Cisco ASAv Smart Licensing Explained and Registration Process

With the release of 9.3 for ASAs, Cisco introduced Smart Licensing, which lets you purchase and manage a pool of licenses centrally. Unlike product authorization key (PAK) licenses, smart licenses are not tied to a specific serial number. You can easily deploy or retire ASAvs without having to manage each unit’s license key. Smart Software Licensing also lets you see your license usage and needs at a glance (source).

Personally, I think it’s a great way to manage all of your licenses. This is especially helpful if you are in the cloud sector. As a private cloud provider, for example, it allows you to manage licenses for your IaaS offering in one centralized location, fast and easy. The ability to “reuse” a license, moving it from one tenant that no longer needs it to a second tenant, is a powerful tool. Since everything is going virtual, not having licenses tied to physical equipment provides leverage and speed in deployments.

Before hopping into the implementation piece, I would like to provide an overview of the different licenses that Cisco provides for its virtual ASAs.

As you may know, the difference is going to be in the resources and features. Before purchasing any ASAv license, it’s crucial to identify your requirements, such as throughput, sessions, etc.

The table below provides all the information you need for Cisco’s four offerings (asav5, asav10, asav30, asav50) as of April 10, 2018. The highlighted features are the ones I would pay close attention to prior to a purchasing decision. For more information, including ordering part numbers, please visit the Cisco Data Sheet.

Table 1.

| Feature | ASAv5 | ASAv10 | ASAv30 | ASAv50 |
| --- | --- | --- | --- | --- |
| Stateful inspection throughput (maximum)¹ (UDP) | 100 Mbps | 1 Gbps | 2 Gbps | 10 Gbps |
| Stateful inspection throughput (multiprotocol)² (TCP) | 50 Mbps | 500 Mbps | 1 Gbps | 5 Gbps |
| Advanced Encryption Standard (AES) VPN throughput³ | 30 Mbps | 125 Mbps | 1 Gbps | 3 Gbps |
| Connections per second | 8,000 | 20,000 | 60,000 | 120,000 |
| Concurrent sessions | 50,000 | 100,000 | 500,000 | 2,000,000 |
| VLANs | 25 | 50 | 200 | 1024 |
| Bridge groups | 12 | 25 | 100 | 250 |
| IPsec VPN peers | 50 | 250 | 750 | 10,000 |
| Cisco AnyConnect® or clientless VPN user sessions | 50 | 250 | 750 | 10,000 |
| Cisco Unified Communications phone proxy | 50 | 250 | 1000 | Not tested |
| Cisco Cloud Web Security users | 250 | 1,000 | 5000 | Not tested |
| Virtual CPUs | 1 | 1 | 4 | 8 |
| Memory | 1 GB minimum, 1.5 GB maximum | 2 GB | 8 GB | 16 GB |
| Minimum disk storage⁴ | 8 GB | 8 GB | 16 GB | 16 GB |

High availability: Active/standby

Hypervisor support:
VMware ESX/ESXi 6.0, 6.5; vMotion
KVM
Hyper-V: Windows Server 2012 R2 (Not supported for ASAv50)

Public Cloud Support:
AWS (c3.large, c3.xlarge, c4.large, c4.xlarge, M4)
Azure (d3, d3_v2) (including Azure Government Cloud)
Currently not supported on Public Cloud

Modes: Routed and transparent

Once you purchase the license, there are two pieces to the puzzle. First, you need to deploy the OVF file on your compute infrastructure (VMware/Hyper-V). This post does not cover the deployment of the OVF file. Please let me know if you are interested in me covering that piece and I’ll be more than happy to present it. Otherwise, please follow one of the Cisco KB articles on this process.

After the ASAv has been deployed, you will need to register it to get all the features you paid for.

By default, ASAv comes with limited resources. That can be verified by the following three commands:

ASAv# sh vm

Virtual Platform Resource Limits
--------------------------------
Number of vCPUs              :     0 
Processor Memory             :     0 MB 

Virtual Platform Resource Status
--------------------------------
Number of vCPUs                 :     2     (Noncompliant: Over-provisioned)
Processor Memory                :  4096 MB  (Noncompliant: Over-provisioned)
Hypervisor                      :   VMware
Model Id                        :   ASAv30


ASAv# sh ver

Cisco Adaptive Security Appliance Software Version 9.8(2)20
Firepower Extensible Operating System Version 2.2(2.63)
Device Manager Version 7.8(1)

Compiled on Fri 02-Feb-18 06:18 PST by builders
System image file is "disk0:/asa982-20-smp-k8.bin"
Config file at boot was "startup-config"

IDS-LDEN-Demo01-ASAv up 61 days 21 hours

Hardware:   ASAv, 4096 MB RAM, CPU Xeon E5 series 2000 MHz, 1 CPU (2 cores)
Model Id:   ASAv30
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x0, 0KB

 0: Ext: Management0/0       : address is 0050.56a1.26a7, irq 10
1: Ext: GigabitEthernet0/0  : address is 0050.56a1.1c89, irq 5
2: Ext: GigabitEthernet0/1  : address is 0050.56a1.52a8, irq 9
3: Ext: GigabitEthernet0/2  : address is 0050.56a1.399c, irq 11
4: Ext: GigabitEthernet0/3  : address is 0050.56a1.3ac9, irq 10
5: Ext: GigabitEthernet0/4  : address is 0050.56a1.0fa1, irq 5
6: Ext: GigabitEthernet0/5  : address is 0050.56a1.76ff, irq 9
7: Ext: GigabitEthernet0/6  : address is 0050.56a1.7d33, irq 11
8: Ext: GigabitEthernet0/7  : address is 0050.56a1.376d, irq 10
9: Ext: GigabitEthernet0/8  : address is 0050.56a1.3784, irq 5

License mode: Smart Licensing
ASAv Platform License State: Unlicensed
No active entitlement: no feature tier and no throughput level configured
*Memory resource allocation is more than the permitted limit.


ASAv# sh license status

Smart Licensing is ENABLED

Registration:
Status: UNREGISTERED
Export-Controlled Functionality: Not Allowed

License Authorization: 
  Status: No Licenses in Use

Registering your newly deployed ASAv requires applying a token ID that can be generated from the Smart Licensing Portal. Please note that you should have an account created during the purchase process.

Once logged in, navigate to the Smart Software Licensing URL (fig.1).

fig.1

Navigate to Inventory > Licenses to verify that the license was applied to your account (fig.2).

fig.2

From that point, navigate to General > New Token > Create Token (fig.3).

fig.3

At this point a new token should be generated (fig.4). Copy it to your clipboard; you’ll need it soon.

fig.4

In order to have a successful license installation your ASAv needs to be able to ping/resolve tools.cisco.com.

ASAv# ping tools.cisco.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.37.145.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/36/40 ms

If that fails, your registration will fail. Make sure you have proper DNS domain lookup configured. This is the step that gets missed a lot of the time.

ASAv(config)# dns domain-lookup outside
ASAv(config)# dns server-group DefaultDNS
ASAv(config-dns-server-group)# name-server 8.8.8.8
ASAv(config-dns-server-group)# domain-name companyName.local

Now you are ready to apply Smart Licensing. First, set the proper throughput level under license smart:

ASAv(config)# license smart
ASAv(config-smart-lic)# ?

Smart Licensing configuration commands:
exit        Exit Smart Licensing configuration mode and apply configuration
feature     Set License feature
no          Negate a command
throughput  Set License throughput
ASAv(config-smart-lic)# throughput level ?

smart-lic-mode mode commands/options:
  100M  Enable 100 Mbps throughput level
  10G   Enable 10 Gbps throughput level
  1G    Enable 1 Gbps throughput level
  2G    Enable 2 Gbps throughput level

The full set of commands, e.g. for an ASAv30, would be:

license smart
feature tier standard
throughput level 2G
exit

Finally, apply the idtoken that you previously copied to your clipboard:

license smart register idtoken MzE2MTMwMzItMzQ4Yy00NmUxLWI3ZjYtNWFhZGVlMDc4ZWViLTE1MjU5NzQ4%0AMDQ2MDd8RHp0NkdkbGRZOFlnSllUM0dEVUdmN0c force

To verify that the license was successfully installed, check the VM status as well as the license usage:

ASAv# sh vm

Virtual Platform Resource Limits
--------------------------------
Number of vCPUs              :     4
Processor Memory             :  8192 MB 

Virtual Platform Resource Status
--------------------------------
Number of vCPUs                 :     4     (Compliant)
Processor Memory                :  8192 MB  (Compliant)
Hypervisor                      :   VMware
Model Id                        :   ASAv30


ASAv# sh license usage 

License Authorization:
Status: AUTHORIZED on Feb 09 03:08:47 2018 UTC

ASAv30 Standard - 2G (ASAv-STD-2G):
Description: ASAv30 Standard - 2G
Count: 1
Version: 1.0
Status: AUTHORIZED

If the registration failed, please double-check that you can ping tools.cisco.com and/or regenerate the idtoken on the Smart License Portal and reapply it.
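
When you run many ASAvs, the before/after check shown above can be scripted. The following is an added example, not part of the original post or any Cisco tool: it parses pasted "sh vm" and "sh license status" output and lists whatever is still unregistered, unauthorized or noncompliant. The function names and the "REGISTERED" success string are assumptions; the sample input is trimmed from the output shown earlier on this page.

```python
# Constructed sample: trimmed from the "sh vm" and "sh license status" output on
# this page (pre-registration state), with the dash rulers and blank lines removed.
BEFORE = """\
Virtual Platform Resource Limits
Number of vCPUs              :     0
Processor Memory             :     0 MB
Virtual Platform Resource Status
Number of vCPUs                 :     2     (Noncompliant: Over-provisioned)
Processor Memory                :  4096 MB  (Noncompliant: Over-provisioned)
Registration:
Status: UNREGISTERED
License Authorization:
  Status: No Licenses in Use
"""
SECTIONS = ("Virtual Platform Resource Limits", "Virtual Platform Resource Status",
            "Registration", "License Authorization")

def parse(text):
    """Group 'key : value' lines under the section header that precedes them."""
    out, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.rstrip(":") in SECTIONS:
            cur = out.setdefault(line.rstrip(":"), {})
        elif cur is not None and ":" in line:
            key, _, value = line.partition(":")
            cur.setdefault(key.strip(), value.strip())  # first value per key wins
    return out

def audit(text):
    """Return findings; an empty list means registered, authorized and compliant."""
    p, findings = parse(text), []
    # Assumption: "REGISTERED" is the success string; the page shows only UNREGISTERED.
    reg = p.get("Registration", {}).get("Status", "missing")
    auth = p.get("License Authorization", {}).get("Status", "missing")
    if reg != "REGISTERED":
        findings.append(f"registration: {reg}")
    if not auth.startswith("AUTHORIZED"):
        findings.append(f"authorization: {auth}")
    if "Virtual Platform Resource Status" not in p:
        findings.append("resources: no 'sh vm' output supplied")
    limits = p.get("Virtual Platform Resource Limits", {})
    for key, value in p.get("Virtual Platform Resource Status", {}).items():
        if "Noncompliant" in value:
            findings.append(f"{key}: {value} (limit {limits.get(key, '?')})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(BEFORE)) or "OK")
```

Missing sections are reported as findings rather than silently passing, so a truncated paste does not look like a healthy appliance.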

I hope this has been informative, and let me know if you were successful or not.

Thanks.
