The different licensing “levels” available on the Cisco Adaptive Security Appliances allow an organization to buy only what they need while retaining the option to upgrade in the future, if necessary.
For example, a small business with 15 employees may start out with a Cisco ASA 5505 with a 25-user (or, more correctly, 25-host) license. As new employees are hired — or existing employees begin using Wi-Fi on more devices — they may approach the limit and find it necessary to upgrade to a 50- or unlimited-user license.
Once you have obtained a new “activation key”, the process of upgrading the license on a Cisco ASA is among one of the simplest tasks you can perform, although it often times will require a reload of the device to take effect.
You can see what license you currently have installed using the show activation-key command:
ciscoasa# show activation-key Serial Number: JMX1316M41H Running Activation Key: 0x2174cf47 0x945b4c3a 0x74159120 0xba2ca848 0x8f602feb Licensed features for this platform: Maximum Physical Interfaces : 8 VLANs : 3, DMZ Restricted Inside Hosts : 10 Failover : Disabled VPN-DES : Enabled VPN-3DES-AES : Enabled VPN Peers : 10 WebVPN Peers : 2 Dual ISPs : Disabled VLAN Trunk Ports : 0 AnyConnect for Mobile : Disabled AnyConnect for Linksys phone : Disabled Advanced Endpoint Assessment : Disabled UC Proxy Sessions : 2 This platform has a Base license. The flash activation key is the SAME as the running key.
Upgrading to our new license is simply a matter of going into global configuration mode and using the activation-key command to provide the new license key to the ASA:
ciscoasa# configure terminal ciscoasa(config)# activation-key 0x32841048 0x4a497a37 0xa09392c0 0xb7090030 0x053bcbc8 Failover is different. flash activation key: Restricted(R) new activation key: Unrestricted(UR) Proceed with update flash activation key? [confirm]
Our new activation key was accepted. The above output shows that the activation key saved in flash memory is “Restricted” while the new one we’ve just supplied is “Unrestricted”. The ASA asks us to confirm that we want to update the key? Go ahead and press ENTER.
Failover is different. running activation key: Restricted(R) new activation key: Unrestricted(UR) WARNING: The running activation key was not updated with the requested key. The flash activation key was updated with the requested key, and will become active after the next reload. ciscoasa(config)#
The ASA tells us that the activation key stored in flash was updated (and will take effect upon the next reload), but the running activation key was not changed. When you see this, the ASA is telling you that you need to perform a reload for the new features to take effect.
I’ll go ahead and do that, though you might need to wait for a maintenance window or planned downtime.
ciscoasa(config)# end ciscoasa# reload Proceed with reload? [confirm]
Once the ASA has reloaded, we can log back in and verify that our new license — and new features — are active:
ciscoasa# show activation-key Serial Number: JMX1316M41H Running Activation Key: 0x32841048 0x4a497a37 0xa09392c0 0xb7090030 0x053bcbc8 Licensed features for this platform: Maximum Physical Interfaces : 8 VLANs : 20, DMZ Unrestricted Inside Hosts : Unlimited Failover : Active/Standby VPN-DES : Enabled VPN-3DES-AES : Enabled VPN Peers : 25 WebVPN Peers : 2 Dual ISPs : Enabled VLAN Trunk Ports : 8 AnyConnect for Mobile : Disabled AnyConnect for Linksys phone : Disabled Advanced Endpoint Assessment : Disabled UC Proxy Sessions : 2 This platform has an ASA 5505 Security Plus license. The flash activation key is the SAME as the running key. ciscoasa#
… and that’s it! The ASA is back up and running and you can start using the additional features that your new license provides! Were you expecting it to be harder? =)
{ 11 comments… read them below or add one }
I can’t recognize the appliance on photo. But it isn’t a Cisco ASA 5505…
It is.
Or you can build a pfSense box and be unrestricted without paying a dime for an extortion^Wactivation key. :-)
Sonicwall
Hy Jeremy,
I bought me an 5505 for test purposes; do you know if there is a methode to generate new activation keys so I can test additional functionality?
So generating without the help of cisco?
In other words, you want to create your own license keys without paying for them?
No.
Hi Jeremy,
Nice post, quick question, I bought 2 5505 but with basic licence that is bun-k9 now I want to upgrade it to Sec-bun-k9, the problem is licence is very expensive can i buy 1 licence and use it on 2 devices.
Keeping in mind that is just for the home lab.
Regards
Mahir
No, the activation key is based on the serial number of the device. You would not be able to purchase one license and use it on both devices.
where and how can i upgrade my license please? i have 10 users license and it’s exhausted already.
Call your Cisco reseller; they will be happy to sell you a license upgrade.
Can the host license be transferred from one asa5505 that has the 50 host to another asa5505 running the default 10 host?
I own both and would rather not physically replace them due to locations.
(Corporate and remote site)