Cisco ASA: “Wrong Serial Number?”

KB ID 0001530

Problem

Cisco have done this for a while; the first time I saw it was years ago on a 5585, but all the NGFW models now have a ‘Serial Number’ and a ‘Chassis Serial Number’. Normally you don’t care unless you need to log a TAC call online. So you issue a ‘show version’ command, take a note of the serial number, and then it says there’s no record of that serial number?

Solution

Just to be clear

SmartNets are registered to the Chassis Serial Number, this is NOT the serial number shown with a ‘show version‘ command.

Software (e.g. AnyConnect) is licensed to the Serial Number that IS shown with a ‘show version‘ command.

As a general rule, Cisco ASA chassis serial numbers start with JMX, and the serial numbers shown by ‘show version’ start with JAD.

How to Locate the Cisco ASA ‘Chassis Serial Number’

Well it’s printed on the chassis of course, but if it’s in a rack or a thousand miles away, that’s not much help! To get it remotely you use the ‘show inventory’ command;

Petes-ASA# show inventory
Name: "Chassis", DESCR: "ASA 5516-X with FirePOWER services, 8GE, AC, DES"
PID: ASA5516           , VID: V05     , SN: JMX1234ABCD

Name: "Storage Device 1", DESCR: "ASA 5516-X SSD"
PID: ASA5516-SSD       , VID: N/A     , SN: MSA21470XXX

Petes-ASA#

How to Locate the Cisco ASA ‘Serial Number’

Same as with the old 5500 series firewalls (and the PIX), use a ‘show version’ command.

Petes-ASA# show version

Cisco Adaptive Security Appliance Software Version 9.8(2)24
Firepower Extensible Operating System Version 2.2(2.75)
Device Manager Version 7.8(2)151

Compiled on Thu 01-Mar-18 20:21 PST by builders
System image file is "disk0:/asa982-24-lfbff-k8.SPA"
Config file at boot was "startup-config"

Petes-ASA up 146 days 1 hour
failover cluster up 146 days 1 hour

Hardware:   ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Number of accelerators: 1

 1: Ext: GigabitEthernet1/1  : address is 00a7.42e1.6ed6, irq 255
 2: Ext: GigabitEthernet1/2  : address is 00a7.42e1.6ed7, irq 255
 3: Ext: GigabitEthernet1/3  : address is 00a7.42e1.6ed8, irq 255
 4: Ext: GigabitEthernet1/4  : address is 00a7.42e1.6ed9, irq 255
 5: Ext: GigabitEthernet1/5  : address is 00a7.42e1.6eda, irq 255
 6: Ext: GigabitEthernet1/6  : address is 00a7.42e1.6edb, irq 255
 7: Ext: GigabitEthernet1/7  : address is 00a7.42e1.6edc, irq 255
 8: Ext: GigabitEthernet1/8  : address is 00a7.42e1.6edd, irq 255
 9: Int: Internal-Data1/1    : address is 00a7.42e1.6ed5, irq 255
10: Int: Internal-Data1/2    : address is 0000.0001.0002, irq 0
11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
12: Int: Internal-Data1/3    : address is 0000.0001.0003, irq 0
13: Ext: Management1/1       : address is 00a7.42e1.6ed5, irq 0
14: Int: Internal-Data1/4    : address is 0000.0100.0001, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 4              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 300            perpetual
Total VPN Peers                   : 300            perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 1000           perpetual
Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual
VPN Load Balancing                : Enabled        perpetual


Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 4              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 8              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 300            perpetual
Total VPN Peers                   : 300            perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 1000           perpetual
Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Enabled        perpetual
VPN Load Balancing                : Enabled        perpetual

The Running Activation Key feature: 2000 TLS Proxy sessions exceed the limit on the platform, reduced to 1000 TLS Proxy sessions.

Serial Number: JAD1234ABCD
Running Permanent Activation Key: 0x0037exxx 0x482ffyyy 0x04718yyy 0xaad48xxx 0x49343xxx
Configuration register is 0x1
Image type                : Release
Key Version               : A
Configuration last modified by PeteLong at 13:50:02.750 GMT Tue Mar 26 2019

Petes-ASA#
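If you track these in an asset inventory, both values can be pulled out of saved command output. The following is an added example, not part of the original article: the function names are hypothetical, and the sample text is constructed by trimming the two listings above.

```python
import re

# Constructed sample output, trimmed from the listings in this article.
SHOW_INVENTORY = """\
Name: "Chassis", DESCR: "ASA 5516-X with FirePOWER services, 8GE, AC, DES"
PID: ASA5516           , VID: V05     , SN: JMX1234ABCD

Name: "Storage Device 1", DESCR: "ASA 5516-X SSD"
PID: ASA5516-SSD       , VID: N/A     , SN: MSA21470XXX
"""
SHOW_VERSION = """\
Hardware:   ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
Serial Number: JAD1234ABCD
Configuration register is 0x1
"""

def parse_inventory(text):
    """Map each 'show inventory' Name to its SN (Name line, then PID/VID/SN line)."""
    serials, name = {}, None
    for line in text.splitlines():
        m = re.match(r'\s*Name:\s*"([^"]*)"', line)
        if m:
            name = m.group(1)
            continue
        m = re.search(r'\bSN:\s*(\S+)', line)
        if m and name is not None:
            serials[name] = m.group(1)
            name = None
    return serials

def parse_version_serial(text):
    """Return the 'Serial Number:' value from 'show version', or None."""
    m = re.search(r'^\s*Serial Number:\s*(\S+)', text, re.MULTILINE)
    return m.group(1) if m else None

def asa_serials(inventory_text, version_text):
    """Return both serials, keyed by what the article says each is used for."""
    chassis = parse_inventory(inventory_text).get("Chassis")
    software = parse_version_serial(version_text)
    warnings = []
    # The JMX/JAD prefixes are the article's "general rule", so only warn.
    if chassis is None:
        warnings.append("no Chassis entry in show inventory")
    elif not chassis.startswith("JMX"):
        warnings.append("chassis serial does not start with JMX")
    if software is None:
        warnings.append("no Serial Number line in show version")
    elif not software.startswith("JAD"):
        warnings.append("show version serial does not start with JAD")
    return {"smartnet_tac": chassis, "licensing": software, "warnings": warnings}

if __name__ == "__main__":
    print(asa_serials(SHOW_INVENTORY, SHOW_VERSION))
```

A non-empty `warnings` list usually means the wrong command output was pasted in, or only one of the two captures was saved.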

Related Articles, References, Credits, or External Links

NA

Author: PeteLong


6 Comments

  1. Hello,

    And to see the different serial numbers with 2 ASAs in failover?

    • In failover you can only see the serial numbers for the firewall you’re connecting to, remember, this does not have to be the ‘active’ firewall, you can connect to the ‘standby’ IP and query the standby firewall for its serial numbers independently 🙂

      • You could also use the “failover exec standby” command to execute (show) commands on the standby unit from the active unit’s CLI.

        For example: “failover exec standby show inventory”, which shows the inventory of the standby unit.

        • Great Point – Yes. 🙂

  2. It also seems to me, and may be worth pointing out, that it is the chassis serial number (JMX) which is listed on the outside of the firewall itself (and I believe the packing box).

    That said… is there any point in tracking the JAD serials in one’s inventory (assuming one is reduced to manually tracking such things)?
