cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
833
Views
0
Helpful
5
Replies

smart license communication requirement

manvik
Level 3
Level 3

I have an Firepower ASA with Firepower base license. Device successfully registered via smart licensing.

Now we don't want to connect it to the internet, so disconnected it from internet. Is there any issue if license authorization communication fails.

5 Replies 5

Herald Sison
Level 3
Level 3

Technically yes, because you cant get any updates from support site but if you don't want updates from support site then its fine just turn off the error message that's popping out regarding license cant connect to support site or alike.

To be honest it's still not quite clear what "Suspend licensing features" exactly means when device certificate expires after 1 year and smart licensing goes into UNREGISTERED state. Does this mean that strong encryption will be disabled and VPN connections blocked, but SSH access to the management-only interface will work? It seems official documentation has nothing about this.

 

Hi,
I don't wanna commit to this answer (usually my memory is correct) but as far as I remember I had a customer for which RAVPN ceased to work and it was related to licensing. Usually, all devices that fail to communicate with CSSM or SSM On-Prem retain their functionalities.

One exception was the SIP service on routers that stopped on earlier releases; as far as I remember (again - the newer IOS versions do not behave this way and SIP continues to work even though smart licensing may be in a 'degraded' state.

Still, in your specific case, there are options for this. Usually used by government institutions, you can use 'specific license reservation'. (SLR)

https://www.cisco.com/c/en/us/support/docs/licensing/common-licensing-issues/how-to/lic217543-how-to-reserve-licenses-slr.html

 

BR,

Octavian

 

Right, PLR or SLR or CSSM On-prem is the way to go. But just wondering why Cisco is always unable to document its products and solutions properly. BTW, there is one place in the documentation which mentions this scenario: https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos2101/cli-guide/b_CLI_ConfigGuide_FXOS_2101/license_management.html

"If your device is unable to communicate with the license authority for one year, the device will enter an unregistered state but will not lose any previously enabled strong encryption capabilities".

This is for Firepower/ASA 4k, 9k, so may not apply to 2K/1K platforms.

Review Cisco Networking for a $25 gift card