I was configuring a site-to-site IPSec VPN on a Cisco ASA firewall and received an error:
ciscoasa(config)# crypto ipsec transform-set TSET esp-aes esp-sha-hmac
The 3DES/AES algorithms require a Encryption-3DES-AES activation key.
I verified the ASA Encryption license using the show version command but found the Encryption-3DES-AES was Disabled and the activation key were all 0s (0x00000000 0x00000000...). I suspect the activation key got lost or was corrupted while doing the image upgrade path from factory default of 8.6 > 9.0 > 9.2.
ciscoasa(config)# show version
Cisco Adaptive Security Appliance Software Version 9.2(4)
Device Manager Version 6.6(1)
Compiled on Tue 14-Jul-15 23:02 PDT by builders
System image file is "disk0:/asa924-smp-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 8 days 2 hours
Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-PLUS-0020-B1
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
0: Int: Internal-Data0/0 : address is f44e.059f.8b7c, irq 11
1: Ext: GigabitEthernet0/0 : address is f44e.059f.8b81, irq 5
2: Ext: GigabitEthernet0/1 : address is f44e.059f.8b7d, irq 5
3: Ext: GigabitEthernet0/2 : address is f44e.059f.8b82, irq 10
4: Ext: GigabitEthernet0/3 : address is f44e.059f.8b7e, irq 10
5: Ext: GigabitEthernet0/4 : address is f44e.059f.8b83, irq 5
6: Ext: GigabitEthernet0/5 : address is f44e.059f.8b7f, irq 5
7: Ext: GigabitEthernet0/6 : address is f44e.059f.8b84, irq 10
8: Ext: GigabitEthernet0/7 : address is f44e.059f.8b80, irq 10
9: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
12: Ext: Management0/0 : address is f44e.059f.8b7c, irq 0
The Running Activation Key is not valid, using default settings:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Disabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA5525 VPN Premium license.
Serial Number: FCH1838ABCD
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x1
Configuration last modified by enable_15 at 23:09:02.104 UTC Mon Apr 16 2018
Since I got no backup of the activation keys, I went to Cisco's licensing portal to retrieve a free 3DES/AES Encryption license and install it using the activation-key <KEY> command.
Go to Cisco's licensing portal (CCO login required) > Licenses > Get Licenses > IPS, Crypt, other > Security Products.
Under Product choose Cisco ASA 3DES/AES License.
Type the Serial Number from show version output.
ciscoasa(config)# activation-key d51bcf71 7417f552 e8921abc 9004bdef 421b0123
ciscoasa(config)# show version
<OUTPUT TRUNCATED>
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual
This platform has an ASA5525 VPN Premium license.
Serial Number: FCH1838ABCD
Running Permanent Activation Key: 0xd51bcf71 0x7417f552 0xe8921abc 0x9004bdef 0x421b0123
Configuration register is 0x1
Configuration last modified by enable_15 at 23:09:02.104 UTC Mon Apr 16 2018
ciscoasa(config)# crypto ipsec transform-set TSET esp-aes esp-sha-hmac
The 3DES/AES algorithms require a Encryption-3DES-AES activation key.
I verified the ASA Encryption license using the show version command but found the Encryption-3DES-AES was Disabled and the activation key were all 0s (0x00000000 0x00000000...). I suspect the activation key got lost or was corrupted while doing the image upgrade path from factory default of 8.6 > 9.0 > 9.2.
ciscoasa(config)# show version
Cisco Adaptive Security Appliance Software Version 9.2(4)
Device Manager Version 6.6(1)
Compiled on Tue 14-Jul-15 23:02 PDT by builders
System image file is "disk0:/asa924-smp-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 8 days 2 hours
Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-PLUS-0020-B1
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
0: Int: Internal-Data0/0 : address is f44e.059f.8b7c, irq 11
1: Ext: GigabitEthernet0/0 : address is f44e.059f.8b81, irq 5
2: Ext: GigabitEthernet0/1 : address is f44e.059f.8b7d, irq 5
3: Ext: GigabitEthernet0/2 : address is f44e.059f.8b82, irq 10
4: Ext: GigabitEthernet0/3 : address is f44e.059f.8b7e, irq 10
5: Ext: GigabitEthernet0/4 : address is f44e.059f.8b83, irq 5
6: Ext: GigabitEthernet0/5 : address is f44e.059f.8b7f, irq 5
7: Ext: GigabitEthernet0/6 : address is f44e.059f.8b84, irq 10
8: Ext: GigabitEthernet0/7 : address is f44e.059f.8b80, irq 10
9: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
12: Ext: Management0/0 : address is f44e.059f.8b7c, irq 0
The Running Activation Key is not valid, using default settings:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Disabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA5525 VPN Premium license.
Serial Number: FCH1838ABCD
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x1
Configuration last modified by enable_15 at 23:09:02.104 UTC Mon Apr 16 2018
Since I got no backup of the activation keys, I went to Cisco's licensing portal to retrieve a free 3DES/AES Encryption license and install it using the activation-key <KEY> command.
Go to Cisco's licensing portal (CCO login required) > Licenses > Get Licenses > IPS, Crypt, other > Security Products.
Under Product choose Cisco ASA 3DES/AES License.
Type the Serial Number from show version output.
ciscoasa(config)# activation-key d51bcf71 7417f552 e8921abc 9004bdef 421b0123
ciscoasa(config)# show version
<OUTPUT TRUNCATED>
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual
This platform has an ASA5525 VPN Premium license.
Serial Number: FCH1838ABCD
Running Permanent Activation Key: 0xd51bcf71 0x7417f552 0xe8921abc 0x9004bdef 0x421b0123
Configuration register is 0x1
Configuration last modified by enable_15 at 23:09:02.104 UTC Mon Apr 16 2018
No comments:
Post a Comment