
Problem accessing ASA with ASDM in multi-context config

ronald.nutter
Level 1

I am setting up an ASA in multi-context mode. I have run into one problem that I haven't been able to resolve. I can access the ASA on the interface I am talking to it on by Telnet and SSH just fine. ASDM won't respond. I have made sure that the http server is enabled.

My suspicion is that it is somehow related to not being licensed for 3DES. I noticed after I had most of the configuration in place that the ASA wasn't licensed for 3DES. I went to the Cisco licensing website and downloaded the license. I got a message that the restricted license could not be applied. I would prefer not to have to put the ASAs back into single mode so that I can apply the license and then switch back to multi-context and reconfigure.

I have looked on the licensing website and don't see any other license that I can get to resolve this. What I have done in the past to get ASDM working on a single mode firewall isn't fixing the problem I have run into on a multi-context one. I have been searching the web and Cisco.com but have had no luck finding a fix for the problem I have run into.

Suggestions?

Ron


Jouni Forss
VIP Alumni

Hi,

So I assume that you have the ASDM image to be used configured under the System Context of the ASA?

I find it strange that you would have an ASA without a 3DES/AES license. All of our units have them by default. I wonder if it's related to the part number when the device was ordered. To my understanding, K9 units have 3DES/AES. Then there's K8; maybe they don't have 3DES/AES by default.

The times I have had to get the license for some old PIX firewalls I have never had any problems inserting the license key.

I think when there are some problems with the ASDM connection in particular there are commands like

ssl encryption

ssl server-version

to set the needed ones. I have never had to dabble with these settings as I have had next to no problems with ASDM; then again, I rarely use it. Most problems have been related to Java problems.

- Jouni

Julio Carvajal
VIP Alumni

Hello Ronald,

The AES-3DES license is a must for this.

Can you paste here the exact log you are getting when you apply it on your box?

Note: Remember that on the 5500-X series you have 2 serial numbers:

The one in show version - used to order licenses

The one in show inventory - used to create the contract for support, RMAs.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 100
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Disabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 250
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Enabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5510 Security Plus license.

Serial Number: JMX1630X1C3
Running Activation Key: 0x8e08fc43 0x68fb1247 0x41f33d6c 0xfb0c7884 0x4804d1b9
Configuration register is 0x1
Configuration last modified by enable_15 at 09:45:06.433 CDT Thu May 23 2013

NSG-ASA(config)# activation-key ce3ded51 0ca7599b 0520799c f1787008 0a1fcd87
Validating activation key. This may take a few minutes...
Restricted License is not accepted in Multiple mode.
ERROR: Failed to update flash activation key

This is the license key I got from the Cisco licensing website.

Ron

Hello Ronald,

You are applying it on the system execution space, right?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes, on the system execution space. Your other message hasn't posted here but I did see a copy in email. The only time I have seen a problem with the 3DES license not being there is when I have done a complete wipe of the unit and then I had to re-apply the license to get 3DES/AES back.

Do I need to get a TAC case opened on this or is there another license I can get that will enable 3DES/AES?

I wouldn't think there would be a problem activating the license on an ASA whether it was in single or multi-mode.

Ron

Hello Ronald,

I will be honest with you, I have not seen this error before,

but what I think you will need to do is to open a case with Cisco licensing and then explain to them you need to have the current license plus the 3DES/AES license in one activation key number, because it seems like while you are trying to overwrite the activation key with the new one the ASA is complaining about the new one not having the required to run on multiple context.

So you must have both of them combined into one so you can run it in multiple context; that's my opinion.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

As a test, I took the standby firewall and reverted it back to single mode and tried the 3DES license. Got this error message -

NSG-ASA(config)# activation-key 650dca4f e46d663a fda1a514 fe040088 8c08c3b6
Validating activation key. This may take a few minutes...
The following features available in flash activation key are NOT
available in new activation key:
   2 Security Contexts
Failover is different.
   flash activation key: Unrestricted(UR)
   new activation key: Restricted(R)
Proceed with update flash activation key? [confirm]

Sounds like there is a problem with the key?

Ron
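
Added example, not part of any poster's reply: a small Python audit of the "Licensed features" table from `show version`, flagging a disabled strong-crypto license and listing which features would change under a replacement key, as the ASA's own warning above does. The sample text, function names and the proposed feature set are constructed for illustration.

```python
import re

# Constructed sample in the layout of the "Licensed features" table from
# `show version`, using a few of the rows posted earlier in this thread.
SAMPLE = """\
Licensed features for this platform:
Maximum VLANs                  : 100
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Disabled
Security Contexts              : 2
This platform has an ASA 5510 Security Plus license.
"""

# "Feature name   : value"; only the first token of the value is kept.
ROW = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>\S+)")

def parse_license_features(text):
    """Return {feature: value} for the rows under the 'Licensed features' header."""
    features, in_table = {}, False
    for line in text.splitlines():
        if line.strip().startswith("Licensed features"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue              # skip preamble and blank spacer lines
        m = ROW.match(line)
        if m is None:             # first non-row line ends the table
            break
        features[m.group("name")] = m.group("value")
    return features

def audit(features):
    """Flag license states that weaken management-plane or VPN crypto."""
    findings = []
    if features.get("VPN-3DES-AES") != "Enabled":
        findings.append("VPN-3DES-AES is not enabled: 3DES/AES are not licensed")
    return findings

def changed_features(current, proposed):
    """Map feature -> (current, proposed) for every value a new key would change."""
    return {k: (v, proposed.get(k)) for k, v in current.items()
            if proposed.get(k) != v}

if __name__ == "__main__":
    current = parse_license_features(SAMPLE)
    print(audit(current))
    # Constructed stand-in for a key that adds 3DES/AES but drops contexts.
    proposed = dict(current, **{"VPN-3DES-AES": "Enabled", "Security Contexts": "0"})
    print(changed_features(current, proposed))
```
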
