Saturday, July 7, 2018

Cisco ASA 3DES/AES Free License

I was configuring a site-to-site IPsec VPN on a Cisco ASA firewall and received the following error when defining the transform set:

ciscoasa(config)# crypto ipsec transform-set TSET esp-aes esp-sha-hmac
The 3DES/AES algorithms require a Encryption-3DES-AES activation key.

I checked the ASA encryption license with the show version command and found that Encryption-3DES-AES was Disabled and the permanent activation key was all zeros (0x00000000 0x00000000 ...). I suspect the activation key was lost or corrupted during the image upgrade from the factory-default 8.6 through 9.0 to 9.2.

ciscoasa(config)# show version

Cisco Adaptive Security Appliance Software Version 9.2(4)
Device Manager Version 6.6(1)

Compiled on Tue 14-Jul-15 23:02 PDT by builders
System image file is "disk0:/asa924-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 8 days 2 hours

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-PLUS-0020-B1
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


 0: Int: Internal-Data0/0    : address is f44e.059f.8b7c, irq 11
 1: Ext: GigabitEthernet0/0  : address is f44e.059f.8b81, irq 5
 2: Ext: GigabitEthernet0/1  : address is f44e.059f.8b7d, irq 5
 3: Ext: GigabitEthernet0/2  : address is f44e.059f.8b82, irq 10
 4: Ext: GigabitEthernet0/3  : address is f44e.059f.8b7e, irq 10
 5: Ext: GigabitEthernet0/4  : address is f44e.059f.8b83, irq 5
 6: Ext: GigabitEthernet0/5  : address is f44e.059f.8b7f, irq 5
 7: Ext: GigabitEthernet0/6  : address is f44e.059f.8b84, irq 10
 8: Ext: GigabitEthernet0/7  : address is f44e.059f.8b80, irq 10
 9: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
12: Ext: Management0/0       : address is f44e.059f.8b7c, irq 0
The Running Activation Key is not valid, using default settings:

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Disabled       perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA5525 VPN Premium license.

Serial Number: FCH1838ABCD
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x1
Configuration last modified by enable_15 at 23:09:02.104 UTC Mon Apr 16 2018

Since I had no backup of the activation key, I went to Cisco's licensing portal to retrieve the free 3DES/AES encryption license and installed it with the activation-key <KEY> command.

Go to Cisco's licensing portal (CCO login required) > Licenses > Get Licenses > IPS, Crypt, other > Security Products.

Under Product, choose Cisco ASA 3DES/AES License.

Enter the Serial Number from the show version output.

Apply the key the portal issues and verify the license state again with show version:

ciscoasa(config)# activation-key d51bcf71 7417f552 e8921abc 9004bdef 421b0123

ciscoasa(config)# show version

<OUTPUT TRUNCATED>

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA5525 VPN Premium license.

Serial Number: FCH1838ABCD
Running Permanent Activation Key: 0xd51bcf71 0x7417f552 0xe8921abc 0x9004bdef 0x421b0123
Configuration register is 0x1
Configuration last modified by enable_15 at 23:09:02.104 UTC Mon Apr 16 2018
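As an added illustration (not code from the original post), here is a small Python 3 script that performs the same two checks on saved show version output: before the fix it flags the "not valid" banner, the zeroed permanent activation key and the Disabled Encryption-3DES-AES feature; after the fix it confirms that the running permanent key matches the one entered with activation-key. The two excerpts are constructed from the output shown above (serial and key values are the post's own, feature lists trimmed), and the regular expressions are an assumption about the output layout rather than any Cisco-provided parser.

```python
import re
from typing import Dict, List

# Constructed excerpt of the pre-fix "show version" output from the post (trimmed).
BEFORE = """\
The Running Activation Key is not valid, using default settings:

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA5525 VPN Premium license.

Serial Number: FCH1838ABCD
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x1
"""

# Constructed excerpt of the post-fix output (trimmed).
AFTER = """\
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Cluster                           : Enabled        perpetual

This platform has an ASA5525 VPN Premium license.

Serial Number: FCH1838ABCD
Running Permanent Activation Key: 0xd51bcf71 0x7417f552 0xe8921abc 0x9004bdef 0x421b0123
Configuration register is 0x1
"""

# Assumed layout: "<feature name>   : <value>   <term>" inside the licensed-features block.
FEATURE_RE = re.compile(r"^(?P<name>[A-Za-z0-9/ \-]+?)\s+:\s+(?P<value>\S+)\s+(?P<term>\S+)\s*$")
KEY_RE = re.compile(r"^Running Permanent Activation Key:\s*(?P<key>(?:0x[0-9a-fA-F]{8}\s*){5})$", re.M)
SERIAL_RE = re.compile(r"^Serial Number:\s*(?P<serial>\S+)$", re.M)


def parse_show_version(text: str) -> dict:
    """Extract serial, permanent activation key and licensed features from show version text."""
    features: Dict[str, str] = {}
    in_features = False
    for line in text.splitlines():
        if line.startswith("Licensed features for this platform:"):
            in_features = True
            continue
        if in_features:
            if not line.strip():          # blank line ends the feature block
                in_features = False
                continue
            m = FEATURE_RE.match(line)
            if m:
                features[m.group("name").strip()] = m.group("value")
    key_m = KEY_RE.search(text)
    serial_m = SERIAL_RE.search(text)
    return {
        "serial": serial_m.group("serial") if serial_m else None,
        "activation_key": key_m.group("key").split() if key_m else [],
        "key_invalid_banner": "Running Activation Key is not valid" in text,
        "features": features,
    }


def key_is_zero(key_words: List[str]) -> bool:
    """True when all five 32-bit words of the key are zero, i.e. the key was lost."""
    return bool(key_words) and all(int(w, 16) == 0 for w in key_words)


def license_findings(text: str) -> List[str]:
    """Return findings that would block an AES/3DES transform set; empty means ready."""
    info = parse_show_version(text)
    findings = []
    if info["key_invalid_banner"]:
        findings.append("ASA reports the running activation key is not valid (defaults in use)")
    if key_is_zero(info["activation_key"]):
        findings.append("permanent activation key is all zeros (key lost or corrupted)")
    if info["features"].get("Encryption-3DES-AES") != "Enabled":
        findings.append("Encryption-3DES-AES is not Enabled; esp-aes/esp-3des transform sets will be rejected")
    return findings


def _norm(word: str) -> str:
    w = word.lower()
    return w[2:] if w.startswith("0x") else w


def key_matches(text: str, entered: str) -> bool:
    """Check that the key now running equals the five words given to 'activation-key'."""
    running = [_norm(w) for w in parse_show_version(text)["activation_key"]]
    wanted = [_norm(w) for w in entered.split()]
    return len(running) == 5 and running == wanted


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, license_findings(text) or ["OK"])
    print("key applied:", key_matches(AFTER, "d51bcf71 7417f552 e8921abc 9004bdef 421b0123"))
```

Run it against a saved show version capture from each firewall before building VPN configuration; the "before" excerpt yields three findings and the "after" excerpt none, and key_matches gives a quick post-change confirmation that the key you typed is the one the ASA is actually running.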