Cisco ASA: “Wrong Serial Number?”

KB ID 0001530

Problem

Cisco have done this for a while, the first time I saw it was years ago on a 5585, but all the NGFW models now have a ‘Serial Number” and a “Chassis Serial Number”. Normally you don’t care unless you need to log a TAC call online. So you issue a show version command, take a note of the serial number, and then it says, there’s no record of that serial number?

Solution

Just to be clear

SmartNets are registered to the Chassis Serial Number, this is NOT the serial number shown with a ‘show version‘ command.

Software (e.g. AnyConnect) is licensed to the Serial Number that IS shown with a ‘show version‘ command.

As a general rule, Cisco ASA chassis serial numbers start with JMX, and the serial numbers start with JAD.

How to Locate the Cisco ASA ‘Chassis Serial Number’

Well it’s printed on the chassis of course, but if it’s in a rack or a thousand miles away, that’s not much help! To get it remotely you use the ‘show inventory’ command;

[box]

Petes-ASA# show inventory
Name: "Chassis", DESCR: "ASA 5516-X with FirePOWER services, 8GE, AC, DES"
PID: ASA5516           , VID: V05     , SN: JMX1234ABCD

Name: "Storage Device 1", DESCR: "ASA 5516-X SSD"
PID: ASA5516-SSD       , VID: N/A     , SN: MSA21470XXX

Petes-ASA#

[/box]

How to Locate the Cisco ASA ‘Serial Number’

Same as with the old 5500 series firewalls, (and the PIX) use a show version command.

[box]

Petes-ASA# show version

Cisco Adaptive Security Appliance Software Version 9.8(2)24
Firepower Extensible Operating System Version 2.2(2.75)
Device Manager Version 7.8(2)151

Compiled on Thu 01-Mar-18 20:21 PST by builders
System image file is "disk0:/asa982-24-lfbff-k8.SPA"
Config file at boot was "startup-config"

Petes-ASA up 146 days 1 hour
failover cluster up 146 days 1 hour

Hardware:   ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Number of accelerators: 1

 1: Ext: GigabitEthernet1/1  : address is 00a7.42e1.6ed6, irq 255
 2: Ext: GigabitEthernet1/2  : address is 00a7.42e1.6ed7, irq 255
 3: Ext: GigabitEthernet1/3  : address is 00a7.42e1.6ed8, irq 255
 4: Ext: GigabitEthernet1/4  : address is 00a7.42e1.6ed9, irq 255
 5: Ext: GigabitEthernet1/5  : address is 00a7.42e1.6eda, irq 255
 6: Ext: GigabitEthernet1/6  : address is 00a7.42e1.6edb, irq 255
 7: Ext: GigabitEthernet1/7  : address is 00a7.42e1.6edc, irq 255
 8: Ext: GigabitEthernet1/8  : address is 00a7.42e1.6edd, irq 255
 9: Int: Internal-Data1/1    : address is 00a7.42e1.6ed5, irq 255
10: Int: Internal-Data1/2    : address is 0000.0001.0002, irq 0
11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
12: Int: Internal-Data1/3    : address is 0000.0001.0003, irq 0
13: Ext: Management1/1       : address is 00a7.42e1.6ed5, irq 0
14: Int: Internal-Data1/4    : address is 0000.0100.0001, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 4              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 300            perpetual
Total VPN Peers                   : 300            perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 1000           perpetual
Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual
VPN Load Balancing                : Enabled        perpetual


Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 4              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 8              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 300            perpetual
Total VPN Peers                   : 300            perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 1000           perpetual
Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Enabled        perpetual
VPN Load Balancing                : Enabled        perpetual

The Running Activation Key feature: 2000 TLS Proxy sessions exceed the limit on the platform, reduced to 1000 TLS Proxy sessions.

Serial Number: JAD1234ABCD
Running Permanent Activation Key: 0x0037exxx 0x482ffyyy 0x04718yyy 0xaad48xxx 0x49343xxx
Configuration register is 0x1
Image type                : Release
Key Version               : A
Configuration last modified by PeteLong at 13:50:02.750 GMT Tue Mar 26 2019

Petes-ASA#

[/box]

Related Articles, References, Credits, or External Links

NA

Cisco Catalyst – ‘Daughtercard inserted in this switch may not have been manufactured by Cisco’

KB ID 0001018 

Problem

In a newly deployed switch, the MACSEC link refused to establish, when I consoled in I was greeted with this;

[box]

Dec 06 01:30:07.023: %ILET-1-DEVICE_AUTHENTICATION_FAIL: The FRULink SM Daughtercard inserted in this switch may not have been manufactured by Cisco or with Cisco's authorization. If your use of this product is the cause of a support issue, Cisco may deny operation of the product, support under your warranty or under a Cisco technical support program such as Smartnet. Please contact Cisco's Technical Assistance Center for more information.
Dec 06 01:30:07.023: %PLATFORM_SM10G-3-AUTHENTICATION: The FRULink 10G Service Module (C3KX-SM-10G) may not have been entirely manufactured by Cisco. Module is in pass-through mode.
Dec 06 01:30:07.090: %FRNTEND_CTRLR-2-SUB_INACTIVE: The front end controller 1 is inactive
-Traceback= 4E12E0z 250AA2Cz 26A1BE8z 269C198z
Dec 06 01:30:18.079: %FRNTEND_CTRLR-2-SUB_INACTIVE: The front end controller 0 is inactive
-Traceback= 4E12E0z 250AA2Cz 26A1BE8z 269C198z
[/box]

Solution

At first I assumed the C3KX-SM-10G was faulty, so I put it in another 3560-X switch and the problem moved, problem solved (or so I thought).

However I moved the service module in it’s entirety (SFP’s as well). After some more troubleshooting it turns out the service module was fine, the entire problem was caused by a faulty SFP (GLC-SX-MMD).

Related Articles, References, Credits, or External Links

Cisco IOS – Configuring Switch to Switch MACSEC