Extending the life of your Firepower Lab Environment

When working with lab environments it is often a problem to obtain the proper licenses for the devices. This usually leads to a tendency to use evaluation licenses of a temporary nature. But what happens when your lab extends its life beyond what was originally intended? One answer is of course to assign the proper licensing (which can be costly) or to reset the entire lab and start over. Naturally, if the lab is of a permanent nature you MUST obtain the proper licensing; for non-permanent labs it is possible to ‘re-arm’ the evaluation license and obtain a new 90-day grace period. Note that there are some pitfalls to take note of when re-arming.

In an FMC deployment the FTD devices are essentially slaves of the FMC, and it is the FMC that holds the configurations and licenses (i.e. orchestration).

In the Firepower lab case the Firepower Management Center (the on-box FDM deployment is not covered here) is the puppet master of all the FTDs and thus also holds the licenses. This means that an evaluation only needs to be valid on the FMC itself. A virtual FMC comes with the option of enabling a 90-day evaluation period as a smart license (this requires no interaction with Cisco).

A new install of a vFMC offers a 90-day evaluation license (covering all licenses, but note that AnyConnect will not work with an evaluation license).

The Trick

The trick is to move all the existing configuration and associations onto a new FMC server (with a new evaluation license). The procedure is much the same as doing a backup/recovery of an FMC installation. So resetting the FMC trial license is really a move of the config to a new FMC that has a fresh evaluation license. It is, to my knowledge, not possible to factory reset a virtual FMC (there is no ‘recovery’ boot option in LILO for virtual FMCs, as there is for a hardware appliance).

EDIT: Rolling back to a snapshot of the running FMC is said to (though I have not tested it) also wind back time on the license. But before you do that, skip to step 2.

Step 1 – Deploy an FMC .OVA as usual

You need the entitlement to download the FMC software from Cisco.com, then go through the usual steps of deploying it (deployment of the virtual FMC can be referenced here).

Start by creating a new FMC by deploying the OVA

Give it a new, unused temporary IP address and don’t worry about the license part yet.

The IP will be temporary and you don’t need to provide anything in the license field at this time.

WARNING – DO NOT upgrade the new FMC to latest and greatest blindly at this point!

Step 2 – Backup the ‘old’ FMC management

Backing up an existing FMC is relatively easy (there is a button). Simply create a Firepower management backup on the ‘old’ lab FMC and download it to local disk (this can be done on demand from the GUI).

Backup is easy, but be aware that the file (a tar.gz archive) can easily be around 250 MB.

Step 3 – Restore on the ‘new’ FMC VM

Restoring the old FMC config onto the new FMC is done in much the same manner. Just browse to the temporary address of the new FMC and upload the backup archive.

Before doing the restore there are a few things that are important to note:

  • License information IS NOT transferred in the restore process (which is what we want in this case)
  • The IP address of the old FMC IS transferred… this means that after the restore there will be an IP conflict until you turn off the old one.
  • The restore process is VERY picky about matching versions (both FMC software version and VDB version)

That the license follows the vFMC and is NOT moved during backup and restore could be considered a downside for normal operation, but it is a necessity for our use case. If this were a production restore you would need to have the license changed.

The IP address transfer is usually a pretty nice feature, as the governed FTD devices will automatically rejoin the new FMC (nice).

The version matching, however, can be a real challenge (if you don’t know about it)! If your backup was taken on an older FMC version (either software or VDB) than the FMC you are trying to restore it onto, the restore will not work! (And no… you cannot downgrade, e.g. the VDB.) In this case, if you have the possibility, go back to the old FMC, update it to the same version and take a new management backup. The old versions are available on the Cisco.com download site if you need to hit an exact version on the new FMC.

The VDB version must match. If there is a mismatch the following error is thrown:

Both the VDB and the software version have to match.

In this case the new FMC had been upgraded to the latest and greatest (FMC 6.2.2.1) while the backup was taken on an older FMC (FMC 6.2.2). This yielded a software version mismatch error.

It is possible to see which versions apply to the backup image either by opening up the archive or simply by uploading it to the FMC and observing the version numbers displayed, as shown below.

Here the two failures are indicated. The versioning of the backup file is shown in the picture. The restore was attempted on a FireSIGHT 6.2.2.1 with VDB build 290.

When the backup file is accepted, the restore process starts and afterwards the FMC reboots into the ‘old FMC state’.

When all versioning is correct and the restore process finishes, the new FMC reboots and comes up again with the IP address of the old FMC.

It was very nice to see that the one device hooked up to my demo lab did not seem to notice that there had been a switch of FMCs and instantly rejoined the new FMC.

FTD device rejoined automagically after the restore.

And the licensing of the entire lab environment has been extended, as shown below.

Re-armed licenses for the entire demo lab environment have been successfully achieved. Historical data has not been migrated, however.


Key Take-Aways

The recovery procedure works well for re-arming the FMC evaluation license, but it is most easily performed as follows:

  1. Upgrade the old FMC to the latest and greatest (software and VDB)
  2. Upgrade the new FMC to the latest and greatest (software and VDB)
  3. Take a backup of the old FMC
  4. Restore it on the new FMC
  5. Shut down the old FMC

Again, take note that this is of course only meant for EVALUATIONS!!! Not for regular production nor other non-entitled uses.

1 Comment on "Extending the life of your Firepower Lab Environment"

  1. Thanks! BTW: snapshots, changing ESXi time, and fake NTP time (hosted off a router) don’t affect the eval period. I tried them all (with FMC 6.2.2). I’m building out a lab that needs to last more than 90 days too. So I’m going with your method.
