11-21-2018 01:03 AM - edited 02-21-2020 08:29 AM
Hello experts,
Any input from you guys would be greatly appreciated.
I have two ASA 5545-X in an Active/Standby failover. I configured Remote Access VPN and tried to install the AnyConnect APEX license on both units. I am getting the below error, which says the APEX license will not have the 3DES/AES license. However, both ASAs currently have 3DES/AES licenses. What would happen if I go ahead and install the APEX license?
The ASAs have site-to-site VPN tunnels using AES encryption.
ASA# show activation-key
Serial Number: FCH126575TY
Running Permanent Activation Key: 0xb2544e66c 0x64f779af 0xad704556 0xcd9828b4 0x5t3cf392
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 300 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 2500 perpetual
Total VPN Peers : 2500 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual
This platform has an ASA5545 VPN Premium license.
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 300 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 2500 perpetual
Total VPN Peers : 2500 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total UC Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
This platform has an ASA5545 VPN Premium license.
The flash permanent activation key is the SAME as the running permanent key.
When I tried to install APEX:
ASA(config)# activation-key 683ca162 0c6f91b1 25f0699c d5d87ce8 4256ca85
Validating activation key. This may take a few minutes...
The following features available in running permanent activation key are NOT
available in new permanent activation key:
Encryption-3DES-AES
WARNING: The running activation key was not updated with the requested key.
Proceed with update flash activation key? [confirm]
Please let me know if you have further questions.
Thanks
Suresh
11-21-2018 05:18 AM
It should be fine and the new AnyConnect license should not overwrite the 3DES-AES license.
Worst case you can re-download a new free 3DES-AES license and apply it after you confirm the AnyConnect Apex installation. You might want to go ahead and pre-download one so you have it on hand.
12-11-2018 05:54 AM
Hi Marvin,
Thanks for the response.
Cisco TAC confirmed that the APEX license comes with the 3DES-AES. However, once I installed the APEX license, 3DES-AES disappeared.
Since I have the Security ELA, I was able to generate a new 3DES-AES and installed it.
Thanks
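Added example, not part of any post in this thread: a small Python check that compares `show activation-key` output saved before and after a key change and reports features that were usable before but are disabled or missing afterwards, which is how the 3DES-AES loss reported above would show up. The sample text is constructed from rows in the output quoted in the first post; the function names and the "after" state are assumptions for illustration.

```python
import re

# Feature rows look like "Encryption-3DES-AES : Enabled perpetual".
ROW = re.compile(r"^(?P<name>[^:]+?)\s*:\s*(?P<value>\S+)\s+(?P<term>.+)$")
PLATFORM = "Licensed features for this platform:"
CLUSTER = "Failover cluster licensed features for this platform:"

def parse_features(output, section=PLATFORM):
    """Return {feature: value} for one section of `show activation-key` output."""
    features, in_section = {}, False
    for line in output.splitlines():
        line = line.strip()
        if line.endswith("features for this platform:"):
            in_section = (line == section)   # a new header starts or ends our section
            continue
        match = ROW.match(line) if in_section else None
        if match:                            # summary lines without ':' are skipped
            features[match.group("name")] = match.group("value")
    return features

def lost_features(before, after):
    """Features usable before the change but disabled or absent afterwards."""
    return sorted(name for name, value in before.items()
                  if value != "Disabled" and after.get(name, "Disabled") == "Disabled")

# Constructed sample: a subset of the rows shown in the first post.
BEFORE = """\
Licensed features for this platform:
Maximum VLANs : 300 perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
AnyConnect Essentials : Disabled perpetual
This platform has an ASA5545 VPN Premium license.
Failover cluster licensed features for this platform:
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
"""
# Constructed "after" state: identical except that 3DES-AES is no longer enabled.
AFTER = BEFORE.replace("Encryption-3DES-AES : Enabled", "Encryption-3DES-AES : Disabled")

if __name__ == "__main__":
    for section in (PLATFORM, CLUSTER):
        lost = lost_features(parse_features(BEFORE, section), parse_features(AFTER, section))
        print(section, "lost:", lost or "nothing")
```

Running the same comparison on both failover units after each key change catches a dropped encryption feature before site-to-site tunnels that negotiate AES are affected.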