07-07-2021 02:07 AM
Hi,
I have launched an ASAv from this AWS Marketplace product, https://aws.amazon.com/marketplace/pp/prodview-k3dpkteh6bgzi. I have tried both the 9.14.2.13 and 9.15.1.15 versions but I am seeing the following errors on both versions:
Warning: ASAv platform license state is Unlicensed.
Message #423 : Install ASAv platform license for full functionality.
Message #424 : Failure contacting AWS server; reason code 8
Message #425 : Failure contacting AWS server; reason code 8
We have this working in separate AWS accounts, however, these were set up last year and so are using a 9.13.x version of the ASA software which appears to be no longer available on the AWS Marketplace. All AWS environments are set up using Terraform so I am confident that the AWS side of things is all ok.
The ASA side of things is quite simple, it has 3 Elastic Network Adapters attached for management, inside and outside interfaces. All use DHCP to get their IPs and the outside interface has "ip address dhcp setroute" set. The ASA is used as the NAT device for servers in the inside interface subnet.
While all the above is working, the performance is really bad and I believe this is down to the product being unlicensed. When running "show version" I see...
License mode: AWS Licensing
License state: PROBATIONARY
Would this cause really slow performance? If so what can be done to troubleshoot failing to contact the AWS servers? Also, what server is it looking for and what does reason code 8 mean?
Any help at all would be greatly appreciated!
Many thanks,
Chris
07-07-2021 02:52 AM
What kind of deployment do you have in AWS?
Can you post the below:
# show vm
# show License status (remove your serial or any confidential data)
# show version
Note: as the license shows AWS Licensing, this is tied to the AWS provider license.
07-07-2021 03:02 AM
Here is the output of the commands. "show license status" wasn't valid so I've given the output of "show license features"
show vm:
Virtual Platform Resource Status
--------------------------------
Number of vCPUs : 2
Processor Memory : 4096 MB
Hypervisor : KVMAWS
Region : us-east-1a
Instance Type : c5.large
Virtual Platform Resource Limits
--------------------------------
Connections : 100000
VLANs : 50
AnyConnect Premium Peers : 250
TLS Proxy Sessions : 500
show license features:
Serial Number: <REDACTED>
License mode: AWS Licensing
License state: PROBATIONARY
Licensed features for this platform:
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 2
AnyConnect Essentials : Disabled
Other VPN Peers : 250
Total VPN Peers : 250
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
Advanced Endpoint Assessment : Disabled
Shared License : Disabled
Total TLS Proxy Sessions : 2
Botnet Traffic Filter : Enabled
Cluster : Disabled
show version:
Cisco Adaptive Security Appliance Software Version 9.14(2)13
SSP Operating System Version 2.8(1.144)
Device Manager Version 7.14(1)
Compiled on Fri 05-Mar-21 04:04 GMT by builders
System image file is "boot:/asa9142-13-smp-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 17 hours 33 mins
Hardware: ASAv, 4096 MB RAM, CPU Xeon 4100/6100/8100 series 3000 MHz, 1 CPU (2 cores)
Internal ATA Compact Flash, 11264MB
Slot 1: ATA Compact Flash, 11264MB
BIOS Flash Firmware Hub @ 0x1, 0KB
0: Ext: Management0/0 : address is 1206.9cd8.a469, irq 0
1: Ext: TenGigabitEthernet0/0: address is 121b.b0b9.3237, irq 0
2: Ext: TenGigabitEthernet0/1: address is 1290.2242.7497, irq 0
3: Int: Internal-Data0/0 : address is 0000.0100.0001, irq 0
License mode: AWS Licensing
License state: PROBATIONARY
Licensed features for this platform:
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 2
AnyConnect Essentials : Disabled
Other VPN Peers : 250
Total VPN Peers : 250
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
Advanced Endpoint Assessment : Disabled
Shared License : Disabled
Total TLS Proxy Sessions : 2
Botnet Traffic Filter : Enabled
Cluster : Disabled
Serial Number: <REDACTED>
Image type : Release
Key version : A
10-27-2021 11:52 PM
Is the ASAv throughput limited to 100Kbps as the license state is PROBATIONARY?
04-13-2022 07:13 AM
Has this been resolved? If so, could you provide information on how it was resolved? We are facing the same issue with a device utilizing AWS Licensing.
04-13-2022 10:32 AM
@sloan if you use BYOL make sure your management interface has Internet access and that you enter the token from your software.cisco.com Smart license portal.
If you use Amazon licensing they should provision this for you.
04-13-2022 10:36 AM
This is using Amazon licensing and the license has been provisioned; however, the ASAv is showing the following error and license status.
Syslog Message:
Failed to contact AWS license server, error code 8
License Status:
License mode: AWS Licensing
License state: PROBATIONARY
I have tried a reload but it didn't change anything. I checked on the AWS side and the license is showing as listed to this instance id.
Thank you for the response. If you have any additional ideas would love the help.
Regards
04-13-2022 01:44 PM
I was able to resolve this by completing a full stop of the instance and starting it back up. Upon reboot the license was installed once again and working as expected. For those that are using this model this may render helpful in the future if you encounter the same issue.
07-10-2024 06:27 AM
We managed to find out the cause for this issue. The ASAv requires IMDSv1 to get the license information, so if you have IMDSv2 set to required on the EC2 instance then the ASAv is unable to get the license information and it remains in a probationary state until the trial is over.
As soon as we set IMDSv2 to optional the ASAv was able to get the license information and changed to a licensed state.
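Added example (not part of the thread, and not Cisco or AWS code): a check for the condition described in the 07-10-2024 reply, run over `aws ec2 describe-instances` output. It flags only the ASAv instances whose metadata options reject IMDSv1 and emits the per-instance change, so IMDSv2 stays enforced on everything else. The `Role=asav` tag and the instance IDs are assumptions made up for the sample; the check also flags a disabled metadata endpoint, which goes beyond what the thread reports.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output.
# The instance IDs and the "Role" tag convention are made up for this example.
SAMPLE = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
   "Tags": [{"Key": "Role", "Value": "asav"}],
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
  {"InstanceId": "i-0aaaaaaaaaaaaaaa2",
   "Tags": [{"Key": "Role", "Value": "asav"}],
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
  {"InstanceId": "i-0bbbbbbbbbbbbbbb1",
   "Tags": [{"Key": "Role", "Value": "web"}],
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}}
]}]}
""")

def imds_blockers(instance):
    """Return the reasons this instance cannot answer IMDSv1 requests."""
    opts = instance.get("MetadataOptions", {})
    reasons = []
    if opts.get("HttpEndpoint") == "disabled":
        reasons.append("metadata endpoint disabled")
    if opts.get("HttpTokens") == "required":
        reasons.append("IMDSv2 required (IMDSv1 rejected)")
    return reasons

def audit(describe_output, tag_key="Role", tag_value="asav"):
    """List (instance id, reasons, fix command) for tagged ASAv instances only."""
    findings = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if tags.get(tag_key) != tag_value:
                continue  # leave IMDSv2 enforcement untouched on other hosts
            reasons = imds_blockers(inst)
            if reasons:
                fix = ("aws ec2 modify-instance-metadata-options "
                       f"--instance-id {inst['InstanceId']} "
                       "--http-endpoint enabled --http-tokens optional")
                findings.append((inst["InstanceId"], reasons, fix))
    return findings

if __name__ == "__main__":
    for instance_id, reasons, fix in audit(SAMPLE):
        print(instance_id, "->", "; ".join(reasons))
        print("  ", fix)
```

Because IMDSv1 is then reachable from anything running on that instance, keep the IAM role attached to the ASAv as small as possible.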