ASA Smart License On FXOS Firepower Appliances - Www3-realm.cisco


ASA Smart License on FXOS

Contents

Prerequisites
Requirements
Components Used
Background Information
Smart Licensing Architecture
Overall Architecture
Configuration
Failover (High Availability)
ASA Cluster
Verification & Debugging
Chassis (MIO) Sample Outputs of Verification Commands
ASA Sample Outputs of Verification Commands
Sample Outputs from Chassis CLI
Common License Problems on FXOS Chassis (MIO)
License Issues on ASA - 1xxx/21xx Series
Engage Cisco TAC Support
Frequently Asked Questions (FAQ)
Related Information

Introduction

This document describes the Adaptive Security Appliance (ASA) Smart Licensing feature on Firepower eXtensible Operating System (FXOS). Smart Licensing on FXOS is used when there is an ASA installed on the chassis. For Firepower Threat Defense (FTD) and Firepower Management Center (FMC) Smart Licensing, check FMC and FTD Smart License Registration and Troubleshooting.

This document covers mainly the scenarios where the FXOS chassis has direct Internet access. If your FXOS chassis cannot access the Internet, then you need to consider either a Satellite Server or Permanent License Reservation (PLR). Check the FXOS configuration guide for more details on Offline Management.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

Smart Licensing Architecture

A high-level overview of the chassis components:

- Both Management Input/Output (MIO) and individual modules play roles in Smart Licensing
- MIO itself does not require any licenses for its operation
- SA Application(s) running on each module needs to be licensed

The FXOS supervisor is the Management Input/Output (MIO). The MIO contains 3 main components:

- Smart Agent
- License Manager
- AppAG

Overall Architecture

Nomenclature

Term: Description
Cisco License Authority: The Cisco license backend for Smart Licensing. Maintains all the customer product licensing related information including entitlements and device information.
Smart License Account: A customer account that has all the entitlements for the appliance.
Token ID: An identifier used to distinguish the Smart License Account when registering an appliance.
Entitlement: Equivalent to a license. May correspond to an individual feature or an entire feature tier.
Product Activation Key (PAK): The older licensing mechanism. Tied to a single appliance.

Smart Agent states and their descriptions:

Smart licensing is not enabled
Smart licensing has been enabled but the Smart Agent has not yet contacted Cisco to register
The agent has contacted the Cisco licensing authority and registered
Authorized: When an agent receives an in compliance status in response to an entitlement authorization request
Out Of Compliance: When an agent receives an Out of Compliance (OOC) status in response to an Entitlement Authorization request
Authorization expired: If the agent has not communicated with Cisco for 90 days

ASA Entitlements

These are the supported ASA entitlements:

- Standard tier
- Multi context
- Strong Encryption (3DES)
- Mobile/Service Provider (GTP)

Configuration

Follow the instructions from these documents:

- Smart Software Licensing (ASAv, ASA on Firepower)
- License Management for the ASA

Before any feature tier configuration:

asa(config-smart-lic)# show license all
Smart licensing enabled: Yes
Compliance status: In compliance
Overall licensed status: Invalid (0)
No entitlements in use
Serial Number: FCH12345ABC
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces: Unlimited
Maximum VLANs: 1024
Inside Hosts: Unlimited
Failover: Active/Active
Encryption-DES: Enabled
Encryption-3DES-AES: Enabled
Security Contexts: 10
Carrier: Disabled
AnyConnect Premium Peers: 20000
AnyConnect Essentials: Disabled
Other VPN Peers: 20000
Total VPN Peers: 20000
AnyConnect for Mobile: Enabled
AnyConnect for Cisco VPN Phone: Enabled
Advanced Endpoint Assessment: Enabled
Shared License: Disabled
Total TLS Proxy Sessions: 15000
Cluster:
*********************************WARNING****THIS DEVICE IS NOT LICENSED WITH A VALID FEATURE TIER ***************************************

Configure standard tier:

asa(config)# license smart
INFO: License(s) corresponding to an entitlement will be activated only after an entitlement request has been authorized.
asa(config-smart-lic)# feature tier standard
asa(config-smart-lic)# show license all
Smart licensing enabled: Yes
Compliance status: In compliance

Overall licensed status: Authorized (3)
Entitlement(s):
Feature tier:
Tag: regid.2015-10.com.cisco.FIREPOWER 4100 ASA STANDARD,1.0 7d7f5ee2-1398-4b0e-acedb3f7fb1cacfc
Version: 1.0
Enforcement mode: Authorized
Handle: 1
Requested time: Tue, 04 Aug 2020 07:58:13 UTC
Requested count: 1
Request status: Complete
Serial Number: FCH12345ABC
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 10
Carrier : Disabled
AnyConnect Premium Peers : 20000
AnyConnect Essentials : Disabled
Other VPN Peers : 20000
Total VPN Peers : 20000
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 15000
Clustetext

Failover (High Availability)

As it is documented in the ASA Configuration Guide, each Firepower unit must be registered with the License Authority or satellite server. Verification from the ASA CLI:

asa# show failover | include host
This host: Primary - Active
Other host: Secondary - Standby Ready
asa# show license all
Smart licensing enabled: Yes
Compliance status: In compliance
Overall licensed status: Authorized (3)
Entitlement(s):
Feature tier:
Tag: regid.2015-10.com.cisco.FIREPOWER 4100 ASA STANDARD,1.0 7d7f5ee2-1398-4b0e-acedb3f7fb1cacfc
Version: 1.0

Enforcement mode: Authorized
Handle: 1
Requested time: Tue, 04 Aug 2020 07:58:13 UTC
Requested count: 1
Request status: Complete
Serial Number: FCH12345ABC
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces: Unlimited
Maximum VLANs: 1024
Inside Hosts: Unlimited
Failover: Active/Active
Encryption-DES: Enabled
Encryption-3DES-AES: Enabled
Security Contexts: 10
Carrier: Disabled
AnyConnect Premium Peers: 20000
AnyConnect Essentials: Disabled
Other VPN Peers: 20000
Total VPN Peers: 20000
AnyConnect for Mobile: Enabled
AnyConnect for Cisco VPN Phone: Enabled
Advanced Endpoint Assessment: Enabled
Shared License: Disabled
Total TLS Proxy Sessions: 15000
Cluster: Enabled
Failover cluster licensed features for this platform:
Maximum Physical Interfaces: Unlimited
Maximum VLANs: 1024
Inside Hosts: Unlimited
Failover: Active/Active
Encryption-DES: Enabled
Encryption-3DES-AES: Enabled
Security Contexts: 20
Carrier: Disabled
AnyConnect Premium Peers: 20000
AnyConnect Essentials: Disabled
Other VPN Peers: 20000
Total VPN Peers: 20000
AnyConnect for Mobile: Enabled
AnyConnect for Cisco VPN Phone: Enabled
Advanced Endpoint Assessment: Enabled
Shared License: Disabled
Total TLS Proxy Sessions: 15000
Cluster: Enabled

The standby unit:

asa# show failover | i host
This host: Secondary - Standby Ready
Other host: Primary - Active
asa# show license all
Smart licensing enabled: Yes
Compliance status: In compliance
Overall licensed status: Not applicable in standby state

No entitlements in use
Serial Number: FCH12455DEF
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces: Unlimited
Maximum VLANs: 1024
Inside Hosts: Unlimited
Failover: Active/Active
Encryption-DES: Enabled
Encryption-3DES-AES: Disabled
Security Contexts: 10
Carrier: Disabled
AnyConnect Premium Peers: 20000
AnyConnect Essentials: Disabled
Other VPN Peers: 20000
Total VPN Peers: 20000
AnyConnect for Mobile: Enabled
AnyConnect for Cisco VPN Phone: Enabled
Advanced Endpoint Assessment: Enabled
Shared License: Disabled
Total TLS Proxy Sessions: 15000
Cluster: Enabled
Failover cluster licensed features for this platform:
Maximum Physical Interfaces: Unlimited
Maximum VLANs: 1024
Inside Hosts: Unlimited
Failover: Active/Active
Encryption-DES: Enabled
Encryption-3DES-AES: Enabled
Security Contexts: 20
Carrier: Disabled
AnyConnect Premium Peers: 20000
AnyConnect Essentials: Disabled
Other VPN Peers: 20000
Total VPN Peers: 20000
AnyConnect for Mobile: Enabled
AnyConnect for Cisco VPN Phone: Enabled
Advanced Endpoint Assessment: Enabled
Shared License: Disabled
Total TLS Proxy Sessions: 15000
Cluster: Enabled

Case Study: ASA HA license on FP2100

- On 2100 the ASA communicates with the Cisco Smart Licensing portal (cloud) using the ASA interfaces, not the FXOS management
- You need to register both ASAs to the Cisco Smart Licensing portal (cloud)

In this case, HTTP local authentication is used on outside interface:

ciscoasa(config)# show run http
http server enable
http 0.0.0.0 0.0.0.0 outside
ciscoasa(config)# show run aaa
aaa authentication http console LOCAL
ciscoasa(config)# show run username
username cisco password ***** pbkdf2

You can only connect to the ASA via ASDM if there is a 3DES/AES license enabled. For an ASA that is not already registered this is possible only on an interface that is management-only. Per configuration guide: "Strong Encryption (3DES/AES) is available for management connections before you connect to the License Authority or Satellite server so you can launch ASDM. Note that ASDM access is only available on management-only interfaces with the default encryption. Through the box traffic is not allowed until you connect and obtain the Strong Encryption license".

Otherwise, you get:

ciscoasa(config)# debug ssl 255
debug ssl enabled at level 255.
error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

To overcome this, the ASA has management-only configured on the Internet-facing interface, and thus an ASDM connection is possible:

interface Ethernet1/2
management-only
nameif outside
security-level 100
ip address 192.168.123.111 255.255.255.0 standby 192.168.123.112

Configure the Smart Licensing on Primary ASA:

Navigate to Monitoring > Properties > Smart License to check the status of the registration:

Primary ASA CLI verification:

ciscoasa/pri/act# show license all
Smart Licensing Status
Smart Licensing is ENABLED
Registration:

  Status: REGISTERED
  Smart Account: Cisco Systems, Inc.
  Virtual Account: NGFW
  Export-Controlled Functionality: Allowed
  Initial Registration: SUCCEEDED on Nov 25 2020 16:43:59 UTC
  Last Renewal Attempt: None
  Next Renewal Attempt: May 24 2021 16:43:58 UTC
  Registration Expires: Nov 25 2021 16:39:12 UTC
License Authorization:
  Status: AUTHORIZED on Nov 25 2020 16:47:42 UTC
  Last Communication Attempt: SUCCEEDED on Nov 25 2020 16:47:42 UTC
  Next Communication Attempt: Dec 25 2020 16:47:41 UTC
  Communication Deadline: Feb 23 2021 16:42:46 UTC
Utility:
  Status: DISABLED
Data Privacy:
  Sending Hostname: yes
  Callhome hostname privacy: DISABLED
  Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED
Transport:
  Type: Callhome
License Usage
Firepower 2100 ASA Standard (FIREPOWER 2100 ASA STANDARD):
  Description: Firepower 2100 ASA Standard
  Count: 1
  Version: 1.0
  Status: AUTHORIZED
Product Information
UDI: PID:FPR-2140,SN:JAD12345ABC
Agent Version
Smart Agent for Licensing: 4.3.6 rel/38
ciscoasa/pri/act# show run license
license smart
feature tier standard
ciscoasa/pri/act# show license features
Serial Number: JAD12345ABC
Export Compliant: YES
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled

AnyConnect Premium Peers : 10000
AnyConnect Essentials : Disabled
Other VPN Peers : 10000
Total VPN Peers : 10000
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 10000
Cluster : Disabled
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 4
Carrier : Disabled
AnyConnect Premium Peers : 10000
AnyConnect Essentials : Disabled
Other VPN Peers : 10000
Total VPN Peers : 10000
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 10000
Cluster : Disabled

Connect via ASDM to the standby ASA (this will be only possible if the ASA has been configured with a standby IP). The standby ASA is shown as UNREGISTERED and this is expected since it has not been registered yet to the Smart Licensing portal:

The standby ASA CLI shows:

ciscoasa/sec/stby# show license all
Smart Licensing Status

Smart Licensing is ENABLED
Registration:
  Status: UNREGISTERED
  Export-Controlled Functionality: Not Allowed
License Authorization:
  Status: No Licenses in Use
Utility:
  Status: DISABLED
Data Privacy:
  Sending Hostname: yes
  Callhome hostname privacy: DISABLED
  Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED
Transport:
  Type: Callhome
License Usage
No licenses in use
Product Information
UDI: PID:FPR-2140,SN:JAD123456A
Agent Version
Smart Agent for Licensing: 4.3.6 rel/38
ciscoasa/sec/stby# show run license
license smart
feature tier standard

The license features enabled on the standby ASA:

ciscoasa/sec/stby# show license features
Serial Number: JAD123456A
Export Compliant: NO
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Disabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 10000
AnyConnect Essentials : Disabled
Other VPN Peers : 10000
Total VPN Peers : 10000
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled

Shared License : Disabled
Total TLS Proxy Sessions : 10000
Cluster : Disabled
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 4
Carrier : Disabled
AnyConnect Premium Peers : 10000
AnyConnect Essentials : Disabled
Other VPN Peers : 10000
Total VPN Peers : 10000
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 10000
Cluster : Disabled

Register the standby ASA:

The result on standby ASA is that it is REGISTERED:

CLI verification on standby ASA:

ciscoasa/sec/stby# show license all
Smart Licensing Status
Smart Licensing is ENABLED
Registration:
  Status: REGISTERED
  Smart Account: Cisco Systems, Inc.
  Virtual Account: NGFW
  Export-Controlled Functionality: Allowed
  Initial Registration: SUCCEEDED on Nov 25 2020 17:06:51 UTC
  Last Renewal Attempt: None
  Next Renewal Attempt: May 24 2021 17:06:51 UTC
  Registration Expires: Nov 25 2021 17:01:47 UTC
License Authorization:
  Status: AUTHORIZED on Nov 25 2020 17:07:28 UTC
  Last Communication Attempt: SUCCEEDED on Nov 25 2020 17:07:28 UTC
  Next Communication Attempt: Dec 25 2020 17:07:28 UTC
  Communication Deadline: Feb 23 2021 17:02:15 UTC
Utility:
  Status: DISABLED
Data Privacy:
  Sending Hostname: yes
  Callhome hostname privacy: DISABLED
  Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED
Transport:
  Type: Callhome
License Usage

No licenses in use
Product Information
UDI: PID:FPR-2140,SN:JAD123456AX
Agent Version
Smart Agent for Licensing: 4.3.6 rel/38
ciscoasa/sec/stby# show license feature
Serial Number: JAD123456A
Export Compliant: YES
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 10000
AnyConnect Essentials : Disabled
Other VPN Peers : 10000
Total VPN Peers : 10000
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 10000
Cluster : Disabled
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 4
Carrier : Disabled
AnyConnect Premium Peers : 10000
AnyConnect Essentials : Disabled
Other VPN Peers : 10000
Total VPN Peers : 10000
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 10000
Cluster : Disabled

ASA Cluster

If the devices have a license mismatch then the cluster is not formed:

Cluster unit unit-1-1 transitioned from DISABLED to MASTER
New cluster member unit-2-1 rejected due to encryption license mismatch

A successful cluster setup:

asa(config)# cluster group GROUP1
asa(cfg-cluster)# enable
Removed all entitlements except per-unit entitlement configuration before joining cluster as slave unit.
Detected Cluster Master.
Beginning configuration replication from Master.
Cryptochecksum (changed): ede485ad d7fb9644 2847deaf ba16830b
End configuration replication from Master.

Cluster Master:

asa# show cluster info | i state
This is "unit-1-1" in state MASTER
Unit "unit-2-1" in state SLAVE
asa# show license all
Smart licensing enabled: Yes
Compliance status: In compliance
Overall licensed status: Authorized (3)
Entitlement(s):
Feature tier:
Tag: regid.2015-10.com.cisco.FIREPOWER 4100 ASA STANDARD,1.0 7d7f5ee2-1398-4b0e-acedb3f7fb1cacfc
Version: 1.0
Enforcement mode: Authorized
Handle: 2
Requested time: Mon, 10 Aug 2020 08:12:38 UTC
Requested count: 1
Request status: Complete
Serial Number: FCH12345ABC
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces: Unlimited
Maximum VLANs: 1024
Inside Hosts: Unlimited
Failover: Active/Active
Encryption-DES: Enabled
Encryption-3DES-AES: Enabled
Security Contexts: 10
Carrier: Disabled
AnyConnect Premium Peers: 20000
AnyConnect Essentials: Disabled
Other VPN Peers: 20000
Total VPN Peers: 20000
AnyConnect for Mobile: Enabled
AnyConnect for Cisco VPN Phone: Enabled

Advanced Endpoint Assessment
Shared License
Total TLS Proxy
over cluster licensed features for this platform:
Maximum Physical Interfaces: Unlimited
Maximum VLANs: 1024
Inside Hosts: Unlimited
Failover: Active/Active
Encryption-DES: Enabled
Encryption-3DES-AES: Enabled
Security Contexts: 20
Carrier: Disabled
AnyConnect Premium Peers: 20000
AnyConnect Essentials: Disabled
Other VPN Peers: 20000
Total VPN Peers: 20000
AnyConnect for Mobile: Enabled
AnyConnect for Cisco VPN Phone: Enabled
Advanced Endpoint Assessment: Enabled
Shared License: Disabled
Total TLS Proxy Sessions: 15000
Cluster: Enabled

Cluster Slave:

asa# show cluster info | i state
This is "unit-2-1" in state SLAVE
Unit "unit-1-1" in state MASTER
asa# show license all
Smart licensing enabled: Yes
Compliance status: In compliance
Overall licensed status: Authorized (3)
Entitlement(s):
Strong encryption:
Tag: regid.2015-10.com.cisco.FIREPOWER 4100 ASA ENCRYPTION,1.0 052986db-c5ad-40da-97b1ee0438d3b2c9
Version: 1.0
Enforcement mode: Authorized
Handle: 3
Requested time: Mon, 10 Aug 2020 07:29:45 UTC
Requested count: 1
Request status: Complete
Serial Number: FCH12345A6B
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces: Unlimited
Maximum VLANs: 1024
Inside Hosts: Unlimited
Failover: Active/Active
Encryption-DES: Enabled
Encryption-3DES-AES: Enabled
Security Contexts: 10

Carrier
AnyConnect Premium Peers
AnyConnect Essentials
Other VPN Peers
Total VPN Peers
AnyConnect for Mobile
AnyConnect for Cisco VPN Phone
Advanced Endpoint Assessment
Shared License
Total TLS Proxy
ilover cluster licensed features for this platform:
Maximum Physical Interfaces: Unlimited
Maximum VLANs: 1024
Inside Hosts: Unlimited
Failover: Active/Active
Encryption-DES: Enabled
Encryption-3DES-AES: Enabled
Security Contexts: 20
Carrier: Disabled
AnyConnect Premium Peers: 20000
AnyConnect Essentials: Disabled
Other VPN Peers: 20000
Total VPN Peers: 20000
AnyConnect for Mobile: Enabled
AnyConnect for Cisco VPN Phone: Enabled
Advanced Endpoint Assessment: Enabled
Shared License: Disabled
Total TLS Proxy Sessions: 15000
Cluster: Enabled

Verification & Debugging

Chassis (MIO) Summary of Verification Commands

FPR4125# show license all
FPR4125# show license techsupport
FPR4125# scope monitoring
FPR4125 /monitoring # scope callhome
FPR4125 /monitoring/callhome # show expand
FPR4125# scope system
FPR4125 /system # scope services
FPR4125 /system/services # show dns
FPR4125 /system/services # show ntp-server
FPR4125# scope security
FPR4125 /security # show trustpoint
FPR4125# show clock
FPR4125# show timezone
FPR4125# show license usage

Configuration Verification

FPR4125-1# scope system
FPR4125-1 /system # scope services
FPR4125-1 /system/services # show configuration

ASA Summary of Verification Commands

asa# show run license

asa# show license all
asa# show license entitlement
asa# show license features
asa# show tech-support license
asa# debug license 255

Chassis (MIO) Sample Outputs of Verification Commands

FPR4125-1# show license all
Smart Licensing Status
Smart Licensing is ENABLED
Registration:
  Status: REGISTERED
  Smart Account: TAC Cisco Systems, Inc.
  Virtual Account: EU TAC
  Export-Controlled Functionality: ALLOWED
  Initial Registration: SUCCEEDED on Dec 10 2018 23:30:02 UTC
  Last Renewal Attempt: SUCCEEDED on Mar 12 2020 23:16:11 UTC
  Next Renewal Attempt: Sep 08 2020 23:16:10 UTC
  Registration Expires: Mar 12 2021 23:11:09 UTC
License Authorization:
  Status: AUTHORIZED on Aug 04 2020 07:58:46 UTC
  Last Communication Attempt: SUCCEEDED on Aug 04 2020 07:58:46 UTC
  Next Communication Attempt: Sep 03 2020 07:58:45 UTC
  Communication Deadline: Nov 02 2020 07:53:44 UTC
License Conversion:
  Automatic Conversion Enabled: True
  Status: Not started
Export Authorization Key:
  Features Authorized: none
Utility:
  Status: DISABLED
Data Privacy:
  Sending Hostname: yes
  Callhome hostname privacy: DISABLED
  Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED
Transport:
  Type: Callhome
License Usage
Firepower 4100 ASA Standard (FIREPOWER 4100 ASA STANDARD):
  Description: Firepower 4100 ASA Standard
  Count: 1
  Version: 1.0
  Status: AUTHORIZED
  Export status: NOT RESTRICTED
Product Information

UDI: PID:FPR-4125-SUP,SN:JAD12345678
Agent Version
Smart Agent for Licensing: 4.6.9 rel/104
Reservation Info
License reservation: DISABLED
FPR4125-1# scope monitoring
FPR4125-1 /monitoring # scope callhome
FPR4125-1 /monitoring/callhome # show expand
Callhome:
  Admin State: Off
  Throttling State: On
  Contact Information:
  Customer Contact Email:
  From Email:
  Reply To Email:
  Phone Contact e.g., 1-011-408-555-1212:
  Street Address:
  Contract Id:
  Customer Id:
  Site Id:
  Switch Priority: Debugging
  Enable/Disable HTTP/HTTPS Proxy: Off
  HTTP/HTTPS Proxy Server Address:
  HTTP/HTTPS Proxy Server Port: 80
  SMTP Server Address:
  SMTP Server Port: 25
Anonymous Reporting:
  Admin State
  ----------
  Off
Callhome periodic system inventory:
  Send periodically: Off
  Interval days: 30
  Hour of day to send: 0
  Minute of hour: 0
  Time last sent: Never
  Next scheduled: Never
Destination Profile:
  Name: full txt
  Level: Warning
  Alert Groups: All,Cisco Tac,Diagnostic,Environmental
  Max Size: 5000000
  Format: Full Txt
  Reporting: Smart Call Home Data

  Name: short txt
  Level: Warning
  Alert Groups: All,Cisco Tac,Diagnostic,Environmental
  Max Size: 5000000
  Format: Short Txt
  Reporting: Smart Call Home Data

  Name: SLProfile

  Level: Normal
  Alert Groups: Smart License
  Max Size: 5000000
  Format: Xml
  Reporting: Smart License Data
  Destination:
  Name Transport Protocol Email or HTTP/HTTPS URL Address
  ---------- ------------------ ------------------------------
  SLDest Https /DDCEService
FPR4125-1# scope system
FPR4125-1 /system # scope services
FPR4125-1 /system/services # show dns
Domain Name Servers:
IP Address: 172.16.200.100
FPR4125-1 /system/services # show ntp-server
NTP server .108.14
172.18.108.15
FPR4125-1# scope security
FPR4125-1 /security # show trustpoint
Trustpoint Name: CHdefault
Trustpoint certificate chain: -----BEGIN CERTIFICATE----MIIFtzCCA5 k0x 8eOx79 Rj1QqCyXBJhnEUhAFZdWCEOrCMc0u-----END CERTIFICATE----
Cert Status: Valid
Trustpoint Name: CiscoLicRoot
Trustpoint certificate chain: -----BEGIN BAQsFADAyMQ4wDAYDVQQKEwVDaXNj QYYWqUCT4ElNEKt1J hvc5MuNbWIYv2uAnUVb3GbsvDWl99/KA -----END CERTIFICATE----
Cert Status: Valid
Trustpoint Name: CSCO2099SUDI
Trustpoint certificate chain: -----BEGIN GCSqGSIb3DQEBCwUAMC0xDjAMBgNV PKkmBlNQ9hQcNM3CSzVvEAK0CCEo/NJ/xzZ6WX1/f8Df1eXbFg -----END CERTIFICATE----
Cert Status: Valid
Trustpoint Name: CSCOBA2099SUDI
Trustpoint certificate chain: -----BEGIN GCSqGSIb3DQEBCwUAMD0xDjAMBgNV b/JPEAZkbji0RQTWLyfR82LWFLo0-----END CERTIFICATE----
Cert Status: Valid
FPR4125-1# show clock
Tue Aug 4 09:55:50 UTC 2020
FPR4125-1# show timezone
Timezone:
FPR4125-1# scope system
Time Sync Status
---------------
Unreachable Or Invalid Ntp
Time Synchronized
Candidate

FPR4125-1 /system # scope services
FPR4125-1 /system/services # show configuration
scope services
    create ssh-server host-key rsa
    delete ssh-server host-key ecdsa
    disable ntp-authentication
    disable telnet-server
    enable https
    enable ssh-server
    enter dns 173.38.200.100
    enter ip-block 0.0.0.0 0 https
    exit
    enter ip-block 0.0.0.0 0 ssh
    exit
    enter ntp-server 10.62.148.75
        set ntp-sha1-key-id 0
!       set ntp-sha1-key-string
    exit
    enter ntp-server 172.18.108.14
        set ntp-sha1-key-id 0
!       set ntp-sha1-key-string
    exit
    enter ntp-server 172.18.108.15
        set ntp-sha1-key-id 0
!       set ntp-sha1-key-string
    exit
    scope shell-session-limits
        set per-user 32
        set total 32
    exit
    scope telemetry
        disable
    exit
    scope web-session-limits
        set per-user 32
        set total 256
    exit
    set domain-name ""
    set https auth-type cred-auth
    set https cipher-suite A: HIGH: EXP"
    set https cipher-suite-mode high-strength
    set https crl-mode strict
    set https keyring default
    set https port 443
    set ssh-server host-key ecdsa secp256r1
    set ssh-server host-key rsa 2048
    set ssh-server kex-algorithm diffie-hellman-group14-sha1
    set ssh-server mac-algorithm hmac-sha1 hmac-sha2-256 hmac-sha2-512
    set ssh-server encrypt-algorithm aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr chacha20-poly1305 openssh com
    set ssh-server rekey-limit volume none time none
    set ssh-client kex-algorithm diffie-hellman-group14-sha1
    set ssh-client mac-algorithm hmac-sha1 hmac-sha2-256 hmac-sha2-512
    set ssh-client encrypt-algorithm aes128-ctr aes192-ctr aes256-ctr
    set ssh-client rekey-limit volume none time none
    set ssh-client stricthostkeycheck disable
    set timezone ""
exit
FPR4125-1# show license usage

License Authorization:
  Status: AUTHORIZED on Aug 04 2020 07:58:46 UTC
Firepower 4100 ASA Standard (FIREPOWER 4100 ASA STANDARD):
  Description: Firepower 4100 ASA Standard
  Count: 1
  Version: 1.0
  Status: AUTHORIZED
  Export status: NOT RESTRICTED

ASA Sample Outputs of Verification Commands

asa# show run license
license smart
feature tier standard
asa# show license all
Smart licensing enabled: Yes
Compliance status: In compliance
Overall licensed status: Authorized (3)
Entitlement(s):
Feature tier:
Tag: regid.2015-10.com.cisco.FIREPOWER 4100 ASA STANDARD,1.0 7d7f5ee2-1398-4b0e-acedb3f7fb1cacfc
Version: 1.0
Enforcement mode: Authorized
Handle: 1
Requested time: Tue, 04 Aug 2020 07:58:13 UTC
Requested count: 1
Request status: Complete
Serial Number: FCH12345ABC
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces: Unlimited
Maximum VLANs: 1024
Inside Hosts: Unlimited
Failover: Active/Active
Encryption-DES: Enabled
Encryption-3DES-AES: Enabled
Security Contexts: 10
Carrier: Disabled
AnyConnect Premium Peers: 20000
AnyConnect Essentials: Disabled
Other VPN Peers: 20000
Total VPN Peers: 20000
AnyConnect for Mobile: Enabled
AnyConnect for Cisco VPN Phone: Enabled
Advanced Endpoint Assessment: Enabled
Shared License: Disabled
Total TLS Proxy Sessions: 15000
Cluster: Enabled
asa# show license entitlement

Entitlement(s):
Feature tier:
Tag: regid.2015-10.com.cisco.FIREPOWER 4100 ASA STANDARD,1.0 7d7f5ee2-1398-4b0e-acedb3f7fb1cacfc
Version: 1.0
Enforcement mode: Authorized
Handle: 1
Requested time: Tue, 04 Aug 2020 07:58:13 UTC
Requested count: 1
Request status: Complete
asa# show license features
Serial Number: FCH12345ABC
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces: Unlimited
Maximum VLANs: 1024
Inside Hosts: Unlimited
Failover: Active/Active
Encryption-DES: Enabled
Encryption-3DES-AES: Enabled
Security Contexts: 10
Carrier: Disabled
AnyConnect Premium Peers: 20000
AnyConnect Essentials: Disabled
Other VPN Peers: 20000
Total VPN Peers: 20000
AnyConnect for Mobile: Enabled
AnyConnect for Cisco VPN Phone: Enabled
Advanced Endpoint Assessment: Enabled
Shared License: Disabled
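
Added example (not part of the original Cisco document): a Python check that parses "show license features" output collected from two HA or cluster peers and reports per-unit differences, such as the Encryption-3DES-AES and Export Compliant values shown above for the unregistered standby ASA. The sample outputs are constructed and trimmed from the layout in this document; the function names are illustrative.

```python
import re

# Constructed samples, trimmed from the "show license features" layout shown above.
PRIMARY = """\
ciscoasa/pri/act# show license features
Serial Number: JAD12345ABC
Export Compliant: YES
License mode: Smart Licensing
Licensed features for this platform:
Maximum VLANs : 1024
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Failover cluster licensed features for this platform:
Maximum VLANs : 1024
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 4
"""

STANDBY_UNREGISTERED = """\
ciscoasa/sec/stby# show license features
Serial Number: JAD123456A
Export Compliant: NO
License mode: Smart Licensing
Licensed features for this platform:
Maximum VLANs : 1024
Encryption-DES : Enabled
Encryption-3DES-AES : Disabled
Security Contexts : 2
Failover cluster licensed features for this platform:
Maximum VLANs : 1024
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 4
"""

SECTIONS = {
    "Licensed features for this platform:": "platform",
    "Failover cluster licensed features for this platform:": "failover_cluster",
}
# Accepts both "Key: Value" and "Key : Value"; '#' is excluded so prompts never match.
KEY_VALUE = re.compile(r"^([^:#]+?)\s*:\s*(\S.*)$")


def parse_license_features(text):
    """Split the output into header, per-unit and failover-cluster key/value maps."""
    parsed = {"header": {}, "platform": {}, "failover_cluster": {}}
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = SECTIONS[line]
            continue
        match = KEY_VALUE.match(line)
        if match:  # prompts, banners and blank lines do not match and are skipped
            parsed[section][match.group(1)] = match.group(2).strip()
    return parsed


def compare_units(text_a, text_b):
    """Return findings for export compliance and per-unit feature differences."""
    units = [parse_license_features(t) for t in (text_a, text_b)]
    findings = []
    for unit in units:
        serial = unit["header"].get("Serial Number", "unknown")
        # "Export Compliant" is not printed on every platform; absent means no finding.
        if unit["header"].get("Export Compliant", "").upper() == "NO":
            findings.append(f"{serial}: Export Compliant is NO")
    a, b = (u["platform"] for u in units)
    for feature in sorted(set(a) | set(b)):
        if a.get(feature) != b.get(feature):
            findings.append(f"{feature}: {a.get(feature)} vs {b.get(feature)}")
    return findings


def aggregate_masks_mismatch(text_a, text_b):
    """True when the failover-cluster sections agree although per-unit sections differ."""
    a, b = parse_license_features(text_a), parse_license_features(text_b)
    return a["failover_cluster"] == b["failover_cluster"] and a["platform"] != b["platform"]


if __name__ == "__main__":
    for finding in compare_units(PRIMARY, STANDBY_UNREGISTERED):
        print(finding)
```

The comparison reads the per-unit section on purpose: in the outputs above the failover cluster section already shows Encryption-3DES-AES as Enabled on the standby unit while its own per-unit value is still Disabled.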
