The different licensing “levels” available on the Cisco Adaptive Security Appliances allow an organization to buy only what they need while retaining the option to upgrade in the future, if necessary.
For example, a small business with 15 employees may start out with a Cisco ASA 5505 with a 25-user (or, more correctly, 25-host) license. As new employees are hired — or existing employees begin using Wi-Fi on more devices — they may approach the limit and find it necessary to upgrade to a 50- or unlimited-user license.
Once you have obtained a new “activation key”, the process of upgrading the license on a Cisco ASA is among one of the simplest tasks you can perform, although it often times will require a reload of the device to take effect.
You can see what license you currently have installed using the show activation-key command:
ciscoasa# show activation-key Serial Number: JMX1316M41H Running Activation Key: 0x2174cf47 0x945b4c3a 0x74159120 0xba2ca848 0x8f602feb Licensed features for this platform: Maximum Physical Interfaces : 8 VLANs : 3, DMZ Restricted Inside Hosts : 10 Failover : Disabled VPN-DES : Enabled VPN-3DES-AES : Enabled VPN Peers : 10 WebVPN Peers : 2 Dual ISPs : Disabled VLAN Trunk Ports : 0 AnyConnect for Mobile : Disabled AnyConnect for Linksys phone : Disabled Advanced Endpoint Assessment : Disabled UC Proxy Sessions : 2 This platform has a Base license. The flash activation key is the SAME as the running key.
Upgrading to our new license is simply a matter of going into global configuration mode and using the activation-key command to provide the new license key to the ASA:
ciscoasa# configure terminal ciscoasa(config)# activation-key 0x32841048 0x4a497a37 0xa09392c0 0xb7090030 0x053bcbc8 Failover is different. flash activation key: Restricted(R) new activation key: Unrestricted(UR) Proceed with update flash activation key? [confirm]
Our new activation key was accepted. The above output shows that the activation key saved in flash memory is “Restricted” while the new one we’ve just supplied is “Unrestricted”. The ASA asks us to confirm that we want to update the key? Go ahead and press ENTER.
Failover is different. running activation key: Restricted(R) new activation key: Unrestricted(UR) WARNING: The running activation key was not updated with the requested key. The flash activation key was updated with the requested key, and will become active after the next reload. ciscoasa(config)#
The ASA tells us that the activation key stored in flash was updated (and will take effect upon the next reload), but the running activation key was not changed. When you see this, the ASA is telling you that you need to perform a reload for the new features to take effect.
I’ll go ahead and do that, though you might need to wait for a maintenance window or planned downtime.
ciscoasa(config)# end ciscoasa# reload Proceed with reload? [confirm]
Once the ASA has reloaded, we can log back in and verify that our new license — and new features — are active:
ciscoasa# show activation-key Serial Number: JMX1316M41H Running Activation Key: 0x32841048 0x4a497a37 0xa09392c0 0xb7090030 0x053bcbc8 Licensed features for this platform: Maximum Physical Interfaces : 8 VLANs : 20, DMZ Unrestricted Inside Hosts : Unlimited Failover : Active/Standby VPN-DES : Enabled VPN-3DES-AES : Enabled VPN Peers : 25 WebVPN Peers : 2 Dual ISPs : Enabled VLAN Trunk Ports : 8 AnyConnect for Mobile : Disabled AnyConnect for Linksys phone : Disabled Advanced Endpoint Assessment : Disabled UC Proxy Sessions : 2 This platform has an ASA 5505 Security Plus license. The flash activation key is the SAME as the running key. ciscoasa#
… and that’s it! The ASA is back up and running and you can start using the additional features that your new license provides! Were you expecting it to be harder? =)