PIX/ASA: License Key Upgrade on a Failover Pair

Document ID: 70390

Updated: Mar 09, 2009

Introduction

While upgrading the license on failover units, network downtime cannot be avoided entirely; it can, however, be minimized. This document focuses on how to minimize the downtime during a license upgrade on a failover pair.

Cisco PIX 515, 515E, 525, and 535 Security Appliances support the concept of a Platform License. License levels range from Restricted (R), Unrestricted (UR), Failover (FO), and Failover-Active/Active (FO-AA).

The security appliance supports two failover configurations: Active/Active Failover and Active/Standby Failover.

For a sample configuration that includes a brief introduction to the PIX/ASA Active/Standby Failover, refer to PIX/ASA: Active/Standby Failover Configuration Example.

For a sample configuration that includes a brief introduction to the PIX/ASA Active/Active Failover, refer to PIX/ASA : Active/Active Failover Configuration Example.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco PIX 515, 515E, 525, and 535 Security Appliances with software version 7.x and later

The information in this document was created from the devices in a specific lab environment.

Related Products

You can also use this configuration with Cisco ASA Security Appliance version 7.x and later.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Procedure For Upgrading License

The following steps are used to upgrade the license in failover pairs:

New Activation Key

By default, the license on the PIX is 'Restricted' (R). A new activation key is required in order to upgrade from a 'Restricted' software bundle to a bundle that supports additional features, such as a larger number of connections, Failover, IPSec, or additional interfaces. A new activation key is also sometimes necessary after a Flash upgrade on a PIX.

In order to request an activation key, send an email to licensing@cisco.com providing the serial number of the PIX (or, if you are upgrading the Flash, the serial number of the Flash card) and the output of the show version command. Go to the Cisco ASA 3DES/AES License Registration (registered customers only) page to request an AES/3DES activation key.

Note: If you receive the error ERROR: Failed to update flash activation key, the activation key itself is faulty. Request a new activation key to resolve this error.

The following show version command sample shows the serial number and the activation key for the security appliance.

pix# show version

Cisco PIX Security Appliance Software Version 7.1(1)
Device Manager Version 5.1(1)

Compiled on Thu 19-Jan-06 15:02 by builders
System image file is "flash:/pix711.bin"
Config file at boot was "startup-config"

pix up 7 days 20 hours

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
 0: Ext: Ethernet0           : address is 000f.908f.2d45, irq 10
 1: Ext: Ethernet1           : address is 000f.908f.2d46, irq 11
 2: Ext: Ethernet2           : address is 0005.5d19.7ad0, irq 11
 3: Ext: Ethernet3           : address is 0005.5d19.7ad1, irq 10
 4: Ext: Ethernet4           : address is 0005.5d19.7ad2, irq 9
 5: Ext: Ethernet5           : address is 0005.5d19.7ad3, irq 5

Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs               : 25
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Cut-through Proxy           : Enabled
Guards                      : Enabled
URL Filtering               : Enabled
Security Contexts           : 2
GTP/GPRS                    : Disabled
VPN Peers                   : Unlimited

This platform has an Unrestricted (UR) license.

Serial Number: 808150103
Running Activation Key: 0x8f5bdba6 0x0963cc7f 0xfeffd300 0x9b00f19d
Configuration last modified by enable_15 at 01:42:55.492 UTC Wed May 31 2006

Upgrading License

Once you receive the new activation key from Cisco, log into each PIX and enter the key manually in the config terminal mode.

Note: Some licenses require you to reload the security appliance after you activate them. For the list of the licenses that require reloading, refer to License Reloading Requirements.

PIX Security Appliance version 7.0 and later supports two kinds of license keys:

  • Existing 4-tuple license key for PIX version 6.3 or earlier

  • A new 5-tuple license key for PIX Security Appliance version 7.0 and later only

Syntax: activation-key [activation-key-four-tuple | activation-key-five-tuple]

Example:

pix(config)# activation-key 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e

Upgrading the License for a Failover using CLI (No Reload Required)

Use the following procedure if your new license does not require you to reload. This procedure ensures that there is no downtime.

  1. Disable failover on the active unit using the no failover command on the active unit. The standby unit remains in a pseudo-standby state. Deactivating failover on the active unit prevents the standby unit from attempting to become active during the period when the licenses do not match.

  2. Install the new license on the active unit using the activation-key key command on the active unit. Make sure this license is for the active unit serial number.

  3. Install the new license on the standby unit using the activation-key key command on the standby unit. Make sure this license is for the standby unit serial number.

  4. Turn failover back on on the active unit using the failover command. This completes the procedure.

    Note: Before you upgrade the license, make sure both units are operating correctly, the Failover LAN interface is up, and there is not an imminent failover event; for example, monitored interfaces are operating normally. On each unit, enter the show failover command. Or, in ASDM go to Monitoring > Properties > Failover > Status to view the failover status and the monitored interface status.

Upgrading the License for a Failover using ASDM (No Reload Required)

Use the following ASDM procedure if your new license does not require you to reload. This procedure ensures that there is no downtime.

  1. On the active unit, choose Configuration > Device Management > High Availability > Failover > Setup, and uncheck the Enable Failover check box. Now click Apply. The standby unit remains in a pseudo-standby state. Deactivating failover on the active unit prevents the standby unit from attempting to become active during the period when the licenses do not match.

  2. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the active unit serial number. Now click Update Activation Key.

  3. Log into the standby unit by double-clicking its address in the Device List. If the device is not in the Device List, click Add to add the device. You might be prompted for credentials to log in.

  4. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the standby unit serial number. Now click Update Activation Key.

  5. Log into the active unit again by double-clicking its address in the Device List. Choose Configuration > Device Management > High Availability > Failover > Setup, and re-check the Enable Failover check box.

  6. Click Apply. This completes the procedure.

Upgrading the License for a Failover using CLI (Reload Required)

Use the following procedure if your new license requires you to reload. Reloading the failover pair causes a loss of connectivity during the reload.

  1. Disable failover on the active unit using the no failover command on the active unit. The standby unit remains in a pseudo-standby state. Deactivating failover on the active unit prevents the standby unit from attempting to become active during the period when the licenses do not match.

  2. Install the new license on the active unit using the activation-key key command on the active unit. Make sure this license is for the active unit serial number.

    Note: If you need to reload, you will see this message: WARNING: The running activation key was not updated with the requested key. The flash activation key was updated with the requested key, and will become active after the next reload.

  3. Install the new license on the standby unit using the activation-key key command on the standby unit. Make sure this license is for the standby unit serial number.

  4. Reload the standby unit using the reload command.

  5. Reload the active unit. When you are prompted to save the configuration before reloading, answer No. The startup configuration still contains the failover command (only the running configuration was changed by no failover in step 1), so when the active unit comes back up, failover will still be enabled. This completes the procedure.

    Note: Before you upgrade the license, be sure that both units are operating correctly, the Failover LAN interface is up, and there is not an imminent failover event; for example, monitored interfaces are operating normally. On each unit, enter the show failover command. Or, in ASDM, go to Monitoring > Properties > Failover > Status to view the failover status and the monitored interface status.

Upgrading the License for a Failover using ASDM (Reload Required)

Use the following ASDM procedure if your new license requires you to reload. Reloading the failover pair causes a loss of connectivity during the reload.

  1. On the active unit, choose Configuration > Device Management > High Availability > Failover > Setup, and uncheck the Enable Failover check box. Now click Apply. The standby unit remains in a pseudo-standby state. Deactivating failover on the active unit prevents the standby unit from attempting to become active during the period when the licenses do not match.

  2. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the active unit serial number. Now click Update Activation Key.

  3. Log into the standby unit by double-clicking its address in the Device List. If the device is not in the Device List, click Add to add the device. You might be prompted for credentials to log in.

  4. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the standby unit serial number. Now click Update Activation Key.

  5. Log into the active unit again by double-clicking its address in the Device List. Choose Configuration > Device Management > High Availability > Failover > Setup, and re-check the Enable Failover check box. Now click Apply.

  6. Schedule a reload of the active security appliance by choosing Tools > System Reload.

  7. Choose the reload options to reload the security appliance at a time you desire, and click Schedule Reload. Choose a time when the loss of service has the least impact.

  8. Log into the standby unit again by double-clicking its address in the Device List.

  9. Schedule a reload of the standby security appliance by choosing Tools > System Reload.

  10. Choose the reload options to reload the security appliance at the same time you choose for the active unit, then click Schedule Reload.

  11. Both units will reload at the same time, and the new licenses will be in effect. This completes the procedure.

Note: If the primary unit is in the standby state, reverse the roles in the preceding procedures. That is, wherever the primary PIX is referenced, use the secondary PIX, and wherever the secondary PIX is referenced, use the primary PIX.

Verify the Key

You can verify the updated license by issuing the show version or show activation-key command on both the primary and secondary units.
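As an added example (not part of the original document), the following Python script parses the licensed-features section, serial number, running activation key and license level out of show version output from both units and lists any licensed features that differ between them, which is the condition to check before failover is turned back on. The active-unit sample is taken from the output shown earlier in this document; the standby-unit serial number, key and failover value are hypothetical.

```python
import re

# Constructed "show version" excerpts in the format shown above. The active
# unit's values are this document's sample; the standby unit's serial number,
# activation key and failover feature are hypothetical illustration values.
ACTIVE = """\
Licensed features for this platform:
Maximum Physical Interfaces : 6
Failover                    : Active/Active
VPN-3DES-AES                : Enabled
Security Contexts           : 2

This platform has an Unrestricted (UR) license.

Serial Number: 808150103
Running Activation Key: 0x8f5bdba6 0x0963cc7f 0xfeffd300 0x9b00f19d
"""
STANDBY = (ACTIVE.replace("Active/Active", "Active/Standby")
                 .replace("an Unrestricted (UR)", "a Failover (FO)")
                 .replace("808150103", "808150104")
                 .replace("0x8f5bdba6", "0x5a5a5a5a"))

def parse_show_version(text):
    """Extract serial number, running key, license level and licensed features."""
    info = {"features": {}}
    section = None
    for line in text.splitlines():
        if line.startswith("Licensed features"):
            section = "features"      # key/value lines follow until a blank line
            continue
        if not line.strip():
            section = None
            continue
        m = re.match(r"^(.+?)\s*:\s*(.+?)\s*$", line)
        if section == "features" and m:
            info["features"][m.group(1)] = m.group(2)
        elif m and m.group(1) == "Serial Number":
            info["serial"] = m.group(2)
        elif m and m.group(1) == "Running Activation Key":
            info["running_key"] = m.group(2)
        elif "license." in line:
            info["license"] = re.search(r"has an? (.+) license\.", line).group(1)
    return info

def license_mismatches(active, standby):
    """Licensed features that differ between the units. An empty list is what
    you want to see before you turn failover back on."""
    names = sorted(set(active["features"]) | set(standby["features"]))
    return [(n, active["features"].get(n), standby["features"].get(n))
            for n in names if active["features"].get(n) != standby["features"].get(n)]
```

Paste each unit's real show version output in place of the constructed samples; a non-empty mismatch list means the two units still hold different licenses.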
