cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6850
Views
35
Helpful
19
Replies

ASA5505-50-BUN-K9 3DES license problem [Resolved]

Hi,

I have ASA505 with 3DES disabled, i heard that i can have the 3DES license without fee, so i contacted cisco more than 10 times to have the license, and every time they send me the same licence as my parmanent base key: 5321ec6e 102e534b fc21e96c 841c8ca8 ce1727aa

I don't understand the problem, here is the show activation key output:

Running Permanent Activation Key: 
0x5321ec6e 0x102e534b 0xfc21e96c 0x841c8ca8 0xce1727aa
Licensed features for this platform:
 
Maximum Physical Interfaces    : 8              perpetual
VLANs                          : 3              DMZ Restricted
Dual ISPs                      : Disabled       perpetual
VLAN Trunk Ports               : 0              perpetual
Inside Hosts                   : 50             perpetual
Failover                       : Disabled       perpetual
VPN-DES                        : Enabled        perpetual
VPN-3DES-AES                   : Disabled       perpetual
SSL VPN Peers                  : 2              perpetual
Total VPN Peers                : 10             perpetual
Shared License                 : Disabled       perpetual
AnyConnect for Mobile          : Disabled       perpetual
AnyConnect for Cisco VPN Phone : Disabled       perpetual
AnyConnect Essentials          : Disabled       perpetual
Advanced Endpoint Assessment   : Disabled       perpetual
Botnet Traffic Filter          : Disabled       perpetual
Intercompany Media Engine      : Disabled       perpetual
This platform has a Base license.
The flash permanent activation key is the SAME as the running permanent key.

And the license key that cisco send me every time isexactely the same but it should activate the 3DES encryption algorithm:

Inside Hosts                    : 50        
Failover                        : Disabled  
Encryption-DES                  : Enabled   
Encryption-3DES-AES             : Enabled   
Security Contexts               : Default   
GTP/GPRS                        : Disabled  
AnyConnect Premium Peers        : Default   
Other VPN Peers                 : Default   
Advanced Endpoint Assessment    : Disabled  
AnyConnect for Mobile           : Disabled  
AnyConnect for Cisco VPN Phone  : Disabled  
Shared License                  : Disabled  
UC Phone Proxy Sessions         : Default   
Total UC Proxy Sessions         : Default   
AnyConnect Essentials           : Disabled  
Botnet Traffic Filter           : Disabled  
Intercompany Media Engine       : Disabled  
Platform = asa

JMX152040DW:      5321ec6e 102e534b fc21e96c 841c8ca8 ce1727aa

ASA5505.jpg

Can someone tell me where is the problem please?

Thank you in advance.

7 Accepted Solutions

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

Plugging that serial number into the licensing tool get the activation key you noted but also the text:

"ASA5500-ENCR-K9

Warning, our records indicate that the Cisco ASA Firewall hardware serial NUMBER that you submitted during registration has previously been licensed FOR A higher feature SET."

What other licensing has been done on this ASA? Are you the original owner? You may have to call the TAC to sort it out if you aren't.

View solution in original post

Yes, I would contact the TAC again and have them stay on the line with you to resolve completely. Something is amiss with your license and they should be able to make it right.

View solution in original post

As I noted ealier, request they escalate your service request to resolve satisfactorily.

This should have no connection to the image version. If the new device has a corrupted image and you do not have a support contract AND you are within the initial 90 day warranty, the TAC should be able to help you with direct access to a good image.

Again, you would still need to escalate the service request.

View solution in original post

You're welcome.

NPE means No Payload Encryption. I did not think to ask earlier, but if you are in a country for whom the US has forbidden export of products containing strong encryption, you would not be eligible for a 3DES-AES image and activation.

General Reference:

http://www.cisco.com/web/about/doing_business/legal/global_export_trade/general_export/contract_compliance.html

List of countries affected:

http://www.cisco.com/web/about/doing_business/legal/global_export_trade/general_export/faqs.html#Q7

An RMA is a Return Material Authorization. It means Cisco will ship a new device in exchange for one they determine to be inoperable.

View solution in original post

That's good - so the TAC should be able to get you resolved with a new image and activation key.

I'm just guessing but your equipment may have originally been part of an allocation that went to a reseller that did business with your neighboring country of Libya which is restricted.

View solution in original post

Houari,

Sorry the TAC did not provide your software. As a new purchase, it should have been entitled.

What is your current software version and how much memory does your 5505 have? Running 8.3 or later on the 5505 requires 512 MB of memory. Reference. You should also be upgrading the ASDM software image to the current release.

A system software upgrade will cause a loss of service while the system reloads. If done correctly it will only be brief (<5 minutes). The ASDM upgrade does not cause any service interruption.

There is always some risk but follow the upgrade procedure and it should go fine. It is most easily done via the ASDM GUI.

View solution in original post

Yes, your memory is good.

To update via the GUI, Choose "Tools, Upgrade Software from Local Computer". In the dialog box that pops up pick "Image to upload" as ASA (not the default APCF) and then browse to your local copy of the new software. It will then upload the file using https to your ASA disk0, ask you if you want to make this the new boot image (choose yes) and then ask if you want to reload and upgrade now.

Remember the updated ASDM (asdm-711.bin) will give you the most functionality with the new release. You should follow the similar process to get it on the ASA, choosing instead ASDM from the "Image to Upload" drop down menu. You won't have to reload the ASA itself after you do that, only the ASDM client.

View solution in original post

19 Replies 19

Marvin Rhoads
Hall of Fame
Hall of Fame

Plugging that serial number into the licensing tool get the activation key you noted but also the text:

"ASA5500-ENCR-K9

Warning, our records indicate that the Cisco ASA Firewall hardware serial NUMBER that you submitted during registration has previously been licensed FOR A higher feature SET."

What other licensing has been done on this ASA? Are you the original owner? You may have to call the TAC to sort it out if you aren't.

Hi Marvin,

Thank you for response

I bought it new from a reseller(not directly from cisco representative), and i unpacked it by my self(it was new).

I already called the TAC, and they sent me exactly the same activation key.

Should i recall them?

Thank you.

Yes, I would contact the TAC again and have them stay on the line with you to resolve completely. Something is amiss with your license and they should be able to make it right.

I called them twice time today, the first one i've received the same license.

The second time, TAC has leveled-up my request after that i send them the screen-shoot and the result of show version.

Hope that i will get the problem resolved.

I will keep you posted.

Thank you.

Here is there last response (04/12/2012 14:26 from Peter Christian Avengoza):

Dear Houari Dali Youcef,

This is the same license key.

JMX152040DW:   5321ec6e 102e534b fc21e96c 841c8ca8 ce1727aa

However please send me the ?show activation-key detail? and please try to reload the ASA5505 and see how it looks.

If you need further assistance with this software license request, please let me know and I will be glad to assist you. Otherwise, if I do not hear back from you, I will file this case as ?resolved?.

Thank you for contacting Cisco.

What can i do more ? i sent to them the show activation-key, and i reloaded the firewall !

Here is there last response:

K8 and K9 are only license.

You can get images for this ASA:

http://software.cisco.com/download/release.html?mdfid=280582808&flowid=4377&softwareid=280775065&release=9.1.1.ED&relind=AVAILABLE&rellifecycle=&reltype=latest

Please provide me with output of show tech for this ASA.

But i couldn't download the image beacause i don't have service contrat ID. Is it impossible to get this image without this service contrat ?

Thank you!

As I noted ealier, request they escalate your service request to resolve satisfactorily.

This should have no connection to the image version. If the new device has a corrupted image and you do not have a support contract AND you are within the initial 90 day warranty, the TAC should be able to help you with direct access to a good image.

Again, you would still need to escalate the service request.

They already escalted my service request, here is:

2012/12/15  12.32:

Hi Houari,

I have escalated your issue again to the Business Unit to check what is the cause of the problem that you are getting. Kindly bear with us.

Best regards,

Peter Christian Avengoza

And i bought for about 6 month ago.

How do i chech if i have a corrupted image on my firewall?

Here is other email they sent to me:

2012/12/15 12:08:

I have opened a new TAC case (624204757) for you because you ASA device JMX152040DW is running a "NPE" image. This image is not capable of supporting K8/K9,we need to verify if the NPE device can be updated to K8/K9 simply by replacing the SW image (or if not, it would need to be RMA'ed).

Can you please explain me what this means ? (RMA'ed ??)

Thank you very much for your help Marvin.

You're welcome.

NPE means No Payload Encryption. I did not think to ask earlier, but if you are in a country for whom the US has forbidden export of products containing strong encryption, you would not be eligible for a 3DES-AES image and activation.

General Reference:

http://www.cisco.com/web/about/doing_business/legal/global_export_trade/general_export/contract_compliance.html

List of countries affected:

http://www.cisco.com/web/about/doing_business/legal/global_export_trade/general_export/faqs.html#Q7

An RMA is a Return Material Authorization. It means Cisco will ship a new device in exchange for one they determine to be inoperable.

Yes, but i'm from Algeria, i don't belong to those group of country

That's good - so the TAC should be able to get you resolved with a new image and activation key.

I'm just guessing but your equipment may have originally been part of an allocation that went to a reseller that did business with your neighboring country of Libya which is restricted.

I Hope not, i'm going to verify this tomorrow in morning.

I'll keep you posted.

Thank you again.

Hi,

I had to download this file: http://software.cisco.com/download/release.html?mdfid=280582808&flowid=4377&softwareid=280775065&release=9.1.1.ED&relind=AVAILABLE&rellifecycle=&reltype=latest

I asked a friend who get a valid service contrat and so have a ability to download the image for me.

The file is named: asa911-k8.bin

Do you know how to proceed the update? is there a risk that my firewall will not work correctly ?

Thank you.

Houari,

Sorry the TAC did not provide your software. As a new purchase, it should have been entitled.

What is your current software version and how much memory does your 5505 have? Running 8.3 or later on the 5505 requires 512 MB of memory. Reference. You should also be upgrading the ASDM software image to the current release.

A system software upgrade will cause a loss of service while the system reloads. If done correctly it will only be brief (<5 minutes). The ASDM upgrade does not cause any service interruption.

There is always some risk but follow the upgrade procedure and it should go fine. It is most easily done via the ASDM GUI.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: