Most of the Customers have difficulties to understand what each numbers mean on the ASA image namings and what are the differences.
A typical ASA image name looks like this: asa841-k8.bin or asa841-11-k8.bin
After the "asa" keyword the numbers mean the version, what it will appear like 8.4.1 in the "show version" output. The first number is the Major Release (8), then the Minor Release (4) and finally the Maintenance Release (1). Some images contain an extra number which indicates that image is an intrim image (in the second example that number is 11, which appears as 8.4.1(11) in the "show version" output):
Cisco Adaptive Security Appliance Software Version 8.4(1.11)
Compiled on Tue 14-Dec-10 12:00 by builders
System image file is "disk0:/asa841-11-k8.bin"
Whats the difference between k8 and k9 images?
By the code itself, there is NO difference. K9 means that it contains an encryption enabled license for 3DES/AES. Typically you can get these images directly from Cisco Sales like ASA5505-UL-BUN-K9. This means an ASA image for ASA 5505 Unlimited License bundeled with the hardware and encryption feature enabled. You can check in the "show version" :
VPN-3DES-AES : Enabled
Between two major release Cisco creates and publish some intermediate images for ASA and PIX. This is typically because of urgent bug fixes what have been discovered since the main image has released. By the time TAC finds some critical defects and with high interactions with Business Unit the fixes are merged into the new versions.
In order to balance the timeliness of releases with the thoroughness of testing, Cisco provides two different levels of automated testing on interim builds.
1. A full regression test run consists of approximately 17,000 test cases. The images which pass this level of testing are posted on CCO for direct customer access at the regular customer download location for ASA.
2. A light regression test run consists of approximately 700 test cases. The images which pass this level of testing are posted to pages that are only accessible by Cisco Internal personnel. Due to the reduced set of testing done on these images, TAC should only provide these images to customers who are encountering an issue that is specifically addressed in the build and the customer cannot wait for the next scheduled full regression cycle.
ASA image download page including full regression tested interims:
Clicking the FREE ASA Firewall 3DES/AES link will allow you to complete the one-time, on-line agreement for the use of strong encryption, as well as obtain your FREE ASA Firewall 3DES/AES activation key.
You will not need to complete this form for any future FREE ASA Firewall 3DES/AES activation keys.
Please note: The Technical Assistance Center (TAC) will not be able to provide the FREE ASA Firewall 3DES/AES activation key to customers, and will re-direct all customers to the process described above. This process is required to meet Federal regulations surrounding the use of strong encryption.
Please contact your local Cisco Account/Sales Team to get uptodate information about the contracts.
With ASA 8.3, you no longer need duplicate licensing in Active/Standby mode. Just need to have the Botnet license on one of the failover units
The IPS License for signature updates is included in the IPS ervice contract for the SSM card (and possibly ASA chassis when purchased as a bundle). The IPS service contract goes by the name "Cisco Services for IPS". It includes the support generally covered by SmartNET as well as the IPS License for Signature Updates. Customers has the option to buy a separate contract to cover the ASA itself (presumably a SmartNET contract) and a Cisco Service for IPS to cover just the SSM.
Shared licenses enable customers to set a “pool” of licenses on a Master device . Any ASA with IP connectivity to the Master can become a participant and “lease” licenses from it. Customers will benefit from operational flexibility and investment protection, as they will be able to add devices to their deployment without the need to pre-assign a specific license to each device. Note that Shared Licensing is not intending to solve the requirement for a failover license in HA configuration.
For ASAs configured as an active/standby failover pair and as shared license servers, both ASAs must have the same shared license SKU(s). For example, if you purchase a 10,000 session shared license for the active ASA that is also a license server, you must also purchase a 10,000 session shared license for the standby unit. Because of this requirement, both units in the failover pair can act as the license server.
Before failover, the active ASA acts as the shared license server. After failover, the active and standby ASA reverses roles—the standby ASA becomes the active ASA and assumes the role of shared license server. The standby ASA continues in the active role after failover. It does not give up that role when the active unit becomes operational. The roles remain reversed, and the new active unit continues the role as the new license server.
show shared license detail
User is facing issue in licensing of ASA VPN concepts and not sure about this scenario. Two questions regarding 5525 VPN SSL Anyconnect Premium Licensing.
Assuming we already own a ASA 5525-x with 750 Anyconnect Essentials and Mobile ( p/n ASA5525VPN-EM750K9 ) and want the ability for 200 Clientless (Anyconnect Premium) VPN connections, including mobile devices, what part number does he need?
Assuming he do not yet own a ASA5525, but want the same 200 clientless VPN connections plus mobile device connectivity, what part number does he need? He is assuming this is correct >> ASA5525VPN-PM250K9
AnyConnect Essentials and Premium are mutually exclusive. If you purchase the Premium license and activate it on your ASA it will deactivate your AnyConnect Essentials. For what it's worth, the Mobile license works with either.
Yes, that's the correct SKU for the ASA 5525-X with 250 AnyConnect Premium plus AnyConnect Mobile bundle.
Troubleshooting and FAQ
First of all you need to be sure that you used the correct activation-key for the correct device. The activation-key is based on the serial number and must be generated by the licensing team.
Lost activation-key: The activation-key can be regenerated by licensing team. You need to send the serial number and/or PAK number to firstname.lastname@example.org . May be licensing team could request from you different information like contract number in case.
License key is correct, but not take effect: If you see the correct activation-key under the "show activation-key", please try to reboot the device. If it doesn't help, please do the followings as a "lost activation-key".
Customer bought a new ASA, can he/she transfer the license? Licenses are permanent. Once issued, they can never be revoked or transferred. Since the only way to provide a license for a different device is by issuing a brand new one and not removing their old one, any desire to provide special discounts in this instance need to be handled through the sales process / deals desk.
VPN FLEX license: SSL VPN FLEX licenses are 2 month /60 days temporary licenses products offered to our customers. They can be used by customer who want to plan for business continuity or short-term increases of the SSL VPN seats counts.
Temporary License Expiration: When a time based license expires, the ASA will switch to the installed perm license. If no perm license is available, then ASA defaults for no license will be set. The device should not require reboot, unless a feature, such as failover, requires reboot for deactivation. For example. if failover is enabled in the temporary license but not in the perm then a reboot will be required. All VPN features should not require a reboot
How to obtain strong-crypto licenses for ASA
Update from Mike Wenstrom
The process to obtain K9 activation key has changed. Here's a summary of the steps:
Strong Crypto (3DES/AES) License
Q. How can I obtain strong-crypto licenses for my ASA?
Click the “Continue to Product License Activation” link.
Click Get Other Licenses > IPS, Crypto, Other…
Select Security Products > Cisco ASA 3DES/AES License, click Next
Enter ASA Serial number and click Next
If this is the first time you have applied for a strong crypto product, review and accept the terms of the license windows. You may need to return to http://www.cisco.com/go/license and complete the steps above.
In the 3. Review and Submit window, click the I Agree with the terms of the License check box, review your contact information, and click Submit
An email will be sent you with the ASA Activation key and instructions on how to apply the key
Has anyone successfully deployed Cisco VPN Remote Access Using Azure AD with Radius Authentication. I have a RA vpn setup where it authenticates with Radius and its working fine but now I need to make use of the Azure MFA as well.
Hi team,We are seeing a strange issue where logs from ISE are showing different MAC address format in Splunk. If we notice the logs on splunk we see few machines are with xx-xx-xx-xx format however few are xx:xx:xx:xx format. Could any let me know why is ...
Each time users connect to VPN the Anyconnect installer pop-up before or while the posture scan run, but the newer compliance module has been installed to the endpoint but it still shows the pop-up every time they connect VPN. The existing pre-deploy...
Hi Guys, I'm trying to understand what's happening here. I can see Phase 1 UP, However no traffic flow. I suspect an issue with Phase 2. Following is an output of the below debug commands. This was working perfectly fine. And no change...