
FirePower 1010 ASA - Cisco Smart Licensing chicken-&-egg situation

Trying to build a HA pair of FirePower 1010's running ASA software.  Hit an issue with enabling failover without Smart Licensing being active.

Issuing any failover command says 'ERROR: Command requires failover license'.  I didn't have the same issue with some FP2130's that were licensed after installation.

These FP1010's weren't originally going to have Internet access as this is an MPLS customer.  I realise that a satellite server can be installed to deal with this, however it isn't part of the project so far.

Just wondering whether there was any way around this?  Upgraded them both to 9.15.1 and still not possible.

 

Cheers

Andy


balaji.bandi
Hall of Fame

It generally requires some form of proxy or Internet connection to the smart server to license the kit.

 

Cisco is making a hard time with Smart License; when the device does not require Internet, more of a closed network like you have, there are difficulties.

 

CSSM is not feasible for 1 or 2 kits; it is good for large enterprise. (They need to come up with an alternative option for offline devices.)

BB


Probably a schoolboy error on my part..

The 'Smart Licensing Feature Tier' wasn't set to anything.  I set this to 'standard' (which is the only option) and set the feature to 'security-plus'.  They are now in evaluation mode and I can enable failover for 90-days, which should be more than enough to sort the other bits out.

I don't recall having to do this with the FP2130's I put in recently and I've built several ASAv's and don't recall having to set the license tier - again there is only one option of 'standard' so I'm a bit confused as to why this isn't a default?

 

Andy

balaji.bandi
Hall of Fame

No worries, the end result being in working condition is what's important; glad all is OK for now.

 

BB


After I got this working it turned out that the distributor didn't provide the free-of-charge Base or 3DES/AES licenses so after getting these registered they immediately went out of compliance as they only had the Security Plus licenses in the Virtual Account as these were ordered separately.  The FoC Base & 3DES/AES licenses weren't provided.  It's taken a while to get these sorted, however it's taken longer than 90-days which has now broken things.

The primary unit is now licensed properly and there are licenses for the standby unit in the virtual account, however the Base & 3DES/AES licenses were deposited just after the 90-days so the standby unit now only has the failover interface active as it won't support failover without being licensed (back to a chicken-&-egg situation...).  Failover is partially working - i.e. from the active unit I can issue commands to the standby unit with 'failover exec mate xxxx', however if I do a 'failover exec mate show ip' it only shows the failover interface as active.  If I try any failover commands 'failover exec mate show failover' I get an error saying it requires a license for failover.

I am hoping that if I force a failover from the active unit that it will cause the standby unit to go active and enable its interfaces.  At which point it should have access to the Smart Licensing servers and re-enable the Security Plus license (as well as the Base & 3DES/AES licenses).  However never having done this before and this now being a live service I'm a little concerned it won't.

This is all remote in a DC so emergency console cable access isn't something I can do quickly.

Anyone else got themselves into a similar situation?  Will forcing a failover bring the interfaces online on the standby unit?

 

 
