With the release of 9.3 for ASAs, Cisco introduced Smart Licensing, which lets you purchase and manage a pool of licenses centrally. Unlike product authorization key (PAK) licenses, smart licenses are not tied to a specific serial number. You can easily deploy or retire ASAvs without having to manage each unit’s license key. Smart Software Licensing also lets you see your license usage and needs at a glance (source).
Personally, I think it’s a great way to manage all of your licenses. This is especially helpful if you are in the cloud sector. As a private cloud provider, for example, it allows you to manage licenses for your IaaS offering in one centralized location, fast and easy. The ability to “reuse” a license for a second tenant if the first tenant no longer needs it is a powerful tool. Since everything is going virtual, not having licenses tied to physical equipment provides leverage and speed in deployments.
Before hopping into the implementation piece, I would like to provide an overview of the different licenses that Cisco provides for their virtual ASAs.
As you may know, the difference is going to be in the resources and features. Before purchasing any ASAv license, it’s crucial to identify your requirements, such as throughput, sessions, etc.
The table below provides all the information you need for Cisco’s four offerings (ASAv5, ASAv10, ASAv30, ASAv50) as of April 10, 2018. Highlighted features are the ones I would pay close attention to prior to a purchasing decision. For more information, please visit the Cisco Data Sheet, which includes ordering part numbers.
Table 1.
Feature | ASAv5 | ASAv10 | ASAv30 | ASAv50
--- | --- | --- | --- | ---
Stateful inspection throughput (maximum, UDP) | 100 Mbps | 1 Gbps | 2 Gbps | 10 Gbps
Stateful inspection throughput (multiprotocol, TCP) | 50 Mbps | 500 Mbps | 1 Gbps | 5 Gbps
Advanced Encryption Standard (AES) VPN throughput | 30 Mbps | 125 Mbps | 1 Gbps | 3 Gbps
Connections per second | 8,000 | 20,000 | 60,000 | 120,000
Concurrent sessions | 50,000 | 100,000 | 500,000 | 2,000,000
VLANs | 25 | 50 | 200 | 1024
Bridge groups | 12 | 25 | 100 | 250
IPsec VPN peers | 50 | 250 | 750 | 10,000
Cisco AnyConnect® or clientless VPN user sessions | 50 | 250 | 750 | 10,000
Cisco Unified Communications phone proxy | 50 | 250 | 1000 | Not tested
Cisco Cloud Web Security users | 250 | 1,000 | 5000 | Not tested
High availability | Active/standby (all models) | | |
Hypervisor support | VMware ESX/ESXi 6.0, 6.5; vMotion; KVM; Hyper-V: Windows Server 2012 R2 (Not supported for ASAv50) | | |
Public cloud support | AWS (c3.large, c3.xlarge, c4.large, c4.xlarge, M4); Azure (d3, d3_v2), including Azure Government Cloud (ASAv5 through ASAv30) | | | Currently not supported on public cloud
Modes | Routed and transparent (all models) | | |
Virtual CPUs | 1 | 1 | 4 | 8
Memory | 1 GB minimum, 1.5 GB maximum | 2 GB | 8 GB | 16 GB
Minimum disk storage | 8 GB | 8 GB | 16 GB | 16 GB
Once you purchase the license, there are two pieces to the puzzle. First, you will need to deploy the OVF file on your compute infrastructure (VMware/Hyper-V). This post does not cover the deployment of the OVF file. Please let me know if you are interested in covering that piece and I’ll be more than happy to present it. Otherwise, please follow one of the Cisco KB articles on this process.
After the ASAv has been deployed, you will need to register it to get all the features you paid for.
By default, the ASAv comes with limited resources. That can be verified with the following three commands:
ASAv# sh vm
Virtual Platform Resource Limits
——————————–
Number of vCPUs : 0
Processor Memory : 0 MB
Virtual Platform Resource Status
——————————–
Number of vCPUs : 2 (Noncompliant: Over-provisioned)
Processor Memory : 4096 MB (Noncompliant: Over-provisioned)
Hypervisor : VMware
Model Id : ASAv30
ASAv# sh ver
Cisco Adaptive Security Appliance Software Version 9.8(2)20
Firepower Extensible Operating System Version 2.2(2.63)
Device Manager Version 7.8(1)
Compiled on Fri 02-Feb-18 06:18 PST by builders
System image file is “disk0:/asa982-20-smp-k8.bin”
Config file at boot was “startup-config”
IDS-LDEN-Demo01-ASAv up 61 days 21 hours
Hardware: ASAv, 4096 MB RAM, CPU Xeon E5 series 2000 MHz, 1 CPU (2 cores)
Model Id: ASAv30
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x0, 0KB
0: Ext: Management0/0 : address is 0050.56a1.26a7, irq 10
1: Ext: GigabitEthernet0/0 : address is 0050.56a1.1c89, irq 5
2: Ext: GigabitEthernet0/1 : address is 0050.56a1.52a8, irq 9
3: Ext: GigabitEthernet0/2 : address is 0050.56a1.399c, irq 11
4: Ext: GigabitEthernet0/3 : address is 0050.56a1.3ac9, irq 10
5: Ext: GigabitEthernet0/4 : address is 0050.56a1.0fa1, irq 5
6: Ext: GigabitEthernet0/5 : address is 0050.56a1.76ff, irq 9
7: Ext: GigabitEthernet0/6 : address is 0050.56a1.7d33, irq 11
8: Ext: GigabitEthernet0/7 : address is 0050.56a1.376d, irq 10
9: Ext: GigabitEthernet0/8 : address is 0050.56a1.3784, irq 5
License mode: Smart Licensing
ASAv Platform License State: Unlicensed
No active entitlement: no feature tier and no throughput level configured
*Memory resource allocation is more than the permitted limit.
ASAv# sh license status
Smart Licensing is ENABLED
Registration:
Status: UNREGISTERED
Export-Controlled Functionality: Not Allowed
License Authorization:
Status: No Licenses in Use
Registering your newly deployed ASAv will require applying a token ID that can be generated from the Smart Licensing Portal. Please note that you should have an account created during the purchase process.
Once logged in, navigate to the Smart Software Licensing URL (fig. 1).
Navigate to Inventory > Licenses to verify that the license was applied to your account (fig. 2).
From that point, navigate to General > New Token > Create Token (fig. 3).
At this point a new token should be generated (fig. 4). Copy it to the clipboard; you’ll need it soon.
In order to have a successful license installation, your ASAv needs to be able to resolve and ping tools.cisco.com.
ASAv# ping tools.cisco.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.37.145.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/36/40 ms
If that fails, your registration will fail. Make sure you have proper DNS domain lookup configured. This is the step that is missed a lot of the time.
ASAv(config)# dns domain-lookup outside
ASAv(config)# dns server-group DefaultDNS
ASAv(config-dns-server-group)# name-server 8.8.8.8
ASAv(config-dns-server-group)# domain-name companyName.local
Now you are ready to apply Smart Licensing. First, set the proper feature tier and throughput level under the license smart configuration object:
ASAv(config)# license smart
ASAv(config-smart-lic)# ?
Smart Licensing configuration commands:
exit Exit Smart Licensing configuration mode and apply configuration
feature Set License feature
no Negate a command
throughput Set License throughput
ASAv(config-smart-lic)# throughput level ?
smart-lic-mode mode commands/options:
100M Enable 100 Mbps throughput level
10G Enable 10 Gbps throughput level
1G Enable 1 Gbps throughput level
2G Enable 2 Gbps throughput level
The full set of commands, e.g. for an ASAv30, would be:
license smart
feature tier standard
throughput level 2G
exit
Finally, apply the idtoken that you previously copied to your clipboard:
license smart register idtoken MzE2MTMwMzItMzQ4Yy00NmUxLWI3ZjYtNWFhZGVlMDc4ZWViLTE1MjU5NzQ4%0AMDQ2MDd8RHp0NkdkbGRZOFlnSllUM0dEVUdmN0c force
To verify that the license was successfully installed, check the VM status as well as the license usage:
ASAv# sh vm
Virtual Platform Resource Limits
——————————–
Number of vCPUs : 4
Processor Memory : 8192 MB
Virtual Platform Resource Status
——————————–
Number of vCPUs : 4 (Compliant)
Processor Memory : 8192 MB (Compliant)
Hypervisor : VMware
Model Id : ASAv30
ASAv# sh license usage
License Authorization:
Status: AUTHORIZED on Feb 09 03:08:47 2018 UTC
ASAv30 Standard – 2G (ASAv-STD-2G):
Description: ASAv30 Standard – 2G
Count: 1
Version: 1.0
Status: AUTHORIZED
If the registration failed, please double-check that you can ping tools.cisco.com and/or regenerate the idtoken on the Smart License Portal and reapply it.
I hope this has been informative; let me know whether you were successful or not.
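When you manage more than a handful of ASAvs, it pays to check the state shown above programmatically rather than by eye. The following is an added example, not code from the original post: it parses the "show vm" and "show license status" output quoted above and returns one finding per problem (over-provisioned vCPU/memory, unregistered device, no authorized entitlement, export-controlled features still disabled). The sample output is constructed from the unlicensed ASAv30 shown earlier in this post.

```python
import re

# Added example (not from the original post): audit an ASAv's "show vm" and
# "show license status" output and flag the problems this post walks through:
# over-provisioned resources, an unregistered device, no authorized entitlement
# and export-controlled (strong crypto) features still disabled.

# Constructed sample output modelled on the unlicensed ASAv30 shown above.
VM_UNLICENSED = (
    "Virtual Platform Resource Limits\nNumber of vCPUs : 0\n"
    "Processor Memory : 0 MB\nVirtual Platform Resource Status\n"
    "Number of vCPUs : 2 (Noncompliant: Over-provisioned)\n"
    "Processor Memory : 4096 MB (Noncompliant: Over-provisioned)\n"
    "Hypervisor : VMware\nModel Id : ASAv30\n")
LIC_UNLICENSED = (
    "Smart Licensing is ENABLED\nRegistration:\nStatus: UNREGISTERED\n"
    "Export-Controlled Functionality: Not Allowed\n"
    "License Authorization:\nStatus: No Licenses in Use\n")

def parse_show_vm(text):
    """Return the model id and every resource line flagged Noncompliant."""
    model = re.search(r"Model Id\s*:\s*(\S+)", text)
    flagged = re.findall(r"^\s*(.*?)\s*:\s*[^\n(]*\((Noncompliant[^)]*)\)", text, re.M)
    return {"model": model.group(1) if model else "unknown", "noncompliant": flagged}

def parse_license_status(text):
    """Return the value that follows each status field of interest."""
    def field(pattern):
        m = re.search(pattern + r"\s*([^\n]+)", text)
        return m.group(1).strip() if m else None
    return {"registration": field(r"Registration:\s*Status:"),
            "export": field(r"Export-Controlled Functionality:"),
            "authorization": field(r"License Authorization:\s*Status:")}

def audit(show_vm, show_license):
    """List findings for one device; an empty list means fully licensed."""
    vm, lic = parse_show_vm(show_vm), parse_license_status(show_license)
    tag = vm["model"]
    findings = [f"{tag}: {res} {why}" for res, why in vm["noncompliant"]]
    if lic["registration"] != "REGISTERED":
        findings.append(f"{tag}: registration status {lic['registration']}")
    if not (lic["authorization"] or "").startswith("AUTHORIZED"):
        findings.append(f"{tag}: no authorized entitlement ({lic['authorization']})")
    if lic["export"] == "Not Allowed":
        findings.append(f"{tag}: export-controlled (strong crypto) features disabled")
    return findings

if __name__ == "__main__":
    for line in audit(VM_UNLICENSED, LIC_UNLICENSED):
        print(line)
```

Feed it the output collected from each ASAv; a device that returns an empty list matches the "Compliant" and "AUTHORIZED" state shown after registration above.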
Thanks.