"Encryption-3DES-AES" is disabled on Cisco Firepower 4110 ASA logical device

mohamed_safwat
Level 1

I have a pair of 4110s, and I had a problem SSHing to the logical ASAs. Having looked at the licensing, it appears that the "Encryption-3DES-AES" is disabled, which is causing it to only accept SSHv1 connections. The problem is, I don't have access to the internet or smart license. show version:

License mode: Smart Licensing

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited
Maximum VLANs                     : 1024
Inside Hosts                      : Unlimited
Failover                          : Active/Active
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Disabled
Security Contexts                 : 10
Carrier                           : Disabled
AnyConnect Premium Peers          : 10000
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 10000
Total VPN Peers                   : 10000
AnyConnect for Mobile             : Enabled
AnyConnect for Cisco VPN Phone    : Enabled
Advanced Endpoint Assessment      : Enabled
Shared License                    : Disabled
Total TLS Proxy Sessions          : 10000
Cluster                           : Enabled

 

And I tried to request a license from the licensing portal, but it gives the error "unknown product type".

 

7 Replies

What output on the 4110 are you using for the serial number to request the license?

Alternately, you could contact Cisco at licensing@cisco.com and ask for assistance.

--
Please remember to select a correct answer and rate helpful posts

How do I request a license when it accepts only smart license? It is not like the old ASA appliances, where you request a PAK file. So what can I tell licensing@cisco.com?

Just give Licensing the serial number of the old and new devices as well as your smart account info, and tell them that you need the 3DES-AES strong encryption license.


The problem is I don't have access to the internet. Actually, I don't know why Cisco did that. It is not logical that to be able to SSH to the device I have to get a license; other firewalls don't have the same issue. And smart license is the worst thing ever.


@Marius Gunnerud wrote:

Just give Licensing the serial number of the old and new devices as well as your smart account info, and tell them that you need the 3DES-AES strong encryption license.


 

The license type you need to request is known as Permanent License Reservation (PLR).

You have to request your account be made eligible for this license type as Cisco will do some export control eligibility verifications etc. before approving it.

A PLR license does not require Internet access for the licensed device(s). Setting it up (once approved) is described here:

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos201/web-config/b_GUI_ConfigGuide_FXOS_201/license_management.html#id_22096

Hello Marvin,

 

Thank you for your reply. It is a good solution if we don't have internet access, and we have to request this license from the beginning before getting the standard license.

Thanks,

 

 

Is Cisco support required for this? 

Or if they have a lab unit but no support on it can this still be achieved? 
