We recently replaced our PAYG ASAv with a newer version 9.20 instance. During the upgrade we noticed that the new firewall was unable to change into a licensed state; instead, it was stuck in the probationary state and would have transitioned to unlicensed at the end of the trial.
After trying to launch a new firewall with a software version that matched the old one (9.19) and getting the same result, we started to compare the differences between the old and new EC2 instances. At this point we found the cause: the new instance had the IMDSv2 (Instance Metadata Service) setting set to required, while the old instance had it set to optional, meaning that IMDSv1 was still available.
As soon as we changed the IMDSv2 setting to optional on the new firewall, regardless of the software version, the firewall was able to get the license details successfully.
Is there a configuration setting we can change to force the ASAv to use IMDSv2 to get the license details? Or does this require a software update from Cisco? At present, the ASAv EC2 instance is the only one in our entire AWS account that needs to use IMDSv1. It would be great to get the ASAv to use IMDSv2 so that we can completely disable IMDSv1 in our account. See https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service for more details.
If there isn't a configuration change we can make to switch over to IMDSv2, then could we please get a response from Cisco about when this is likely to be fixed?
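For readers following this thread, here is an added example (not part of the original post, and not Cisco's or AWS's code) of the difference between the two metadata request styles the post is about. It runs a local stand-in for the EC2 metadata endpoint that mimics the documented behaviour of the HttpTokens setting: with `required`, a plain GET without a session token gets 401, and only a client that first does `PUT /latest/api/token` with the `X-aws-ec2-metadata-token-ttl-seconds` header and then presents `X-aws-ec2-metadata-token` succeeds; with `optional`, both styles work. The instance ID, region, port and the stand-in server itself are constructed for the example; the real service lives at 169.254.169.254 and serves the instance's own data.

```python
"""IMDSv1 vs IMDSv2 client exchange against a local stand-in (added example)."""
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample values; the real IMDS returns the instance's own metadata.
SAMPLE_METADATA = {
    "/latest/meta-data/instance-id": "i-0123456789abcdef0",
    "/latest/meta-data/placement/region": "eu-west-1",
}


class _ImdsHandler(BaseHTTPRequestHandler):
    # Both attributes are overridden on the per-server subclass in start_fake_imds().
    http_tokens = "optional"   # mirrors the EC2 HttpTokens option: optional | required
    tokens = set()             # session tokens this stand-in has issued

    def log_message(self, *args):  # keep the example quiet
        pass

    def do_PUT(self):
        # IMDSv2 token issuance: PUT /latest/api/token with a TTL header (1..21600 s).
        if self.path != "/latest/api/token":
            return self._send(404, "not found")
        ttl = self.headers.get("X-aws-ec2-metadata-token-ttl-seconds")
        if ttl is None or not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
            return self._send(400, "missing or invalid TTL header")
        token = secrets.token_urlsafe(32)
        self.tokens.add(token)
        self._send(200, token)

    def do_GET(self):
        token = self.headers.get("X-aws-ec2-metadata-token")
        if token is not None and token not in self.tokens:
            return self._send(401, "unauthorized")          # bogus token
        if token is None and self.http_tokens == "required":
            return self._send(401, "unauthorized")          # IMDSv1 blocked
        body = SAMPLE_METADATA.get(self.path)
        if body is None:
            return self._send(404, "not found")
        self._send(200, body)

    def _send(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_fake_imds(http_tokens):
    """Start a stand-in on 127.0.0.1 with an ephemeral port; returns (server, base_url)."""
    handler = type("Handler", (_ImdsHandler,),
                   {"http_tokens": http_tokens, "tokens": set()})
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def _do(req):
    """Perform a request and return (status, body) even for HTTP error codes."""
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def fetch_v1(base, path):
    """IMDSv1 style: a plain GET with no session token."""
    return _do(urllib.request.Request(base + path, method="GET"))


def fetch_v2(base, path, ttl_seconds=21600):
    """IMDSv2 style: obtain a session token with PUT, then GET with the token header."""
    tok_req = urllib.request.Request(
        base + "/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    status, token = _do(tok_req)
    if status != 200:
        return status, token
    req = urllib.request.Request(base + path, method="GET",
                                 headers={"X-aws-ec2-metadata-token": token})
    return _do(req)


def compare(http_tokens, path="/latest/meta-data/instance-id"):
    """Run both client styles against a stand-in configured with the given HttpTokens."""
    server, base = start_fake_imds(http_tokens)
    try:
        return {"v1": fetch_v1(base, path), "v2": fetch_v2(base, path)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for mode in ("optional", "required"):
        print(mode, compare(mode))
```

With `required`, the v1 lookup returns 401 while the v2 lookup returns the instance ID; that is the same failure the post describes for a licensing client that only speaks IMDSv1, and the token exchange in `fetch_v2` is what such a client would have to add.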