FireSIGHT license - ASA IPS

Michel Derycke
Level 1

Hi,

 

I'm currently installing a FireSIGHT virtual appliance in order to manage 2 ASA's with FirePOWER services installed.

My Defense Center is properly licensed, using the PAK key I got.

I bought 2 IPS subscription licenses for both ASA's.

 

I configured the manager on both sourcefire appliances and added them to the defense center.

Now, my problem is: I can't assign any IPS policy because there don't seem to be licenses installed on the DC to apply to the devices...

 

My question is: do I have to buy additional licenses for the DC for the IPS (Protection) features or do I miss something here? :-)

 

Thanks a lot,

Kind regards

 

 

1 Accepted Solution

Accepted Solutions

Hi,

As Marvin commented, you will have a CTRL license "ASA5525-CTRL-LIC" sent along with device via a Claim Certificate. On the certificate you should see a PAK number and steps to register it to obtain the license. Please follow these.

If you have purchased a L-ASA5525-TA-LIC=, then this entitles you to obtain signature updates for PROTECT+CONTROL features. There is no PAK or license for this PID.

- DD


Marvin Rhoads
Hall of Fame

What IPS subscription license (part number or SKU) did you purchase? It would normally be something like "L-ASA5525-TA-1Y" (1 year IPS for 5525 platform).

With that you get a PAK. That PAK plus the license key from the FireSIGHT Management Center / Defense Center is used on the cisco.com licensing portal to obtain the license for the ASAs' FirePOWER modules. You should also have the no cost base Control (CTRL) license that came with the ASAs.

Applying CTRL plus IPS licenses from FMC will get your ASA's ready to have IPS policies applied. 

Thanks for the clarification DD,

I haven't done an IPS-only in a while. Does redeeming CTRL actually issue you a license with "Features: PROTECT+CONTROL" ?

Hi Marvin,

Yes PAK for CTRL license (ASA5525-CTRL-LIC) provides license for both "PROTECT" and "CONTROL" features.

- DD

Hi All,

 

Thanks for the clarifications.
The ASA came indeed with a CONTROL license, that embeds the Protect license.
Quite confusing, though...
 

Hi Marvin,

I have installed ASA5515-CTRL-LIC in FMC and the classic license page of FMC is showing as never expires for "Protect and Control license". It means customer will get IPS updates forever. Please clarify.

Thanks and regards,

Ashok

Cisco does not currently have a technical enforcement method (i.e. expiring license) for the IPS updates. However, you are only entitled to download them contractually if you have a current valid subscription.

Hi,

Thank you for your reply. 

Customer has taken L-ASA5515-TA-1Y. It means subscription expires after one year.

If yes, where can I get those details (expiry date) in FMC?

Thanks and regards,

Ashok Kumar S.

I don't believe it can be seen in FMC. You need to check entitlement in the Cisco contract records.

DD,

Can you clarify this for me?  I'm assisting a customer with an install.  I have applied the control license, but if there is not a PAK for the IPS how is the L-ASA5515-TA-LIC= applied?  Must the contract number for the license be tied to the same CCO account that the control license was registered to?  How will the customer know when the license expires?

Thank you!

Hi,

L-ASA5515-TA-LIC= is a Right To Use; there is no license for this. Customer would have received the IPS (ASA5515-CTRL-LIC) PAK along with the device. On registering the PAK you will get license for "PROTECT+CONTROL" features.

Customer needs the TA-LIC in order to be legally entitled to receive the signature updates for IPS (PROTECT+CONTROL).

-- DD

DD,

I just did an activation today for a 5585-X with TAMC. I found that, at least for those, the Protect+Control licenses aren't being shipped via an eDelivery Product Claim with PAK to the customer. For the lower end appliances with software modules, we seem to be getting eDelivery Claim Certificates with PAKs.

Instead, we had to find the PAK in the Cisco ordering system where it was listed as the "serial number" for the "ASA5585-20CTRL-LIC" line item. Once I tracked that down, it worked fine.

Hi Team,

 

Is this still the case? The IPS License/Subscription being a RTU license? Customer is concerned because they have no way of telling when their IPS subscription expires. They purchased the firewall/subscription with another partner who lost track of their subscriptions. We're not tasked with sorting this out.

Hi Marvin,

I have a 3 year subscription "L-ASA5525-TA-3Y" but I am unable to enable the IPS module, I get the error below:

Failed opening console session with module ips. Module is in "Unresponsive" state

Could it be that I need the IPS-SSP_5525-k9.x.aip file? The device is no longer on support contract and I need to enable the module, is there any workaround for it?

Thanks

Tulee
