
"Error: This rule requires a Protection license, but the device does not have a Protect license"

orthicon2009
Level 1

Hi Cisco Experts,

We have two new ASA 5525-X and we are getting an error whenever we save or apply an SFR policy.
"Error: This rule requires a Protection license, but the device does not have a Protect license"
I've set up a couple of ASAs before with Firepower enabled and managed in ASDM.
Only this time, it is set up on two ASAs configured in HA.
FYI, I have installed the Protect and Control licenses on both ASAs but still get the same error message.
Is there a workaround that will resolve this problem?

TIA,
Orthicon

10 Replies

Marvin Rhoads
Hall of Fame

Are you using FMC or ASDM for this pair? The Protect licenses need to be installed using the tool that's managing them currently.

Hi Marvin,

Thanks for checking on my inquiry.

Yes, the Protect and Control license is currently installed on the active SFR. FYI, I’m using ASDM to manage the Firepower.



Can you share the license information screen from ASDM for both the Active and Standby ASA unit? (The license needs to be installed on both.)




Hi Marvin,

 

Attached are license information screenshots from both ASAs. I've also tried to uninstall and reinstall the license info on both ASAs but still get the same error when deploying the policies created.

Also attached is a screenshot of the error when deploying the policy.

Additional info: the SFR version on both ASAs is 6.2.0-362.

Thanks,

Orthicon

From what you shared it appears you are doing everything correctly.

I didn't see any published bugs that would cause the behavior you are seeing.

Given where you are with troubleshooting, I would suggest one or more of the following:

1. Verify your ASA and ASDM images are the minimum required (9.5(2) or later and 7.7(1) or later respectively). You might upgrade ASDM to 7.8(2.151) as it's pretty mature. (The latest 7.9(1) was just released last week and may be a bit too fresh.)

https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html#id_60529

2. Upgrade / reimage the modules to 6.2.2. There may be bugs (that aren't customer facing) that are causing the behavior and an upgrade might resolve them.

3. Open a TAC case and ask them to assist.




Hi Marvin,

 

The installed ASA and ASDM images are pretty new (see versions below), considering the device was purchased a couple of months ago.

ASA 5525-X
ASA Version: 9.8(1)
ASDM: 7.8(1)
SFR: 6.2.0-362

The firewall is currently in production and I'm a bit hesitant about reimaging the SFR module (as it requires a reboot). Anyhow, if we can't find any workarounds, then we'll do the SFR software upgrade.

Yes those are pretty new ASA and ASDM images and should be fine.

Re-imaging the sfr module does not require an ASA reload but I understand the hesitation in production.

It sounds like TAC would be your best bet for now. They may have some internal notes that go straight to your problem.

Did you find any solution to this problem?

I have the same problem, running 5516x 9.8.1 and SFR 6.2.0.3-108


@erik bakke wrote:

Did you find any solution to this problem?

I have the same problem, running 5516x 9.8.1 and SFR 6.2.0.3-108


Yep! Just reboot the sfr module and it should remove the error. :)
