Recovering a License Activation Key for the Cisco ASA

A Cisco ASA with a Base license, compared with an ASA with a Security Plus license: They can boot with identical image files, use identical hardware and identical config. They just have different features enabled. Like that old myth about humans using only 10 percent of their brains, the advanced features for the Cisco ASA are there in the boot image, they just need to be unlocked via license keys. (Well, you need to unlock your wallet too.)

Just do a show version or a show activation-key to see the type of license that is installed.

ciscoasa(config)# sh activation-key Serial Number:  JMXXXXXXXXX Running Activation Key: 0xblahblah 0xblahblah 0xblahblah 0xblahblah 0xblahblah   Licensed features for this platform: Maximum Physical Interfaces  : 8 VLANs                        : 3, DMZ Restricted Inside Hosts                 : 10 Failover                     : Disabled VPN-DES                      : Enabled VPN-3DES-AES                 : Enabled VPN Peers                    : 10 WebVPN Peers                 : 2 Dual ISPs                    : Disabled VLAN Trunk Ports             : 0 Advanced Endpoint Assessment : Disabled   This platform has a Base license.   The flash activation key is the SAME as the running key.

When you use the ERASE command in ROMMON mode, you completely wipe the Compact Flash card on a Cisco ASA. All the files and directories, even the hidden ones, are gone. Gone, baby, gone. The license files are located in the .private hidden directory, so if you wipe the Compact Flash card, the existing license information is lost. Even after you load a new boot image, the ASA will report that the license key is not valid during boot up (you can also check with a show version.) Some of the original features will be disabled until you install the correct license key.

Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000   This activation key is not valid. Use default settings only

The activation keys are all tied to the serial number of the ASA, so you can’t just cut and paste a key from another ASA. So, what do you do? You go to see the wizard; ask him to give you a new key. Go to:

http://www.cisco.com/web/go/license

Log in with a cisco.com ID and you will be presented with the Product License Registration page.

Cisco Product License Registration Page

You don’t need a PAK. Click the link for available licenses.

Select Cisco ASA 3DES/AES License

Select Cisco ASA 3DES/AES License.

Enter Serial Number of Cisco ASA

Enter the serial number of the Cisco ASA. You can get this by looking on the chassis, or doing a show version or a show activation-key. The license key will be emailed to you, and then all you have to do is enter it into the ASA with the activation-key command.

ciscoasa# conf t ciscoasa(config)# activation-key 0xb1ahb1ah 0xb1ahb1ah 0xb1ahb1ah 0xb1ahb1ah 00xb1ahb1ah   Validating activation key. This may take a few minutes...   The following features available in the running permanent activation key are NOT available in the new activation key:   Failover is different.      running permanent activation key: Restricted (R)      new activation key: Unrestricted (UR)   WARNING: The running activation key was not updated with the requested key.   Proceed with updating flash activation key? [y]   Flash permanent activation key was updated with the requested key.

Then do a show version to ensure that the new key has been applied.

- See more at: http://www.gomjabbar.com/2011/07/17/recovering-a-license-activation-key-for-the-cisco-asa/#sthash.LrIpMLRm.dpuf