Network Guys

Share your knowledge!

Cisco ASA AES encryption disabled

Today I wanted to configure a site2site VPN on my Cisco ASA in my laboratory. When I tried to configure the transform-set I received the following error message:

Firewall(config)# crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
The 3DES/AES algorithms require a VPN-3DES-AES activation key.

I’ve never saw this message before. It was very confusing seeing the 3DES-AES feature disabled:

Firewall(config)# show activation-key
Serial Number: *****
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000

Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Disabled perpetual

You can request this license for free at cisco.com! Go to the Product License Registration, Login with your Cisco CCO ID and mouseover “Get Other Licenses” and choose “Security Products” and “Cisco ASA 3DES/AES License”:

asa-license

type in the serial number of your device (“show version”) and get the license! You will receive the license by mail or can download it via the portal. To activate the license, go to your Cisco ASA device and type in “activation-key 0x3487fs3…” in the configuration level. Save config and restart for glory! :)

2 Responses

Leave a Reply

Click on the button to load the content from jetpack.wordpress.com.

Load content

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Certificates

ekahau Certified Survey Engineer
ATP_wsrgb
ACMP2
suca
Post Categories
Post Archives