cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8532
Views
10
Helpful
8
Replies

What happens when ASA FirePower subscription expires?

Jorge.Angel10
Level 1
Level 1

What happens when ASA FirePowers subscription expires?

What happens with the ASA? services keep working? show some alarm?

 

Thanks!

Jorge

 

 

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

If the FirePOWER module ("sfr") is no longer associated with a current license, the policies applied by the Firesight Management Center (FMC) will no longer have any effect and you will not be updating events in the logs. FMC will alert you that your license(s) are expired assuming you have a properly applied Health Policy.

The base ASA will continue to operate as usual. The traffic redirection via service-policy into the sfr module will essentially be ineffective.

View solution in original post

8 Replies 8

Marvin Rhoads
Hall of Fame
Hall of Fame

If the FirePOWER module ("sfr") is no longer associated with a current license, the policies applied by the Firesight Management Center (FMC) will no longer have any effect and you will not be updating events in the logs. FMC will alert you that your license(s) are expired assuming you have a properly applied Health Policy.

The base ASA will continue to operate as usual. The traffic redirection via service-policy into the sfr module will essentially be ineffective.

Thanks Marvin, do you know if there is a grace period before the FirePower module be ineffective?

 

 

There's no grace period as far as I know.

That's why the Health Policy alerts you well in advance.

Thanks Marvin, I opened a case in support and licencing but they just replied me to buy a new licence, thanks!

Regards!

 

 

 

Hi guys,

 

What i gather from what was said above, is that FMC will alert you when a license has expired once your Health Policy is configured correctly.

 

If that is correct, then is there a way for the FMC to alert you before the license expires and also how do you configure the Health Policy to be able to send and alert on the dashboard and also via email.

 

Let me know if this is posssible,

 

Thanks much

I don't believe the License Monitor health policy can be changed to do what you ask. It does sound like a neat feature request though.

I'm drawing my conclusion from having checked mine and reading the following section of the FireSIGHT System User Guide (especially the last sentence):

Use the License Monitoring health status module to determine if sufficient licenses remain for Control, Protection, URL Filtering, Malware, and VPN. This module alerts if the number of remaining licenses is low or insufficient.
This module also alerts if the system detects that devices in a stacked configuration have mismatched license sets (stacked devices must have identical sets of licenses).
The License Monitoring module is automatically configured. Because you cannot change or disable this module, it does not appear on the Health Policy Configuration page.

By default, the license monitor will send an email when licenses are due to expire within 90 days. After setting mine up just now I got an e-mail as follows:

Health Monitor Alert from sfvdc.dsi.local

Time: Tue Aug  4 18:23:43 2015 UTC

Severity: warning

Module: License Monitor

Description: Violations due to licenses expiring within 90 days:

3D7125: URLFilter used count will exceed total by 1 licenses.

3D7125: MALWARE used count will exceed total by 1 licenses.

EDIT: Don't neglect to set a threshold timeout. I did that and started getting the emails every 5 minutes (= the periodicty of the Health Monitor)

Oh nice, it sent you an email telling you that you have 90 days left on your licenses.

 

Oh so how it works is that it will send you an alert with the amount of time left on your licenses. 

 

And it will send the email based on the threshold that you set? Correct me if im wrong

 

Thanks :)

Yes - 90 days is the non-configurable number that will trigger an alert for the license monitor. My licenses will actually expire on 10/26/2015 - about 83 days from now since I just added a new 90-day partner lab license last week.

The threshold is how many minutes have to pass before sending you another email (works in conjunction with the overall health monitor job polling cycle). I raised my threshold to one day after the first couple of every 5 minute emails and I believe I should get a daily email reminder going forward.

It could use some improvement but the basic functionality is there.

Review Cisco Networking for a $25 gift card