How to Upgrade the License on Cisco ASA?

March 7 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

The different licensing “levels” available on the Cisco Adaptive Security Appliances allow an organization to buy only what they need while retaining the option to upgrade in the future, if necessary.

For example, a small business with 15 employees may start out with a Cisco ASA 5505 with a 25-user (or, more correctly, 25-host) license. As new employees are hired — or existing employees begin using Wi-Fi on more devices — they may approach the limit and find it necessary to upgrade to a 50- or unlimited-user license.

Once you have obtained a new “activation key”, the process of upgrading the license on a Cisco ASA is among one of the simplest tasks you can perform, although it often times will require a reload of the device to take effect.

You can see what license you currently have installed using the show activation-key command:

ciscoasa# show activation-key

Serial Number: JMX1316M41H

Running Activation Key: 0x2174cf47 0x945b4c3a 0x74159120 0xba2ca848 0x8f602feb

Licensed features for this platform:

Maximum Physical Interfaces: 8

VLANs: 3, DMZ Restricted

Inside Hosts: 10

Failover: Disabled

VPN-DES: Enabled

VPN-3DES-AES: Enabled

VPN Peers: 10

WebVPN Peers: 2

Dual ISPs: Disabled

VLAN Trunk Ports: 0

AnyConnect for Mobile: Disabled

AnyConnect for Linksys phone: Disabled

Advanced Endpoint Assessment: Disabled

UC Proxy Sessions: 2

This platform has a Base license.

The flash activation key is the SAME as the running key.

Upgrading to our new license is simply a matter of going into global configuration mode and using theactivation-key command to provide the new license key to the ASA:

ciscoasa# configure terminal

ciscoasa(config)# activation-key 0x32841048 0x4a497a37 0xa09392c0 0xb7090030 0x053bcbc8

Failover is different.

flash activation key: Restricted(R)

new activation key: Unrestricted(UR)

Proceed with update flash activation key? [confirm]

Our new activation key was accepted. The above output shows that the activation key saved in flash memory is “Restricted” while the new one we’ve just supplied is “Unrestricted”. The ASA asks us to confirm that we want to update the key? Go ahead and press ENTER.

Failover is different.

running activation key: Restricted(R)

new activation key: Unrestricted(UR)

WARNING: The running activation key was not updated with the requested key.

The flash activation key was updated with the requested key, and will become active after the next reload.

ciscoasa(config)#

The ASA tells us that the activation key stored in flash was updated (and will take effect upon the next reload), but the running activation key was not changed. When you see this, the ASA is telling you that you need to perform a reload for the new features to take effect.

I’ll go ahead and do that, though you might need to wait for a maintenance window or planned downtime.

ciscoasa(config)# end

ciscoasa# reload

Proceed with reload? [confirm]

Once the ASA has reloaded, we can log back in and verify that our new license — and new features — are active:

ciscoasa# show activation-key

Serial Number: JMX1316M41H

Running Activation Key: 0x32841048 0x4a497a37 0xa09392c0 0xb7090030 0x053bcbc8

Licensed features for this platform:

Maximum Physical Interfaces: 8

VLANs: 20, DMZ Unrestricted

Inside Hosts: Unlimited