How to Upgrade the License on a Cisco ASA

by Jeremy L. Gaddis on December 16, 2011

The different licensing “levels” available on the Cisco Adaptive Security Appliances allow an organization to buy only what they need while retaining the option to upgrade in the future, if necessary.

For example, a small business with 15 employees may start out with a Cisco ASA 5505 with a 25-user (or, more correctly, 25-host) license. As new employees are hired — or existing employees begin using Wi-Fi on more devices — they may approach the limit and find it necessary to upgrade to a 50- or unlimited-user license.

Once you have obtained a new “activation key”, upgrading the license on a Cisco ASA is one of the simplest tasks you can perform, although it will often require a reload of the device to take effect.

You can see what license you currently have installed using the show activation-key command:

ciscoasa# show activation-key
Serial Number:  JMX1316M41H
Running Activation Key: 0x2174cf47 0x945b4c3a 0x74159120 0xba2ca848 0x8f602feb

Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : 10
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
VPN Peers                    : 10
WebVPN Peers                 : 2
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2

This platform has a Base license.

The flash activation key is the SAME as the running key.

Upgrading to our new license is simply a matter of going into global configuration mode and using the activation-key command to provide the new license key to the ASA:

ciscoasa# configure terminal
ciscoasa(config)# activation-key 0x32841048 0x4a497a37 0xa09392c0 0xb7090030 0x053bcbc8
Failover is different.
   flash activation key: Restricted(R)
   new activation key: Unrestricted(UR)
Proceed with update flash activation key? [confirm]

Our new activation key was accepted. The above output shows that the activation key saved in flash memory is “Restricted” while the new one we’ve just supplied is “Unrestricted”. The ASA asks us to confirm that we want to update the key. Go ahead and press ENTER.

Failover is different.
   running activation key: Restricted(R)
   new activation key: Unrestricted(UR)
WARNING: The running activation key was not updated with the requested key.
The flash activation key was updated with the requested key, and will
become active after the next reload.
ciscoasa(config)#

The ASA tells us that the activation key stored in flash was updated (and will take effect upon the next reload), but the running activation key was not changed. When you see this, the ASA is telling you that you need to perform a reload for the new features to take effect.

I’ll go ahead and do that, though you might need to wait for a maintenance window or planned downtime.

ciscoasa(config)# end
ciscoasa# reload
Proceed with reload? [confirm]

Once the ASA has reloaded, we can log back in and verify that our new license — and new features — are active:

ciscoasa# show activation-key
Serial Number:  JMX1316M41H
Running Activation Key: 0x32841048 0x4a497a37 0xa09392c0 0xb7090030 0x053bcbc8

Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 20, DMZ Unrestricted
Inside Hosts                 : Unlimited
Failover                     : Active/Standby
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
VPN Peers                    : 25
WebVPN Peers                 : 2
Dual ISPs                    : Enabled
VLAN Trunk Ports             : 8
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2         

This platform has an ASA 5505 Security Plus license.

The flash activation key is the SAME as the running key.
ciscoasa#

… and that’s it! The ASA is back up and running and you can start using the additional features that your new license provides! Were you expecting it to be harder? =)
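A post-change check for the procedure above, as an added example rather than code from the original post: it parses show activation-key output captured before and after the upgrade, confirms the serial number is unchanged and the running key is the new one, flags a pending reload, and lists which licensed features changed. The function names are hypothetical, the sample text is abridged from the outputs shown above, and treating any flash-key line that does not say "SAME" as a pending reload is an assumption.

```python
# Abridged from the article's two `show activation-key` outputs.
BEFORE = """Serial Number:  JMX1316M41H
Running Activation Key: 0x2174cf47 0x945b4c3a 0x74159120 0xba2ca848 0x8f602feb
Licensed features for this platform:
Inside Hosts                 : 10
VPN Peers                    : 10
This platform has a Base license.
The flash activation key is the SAME as the running key."""
AFTER = """Serial Number:  JMX1316M41H
Running Activation Key: 0x32841048 0x4a497a37 0xa09392c0 0xb7090030 0x053bcbc8
Licensed features for this platform:
Inside Hosts                 : Unlimited
VPN Peers                    : 25
This platform has an ASA 5505 Security Plus license.
The flash activation key is the SAME as the running key."""

def parse_activation_key(text):
    """Parse `show activation-key` output into a dict (hypothetical helper)."""
    info = {"features": {}, "flash_same": False}
    in_features = False
    for line in text.splitlines():
        key, _, value = (p.strip() for p in line.partition(":"))
        if key == "Serial Number":
            info["serial"] = value
        elif key == "Running Activation Key":
            info["running_key"] = value.lower().split()
        elif key.startswith("Licensed features"):
            in_features = True
        elif key.startswith("This platform has"):
            in_features = False  # end of the feature table
            info["license"] = key.split(None, 4)[4].rsplit(" license", 1)[0]
        elif "flash activation key is the SAME" in key:
            info["flash_same"] = True  # assumption: any other wording = pending
        elif in_features and value:
            info["features"][key] = value
    return info

def verify_upgrade(before, after, new_key):
    """Return (problems, changed features) for a before/after pair."""
    problems = []
    if before["serial"] != after["serial"]:
        problems.append("outputs are from different units")
    if after["running_key"] != new_key.lower().split():
        problems.append("running key is not the new key")
    if not after["flash_same"]:
        problems.append("flash and running keys differ; reload pending")
    feats = before["features"]
    changed = {k: (feats.get(k), v) for k, v in after["features"].items() if feats.get(k) != v}
    return problems, changed
```

An empty problems list together with the expected feature changes means the new license is both saved in flash and running.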

Joël N December 16, 2011 at 11:53 am

I can’t recognize the appliance in the photo. But it isn’t a Cisco ASA 5505…

Anonymous December 17, 2011 at 12:43 am

It is.

Jim December 16, 2011 at 7:09 pm

Or you can build a pfSense box and be unrestricted without paying a dime for an extortion^Wactivation key. :-)

guest February 6, 2012 at 4:24 am

Sonicwall

Hardinxcore March 13, 2012 at 4:08 pm

Hi Jeremy,

I bought a 5505 for test purposes; do you know if there is a method to generate new activation keys so I can test additional functionality?

So generating without the help of cisco?

jlgaddis October 16, 2012 at 1:29 am

In other words, you want to create your own license keys without paying for them?

No.

Mahir Ali Ahmed May 12, 2012 at 10:51 pm

Hi Jeremy,

Nice post. Quick question: I bought 2 5505s but with the basic licence, that is bun-k9. Now I want to upgrade to Sec-bun-k9; the problem is the licence is very expensive. Can I buy 1 licence and use it on 2 devices?

Keeping in mind that is just for the home lab.

Regards
Mahir

jlgaddis October 16, 2012 at 1:29 am

No, the activation key is based on the serial number of the device. You would not be able to purchase one license and use it on both devices.

Yinka January 28, 2013 at 12:27 pm

Where and how can I upgrade my license, please? I have a 10-user license and it’s exhausted already.

Jeremy L. Gaddis February 9, 2013 at 11:55 pm

Call your Cisco reseller; they will be happy to sell you a license upgrade.

Chris March 15, 2013 at 1:33 pm

Can the host license be transferred from one asa5505 that has the 50 host to another asa5505 running the default 10 host?
I own both and would rather not physically replace them due to locations.
(Corporate and remote site)

asa5505 May 29, 2013 at 11:38 am

ciscoasa(config)# activation-key 0x32841048 0x4a497a37 0xa09392c0 0xb7090030 0$
Validating activation key. This may take a few minutes…
ERROR: The requested activation key was not saved because it is not
valid for this system.
ciscoasa(config)#

CloserIT July 1, 2013 at 1:50 pm

Hi,

I bought an ASA 5505 with 10 licences. As there have been more of us for a few weeks, I bought an upgrade from 10 to 50 users. But I did not find the activation key!
Do you know where I can find it?

Cheers.

Jeremy L. Gaddis July 7, 2013 at 8:14 am

@CloserIT: You should have received a Product Activation Key (PAK) from your vendor. You then use that PAK on Cisco’s web site to generate the new activation key for your ASA, which you can then install as described in the article. HTH.

pradeep November 12, 2013 at 6:13 am

Thank you very much.. very valuable details shared..

Phil March 18, 2014 at 4:57 am

Hi,

What if I have two ASAs and they are in HA configuration, do they share the licences?

Specifically the SSL VPN licenses?
