Cisco Firepower 1010 Licensing

KB ID 0001672

Problem

So we have unboxed and set up our Firepower 1010 device. Simply logging into the ASDM fires off warnings that it’s only running DES and I need to register the unit to get any decent level of encryption (seriously, why is 3DES still an ‘add on’ licence, who is still doing 56bit encryption!)

So let’s get it registered and licenced.

Solution

The ‘Licence Envelope’ in the box is simply instructions on setting up a Cisco Smart Account. I already have one of those. If you don’t, you will first need to set up a Cisco CCO logon account (this is free, and you need it to log into any of the Cisco sites). Once you have that sorted you can go to https://software.cisco.com/ and request a Smart Licence (again this is free, it involves some email exchanges).

Now, what I do is then create a ‘Virtual Account’ in that Smart Account. What you use these for is up to you, but if you want to share the licensing, e.g. with your colleagues or employer, then you can do so without giving them access to all your Cisco licences etc. Go back to Software Central and select Administration > Manage Smart Account (normally you just go to Smart Software Licensing).

Creating a Cisco Smart Account ‘Virtual Account’

Virtual Accounts > New Virtual Account > Give it a name and description > Set Access Level ‘Public’  > Next


Assign any users that you want to give access to, (you can revisit this later) > Next.

Review the settings > Create Virtual Account.

Register a Cisco FirePower 1010 With Cisco

OK, Cisco say you need the licences to exist in your Smart Account before you licence the hardware. They also say that;

Standard license—L-FPR1000-ASA=. The Standard license is free, but you still need to add it to your Smart Software Licensing account.
Security Plus license—L-FPR1010-SEC-PL=. The Security Plus license enables failover.
Strong Encryption (3DES/AES) license—L-FPR1K-ENC-K9=. This license is free. Although this license is not generally required (for example, ASA’s that use older Satellite Server versions (pre-2.3.0) require this license), you should still add it to your account for tracking purposes.

Reference

So I opened a call with Cisco, and was told;

Hey Pete,
L-FPR1000-ASA= license usually comes with the device and it’s free, however it has to be under a sales order in order for us to provision it into the account. As for L-FPR1K-ENC-K9 license it is not free and if you need that license please provide an Order under which the license is purchased.

Now getting that sales order number was a chore! I had to get it from the Disti that my company purchased the hardware from, after many emails I finally sent them the order only to be told;

Hey Pete,
Please be informed that this is a disti stocking SO. A disti stocking SO contains products and licenses that may be owned by multiple end customers. Hence, we do not get a link to assign disti stocking SOs to an end customer smart account in CCW. Also, the licenses associated with a disti stocking SO will get provisioned once the end customer registers the device on his/her respective smart account. So please ask the customer to register the devices owned by them on their smart account and the licenses will be automatically provisioned to the smart account. If, after the devices have been registered, the licenses do not get provisioned, then please revert and we will investigate the request.

So here’s what your Smart Licence Virtual Account SHOULD LOOK LIKE before you start;

FirePOWER Licence Pre-Added

How To Register a Firepower Appliance

Within your virtual account create a ‘New Token’ > Give it a description > New Token.

Copy it to the clipboard.

You need to have Smart Call-Home enabled on your FirePower 1010 first: Configuration > Device Management > Smart Call-Home > Turn it on and provide an email address > Check the Cisco TAC option > Apply.

Configuration > Device Management > Licensing > Smart Licensing > Enable Smart Licences > Register > Paste your token in > Register.

Go and put the kettle on > After a few minutes, refresh and it should say registered.
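The same steps from the ASA CLI, as an added example that is not part of the original article. The interface name outside, the resolver address 192.0.2.53, the contact address and the token are placeholders. The DNS lines are there because the ASA has to resolve Cisco's licensing hostname before registration can succeed.

```cisco
! Added example: placeholders throughout, adjust to your own environment.
! Give the ASA a resolver so it can look up the licensing service.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53
!
! Smart Call-Home with a contact address and the Cisco TAC profile active.
service call-home
call-home
 contact-email-addr admin@example.com
 profile CiscoTAC-1
  active
!
! Request the Standard tier entitlement.
license smart
 feature tier standard
end
!
! Register with the token copied from the Virtual Account (privileged EXEC).
license smart register idtoken <TOKEN-FROM-VIRTUAL-ACCOUNT>
!
! Verify the registration state, then check whether 3DES/AES is enabled.
show license status
show version | include Encryption
```

The token lets any device register against the Virtual Account until it expires, so keep it out of tickets and saved console logs.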

 

Back in the Smart Licensing portal it should now look like this;

FirePOWER Licence In Use

If it looks like this, then either your licence was not there to begin with, or was under a different Virtual Account!

So either the documentation is wrong, or I’ve been given incorrect information by Cisco. Either way I’m not looking forward to negotiating this ‘bag of spanners’ every time I have to install or deploy one of these!

Next Step: Cisco Firepower 1010 Configuration


Author: PeteLong


20 Comments

  1. Had a similar issue (I’m using the FTD image on the FPR1010), all the licensing seems to get lost in SA land somewhere, eventually had to open a TAC to get the appropriate licences added to the correct Customer SA account (which I have) as it wasn’t showing in Dist SA account (also which I have), still took a few days to resolve
  2. I feel your pain Pete! I’ve been hating this process for years now – since I first installed an ASA-imaged Firepower 2100 series. Multiple feedback to Cisco – online, in person at Cisco Live and even as a UX tester for Smart Licensing hasn’t resulted in any improvement.

    • Hi Marvin, I’ve stuck with ‘traditional licensing’ wherever I could, but I have to accept it’s a thing of the past. Bottom line is if you try and link licensing with order process, the thing falls over, end users know nothing about Order numbers, and Different Disti’s have different processes. If a licence is ‘Free’ then you should be able to add it without involving TAC? The first response licensing guys are not really any help they have to escalate everything anyway, they just slow the process down. Also the documentation is quite simply ‘wrong’ which does not help 🙁

  3. I’ve had my battles too with Cisco licensing, what a bloody nightmare. I thought replacing our Cisco Cluster (Hosted Environment) and getting everything configured would be the hardest part but no, getting it all licensed was the real challenge
  4. Heads up?

    Two FPR-1120 FTD reimaged to run ASA, in a heartbeat, only to hit a wall with licensing.

    FTD registers using the chassis serial number, ASA registers using MoBo serial number so you find yourself out of compliance with ASA Stdr. license, Context and 3DES encryption.
    – Call (chat didn’t work) licensing support to have them add Cisco Firepower 1000 Standard ASA Licenses.
    – ASDM Smart Licensing screen defaults to 2 contexts. This actually means additional contexts and registers the device with 4 contexts instead.
    I used ASDM to avoid issues when pasting the registration token via console. Reconfigured context to 2 via CLI. ASDM does not allow 0 as a value so do the math.
    – 3DES… there is a self service tool for that but it does not work for Smart Licensed devices(?), you need to contact your reseller and have them order these for you at no cost. Request has to come from reseller.

    Cisco online documentation only mentions “be sure to unregister the device from the Smart Software Licensing server”, that’s it.
    https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html#task_vhy_5kc_sgb

    I hope this can save someone the +4 hours I’ve wasted on the phone with Cisco, and I feel I’m not done yet.

  5. Great guide. Might be worth a mention that you need to have “dns name-server” command set otherwise it’ll never register. Figured that out after an hour or two of pain. Failure code is generic.

  6. Brand new FP1010. Upgrade to 9.14.2 fine. I don’t have my ASA standard license in the portal. I go ahead and register the device. I notice it enabled the 3DES-AES feature. If I unregister the device it’s still enabled. Ok….

    I register it again and then I enable smart-license feature and set to standard tier. It accepts but I have a -1 balance in the portal.

    Can this be any more of a cluster than this! Have ticket open with TAC and my reseller is worthless.
  7. Thank you for taking the time to post this Pete. As with your previous posts, very well documented and accurate. A great resource

    • Wish I would have found this article yesterday. Getting a 3DES “traditional” license used to be so easy. I’m waiting for a response from my seller (L-FPR1K-ENC-K9= is actually listed as a product they sell but the price says “Get a quote”) Reseller also sold us old PAK VPN licenses which would not convert to Smart without Cisco’s help.

      Now that they are in my Smart License inventory, how do I apply those to the ASA 1010? The ASA is already registered. Do I revoke it and make a new token? I would have thought there would be a way to “push” the licenses to the ASA or tell the ASA to go fetch any licenses waiting in the inventory.
  8. Does the Standard License allow you to use this device for a Site-to-Site VPN? Or is there an additional license required?

    • Yes, basic will let you create site to site VPNs, though you need the 3DES licence for any decent strength encryption.
  9. If I want to do VLAN Trunking on a FP 1010, is that available with the base license? or do I need the equivalent of a Security Plus License like what’s needed on an ASA 5505?
    Thank you.

    • If you look at “Cisco ASA Series General Operations CLI Configuration Guide, 9.8” the 1000 series is not mentioned at all!

      P

  10. Pete, thank you for your work and I (we!) appreciate your postings.

    We continuously have the issue where the standard license is not available and we involve TAC to provision the license. I suspect this falls apart with different distributors not registering the product properly when sold. TAC has always resolved the issue.

    I am frustrated by the cisco SKUs. Traditionally an ASA (firmware) device with a K9 suffix included the strong encryption (3DES) license. On the FP1010-ASA-K9 (for instance) the K9 apparently means absolutely nothing.

    Anyone purchasing a FP device with ASA firmware (or FTD and reimaging to ASA) needs to ALSO order one of the following SKUs (at $0.00) – just needs to be included on a sales order from the seller so that it can be provisioned in smart licensing.

    1. Yes, these SHOULD be “free” SKUs (though nothing I suppose prevents a reseller from charging)
    2. Yes, if running ASA firmware and desire strong encryption (3DES/AES) you MUST have this SKU
    3. Plan on a two day delay if reimaging or upon initial purchase

    Here are the SKUs (the appropriate hardware should be obvious in the SKU)
    L-FPR1K-ENC-K9=
    L-FPR2K-ENC-K9=
    L-FPR3K-ENC-K9=
    L-FPR4K-ENC-K9=
    L-F9K-ASA-ENCR-K9=

    Cisco has dropped to the lowest operational SKU, but has continued to use the K9 identifier (inappropriately IMHO) as strong encryption “capable” vs included.

    If Cisco is going down the road of licensing each part – why not sell the chassis, the firmware, the encryption, the power cord, etc. all separately and ensure that distribution enforces the “kit” components. Right, that would be annoying. Somehow the strong encryption issue while maintaining the K9 suffix is OK.
  11. It seems like this is dependent on the ASA having access to the internet, what would you recommend for ASA which don’t have internet connectivity such as in the OT environments?

    • Honestly – Not sure – I’m supposing you would have to set it up and license it online, that does not explain subscription based licenses though 🙁
