Upgrading Your Activation Key
Three important reasons might prompt you to upgrade or change your activation key:
■ Your Cisco Security Appliance does not have failover activated.
■ Your Security Appliance does not currently have virtual private network Data
Encryption Standard (VPN-DES) or virtual private network Triple DES (VPN-3DES)
encryption enabled.
■ You are upgrading from a connection-based license to a feature-based license.
Before the release of PIX Firewall version 6.2, the activation keys were changed in monitor
mode. Cisco PIX Firewall version 6.2 introduced a method of upgrading or changing the
license for your Cisco PIX Firewall remotely without entering monitor mode and without
replacing the software image. With this feature, you could enter a new activation key for a
different PIX Firewall license from the CLI. PIX Firewall and ASA Security Appliance
software version 7.0(x) support this feature. To enter an activation key, use the following
command:
activation-key license#
You replace license# with the key you get with your new license. For example:
activation-key 0x14355378 0xabcdef01 0x2645678ab 0xcdef0124
After changing the activation key, you must reboot the PIX Firewall to enable the new
license. If you are upgrading to a newer version and you are changing the activation key, you
must reboot the Cisco Appliance twice—once after the new image is installed, and again after
the new activation key has been configured.
If you are downgrading to a lower Cisco Appliance or PIX Firewall software version, it is
important to ensure that the activation key running on your system is not intended for a
higher version before you install the lower-version software image. If this is the case, you
must first change the activation key to one that is compatible with the lower version before
installing and rebooting. Otherwise, your system might refuse to reload after you install the
new software image.
The show activation-key command output indicates the status of the activation key:
■ If the activation key in the PIX Firewall Flash memory is the same as the activation key
running on the PIX Firewall, the show activation-key output reads as follows:
The flash activation key is the SAME as the running key.
■ If the activation key in the PIX Firewall Flash memory is different from the activation
key running on the PIX Firewall, the show activation-key output reads as follows:
The flash activation key is DIFFERENT from the running key.
The flash activation key takes effect after the next reload.
■ If the PIX Firewall Flash memory software image version is not the same as the running
PIX Firewall software image, the show activation-key output reads as follows:
The flash image is DIFFERENT from the running image.
The two images must be the same in order to examine the flash activation key.
Example 4-2 shows sample output from the show activation-key command.
show activation-key Command Output
pix(config)# show activation-key
Serial Number: 480221353 (0x1c9f98a9)
Running Activation Key: 0x14355378 0xabcdef01 0x2645678ab 0xcdef0124
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
The flash activation key is the SAME as the running key.
pix (config)