THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|
Adaptive Security Appliance (ASA) Software | 9 | 9.16.4.27, 9.16.4.28, 9.16.4.38, 9.16.4.42, 9.16.4.48, 9.16.4.55, 9.18.3.46, 9.18.3.53, 9.18.3.55, 9.18.3.56, 9.18.4, 9.18.4.5, 9.18.4.8, 9.19.1.12, 9.19.1.18, 9.19.1.22, 9.19.1.24, 9.19.1.27, 9.19.1.28, 9.20.1, 9.20.1.5, 9.20.2 | |
Defect ID | Headline |
---|---|
CSCwi76630 | FP2100/FP1000: ASA Smart licenses lost after reload |
Cisco Adaptive Security Appliance (ASA) Software might lose Smart License entitlement after a reload of Cisco Firepower Security Appliances. This issue affects Cisco Secure Firepower 1000 and 2100 Series Security Appliances, but might extend to other models of Cisco security appliances.
Cisco uses Smart Licensing to enable a variety of product features that can be viewed by logging into the Smart Account that is associated with the platform. For more information regarding the operation of Smart Licensing on Cisco Firepower security products, see Troubleshoot ASA Smart License on FXOS Firepower Appliances.
For affected releases of Cisco FXOS Software, a software reload of Cisco Firepower 1000 or 2100 Series Security Appliances might cause the internal clock to reset to a previous time. The time change causes Cisco ASA Smart Licensed software features to fail entitlement and enter evaluation (EVAL) mode. The previous license entitlement duration is lost and licensed features will continue to operate for the 90-day evaluation period. Note that resetting the Cisco Firepower Security Appliance clock can also cause other symptoms.
This issue has been identified for the Cisco Secure Firepower 1000 and 2100 Series Security Appliances. This issue might extend to other models of Cisco security appliances that use software images that are bundled with Cisco FXOS Software.
Running the show license all command after a reload of the security appliance will indicate the Registration status as UNREGISTERED and License Authorization status as EVAL MODE. In addition, the License Usage status will be EVAL MODE.
FPR2100# show license all
Smart Licensing Status
======================
Smart Licensing is ENABLE
Registration:
Status: UNREGISTERED
Export-Controlled Functionality: NOT ALLOWED
License Authorization:
Status: EVAL MODE
Evaluation Period Remaining: 89 days, 5 hours, 16 minutes, 18 seconds
Export Authorization Key:
Features Authorized:
<none>
Utility:
Status: DISABLED
Data Privacy:
Sending Hostname: yes
Callhome hostname privacy: DISABLED
Smart Licensing hostname privacy: DISABLED
Version privacy: DISABLED
Transport:
Type: Callhome
Miscellaneus:
Custom Id: <empty>
License Usage
==============
(FIREPOWER_2100_ASA_STANDARD):
Description:
Count: 1
Version: 1.0
Status: EVAL MODE
Export status: NOT RESTRICTED
FPR2K-ASA-ENC):
Description:
Count: 1
Version: 1.0
Status: EVAL MODE
Export status: NOT RESTRICTED
Product Information
===================
UDI: PID:FPR-2130,SN:JAD12345678
Running the show clock command after a reload of the security appliance will indicate a previous date and time. The example unit experienced a reload on Jan 25 2024.
FPR2100# show clock
15:35:39.949 UTC Tue Nov 21 2023 <--- Incorrect time
FXOS TS:
/opt/cisco/config/platform/logs/stdout_fxos_ntp.log
2024-01-28 11:07:22,554 - Sun Jan 1 00:00:00 UTC 2023 <--- Time reset to start of 2023
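The two symptoms above (license state and clock regression) can be checked together over collected CLI output. The following Python script is an added example, not Cisco code; the function names and the `last_reload` reference time (taken from a trusted source such as the monitoring system, in UTC) are assumptions, and the sample output is constructed from the output shown in this notice.

```python
import re
from datetime import datetime

# Constructed sample, abridged from the output shown in this notice.
SAMPLE_LICENSE = """\
Registration:
  Status: UNREGISTERED
  Export-Controlled Functionality: NOT ALLOWED
License Authorization:
  Status: EVAL MODE
  Evaluation Period Remaining: 89 days, 5 hours, 16 minutes, 18 seconds
"""
SAMPLE_CLOCK = "15:35:39.949 UTC Tue Nov 21 2023"

CLOCK_RE = re.compile(
    r"(\d{2}:\d{2}:\d{2})(?:\.\d+)? UTC \w{3} (\w{3}) +(\d{1,2}) (\d{4})")

def license_state(show_license_all):
    """Return (registration status, authorization status) or None for each."""
    reg = re.search(r"Registration:\s*Status:\s*(.+)", show_license_all)
    auth = re.search(r"License Authorization:\s*Status:\s*(.+)", show_license_all)
    return (reg.group(1).strip() if reg else None,
            auth.group(1).strip() if auth else None)

def parse_clock(show_clock):
    """Parse the 'show clock' line into a naive UTC datetime, or None."""
    m = CLOCK_RE.search(show_clock)
    if not m:
        return None
    return datetime.strptime(" ".join(m.groups()), "%H:%M:%S %b %d %Y")

def check_device(show_license_all, show_clock, last_reload):
    """List the symptoms of this notice found in one device's output."""
    findings = []
    reg, auth = license_state(show_license_all)
    if reg == "UNREGISTERED" and auth == "EVAL MODE":
        findings.append("license: UNREGISTERED / EVAL MODE")
    clock = parse_clock(show_clock)
    if clock is None:
        findings.append("clock: output not parseable")
    elif clock < last_reload:
        # A device clock earlier than its own last reload means it was reset.
        findings.append(f"clock: {clock:%Y-%m-%d} predates reload {last_reload:%Y-%m-%d}")
    return findings

if __name__ == "__main__":
    print(check_device(SAMPLE_LICENSE, SAMPLE_CLOCK, datetime(2024, 1, 25)))
```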
Workaround
Manually reset the clock of the Cisco security appliance by running the clock set command, as shown in the following example:
Firepower-chassis# scope system
Firepower-chassis /system # scope services
Firepower-chassis /system/services # set clock jun 24 2024 15 30 00
Firepower-chassis /system/services #
For additional information on setting the system clock, see Cisco Firepower 4100/9300 FXOS Secure Firewall Chassis Manager Configuration Guide.
After setting the clock, register with the Cisco Smart Licensing server using the command license smart register idtoken force, as shown in the following example:
Firepower-chassis# license smart register idtoken force
Solution
Upgrade to an appropriate Cisco ASA Software fixed release as shown in the following table:
Cisco ASA Software Release | First Fixed Release |
---|---|
9.16.4.27 - 9.16.4.55 | 9.16.4.56 |
9.18.3.46 - 9.18.4.8 | 9.18.4.22 |
9.19.1.12 - 9.19.1.28 | 9.19.1.29 |
9.20.1 - 9.20.2 | 9.20.2.10 |
9.22 and later | Not affected |
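To apply the table to a device inventory, the following Python script (an added example, not Cisco code) maps a running ASA version to its first fixed release. The function names and the inventory are constructed for illustration; a result of `None` means only that the version falls outside the ranges listed in this table.

```python
import re

# Affected ranges and first fixed releases, copied from the table in this notice.
AFFECTED = [
    ("9.16.4.27", "9.16.4.55", "9.16.4.56"),
    ("9.18.3.46", "9.18.4.8", "9.18.4.22"),
    ("9.19.1.12", "9.19.1.28", "9.19.1.29"),
    ("9.20.1", "9.20.2", "9.20.2.10"),
]

def vkey(version):
    """Normalize a bare version string: '9.18(4)5' and '9.18.4.5' -> (9, 18, 4, 5)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def first_fixed(version):
    """Return the first fixed release if version is in an affected range, else None."""
    v = vkey(version)
    for low, high, fixed in AFFECTED:
        # Tuple comparison orders (9, 18, 4) before (9, 18, 4, 5), as intended.
        if vkey(low) <= v <= vkey(high):
            return fixed
    return None

def audit(inventory):
    """Map hostname -> upgrade target for each affected device in {host: version}."""
    return {host: fixed for host, ver in inventory.items()
            if (fixed := first_fixed(ver))}

if __name__ == "__main__":
    # Constructed inventory; hostnames are hypothetical.
    fleet = {"fw-edge-1": "9.18(4)5", "fw-edge-2": "9.16.4.56", "fw-dc-1": "9.20.1"}
    for host, target in audit(fleet).items():
        print(f"{host}: upgrade to {target} or later")
```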
Download the latest release of Cisco ASA Software from the Cisco Software Download Center.
Cisco offers a guided upgrade experience through the Secure Firewall Upgrade program. This program will provide environment-specific software upgrade guidance, a customized procedure to follow, and a customized pre-upgrade checklist. For additional information and to register for the upgrade program, see Get access to Cisco Secure Firewall LevelUp.
Version | Description | Section | Date |
---|---|---|---|
1.0 | Initial Release | — | 2024-DEC-19 |
For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:
To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications.