Wednesday, June 3, 2015

Cisco ASAv 9.4.1 and ASDM 7.4.1 in Workstation / ESXi (2)

In my previous post "Cisco ASAv 9.4.1 and ASDM 7.4.1 in Workstation / ESXi (1)", I tested importing both the OVA and VMDK files into Workstation and ESXi, but both ways failed. Those files were found on and downloaded from the Internet for testing purposes only. I believe those are good files and somebody has tested them. The only reason for my failure is that I was not doing it the right way. In my old testing posts I tested other versions such as 9.2.1, 8.42 and 8.02. All were successfully loaded in either VMware Workstation or ESXi.

To find out why it failed this time, I searched online again. My search was based on the error message I got from ESXi:
"The OVF package requires support for OVF Properties
Line 264: Unsupported element 'Property'."
The following two links explain why, and both give a solution: VMware vCenter can help load ASAv 9.4.1 into ESXi or ESX. The VMware vSphere Client has to connect to vCenter first and then deploy asav941.ova to the ESX/ESXi host.
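
An added example (not part of the original post, and not VMware or Cisco code): the sketch below reads an OVA as the tar archive it is, lists the 'Property' keys in the OVF descriptor that the error message above refers to, and checks each file against the digests in the bundled .mf manifest. The function names and the in-memory sample archive are constructed for illustration.

```python
import hashlib
import io
import re
import tarfile
import xml.etree.ElementTree as ET

OVF = "{http://schemas.dmtf.org/ovf/envelope/1}"
MF_LINE = re.compile(r"^(SHA1|SHA256)\s*\((.+)\)\s*=\s*([0-9a-fA-F]+)\s*$")

def inspect_ova(fileobj):
    """Return (OVF property keys, {member: manifest digest matches})."""
    digests, texts = {}, {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for info in tar:  # members are hashed in memory, never extracted to disk
            if not info.isfile():
                continue
            ext = info.name.lower().rsplit(".", 1)[-1]
            hashes = {"SHA1": hashlib.sha1(), "SHA256": hashlib.sha256()}
            stream, kept = tar.extractfile(info), bytearray()
            for chunk in iter(lambda: stream.read(1 << 20), b""):
                for h in hashes.values():
                    h.update(chunk)
                if ext in ("ovf", "mf"):  # buffer only the small text members
                    kept += chunk
            digests[info.name] = {a: h.hexdigest() for a, h in hashes.items()}
            texts.setdefault(ext, bytes(kept))
    root = ET.fromstring(texts["ovf"])  # KeyError if the archive has no descriptor
    keys = [p.get(OVF + "key") for p in root.iter(OVF + "Property")]
    lines = texts.get("mf", b"").decode("utf-8", "replace").splitlines()
    verdict = {m[2]: digests.get(m[2], {}).get(m[1]) == m[3].lower()
               for m in map(MF_LINE.match, lines) if m}
    return keys, verdict

def build_sample_ova(tamper=False):  # constructed sample input, not a real image
    ovf = (b'<ovf:Envelope xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1">'
           b'<ovf:ProductSection><ovf:Property ovf:key="SampleKey"/>'
           b'</ovf:ProductSection></ovf:Envelope>')
    disk = b"constructed disk bytes"
    mf = "".join("SHA1(%s)= %s\n" % (n, hashlib.sha1(d).hexdigest())
                 for n, d in (("sample.ovf", ovf), ("sample-disk1.vmdk", disk)))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("sample.ovf", ovf), ("sample.mf", mf.encode()),
                           ("sample-disk1.vmdk", disk + b"!" * tamper)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return io.BytesIO(buf.getvalue())
```

The manifest travels inside the archive, so a match shows the download is intact, not that it is authentic. For an image obtained from a third-party site, also compare the hash of the whole .ova file with the value the vendor publishes.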

Here are the procedures I followed when using vCenter to help load ASAv 9.4.1 into ESXi. (I will have another post to present how to install vCenter into ESXi. I did meet lots of challenges and I spent almost a whole day figuring them out. Some are quite tricky.)

1. ESXi vSphere Client connecting to vCenter5.5. 

I am assuming you have installed vCenter as I did. If not, you can wait for my next post, which shows how to do it. I managed to install the vCenter Appliance into my ESXi server.

2. File -> Deploy OVF Template...

Actually, if you have vCenter in your environment, all procedures are the same as deploying other virtual machines.

3. Choose downloaded asav941.ova file as the template.

When the license agreement window pops up, accept it and click Next.

4. Choose the VM's name

5. NICs configuration. 

By default, there are 10 NICs and all of them are in the same virtual network. In my case, they were automatically set to connect to the VM DMZ network.

6. Some other parameters.

You can customize some or leave them as default. I could not tell much difference between those settings.

7. Review all configuration

8. After a 3-5 minute importing process, depending on your connection speed, you should get a new VM in your ESXi.

You can then power the VM on and see the boot window in the console.

9. VM will reboot itself once then you will get this lovely ciscoasa prompt

During my full rebooting process, it will reboot itself once because some information is not consistent. I will try to record it next time.

10. Basic configuration for SSH

Interface Management0/0 is Network adapter 1. I changed it to the VM Internet network so that the management interface connects to my client PC network.

Here is some basic configuration to get SSH sessions enabled on your ASAv.

interface Management0/0
 ip address
 nameif management
ssh management
ssh version 2

username admin password cisco
aaa authentication ssh console LOCAL

ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 9.4(1)
Device Manager Version 7.4(1)

Compiled on Sat 21-Mar-15 11:43 PDT by builders
System image file is "boot:/asa941-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 7 hours 11 mins

Hardware:   ASAv, 2048 MB RAM, CPU Xeon 5500 series 2294 MHz,
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x0, 0KB

 0: Ext: Management0/0       : address is 0050.5682.88e4, irq 10
 1: Ext: GigabitEthernet0/0  : address is 0050.5682.6bf2, irq 5
 2: Ext: GigabitEthernet0/1  : address is 0050.5682.7af1, irq 9
 3: Ext: GigabitEthernet0/2  : address is 0050.5682.6bce, irq 11
 4: Ext: GigabitEthernet0/3  : address is 0050.5682.55a3, irq 10
 5: Ext: GigabitEthernet0/4  : address is 0050.5682.837f, irq 5
 6: Ext: GigabitEthernet0/5  : address is 0050.5682.969e, irq 9
 7: Ext: GigabitEthernet0/6  : address is 0050.5682.d2a0, irq 11
 8: Ext: GigabitEthernet0/7  : address is 0050.5682.435c, irq 10
 9: Ext: GigabitEthernet0/8  : address is 0050.5682.3b99, irq 5

License mode: Smart Licensing
ASAv Platform License State: Unlicensed
Active entitlement: ASAv-STD-100M, enforce mode: Eval period

Licensed features for this platform:
Maximum Physical Interfaces       : 10             perpetual
Maximum VLANs                     : 50             perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Enabled        perpetual
Cluster                           : Disabled       perpetual

Licensing mode is Smart Licensing

Serial Number: 9ACPEXD4VEW

Image type          : Release
Key version         : A

Configuration last modified by enable_15 at 02:21:28.579 UTC Mon Jun 1 2015

11. Guidelines for the ASAv

Context Mode Guidelines
Supported in single context mode only. Does not support multiple context mode.
Failover Guidelines
For failover deployments, make sure that the standby unit has the same model license; for example, both units should be ASAv30s.
Unsupported ASA Features
The ASAv does not support the following ASA features:
  • Clustering
  • Multiple context mode
  • Active/Active failover
  • EtherChannels
  • Shared AnyConnect Premium Licenses

12. Defaults for Smart Software Licensing

Since the ASAv only supports Smart Software Licensing, the old way from my previous post, using Cisco ASA 5540 v8.2(1) Keymaker v1.0 to generate a license activation-key, does not work any more. There is no activation-key command. By default, the ID certificate is automatically renewed every 6 months, and the license entitlement is renewed every 30 days. "license smart register idtoken" is the new command to register your ASAv.
  • The ASAv default configuration includes a Smart Call Home profile called “License” that specifies the URL for the Licensing Authority.
profile License
destination address http
  • When you deploy the ASAv, you set the feature tier and throughput level. Only the standard level is available at this time.
license smart
feature tier standard
throughput level {100M | 1G | 2G}
  • Also during deployment, you can optionally configure an HTTP proxy.
http-proxy ip_address port port

13. ASDM 7.4(1)

Enter the following two commands to enable ASDM HTTP access:

http server enable
http management

Open your browser and type url

Click the button Install ASDM Launcher, type username admin and password cisco to download ASDM software on your local machine. You may be asked to install Java.
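
An added example (not from the original post or from Cisco): a small check over the SSH and ASDM commands shown in steps 10 and 13 that flags a guessable local password, a management source range wider than a /24, and SSH access without the 'ssh version 2' line. The page elides the addresses in its 'ssh ... management' and 'http ... management' lines, so the 0.0.0.0 0.0.0.0 and 192.0.2.0/24 values, the deny-list and the function name are assumptions made for the sample.

```python
import ipaddress
import re

ACCESS_RE = re.compile(r"^(ssh|http) (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3}) (\S+)$")
USER_RE = re.compile(r"^username (\S+) password (\S+)")
WEAK_PASSWORDS = {"cisco", "admin", "password", "changeme"}  # assumed deny-list

def audit_mgmt(config, min_prefix=24):
    """Return (rule, line) findings for ASA management-plane commands as typed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    for ln in lines:
        user = USER_RE.match(ln)
        if user and user.group(2).lower() in WEAK_PASSWORDS | {user.group(1).lower()}:
            findings.append(("weak-password", ln))
        acc = ACCESS_RE.match(ln)
        if acc:
            service, addr, mask, _ifname = acc.groups()
            try:
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            except ValueError:
                findings.append((f"{service}-source-unparseable", ln))
                continue
            if net.prefixlen < min_prefix:  # source range wider than allowed
                findings.append((f"{service}-source-too-broad", ln))
    # The page's SSH block pins protocol version 2; flag SSH access without that line.
    ssh_allowed = any(ln.startswith("ssh ") and ACCESS_RE.match(ln) for ln in lines)
    if ssh_allowed and "ssh version 2" not in lines:
        findings.append(("ssh-version-not-pinned", "ssh version 2"))
    return findings

# Constructed sample: the page's commands, with an assumed any-source range
# (0.0.0.0 0.0.0.0) and a documentation-range interface address filled in.
AS_TYPED = """
interface Management0/0
 nameif management
 ip address 192.0.2.10 255.255.255.0
ssh 0.0.0.0 0.0.0.0 management
ssh version 2
username admin password cisco
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
"""
# Constructed counterpart: one admin subnet and a non-default passphrase.
RESTRICTED = (AS_TYPED.replace("0.0.0.0 0.0.0.0", "192.0.2.0 255.255.255.0")
              .replace("password cisco", "password Constructed-Passphrase-9041"))
```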


Monday, June 1, 2015

Install Vmware vCenter into ESXi 5.5 and Reset ESXi into Evaluation Mode

VMware vCenter Server provides centralized visibility, proactive management and extensibility for VMware vSphere from a single console.

The easiest way to deploy vCenter Server is to use the vCenter Server Appliance, which is a Linux-based virtual appliance used to manage vSphere. The following steps show how this virtual appliance is deployed into an ESXi environment.

1. Download Software

There are a couple of options you can download.
a. Download .iso file to install vCenter into windows / linux environment.
b. Download .ova virtual appliance to deploy it into virtual environment
c. Download ovf file, vmdk system disk and vmdk data disk to deploy template into virtual environment.

In my lab, I selected the single 2G OVA file to download and deployed it into my ESXi 5.5 server.

2. Deploy it into ESXi

The deployment procedure for this virtual vCenter appliance is the same as for other virtual appliances. After it is imported into ESXi, you can review the VMware vCenter Server Appliance's Virtual Machine Properties again. By default, it uses 8G memory and 2 CPUs; Hard disk 1 is a 25G system disk and Hard disk 2 is a 100G data disk.

3. Power on Vmware vCenter Server Appliance

After the system fully powers on, you will get the vSphere Web Client URL. In my case, it is

4. Log into the Web Client using a browser with default username root and password vmware.

5. Use the VMware vSphere Client to log into vCenter using its IP address

6. Add ESXi into vCenter 

Enter my ESXi 5.5 IP address 192.168.2.201, root username and password, then go to the next step.

7. Problem to add ESXi

My ESXi has been used for more than 1 year, and the evaluation has expired. I did get a free license from the VMware website for my personal usage. Unfortunately, vCenter does not allow any expired or non-evaluation ESXi machine to be added.

Based on KB1018275,
If an ESXi host is licensed with the free version of the license key, you cannot add it to vCenter Server. This license does not contain the VirtualCenter Agent, which is necessary to manage a host with vCenter Server. This feature remains locked as long as the host is licensed with the free version of the license key.
To add ESXi hosts to vCenter Server, you must license the ESXi hosts with:
  • vSphere Essentials

    Licensing an ESXi host with vSphere Essentials allows you to manage three ESXi hosts using vCenter Server. For more information on purchasing vSphere Essentials, see VMware vSphere and VMware vCenter Server Pricing.
  • vSphere Standard, Enterprise, or Enterprise Plus

    Licensing the ESXi host with one of these products unlocks the add-on features that allow you to manage ESXi hosts using vCenter Server. For more information about these products, see Compare vSphere Editions.

The official way is to get a license for your vSphere. But there is another easy way: reset ESXi into evaluation mode for 60 days. You can always reset it again after it expires.

8. Reset my ESXi to evaluation mode

a. For ESXi 4.1/5.0
cd /etc/vmware
rm -r vmware.lic
rm -r license.cfg
"reboot" or " restart"

b. For ESXi 5.1 + (used for my machine ESXi 5.5)
rm -r /etc/vmware/license.cfg
cp /etc/vmware/.#license.cfg /etc/vmware/license.cfg
/etc/init.d/vpxa restart

After the above steps have reset the machine into evaluation mode, go to the License configuration page and put it back into Evaluation Mode for 60 new days.

9. Assign License again after reset license in ESXi

This time, vCenter will find that your ESXi is in evaluation mode, and allow you to go to the next steps.

10. Check ESXi 5.5's Settings

Finally, my vCenter virtual machine is running in the ESXi environment. I am able to test vCenter's other features.


a. vCenter Server 5.5.0b Release Notes
b. Adding an ESXi host to vCenter Server fails with the error: Host cannot be added to the vCenter as there are not enough Virtual Center Agent Licenses (1018275)

Cisco ASAv 9.4.1 and ASDM 7.4.1 in Workstation / ESXi (1)

Cisco released ASA Software Version 9.4(x) in March 2015. There are some new features listed in the release notes on the Cisco website. I am going to try adding it to my testing environment using VMware Workstation or ESXi. Some old ASA versions have been tested in my previous posts:
Download ASA v 9.4.1

Here are some download links we could find from Internet.
1. Cisco Software Download Site

2. from (Link has been removed)

Problems when importing into Vmware Workstation / ESXi

1. Using OVA file

But when I tried to open it in Workstation, there was an error which says "Line 264: Unsupported element 'Property'."

I tried again in ESXi 5.5, File -> Deploy OVF Template ...
But it seems to be the same error message when I tried to open the downloaded asav941.ova file.
The OVF package requires support for OVF Properties
Line 264: Unsupported element 'Property'.

2. Using vmdk File

I thought I may use vmdk's file to add them into workstation or ESXi. I did find a vmware package from with following files:

Unfortunately, it does not boot properly into configuration mode. Eventually it drops into a reboot loop. The screenshots captured during my testing in VMware Workstation and ESXi show all the steps below:

2.1. Opened in the Vmware Workstation

2.2. Since my VMware Workstation host does not support VT-x, it will not be able to power on.

2.3. Workstation Connect to ESXi

2.4. Upload workstation vm into ESXi. That was successful

2.5. ESXi VM's configuration

2.6. It got into a rebooting loop.

Cause and Solutions:

Please check my next post - "Cisco ASAv 9.4.1 and ASDM 7.4.1 in Workstation / ESXi (2)".