Updated: Word has it that the procedure described herein has been deprecated in later releases (see comment below).
When working with lab environments, obtaining the proper licenses for the devices is often an issue. This usually leads to using evaluation licenses of a temporary nature. But what happens when your lab extends its life beyond what was originally intended? One answer is of course to assign the proper licensing (which can be costly) or to reset the entire lab and start over. Naturally, if the lab is of a permanent nature you MUST obtain the proper licensing; for non-permanent labs it is possible to ‘re-arm’ the evaluation license and obtain a new 90-day grace period. Note that there are some pitfalls to be aware of when re-arming.
In the Firepower lab case, the Firepower Management Center (not covering the on-box FDM deployment) is the puppet master of all the FTDs and thus also holds the licenses. This means that an evaluation only needs to be valid on the FMC itself. A virtual FMC comes with the option of enabling a 90-day evaluation period as a smart license (requires no interaction with Cisco).
The trick is to move all the existing configuration and associations onto a new FMC server (with a new evaluation license). The procedure is much the same as when doing a backup/recovery of an FMC installation. So resetting the FMC trial license is actually more of a move of the config to a new FMC with a new evaluation license. It is, to my knowledge, not possible to factory reset a virtual FMC (there is no ‘recovery’ boot option in LILO for virtual FMCs as there is for a hardware appliance).
EDIT: Rolling back to a snapshot version of the running FMC is said to (though not tested) also wind back time on the license. But before you do, skip to step 2
Step 1 – Deploy a FMC .OVA as usual
You need the entitlement to download the FMC software from Cisco.com and go through the usual steps deploying it (deployment of the Virtual FMC can be referenced here).
Give it a new, unused temporary IP address and don’t worry about the license part yet.
WARNING – DO NOT upgrade the new FMC to latest and greatest blindly at this point!
Step 2 – Backup the ‘old’ FMC management
Backup of an existing FMC is relatively easy (there is a button). Simply create a Firepower management backup from the ‘old’ lab FMC and download it to local disk (can be done on-demand from the GUI).
Step 3 – Restore on the ‘new’ FMC VM
Restoring the old FMC config to the new FMC is done in much the same manner. Just browse to the temporary address of the new FMC and upload the backup archive.
Before doing the restore, there are a few things that are important to note:
- License information IS NOT transferred in the restore process (what we want in this case)
- IP address of the old FMC IS transferred… this means that after the restore, there will be an IP conflict until you turn off the old one.
- The restore process is VERY picky about matching versions (both FMC version and VDB version)
That the license follows the vFMC and is NOT moved during backup and restore could be considered a downside for normal operation, but it is a necessity for our use case. If it were a production restore, you would need to have the license changed.
The IP address transfer is usually a pretty nice feature, as the governed FTD devices will automatically rejoin the new FMC (Nice).
The version matching, however, can be a real challenge (if you don’t know about it)! If your backup was done on an older FMC (either VDB or software) than the FMC you are currently trying to import it onto, it will not work! (And no… you cannot downgrade, i.e. the VDB.) In this case, if you have the possibility, go back to the old FMC, update it to the same version and do a new management backup. The old versions are available on the Cisco.com download site if you need to hit an exact version on the new FMC.
Both the VDB and software have to match.
It is possible to see what versions are applicable to the backup image either by opening up the archive or by simply uploading it to the FMC and observing the version numbers displayed below.
When the backup file is accepted, it starts the restore process and afterwards reboots into the ‘old FMC state’.
It was very nice to see that the one device hooked up to my demolab did not seem to notice that there had been a switch in FMCs and was instantly rejoined to the new FMC
And the licensing of the entire lab environment has been extended as shown below.
The recovery procedure works well for re-arming the FMC evaluation license but is most easily performed as follows:
- Upgrade the old FMC to latest and greatest (software and VDB)
- Upgrade the new FMC to latest and greatest (software and VDB)
- Take backup of the old FMC
- Restore on the new FMC
- Shutdown the Old FMC
Again take note that this is of course only meant for EVALUATIONS!!! Not regular production nor other non-entitled uses.
Thanks! BTW: snapshots, changing ESXi time, and fake NTP time (hosted off a router) don’t affect the eval period. I tried them all (with FMC 6.2.2). I’m building a lab out that needs to last more than 90 days too. So I’m going with your method.
Hi. Thanks for the post.
Unfortunately, this didn’t work with 6.5.0. The licenses became expired after the restore.
Can confirm the same on 18.104.22.168, after I restored from backup on the new FMCv, expiration time changed as well.
I am ok with the 90 days eval period. However, the sensor is still showing unlicensed. The sensor is NGIPSv for VMware 6.6.0. The license check-boxes for Protection, Control, Malware and URL Filtering are unchecked and greyed out. How could I activate those licenses for eval purpose?