Wednesday 24 May 2017

Recovering a License Activation Key for the Cisco ASA

Compare a Cisco ASA with a Base license to an ASA with a Security Plus license: they can boot with identical image files, use identical hardware and identical config. They just have different features enabled. Like that old myth about humans using only 10 percent of their brains, the advanced features for the Cisco ASA are there in the boot image; they just need to be unlocked via license keys. (Well, you need to unlock your wallet too.)
Just do a show version or a show activation-key to see the type of license that is installed.
ciscoasa(config)# sh activation-key
Serial Number:  JMXXXXXXXXX
Running Activation Key: 0xblahblah 0xblahblah 0xblahblah 0xblahblah 0xblahblah
 
Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : 10
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
VPN Peers                    : 10
WebVPN Peers                 : 2
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0
Advanced Endpoint Assessment : Disabled
 
This platform has a Base license.
 
The flash activation key is the SAME as the running key.
When you use the ERASE command in ROMMON mode, you completely wipe the Compact Flash card on a Cisco ASA. All the files and directories, even the hidden ones, are gone. Gone, baby, gone. The license files are located in the .private hidden directory, so if you wipe the Compact Flash card, the existing license information is lost. Even after you load a new boot image, the ASA will report that the license key is not valid during boot up (you can also check with a show version.) Some of the original features will be disabled until you install the correct license key.
Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
 
This activation key is not valid.
Use default settings only
The activation keys are all tied to the serial number of the ASA, so you can’t just cut and paste a key from another ASA. So, what do you do? You go to see the wizard; ask him to give you a new key. Go to:
Log in with a cisco.com ID and you will be presented with the Product License Registration page.
You don’t need a PAK. Click the link for available licenses.
Select Cisco ASA 3DES/AES License.
Enter the serial number of the Cisco ASA. You can get this by looking on the chassis, or doing a show version or a show activation-key. The license key will be emailed to you, and then all you have to do is enter it into the ASA with the activation-key command.
ciscoasa# conf t
ciscoasa(config)# activation-key 0xb1ahb1ah 0xb1ahb1ah 0xb1ahb1ah 0xb1ahb1ah 0xb1ahb1ah
 
Validating activation key. This may take a few minutes...
 
The following features available in the running permanent activation key are NOT available
in the new activation key:
 
Failover is different.
 
   running permanent activation key: Restricted (R)
 
   new activation key: Unrestricted (UR)
 
WARNING: The running activation key was not updated with the requested key.
 
Proceed with updating flash activation key? [y]
 
Flash permanent activation key was updated with the requested key.
Then do a show version to ensure that the new key has been applied.
- See more at: http://www.gomjabbar.com/2011/07/17/recovering-a-license-activation-key-for-the-cisco-asa/#sthash.LrIpMLRm.dpuf
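To verify the result after a reflash, the check below parses show activation-key output and flags a zeroed or invalid key, a missing VPN-3DES-AES feature, and an unconfirmed flash key. It is an added example, not part of the original post; the function names and sample outputs are constructed, and the five-word key layout is assumed from the listings above.

```python
import re

# Constructed samples shaped like the 'show activation-key' listings above;
# the serial number and key words are placeholders, not real values.
HEALTHY = """\
Serial Number:  JMXXXXXXXXX
Running Activation Key: 0x11111111 0x22222222 0x33333333 0x44444444 0x55555555

Licensed features for this platform:
Maximum Physical Interfaces  : 8
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled

This platform has a Base license.

The flash activation key is the SAME as the running key.
"""
WIPED = """\
Serial Number:  JMXXXXXXXXX
Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000

This activation key is not valid.
Use default settings only
"""

WORD = re.compile(r"0x[0-9a-fA-F]{1,8}")
# Feature rows look like "Name   : value"; header lines have no space before ':'.
FEATURE = re.compile(r"^([A-Za-z][\w -]*?)[ \t]+:[ \t]+(.+?)[ \t]*$", re.M)

def parse(text):
    """Extract serial, key words, license tier and the feature table."""
    serial = re.search(r"^Serial Number:\s*(\S+)", text, re.M)
    key = re.search(r"^Running Activation Key:[ \t]*(.*)$", text, re.M)
    tier = re.search(r"^This platform has an? (.+?) license\.", text, re.M)
    return {"serial": serial.group(1) if serial else None,
            "key": key.group(1).split() if key else [],
            "tier": tier.group(1) if tier else None,
            "features": dict(FEATURE.findall(text))}

def audit(text):
    """Return findings to resolve before putting the ASA back in service."""
    info, findings = parse(text), []
    words = info["key"]
    if len(words) != 5 or not all(WORD.fullmatch(w) for w in words):
        findings.append("running key missing or malformed")
    elif all(int(w, 16) == 0 for w in words) or "key is not valid" in text:
        findings.append(f"activation key zeroed/invalid for {info['serial']}")
    if info["features"].get("VPN-3DES-AES") != "Enabled":
        findings.append("VPN-3DES-AES not confirmed enabled")
    if "flash activation key is the SAME" not in text:
        findings.append("flash key not confirmed to match running key")
    return findings
```
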
