KB ID 0001672
So we have unboxed and setup our Firepower 1010 device, simply logging into the ASDM fires off warnings that it’s only running DES and I need to register the unit go get any decent level of encryption, (seriously why is 3DES still an ‘add on’ licence, who is still doing 56bit encryption!)
So let’s get is registered and licenced.
The ‘Licence Envelope’ in the box is simply instructions on setting up a Cisco Smart Account. I already have one of those. If you don’t you will first need to setup a Cisco CCO logon account, (this is free, and you need to log into any of the Cisco Sites). Once you have that sorted you can go to https://software.cisco.com/ and request a Smart Licence (again this is free, it involves some email exchanges).
Now ‘What I do‘ is then create a ‘Virtual account‘ in that Smart account, what you use these for is up to you, but if you want to share the licensing e.g. with your colleagues or employer, then you can do so without giving them access to all your Cisco licences etc. Go back to Software central and select under Administration > Manage Smart Account (normally you just go to Smart Software Licensing).
Creating a Cisco Smart Account ‘Virtual Account’
Virtual Accounts > New Virtual Account > Give it a name and description > Set Access Level ‘Public’ > Next
Give it a name and description > Set Access Level ‘Public’ > Next.
Assign any users that you want to give access to, (you can revisit this later) > Next.
Review the settings > Create Virtual Account.
Register a Cisco FirePower 1010 With Cisco
OK, Cisco Say you need the licences to exist in your Smart account before you licence the hardware, they also say that;
Standard license—L-FPR1000-ASA=. The Standard license is free, but you still need to add it to your Smart Software Licensing account.
Security Plus license—L-FPR1010-SEC-PL=. The Security Plus license enables failover.
Strong Encryption (3DES/AES) license—L-FPR1K-ENC-K9=. This license is free. Although this license is not generally required (for example, ASA’s that use older Satellite Server versions (pre-2.3.0) require this license), you should still add it to your account for tracking purposes.
So I opened a call with Cisco, and was told;
L-FPR1000-ASA= license usually comes with the device and it’s free, however it has to be under a sales order in order for us to provision it into the account.As for L-FPR1K-ENC-K9 license it is not free and if you need that licenses please provide a Order under which the license is purchased.
Now getting that sales order number was a chore! I had to get it from the Disti that my company purchased the hardware from, after many emails I finally sent them the order only to be told;
Please be informed that this is a disti stocking SO. A disti stocking SO contains products and licenses that may be owned by multiple end customers.Hence, we do not get a link to assign disti stocking SOs to an end customer smart account in CCW. Also, the licenses associated with a disti stocking SO will get provisioned once the end customer registers the device on his/her respective smart account. So please ask the customer to register the devices owned by them on their smart account and the licenses will be automatically provisioned to the smart account. If, after the devices have been registered, the licenses do not get provisioned, then please revert and we will investigate the request.
So here’s what your Smart Licence Virtual Account SHOULD LOOK LIKE before you start;
How To Register a Firepower Appliance
Within your virtual account create a ‘New Token’ > Give it a description > New Token.
Copy it to the clipboard.
You need to have Smart Call-Home enabled On your FirePower 1010 First: Configuration > Device Management > Smart Call-Home > Turn it on and provide and email address > Check the Cisco TAC option > Apply.
Configuration > Device Management > Licensing > Smart Licensing > Enable Smart Licences. >Register > Paste your token in > Register.
Go and put the kettle on > After a few minutes, refresh and it should say registered.
Back in smart Licensing portal It should now look like this;
If it looks like this, then either you licence was not there to begin with, or was under a different Virtual Account!
So either documentation is wrong, or I’ve been given incorrect information by Cisco. Either way I’m not looking forward to negotiating this ‘bag of spanners’ every-time I have to install or deploy one of these!
Next Step: Cisco Firepower 1010 Configuration
Related Articles, References, Credits, or External Links
had a similar issue (im using the FTD image on the FPR1010) all the licensing seems to get lost in SA land somewhere, eventually had to open a TAC to get the appropriate licences added to the correct Customer SA account (which I have) as it wasn’t showing in Dist SA account (also which I have), still took a few days to resolve
I feel your pain Pete! I’ve been hating this process for years now – since I first installed an ASA-imaged Firepower 2100 series. Multiple feedback to Cisco – online, in person at Cisco Live and even as a UX tester for Smart Licensing hasn’t resulted in any improvement.
Hi Marvin, I’ve stuck with ‘traditional licensing’ wherever I could, but I have to accept it’s a thing of the past. Bottom line is if you try and link licensing with order process, the thing falls over, end users know nothing about Order numbers, and Different Disti’s have different processes. If a licence is ‘Free’ then you should be able to add it without involving TAC? The first response licensing guys are not really any help they have to escalate everything anyway, they just slow the process down. Also the documentation is quite simply ‘wrong’ which does not help 🙁
I’ve had my battles too with Cisco licensing, what a bloody nightmare. I thought replacing our Cisco Cluster (Hosted Environment) and getting everything configured would be the hardest part but no, it was getting it all licensed was what the real challenge was
Two FPR-1120 FTD reimaged to run ASA, in a heartbeat, only to hit a wall with licensing.
FTD registers using the chassis serial number, ASA registers using MoBo serial number so you find yourself out of compliance with ASA Stdr. license, Context and 3DES encryption.
– Call (chat didn’t work) licensing support to have them add Cisco Firepower 1000 Standard ASA Licenses.
– ASDM Smart Licensing screen defaults to 2 contexts. This actually means additional contexts and registers the device with 4 contexts instead.
I used ASDM to avoid issues when pasting the registration token via console. Reconfigured context to 2 via CLI. ASDM does not allow 0 as a value so do the math.
– 3DES… there is a self service tool for that but it does not work for Smart Licensed devices(?), you need to contact your reseller and have them order these for you at no cost. Request has to come from reseller.
Cisco online documentation only mentions “be sure to unregister the device from the Smart Software Licensing server”, that’s it.
I hope this can save someone the +4 hours I’ve wasted on the phone with Cisco, and I feel I’m not done yet.
Thanks for info Daniel!
Great guide. Might be worth a mention that you need to have “dns name-server” command set otherwise it’ll never register. Figured that out after an hour or two of pain. Failure code is generic.
Brand new FP1010. Upgrade to 9.14.2 fine. I don’t have my ASA standard license in the portal. I go ahead and register the device. I notice it enabled the 3DES-AES feature. If unregister the device it’s still enabled. Ok….
I register it again and then I enable smart-license feature and set to standard tier. It accepts but I have a -1 balance in the portal.
Can this be anymore of a cluster than this! Have ticket open with TAC and my reseller is worthless.
I agree, in this day an age as well!
Follow up on this. I received the response from TAC that the license should auto populate after I registered the device in my Smart account. After showing them it wasn’t they did fix it and populated the license.
It does seem like Cisco is taking customer feedback on Smart Licensing. They made these changes https://community.cisco.com/t5/cisco-software-documents/new-deployment-method-for-smart-licensing/ta-p/4167670
Maybe this will flow to the Firepower line.
Thank you for taking the time to post this Pete. As with your previous posts, very well documented and accurate. A great resource
Thanks Rick 🙂
Wish I would have found this article yesterday. Getting a 3DES “traditional” license used to be so easy. I’m waiting for a response from my seller (L-FPR1K-ENC-K9= is actually listed as a product they sell but the price says “Get a quote”) Reseller also sold us old PAK VPN licenses which would not convert to Smart without Cisco’s help.
Now that they are in my Smart License inventory, how do I apply those to the ASA 1010? The ASA is already registered. Do I revoke it a make a new token? I would have thought there would be a way to “push” the licenses to the ASA or tell the ASA to go fetch any licenses waiting in the inventory.
Does the Standard License allow you to use this device for a Site-to-Site VPN? Or is there an additional license required?
Yes, basic will let you create site to site VPNs, though you need the 3DES licence for any decent strength encryption though.
If I want to do VLAN Trunking on a FP 1010, is that available with the base license? or do I need the equivalent of a Security Plus License like what’s needed on an ASA 5505?
If you look at “Cisco ASA Series General Operations CLI Configuration Guide, 9.8” the 1000 series is not mentioned at all!