04-14-2019 08:12 AM - edited 02-21-2020 09:02 AM
Hi there, I have an FTD 2100 appliance managed through an FMC appliance, and it was recently implemented. When I tried to create an IPsec tunnel to a remote site, deploying the policy produces the error below. Input on this is highly appreciated.
Strong crypto (i.e encryption algorithm greater than DES) for VPN topology xxx_VPN is not supported. This can be because of FMC is running on evaluation license or smart licensing is not entitled for strong crypto.
In this case, how do I verify my FMC is not running an evaluation license, and how do I activate smart licensing for strong crypto?
04-15-2019 09:15 PM
Do you have your appliance (or the managing FMC) registered in your Smart license account?
If so, you can request Cisco add the 3DES-AES license for it.
04-16-2019 03:56 AM
04-16-2019 05:31 AM
I just checked my company Smart Account and see that we don't have a separate strong crypto (3DES-AES) license for FTD devices. There doesn't appear to be any global setting in the account that enables Strong Crypto either. (Or if there is it's not exposed to an account admin (me).)
I recommend opening a case via email to licensing@cisco.com to have them check your account settings.
04-16-2019 05:41 AM
Looks like you did not enable export-control features when registering the device via FMC using smart licensing. When you register the FMC using a token, make sure the "Allow export control" checkbox is checked.
Once you do this, your FTD device should have this enabled under the FMC:
What you need to do is re-register the FMC again to smart licensing, this time with export control enabled.
04-16-2019 05:42 AM
Good catch Rahul, thanks for posting that one.
04-16-2019 08:06 AM