
Firepower 2K Strong Encryption Licence

chris-goulder
Level 1

Hi,

 

Could someone confirm exactly what the FPR2K-ENC-K9 'strong encryption (3DES/AES)' licence covers on Firepower boxes?

 

Cisco doco states: -
Strong Encryption (3DES/AES) license—FPR2K-ENC-K9 .

Although this license is not generally required (for example, ASA’s that use older Satellite Server versions (pre-2.3.0) require this license), you should still add it to your account for tracking purposes.

 

It is a separately orderable item on FPR-2110-ASA-K9 boxes

But as I understood it, the -K9 boxes can do 3DES/AES IPsec S2S tunnels on their standard licence

and the above Cisco blurb adds to the confusion

 

What is FPR2K-ENC-K9 for, and what would you need it on FPR-2110-ASA-K9 boxes for?

 

Thanks in advance,

Chris

Accepted Solutions

In case it helps anyone else confused by Cisco's documentation (?) on the topic

From experience with a FPR2110 running ASA code in appliance mode 

 

On first boot with { sh ver / sh lic feat } the initial status shows as: -

 

    Encryption-3DES-AES : Disabled

 

Once the device is set with smart lic config to contact the tools.cisco.com portal and it registers successfully, then the status changes to: -

 

   Export Compliant: YES

   Encryption-3DES-AES : Enabled

 

The only smart lic involved was the Cisco FPR2110 ASA Licence ( L-FPR2100-ASA )

There was no need for the Strong Encryption 3DES/AES licence ( FPR2K-ENC-K9 )

Draw your own conclusions / YMMV

 

 


4 Replies

@chris-goulder You need this license to use the strong encryption algorithms; without it you cannot. It is free, however. Export regulations control access to this license, so it may not necessarily come pre-installed on a brand-new Cisco device by default.

Thanks for the quick reply, Rob

 

It's all Smart Licence on the Firepower boxes

As you say, it's a $0 lic at box order time, but Cisco Lic TAC say it is a chargeable lic if you want to retrospectively order it for an already delivered box - hence why I'm trying to understand exactly what it is for in the Firepower product line

 

As a general point, if it really is needed to config a box for 3DES/AES - it doesn't make sense to me that it is not included by default (like the ASA standard lic) in the FPR-2110-ASA-K9 boxes. After all, a firewall that doesn't support 3DES/AES is pretty much a brick

Export regulations control could still control whether the lic could be applied under Smart Licencing

 

And what totally confused me was the Cisco Firepower documentation that makes the statement "this license is not generally required"

And elsewhere in the Firepower smart lic doco it lists strong encryption depending on the (smart) account export compliance 

Kind of suggesting a std smart lic'd box would get 3DES/AES type stuff as long as the smart account has export compliance status

 

General Licenses

Encryption

Base (DES) or Strong (3DES/AES), depending on the account's export compliance setting
