Asav License

With the release of 9.3 for ASAs, Cisco introduced Smart Licensing, which lets you purchase and manage a pool of licenses centrally. Unlike product authorization key (PAK) licenses, smart licenses are not tied to a specific serial number. You can easily deploy or retire ASAvs without having to manage each unit’s license key. Smart Software Licensing also lets you see your license usage and needs at a glance (source).

Personally, I think it’s a great way to manage all of your licenses. This is especially helpful if you are in the cloud sector. As a private cloud provider, for example, it allows you to manage licenses for your IaaS offering in one centralized location, quickly and easily. The ability to “reuse” a license, moving it to a second tenant if one tenant no longer needs it, is a powerful tool. Since everything is going virtual, not having licenses tied to physical equipment provides leverage and speed in deployments.

Before hopping into the implementation piece, I would like to provide an overview of the different licenses that Cisco provides for its virtual ASAs.

As you may know, the difference is going to be in the resources and features. Before purchasing any ASAv license, it’s crucial to identify your requirements, such as throughput, sessions, etc.

The table below provides all the information you need for Cisco’s four offerings (ASAv5, ASAv10, ASAv30, ASAv50) as of April 10, 2018. The highlighted features are the ones I would pay close attention to before making a purchasing decision. For more information, including ordering part numbers, please visit the Cisco Data Sheet.

Table 1.

| Feature | ASAv5 | ASAv10 | ASAv30 | ASAv50 |
|---|---|---|---|---|
| Stateful inspection throughput (maximum)¹ (UDP) | 100 Mbps | 1 Gbps | 2 Gbps | 10 Gbps |
| Stateful inspection throughput (multiprotocol)² (TCP) | 50 Mbps | 500 Mbps | 1 Gbps | 5 Gbps |
| Advanced Encryption Standard (AES) VPN throughput³ | 30 Mbps | 125 Mbps | 1 Gbps | 3 Gbps |
| Connections per second | 8,000 | 20,000 | 60,000 | 120,000 |
| Concurrent sessions | 50,000 | 100,000 | 500,000 | 2,000,000 |
| VLANs | 25 | 50 | 200 | 1024 |
| Bridge groups | 12 | 25 | 100 | 250 |
| IPsec VPN peers | 50 | 250 | 750 | 10,000 |
| Cisco AnyConnect® or clientless VPN user sessions | 50 | 250 | 750 | 10,000 |
| Cisco Unified Communications phone proxy | 50 | 250 | 1000 | Not tested |
| Cisco Cloud Web Security users | 250 | 1,000 | 5000 | Not tested |
| Virtual CPUs | 1 | 1 | 4 | 8 |
| Memory | 1 GB minimum, 1.5 GB maximum | 2 GB | 8 GB | 16 GB |
| Minimum disk storage⁴ | 8 GB | 8 GB | 16 GB | 16 GB |

Rows that span the models:

High availability: Active/standby
Hypervisor support: VMware ESX/ESXi 6.0, 6.5; vMotion. KVM. Hyper-V: Windows Server 2012 R2 (Not supported for ASAv50)
Public Cloud Support: AWS (c3.large, c3.xlarge, c4.large, c4.xlarge, M4); Azure (d3, d3_v2) (including Azure Government Cloud). ASAv50: Currently not supported on Public Cloud
Modes: Routed and transparent

Once you purchase the license there are two (2) pieces to the puzzle. First, you will need to deploy the OVF file on your compute infrastructure (VMware/Hyper-V). This post does not cover the deployment of the OVF file. Please let me know if you are interested in that piece and I’ll be more than happy to present it. Otherwise, please follow one of the Cisco KB articles on this process.

After ASAv has been deployed you will need to register it to get all the features you paid for.

By default, ASAv comes with limited resources. That can be verified by the following three commands:

ASAv# sh vm

Virtual Platform Resource Limits
--------------------------------
Number of vCPUs : 0
Processor Memory : 0 MB

Virtual Platform Resource Status
--------------------------------
Number of vCPUs : 2 (Noncompliant: Over-provisioned)
Processor Memory : 4096 MB (Noncompliant: Over-provisioned)
Hypervisor : VMware
Model Id : ASAv30

ASAv# sh ver

Cisco Adaptive Security Appliance Software Version 9.8(2)20
Firepower Extensible Operating System Version 2.2(2.63)
Device Manager Version 7.8(1)

Compiled on Fri 02-Feb-18 06:18 PST by builders
System image file is "disk0:/asa982-20-smp-k8.bin"
Config file at boot was "startup-config"

IDS-LDEN-Demo01-ASAv up 61 days 21 hours

Hardware: ASAv, 4096 MB RAM, CPU Xeon E5 series 2000 MHz, 1 CPU (2 cores)
Model Id: ASAv30
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x0, 0KB

0: Ext: Management0/0 : address is 0050.56a1.26a7, irq 10
1: Ext: GigabitEthernet0/0 : address is 0050.56a1.1c89, irq 5
2: Ext: GigabitEthernet0/1 : address is 0050.56a1.52a8, irq 9
3: Ext: GigabitEthernet0/2 : address is 0050.56a1.399c, irq 11
4: Ext: GigabitEthernet0/3 : address is 0050.56a1.3ac9, irq 10
5: Ext: GigabitEthernet0/4 : address is 0050.56a1.0fa1, irq 5
6: Ext: GigabitEthernet0/5 : address is 0050.56a1.76ff, irq 9
7: Ext: GigabitEthernet0/6 : address is 0050.56a1.7d33, irq 11
8: Ext: GigabitEthernet0/7 : address is 0050.56a1.376d, irq 10
9: Ext: GigabitEthernet0/8 : address is 0050.56a1.3784, irq 5

License mode: Smart Licensing
ASAv Platform License State: Unlicensed
No active entitlement: no feature tier and no throughput level configured
*Memory resource allocation is more than the permitted limit.

ASAv# sh license status

Smart Licensing is ENABLED

Registration:
Status: UNREGISTERED
Export-Controlled Functionality: Not Allowed

License Authorization:
Status: No Licenses in Use

Registering your newly deployed ASAv requires applying a token ID that can be generated from the Smart Licensing Portal. Please note you should have an account that was created during the purchase process.

Once logged in, navigate to the Smart Software Licensing URL (fig. 1).

Navigate to Inventory > Licenses to verify that the license was applied to your account (fig. 2).

From that point, navigate to General > New Token > Create Token (fig. 3).

At this point a new token should be generated (fig. 4). Copy it to the clipboard; you’ll need it soon.

In order to have a successful license installation your ASAv needs to be able to ping/resolve tools.cisco.com.

ASAv# ping tools.cisco.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.37.145.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/36/40 ms

If that fails, your registration will fail. Make sure you have DNS domain lookup properly configured. This is a step that is missed a lot of the time.

ASAv(config)# dns domain-lookup outside
DNS server-group DefaultDNS
name-server 8.8.8.8
domain-name companyName.local

Now you are ready to apply Smart Licensing. First, set the proper throughput level in the license smart configuration:

ASAv(config)# license smart
ASAv(config-smart-lic)# ?

Smart Licensing configuration commands:
exit Exit Smart Licensing configuration mode and apply configuration
feature Set License feature
no Negate a command
throughput Set License throughput
ASAv(config-smart-lic)# throughput level ?

smart-lic-mode mode commands/options:
100M Enable 100 Mbps throughput level
10G Enable 10 Gbps throughput level
1G Enable 1 Gbps throughput level
2G Enable 2 Gbps throughput level

The full set of commands, e.g. for ASAv30, would be:

license smart
feature tier standard
throughput level 2G
exit

Finally, apply the idtoken that you previously copied to your clipboard:

license smart register idtoken MzE2MTMwMzItMzQ4Yy00NmUxLWI3ZjYtNWFhZGVlMDc4ZWViLTE1MjU5NzQ4%0AMDQ2MDd8RHp0NkdkbGRZOFlnSllUM0dEVUdmN0c force

To verify that the license was successfully installed, check the VM status as well as the license usage:

ASAv# sh vm

Virtual Platform Resource Limits
--------------------------------
Number of vCPUs : 4
Processor Memory : 8192 MB

Virtual Platform Resource Status
--------------------------------
Number of vCPUs : 4 (Compliant)
Processor Memory : 8192 MB (Compliant)
Hypervisor : VMware
Model Id : ASAv30

ASAv# sh license usage

License Authorization:
Status: AUTHORIZED on Feb 09 03:08:47 2018 UTC

ASAv30 Standard – 2G (ASAv-STD-2G):
Description: ASAv30 Standard – 2G
Count: 1
Version: 1.0
Status: AUTHORIZED

If the registration failed, double-check that you can ping tools.cisco.com and/or regenerate the idtoken on the Smart Licensing Portal and reapply it.
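
The verification steps above can be scripted when you have more than a handful of ASAvs. The following is an added example, not part of the original post or any Cisco tool: it parses saved "sh vm" and "sh license status" output in the format shown on this page and lists what is still wrong. The function names and the "REGISTERED" state string are assumptions of this example.

```python
import re

# Throughput level per model, from Table 1 and the "throughput level ?" help above.
LEVEL_FOR_MODEL = {"ASAv5": "100M", "ASAv10": "1G", "ASAv30": "2G", "ASAv50": "10G"}
# Healthy states; "REGISTERED" is assumed as the counterpart of UNREGISTERED.
OK_STATE = {"Registration": "REGISTERED", "License Authorization": "AUTHORIZED"}

def parse_show_vm(text):
    """Return (model_id, {resource: {"limit", "status", "compliance"}})."""
    section, model, res = None, None, {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Virtual Platform Resource"):
            section = "limit" if line.endswith("Limits") else "status"
        m = re.match(r"(Number of vCPUs|Processor Memory|Model Id)\s*:\s*(\S+)(?:.*\((.+)\))?", line)
        if not m:
            continue
        key, value, note = m.groups()
        if key == "Model Id":
            model = value
        else:
            entry = res.setdefault(key, {})
            entry[section] = int(value)
            entry["compliance"] = note or entry.get("compliance")
    return model, res

def audit(show_vm, show_license_status, throughput_level=None):
    """List reasons this ASAv is not correctly licensed (empty list means OK)."""
    model, res = parse_show_vm(show_vm)
    findings = [f"{n}: {r.get('status')} allocated, limit {r.get('limit')} ({r.get('compliance')})"
                for n, r in res.items() if r.get("compliance") != "Compliant"]
    for block, ok in OK_STATE.items():
        m = re.search(block + r":\s*\n\s*Status:\s*(.+)", show_license_status)
        state = m.group(1).strip() if m else "missing"
        if not state.startswith(ok):
            findings.append(f"{block}: {state}")
    expected = LEVEL_FOR_MODEL.get(model)
    if throughput_level and throughput_level != expected:
        findings.append(f"throughput level {throughput_level}, expected {expected} for {model}")
    return findings

# Abridged from the pre-registration output shown on this page.
VM_BEFORE = """Virtual Platform Resource Limits
Number of vCPUs : 0
Processor Memory : 0 MB
Virtual Platform Resource Status
Number of vCPUs : 2 (Noncompliant: Over-provisioned)
Processor Memory : 4096 MB (Noncompliant: Over-provisioned)
Model Id : ASAv30"""
LICENSE_BEFORE = "Registration:\nStatus: UNREGISTERED\nLicense Authorization:\nStatus: No Licenses in Use"
```

Calling audit(VM_BEFORE, LICENSE_BEFORE, "1G") reports the two over-provisioned resources, the unregistered and unauthorized states, and the throughput level that does not match the ASAv30 model.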

I hope this has been informative, and let me know if you were successful or not.

Thanks.
