03-21-2023 04:36 AM
I have a Firepower ASA with a Firepower base license. The device successfully registered via smart licensing.
Now we don't want to connect it to the internet, so we disconnected it from the internet. Is there any issue if license authorization communication fails?
03-21-2023 09:44 AM - edited 03-21-2023 09:44 AM
Technically yes, because you can't get any updates from the support site, but if you don't want updates from the support site then it's fine. Just turn off the error message that's popping up regarding the license not being able to connect to the support site or the like.
03-21-2023 02:04 PM
Hi,
Please check this XLS file.
It will tell you what happens with a device when you don't register it, when it was registered but authorization fails to renew and so on.
BR,
Octavian
03-22-2023 05:58 AM
To be honest it's still not quite clear what "Suspend licensing features" exactly means when device certificate expires after 1 year and smart licensing goes into UNREGISTERED state. Does this mean that strong encryption will be disabled and VPN connections blocked, but SSH access to the management-only interface will work? It seems official documentation has nothing about this.
03-23-2023 12:15 PM
Hi,
I don't wanna commit to this answer (usually my memory is correct) but as far as I remember I had a customer for which RAVPN ceased to work and it was related to licensing. Usually, all devices that fail to communicate with CSSM or SSM On-Prem retain their functionalities.
One exception was the SIP service on routers that stopped on earlier releases; as far as I remember (again
Still, in your specific case, there are options for this. Usually used by government institutions, you can use 'specific license reservation' (SLR).
BR,
Octavian
03-24-2023 02:29 AM
Right, PLR or SLR or CSSM On-prem is the way to go. But just wondering why Cisco is always unable to document its products and solutions properly. BTW, there is one place in the documentation which mentions this scenario: https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos2101/cli-guide/b_CLI_ConfigGuide_FXOS_2101/license_management.html
"If your device is unable to communicate with the license authority for one year, the device will enter an unregistered state but will not lose any previously enabled strong encryption capabilities".
This is for Firepower/ASA 4k, 9k, so may not apply to 2K/1K platforms.