ASA IPS Licensing Query

davidcannon1 · ‎07-28-2015

Hi all,

Apologies if this is in the wrong sub forum.

We currently have 2 x Cisco ASA firewalls with IPS modules installed.

The subscription license has since lapsed and so we are now unable to apply signature updates.

I was just hoping that someone confirm that part #L-ASA5525-TA-1Y is what we would require?

Also having never had to update these licenses before - how does this work when buying through a reseller?

Thanks in advance,

David.

wbalanqu · ‎07-28-2015

Hello David,

If you need a 1 year IPS subscription for an ASA 5525, then yes that will be the license that you will need.

One option of activating your license is through CLI, check this guide for a more detailed information. (http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/intro_license.html#wp1283637).

Please rate or follow me if you find this post useful. Thanks!

Marvin Rhoads · ‎07-28-2015

wbalanqu - please check the original post. Your advice is incorrect.

David - please confirm you are using the classic Cisco IPS type. The output of "show module" should show module type "ips" as up.

For the classic Cisco IPS (now end of sales), the signature update entitlement is tied to the active Smartnet contract with the IPS service subscription update ("SU" in the Smartnet contract part number) for the ASA.

The part number "L-ASA5525-TA-1Y" is for use with an ASA using the FirePOWER module (module type "sfr"). It is used to license the IPS feature via the FireSIGHT Management Center used to manage those newer module types.

davidcannon1 · ‎07-29-2015

Hi Marvin,

Here is the output from the "show module" on both ASA firewalls;

hostname/pri/act# show module

Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
0 ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC ASA5525 FCH17367BQQ
ips ASA 5525-X IPS Security Services Processor ASA5525-IPS FCH17367BQQ
cxsc Unknown N/A FCH17367BQQ

Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
ips IPS Up 7.3(3)E4
cxsc Unknown No Image Present Not Applicable

Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
0 Up Sys Not Applicable
ips Up Up
cxsc Unresponsive Not Applicable

Mod License Name License Status Time Remaining
---- -------------- --------------- ---------------
ips IPS Module Enabled perpetual

hostname/sec/stby# show module

Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
0 ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC ASA5525 FCH17367BFF
ips ASA 5525-X IPS Security Services Processor ASA5525-IPS FCH17367BFF
cxsc Unknown N/A FCH17367BFF

Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
ips IPS Up 7.3(3)E4
cxsc Unknown No Image Present Not Applicable

Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
0 Up Sys Not Applicable
ips Up Up
cxsc Unresponsive Not Applicable

Mod License Name License Status Time Remaining
---- -------------- --------------- ---------------
ips IPS Module Enabled perpetual

So going by your previous comment, the IPS subscription license should be included with our smartnet? Both of the ASA firewalls have active smartnet cover, but we simply renew this via a 3rd party support company who manage our firewalls.

Apologies if this is a tedious query!

Thanks,

David.

Marvin Rhoads · ‎07-29-2015

They should be included in your Smartnet, correct.

The Smartnet line item would have a service level something like "SU1" for product number "ASA5525-IPS-K9".

That will suffice to register the ASA by serial number in Cisco's system and entitle the IPS module to download the signature updates.

davidcannon1 · ‎07-30-2015

Hi Marvin,

The smartnet was purchased through a reseller so we haven't has sight of any documentation with regards to the smartnet.

I'll revert back to them to see if there's any sign of this and report back.

Thanks for the help so far,

David.