Saturday, September 7, 2019

Activating Software License on a Cisco 1900 ISR G2 Router

I needed to configure my Cisco 1921 lab router for Site-to-Site IPsec VPN with a Cisco FTD but I don't have the Security license installed. So I just activated the 60-day Evaluation license instead. Here's a good Cisco link about Cisco ISR G2 and 4K router software packages and licenses.



License Types Available on the ISR G2

Permanent Licenses

Permanent licenses are valid for the life of the device on which they are installed. Some examples of permanent licenses are IOS Technology Packages (IPB, UC, SEC, DATA) and Feature Licenses such as SSL VPN.


Temporary Licenses

Temporary licenses are used for evaluating new capabilities or in emergency situations. A temporary license allows a feature set to be used for 60 days of actual usage. When the 60-day period expires, the device will continue to operate normally until reloaded. After the reload, the device will default to the original functionality before the temporary license was enabled. Only the actual time that the temporary license is enabled counts towards the 60-day limit. The Cisco Technical Assistance Center (TAC) can provide an extension license for longer trials or other circumstances.


Feature Licenses

Some individual features can be enabled or disabled by license keys. These features check for their licenses before enabling themselves. A feature license typically has a prerequisite before it will function; for example, a CUBE feature license requires a Universal Communication license. Some examples of feature licenses are CME and CUBE.

There are two types of Feature licenses:

Software Activation Feature Licenses

These are typically upgrades to one or more Technology Package Licenses and can be included on new routers or upgraded through Cisco Software Activation. These licenses are enforced through the Cisco Software Licensing framework.

Right to Use Feature Licenses

These licenses follow the traditional licensing model and do not use Cisco Software Activation. They can be ordered when the router is initially purchased or at a later date.


Subscription Licenses

Subscription licenses are time-based licenses that the subscriber must renew periodically; otherwise the license expires after an agreed-upon time. Some examples of Subscription licenses are URL Filtering and IPS.


Counted Licenses

Feature licenses can be either uncounted licenses or counted licenses. Uncounted licenses do not have any count and simply enable the unrestricted feature on the router when activated. Counted licenses enable a defined number of uses, e.g. CME User Licenses.


You can verify the router's software package and features using the show version and show license CLI commands.


Router#show version
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 20-Mar-12 17:58 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)

Router uptime is 2 minutes
System returned to ROM by power-on
System restarted at 10:03:01 UTC Wed Aug 7 2019
System image file is "usbflash0:c1900-universalk9-mz.SPA.151-4.M4.bin"
Last reload type: Normal Reload


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco CISCO1921/K9 (revision 1.0) with 487424K/36864K bytes of memory.
Processor board ID FGL16312ABC
2 Gigabit Ethernet interfaces
1 Serial(sync/async) interface
1 terminal line
DRAM configuration is 64 bits wide with parity disabled.
255K bytes of non-volatile configuration memory.
249840K bytes of USB Flash usbflash0 (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO1921/K9          FGL16312ABC 
         

Technology Package License Information for Module:'c1900'

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot 
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      None          None           None
data          None          None           None

Configuration register is 0x2102


Router#show crypto
% Incomplete command.    // UNABLE TO ISSUE CRYPTO RELATED COMMANDS

Router#show license
Index 1 Feature: ipbasek9                      
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
Index 2 Feature: securityk9                    
        Period left: Not Activated
        Period Used: 0  minute  0  second 
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Index 3 Feature: datak9                        
        Period left: Not Activated
        Period Used: 0  minute  0  second 
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Index 4 Feature: SSL_VPN                       
        Period left: Not Activated
        Period Used: 0  minute  0  second 
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: 0/0  (In-use/Violation)
        License Priority: None
Index 5 Feature: ios-ips-update                
        Period left: Not Activated
        Period Used: 0  minute  0  second 
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Index 6 Feature: WAAS_Express                  
        Period left: Not Activated
        Period Used: 0  minute  0  second 
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#license ?
  accept     Accept all further License Agreements
  agent      Configure LIC_AGENT
  boot       license boot config commands
  call-home  license call-home config commands

Router(config)#license boot ?
  module  which module to boot

Router(config)#license boot module ?
  c1900  license boot module for c1900

Router(config)#license boot module c1900 ?
  technology-package  product technology group

Router(config)#license boot module c1900 technology-package ?
  datak9      data technology
  securityk9  security technology

Router(config)#license boot module c1900 technology-package securityk9 ?
  disable  disable the technology
  <cr>

Router(config)#license boot module c1900 technology-package securityk9
PLEASE  READ THE  FOLLOWING TERMS  CAREFULLY. INSTALLING THE LICENSE OR
LICENSE  KEY  PROVIDED FOR  ANY CISCO  PRODUCT  FEATURE  OR  USING SUCH
PRODUCT  FEATURE  CONSTITUTES  YOUR  FULL ACCEPTANCE  OF  THE FOLLOWING
TERMS. YOU MUST NOT PROCEED FURTHER IF YOU ARE NOT WILLING TO  BE BOUND
BY ALL THE TERMS SET FORTH HEREIN.

Use of this product feature requires  an additional license from Cisco,
together with an additional  payment.  You may use this product feature
on an evaluation basis, without payment to Cisco, for 60 days. Your use
of the  product,  including  during the 60 day  evaluation  period,  is
subject to the Cisco end user license agreement
If you use the product feature beyond the 60 day evaluation period, you
must submit the appropriate payment to Cisco for the license. After the
60 day  evaluation  period,  your  use of the  product  feature will be
governed  solely by the Cisco  end user license agreement (link above),
together  with any supplements  relating to such product  feature.  The
above  applies  even if the evaluation  license  is  not  automatically
terminated  and you do  not receive any notice of the expiration of the
evaluation  period.  It is your  responsibility  to  determine when the
evaluation  period is complete and you are required to make  payment to
Cisco for your use of the product feature beyond the evaluation period.

Your  acceptance  of  this agreement  for the software  features on one
product  shall be deemed  your  acceptance  with  respect  to all  such
software  on all Cisco  products  you purchase  which includes the same
software.  (The foregoing  notwithstanding, you must purchase a license
for each software  feature you use past the 60 days evaluation  period,
so  that  if you enable a software  feature on  1000  devices, you must
purchase 1000 licenses for use past  the 60 day evaluation period.)   

Activation  of the  software command line interface will be evidence of
your acceptance of this agreement.


ACCEPT? [yes/no]: yes
% use 'write' command to make license boot config take effect on next boot

Router(config)#
Aug  7 10:09:24.559: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c1900 Next reboot level = securityk9 and License = securityk9
Aug  7 10:09:24.955: %LICENSE-6-EULA_ACCEPTED: EULA for feature securityk9 1.0 has been accepted. UDI=CISCO1921/K9:FGL163126BV; StoreIndex=0:Built-In License Storage
Router(config)#end
Router#
Aug  7 10:09:33.315: %SYS-5-CONFIG_I: Configured from console by console
Router#write   
Building configuration...
[OK]

Router#show version
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 20-Mar-12 17:58 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)

Router uptime is 6 minutes
System returned to ROM by power-on
System restarted at 10:03:01 UTC Wed Aug 7 2019
System image file is "usbflash0:c1900-universalk9-mz.SPA.151-4.M4.bin"
Last reload type: Normal Reload


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco CISCO1921/K9 (revision 1.0) with 487424K/36864K bytes of memory.
Processor board ID FGL16312ABC
2 Gigabit Ethernet interfaces
1 Serial(sync/async) interface
1 terminal line
DRAM configuration is 64 bits wide with parity disabled.
255K bytes of non-volatile configuration memory.
249840K bytes of USB Flash usbflash0 (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO1921/K9          FGL16312ABC 
         

Technology Package License Information for Module:'c1900'

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot 
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      None          None           securityk9
data          None          None           None

Configuration register is 0x2102


Router#show license
Index 1 Feature: ipbasek9                      
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
Index 2 Feature: securityk9                    
        Period left: 8  weeks 4  days
        Period Used: 0  minute  0  second 
        License Type: EvalRightToUse
        License State: Active, Not in Use, EULA accepted
        License Count: Non-Counted
        License Priority: Low
Index 3 Feature: datak9                        
        Period left: Not Activated
        Period Used: 0  minute  0  second 
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Index 4 Feature: SSL_VPN                       
        Period left: Not Activated
        Period Used: 0  minute  0  second 
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: 0/0  (In-use/Violation)
        License Priority: None
Index 5 Feature: ios-ips-update                
        Period left: Not Activated
        Period Used: 0  minute  0  second 
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Index 6 Feature: WAAS_Express                  
        Period left: Not Activated
        Period Used: 0  minute  0  second 
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None

Router#reload    // NEED A REBOOT OR RELOAD TO TAKE EFFECT
Proceed with reload? [confirm]

Aug  7 10:10:17.031: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
Copyright (c) 2011 by cisco Systems, Inc.

Total memory size = 512 MB
CISCO1921/K9 platform with 524288 Kbytes of main memory
Main memory is configured to 64 bit mode with ECC disabled


Readonly ROMMON initialized
program load complete, entry point: 0x80903000, size: 0x4c4a0
program load complete, entry point: 0x80903000, size: 0x4c4a0


IOS Image Load Test
___________________
Digitally Signed Release Software
program load complete, entry point: 0x81000000, size: 0x34890b0
Self decompressing the image :

<SNIP>


Press RETURN to get started!


Jan  2 12:00:02.587: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c1900 Next reboot level = ipbasek9 and License = ipbasek9
Jan  2 12:00:02.843: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c1900 Next reboot level = securityk9 and License = securityk9
Aug  7 10:12:13.163: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Initialized
Aug  7 10:12:13.167: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Enabled
Aug  7 10:12:13.879: %LINK-
Router>3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
Aug  7 10:12:13.879: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Aug  7 10:12:13.879: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
Aug  7 10:12:14.879: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
Aug  7 10:12:14.879: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
Aug  7 10:12:14.879: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down
Aug  7 10:12:19.627: %USBFLASH-5-CHANGE: usbflash0 has been inserted!
Aug  7 10:12:22.079: %SYS-5-CONFIG_I: Configured from memory by console
Aug  7 10:12:24.043: %LINK-5-CHANGED: Interface Embedded-Service-Engine0/0, changed state to administratively down
Aug  7 10:12:24.043: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to administratively down
Aug  7 10:12:24.043: %LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to administratively down
Aug  7 10:12:24.047: %LINK-5-CHANGED: Interface Serial0/0/0, changed state to administratively down
Aug  7 10:12:25.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface Embedded-Service-Engine0/0, changed state to down
Aug  7 10:12:25.479: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 20-Mar-12 17:58 by prod_rel_team
Aug  7 10:12:25.483: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold start
Aug  7 10:12:26.095: %SYS-6-BOOTTIME: Time taken to reboot after reload =  130 seconds
Aug  7 10:12:26.719: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
Aug  7 10:12:26.719: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
Aug  7 10:12:26.719: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
Aug  7 10:12:26.719: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
Router>enable

Router#show version
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 20-Mar-12 17:58 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)

Router uptime is 1 minute
System returned to ROM by reload at 10:10:15 UTC Wed Aug 7 2019
System restarted at 10:11:48 UTC Wed Aug 7 2019
System image file is "usbflash0:c1900-universalk9-mz.SPA.151-4.M4.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco CISCO1921/K9 (revision 1.0) with 487424K/36864K bytes of memory.
Processor board ID FGL16312ABC
2 Gigabit Ethernet interfaces
1 Serial(sync/async) interface
1 terminal line
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
255K bytes of non-volatile configuration memory.
249840K bytes of USB Flash usbflash0 (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO1921/K9          FGL16312ABC    


Technology Package License Information for Module:'c1900'

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot 
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      securityk9    EvalRightToUse securityk9
data          None          None           None

Configuration register is 0x2102


Router#show license
Index 1 Feature: ipbasek9                      
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
Index 2 Feature: securityk9                    
        Period left: 8  weeks 4  days
        Period Used: 0  minute  0  second 
        License Type: EvalRightToUse
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Low
Index 3 Feature: datak9                        
        Period left: Not Activated
        Period Used: 0  minute  0  second 
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Index 4 Feature: SSL_VPN                       
        Period left: Not Activated
        Period Used: 0  minute  0  second 
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: 0/0  (In-use/Violation)
        License Priority: None
Index 5 Feature: ios-ips-update                
        Period left: Not Activated
        Period Used: 0  minute  0  second 
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Index 6 Feature: WAAS_Express                  
        Period left: Not Activated
        Period Used: 0  minute  0  second 
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
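
Because an expired evaluation license only takes effect at the next reload, a router carrying a VPN on EvalRightToUse securityk9 can lose its crypto feature set at an unplanned reboot. The following is an added example, not part of the original post: it parses show license output in the format shown above and reports evaluation licenses that are active. The function names, the 14-day warning threshold and the handling of hour/minute/second units are assumptions.

```python
import re

# Constructed sample, trimmed to the 'show license' layout shown on this page.
SAMPLE = """\
Index 1 Feature: ipbasek9
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
Index 2 Feature: securityk9
        Period left: 8  weeks 4  days
        Period Used: 0  minute  0  second
        License Type: EvalRightToUse
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Low
Index 3 Feature: datak9
        Period left: Not Activated
        Period Used: 0  minute  0  second
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
"""

FEATURE_RE = re.compile(r"^Index\s+\d+\s+Feature:\s*(\S+)")
FIELD_RE = re.compile(r"^\s+([A-Za-z ]+?):\s*(.*)$")
PERIOD_RE = re.compile(r"(\d+)\s+(week|day|hour|minute|second)s?")
SECONDS = {"week": 604800, "day": 86400, "hour": 3600, "minute": 60, "second": 1}


def parse_show_license(text):
    """Return one dict per 'Index N Feature:' stanza, keyed by field name."""
    features = []
    for line in text.splitlines():
        m = FEATURE_RE.match(line)
        if m:
            features.append({"Feature": m.group(1)})
            continue
        m = FIELD_RE.match(line)
        if m and features:
            features[-1][m.group(1).strip()] = m.group(2).strip()
    return features


def period_days(value):
    """Convert '8  weeks 4  days' to days; None for 'Life time' / 'Not Activated'."""
    parts = PERIOD_RE.findall(value or "")
    if not parts:
        return None
    return sum(int(n) * SECONDS[unit] for n, unit in parts) / 86400


def audit(text, warn_days=14):
    """List activated evaluation licenses and whether they are close to expiry."""
    findings = []
    for f in parse_show_license(text):
        states = [s.strip() for s in f.get("License State", "").split(",")]
        if "Eval" not in f.get("License Type", "") or "Active" not in states:
            continue  # permanent, or evaluation license never activated
        left = period_days(f.get("Period left"))
        findings.append({
            "feature": f["Feature"],
            "in_use": "In Use" in states,  # 'Not in Use' does not match
            "days_left": left,
            "expiring": left is not None and left <= warn_days,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
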


I was able to issue crypto-related commands and establish an IKE Security Association (SA) with the Cisco FTD afterwards.

Router#show crypto ?  
  call             Show crypto call admission info
  ctcp             cTCP connections
  datapath         Data Path
  debug-condition  Debug Condition filters
  dynamic-map      Crypto map templates
  eli              Encryption Layer Interface
  engine           Show crypto engine info
  entropy          Entropy sources
  gdoi             Show crypto gdoi
  ha               Crypto High Availability information
  identity         Show crypto identity list
  ikev2            Shows ikev2 info
  ipsec            Show IPSEC policy
  isakmp           Show ISAKMP
  key              Show long term public keys
  map              Crypto maps
  mib              Show Crypto-related MIB Parameters
  optional         Optional Encryption Status
  pki              Show PKI
  route            Show crypto VPN routes
  ruleset          Show crypto rules on outgoing packets
  session          Show crypto sessions (tunnels)
  sockets          Secure Socket Information
  tech-support     Displays relevant crypto information