Cisco ASAv 9.4.1 and ASDM 7.4.1 in Workstation / ESXi (2)

In my previous post "Cisco ASAv 9.4.1 and ASDM 7.4.1 in Workstation / ESXi (1)", I tested the importing both OVA and VMDK file into Workstation and ESXi, but both ways failed. Those files are found and downloaded from Internet for only testing purpose. I believe those are good files and somebody has tested them. The only reason for my failure is because I am not using a right way to do it. In my old testing posts I have tested other versions such as 9.2.1, 8.42 and 8.02. All were successful loaded in either Vmware Workstation or ESXi.

Here are all related posts in this blog:

• ASA 8.02 in Vmware Workstation
• ASA 8.42 in VMware Workstation
• ASA 9.21 in Vmware Workstation 10
• Cisco ASAv 9.4.1 and ASDM 7.4.1 in Workstation / ESXi (1)
• Cisco ASAv 9.4.1 and ASDM 7.4.1 in Workstation / ESXi (2)
• Cisco ASAv 9.5.1 200 and ASDM 7.5.1 in Workstation / ESXi 

To find out the why this time failed I searched online again. My searching is based on error message I got from ESXi:

"The OVF package requires support for OVF PropertiesLine 264: Unsupported element 'Property'."

Following two links explains why , also both gives a solution , which is Vmware vCenter will be able to help load ASAv 9.4.1 into ESXi or ESX. Actually Vmeare vSphere Client has to connect to vCenter first then deploy this asav941.ova into ESX/ESXi host.

• http://www.cisco.com/c/en/us/td/docs/switches/datacenter/dfa/troubleshooting/guide/b-dfa-trouble/b-DFA-Troubleshooting_chapter_0100.html
• https://www-304.ibm.com/support/knowledgecenter/SSCR9A_2.0.0/doc/ICON/topics/tsicn_ovafailsproperty.html

Here are the procedures when I were using vCenter to help load ASAv 9.4.1 into ESXi. (I will have another post to present how to install vCenter into ESXi. I did meet lots of challenges and I spent almost whole day to figure them out. Some are quite tricky.)

1. ESXi vSphere Client connecting to vCenter5.5. 

I am assuming you have installed vCenter as I did. If not, you can wait my next post to show you how to do it. I managed to install vCenter Appliance into my ESXi server.

2. File -> Delply OVF Template...

Acutally if you have vCenter in your environment, all procedures are same as deploying other virtual machines. 

3. Choose downloaded asav941.ova file as the template.

When license agreement window popped up, accept it then next.

4. Choose vm's name

5. NICs configuration. 

By default, there are 10 NICs and all of them are in same virtual network. In my case, it automatically set to connect to VM DMZ network.

6. Some other parameters.

You can customize some or leave them as default. I did not tell too much difference for those settings.

7. Review all configuration

8. After 3-5 minutes importing process deponding on your connection speed, you should get a new VM in your ESXi. 

And you can power VM on and get booting window from console.

9. VM will reboot itself once then you will get this lovely ciscoasa prompt

During my full rebooting process, it will reboot itself once because some information is not consistent. I will try to record it next time.

10. Basic configuration for SSH

Interface management 0/0 is Network adapter 1. I changed it to VM Internet network to make management interface connect to my client pc network.

There are some basic configuration to get you SSH session enabled on your ASAv.

interface Management0/0
 ip address 192.168.2.12 255.255.255.0
 nameif management
!

ssh 192.168.2.0 255.255.255.0 management

ssh version 2

username admin password cisco

aaa authentication ssh console LOCAL

ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 9.4(1)

Device Manager Version 7.4(1)

Compiled on Sat 21-Mar-15 11:43 PDT by builders

System image file is "boot:/asa941-smp-k8.bin"

Config file at boot was "startup-config"

ciscoasa up 7 hours 11 mins

Hardware:   ASAv, 2048 MB RAM, CPU Xeon 5500 series 2294 MHz,

Internal ATA Compact Flash, 256MB

Slot 1: ATA Compact Flash, 8192MB

BIOS Flash Firmware Hub @ 0x0, 0KB

 0: Ext: Management0/0       : address is 0050.5682.88e4, irq 10

 1: Ext: GigabitEthernet0/0  : address is 0050.5682.6bf2, irq 5

 2: Ext: GigabitEthernet0/1  : address is 0050.5682.7af1, irq 9

 3: Ext: GigabitEthernet0/2  : address is 0050.5682.6bce, irq 11

 4: Ext: GigabitEthernet0/3  : address is 0050.5682.55a3, irq 10

 5: Ext: GigabitEthernet0/4  : address is 0050.5682.837f, irq 5

 6: Ext: GigabitEthernet0/5  : address is 0050.5682.969e, irq 9

 7: Ext: GigabitEthernet0/6  : address is 0050.5682.d2a0, irq 11

 8: Ext: GigabitEthernet0/7  : address is 0050.5682.435c, irq 10

 9: Ext: GigabitEthernet0/8  : address is 0050.5682.3b99, irq 5

License mode: Smart Licensing

ASAv Platform License State: Unlicensed

Active entitlement: ASAv-STD-100M, enforce mode: Eval period

Licensed features for this platform:

Maximum Physical Interfaces       : 10             perpetual

Maximum VLANs                     : 50             perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Active/Standby perpetual

Encryption-DES                    : Enabled        perpetual

Encryption-3DES-AES               : Enabled        perpetual

Security Contexts                 : 0              perpetual

GTP/GPRS                          : Disabled       perpetual

AnyConnect Premium Peers          : 2              perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 250            perpetual

Total VPN Peers                   : 250            perpetual

Shared License                    : Disabled       perpetual

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone    : Disabled       perpetual

Advanced Endpoint Assessment      : Disabled       perpetual

Total UC Proxy Sessions           : 2              perpetual

Botnet Traffic Filter             : Enabled        perpetual

Cluster                           : Disabled       perpetual

Licensing mode is Smart Licensing

Serial Number: 9ACPEXD4VEW

Image type          : Release

Key version         : A

Configuration last modified by enable_15 at 02:21:28.579 UTC Mon Jun 1 2015

11. Guidelines for the ASAv

Context Mode Guidelines

Supported in single context mode only. Does not support multiple context mode.

Failover Guidelines

For failover deployments, make sure that the standby unit has the same model license; for example, both units should be ASAv30s.

Unsupported ASA Features

The ASAv does not support the following ASA features:

• Clustering
• Multiple context mode
• Active/Active failover
• EtherChannels
• Shared AnyConnect Premium Licenses

12. Defaults for Smart Software Licensing

Since ASAv only support Smart Software Licensing, the old way in previous post to use Cisco ASA 5540 v8.2(1) Keymaker v1.0 to generate license activation-key is not working any more. There is no activation-key command. By default, the ID certificate is automatically renewed every 6 months, and the license entitlement is renewed every 30 days. Command "license smart register idtoken" will be the new command for register your ASAv.

• The ASAv default configuration includes a Smart Call Home profile called “License” that specifies the URL for the Licensing Authority.

call-home

profile License

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

• When you deploy the ASAv, you set the feature tier and throughput level. Only the standard level is available at this time.

license smart

feature tier standard

throughput level {100M | 1G | 2G}

• Also during deployment, you can optionally configure an HTTP proxy.

call-home

http-proxy ip_address port port

13. ASDM 7.4(1)

Enter following two commands to enable ASDM http access:

http server enable

http 192.168.2.0 255.255.255.0 management

Open your browser and type url https://192.168.2.12/admin

Click the button Install ASDM Launcher, type username admin and password cisco to download ASDM software on your local machine. You may be asked to install Java.

Reference: