Cisco ASAv Smart Licensing Explained and Registration Process
April 10, 2018
With the realease of 9.3 for ASA’s Cisco introduced Smart Licensing where it lets you purchase and manage a pool of licenses centrally. Unlike product authorization key (PAK) licenses, smart licenses are not tied to a specific serial number. You can easily deploy or retire ASAvs without having to manage each unit’s license key. Smart Software Licensing also lets you see your license usage and needs at a glance(source).
Personally, I think it’s a great way to manage all of your licenses. This comes especially helpful if you are in the Cloud sector. As a Private Cloud provider for example it allows you to manage licenses for your IAAS offering in one centralized location fast and easy. Ability to “reuse” license if one tenant no longer needs it to the second tenant is a powerful tool. Since everything going virtual, not having licenses tied to physical equipment provides leverage and speed in deployments.
Before hopping in into implementation piece I would like to provide an overview of different licenses that Cisco provides for their virtual ASA’s.
As you may know the difference is going to be in the resources/features. Before purchasing any ASAv license its crucial to identify what are your requirements such as throughput, session ,etc.
Table below provides all the information you need for Cisco four offerings (asav5, asav10, asav30, asav50) as of April 10, 2018. Highlited features are the ones I would pay close attention prior purchasing decision. For more information please visit Cisco Data Sheet including ordering part numbers.
Azure (d3, d3_v2) (including Azure Government Cloud)
Currently not supported on Public Cloud
Routed and transparent
1 GB minimum
1.5 GB maximum
Minimum disk storage4
Once you purchase the license there are (2) pieces to the puzzle. First is you will need to deploy OVF file on your compute infrastructure (VMware/Hyper-V). This post does not cover the deployment of the OVF file. Please let me know if you are interested in covering that piece and I’ll be more than happy to present it. Otherwise please follow one of the Cisco KB articles on this process.
After ASAv has been deployed you will need to register it to get all the features you paid for.
By default, ASAv comes with limited resources. That can be verified by the following three commands:
ASAv# sh vm
Virtual Platform Resource Limits
——————————– Number of vCPUs : 0 Processor Memory : 0 MB
Virtual Platform Resource Status
Number of vCPUs : 2 (Noncompliant: Over-provisioned)
Processor Memory : 4096 MB (Noncompliant: Over-provisioned) Hypervisor : VMware Model Id : ASAv30
ASAv# sh ver
Cisco Adaptive Security Appliance Software Version 9.8(2)20
Firepower Extensible Operating System Version 2.2(2.63)
Device Manager Version 7.8(1)
Compiled on Fri 02-Feb-18 06:18 PST by builders
System image file is “disk0:/asa982-20-smp-k8.bin”
Config file at boot was “startup-config”
IDS-LDEN-Demo01-ASAv up 61 days 21 hours
Hardware: ASAv, 4096 MB RAM, CPU Xeon E5 series 2000 MHz, 1 CPU (2 cores) Model Id: ASAv30
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x0, 0KB
0: Ext: Management0/0 : address is 0050.56a1.26a7, irq 10
1: Ext: GigabitEthernet0/0 : address is 0050.56a1.1c89, irq 5
2: Ext: GigabitEthernet0/1 : address is 0050.56a1.52a8, irq 9
3: Ext: GigabitEthernet0/2 : address is 0050.56a1.399c, irq 11
4: Ext: GigabitEthernet0/3 : address is 0050.56a1.3ac9, irq 10
5: Ext: GigabitEthernet0/4 : address is 0050.56a1.0fa1, irq 5
6: Ext: GigabitEthernet0/5 : address is 0050.56a1.76ff, irq 9
7: Ext: GigabitEthernet0/6 : address is 0050.56a1.7d33, irq 11
8: Ext: GigabitEthernet0/7 : address is 0050.56a1.376d, irq 10
9: Ext: GigabitEthernet0/8 : address is 0050.56a1.3784, irq 5
License mode: Smart Licensing ASAv Platform License State: Unlicensed No active entitlement: no feature tier and no throughput level configured
*Memory resource allocation is more than the permitted limit.
ASAv# sh license status
Smart Licensing is ENABLED
Export-Controlled Functionality: Not Allowed
License Authorization: Status: No Licenses in Use
Registering your newly deployed ASAv will require applying tokenID that can be generated from Smart Licensing Portal. Please not you should have a account created during the purchase process.
Once logged in navigate to Smart Software Licensing URL(fig.1)
Navigate to Inventory > Licenses to verify if the license was applied to your account(fig.2).
From that point navigate to General > New Token > Create Token(fig.3).
At this point new Token should be generated(fig.4). Copy it to clipboard you’ll need it soon.
In order to have a successful license installation your ASAv needs to be able to ping/resolve tools.cisco.com.
ASAv# ping tools.cisco.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 220.127.116.11, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/36/40 ms
If that fails, your registration will fail. Make sure you have a proper dns domain lookup configured. This is the step that is being missed a lot of times.
ASAv(config)#dns domain-lookup outside
DNS server-group DefaultDNS
Now you are ready to apply Smart Licensing. First apply proper throughput level to license smart object
Bart is passionate about new technologies and their impact on our lives. He does not believe in titles or amount of certifications but positive attitude and motivation. Simply the guy that make things happen. You can reach him via Linkedin or meet him on CSGO. Currently focusing on architecting and designing custom-build hybrid cloud solutions around IaaS, DRaaS, BaaS realm.