Purchased Authorization Key for Botnet Traffic Filter but afraid to put it on because key says Anyconnect Essentials is Disabled

keithsauer507
Level 5

Have two ASA5525X's.  Tried opening a ticket with TAC but as soon as I click open new case it does a few redirects and then logs me out of Cisco SSO.

 

Purchased the Botnet Traffic Filter. Went through the annoying and convoluted process to go through a website with the order number to get a PAK.  Then went to the other website to convert a PAK to an email that sends me a product authorization key.  Seriously why not just send me the friggin key... I digress...

 

What worries me is the email I've received shows the word disabled next to Anyconnect Essentials.  In our firewall it shows 750 perpetual for Anyconnect Essentials.  I'm afraid to put this key on because we have about 80 Users VPN in right now *including myself* with this key and it would be a business ending event if it was removed.

 

What should I do in this situation?  Can a feature key that is used to ADD a feature also inadvertently remove an existing?  If so, why?  This is the type of confusion why we are looking at PaloAlto and Fortigate for next year.  The whole licensing process is just a real PITA.

Accepted Solutions

Marvin Rhoads
Hall of Fame

The new feature should add onto the existing one(s). To be extra sure, take the output of "show activation-key" first. That way you can roll back if you need to.

Even if the new key removed the AnyConnect license (which it shouldn't) it would not affect any existing sessions.

By the way I'm surprised you were able to buy this license. They went end of sales in 2017:

https://www.cisco.com/c/en/us/products/collateral/security/security-manager/eos-eol-notice-c51-739220.html

The feature is pretty dated and provides minimal protection in the current threat environment.


3 Replies 3

Ok when I run show activation-key and also failover exec standby show activation-key, it shows for both Running Permanent Activation Key: and it's 5 groups of 10 characters, the first three starting with 0xe and the last two starting with 0xc.  Are you saying I had to, I could paste those groups of 10 characters as is back in?

 

First I thought of just applying the license on the standby firewall, but the cluster shows as disabled in this key.  I'm not sure if I can just reboot it without a write mem command, or if applying a key is permanent on the spot.

 

It may be minimal protection, but the majority of this is now in Cloudflare.  This is just minimal in front of whatever assets we do not have "proxied" through Cloudflare.  For all others, we now have ACL's in place, tested successfully that only allow traffic from Cloudflare.  The Cloudflare has stopped a massive credential stuffing attack from botnets.

 

We just wanted something quick, cheap, and easy.  Adding firepower would have taken more time, required physical access to install the SSD drives, cost more money, and be a learning curve.  We are already doing homework for a replacement for next year. Whether that is the latest and greatest Cisco equivalent replacement, a Palo Alto, Fortigate, or another competitor, we are open to everything, and ease of use will be on the list as well as all of the next-gen capabilities.


@keithsauer507 wrote:

... Are you saying I had to, I could paste those groups of 10 characters as is back in?  


Yes, that's correct.

The activation key is not part of the running-config so wr mem (or not) doesn't really apply in this case.
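
The backup-then-compare step recommended in this thread can be scripted. The following is an added example, not code from the thread or from Cisco: it parses a saved `show activation-key` capture taken before the change and one taken after, keeps the old key for rollback, and flags any feature whose entitlement dropped. The output layout is an assumed, simplified form of the ASA display, and the key values and feature lines are constructed.

```python
import re

# Assumed layout of `show activation-key` output; key values are constructed.
TEMPLATE = """\
Running Permanent Activation Key: {key}

Licensed features for this platform:
Maximum VLANs                     : 200            perpetual
AnyConnect Essentials             : {ac:<14} perpetual
Botnet Traffic Filter             : {btf:<14} perpetual
"""
OLD_KEY = "0xe0000001 0xe0000002 0xe0000003 0xc0000004 0xc0000005"
NEW_KEY = "0xe00000aa 0xe00000bb 0xe00000cc 0xc00000dd 0xc00000ee"
BEFORE = TEMPLATE.format(key=OLD_KEY, ac="750", btf="Disabled")
AFTER_OK = TEMPLATE.format(key=NEW_KEY, ac="750", btf="Enabled")
AFTER_BAD = TEMPLATE.format(key=NEW_KEY, ac="Disabled", btf="Enabled")

KEY_RE = re.compile(
    r"^Running Permanent Activation Key:[ \t]*((?:0x[0-9a-fA-F]{8}[ \t]*){5})$", re.M)
FEAT_RE = re.compile(
    r"^([^:\n]+?)[ \t]*:[ \t]*(\S+)[ \t]+(?:perpetual|\d+ days)[ \t]*$", re.M)

def parse(text):
    """Return (five key groups or None, {feature name: value})."""
    m = KEY_RE.search(text)
    return (m[1].split() if m else None,
            {f[1].strip(): f[2] for f in FEAT_RE.finditer(text)})

def rank(value):
    """Order values so a drop is detectable: missing/Disabled < count < other."""
    if value is None or value.lower() == "disabled":
        return 0
    return int(value) if value.isdigit() else float("inf")

def compare(before_text, after_text):
    """Diff two captures; 'regressed' lists features that lost entitlement."""
    (old_key, old), (new_key, new) = parse(before_text), parse(after_text)
    changed = {n: (old.get(n), new.get(n))
               for n in sorted(set(old) | set(new)) if old.get(n) != new.get(n)}
    return {
        "rollback_key": " ".join(old_key) if old_key else None,
        "key_changed": old_key != new_key,
        "changed": changed,
        "regressed": [n for n, (o, v) in changed.items() if rank(v) < rank(o)],
    }

if __name__ == "__main__":
    for label, after in (("ok", AFTER_OK), ("bad", AFTER_BAD)):
        print(label, compare(BEFORE, after))
```

On a failover pair, capture and compare each unit's output separately, since the thread shows the key being read on both the active and the standby unit.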
