViLTE1MjU5NzQ4%0AMDQ2MDd8RHp0NkdkbGRZOFlnSllUM0dEVUdmN0c force

To verify that the license was successfully installed, check the VM status as well as the license usage:

ASAv# sh vm

Virtual Platform Resource Limits
——————————–
Number of vCPUs              :     4
Processor Memory             :  8192 MB 

Virtual Platform Resource Status
——————————–
Number of vCPUs                 :     4     (Compliant)
Processor Memory                :  8192 MB  (Compliant)
Hypervisor                      :   VMware
Model Id                        :   ASAv30


ASAv# sh license usage 

License Authorization:
Status: AUTHORIZED on Feb 09 03:08:47 2018 UTC

ASAv30 Standard – 2G (ASAv-STD-2G):
Description: ASAv30 Standard – 2G
Count: 1
Version: 1.0
Status: AUTHORIZED

If the registration failed, please double-check that you can ping tools.cisco.com and/or regenerate the idtoken on the Smart License Portal and reapply it.
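The before/after verification from the steps above can be run as an offline audit over saved CLI output, which helps when many ASAv instances need checking. This is an added example, not code from the original post: the function names and the trimmed sample text are constructed here, and `REGISTERED` is assumed as the registered state, since the post only shows `UNREGISTERED`.

```python
import re

# Constructed samples, trimmed from the `sh vm`, `sh license status` and
# `sh license usage` output shown in the post (before and after registration).
BEFORE = """\
Number of vCPUs                 :     2     (Noncompliant: Over-provisioned)
Processor Memory                :  4096 MB  (Noncompliant: Over-provisioned)
Registration:
Status: UNREGISTERED
License Authorization:
  Status: No Licenses in Use
"""
AFTER = """\
Number of vCPUs                 :     4     (Compliant)
Processor Memory                :  8192 MB  (Compliant)
License Authorization:
Status: AUTHORIZED on Feb 09 03:08:47 2018 UTC
ASAv30 Standard - 2G (ASAv-STD-2G):
Status: AUTHORIZED
"""

RESOURCE = re.compile(r"^(Number of vCPUs|Processor Memory)\s*:\s*(.+?)\s+\((.+)\)$")
SECTION = re.compile(r"^(\S.*):$")      # e.g. "Registration:"
STATUS = re.compile(r"^Status:\s*(.+)$")

def parse(text):
    resources, status, section = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := RESOURCE.match(line):    # only lines carrying a verdict
            resources[m[1]] = (m[2], m[3])
        elif m := STATUS.match(line):    # Status belongs to the last section
            status[section] = m[1]
        elif m := SECTION.match(line):
            section = m[1]
    return resources, status

def findings(text):
    """Return a list of licensing problems; an empty list means compliant."""
    resources, status = parse(text)
    out = [f"{name} = {value}: {verdict}"
           for name, (value, verdict) in resources.items()
           if verdict != "Compliant"]
    # Fail closed: any registration state other than REGISTERED (assumed) is flagged.
    reg = status.get("Registration")
    if reg is not None and reg != "REGISTERED":
        out.append(f"Registration status is {reg}")
    auth = status.get("License Authorization")
    if auth is None or not auth.startswith("AUTHORIZED"):
        out.append(f"License authorization is {auth or 'missing'}")
    return out
```

Calling `findings()` on captured output returns one line per problem, so an empty list is the pass condition for a unit.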

I hope this has been informative, and let me know if you were successful or not.

Thanks.

About The Author

Bart Dworzanczyk


Source: http://binaryroute.net/cisco-asav-smart-licensing-explained-and-registration-process/

Asav license cisco demo

High performance, scalable security

Ideal for remote worker and multi-tenant environments. Supports site-to-site VPN, remote-access VPN, and clientless VPN. Integrates with Azure transit VNet for scalable inter-VNet traffic. Cisco ASAv can also scale up/down to meet the needs of dynamic environments. High availability provides resilience.

Consistent security everywhere

Gain consistent security policies, enforcement and protection across your physical, virtual, and cloud environments. Cisco ASAv provides advanced protocol inspection, including voice and video. Micro-segmentation secures east-west traffic.

Unified management

Enjoy unified management for cloud, physical, and virtual devices with Cisco Defense Orchestrator (CDO). Supports the REST API, an HTTP-based interface that facilitates appliance management, security policies, status monitoring, and enables multiple cloud management solutions for physical and virtual instances of Cisco ASA.

Unified security platform

Cisco SecureX is a cloud-native, built-in platform experience within our portfolio that is integrated and open for simplicity, unified in one location for visibility, and maximizes operational efficiency. SecureX also orchestrates the configuration of Azure VNets manually or automatically in response to events from Cisco Security products.

FREE TRIAL- Cisco ASAv has a demo mode that runs with reduced performance. No license required.

Cisco ASAv is integrated with Azure Security Center and available in the Azure Government Cloud

For a list of supported Azure instances, please see the Cisco ASAv data sheet

Source: https://azuremarketplace.microsoft.com/en-us/marketplace/apps/cisco.cisco-adaptive-security-appliance?tab=overview