Cisco ASA 5500 – Adding Licenses

KB ID 0000531 Dtd 10/11/11

Problem

Each model in the Cisco ASA 5500 range comes with a range of licences and features, to add these features you can purchase them from a Cisco reseller. You will then need to apply the licence to the device.

Solution

1. Your first step is to purchase the Licence you require from an authorised cisco reseller.

2. When your licence arrives you need to locate the PAK that is on the certificate.

Cisco PAK

3. You need the Serial number of the ASA 5500, to get this either look on the chassis of the device or issue a "show version" command.

PetesASA# show version
 
 Cisco Adaptive Security Appliance Software Version 8.0(3)
 Device Manager Version 6.1(3)
 
 Compiled on Tue 06-Nov-07 22:59 by builders
 System image file is "disk0:/asa803-k8.bin"
 Config file at boot was "startup-config"
 
 PetesASA up 5 days 17 hours
 
 Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
 Internal ATA Compact Flash, 256MB
 BIOS Flash M50FW080 @ 0xffe00000, 1024KB
 
 Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
 Boot microcode : CN1000-MC-BOOT-2.00
 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01
 IPSec microcode : Cnlite-MC-IPSECm-MAIN-2.04
 0: Ext: Ethernet0/0 : address is 001d.70df.3e28, irq 9
 1: Ext: Ethernet0/1 : address is 001d.70df.3e29, irq 9
 2: Ext: Ethernet0/2 : address is 001d.70df.3e2a, irq 9
 3: Ext: Ethernet0/3 : address is 001d.70df.3e2b, irq 9
 4: Ext: Management0/0 : address is 001d.70df.3e27, irq 11
 5: Int: Not used : irq 11
 6: Int: Not used : irq 5
 
 Licensed features for this platform:
 Maximum Physical Interfaces  : Unlimited
 Maximum VLANs                : 100
 Inside Hosts                 : Unlimited
 Failover                     : Active/Active
 VPN-DES                      : Enabled
 VPN-3DES-AES                 : Enabled
 Security Contexts            : 2
 GTP/GPRS                     : Disabled
 VPN Peers                    : 250
 WebVPN Peers                 : 25
 AnyConnect for Mobile        : Disabled
 AnyConnect for Linksys phone : Disabled
 Advanced Endpoint Assessment : Disabled
 
 This platform has an ASA 5510 Security Plus license.
 
 Serial Number: JMX1234ABCD
 Running Activation Key: 0x5c385c4d 0xf8344dbb 0xac3161c8 0xaf983c24 0x88888888
 Configuration register is 0x1
 Configuration has not been modified since last system restart. 

4. So the one above has a serial Number of JMX1234ABCD.

5. Now you have the PAK and the serial number, you need to register them with Cisco Go here, login with a Cisco CCO account name. Enter the PAK Code > Submit.

Cisco PAK

6. Check the PAK details, and add more as required > Click "All Done".

7. Enter the Serial Number of the ASA and tick "I Agree.." > Enter/Check your details > Enter the Licensee details (If Different) > Continue.

8. Read the Summary > Submit > Wait for it to stop saying "Processing" > When complete it should "Go Green" and say Registration Complete.

Cisco PAK

9. If can take a little while for the licence to be emailed to you and USUALLY goes straight to Junk Mail (Thanks Microsoft, that's not funny!)

10. When the Licence comes in, the detail that you need is the activation key, it will look like....

dd12eb50 9e16d5bb 45b2a92c 78901838 44999999

11. You add this licence to the ASA with an "activation-key" command:

PetesASA> enable
 Password: ***********
 PetesASA# configure terminal
 PetesASA(config)# activation-key dd12eb50 9e16d5bb 45b2a92c 78901838 44999999
 
 Licensed features for this platform:
 Maximum Physical Interfaces   : Unlimited
 Maximum VLANs                 : 100
 Inside Hosts                  : Unlimited
 Failover                      : Active/Active
 VPN-DES                       : Enabled
 VPN-3DES-AES                  : Enabled
 Security Contexts             : 2
 GTP/GPRS                      : Disabled
 VPN Peers                     : 250
 WebVPN Peers                  : 50
 AnyConnect for Mobile         : Disabled
 AnyConnect for Linksys phone  : Disabled
 Advanced Endpoint Assessment  : Disabled
 
 This platform has an ASA 5510 Security Plus license.
 
 Both running and flash activation keys were updated with the requested key.
 PetesASA(config)#

12. That's the licence added.

Note: In the example above I added a licence to increase the web VPN peers from 25 to 50 (Which you can see if you compare the two pieces of code).

To add a Licence from the ASDM

1. Connect via ASDM.

2. Navigate to > Configuration > Device Management > Licensing > Activation Key > Paste in the new activation key > Update Activation Key.

Cisco ASDM adding licences

Related Articles, References, Credits, or External Links

Cisco Catalyst Switches - Adding Licenses

 

Author: Migrated

Share This Post On