Most of the Customers have difficulties to understand what each numbers mean on the ASA image namings and what are the differences.
A typical ASA image name looks like this: asa841-k8.bin or asa841-11-k8.bin
After the "asa" keyword the numbers mean the version, what it will appear like 8.4.1 in the "show version" output. The first number is the Major Release (8), then the Minor Release (4) and finally the Maintenance Release (1). Some images contain an extra number which indicates that image is an intrim image (in the second example that number is 11, which appears as 8.4.1(11) in the "show version" output):
Cisco Adaptive Security Appliance Software Version 8.4(1.11) Compiled on Tue 14-Dec-10 12:00 by builders System image file is "disk0:/asa841-11-k8.bin"
By the code itself, there is NO difference. K9 means that it contains an encryption enabled license for 3DES/AES. Typically you can get these images directly from Cisco Sales like ASA5505-UL-BUN-K9. This means an ASA image for ASA 5505 Unlimited License bundeled with the hardware and encryption feature enabled. You can check in the "show version" :
VPN-3DES-AES : Enabled
Between two major release Cisco creates and publish some intermediate images for ASA and PIX. This is typically because of urgent bug fixes what have been discovered since the main image has released. By the time TAC finds some critical defects and with high interactions with Business Unit the fixes are merged into the new versions.
In order to balance the timeliness of releases with the thoroughness of testing, Cisco provides two different levels of automated testing on interim builds.
1. A full regression test run consists of approximately 17,000 test cases. The images which pass this level of testing are posted on CCO for direct customer access at the regular customer download location for ASA.
2. A light regression test run consists of approximately 700 test cases. The images which pass this level of testing are posted to pages that are only accessible by Cisco Internal personnel. Due to the reduced set of testing done on these images, TAC should only provide these images to customers who are encountering an issue that is specifically addressed in the build and the customer cannot wait for the next scheduled full regression cycle.
ASA image download page including full regression tested interims:
Adaptive Security Appliance (ASA) Device Manager (ASDM):
You can check your license info under the "show version" and "show activation-key". Here is an example:
Licensed features for this platform: <-----------------FEATURES WHICH ARE AVAILABLE BY YOUR LICENSE Maximum Physical Interfaces : 8 VLANs : 20, DMZ Unrestricted Inside Hosts : Unlimited Failover : Active/Standby VPN-DES : Enabled VPN-3DES-AES : Enabled SSL VPN Peers : 2 Total VPN Peers : 25 Dual ISPs : Enabled VLAN Trunk Ports : 8 Shared License : Disabled AnyConnect for Mobile : Disabled AnyConnect for Cisco VPN Phone : Enabled AnyConnect Essentials : Disabled Advanced Endpoint Assessment : Disabled UC Phone Proxy Sessions : 2 Total UC Proxy Sessions : 2 Botnet Traffic Filter : Disabled This platform has an ASA 5505 Security Plus license. <--------------------- TYPE OF YOUR LICENSE Serial Number: JMX00000000 <------------------SERIAL NUMBER Running Activation Key: 0x........0x........ 0x........0x........0x....... <--------- ACTIVATION KEY ASA# show activation-key Serial Number: JMX00000000 Running Permanent Activation Key: 0x------ 0x------ 0x------ 0x------ 0x------ 0x------ Running Timebased Activation Key: 0x'''''' 0x'''''' 0x'''''' 0x'''''' 0x'''''' 0x''''''
To obtain a FREE ASA Firewall 3DES/AES encryption activation key, log on to the following URL where you will see the link for the FREE ASA Firewall 3DES/AES activation key:
Clicking the FREE ASA Firewall 3DES/AES link will allow you to complete the one-time, on-line agreement for the use of strong encryption, as well as obtain your FREE ASA Firewall 3DES/AES activation key.
You will not need to complete this form for any future FREE ASA Firewall 3DES/AES activation keys.
Please note: The Technical Assistance Center (TAC) will not be able to provide the FREE ASA Firewall 3DES/AES activation key to customers, and will re-direct all customers to the process described above. This process is required to meet Federal regulations surrounding the use of strong encryption.
activation-key key [activate | deactivate] ASA# activation-key 0xd11b3d48 0xa80a4c0a 0x48e0fd1c 0xb0443480 0x843fc490
PLEASE NOTE: copy and paste can include some hidden characters which can cause the license key improper. May be it worth to try to type one-by-one the key and hit ENTER.
You can get more information about the type of licensing
Please contact your local Cisco Account/Sales Team to get uptodate information about the contracts.
With ASA 8.3, you no longer need duplicate licensing in Active/Standby mode. Just need to have the Botnet license on one of the failover units
The IPS License for signature updates is included in the IPS ervice contract for the SSM card (and possibly ASA chassis when purchased as a bundle). The IPS service contract goes by the name "Cisco Services for IPS". It includes the support generally covered by SmartNET as well as the IPS License for Signature Updates. Customers has the option to buy a separate contract to cover the ASA itself (presumably a SmartNET contract) and a Cisco Service for IPS to cover just the SSM.
Other DEMO licenses
Shared licenses enable customers to set a “pool” of licenses on a Master device . Any ASA with IP connectivity to the Master can become a participant and “lease” licenses from it. Customers will benefit from operational flexibility and investment protection, as they will be able to add devices to their deployment without the need to pre-assign a specific license to each device. Note that Shared Licensing is not intending to solve the requirement for a failover license in HA configuration.
For ASAs configured as an active/standby failover pair and as shared license servers, both ASAs must have the same shared license SKU(s). For example, if you purchase a 10,000 session shared license for the active ASA that is also a license server, you must also purchase a 10,000 session shared license for the standby unit. Because of this requirement, both units in the failover pair can act as the license server.
Before failover, the active ASA acts as the shared license server. After failover, the active and standby ASA reverses roles—the standby ASA becomes the active ASA and assumes the role of shared license server. The standby ASA continues in the active role after failover. It does not give up that role when the active unit becomes operational. The roles remain reversed, and the new active unit continues the role as the new license server.
show shared license detail
User is facing issue in licensing of ASA VPN concepts and not sure about this scenario. Two questions regarding 5525 VPN SSL Anyconnect Premium Licensing.
First of all you need to be sure that you used the correct activation-key for the correct device. The activation-key is based on the serial number and must be generated by the licensing team.
Update from Mike Wenstrom
The process to obtain K9 activation key has changed. Here's a summary of the steps:
Strong Crypto (3DES/AES) License
Q. How can I obtain strong-crypto licenses for my ASA?
A. ASA strong crypto (3DES / AES) keys are available at: http://www.cisco.com/go/license
Thanks, Mike Wenstrom
Cisco Security Solutions Architect Supporting CDW