I was working on a Cisco ASA this week and came across an issue where I was unable to access the secure web server. The ASA was configured to have the HTTP server enabled, and I also allowed the interesting traffic to reach it via HTTPS.
Displaying the version resulted in the following licensing table:
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited      perpetual
Maximum VLANs                  : 100            perpetual
Inside Hosts                   : Unlimited      perpetual
Failover                       : Active/Active  perpetual
VPN-DES                        : Enabled        perpetual
VPN-3DES-AES                   : Disabled       perpetual
Security Contexts              : 2              perpetual
GTP/GPRS                       : Disabled       perpetual
AnyConnect Premium Peers       : 2              perpetual
AnyConnect Essentials          : 250            perpetual
Other VPN Peers                : 250            perpetual
Total VPN Peers                : 250            perpetual
Shared License                 : Disabled       perpetual
AnyConnect for Mobile          : Enabled        perpetual
AnyConnect for Cisco VPN Phone : Disabled       perpetual
Advanced Endpoint Assessment   : Disabled       perpetual
UC Phone Proxy Sessions        : 2              perpetual
Total UC Proxy Sessions        : 2              perpetual
Botnet Traffic Filter          : Disabled       perpetual
Intercompany Media Engine      : Disabled       perpetual
IPS Module                     : Disabled       perpetual
Notice that I am not licensed for VPN-3DES-AES. This is a problem for me now and when I try to configure VPN. I was pretty damn sure that the Security Plus license came with encryption. I shouted out to the Twitter community hoping someone had come across the same issue.
I quickly got a response from @layer_3 who came up with the solution on Cisco’s support forums.
@rowelldionicio @packetologist I think you can request a separate activation key for 3DES running on K8. (?) supportforums.cisco.com/docs/DOC-17464
— Christopher Church (@layer_3) May 30, 2013
You’ll need your ASA serial to request a special VPN-3DES-AES license activation code. Add the activation code to the ASA:
ciscoasa# config t
ciscoasa(config)# activation-key xxxx xxxx xxxx xxxxx
Once the new key is activated, type show version.
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited      perpetual
Maximum VLANs                  : 100            perpetual
Inside Hosts                   : Unlimited      perpetual
Failover                       : Active/Active  perpetual
VPN-DES                        : Enabled        perpetual
VPN-3DES-AES                   : Enabled        perpetual
Security Contexts              : 2              perpetual
GTP/GPRS                       : Disabled       perpetual
AnyConnect Premium Peers       : 2              perpetual
AnyConnect Essentials          : Disabled       perpetual
Other VPN Peers                : 250            perpetual
Total VPN Peers                : 250            perpetual
Shared License                 : Disabled       perpetual
Now we have VPN-3DES-AES enabled. But I found that I still couldn’t access the ASA via HTTPS.
The resolution is to enable the SSL ciphers explicitly with this command:
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
If you notice that some of my features were disabled, it’s because I incorrectly typed in my activation key. Typing in the 8.2+ activation key made everything work.
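As an added example (not code from the original post or from Cisco), this Python script parses the licensing table from show version and checks each cipher on the ssl encryption line against it. It assumes the AES and 3DES suites are only usable when VPN-3DES-AES is enabled; the sample input is constructed from the output shown above, and the function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the output and command in the post.
SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
VPN-DES                     : Enabled   perpetual
VPN-3DES-AES                : Disabled  perpetual
Security Contexts           : 2         perpetual
"""
SSL_LINE = "ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1"

# Assumption: these cipher families are only usable with VPN-3DES-AES enabled.
NEEDS_STRONG_LICENSE = ("aes", "3des")
# RC4 is prohibited in TLS (RFC 7465); DES and 3DES use a 64-bit block.
WEAK = ("rc4", "des", "3des", "null")


def parse_licenses(text):
    """Return {feature: value} for each row of the licensing table."""
    rows = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s+:\s+(\S+)\s+perpetual\s*$", line)
        if m:
            rows[m.group(1)] = m.group(2)
    return rows


def audit(show_version, ssl_line):
    """Return (cipher, issue) pairs for the configured SSL cipher list."""
    words = ssl_line.split()
    if words[:2] != ["ssl", "encryption"]:
        raise ValueError("expected an 'ssl encryption ...' line")
    licensed = parse_licenses(show_version).get("VPN-3DES-AES") == "Enabled"
    findings = []
    for cipher in words[2:]:
        # A cipher can be both unlicensed and weak, so test each separately.
        if cipher.startswith(NEEDS_STRONG_LICENSE) and not licensed:
            findings.append((cipher, "unlicensed"))
        if cipher.startswith(WEAK):
            findings.append((cipher, "weak"))
    return findings


if __name__ == "__main__":
    for cipher, issue in audit(SHOW_VERSION, SSL_LINE):
        print(f"{cipher}: {issue}")
```

Once the activation key is applied the "unlicensed" findings disappear, while rc4-sha1 and 3des-sha1 are still reported as weak and can be dropped from the cipher list if every client supports AES.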