Solved: Re: Issue with ASDM and ASA5506 w/o 3DES/AES license

saiiven07 · ‎09-07-2017

Hi,

I'm trying to figure out which versions of ASA and ASDM software will allow me to successfully launch ASDM on my PC taking into account that the ASA doesn't have a 3DES/AES license. At the moment I'm running 9.7(1)4 on ASA 5506 with ASDM asdm-771.bin. I've already tried almost all Java versions and even 1.6 versions of JAVA just hang with the message "Software update completed" and then nothing happens. It seems like I'll have to downgrade ASA/ASDM software to make it work. Has anyone encountered such an issue and which versions of ASA/ASDM/Java you would recommend? Thanks.

Marvin Rhoads · ‎09-07-2017

No smartnet is required for this license. Just the ASA serial number and access to the software.cisco.com portal to enter in the serial number and get the PAK back.

View solution in original post

Marvin Rhoads · ‎09-07-2017

Unless you are working in an export-controlled region there's no reason not to install and use the free 3DES-AES license.

The problem is that the Java SSL libraries that are required by any modern ASDM version will not negotiate a common cipher with an ASA that does not support at least 3DES encryption as what is proposed by the ASA will have no overlap with the proposal from the client.

saiiven07 · ‎09-07-2017

Hi, Marvin.
Unfortunately, since I'm preparing the ASA for a customer, I'm not able to tie the AES/3DES license to the device because the SMARTnet contract is not associated with my account, etc. I'll probably try to downgrade or finish configuring it by using the console/SSH. Thanks for the advice regarding the free AES/3DES license.

Marvin Rhoads · ‎09-07-2017

No smartnet is required for this license. Just the ASA serial number and access to the software.cisco.com portal to enter in the serial number and get the PAK back.

SteelSeries 87 · ‎03-03-2019

SteelSeries 87 · ‎03-03-2019

Where specifically do you go once you're logged into the software central page? Every "PAK" based option i go to or licensing tells me i require a smartnet account.

Marvin Rhoads · ‎03-03-2019

You don't need Smartnet but you do need a cisco.com account.

Go to https://software.cisco.com and log in. Then click License > Traditional Licensing. Then click Licenses > Get Licenses > "IPS, Crypto or Other". Choose "Security Products" and then "Cisco ASA 3DES/AES License". Click "Next", provide your serial number and the "Next" again.

They will email you an activation key and also provide the opportunity to download it directly from there.

lcc · ‎02-12-2020

does this license still exist? as it appears to be missing now.

simonq3sec · ‎02-12-2020

You can find it, just type 3DES and should appear.

Marvin Rhoads · ‎02-19-2020

@lcc I just checked and it it still there.