
ASA VPN smart license

qsosan20
Level 1

Hello Experts.

 

I have an FP 2110 with ASA installed. All my VPN is working fine; however, my smart license is not registered with the Cisco license portal, and the evaluation period has already expired. My question now is: how does VPN work without a license, and do I need to purchase a license and register it to the portal?


9 Replies

tvotna
Spotlight

If you never registered the device to the smart licensing portal, you should have strong encryption disabled and 3DES/AES ciphers should not be available. How do you use VPN then? Do you use ASA 9.12 (or below) and DES?

In eval mode VPN will work just fine, both L2L and RA, although legally you need to purchase AnyConnect licenses for RA VPN (they are not installed on the device though).

 

I have 3DES enabled and AnyConnect peers as 1500:

ASA1/pri/act(config)# show license status

Smart Licensing is ENABLED

Utility:
Status: DISABLED

Data Privacy:
Sending Hostname: yes
Callhome hostname privacy: DISABLED
Smart Licensing hostname privacy: DISABLED
Version privacy: DISABLED

Transport:
Type: Callhome

Registration:
Status: UNREGISTERED
Export-Controlled Functionality: Allowed

License Authorization:
Status: EVAL EXPIRED on Sep 14 2020 14:33:06 EEST

ASA1/pri/act(config)# sh license features
Export Compliant: NO

License mode: Smart Licensing

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 4
Carrier : Disabled
AnyConnect Premium Peers : 1500
AnyConnect Essentials : Disabled
Other VPN Peers : 1500
Total VPN Peers : 1500
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 4000
Cluster : Disabled

ASA1/pri/act(config)# sh version

Cisco Adaptive Security Appliance Software Version 9.12(4)4
SSP Operating System Version 2.6(1.214)
Device Manager Version 7.13(1)

From my experience it shouldn't be like this and 3DES should be disabled. And notice that the two commands display contradictory info:

Registration:
Status: UNREGISTERED
Export-Controlled Functionality: Allowed

License Authorization:
Status: EVAL EXPIRED on Sep 14 2020 14:33:06 EEST

ASA1/pri/act(config)# sh license features
Export Compliant: NO

I have output stored in a file on my laptop, collected before a 2100 was registered to a smart account, when the eval period had not ended yet. In this case 3DES was disabled.

show tech license
Registration:
Status: UNREGISTERED
Export-Controlled Functionality: Not Allowed

License Authorization:
Status: No Licenses in Use

Evaluation Period:
Evaluation Mode: Not In Use
Evaluation Period Remaining: 90 days, 0 hours, 0 minutes, 0 seconds

License Usage
=============
No Licenses in use
...

You can double-check with the following commands and also check if 3DES and AES are available in config mode. If yes, you're safe to go.

debug menu license 13
show ssl cipher

 

ASA1/pri/act# sh running-config all license
license smart
  feature tier standard
  feature context 2
  feature strong-encryption

ASA1/pri/act# debug menu license 13
Name Count Handle Mode PrevMode Compliant Cached Transient

FIREPOWER_2100_ASA_STANDARD 1 4 Eval-expired Invalid Not Compliant False False
FIREPOWER_2100_ASA_PU 0 0 Invalid Invalid Not Compliant False False
FIREPOWER_2100_ASA_CARRIER 0 0 Invalid Invalid Not Compliant False False
FIREPOWER_2100_ASA_CONTEXT 2 5 Eval-expired Invalid Not Compliant False False
FIREPOWER_2100_ASA_STRONG_ENCRYPTION 1 6 Eval-expired Invalid Not Compliant False False
FIREPOWER_2100_ASA_STRONG_ENCRYPTION_EC 1 0 Authorized Invalid Compliant False False

FIREPOWER_2100_ASA_STRONG_ENCRYPTION_EC is Authorized, which means that export-controlled functionality (i.e. strong crypto) is enabled. This flag is typically inherited from the smart account when the device is registered. I don't know why it is set in this case, but you are able to use strong crypto for sure.
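As an added example (not code from this thread or from Cisco), the checks walked through above can be applied as a script over saved CLI output: it parses the `show license status`, `show license features` and `debug menu license 13` text, reads the EC entitlement mode, and flags the "Allowed" vs "Export Compliant: NO" contradiction. The sample text is constructed from the outputs quoted in this thread, trimmed; the function names are my own.

```python
# Constructed sample input: output lines quoted in this thread, trimmed.
STATUS = """Registration:
Status: UNREGISTERED
Export-Controlled Functionality: Allowed

License Authorization:
Status: EVAL EXPIRED on Sep 14 2020 14:33:06 EEST
"""
FEATURES = """Export Compliant: NO
Encryption-3DES-AES : Enabled
"""
DEBUG13 = """Name Count Handle Mode PrevMode Compliant Cached Transient
FIREPOWER_2100_ASA_STRONG_ENCRYPTION 1 6 Eval-expired Invalid Not Compliant False False
FIREPOWER_2100_ASA_STRONG_ENCRYPTION_EC 1 0 Authorized Invalid Compliant False False
"""

def blocks(text):
    """Parse 'Header:' blocks of 'key: value' lines into nested dicts."""
    out, cur = {}, None
    for s in (l.strip() for l in text.splitlines() if l.strip()):
        if s.endswith(":") and s.count(":") == 1:   # block header, e.g. 'Registration:'
            cur = s[:-1]
            out[cur] = {}
        elif ":" in s and cur is not None:
            k, v = s.split(":", 1)
            out[cur][k.strip()] = v.strip()
    return out

def pairs(text):
    """Parse flat 'key : value' lines (show license features)."""
    return {k.strip(): v.strip() for k, v in
            (l.split(":", 1) for l in text.splitlines() if ":" in l)}

def entitlement_mode(debug13, name):
    """Mode column of one entitlement row in 'debug menu license 13' output."""
    rows = (l.split() for l in debug13.splitlines())
    return next((r[3] for r in rows if r and r[0] == name), None)

def audit(status, features, debug13):
    """Apply the thread's reasoning: EC entitlement Authorized => strong crypto usable."""
    st, ft = blocks(status), pairs(features)
    ec = entitlement_mode(debug13, "FIREPOWER_2100_ASA_STRONG_ENCRYPTION_EC")
    return {
        "registered": st["Registration"]["Status"] == "REGISTERED",
        "eval_expired": st["License Authorization"]["Status"].startswith("EVAL EXPIRED"),
        "strong_crypto": ec == "Authorized" and ft.get("Encryption-3DES-AES") == "Enabled",
        # 'Allowed' next to 'Export Compliant: NO' is the contradiction noted in the thread
        "contradiction": st["Registration"]["Export-Controlled Functionality"] == "Allowed"
                         and ft.get("Export Compliant") == "NO",
    }
```

Run it against the earlier, pre-registration output quoted above (Export-Controlled Functionality: Not Allowed, EC row not Authorized) and strong_crypto comes back False, which is the state tvotna expected for a never-registered box.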

 

So, as a conclusion, does export-controlled enabled mean that the device was registered to the license portal before?

Also, from the Cisco document, AnyConnect is showing as unlicensed:

 


So this means I don't need to add a license for AnyConnect to work?

 

Well, it can be the case that this device was registered before, the corresponding smart account was for a customer who is not from a restricted country and hence, when the device was registered, the "export-controlled" flag was set on the registration token and export-controlled functionality became enabled on the ASA. After a year, if the ASA couldn't contact the licensing portal, it became unregistered, but export-controlled functionality remains enabled in this case.

AnyConnect licenses are not enabled/installed on Firepower devices. There is no such CLI under "license smart". The max number of AnyConnect sessions always equals the max hardware capacity of the firewall model.

 

Thanks @tvotna for your help,

Good luck

MHM