Solved: Hi,

Michel Derycke · ‎07-07-2015

Hi,

I'm currently installing a FireSIGHT virtual appliance in order to manage 2 ASA's with FirePOWER services installed.

My Defense Center is properly licensed, using the PAK key I got.

I bought 2 IPS subscription licenses for both ASA's.

I configured the manager on both sourcefire appliances and added them to the defense center.

Now, my problem is: I can't assign any IPS policy because there don't seem to be licenses installed on the DC to apply to the devices...

My question is: do I have to buy additional licenses for the DC for the IPS (Protection) features or do I miss something here? :-)

Thanks a lot,

Kind regards

dhvenkat · ‎07-07-2015

Hi,

As Marvin commented, you will have a CTRL license "ASA5525-CTRL-LIC" sent along with device via a Claim Certificate. On the certificate you should see a PAK number and steps to register it to obtain the license. Please follow these.

If you have purchased a L-ASA5525-TA-LIC=, then this entitles you for obtaining signature updates for PROTECT+CONTROL features. There is no PAK or license for this PID.

- DD

View solution in original post

Marvin Rhoads · ‎07-07-2015

What IPS subscription license (part number or SKU) did you purchase? It would normally be something like "L-ASA5525-TA-1Y" (1 year IPS for 5525 platform).

With that you get a PAK. That PAK plus the license key from the FireSIGHT Management Center / Defense Center is used on the cisco.com licensing portal to obtain the license for the ASAs' FirePOWER modules. You should also have the no cost base Control (CTRL) license that came with the ASAs.

Applying CTRL plus IPS licenses from FMC will get your ASA's ready to have IPS policies applied.

dhvenkat · ‎07-07-2015

Hi,

As Marvin commented, you will have a CTRL license "ASA5525-CTRL-LIC" sent along with device via a Claim Certificate. On the certificate you should see a PAK number and steps to register it to obtain the license. Please follow these.

If you have purchased a L-ASA5525-TA-LIC=, then this entitles you for obtaining signature updates for PROTECT+CONTROL features. There is no PAK or license for this PID.

- DD

Marvin Rhoads · ‎07-07-2015

Thanks for the clarification DD,

I haven't done an IPS-only in a while. Does redeeming CTRL actually issue you a license with "Features: PROTECT+CONTROL" ?

dhvenkat · ‎07-07-2015

Hi Marvin,

Yes PAK for CTRL license (ASA5525-CTRL-LIC) provides license for both "PROTECT" and "CONTROL" features.

- DD

Michel Derycke · ‎07-07-2015

Hi All,

Thanks for the clarifications.
The ASA came indeed with a CONTROL license, that embed the Protect license.
Quite confusing, though...

S.ashok S · ‎01-12-2016

Hi Marvin,

I have installed ASA5515-CTRL-LIC in FMC and the classic license page of FMC showing as never expires for "Protect and Control license". It means customer will get IPS updates forever. Please clarify

Thanks and regards,

Ashok

Marvin Rhoads · ‎01-12-2016

Cisco does not currently have a technical enforcement method (i.e. expiring license) for the IPS updates. However, you are only entitled to download them contractually if you have a current valid subscription.

S.ashok S · ‎01-12-2016

Hi,

Thank you for your reply.

Customer has taken L-ASA5515-TA-1Y. It means subscription expires after one year.

If yes where can get that details (Expiry date) in FMC.

Thanks and regards,

Ashok Kumar S.

Marvin Rhoads · ‎01-12-2016

I don't believe it can be seen in FMC. You need to check entitlement in the Cisco contract records.

jlynch-presidio · ‎08-04-2015

DD,

Can you clarify this for me? I'm assisting a customer with an install. I have applied the control license, but if there is not a PAK for the IPS how is the L-ASA5515-TA-LIC= applied? Must the contract number for the license be tied to the same CCO account that the control license was registered to? How will the customer know when the license expires?

Thank you!

dhvenkat · ‎08-06-2015

Hi,

L-ASA5515-TA-LIC= is a Right To use there is no license for this. Customer would have received the IPS (ASA5515-CTRL-LIC) PAK along with the device. On registering the PAK you will get license for "PROTECT+CONTROL" features.

Customer needs to the TA-LIC in order to be legally entitled to receive the signature updates for IPS (PROTECT+CONTROL).

-- DD

Marvin Rhoads · ‎08-07-2015

DD,

I just did an activation today for a 5585-X with TAMC. I found that, at least for those, the Protect+Control licenses aren't being shipped via an eDelivery Product Claim with PAK to the customer. For the lower end appliances with software modules, we seem to be getting eDelivery Claim Certificates with PAKs

Instead, we had to find the PAK in the Cisco ordering system where it was listed as the "serial number" for the "ASA5585-20CTRL-LIC" line item. Once I tracked that down, it worked fine.

Guillermo Estrada · ‎12-07-2017

Hi Team,

Is this still the case? The IPS License/Subscritpion being a RTU license? Customer is concerned because they have no way to telling when their IPS subscription expires. They purchased the firewall/subscription with another partner who lost track of their subscriptions. We're not tasked with sorting this out.

Tulipomwene Haukongo · ‎07-13-2017

Hi Marvin,

I have a 3 year subscription "L-ASA5525-TA-3Y" but I am unable to enable the IPS module, I get the error below:

Failed opening console session with module ips. Module is in "Unresponsive" state

Could it be that I need the IPS-SSP_5525-k9.x.aip file? The device is no longer on support contract and I need to enable the module, is there any work around it?

Thanks

Tulee

FireSIGHT license - ASA IPS