ASA 3DES License

A reimaged ASA device, whether running on ASA or Firepower hardware, will not have a 3DES-AES license. Without it, cryptographic functionality is disabled; this includes SSL, SSH and IPSec. For example, if you configure SSL ciphers, you may receive errors like those in the output below.

ASA(config)# ssl cipher tlsv1.2 custom "ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256"
ERROR: Invalid version/level combination: no compatible ciphers found
ERROR: Unable to update ciphers.

You can confirm whether the 3DES-AES license is enabled or disabled by running the command show version from the CLI.

This post covers acquiring the 3DES-AES license for the ASA hardware and enabling the cryptographic features.

Requesting the 3DES-AES License

  • Click Inventory, then New Token

  • Enter a description, then click Create Token


  • Select the token and press CTRL + C to copy the token.


Register License

  • From the CLI of the ASA, enter the command license smart register idtoken <token id>
ASA# license smart register idtoken MjBiYWM5YmEtYjI3MS00MmQ4LTk4YjMtNjljNzYw$%
  • Run the command show version and confirm Encryption-3DES-AES is Enabled

You should now be able to configure and use crypto services without errors.

ASA(config)# ssl cipher tlsv1.2 custom "ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDS$
ASA(config)# show run ssl
ssl cipher tlsv1.2 custom "ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256"
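
The show version check described above can be scripted when several reimaged devices need auditing. The following is an added example, not part of the original post: it parses saved show version output and reports whether Encryption-3DES-AES is enabled. The sample output is constructed, and the "name : value" layout of the licensed-features section is an assumption about how the saved text looks.

```python
import re

# Constructed sample: only the license section of `show version` is reproduced.
TEMPLATE = """\
License mode: Smart Licensing
Licensed features for this platform:
Maximum VLANs                     : 200
Failover                          : Active/Active
Encryption-DES                    : Enabled
Encryption-3DES-AES               : {state}

Serial Number: PLACEHOLDER
"""
SAMPLE_UNLICENSED = TEMPLATE.format(state="Disabled")
SAMPLE_LICENSED = TEMPLATE.format(state="Enabled")

# Assumed layout: "<feature name>   : <value> [optional duration]"
FEATURE_LINE = re.compile(r"^\s*(?P<name>[A-Za-z0-9][^:]*?)\s*:\s*(?P<value>\S+)")

def license_features(show_version):
    """Return {feature: value} for the lines under 'Licensed features ...'."""
    features, in_section = {}, False
    for line in show_version.splitlines():
        if line.strip().lower().startswith("licensed features"):
            in_section = True
            continue
        if not in_section:
            continue
        match = FEATURE_LINE.match(line)
        if match is None:
            if features:      # first non-feature line ends the section
                break
            continue
        features[match["name"]] = match["value"]
    return features

def strong_crypto_status(show_version):
    """'enabled', 'disabled', or 'unknown' if the feature line is absent."""
    value = license_features(show_version).get("Encryption-3DES-AES")
    if value is None:
        return "unknown"
    return "enabled" if value.lower() == "enabled" else "disabled"

def needs_registration(outputs):
    """Given {hostname: show_version_text}, list hosts without strong crypto."""
    return sorted(h for h, text in outputs.items()
                  if strong_crypto_status(text) != "enabled")

if __name__ == "__main__":
    fleet = {"asa-1": SAMPLE_LICENSED, "asa-2": SAMPLE_UNLICENSED}
    print(needs_registration(fleet))
```

Hosts reported as "unknown" are listed too, so truncated or unexpected output is reviewed by hand rather than assumed licensed.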
