
L-ASA5506-TA-1Y

drughetto
Level 1

Hi,

does anybody in the world know how that subscription works?

I just purchased that subscription for my ASA 5506-X with Firepower Services, but what I've got from Cisco were just a couple of PDF files with the EULA. Since this is a one year subscription for IPS services, I thought that I should have tied together my ASA serial number (or maybe my Firepower Management Center serial number) with the subscription.

I opened a ticket with TAC, and they told me that my ASA has to be covered by a service contract in order to have an IPS subscription. 

From the documentation I understand that the L-ASA5506-TA-1Y product already contains a service contract inside. Is that correct?

Thanks

Nicola


Marvin Rhoads
Hall of Fame

One of the PDF files you should have received is indeed the IPS license. That one is a bit unusual in that it doesn't actually include a PAK (Product Authorization Key).

It does entitle you to download the IPS updates (VDB, Snort Rules updates, Geolocation database) from your licensed ASA. That entitlement is not enforced by technical means (license installation etc.).

You do need to have the Control licenses redeemed and applied on your ASA (either directly on the FirePOWER configuration tab of ASDM if you're using that or via the FirePOWER Manager if you have that) to apply Intrusion policies. The (no-cost) Control license actually shows up as "Control + Protect" when redeemed. It is included as a hard copy license with the necessary PAK on all new ASAs.

If it's been misplaced, your salesperson can look it up in the Cisco ordering system using the PO number. You can also open a TAC case and ask to be queued to Global Licensing (or email licensing@cisco.com) to get that PAK.

Hi Marvin,

first of all I want to thank you for your reply. I do have a FirePOWER Manager hosted on VMware and I've already purchased an FS-VMW-2-SW-K9 license to control my ASA5506-X from it.

You may see from the attached image all the licenses I already have. The one on the first row is the one I received from Cisco after purchasing L-ASA5506-TA-1Y (actually after opening a TAC).

As far as I understand from your reply, one could implement IPS policies through the FirePOWER Manager even without actually having an IPS subscription. In that case you just don't get any updated signature in addition to the ones already "bundled" with the FirePOWER Manager when you first install it? Is that correct?

I'm still a bit confused... :-)

You need to redeem the PAK for the ASA5506-CTRL-LIC as well as the FirePOWER Manager license.

Both of those licenses install on the manager. You then assign the CTRL (Control and Protect) license onto the ASA device once you've registered it into the FirePOWER Manager.

With that in place you can deploy Intrusion and Access policies to the ASA.

The FirePOWER manager will download and update the databases mentioned as long as it is licensed.

Hi Marvin,

bear with me, but looking at the FirePOWER Management Center dashboard, I already have applied CONTROL+PROTECTION licenses to my ASA 5506-X device.

Please take a look at the attached screenshots and ASA show ver.

If that is true I could have had IPS subscription even without buying any additional IPS subscription. My ASA 5506-X came with a CONTROL license and a SECURITY PLUS license. Then, in order to manage my ASA device from the FirePOWER Management Center I ordered a FS-VMW-2-SW-K9 license.

So why buy an IPS subscription after all? Why did the TAC engineer tell me that I need a service contract in order to be entitled for IPS subscription?

Thanks for your patience

Nicola

The TAC engineer may have been mis-remembering the old style of Cisco IPS. Those did indeed require the Smartnet entitlement be added to be an "SU" (Software Update) type of coverage for the appliance support contract. The ASA IPS module would validate its serial number with Cisco when downloading IPS signature updates.

You're correct that currently you can make an ASA with FirePOWER work without the IPS subscription. That particular item is an "honor system" type of enforcement.

By the way, you might want to update your FireSIGHT and ASA module to version 6.0. It was released last month.

Hi Marvin,

thanks a lot for your support!

Looks like you're the only one out there who knows things :-)

I'm having another issue now. I ran through the upgrade process as you suggested. Now I'm running version 6. I didn't get any issue during the upgrade process and now the FirePOWER Management Center shows up as healthy, but when I try to edit my IPS policy the system hangs during the "Loading Policy" phase.

I did both a FirePOWER Management Center reboot and the ASA5506-X reboot, but the FirePOWER Management Center keeps hanging each time I try to edit the IPS policy.

Any idea?

Thanks

Nicola

Nicola - sorry for the delay.

I noticed the same thing on my IPS policy post-6.0 upgrade. I ended up recreating it from the initial default policy template to remedy the issue.

Even after I did that and applied the access policy to the device, I still could not go back in and edit that corrupted IPS policy. Mine is a lab unit, so no TAC support is available.

When I get around to a customer who needs to upgrade, I'll engage the TAC then - or maybe we will see a patch fixing this bug first.
