Saturday, March 9, 2024

Cisco Secure Firewall 3100 ASA Smart License

The Encryption-3DES-AES license feature was disabled by default, and I needed to add the Standard Smart license (Essentials license) for the Cisco Secure Firewall FPR 3110. The Cisco Smart Software Manager (CSSM) allows export-controlled functionality on its registration tokens by default. Refer to this link.

Essentials license: L-FPR3110-BSE=. The Essentials license is a required license.

Strong Encryption (3DES/AES) license: L-FPR3K-ENC-K9=. Only required if your account is not authorized for strong encryption.

ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 9.18(3)56
SSP Operating System Version 2.12(0.519)
Device Manager Version 7.20(1)

Compiled on Tue 12-Sep-23 19:15 GMT by builders
System image file is "disk0:/installables/switch/fxos-k8-fp3k-lfbff.2.12.0.519.SPA"
Config file at boot was "startup-config"

ciscoasa up 1 min 57 secs
Start-up time 8 secs

Hardware:   FPR-3110, 52168 MB RAM, CPU Ryzen Zen 2 2900 MHz, 1 CPU (24 cores)

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             AE microcode        : CNN5x-MC-AE-MAIN-0007
                             SE SSL microcode    : CNN5x-MC-SE-SSL-0018
                             Number of accelerators: 1

 1: Int: Internal-Data0/1    : address is 0000.0041.0004, irq 152
 3: Int: Not licensed        : irq 0
 4: Ext: Management1/1       : address is c47e.e07e.1482, irq 0
 5: Int: Internal-Data1/1    : address is 0000.0100.0001, irq 0

License mode: Smart Licensing
              
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      
Maximum VLANs                     : 1024           
Inside Hosts                      : Unlimited      
Failover                          : Active/Active  
Encryption-DES                    : Enabled        
Encryption-3DES-AES               : Disabled       
Security Contexts                 : 2              
Carrier                           : Disabled       
AnyConnect Premium Peers          : 3000           
AnyConnect Essentials             : Disabled       
Other VPN Peers                   : 3000           
Total VPN Peers                   : 3000           
AnyConnect for Mobile             : Enabled        
AnyConnect for Cisco VPN Phone    : Enabled        
Advanced Endpoint Assessment      : Enabled        
Shared License                    : Disabled       
Total TLS Proxy Sessions          : 4000           
Cluster                           : Enabled        

Serial Number: FJZ27231234
Configuration register is 0x1
Configuration has not been modified since last system restart.


ciscoasa# show license summ

Smart Licensing is ENABLED

Registration:
  Status: UNREGISTERED
  Export-Controlled Functionality: NOT ALLOWED

License Authorization:
  Status: EVAL MODE
  Evaluation Period Remaining: 82 days, 6 hours, 37 minutes, 42 seconds

License Usage:
  License                 Entitlement tag               Count Status
  -----------------------------------------------------------------------------
                          (FPR_3110_BASE_STD)               1 EVAL MODE


I configured Smart Call Home (SCH) using the management interface and used the HTTP method only.

ciscoasa(config)# dns domain-lookup management
ciscoasa(config)# call-home
ciscoasa(cfg-call-home)#  no profile CiscoTAC-1
INFO: default profile is reset to default configuration.
ciscoasa(cfg-call-home)# profile MY-LICENSE
ciscoasa(cfg-call-home-profile)#   active
ciscoasa(cfg-call-home-profile)#   destination address http http://<CSSM IP>/Transportgateway/services/DeviceRequestHandler
ciscoasa(cfg-call-home-profile)# destination transport-method http
ciscoasa(cfg-call-home-profile)# license smart
INFO: License(s) corresponding to an entitlement will be activated only after an entitlement request has been authorized.
ciscoasa(config-smart-lic)#  feature tier standard

ciscoasa# license smart register idtoken <CSSM REGISTRATION TOKEN>

ciscoasa# show license summary                        

Smart Licensing is ENABLED

Registration:
  Status: REGISTERED
  Smart Account: MY-ACCOUNT
  Virtual Account: Default
  Export-Controlled Functionality: ALLOWED
  Last Renewal Attempt: None
  Next Renewal Attempt: Apr 29 2024 06:35:22 UTC

License Authorization:
  Status: AUTHORIZED
  Last Communication Attempt: SUCCEEDED
  Next Communication Attempt: Dec 01 2023 06:35:34 UTC

License Usage:
  License                 Entitlement tag               Count Status
  -----------------------------------------------------------------------------
  FPR3110 Base License    (FPR_3110_BASE_STD)               1 AUTHORIZED


ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 9.18(3)56
SSP Operating System Version 2.12(0.519)
Device Manager Version 7.20(1)
Compiled on Tue 12-Sep-23 19:15 GMT by builders
System image file is "disk0:/installables/switch/fxos-k8-fp3k-lfbff.2.12.0.519.SPA"
Config file at boot was "startup-config"

ciscoasa up 6 mins 4 secs
Start-up time 8 secs

Hardware:   FPR-3110, 52168 MB RAM, CPU Ryzen Zen 2 2900 MHz, 1 CPU (24 cores)

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             AE microcode        : CNN5x-MC-AE-MAIN-0007
                             SE SSL microcode    : CNN5x-MC-SE-SSL-0018
                             Number of accelerators: 1

 1: Int: Internal-Data0/1    : address is 0000.0041.0004, irq 43
 3: Int: Not licensed        : irq 0
 4: Ext: Management1/1       : address is c47e.e07e.1482, irq 0
 5: Int: Internal-Data1/1    : address is 0000.0100.0001, irq 0

License mode: Smart Licensing
              
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      
Maximum VLANs                     : 1024           
Inside Hosts                      : Unlimited      
Failover                          : Active/Active  
Encryption-DES                    : Enabled        
Encryption-3DES-AES               : Enabled        
Security Contexts                 : 2              
Carrier                           : Disabled       
AnyConnect Premium Peers          : 3000           
AnyConnect Essentials             : Disabled       
Other VPN Peers                   : 3000           
Total VPN Peers                   : 3000           
AnyConnect for Mobile             : Enabled        
AnyConnect for Cisco VPN Phone    : Enabled        
Advanced Endpoint Assessment      : Enabled        
Shared License                    : Disabled       
Total TLS Proxy Sessions          : 4000           
Cluster                           : Enabled
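
The before/after comparison above can be automated when checking several firewalls. The following is an added example, not part of the original post or any Cisco tooling: it parses saved `show version` and `show license summary` text and lists the conditions that leave the ASA limited to DES. The function names and the trimmed sample strings are constructed for illustration.

```python
import re

# Constructed samples, trimmed from the command output shown in this post.
BEFORE_VERSION = """\
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Disabled
"""
BEFORE_LICENSE = """\
Registration:
  Status: UNREGISTERED
  Export-Controlled Functionality: NOT ALLOWED

License Authorization:
  Status: EVAL MODE
"""
AFTER_VERSION = BEFORE_VERSION.replace("Disabled", "Enabled")
AFTER_LICENSE = """\
Registration:
  Status: REGISTERED
  Export-Controlled Functionality: ALLOWED

License Authorization:
  Status: AUTHORIZED
"""

def section_field(text, section, field):
    """Return the value of `field` inside the indented block under `section:`."""
    block = re.search(rf"^{re.escape(section)}:[ \t]*\n((?:^[ \t]+.*$\n?)+)", text, re.M)
    if not block:
        return None
    hit = re.search(rf"^\s+{re.escape(field)}:\s*(.+?)\s*$", block.group(1), re.M)
    return hit.group(1) if hit else None

def audit_asa_license(show_version, show_license_summary):
    """List the licensing findings that leave the ASA without strong encryption."""
    findings = []
    feat = re.search(r"^Encryption-3DES-AES\s*:\s*(\S+)", show_version, re.M)
    if not feat or feat.group(1) != "Enabled":
        findings.append("3DES/AES feature not enabled (DES only)")
    if section_field(show_license_summary, "Registration", "Status") != "REGISTERED":
        findings.append("device not registered with CSSM")
    if section_field(show_license_summary, "Registration",
                     "Export-Controlled Functionality") != "ALLOWED":
        findings.append("export-controlled functionality not allowed")
    auth = section_field(show_license_summary, "License Authorization", "Status")
    if auth != "AUTHORIZED":
        findings.append(f"license authorization is {auth}")
    return findings
```

An empty list corresponds to the registered, authorized state shown in the second set of outputs.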