If you were origianlly licensed and using ASDM, moving to FMC does indeed require you to rehost the licenses. When you are doing centralized management from an FMC, the licenses are actually issued to its license key. You then assign them to any managed ASAs. You will only have that option (i.e non-grayed out check boxes) once you host the licenses on the FMC.

Hello Marvin

Thanks for your reply. I did that and it worked as you described. 

Can you tell me something about the lcensing of the FMC itself?

As of version 6.0, classic licenses (i.e. a PAK with a license key) are no longer required for FMC. It's a bit confusing since Cisco still issues PAKs for it. However when you try to redeem them, you will get the error you saw. The managed sensors with FirePOWER software (but not those with FirePOWER Threat Defense - FTD) do continue to use classic licenses managed in your FMC (or ASDM if you are using that method).

If you are managing FTD image devices with FMC, then you do need to register it in the Cisco "smart" licensing portal so you can associate the devices' smart licenses with it.

I agree it is a very confusing process at this time. I have already given feedback to Cisco sales to that efect.

Thanks, that's helpful :-)

Regarding the smart licensing; let's say I want to re-image my ASA with the FTD image. Do I need new licenses?

I currently have my 5506-X fully licensed and the (rather useless?) FMC license for two devices.

Edit: I've read, there should be something like "convert to smart license" in the licensing portal? I'm quite sure I do not have an option like this...

You're welcome.

You can rehost your licenses from the ASDM you were originally using to FMC. That would be useful to you.

Migrating to FTD is a big step and there are several features (most notably remote access VPN - i.e., AnyConnect-based) that are not available yet on FTD. Yes - all FTD requireds Smart Licensing once the original buil-in trial license expires. If your organization and/or your account have never used Smart Licensing before you will have to register for that first prior to performing and Smart Licensing actions.

Oh I think I misguided you a little bit. I indeed have rehosted my device licenses to the FMC. That's for the most part at working well. The only thing I don't really get is the supossed 50000 FMC licenses I apparently have... but.. as long as it's working.. :-)

I've read about the lack of VPN functionality with FTD, which is - sadly - a show-stopper for me. But since we're both here, I still gonna have some questions, the future implementation in my mind.

- Is there any news, when the next release (hopefully with VPN) will come out?

- As far as my understanding goes right now, I don't have to purchase new licenses for FTD, I just have to "migrate" my existing ones?

- Since I do all the FirePOWER etc. related stuff in my stare time (and I don't really see my organization implementing these features soon), is there a possibility to register for Smart Licensing without it being linked to my/any organization?

- I do have kind of a feeling that I have to pay for the Smart Licensing, right? :-)

Thanks again for the help, I really appreciate your "services" :-)

Well that's unfortunate... I guess I'll start looking into it when AnyConnect becomes available. Thanks for the detailed explanation anyway!

I suspect i might be doing something wrong, but i have hosted the license on FMC version 6.2.1 is what i am using. However, i still cannot enable the license on the device tab.

[@david.funmi@eu.didata.com]  ,

Are you using classic licenses (i.e. anything other than FTD)? What sensor type? If it's an ASA FirePOWER service module you need the free Control license first before you can apply IPS, URL or Malware licenses.

hi Marvin,

Yes, classic licenses and;

Yes ASA firePOWER module on 5506x ASA

I have uploaded a screen shot of my FMC license page.

How can i obtain the free control license?

Regards

The Control license is provided in the box with the ASA as a printed form with the PAK on it.

If you don't have it anymore, there are a couple of routes you can take:

1. If you purchased through a Tier 1 reseller or partner they can call it up in the Cisco order fulfillment system (the PAK shows up as part of the delivered hardware).

2. You can open a case with TAC (ask for Global Licensing Operations or GLO team) and provide the serial number and they can do the same.

3. You can email licensing@cisco.com for it.

In any case it is definitely required. You cannot apply any other licenses or deploy access control policies without it.