- July
Posted By : Gom Jabbar
Recovering a License Activation Key for the Cisco ASA

If they would tear your world apart,
Would you intervene?
Music is a weapon;
Sounds like a threat.
Let the bass terrorize;
There’s no turning back!

Hey! Activate! Hey!
Hey! Activate! Hey!

Atari Teenage Riot

Lazy Saturday with my pet ASA, trying different file systems on the internal Compact Flash card. Atari Teenage Riot sings in the background; the new album is really quite good. Back after 10 years with a different lineup, they sound the same, but different. Old school synthetic. Still pissed about the same shit.

Bands that break up and disappear from view; they’re never really gone. The philosophical drummer, the narcissistic lead singer, the flaky guitarist; they are still somewhere out there in the world, doing designer drugs in their luxury penthouses, or shopping for Maalox at Safeway in their flip flops. Latent, in potentia. Waiting to be reassembled.

The second time I play the album, I sing along with Activate! and it not-so-subliminally makes me think to look for the missing activation key on my Cisco ASA.

A Cisco ASA with a Base license, compared with an ASA with a Security Plus license: They can boot with identical image files, use identical hardware and identical config. They just have different features enabled. Like that old myth about humans using only 10 percent of their brains, the advanced features for the Cisco ASA are there in the boot image, they just need to be unlocked via license keys. (Well, you need to unlock your wallet too.)

Just do a show version or a show activation-key to see the type of license that is installed.

ciscoasa(config)# sh activation-key
Serial Number:  JMXXXXXXXXX
Running Activation Key: 0xblahblah 0xblahblah 0xblahblah 0xblahblah 0xblahblah

Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : 10
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
VPN Peers                    : 10
WebVPN Peers                 : 2
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0
Advanced Endpoint Assessment : Disabled

This platform has a Base license.

The flash activation key is the SAME as the running key.

When you use the ERASE command in ROMMON mode, you completely wipe the Compact Flash card on a Cisco ASA. All the files and directories, even the hidden ones, are gone. Gone, baby, gone. The license files are located in the .private hidden directory, so if you wipe the Compact Flash card, the existing license information is lost. Even after you load a new boot image, the ASA will report that the license key is not valid during boot up (you can also check with a show version). Some of the original features will be disabled until you install the correct license key.

Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000

This activation key is not valid.
Use default settings only

The activation keys are all tied to the serial number of the ASA, so you can’t just cut and paste a key from another ASA. So, what do you do? You go to see the wizard; ask him to give you a new key. Go to:


Log in with a cisco.com ID and you will be presented with the Product License Registration page.

Cisco Product License Registration Page

You don’t need a PAK. Click the link for available licenses.

Select Cisco ASA 3DES/AES License

Select Cisco ASA 3DES/AES License.

Enter Serial Number of Cisco ASA

Enter the serial number of the Cisco ASA. You can get this by looking on the chassis, or doing a show version or a show activation-key. The license key will be emailed to you, and then all you have to do is enter it into the ASA with the activation-key command.

ciscoasa# conf t
ciscoasa(config)# activation-key 0xb1ahb1ah 0xb1ahb1ah 0xb1ahb1ah 0xb1ahb1ah 0xb1ahb1ah

Validating activation key. This may take a few minutes...

The following features available in the running permanent activation key are NOT available
in the new activation key:

Failover is different.

   running permanent activation key: Restricted (R)

   new activation key: Unrestricted (UR)

WARNING: The running activation key was not updated with the requested key.

Proceed with updating flash activation key? [y]

Flash permanent activation key was updated with the requested key.

Then do a show version to ensure that the new key has been applied.
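To script that final check across saved console captures, here is an added example (not part of the original post or any Cisco tool) that parses text in the layout quoted above and flags a zeroed or invalid key and a missing VPN-3DES-AES feature. The function names, finding labels and sample captures are constructed for illustration.

```python
import re

# Constructed sample captures in the layout of the output quoted in this
# post; the serial number and key words are placeholders, not real values.
SAMPLE_LICENSED = """\
Serial Number:  JMXXXXXXXXX
Running Activation Key: 0x1a2b3c4d 0x1a2b3c4d 0x1a2b3c4d 0x1a2b3c4d 0x1a2b3c4d
Licensed features for this platform:
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
This platform has a Base license.
"""

SAMPLE_WIPED = """\
Serial Number:  JMXXXXXXXXX
Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
This activation key is not valid.
Use default settings only
"""

def parse_activation_key(text):
    """Parse captured output into serial, key words, features and license type."""
    info = {"serial": None, "key": [], "features": {}, "license": None}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Serial Number:\s*(\S+)", line):
            info["serial"] = m.group(1)
        elif m := re.match(r"Running Activation Key:\s*(.+)", line):
            info["key"] = m.group(1).split()
        elif m := re.match(r"This platform has an? (.+?) license", line):
            info["license"] = m.group(1)
        elif m := re.match(r"([^:]+?)\s+:\s+(.+)", line):
            info["features"][m.group(1)] = m.group(2)
    return info

def audit(text):
    """Return a list of findings; an empty list means the license looks intact."""
    info, findings = parse_activation_key(text), []
    words = info["key"]
    if len(words) != 5 or not all(re.fullmatch(r"0x[0-9a-fA-F]{1,8}", w) for w in words):
        findings.append("malformed-key")
    elif all(int(w, 16) == 0 for w in words):
        findings.append("zeroed-key")
    if "activation key is not valid" in text:
        findings.append("invalid-key")
    if info["features"].get("VPN-3DES-AES") != "Enabled":
        findings.append("3des-aes-not-enabled")
    return findings
```

An empty list from `audit()` means the capture shows a non-zero five-word key with VPN-3DES-AES enabled; anything else names what to fix before the box goes back into service.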

Additional Information:

Activation-key command in the Cisco ASA 8.4 Command Reference.

Show activation-key command in the Cisco ASA 8.4 Command Reference.

Show version command in the Cisco ASA 8.4 Command Reference.