cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Ask the Expert- SD-WAN

4746
Views
35
Helpful
19
Replies
Highlighted

ASA5505-50-BUN-K9 3DES license problem [Resolved]

Hi,

I have ASA505 with 3DES disabled, i heard that i can have the 3DES license without fee, so i contacted cisco more than 10 times to have the license, and every time they send me the same licence as my parmanent base key: 5321ec6e 102e534b fc21e96c 841c8ca8 ce1727aa

I don't understand the problem, here is the show activation key output:

Running Permanent Activation Key: 
0x5321ec6e 0x102e534b 0xfc21e96c 0x841c8ca8 0xce1727aa
Licensed features for this platform:
 
Maximum Physical Interfaces    : 8              perpetual
VLANs                          : 3              DMZ Restricted
Dual ISPs                      : Disabled       perpetual
VLAN Trunk Ports               : 0              perpetual
Inside Hosts                   : 50             perpetual
Failover                       : Disabled       perpetual
VPN-DES                        : Enabled        perpetual
VPN-3DES-AES                   : Disabled       perpetual
SSL VPN Peers                  : 2              perpetual
Total VPN Peers                : 10             perpetual
Shared License                 : Disabled       perpetual
AnyConnect for Mobile          : Disabled       perpetual
AnyConnect for Cisco VPN Phone : Disabled       perpetual
AnyConnect Essentials          : Disabled       perpetual
Advanced Endpoint Assessment   : Disabled       perpetual
Botnet Traffic Filter          : Disabled       perpetual
Intercompany Media Engine      : Disabled       perpetual
This platform has a Base license.
The flash permanent activation key is the SAME as the running permanent key.

And the license key that cisco send me every time isexactely the same but it should activate the 3DES encryption algorithm:

Inside Hosts                    : 50        
Failover                        : Disabled  
Encryption-DES                  : Enabled   
Encryption-3DES-AES             : Enabled   
Security Contexts               : Default   
GTP/GPRS                        : Disabled  
AnyConnect Premium Peers        : Default   
Other VPN Peers                 : Default   
Advanced Endpoint Assessment    : Disabled  
AnyConnect for Mobile           : Disabled  
AnyConnect for Cisco VPN Phone  : Disabled  
Shared License                  : Disabled  
UC Phone Proxy Sessions         : Default   
Total UC Proxy Sessions         : Default   
AnyConnect Essentials           : Disabled  
Botnet Traffic Filter           : Disabled  
Intercompany Media Engine       : Disabled  
Platform = asa

JMX152040DW:      5321ec6e 102e534b fc21e96c 841c8ca8 ce1727aa

ASA5505.jpg

Can someone tell me where is the problem please?

Thank you in advance.

7 ACCEPTED SOLUTIONS

Accepted Solutions
Hall of Fame Master

ASA5505-50-BUN-K9 3DES license problem

Plugging that serial number into the licensing tool get the activation key you noted but also the text:

"ASA5500-ENCR-K9

Warning, our records indicate that the Cisco ASA Firewall hardware serial NUMBER that you submitted during registration has previously been licensed FOR A higher feature SET."

What other licensing has been done on this ASA? Are you the original owner? You may have to call the TAC to sort it out if you aren't.

Hall of Fame Master

ASA5505-50-BUN-K9 3DES license problem

Yes, I would contact the TAC again and have them stay on the line with you to resolve completely. Something is amiss with your license and they should be able to make it right.

Hall of Fame Master

Re: ASA5505-50-BUN-K9 3DES license problem

As I noted ealier, request they escalate your service request to resolve satisfactorily.

This should have no connection to the image version. If the new device has a corrupted image and you do not have a support contract AND you are within the initial 90 day warranty, the TAC should be able to help you with direct access to a good image.

Again, you would still need to escalate the service request.

Hall of Fame Master

Re: ASA5505-50-BUN-K9 3DES license problem

You're welcome.

NPE means No Payload Encryption. I did not think to ask earlier, but if you are in a country for whom the US has forbidden export of products containing strong encryption, you would not be eligible for a 3DES-AES image and activation.

General Reference:

http://www.cisco.com/web/about/doing_business/legal/global_export_trade/general_export/contract_compliance.html

List of countries affected:

http://www.cisco.com/web/about/doing_business/legal/global_export_trade/general_export/faqs.html#Q7

An RMA is a Return Material Authorization. It means Cisco will ship a new device in exchange for one they determine to be inoperable.

Hall of Fame Master

Re: ASA5505-50-BUN-K9 3DES license problem

That's good - so the TAC should be able to get you resolved with a new image and activation key.

I'm just guessing but your equipment may have originally been part of an allocation that went to a reseller that did business with your neighboring country of Libya which is restricted.

Hall of Fame Master

Re: ASA5505-50-BUN-K9 3DES license problem

Houari,

Sorry the TAC did not provide your software. As a new purchase, it should have been entitled.

What is your current software version and how much memory does your 5505 have? Running 8.3 or later on the 5505 requires 512 MB of memory. Reference. You should also be upgrading the ASDM software image to the current release.

A system software upgrade will cause a loss of service while the system reloads. If done correctly it will only be brief (<5 minutes). The ASDM upgrade does not cause any service interruption.

There is always some risk but follow the upgrade procedure and it should go fine. It is most easily done via the ASDM GUI.

Hall of Fame Master

Re: ASA5505-50-BUN-K9 3DES license problem

Yes, your memory is good.

To update via the GUI, Choose "Tools, Upgrade Software from Local Computer". In the dialog box that pops up pick "Image to upload" as ASA (not the default APCF) and then browse to your local copy of the new software. It will then upload the file using https to your ASA disk0, ask you if you want to make this the new boot image (choose yes) and then ask if you want to reload and upgrade now.

Remember the updated ASDM (asdm-711.bin) will give you the most functionality with the new release. You should follow the similar process to get it on the ASA, choosing instead ASDM from the "Image to Upload" drop down menu. You won't have to reload the ASA itself after you do that, only the ASDM client.

19 REPLIES 19
Hall of Fame Master

ASA5505-50-BUN-K9 3DES license problem

Plugging that serial number into the licensing tool get the activation key you noted but also the text:

"ASA5500-ENCR-K9

Warning, our records indicate that the Cisco ASA Firewall hardware serial NUMBER that you submitted during registration has previously been licensed FOR A higher feature SET."

What other licensing has been done on this ASA? Are you the original owner? You may have to call the TAC to sort it out if you aren't.

ASA5505-50-BUN-K9 3DES license problem

Hi Marvin,

Thank you for response

I bought it new from a reseller(not directly from cisco representative), and i unpacked it by my self(it was new).

I already called the TAC, and they sent me exactly the same activation key.

Should i recall them?

Thank you.

Hall of Fame Master

ASA5505-50-BUN-K9 3DES license problem

Yes, I would contact the TAC again and have them stay on the line with you to resolve completely. Something is amiss with your license and they should be able to make it right.

Re: ASA5505-50-BUN-K9 3DES license problem

I called them twice time today, the first one i've received the same license.

The second time, TAC has leveled-up my request after that i send them the screen-shoot and the result of show version.

Hope that i will get the problem resolved.

I will keep you posted.

Thank you.

Re: ASA5505-50-BUN-K9 3DES license problem

Here is there last response (04/12/2012 14:26 from Peter Christian Avengoza):

Dear Houari Dali Youcef,

This is the same license key.

JMX152040DW:   5321ec6e 102e534b fc21e96c 841c8ca8 ce1727aa

However please send me the ?show activation-key detail? and please try to reload the ASA5505 and see how it looks.

If you need further assistance with this software license request, please let me know and I will be glad to assist you. Otherwise, if I do not hear back from you, I will file this case as ?resolved?.

Thank you for contacting Cisco.

What can i do more ? i sent to them the show activation-key, and i reloaded the firewall !

Re: ASA5505-50-BUN-K9 3DES license problem

Here is there last response:

K8 and K9 are only license.

You can get images for this ASA:

http://software.cisco.com/download/release.html?mdfid=280582808&flowid=4377&softwareid=280775065&release=9.1.1.ED&relind=AVAILABLE&rellifecycle=&reltype=latest

Please provide me with output of show tech for this ASA.

But i couldn't download the image beacause i don't have service contrat ID. Is it impossible to get this image without this service contrat ?

Thank you!

Hall of Fame Master

Re: ASA5505-50-BUN-K9 3DES license problem

As I noted ealier, request they escalate your service request to resolve satisfactorily.

This should have no connection to the image version. If the new device has a corrupted image and you do not have a support contract AND you are within the initial 90 day warranty, the TAC should be able to help you with direct access to a good image.

Again, you would still need to escalate the service request.

Re: ASA5505-50-BUN-K9 3DES license problem

They already escalted my service request, here is:

2012/12/15  12.32:

Hi Houari,

I have escalated your issue again to the Business Unit to check what is the cause of the problem that you are getting. Kindly bear with us.

Best regards,

Peter Christian Avengoza

And i bought for about 6 month ago.

How do i chech if i have a corrupted image on my firewall?

Here is other email they sent to me:

2012/12/15 12:08:

I have opened a new TAC case (624204757) for you because you ASA device JMX152040DW is running a "NPE" image. This image is not capable of supporting K8/K9,we need to verify if the NPE device can be updated to K8/K9 simply by replacing the SW image (or if not, it would need to be RMA'ed).

Can you please explain me what this means ? (RMA'ed ??)

Thank you very much for your help Marvin.

Hall of Fame Master

Re: ASA5505-50-BUN-K9 3DES license problem

You're welcome.

NPE means No Payload Encryption. I did not think to ask earlier, but if you are in a country for whom the US has forbidden export of products containing strong encryption, you would not be eligible for a 3DES-AES image and activation.

General Reference:

http://www.cisco.com/web/about/doing_business/legal/global_export_trade/general_export/contract_compliance.html

List of countries affected:

http://www.cisco.com/web/about/doing_business/legal/global_export_trade/general_export/faqs.html#Q7

An RMA is a Return Material Authorization. It means Cisco will ship a new device in exchange for one they determine to be inoperable.

Re: ASA5505-50-BUN-K9 3DES license problem

Yes, but i'm from Algeria, i don't belong to those group of country

Hall of Fame Master

Re: ASA5505-50-BUN-K9 3DES license problem

That's good - so the TAC should be able to get you resolved with a new image and activation key.

I'm just guessing but your equipment may have originally been part of an allocation that went to a reseller that did business with your neighboring country of Libya which is restricted.

Re: ASA5505-50-BUN-K9 3DES license problem

I Hope not, i'm going to verify this tomorrow in morning.

I'll keep you posted.

Thank you again.

Re: ASA5505-50-BUN-K9 3DES license problem

Hi,

I had to download this file: http://software.cisco.com/download/release.html?mdfid=280582808&flowid=4377&softwareid=280775065&release=9.1.1.ED&relind=AVAILABLE&rellifecycle=&reltype=latest

I asked a friend who get a valid service contrat and so have a ability to download the image for me.

The file is named: asa911-k8.bin

Do you know how to proceed the update? is there a risk that my firewall will not work correctly ?

Thank you.

Hall of Fame Master

Re: ASA5505-50-BUN-K9 3DES license problem

Houari,

Sorry the TAC did not provide your software. As a new purchase, it should have been entitled.

What is your current software version and how much memory does your 5505 have? Running 8.3 or later on the 5505 requires 512 MB of memory. Reference. You should also be upgrading the ASDM software image to the current release.

A system software upgrade will cause a loss of service while the system reloads. If done correctly it will only be brief (<5 minutes). The ASDM upgrade does not cause any service interruption.

There is always some risk but follow the upgrade procedure and it should go fine. It is most easily done via the ASDM GUI.