Saturday, January 2, 2021

Cisco ASA 5506-X Security Plus License

I had to configure a pair of Cisco ASA 5506-X firewalls and apply a Security Plus license in order to support the Active/Standby Failover (High Availability) feature. You'll find the comparison between the Base license vs. Security Plus license feature on this link.

You'll be prompted a warning message for the lack of failover license support when you try to configure the standby (failover) IP address on an ASA interface.

ASA5506-X(config-if)# interface BVI1

ASA5506-X(config-if)# nameif inside

ASA5506-X(config-if)# security-level 100

ASA5506-X(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

WARNING: Cannot configure standby IP address because this unit lack failover license support.

 

 

ASA5506-X# show version

 

Cisco Adaptive Security Appliance Software Version 9.8(2)

Firepower Extensible Operating System Version 2.2(2.52)

Device Manager Version 7.8(2)

 

Compiled on Thu 02-Apr-20 10:19 PDT by builders

System image file is "disk0:/asa982-lfbff-k8.SPA"

Config file at boot was "startup-config"

 

ASA5506-X up 25 mins 29 secs

 

Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)

Internal ATA Compact Flash, 8000MB

BIOS Flash M25P64 @ 0xfed01000, 16384KB

 

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)

                             Number of accelerators: 1

 

 1: Ext: GigabitEthernet1/1  : address is bc5a.5681.d596, irq 255

 2: Ext: GigabitEthernet1/2  : address is bc5a.5681.d597, irq 255

 3: Ext: GigabitEthernet1/3  : address is bc5a.5681.d598, irq 255

 4: Ext: GigabitEthernet1/4  : address is bc5a.5681.d599, irq 255

 5: Ext: GigabitEthernet1/5  : address is bc5a.5681.d59a, irq 255

 6: Ext: GigabitEthernet1/6  : address is bc5a.5681.d59b, irq 255

 7: Ext: GigabitEthernet1/7  : address is bc5a.5681.d59c, irq 255

 8: Ext: GigabitEthernet1/8  : address is bc5a.5681.d59d, irq 255

 9: Int: Internal-Data1/1    : address is bc5a.5681.d595, irq 255

10: Int: Internal-Data1/2    : address is 0000.0001.0002, irq 0

11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0

12: Int: Internal-Data1/3    : address is 0000.0001.0003, irq 0

13: Ext: Management1/1       : address is bc5a.5681.d595, irq 0

14: Int: Internal-Data1/4    : address is 0000.0100.0001, irq 0

 

Licensed features for this platform:

Maximum Physical Interfaces       : Unlimited      perpetual

Maximum VLANs                     : 5              perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Disabled       perpetual

Encryption-DES                    : Enabled        perpetual

Encryption-3DES-AES               : Enabled        perpetual

Carrier                           : Disabled       perpetual

AnyConnect Premium Peers          : 2              perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 10             perpetual

Total VPN Peers                   : 12             perpetual

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone    : Disabled       perpetual

Advanced Endpoint Assessment      : Disabled       perpetual

Shared License                    : Disabled       perpetual

Total TLS Proxy Sessions          : 2              perpetual

Botnet Traffic Filter             : Disabled       perpetual

Cluster                           : Disabled       perpetual

 

This platform has a Base license.

 

Serial Number: JAD24111234

Running Permanent Activation Key: 0xd71be575 0xb069db6f 0xb0523db4 0x949058c8 0x44221234

Configuration register is 0x1

Image type                : Release

Key Version               : A

Configuration last modified by enable_15 at 11:56:07.469 UTC Tue Nov 10 2020

 

 

You'll need to register and retrieve the license key in the Cisco Licensing portal. Next, apply the license key using the global config activation-key <KEY> command and issue a reload for the license to take effect.

 

ASA5506-X(config-if)# activation-key 3c2dfa64 2c9281c9 5491edd8 8b4c40a4 cb356789

Validating activation key. This may take a few minutes...

Failover is different.

   running permanent activation key: Restricted(R)

   new permanent activation key: Unrestricted(UR)

WARNING: The running activation key was not updated with the requested key.

Proceed with update flash activation key? [confirm] <ENTER>

The flash permanent activation key was updated with the requested key,

and will become active after the next reload.

ASA5506-X(config-if)# end

ASA5506-X# reload

Proceed with reload? [confirm]

ASA5506-X#

 

 

***

*** --- START GRACEFUL SHUTDOWN ---

Shutting down isakmp

Shutting down webvpn

Shutting down sw-module

Shutting down License Controller

Shutting down File system

 

 

 

***

*** --- SHUTDOWN NOW ---

Process shutdown finished

Rebooting... (status 0x9)

 

 

<OUTPUT TRUNCATED>

 

 

Notice the ASA 5506-X now has the Security Plus license as well as the Maximum VLANs is now 30, Failover has been enabled for Active/Standby and VPN peers was increased to 50 (for AnyConnect VPN). The support for AnyConnect requires a separate AnyConnect Plus or Apex license.

 

ASA5506-X# show version

 

Cisco Adaptive Security Appliance Software Version 9.8(2)

Firepower Extensible Operating System Version 2.2(2.52)

Device Manager Version 7.8(2)

 

Compiled on Thu 02-Apr-20 10:19 PDT by builders

System image file is "disk0:/asa982-lfbff-k8.SPA"

Config file at boot was "startup-config"

 

ASA5506-X up 13 mins 34 secs

 

Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)

Internal ATA Compact Flash, 8000MB

BIOS Flash M25P64 @ 0xfed01000, 16384KB

 

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)

                             Number of accelerators: 1

 

 1: Ext: GigabitEthernet1/1  : address is bc5a.5681.d596, irq 255

 2: Ext: GigabitEthernet1/2  : address is bc5a.5681.d597, irq 255

 3: Ext: GigabitEthernet1/3  : address is bc5a.5681.d598, irq 255

 4: Ext: GigabitEthernet1/4  : address is bc5a.5681.d599, irq 255

 5: Ext: GigabitEthernet1/5  : address is bc5a.5681.d59a, irq 255

 6: Ext: GigabitEthernet1/6  : address is bc5a.5681.d59b, irq 255

 7: Ext: GigabitEthernet1/7  : address is bc5a.5681.d59c, irq 255

 8: Ext: GigabitEthernet1/8  : address is bc5a.5681.d59d, irq 255

 9: Int: Internal-Data1/1    : address is bc5a.5681.d595, irq 255

10: Int: Internal-Data1/2    : address is 0000.0001.0002, irq 0

11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0

12: Int: Internal-Data1/3    : address is 0000.0001.0003, irq 0

13: Ext: Management1/1       : address is bc5a.5681.d595, irq 0

14: Int: Internal-Data1/4    : address is 0000.0100.0001, irq 0

 

Licensed features for this platform:

Maximum Physical Interfaces       : Unlimited      perpetual

Maximum VLANs                     : 30             perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Active/Standby perpetual

Encryption-DES                    : Enabled        perpetual

Encryption-3DES-AES               : Enabled        perpetual

Carrier                           : Disabled       perpetual

AnyConnect Premium Peers          : 4              perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 50             perpetual

Total VPN Peers                   : 50             perpetual

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone    : Disabled       perpetual

Advanced Endpoint Assessment      : Disabled       perpetual

Shared License                    : Disabled       perpetual

Total TLS Proxy Sessions          : 160            perpetual

Botnet Traffic Filter             : Disabled       perpetual

Cluster                           : Disabled       perpetual

 

This platform has an ASA 5506 Security Plus license.

 

Serial Number: JAD24111234

Running Permanent Activation Key: 0x3c2dfa64 0x2c9281c9 0x5491edd8 0x8b4c40a4 0xcb356789

Configuration register is 0x1

Image type                : Release

Key Version               : A

Configuration has not been modified since last system restart.


No comments:

Post a Comment