
smart license communication requirement

manvik
Level 3

I have a Firepower ASA with a Firepower base license. The device successfully registered via smart licensing.

Now we don't want to connect it to the internet, so we disconnected it from the internet. Is there any issue if license authorization communication fails?

5 Replies

Herald Sison
Level 3

Technically yes, because you can't get any updates from the support site, but if you don't want updates from the support site then it's fine; just turn off the error message that's popping up regarding the license being unable to connect to the support site or the like.

Octavian Szolga
Level 4

Hi,

Please check this XLS file.

It will tell you what happens with a device when you don't register it, when it was registered but authorization fails to renew and so on.

BR,

Octavian

To be honest it's still not quite clear what "Suspend licensing features" exactly means when device certificate expires after 1 year and smart licensing goes into UNREGISTERED state. Does this mean that strong encryption will be disabled and VPN connections blocked, but SSH access to the management-only interface will work? It seems official documentation has nothing about this.

 

Hi,
I don't wanna commit to this answer (usually my memory is correct) but as far as I remember I had a customer for which RAVPN ceased to work and it was related to licensing. Usually, all devices that fail to communicate with CSSM or SSM On-Prem retain their functionalities.

One exception was the SIP service on routers that stopped on earlier releases, as far as I remember (again - the newer IOS versions do not behave this way and SIP continues to work even though smart licensing may be in a 'degraded' state).

Still, in your specific case, there are options for this. Usually used by government institutions, you can use 'specific license reservation' (SLR).

https://www.cisco.com/c/en/us/support/docs/licensing/common-licensing-issues/how-to/lic217543-how-to-reserve-licenses-slr.html

 

BR,

Octavian

 

Right, PLR or SLR or CSSM On-prem is the way to go. But just wondering why Cisco is always unable to document its products and solutions properly. BTW, there is one place in the documentation which mentions this scenario: https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos2101/cli-guide/b_CLI_ConfigGuide_FXOS_2101/license_management.html

"If your device is unable to communicate with the license authority for one year, the device will enter an unregistered state but will not lose any previously enabled strong encryption capabilities".

This is for Firepower/ASA 4k, 9k, so may not apply to 2K/1K platforms.
