11-21-2012 02:21 AM - edited 02-21-2020 04:47 AM
Hi,
I have ASA505 with 3DES disabled, i heard that i can have the 3DES license without fee, so i contacted cisco more than 10 times to have the license, and every time they send me the same licence as my parmanent base key: 5321ec6e 102e534b fc21e96c 841c8ca8 ce1727aa
I don't understand the problem, here is the show activation key output:
Running Permanent Activation Key:
0x5321ec6e 0x102e534b 0xfc21e96c 0x841c8ca8 0xce1727aa
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 50 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Disabled perpetual
SSL VPN Peers : 2 perpetual
Total VPN Peers : 10 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
AnyConnect Essentials : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
The flash permanent activation key is the SAME as the running permanent key.
And the license key that cisco send me every time isexactely the same but it should activate the 3DES encryption algorithm:
Inside Hosts : 50
Failover : Disabled
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : Default
GTP/GPRS : Disabled
AnyConnect Premium Peers : Default
Other VPN Peers : Default
Advanced Endpoint Assessment : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
Shared License : Disabled
UC Phone Proxy Sessions : Default
Total UC Proxy Sessions : Default
AnyConnect Essentials : Disabled
Botnet Traffic Filter : Disabled
Intercompany Media Engine : Disabled
Platform = asa
JMX152040DW: 5321ec6e 102e534b fc21e96c 841c8ca8 ce1727aa
Can someone tell me where is the problem please?
Thank you in advance.
Solved! Go to Solution.
11-21-2012 08:12 AM
Plugging that serial number into the licensing tool get the activation key you noted but also the text:
"ASA5500-ENCR-K9
Warning, our records indicate that the Cisco ASA Firewall hardware serial NUMBER that you submitted during registration has previously been licensed FOR A higher feature SET."
What other licensing has been done on this ASA? Are you the original owner? You may have to call the TAC to sort it out if you aren't.
11-24-2012 11:33 AM
Yes, I would contact the TAC again and have them stay on the line with you to resolve completely. Something is amiss with your license and they should be able to make it right.
12-15-2012 07:32 AM
As I noted ealier, request they escalate your service request to resolve satisfactorily.
This should have no connection to the image version. If the new device has a corrupted image and you do not have a support contract AND you are within the initial 90 day warranty, the TAC should be able to help you with direct access to a good image.
Again, you would still need to escalate the service request.
12-15-2012 10:52 AM
You're welcome.
NPE means No Payload Encryption. I did not think to ask earlier, but if you are in a country for whom the US has forbidden export of products containing strong encryption, you would not be eligible for a 3DES-AES image and activation.
General Reference:
List of countries affected:
http://www.cisco.com/web/about/doing_business/legal/global_export_trade/general_export/faqs.html#Q7
An RMA is a Return Material Authorization. It means Cisco will ship a new device in exchange for one they determine to be inoperable.
12-15-2012 11:10 AM
That's good - so the TAC should be able to get you resolved with a new image and activation key.
I'm just guessing but your equipment may have originally been part of an allocation that went to a reseller that did business with your neighboring country of Libya which is restricted.
12-20-2012 12:47 PM
Houari,
Sorry the TAC did not provide your software. As a new purchase, it should have been entitled.
What is your current software version and how much memory does your 5505 have? Running 8.3 or later on the 5505 requires 512 MB of memory. Reference. You should also be upgrading the ASDM software image to the current release.
A system software upgrade will cause a loss of service while the system reloads. If done correctly it will only be brief (<5 minutes). The ASDM upgrade does not cause any service interruption.
There is always some risk but follow the upgrade procedure and it should go fine. It is most easily done via the ASDM GUI.
12-20-2012 01:26 PM
Yes, your memory is good.
To update via the GUI, Choose "Tools, Upgrade Software from Local Computer". In the dialog box that pops up pick "Image to upload" as ASA (not the default APCF) and then browse to your local copy of the new software. It will then upload the file using https to your ASA disk0, ask you if you want to make this the new boot image (choose yes) and then ask if you want to reload and upgrade now.
Remember the updated ASDM (asdm-711.bin) will give you the most functionality with the new release. You should follow the similar process to get it on the ASA, choosing instead ASDM from the "Image to Upload" drop down menu. You won't have to reload the ASA itself after you do that, only the ASDM client.
11-21-2012 08:12 AM
Plugging that serial number into the licensing tool get the activation key you noted but also the text:
"ASA5500-ENCR-K9
Warning, our records indicate that the Cisco ASA Firewall hardware serial NUMBER that you submitted during registration has previously been licensed FOR A higher feature SET."
What other licensing has been done on this ASA? Are you the original owner? You may have to call the TAC to sort it out if you aren't.
11-21-2012 09:37 AM
Hi Marvin,
Thank you for response
I bought it new from a reseller(not directly from cisco representative), and i unpacked it by my self(it was new).
I already called the TAC, and they sent me exactly the same activation key.
Should i recall them?
Thank you.
11-24-2012 11:33 AM
Yes, I would contact the TAC again and have them stay on the line with you to resolve completely. Something is amiss with your license and they should be able to make it right.
11-27-2012 03:09 AM
I called them twice time today, the first one i've received the same license.
The second time, TAC has leveled-up my request after that i send them the screen-shoot and the result of show version.
Hope that i will get the problem resolved.
I will keep you posted.
Thank you.
12-05-2012 01:37 AM
Here is there last response (04/12/2012 14:26 from Peter Christian Avengoza):
Dear Houari Dali Youcef,
This is the same license key.
JMX152040DW: 5321ec6e 102e534b fc21e96c 841c8ca8 ce1727aa
However please send me the ?show activation-key detail? and please try to reload the ASA5505 and see how it looks.
If you need further assistance with this software license request, please let me know and I will be glad to assist you. Otherwise, if I do not hear back from you, I will file this case as ?resolved?.
Thank you for contacting Cisco.
What can i do more ? i sent to them the show activation-key, and i reloaded the firewall !
12-15-2012 07:26 AM
Here is there last response:
K8 and K9 are only license.
You can get images for this ASA:
Please provide me with output of show tech for this ASA.
But i couldn't download the image beacause i don't have service contrat ID. Is it impossible to get this image without this service contrat ?
Thank you!
12-15-2012 07:32 AM
As I noted ealier, request they escalate your service request to resolve satisfactorily.
This should have no connection to the image version. If the new device has a corrupted image and you do not have a support contract AND you are within the initial 90 day warranty, the TAC should be able to help you with direct access to a good image.
Again, you would still need to escalate the service request.
12-15-2012 10:14 AM
They already escalted my service request, here is:
2012/12/15 12.32:
Hi Houari,
I have escalated your issue again to the Business Unit to check what is the cause of the problem that you are getting. Kindly bear with us.
Best regards,
Peter Christian Avengoza
And i bought for about 6 month ago.
How do i chech if i have a corrupted image on my firewall?
Here is other email they sent to me:
2012/12/15 12:08:
I have opened a new TAC case (624204757) for you because you ASA device JMX152040DW is running a "NPE" image. This image is not capable of supporting K8/K9,we need to verify if the NPE device can be updated to K8/K9 simply by replacing the SW image (or if not, it would need to be RMA'ed).
Can you please explain me what this means ? (RMA'ed ??)
Thank you very much for your help Marvin.
12-15-2012 10:52 AM
You're welcome.
NPE means No Payload Encryption. I did not think to ask earlier, but if you are in a country for whom the US has forbidden export of products containing strong encryption, you would not be eligible for a 3DES-AES image and activation.
General Reference:
List of countries affected:
http://www.cisco.com/web/about/doing_business/legal/global_export_trade/general_export/faqs.html#Q7
An RMA is a Return Material Authorization. It means Cisco will ship a new device in exchange for one they determine to be inoperable.
12-15-2012 11:06 AM
Yes, but i'm from Algeria, i don't belong to those group of country
12-15-2012 11:10 AM
That's good - so the TAC should be able to get you resolved with a new image and activation key.
I'm just guessing but your equipment may have originally been part of an allocation that went to a reseller that did business with your neighboring country of Libya which is restricted.
12-15-2012 11:14 AM
I Hope not, i'm going to verify this tomorrow in morning.
I'll keep you posted.
Thank you again.
12-20-2012 12:29 PM
Hi,
I had to download this file: http://software.cisco.com/download/release.html?mdfid=280582808&flowid=4377&softwareid=280775065&release=9.1.1.ED&relind=AVAILABLE&rellifecycle=&reltype=latest
I asked a friend who get a valid service contrat and so have a ability to download the image for me.
The file is named: asa911-k8.bin
Do you know how to proceed the update? is there a risk that my firewall will not work correctly ?
Thank you.
12-20-2012 12:47 PM
Houari,
Sorry the TAC did not provide your software. As a new purchase, it should have been entitled.
What is your current software version and how much memory does your 5505 have? Running 8.3 or later on the 5505 requires 512 MB of memory. Reference. You should also be upgrading the ASDM software image to the current release.
A system software upgrade will cause a loss of service while the system reloads. If done correctly it will only be brief (<5 minutes). The ASDM upgrade does not cause any service interruption.
There is always some risk but follow the upgrade procedure and it should go fine. It is most easily done via the ASDM GUI.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide