We have multiple ASA5506-X Firepower units in our FMC, each with different licensed dates for Firepower services - and it is telling me they are expiring. How can I determine which one? I don't see anywhere where it associates the license with a device to know which to go find and renew/re-register. If there is someplace I am not seeing (these are Classic licenses, by the way, as they are from different accounts) that correlates a device/license, please share!
Usually it is the health monitor on the FMC alerting you of expiring licences. On the FMC, if you go into the health > monitor, it will tell you which devices have their licenses expiring. Also, on the Licenses > Classic Licenses page, you can see license associated with every device along with expiry date. Are you not seeing this info?
It is indicating that my appliance (the FMC itself) has a MALWARE license expiring. But it only references itself, not which device that license is for, just that it expires on May 16th, 2018. But when applying the separate licenses for each device - it doesn't seem to know/indicate which device's license it is. So as this grows into more than the 6 device it has, it will be a nightmare to understand which license it expiring and needs removed and updated with a new one.
I understand what you are talking about. Are your different ASA's named differently? The license monitor under the FMC should give an error like this:
Violations due to licenses expiring within 90 days:
<Device Name>: URLFilter used count will exceed total by 1 licenses.
<Device Name>: MALWARE used count will exceed total by 1 licenses.
You can reference the Device Name to the name of the ASA when you added it into the FMC.
Another way is to go into the License page. This gives you what licenses are being used by which device and when it expires.
Could you post a screenshot of what you are seeing on the FMC (without any sensitive info of course)?
Ah OK. So all your devices are same device type, didn't realize that. My mistake.
Since Malware is a service subscription, I don't know if the subscription itself is tied to one device. But I see a problem with it expiring and not knowing which device will be affected.
If you want to eventually renew the license, you can just add a new license and have it take over the valid license count when the old one expires. If you want to remove this license, you can remove the malware feature from any 1 device among the 6 that you have and the remaining 5 will have valid licenses. This does not answer your question exactly but should help with your plan for the license expiry.
I would also recommend opening a TAC case to see if there is anyway to get this information from the individual device Firepower services CLI itself.
I will open a case on it - but this could be quite a pain. I will have to add the renewals of any device in there when it gets renewed to try and stay up, rather than know which one the expired on really belongs to. I just thought it would know somehow which device - but I guess since you have to enter the FMC serial/address to register the service, it wouldn't know the device after all - just that it has enough to cover the number of devices. Ick. Not going to be pretty. Too bad it doesn't integrate with SNTC Portal for more information!
There is no solution from Cisco on it. You can tell which ones expire, of course, but if you have numerous devices like we do, you can't tell who the license belongs to. Tracking nightmare. You just need to watch for the FP renewals for each device, and replace them as they come due. So when you get a renewal for December 15th, remove the one the expires that date. Not fun, and complicated - but that's Cisco.