Introduction
This document describes how to configure and remove a time-based activation key on a Cisco Adaptive Security Appliance (ASA) for AnyConnect Premium Peers. A time-based activation key activates features for a specific time period.
Background Information
AnyConnect Premium and AnyConnect Essentials were used in the old licensing models and are now obsolete. In the new licensing model, AnyConnect Apex corresponds to AnyConnect Premium and AnyConnect Plus corresponds to AnyConnect Essentials. AnyConnect Apex is not compatible with old licenses. So, if you enable Apex, the Premium license is not used; however, the licenses consumed are counted as Premium licenses. Essentials is disabled, as it is not compatible. The command to check whether the Apex license is enabled or disabled is debug menu license 23.
AnyConnect Plus license includes these VPN types:
- SSL VPN
- IPsec remote access VPN using IKEv2
AnyConnect Apex license includes these VPN types:
- SSL VPN
- Clientless SSL VPN
- IPsec remote access VPN using IKEv2
The detailed feature differences between the two licenses can be found in this licensing guide:
https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-og.html
Note: The new AnyConnect Plus, Apex, or VPN Only license key no longer uses the Essentials option. In order to use a new license, the anyconnect-essentials feature must be disabled on your ASA by issuing no anyconnect-essentials under webvpn. When a new license key is installed, a warning shows that the Essentials key is not used. As long as anyconnect-essentials is properly disabled on your ASA, you are OK to proceed.
Configuration
Step 1. Get the Product Activation Key (PAK) for the device. The Cisco Licensing team can help you obtain a time-based activation key for the required time period.
Note: The Serial Number (SN) of the ASA used to fulfill this requirement has to be taken from the show version output of your ASA and not from show inventory.
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.12(2)
Firepower Extensible Operating System Version 2.6(1.141)
Device Manager Version 7.12(2)
---omitted for brevity---
Licensed features for this platform:
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 100 perpetual
Total VPN Peers : 100 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 320 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
Serial Number: 9A5KG6HTQSB
Running Permanent Activation Key: 0xa339d567 0xa8df641f 0x9193bd58 0xc6344cb4 0x031bfbaa
Step 2. You receive two activation keys for the same SN of your ASA platform from the licensing team.
An example of the PAK received from licensing:
-------------------------------------------------------------
THE FOLLOWING ACTIVATION KEY IS VALID FOR:
ASA SOFTWARE RELEASE 8.2+ ONLY
Platform = asa
9A5KG6HTQSB: 0x5376dfc2 0x99806c06 0x9d8c5acf 0xc0a4da97 0x8512c481
--------------------------------------------------------------
THE FOLLOWING ACTIVATION KEY IS VALID FOR:
ALL ASA SOFTWARE RELEASES, BUT EXCLUDES ANY
8.2+ FEATURES FOR BACKWARDS COMPATIBILITY.
Platform = asa
9A5KG6HTQSB: 0x2722ea6c 0x6041d059 0xc930c908 0xcfe8c498 0x463cc092
---------------------------------------------------------------
Step 3. Copy the activation key and apply it on the ASA.
ASA(config)# activation-key 0x5376dfc2 0x99806c06 0x9d8c5acf 0xc0a4da97 0x8512c481
Step 4. Once the license is applied, save the configuration (write memory).
This completes the process to temporarily apply the license feature on your ASA platform.
Verify
The new license can be verified as shown here:
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.12(2)
Firepower Extensible Operating System Version 2.6(1.141)
Device Manager Version 7.12(2)
---omitted for brevity---
Licensed features for this platform:
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 500 14 days
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 100 perpetual
Total VPN Peers : 100 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 320 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
Serial Number: 9A5KG6HTQSB
Running Permanent Activation Key: 0xa339d567 0xa8df641f 0x9193bd58 0xc6344cb4 0x031bfbaa
Running Timebased Activation Key: 0x5376dfc2 0x99806c06 0x9d8c5acf 0xc0a4da97 0x8512c481
In the above output, the new time-based license is valid for 2 weeks (14 days). After the 14 days are complete, the AnyConnect Premium license is overwritten by the permanent activation key on the ASA.
Note: If your ASA runs only on a time-based activation key, then after that specific time period the device reverts to the default license feature.
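The following Python script is an added example (not Cisco code and not part of the original document) that automates the checks described above: it parses show version output, reports features that run on a time-based key and how many days remain, and confirms that a key in the licensing message was issued for the serial number from show version. The function names and the 30-day warning threshold are assumptions; the sample text is constructed from the output on this page.

```python
import re

# Constructed sample: trimmed from the "show version" output shown in Verify.
SHOW_VERSION = """\
Licensed features for this platform:
Maximum VLANs : 50 perpetual
AnyConnect Premium Peers : 500 14 days
AnyConnect Essentials : Disabled perpetual
Total VPN Peers : 100 perpetual
Serial Number: 9A5KG6HTQSB
Running Permanent Activation Key: 0xa339d567 0xa8df641f 0x9193bd58 0xc6344cb4 0x031bfbaa
Running Timebased Activation Key: 0x5376dfc2 0x99806c06 0x9d8c5acf 0xc0a4da97 0x8512c481
"""

HEX5 = r"((?:0x[0-9a-fA-F]{1,8}\s*){5})"
FEATURE = re.compile(r"^([^:]+?)\s*:\s*(\S+)\s+(?:perpetual|(\d+) days?)$")
RUNNING = re.compile(r"^Running (Permanent|Timebased) Activation Key:\s*" + HEX5 + "$")
ISSUED = re.compile(r"^(\w+):\s*" + HEX5 + "$")  # "<serial>: <key>" line from licensing

def parse_show_version(text):
    """Return serial, running keys and {feature: (value, days_left or None)}."""
    info = {"serial": None, "keys": {}, "features": {}}
    in_features = False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Licensed features for this platform"):
            in_features = True
        elif line.startswith("Serial Number:"):
            info["serial"] = line.split(":", 1)[1].strip()
            in_features = False
        elif (m := RUNNING.match(line)):
            info["keys"][m.group(1).lower()] = m.group(2).split()
        elif in_features and (m := FEATURE.match(line)):
            days = int(m.group(3)) if m.group(3) else None
            info["features"][m.group(1)] = (m.group(2), days)
    return info

def expiring_features(info, warn_days=30):
    """Features on a time-based key that lapse within warn_days (assumed threshold)."""
    return sorted((name, value, days) for name, (value, days)
                  in info["features"].items() if days is not None and days <= warn_days)

def issued_keys_for(serial, licensing_text):
    """Keys in a licensing message issued for this serial; other serials are ignored."""
    found = (ISSUED.match(l.strip()) for l in licensing_text.splitlines())
    return [m.group(2).split() for m in found if m and m.group(1) == serial]

if __name__ == "__main__":
    info = parse_show_version(SHOW_VERSION)
    for name, value, days in expiring_features(info):
        print(f"{info['serial']}: {name} = {value} expires in {days} day(s)")
```

Run against saved show version output on a schedule, this flags the drop from 500 to 2 AnyConnect Premium Peers before the 14 days run out.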
In order to remove the time-based activation key within the 14 days and re-apply the pre-existing perpetual license, deactivate the running time-based key as shown here:
ASA(config)# activation-key 0x5376dfc2 0x99806c06 0x9d8c5acf 0xc0a4da97 0x8512c481 deactivate