12-06-2017 04:51 AM - edited 02-21-2020 06:54 AM
Hi Cisco Experts,
We have two new ASA 5525-X and we are getting an error whenever we save or apply an SFR policy.
"Error: This rule requires a Protection license, but the device does not have a Protect license"
I've set up a couple of ASAs before with FirePOWER enabled and managed in ASDM.
Only this time, it is set up on two ASAs configured in HA.
FYI, I have installed the Protect and Control licenses on both ASAs but still get the same error message.
Is there a workaround that will resolve this problem?
TIA,
Orthicon
12-06-2017 06:23 AM
Are you using FMC or ASDM for this pair? The Protect licenses need to be installed using the tool that's managing them currently.
12-06-2017 09:19 AM
12-06-2017 09:21 AM
@Marvin Rhoads wrote:
Are you using FMC or ASDM for this pair? The Protect licenses need to be installed using the tool that's managing them currently.
Hi Marvin,
Thanks for checking on my inquiry.
Yes, the Protect and Control license is currently installed on the active SFR. FYI, I'm using ASDM to manage the FirePOWER.
12-06-2017 04:59 PM
Can you share the license information screen from ASDM for both the Active and Standby ASA unit? (The license needs to be installed on both.)
12-07-2017 11:52 PM
@Marvin Rhoads wrote:
Can you share the license information screen from ASDM for both the Active and Standby ASA unit? (The license needs to be installed on both.)
Hi Marvin,
Attached is the license information screenshot from both ASAs. I've also tried to uninstall and reinstall the license info on both ASAs but still get the same error when deploying the policies created.
Also attached is a screenshot of the error when deploying the policy.
Additional info: the SFR version on both ASAs is 6.2.0-362.
Thanks,
Orthicon
12-08-2017 01:34 AM
From what you shared it appears you are doing everything correctly.
I didn't see any published bugs that would cause the behavior you are seeing.
Given where you are with troubleshooting, I would suggest one or more of the following:
1. Verify your ASA and ASDM images are the minimum required (9.5(2) or later and 7.7(1) or later respectively). You might upgrade ASDM to 7.8(2.151) as it's pretty mature. (The latest 7.9(1) was just released last week and may be a bit too fresh.)
2. Upgrade / reimage the modules to 6.2.2. There may be bugs (that aren't customer facing) that are causing the behavior and an upgrade might resolve them.
3. Open a TAC case and ask them to assist.
12-08-2017 06:27 AM
@Marvin Rhoads wrote:
From what you shared it appears you are doing everything correctly.
I didn't see any published bugs that would cause the behavior you are seeing.
Given where you are with troubleshooting, I would suggest one or more of the following:
1. Verify your ASA and ASDM images are the minimum required (9.5(2) or later and 7.7(1) or later respectively). You might upgrade ASDM to 7.8(2.151) as it's pretty mature. (The latest 7.9(1) was just released last week and may be a bit too fresh.)
2. Upgrade / reimage the modules to 6.2.2. There may be bugs (that aren't customer facing) that are causing the behavior and an upgrade might resolve them.
3. Open a TAC case and ask them to assist.
Hi Marvin,
The installed ASA and ASDM images are pretty new (see versions below), considering the device was purchased a couple of months ago.
ASA 5525-X
ASA Version: 9.8(1)
ASDM: 7.8(1)
SFR: 6.2.0-362
The firewall is currently in production and I'm a bit hesitant about re-imaging the SFR module (as it requires a reboot). Anyhow, if we can't find any workarounds, then we'll do the SFR software upgrade.
12-08-2017 06:50 AM
Yes those are pretty new ASA and ASDM images and should be fine.
Re-imaging the sfr module does not require an ASA reload but I understand the hesitation in production.
It sounds like TAC would be your best bet for now. They may have some internal notes that go straight to your problem.
12-28-2017 01:27 AM
Did you find any solution to this problem?
I have the same problem, running 5516x 9.8.1 and SFR 6.2.0.3-108
01-02-2018 06:40 PM
@erik bakke wrote:
Did you find any solution to this problem?
I have the same problem, running 5516x 9.8.1 and SFR 6.2.0.3-108
Yep! Just reboot the SFR module and it should remove the error. :)