The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes the answers to frequently asked Cisco Secure Client licensing questions.
With Cisco Secure Client 4.x, Cisco introduced a new licensing model. Based on feedback, we found that device based session capacity planning and per appliance license management was a constant guessing game and operational challenge. Moreover, with the growing number of mobile devices that need VPN connections combined with older ASAs refreshed to newer platforms there were also budget concerns with having to rebuy licenses. To help address these issues, we moved Cisco Secure Client to a total unique user, term-based licensing model. This greatly simplified licensing calculation and consumption in a number of areas.
First, going with a total user count is very much in line with general trend towards enterprise license / seat count model which enterprises can track and manage much better than endpoints. Second, focusing on user vs endpoint removes the variability that comes when the remote end-user has multiple devices connected simultaneously, a common issue with knowledge workers. Third, focusing on total users removes having to guess how many people need service and then having to buy pandemic licenses, which sit idle most of the time. This is also more in line with general business trend of enterprises trying to make employees more productive and thus always connected. Fourth, moving to a term-based model allows budget planning to shift from a bursty CAPEX and ongoing support budget exercise to a more smooth OPEX planning process. Finally, creating a standalone bundled endpoint license separate from the headend gives you choice when selecting different headend platforms and services. This model allows you to avoid additional license costs when the head end box is swapped out or additional capacity is added or when other services are added (for example Cisco Secure Client Apex investment for VPN services can be leverage along side ISE).
Cisco Cisco Secure Client services continue to be competitively priced and very much in line with Cisco's other software pricing initiatives such as Cisco ONE.
In terms of the actual offers, Cisco Secure Client 4.x collapsed the complex older Cisco Secure Client licensing model down into two simple tiers. The first is Cisco Secure Client Plus, which includes basic VPN services such as device and per-app VPN (including 3rd party IKEv2 Remote Access VPN head-end support), always on, basic device context collection, and FIPS compliance. Cisco Secure Client Plus also includes other non-VPN services such as the Cisco Secure Client Network Access Manager 802.1X supplicant and the Cloud Web Security module. In the 1H of CY 2015 with Cisco Secure Client 4.1, Cisco Secure Client Plus also added AMP for Endpoint distribution capabilities through the AMP Enabler. Existing Cisco Secure Client customers can think of Cisco Secure Client Plus as similar to the discontinued Cisco Secure Client Essentials.The second offer is AnyConenct Apex, which includes more advanced VPN services such as endpoint posture checks, next generation encryption (including Suite B), SAML authentication, and clientless Remote Access VPN as well as all the capabilities of Cisco Secure Client Plus. In the 2H of CY 2015 with Cisco Secure Client 4.2MR1, Cisco Secure Client Apex added the Network Visibility Module, a new endpoint flow based capability that collects user and endpoint behavior on and off premises. Existing Cisco Secure Client customers can think of Cisco Secure Client Apex as similar to the discontinued Cisco Secure Client Premium and Shared. With both Cisco Secure Client Plus and Apex continuing to add additional features and services, the value of Cisco Secure Client term-based offers has and can continue to increase over time.
Please see the Cisco Secure Client Ordering Guide for detailed licensing information.
A. We have taken into account feedback from customers over many years requesting a simplified licensing model. As such, the new license model eliminates all of the add-on licenses complexity while also allowing for co-existence of license types.The new model provides shared licensing across all options without the need to have hardware in place to enforce licenses and eliminates the requirement to purchase Cisco Secure Client licenses on a per ASA basis (assisting with HW migrations).Moreover, the new model has built-in pandemic support. All term licenses include support and software entitlement, so purchasing these licenses grants you access to the current software releases.
A. The Plus and Apex licenses are available via banding-based licenses (L-AC-PLS-LIC= and L-AC-APX-LIC=) that allow you to select a specific user count (for example, 873), a specific term length (for example, 30 months) and start date (for example, term starts on date X, up to 60 days in the future). The price per user per month decreases as the user count increases and/or the term length increases. Whenever possible, this method must be used to order Plus and Apex term licenses instead of the L-AC-PLS-xYR-G/L-AC-APX-xYR-G method. The L-AC-PLS-LIC= and L-AC-APX-LIC= ordering method provides more flexibility for user counts, term duration and simpler renewals.
A. Use of Cisco Secure Client on Cisco IOS® & Android without an active Plus, Apex or VPN Only license (term or contract) expired on April 30, 2016. Cisco Secure Client customers with Essentials/Premium and Mobile (discontinued) licenses can no longer use this software. Newer platforms such as Windows Phone 8.1, Windows 10 Mobile, BlackBerry 10, and Google Chrome OS have always required active Plus, Apex or VPN Only licensing.
A. Yes. Cisco Secure Client Plus is offered as a perpetual license in addition to the 1, 3 or 5 year terms.
Cisco also offers a perpetual VPN-only license. This provides the equivalent functionality of prior Cisco Secure Client Premium plus Advanced Endpoint Assessment plus Mobile plus Phone VPN.
The VPN-only Licenses are designed for VPN only environments that have a large number of potential end users, but very infrequent use (for example, a university with 10,000 students, but with only 100 active users at any one time). With either the Plus Perpetual or VPN-only licenses, you must separately purchase support services, or you are not eligible to access software or tech support.
Cisco Secure Client VPN Only is licensed based on a single headend device and simultaneous connections (not authorized users). For active/standby pairs, only the primary headend is required to have a VPN Only license. VPN Only licenses are an alternative to the Cisco Secure Client Plus and Apex model. No other Cisco Secure Client function or service (Web Security Module, ISE Posture, Network Visibility, ASA Multi-context VPN, and so on) is available with the Cisco Secure Client VPN Only licenses. VPN Only licenses do support Clientless SSL VPN, third party IPsec IKEv2, Suite B and VPN HostScan with an ASA. The VPN Only licenses cannot be transferred, rehosted, shared, combined, split, or directly upgraded to another VPN Only license size. These licenses do not coexist with Plus or Apex licensing, or any retired Cisco Secure Client licenses.
Both VPN Only and Plus Perpetual licenses require a SWSS contract on all head-ends in order to be eligible for SW access, updates, and techical support.
A. Yes. The Cisco Secure Client VPN-only licenses are concurrent endpoint based versus total active user with Cisco Secure Client Plus and Apex. The VPN-only are applied per individual ASA, and there is no sharing of licenses between ASAs, unlike Cisco Secure Client Plus and Apex, which provide this capability. For active/standby pairs, only the primary headend is required to have a VPN Only license. The VPN-only licenses are not portable, which means that when a new ASA is purchased additional licenses also need to be purchased. VPN-only licenses are not additive, meaning that you cannot start with a set number of licenses (for example, 500 at time x) and then increase capacity over time (for example, add 100 more at time x + y). Nor can they be bought to service burst capacity requirements. As mentioned previously, VPN-only licenses require the purchasing of support services, whereas support is built into the term contracts for Cisco Secure Client Plus and Apex.
A. The Cisco Secure Client Plus and Apex model is based on total authorized users that can make use of any Cisco Secure Client service, not simultaneous connections (either on a per-ASA or shared basis) and not total active remote access users. As such, you can connect with as many devices as you want as long as you have available hardware capacity and have not exceeded your purchased authorized user count. It is your responsibility to purchase additional authorized user licenses if your usage needs increase. If you currently support 30K simultaneous user connections, but have 50K users who need Cisco Secure Client services, you would be required to buy a 50K license.If you have 100K users who need Cisco Secure Client services, you would be required to buy a 100K license. For unattended environments where there are not really individual users on the other side of a connection, each unattended device is considered a unique user.
A. The Plus license provides similar connectivity as was available with the original Essentials license, while the Apex license provides many of the same capabilities from the Premium or Shared license.A full breakdown of features is noted in the Cisco Secure Client Ordering Guide.
A. There are no restrictions on ASA versions for the Plus/Apex licenses. Any ASA capable of supporting Cisco Secure Client supports the new license model. Certain features, that is per application VPN require newer ASA versions/HW. The licenses are compatible with both original and current ASA models. PAK registration is specific to the ASA 5500/5500-X, and does not happen for the ASAv, Firepower or Cisco ISR / ASR / CSR 1000V VPN head-ends; however, the contract registration still needs to be completed in order to enable software download access and receive tech support.
A. The Cisco Secure Client Plus license is required for third party IKEv2 VPN client support. This is similar to how Cisco Secure Client Apex is required for clientless support. Cisco Secure Client Apex, which includes all Plus functionality, can also be used to enable IKEv2 VPN from 3rd party VPN clients.
A. The Cisco Secure Client Plus or Apex users license count needs to service the total unique users utilizing Cisco Secure Client, Third party IKEv2 access, or clientless services (be they active on the network or not).
A. You are eligible to use a Plus or Apex license with as many ASAs as you own during your license term as long as you do not need exceed your purchased authorized user license. Upon purchasing either license option, a Product Activation Key (PAK) is provided, which is used to unlock these services on multiple ASAs. Plus / Apex licenses are not locked to a single ASA as the Essentials or Premium / Shared licenses were.
A. Cisco Secure Client Plus or Apex license(s) are ordered separately from the head-end. Cisco Secure Client Plus or Apex licenses are not tied to a specific ASA / head-end but rather to your overall deployment. The most cost effective way to purchase a license is to cover your entire deployment. That said, Cisco Secure Client Plus and Apex can eventually be an optional item under certain ASA bundles along side other security subscriptions. Please refer to the Cisco Secure Client ordering guide for additional details.
A. It is important to order each license for a separate customer as its own line item, preferably as its own unique Sales Order so that the end user customer information is correctly recorded, and that that support services can be entitled correctly. If you order multiple quantities for either the top or second level Cisco Secure Client PIDs during the ordering process, you can receive entitlement for what you purchased but it does not generate additional Product Activation Keys. If your intenention is to order for different customers, you must be ordering for each customer as their own separate order. Minimally, you must order each license as its own unique top level line item, not by increasing the quantity for one single shared line item. For example, if ordering an Cisco Secure Client Plus Perpetual License, you would not order: L-AC-PLS-P-G Qty:2 or specify quantity 2 on the next level down, instead you would place two separate line orders, both for L-AC-PLS-G with Qty: 1.
A. A Cisco Secure Client Plus or Apex license(s) can be used across any number of ISE appliances or deployments as long as you do not need exceed the authorized user license count. Purchasing either license option along side ISE does not require any PAK file registration or loading into ISE (Cisco Secure Client's PAK files only get applied to the ASA). So in an ISE deployment, Cisco Secure Client Plus and Apex licenses are just a right to use license.
A. Yes. Cisco Secure Client 4.x still supports Hostscan functionality for VPN only posture with the Cisco ASA. AnyConect 4.x also has a unified posture agent that works across wired, wireless, and VPN, but this requires ISE 1.3 or greater. An Cisco Secure Client Apex license is required for both options.
A. No. However, using a Cisco Cisco Secure Client Plus license with Cisco ISE Plus enables the collecting and sharing of endpoint context for VPN uses cases. Cisco Cisco Secure Client Plus license works with the Cisco ISE Base license, but the detailed endpoint information cannot be collected.
A. Cisco ISE Apex is the license tier to enable compliance context collection and the use of that information as authorization attributes within ISE policies. For example, using a third-party MDM/EMM platform to detect and control access based on PIN lock status and jailbreak status requires a Cisco ISE Apex license. The Cisco ISE Apex license count required in this use case is the maximum number of potential concurrent MDM/EMM enrolled mobile endpoints active on the network and controlled by Cisco ISE, and not every MDM/EMM enrolled endpoint. Cisco ISE Apex with Cisco Secure Client Apex enables Cisco Secure Client as the unified agent for PC compliance along with all the additional value-added Cisco Cisco Secure Client services such as always on, trusted network detection, and so on. As in the previous example, the Cisco ISE Apex license count would be for the maximum number of concurrent sessions where Cisco Cisco Secure Client acts as the unified agent in the Cisco ISE deployment for posture, and so on, and not, necessarily, every endpoint that can be running Cisco Secure Client. The number of Cisco Cisco Secure Client Apex licenses needed is based on all the possible unique users that can use Cisco Cisco Secure Client Apex services and not each and every device running Cisco Cisco Secure Client. Cisco Secure Client Plus and Apex fall under a separate user-based license structure, which is different from the Cisco ISE endpoint session-based license structure.
A. License requirements are determined by head-end used, and the services available in that head end. For example, Cisco Secure Client Plus is required for VPN service to Cisco IOS® head-ends though you could also use Cisco Secure Client Apex. To use Cisco Secure Client's posture capabilities with ISE 1.3, you must order Cisco Secure Client Apex as well as ISE Apex. For other use cases including Network Access Manager, Cisco Cloud Web Security (CWS), and so on. you must have Cisco Secure Client Plus, but again they could also use Cisco Secure Client Apex. CiscoIOS head-ends must also have a Security License before Cisco Secure Client services can be used. Cisco Secure Client is compatible with ISR G2, CSR 1000V and ASR 1000 platforms. Available features varies by platform.
Note: The physical Product Activation Key (PAK) registration on the Cisco licensing portal is only applicable to the ASA. For ASAv and Cisco IOS head-ends as well as non-VPN use cases, store the PAK in a safe place as proof or purchase. You still need to complete Contract registration for SW Center access and TAC support.
A. ISR G2 – Cisco IOS 15.0(1)M, CSR1000v – Cisco IOS XE 3.12 S.
A. Yes, as long as the authorized user count is not exceeded and the license is only used during the purchased term, the license can be used with any headend covered by the license. PAK registration does not apply to non-ASA headends.
A. Network Access Manager capabilities require a Plus or Apex license per authorized (unique) user.
A. Cisco Secure Client Plus or Apex license(s) must be ordered separately for other headend or services outside of the ASA.
A. No. The Network Visibility Module is only available in the Cisco Secure Client Apex licenses.
Note: The Network Visibility modules makes use of Cisco Secure Client’s trusted network detection function in the VPN module, but excluding this capability, it can function without other Cisco Secure Client modules.
A. Yes. Cisco Secure Client Plus and Apex licenses can be mixed within the same deployment. Cisco Secure Client Plus and Apex both provide the same cross deployment capabiltiies as the discontinued Shared licenses. Cisco Secure Client Plus and Apex are licensed based on the total users for the specific Cisco Secure Client service used, so no matter how often they connect, nor how many devices they use, the new Cisco Secure Client Plus and Apex licenses remove the need for Flex (Business continuity) licenses.
A. No. Discontinued Essentials or Premium licenses do not co-exist on the same hardware as newer Plus, Apex or VPN Only licenses. Additionally, VPN Only licenses do not co-exist on the same hardware with Plus or Apex licenses.
A. Yes. But please note that ASAv, which utilizes Cisco Smart Licensing, does not require any Cisco Secure Client license to be physically applied to the actual platform. The same licenses must still be purchased and you must still link the Contract number to your Cisco.com ID for SW Center access and tech support.
A. Cisco Secure Client Plus (or Apex). Previously, Phone VPN required both a Premium license AND a Phone VPN license.
Note: This is for VPN Phone and NOT UC Proxy. UC Proxy licenses are not related to Cisco Secure Client licenses.
A. This is normal. These parts expand to allow you to register your Cisco Secure Client Plus or Apex license to all of your ASA serial numbers. This expansion SKU is not applicable to the newer banding-based Plus (L-AC-PLS-LIC=) or Apex (L-AC-APX-LIC=) SKUs or the VPN Only SKUs (L-AC-VPNO-xxxx=). See the Cisco Secure Client Ordering Guide for details on license registration per SKU type.
A. You can receive a multi-use product activation key per Plus or Apex license purchased. This multi-use product activation key gets activated on each ASA at Cisco Software Central. After activating the key, the ASA is unlocked for its maximum hardware capacity. Complying with the unique/authorized user counts and term limits are honor system and are not physically enforced by the ASA or Cisco Secure Client. If you purchase more than one Apex license, or a Plus and Apex license, you need to register each PAK to each ASA, although doing so does not change the resulting license key generated for the ASA. This is to ensure that if you open up a support case in the future, that there is a record of your license purchase,.
Warning: It is important that you DO NOT select to register all quantity on the license tool, or you can deactivate your product activation key. By default, the Cisco licensing site cannot let you do this, but if you have a pop-up blocker enabled, this function is not enforced.
A. The Product Activation Key (PAK) must be treated like cash. If you lose your product activation key before using it, the only other method we can use to locate it is with the Sales Order #. If you have previously used this PAK to register an ASA, the PAK can be located in the Cisco.com license portal for the user who performed the license registration. Cisco can look up this information based on a serial number used for a prior registration.
A. The Plus/Apex model requires a Product Activation Key (PAK) to enable an ASA and entitle support/SW access. As such, it is not possible to deliver the ASA license before the Product Activation Key is generated. Visit: Cisco Software Central. Then go to Traditional Licensing and choose Get Other Licenses > Demo and Evaluation > Security Products > Cisco Secure Client Plus/Apex (ASA) Demo License to obtain a one-month temporary ASA license. Licenses cannot be used the second you receive eDelivery notification. It can take up to 24 hours for your license PAK to become active on the License portal.
A. You most likely pasted in a trailing space after your serial number. Remove any additional spaces after your serial number, and resubmit your request. The other cause of this is that you clicked the Add Device button, which is intended to add more than one Serial Number at initial registration, but you did not actually add any other Serial Numbers. For this situation, click the Delete Device button, and submit again without the blank space which is there to add an additional serial number.
A. When you purchase any term Plus or Apex license (or SWSS for Plus perpetual or VPN Only), a contract number can be generated for your purchase. This usually takes at least a few days from the time the license PAK is electronically delivered. Speak with your reseller if you have not received this contract number from them. The contract number needs to be attached to your Cisco.com ID in order to enable SW Center access, and the ability to open a TAC case. We recommend that you link your contract to their Cisco.com ID by mailing web-help-sr@cisco.com with the Contract # and their Cisco.com ID. It is very important that your customer profile address information matches the address information on the contract prior to attempting to link a contract or sending an email. The contract number is not the same as your Product Activation Key (PAK).
A. All ASA license keys get stripped during RMA, this is a normal part of the RMA process at Cisco and is not specific to this license. Since the Product Activation Key is multi-use, you do not need a RMA case to initiate a transfer, you just re-register your PAK to your new ASA SN.
A. The countdown is based the same way that all term-based licenses work at Cisco. There is nothing Cisco Secure Client specific as part of this. The contract is set to become active one day after ship (these are electronically delivered licenses). For example, if an order ships on October 25, 2014, the service start date is October 26, 2014.
A. While there is nothing in the new licenses that specifically dictates an ASA reboot, the ASA licensing code has varied over more than a decade on how it behaves when a new license is installed. As such, a reboot can or cannot be required. A lot of this depends on the current license installed, and ASA software version, as certain features do not disappear fully until the device is rebooted. As such, you must plan for reboots to be safe. You can stagger this whenever they want.
A. Make sure you replace the licenses on all of the participant devices, and disable shared licensing on those devices before replacing the license on the device currently acting as the shared license server.
A. Your new Plus, Apex or VPN Only license key cannot use the Essentials option. In order to make use of your new license key, you must disable the Cisco Secure Client-essentials feature on your ASA by issuing a no Cisco Secure Client-essentials under webvpn. When installing your new license key, you can receive a warning that needs to be agreed to telling you that the Essentials key cannot be in the new license you are installing. As long as you have properly disable Cisco Secure Client-essentials on your ASA, you are OK to proceed. Some ASA versions can require a reboot when installing new license key to ensure it is properly activated.
A. Proactive renewal notifications are not currently in place. As such, it is your responsibility to keep track of the expiration date. This is visible in the Sales Order Subscription field or SWSS line item, and at any time by logging in to your Cisco.com linked account to your contract (CSCC), which shows the start and end date for the contract. For banding Plus/Apex SKUs (L-AC-PLS-LIC= and L-AC-APX-LIC=), you can also receive your license expiration date in your license registration email, and the expiration date can be visible inside of your Cisco license portal when viewing your registered licenses.
Note: You are not able to determine your Cisco Secure Client license tier, authorized user count, or expiration date from the show version command of a head-end.
A. We are investigating enhancements in this area.
A. All older Cisco Secure Client licenses can be removed and replaced by the new licensing model when you install your new Product Activation Key (PAK).
A. Renewals shoule be handled using the L-AC-PLS-LIC= (Cisco Secure Client Plus) and L-AC-APX-LIC= (Cisco Secure Client Apex) SKUs regardless of which SKU the original order was placed under. For both initial purchases and renewals, you must complete ASA device registration and share function with all ASAs. For renewals, you do not do anything with the license key that can be emailed to you after that (there is no requirement to re-install a different license key on the ASA at renewal time).
A. Banding Cisco Secure Client Plus (L-AC-PLS-LIC=) and Apex (L-AC-APX-LIC=) licenses can be renewed via CSCC, and are purchased via Cisco.com Cisco Commerce, Block-based Plus, or Apex SKUs are renewed/purchased exclusively via Cisco.com Cisco Commerce. Speak with your Cisco authorized reseller, or Cisco account team, for assistance purchasing or renewing a license. To simplify renewals, you must always use the banding SKUs going forward for both new purchases and renewals.
A. You are not required to adopt Cisco Secure Client 4.x as part of moving to the new licensing. However, Cisco Secure Client 3.x is already End-Of-Life (no additional fixes can be provided). If you do not upgrade to an Cisco Secure Client Plus or Apex licenses, you cannot have access to newer Cisco Secure Client versions. The Plus or Apex licensing does not require you to upgrade your Cisco Secure Client software at the same time.
A. Once a license PAK is generated, it can take up to 24 hours after the eDelivery license is delivered before the Product Activation Key (PAK) can be registered on the licensing portal. This message is what can be displayed when attempting to register a PAK which is not yet able to be registered. If more than 24 hours have passed since your license was eDelivered, and you are still receiving this error, open up a case with Cisco Global Licensing (GLO) by using the Support Case Manager (SCM). Then choose Software Licensing > Security Related Licensing > Cisco Secure Client.
A. Fall 2014. The Cisco Secure Client Plus and Apex banding SKUs and VPN Only SKUs are available for purchase as of April 2016.
A. The phase out began January 2015, and completed as of August 31, 2015. These older licenses can no longer be purchased.
A. Cisco offers 4-week Apex evaluation licenses that incorporate all Plus license functionality. To obtain an evaluation license, visit: Cisco Software Central. Then navigate to Traditional Licensing and choose Get Other Licenses > Demo and Evaluation > Security Products > Cisco Secure Client Plus/Apex (ASA) Demo License.
Note: The license unlocks the ASA functions, but does not grant access to the Cisco Secure Client Windows/Mac OS X/Linux software. Mobile versions of Cisco Secure Client can be accessed via the Application store for the specific OS, and can be trialed in conjunction with an evaluation license.
A. As long as the license features you were emailed are correctly displayed, this message can be safely ignored. Say yes, write the key to memory, and reboot the ASA to complete the license installation. The ASA is not able to properly validate the features available in the key in some scenarios prior to rebooting. If the correct features are not displayed in your Cisco licensing email, open up a case with Global Licensing (GLO), through the Support Case Manager (SCM), then choose Software Licensing > Security Related Licensing > Cisco Secure Client, to resolve this prior to installing the key.
A. The licensing terms and conditions are listed in the Supplemental End User Agreement (SEULA). The Cisco Cisco Secure Client privacy policy can be found at: Cisco Online Privacy Statement Summary
A.Commodity Classification Automated Tracking System (CCATS): Self-classified / Mass Market
US Export Control Classification Number (ECCN
US Encryption Registration Number (ERN
French ANSSI declaration approval #: 1211725
Details available at: Public Export Product Data
A. No, Cisco Secure Client's VPN services can only be used with appropriately licensed Cisco equipment. Use of Cisco Secure Client with non-Cisco VPN equipment is strictly prohibited by our license agreement.
A. More information is available at this link Cisco Secure Client Ordering Guide
A. Please mail your question to Cisco Secure Client-pricing@cisco.com.
A. In order to utilize Cisco Secure Client with FTD 6.2.1 and later, open up a case with Cisco Global Licensing (GLO) using the Support Case Manager (SCM). Then choose Software Licensing > Security Related Licensing > Cisco Secure Client. Once you supply the required information, and your entitlement is validated, your license entitlement in your Smart account can be popluated.
A.
To register your Cisco Secure Client Plus/Apex License (L-AC-PLS-LIC= or L-AC-APX-LIC=), start on the Cisco License Registration Portal Cisco Software Central, then go to the correct licensing type, Smart Licenses or Traditional Licenses.
Note: You need to log in with your Cisco.com ID.
After entering your PAK, click the Fulfill button. If you have just received your product activation key, allow up to 4 hours for the key to be registered. If you try to register too soon, you can receive thefollowing
error message: PAK/s or Token/s xxxxxxx is / are either Invalid or Inactive.
Do not open a Licensing Case for this error message unless you have waited at least 24 hours after receiving your Product Activation Key. The License team cannot assist you with license registration prior to the PAK becoming fully activated for use.
If you currently share licenses inside of your organization under a Smart Account, choose this account prior to clicking Next. This screen can tell you the specific license you are registering, the total number of authorized users you purchased (Quantity), and the License start and end dates.
In the ASA Serial number field, enter your ASA serial number. This serial number MUST be obtained by using show version. ASA 5500-X models have multiple serial numbers and it is important that you use the correct one or the key cannot function. If for some reason you have incorrectly entered the key, you can use the Sharing Process described to share from the incorrect Serial Number to the correct one, but you can save a lot of time doing this correctly the first time. For ASAv and non-ASA head-ends, this PAK registration process is not applicable. You can still link your Contract number to your Cisco.com ID for software access and technical support.
If you have more than one ASA, and you want to register licenses to those devices up front, you can do so by clicking the Add Device button. You can add additional ASAs later using the Share instructions listed.
You must now confirm your email address. Optionally, you can choose additional individuals to receive the license key notification. After doing so, you must then select that you agree with the license terms and click Submit.
You can receive a pop-up with License Request Status information. Check your email for the license. If you do not receive the email promptly, check your Spam folder.
This is a sample email with your initial license key. The key itself is in the Product Authorization Key section. The Serial number displayed must be the same serial number as show version on your ASA reports, or you cannot install the key.
A.
License Sharing (adding additional ASAs that share this license).
To share to another ASA, return the Cisco License Registration Portal at Cisco Software Central, then choose Traditional or Smart Licenses, as required. Choose Get Other Licenses - Share License Process – Get Activation Codes. Once you receive your activation code via email, you can return back to this same page and choose the Use Activation Codes option. You need to repeat this process for each additional ASA you wish to share with. If you have multiple product activation keys for different user counts, terms or tiers, it is recommended to register all licenses first to the initial serial number, as it can make the subsequent sharing process easier since you are able to share all available licenses at once.
Note: This process must be done using the Cisco.com ID that registered the original Product Activation Key. If this employee is no longer with your company, you need to open up a ticket with Cisco Global Licensing for further assistance. Choose the Contact Us option on the License Registration Portal for further instructions on opening a licensing support case.
You need to choose the ASA serial number that currently has the license you wish to share, and the additional serial number. This serial number MUST match what is displayed under show version for this license to function.
This is a sample email you receive with your Activation Code. If you do not receive this email promptly, check your Spam Folder.
Use the link in the email, and choose Get Other Licenses - Share License Process – Get Activation Codes.
Choose all licenses you wish to share with this additional serial number. Confirm that both the source and target serial numbers are the correct serial numbers from show version. If not, you need to start the sharing process again with the correct serial numbers.
Confirm your email address, and enter any additional email addresses for the license to be sent to. Check the box to agree with the terms and click Get License.
Your new license can be emailed promptly. If you do not receive the email, check your Spam folder. Your additional license can be found inside of the ZIP attachment.
Revision | Publish Date | Comments |
---|---|---|
5.0 |
28-May-2024 |
Removed Cisco from title. Removed italics. Corrected links. Branded Cisco IOS. |
4.0 |
26-Jun-2023 |
Updated Title, Introduction, Branding Requirements, Style Requirements, Machine Translation, and Formatting. |
3.0 |
31-Aug-2022 |
Fixed links to reach GLO team for licensing assistance. Additionally performed some minor edits for clarity. |
2.0 |
11-May-2022 |
Minor edits for clarity. |
1.0 |
15-Oct-2015 |
Initial Release |