Photofunstudio Try Again After the Registartion Is Completed
ane.1. What is Cisco Smart Licensing?
Cisco Smart Licensing is a deject-based unified license management system that manages all of the software licenses beyond Cisco products. It enables customers to purchase, deploy, manage, track and renew Cisco Software licenses. It also provides information about license ownership and consumption through a single user interface
The solution is comprised of online Smart Accounts (at Cisco Smart Licensing Portal) used for tracking Cisco software assets and the Cisco Smart Software Manager (CSSM) which is used to manage the Smart Accounts. CSSM is where all licensing direction related tasks, such equally registering, de-registering, moving, and transferring licenses tin can be performed. Users can be added and given access and permissions to the smart account and specific virtual accounts.
To learn more about Cisco Smart Licensing, visit:
a) Cisco Smart Licensing home page
b) Cisco Community - On-Demand Trainings
For more information on the new Smart Licensing using Policy method in IOS-XE 17.3.ii and later, visit Smart Licensing using Policy on Catalyst Switches
New to Smart Licensing and/or Smart Business relationship administration? Visit and sign up for the new administrator training grade and recording:
Cisco Community - Get Smart with Cisco Smart Accounts/Smart Licensing and My Cisco Entitlements
Smart accounts can be created hither: Smart Accounts
Smart accounts tin exist managed here: Smart Software Licensing
1.two. Smart Licensing Implementation Methods
At that place are multiple methods in deploying Cisco Smart Licensing that tin be leveraged depending on a company's security profile such every bit:
Direct Cloud Access
Cisco products send usage information direct over the Net securely using HTTPS. No boosted components are needed.
Admission through an HTTPS Proxy
Cisco products send usage data through an HTTP proxy server securely using HTTPS. An existing proxy server can exist used or this can be deployed through Cisco's Transport Gateway. (click here for some boosted information).
On-premise License Server (Also known as Cisco Smart Software Director satellite)
Cisco products send usage information to an on-premise server instead of directly over the cyberspace. In one case a month the server reaches out over the net for all devices via HTTPS or tin be manually transferred to synchronize its database. CSSM On-prem (Satellite) is available as a Virtual Machine (VM) and can be downloaded here. For additional data, visit Smart Software Director Satellite page.
ane.iii. Supported IOS XE Platforms
- From IOS XE version 16.9.1 release onwards, the Catalyst 3650/3850 and Catalyst 9000 series switch platforms support the Cisco Smart Licensing method as the just licensing method.
- From IOS XE version 16.ten.1 release onwards, router platforms such as the ASR1K, ISR1K, ISR4K, and virtual routers (CSRv / ISRv) support the Cisco Smart Licensing method as the only licensing method.
one.4. Migration from Legacy Licenses to Smart Licenses
In that location are two methods for converting a legacy license, like Right-To-Use (RTU) or Product Activation Key (PAK) to a Smart License. For details on which method needs to be followed please refer to the relevant release notes and/or configuration guide for the specific Cisco device.
i.4.1. Converting through Device Led Conversion (DLC)
- Device Led Conversion (DLC) is a sometime method where the Cisco Product tin study what licenses it is using and the licenses are automatically deposited into their corresponding Smart Account on the Cisco Smart Software Manager (CSSM). The DLC procedure is performed directly from the Command Line Interface (CLI) of the specific Cisco device.
- The DLC process is just supported on the Catalyst 3650/3850 and selected router platforms. For specific router models delight refer to the individual platform configuration guide and release notes. Example:DLC procedure for Catalyst 3850 running Fuji 16.9.ten releases.
1.4.ii. Converting through Cisco Smart Software Managing director (CSSM) or License Registration Portal (LRP)
Cisco Smart Software Manager (CSSM) Method:
1. Login to Cisco Smart Software Manager (CSSM) at https://software.cisco.com/
two. Navigate to Smart Software Licensing > Convert to Smart Licensing
three. Select Convert PAK or Convert Licenses
iv. Locate the license in the table below if converting PAK license. If converting a non-PAK license utilise the "License Conversion Wizard" for stride by step directions.
Location of known PAK files associated with Account:
Location of "License Conversion Sorcerer" link:
5. Locate the Desired License and Product combination
six. Click (under Actions): Catechumen to Smart Licensing
7. Select desired virtual business relationship, license, and click Next
8. Review Selections, and then click Convert Licenses
License Registration Portal (LRP) Method:
ane. Login to the License Registration Portal (LRP) http://tools.cisco.com/SWIFT/LicensingUI/Home
ii. Navigate to Devices > Add Devices
three. Enter the proper Product Family unit and Unique Device Identifier (UDI) production ID and series number then click Ok. UDI information can be obtained from "testify version" or "prove inventory" taken from the control line interface (CLI) of the Cisco device
4. Choose the added device and Convert Licenses to Smart Licensing
5. Assign to proper Virtual Account, select licenses to convert and Submit
Tip: LRP tool tin also be used by looking upwards the license/product family unit on the "PAKs or Tokens" tab, clicking the circumvolve drib downward side by side to the PAK/Token and selecting "Convert to Smart Licensing":
i.4.3. Converting through contacting Cisco Global Licensing Operations (GLO) section
The Global Licensing Operations section tin be reached hither at our worldwide contact centers.
1.five. Catalyst 9500 High Performance Behavior Change from sixteen.9 to sixteen.12.iii
Like other Catalyst 9000 models, the Goad 9500 High Performance models were enabled with Smart Licensing in the IOS XE version xvi.9 railroad train and onwards. For the Catalyst 9500 High Functioning models, however, each model had its own specific license entitlement tag. It was later on decided by the production and marketing teams to unify the C9500 platforms entitlement tags. This determination changed the behavior on the C9500 High Performance models from using specific entitlement tags to generic C9500 licenses.
This change in beliefs is documented in the following defects:
a) CSCvp30661
b) CSCvt01955
Beneath is the before and later on of the higher up-mentioned changes license changes for C9500 High Performance models:
1.5.1. IOS XE version xvi.11.x and below
Each C9600 Loftier Performance model has its own entitlement tags:
Model | License |
C9500-32C | C9500 32C NW Essentials C9500 32C NW Advantage C9500 32C Deoxyribonucleic acid Essentials C9500 32C DNA Advantage |
C9500-32QC | C9500 32QC NW Essentials C9500 32QC NW Advantage C9500 32QC DNA Essentials C9500 32QC DNA Advantage |
C9500-24Y4C | C9500 24Y4C NW Essentials C9500 24Y4C NW Advantage C9500 24Y4C DNA Essentials C9500 24Y4C DNA Advantage |
C9500-48Y4C | C9500 48Y4C NW Essentials C9500 48Y4C NW Advantage C9500 48Y4C DNA Essentials C9500 48Y4C Deoxyribonucleic acid Advantage |
Note: IOS XE versions16.12.ane & 16.12.2 have the following defects CSCvp30661, CSCvt01955 and are addressed in 16.12.3a and subsequently.
1.5.two. IOS XE version 16.12.3 and onwards
Catalyst 9500 High Functioning platforms volition now use generic network license tags and carve up Deoxyribonucleic acid license tags. The tabular array below shows the entitlements changes highlighted in IOS XE version 16.12.iii and onwards:
Model | License |
C9500-32C | C9500 Network Essentials C9500 Network Advantage C9500 32C DNA Essentials C9500 32C Dna Advantage |
C9500-32QC | C9500 Network Essentials C9500 Network Advantage C9500 32QC DNA Essentials C9500 32QC Dna Reward |
C9500-24Y4C | C9500 Network Essentials C9500 Network Advantage C9500 24Y4C Deoxyribonucleic acid Essentials C9500 24Y4C DNA Advantage |
C9500-48Y4C | C9500 Network Essentials C9500 Network Advantage C9500 48Y4C Deoxyribonucleic acid Essentials C9500 48Y4C Dna Advantage |
Annotation: Upgrades from IOS XE versions 16.12.1 and sixteen.12.2 will display this license beliefs. Upgrades from IOS XE versions 16.9.x ,16.ten.x, sixteen.11.x to 16.12.three volition recognise onetime license configurations.
1.5.three. C9500 Loftier Performance Modify FAQ
1. Why does Cisco support allocate a generic network license, when my device is consuming a device-specific network license?
Generic tags are provided as they are the right entitlement tags for the network device. This allows usage of the entitlement tags across the entire Cat9500 platform, not just the specific C9500 high performance models. Pre-16.12.iii images that ask for device-specific license tags are in compliance with the generic license tags as the more specific licenses fall under the generic licenses in the licensing hierarchy.
2. Why do two network tags sometimes prove up in the Smart Account?
This beliefs is due to the licensing hierarchy and happens when the device is running on an older image that utilizes device-specific licensing tags. Older images that ask for device-specific license tags are in compliance with the generic license tags as the more specific tags fall under the generic licenses in the licensing bureaucracy.
2.1. Basic configuration
Exact procedure how to configure Smart Licensing tin be found in Arrangement Management Configuration Guide available for each release / platform.
For example: System Direction Configuration Guide, Cisco IOS XE Fuji xvi.9.x (Catalyst 9300 Switches)
ii.ii. Registration Token / Device ID Token
Before registering device, Token needs to be generated. The registration token, also known as the device id token, is a unique token generated from the smart licensing portal orCisco Smart Software Manager on-prem when initially registering a Cisco device to the respective smart account. An individual token tin can exist used to register multiple Cisco devices depending on the parameters used during creation.
The registration token is also only required during initial registration of a Cisco device as it provides the information to the device to call-dwelling to the Cisco dorsum stop and exist tied to the correct Smart Account. Later the Cisco device is registered the token is no longer required.
For more information in regard to registration tokens and how they are generated, delight click here for a general guide. For more details, delight refer to the configuration guide for the specific Cisco device.
ii.3. Registration and License States
While deploying and configuring Smart Licensing at that place are multiple possible states that a Cisco device can exist in. These states can be displayed by looking at show license all or show license status from the Command Line Interface (CLI) of the Cisco device.
Below is a listing of all states and their meaning:
- Evaluation (Unidentified) State
- This is a default land of the device when commencement booted.
- Normally, this state is seen when a Cisco device has not yet been configured for Smart Licensing or registered to a Smart Account.
- In this state all features are bachelor and the device tin can freely change license levels.
- The evaluation period is used when the device is in the unidentified state. The device will not endeavor to communicate with Cisco in this state.
- This will exist ninety days of usage and not ninety agenda days.Once information technology is expired it is never reset.
- At that place is one evaluation period for the entire device it is not per entitlement
- When the evaluation menstruum expires at the cease of 90 days, the device goes in to EVAL EXPIRY mode, however at that place is no functional impact or disruption in functionality, fifty-fifty subsequently reload. Currently at that place is no enforcement in identify.
- The countdown time is maintained across reboots.
- The evaluation catamenia is used if the device has not yet registered with Cisco and has not received the following 2 letters from the Cisco backend:
- Successful response to a registration request
- Successful response to an entitlement authorization request.
- Registered State
- This is the expected state later on successfully completing registration.
- The Cisco device has been able to successfully communicate with a Cisco Smart Account and register.
- The device receives an ID certificate valid for one year which will be used for time to come communications
- The device will ship a request to CSSM to authorize the entitlements for the licenses in use on the device
- Depending on the CSSM response the device volition then enter Authorized or Out of Compliance
- The Id certificate expires at the end of i year. After 6 months the software Agent process will try to renew the certificate. If the Agent cannot communicate with the Cisco Smart Software Director it will keep to try and renew the Id document until the expiration appointment (1 year). At the end of 1 twelvemonth, the agent volition go dorsum to the Un-Identified land and will try to enable the Evaluation menses. The CSSM volition remove the product instance from its database.
- Authorized Land
- This is the expected state when device is using an entitlement and is in Compliance (no negative balance),
- The Virtual Account on CSSM had the correct type and number of licenses to authorize the consumption of the device's licenses
- At the end of xxx days, the device volition send a new request to CSSM to renew the authorization.
- Has a time span of 90 days after which (if not successfully renewed) is moved to Authorization Expired land.
- Out of Compliance State
- This is the state when device is using an entitlement and is non in Compliance (negative balance),
- This state is seen when the device does not take an available license in the corresponding Virtual Account that the Cisco device is registered to in the Cisco Smart Account.
- To enter into Compliance / Authorized state, a customer must add the right number and type of licenses to the Smart Account
- When in this state the device volition automatically transport an dominance renewal request every twenty-four hours
- Licenses and features volition continue to operate and there is no functional impact
- Authority Expired State
- This is the land when device is using an entitlement has non been able to communicate with the Cisco Smart Business relationship associated for over 90 days.
- This is typically seen if the Cisco device loses net admission or cannot connect to tools.cisco.com after initial registration.
- Online methods of smart licensing crave Cisco devices to communicate a minimum of every 90 days to forbid this status.
- CSSM will return all in use licenses for this device back to the puddle since information technology has non had any communications for ninety days
- While in this land the device will continue to try to contact Cisco, every 60 minutes, to renew the entitlement authorization, until the registration menstruation (id certificate) expires
- If the software Agent re-establishes communications with Cisco and receives to its request for authorization it will process that answer normally and enter into 1 of the established states
- Starting in 16.9.1 for switches and 16.x.1 for routers, a default Call-habitation profile named "CiscoTAC-i" is generated to help with migrating to Smart Licensing. By default, this profile is ready for the Direct Deject Admission method.
#prove telephone call-home profile CiscoTAC-1 Profile Name: CiscoTAC-ane Profile status: ACTIVE Contour way: Full Reporting Reporting Data: Smart Call Home, Smart Licensing Preferred Bulletin Format: xml Message Size Limit: 3145728 Bytes Transport Method: http HTTP address(es): https://tools.cisco.com/its/service/oddce/services/DDCEService Other address(es): default <snip>
- When utilizing aCisco Smart Software Manager on-premise server, the destination address nether the active call-home configuration must point to it (example-sensitive!):
(config)#telephone call-habitation
(cfg-call-habitation)#profile "CiscoTAC-1"
(cfg-call-home-profile)#destination address http https://<IP/FQDN>/Transportgateway/services/DeviceRequestHandler
- DNS is required to resolve tools.cisco.com. If DNS server connectivity is in a VRF, ensure the proper source-interface and VRF are divers in the following:
Global Routing Table Used:
(config)#ip domain-lookup [source-interface <INTERFACE>]
(config)#ip proper name-server <IP>VRF Routing Table Used:
(config)#ip domain-lookup [source-interface <INTERFACE>] <<-- "ip vrf forwarding <VRF-NAME>" defined on the interface
(config)#ip proper noun-server vrf <VRF-Proper name> <SERVER-IP>
Alternatively, if DNS is not available, statically configure local DNS to IP mapping (based on local DNS resolution on your terminate-device) or supersede DNS name in telephone call-domicile configuration with IP address. Refer to case for direct cloud admission (forCisco Smart Software Managing director on-prem utilise its own DNS proper noun instead of tools.cisco.com):
(config)#ip host tools.cisco.com 173.37.145.8
- If advice to tools.cisco.comneeds to be originated from the interface in specific VRF (eastward.g. Mgmt-vrf), and then the following CLI needs to be configured:
(config)#ip http customer source-interface <VRF_INTERFACE>
- A different number of licenses might be consumed depending on the configuration of the Cisco device such as with Catalyst switches running in StackWise or StackWise Virtual:
Traditional Stack-wise Supported Switches (e.g. Catalyst 9300 series):
Network License: 1 license is consumed per switch in the stack
DNA License: 1 license is consumed per switch in the stack
Modular Chassis (due east.k. Catalyst 9400 series):
Network License: one license is consumed per supervisor in the chassis
Deoxyribonucleic acid License: 1 license is consumed per chassis
Fixed Stack-wise Virtual Supported Switches (due east.yard. Catalyst 9500 series):
Network License: 1 license is consumed per switch in the stack
DNA License: one license is consumed per switch in the stack
- Only one telephone call-home profile tin be active for Smart Licensing.
- Licenses are only consumed if a respective feature is configured.
- Cisco devices configured for Smart Licensing need to be configured with the correct arrangement time and date to ensure they are properly synchronized with the corresponding Cisco Smart Account. If the time offset of the Cisco device is as well far off it, the device tin can fail to register. The clock will need to be manually prepare or configured via a timing protocol such equally Network Time Protocol (NTP) or Precision Time Protocol (PTP). For the exact steps required to implement these changes please refer to the configuration guide for the specific Cisco device.
- The Public Key Infrastructure (PKI) key generated during the Cisco device registration needs to be saved if it is not automatically saved after registration. If the device fails to salvage the PKI primal so a syslog is generated stating to save the configuration via "copy running-config startup-config" or "write memory".
- If the PKI key of the Cisco device is not properly saved, then the license country can exist lost on failovers or reloads.
- Smart Licensing does not support HTTPS Proxy SSL document interception by default when using tertiary party proxies for the HTTPS Proxy method. To back up this feature, you can either disable SSL interception on the Proxy, or manually import the certification sent from the Proxy.
How to Manually Import Certification equally a TrustPoint:
The certificate volition need exist in a BASE64 format to exist copied and pasted onto the device as a TrustPoint.The following example shown below uses "LicRoot" as the TrustPoint name, withal, this name can exist inverse as desired.
Device#conf t
Device(config)#crypto pki trustpoint LicRoot
Device(ca-trustpoint)#enrollment terminal
Device(ca-trustpoint)#revocation-check none
Device(ca-trustpoint)#leave
Device(config)#crypto pki authenticate LicRoot
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line past itself
-----BEGIN Document-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----Cease CERTIFICATE-----
Certificate has the following attributes:
Fingerprint MD5: XXXXXXXX
Fingerprint SHA1: XXXXXXX
% Practise you take this certificate? [yeah/no]: yes
Trustpoint CA certificate accepted.
% Document successfully imported
- When using the Transport Gateway HTTP Proxy the IP accost needs to exist changed from tools.cisco.com to the Proxy like the following:
destination accost http https://tools.cisco.com/its/service/oddce/services/DDCEService
TO
destination accost http https://<TransportGW-IP_Address>:<port_number>/Transportgateway/services/DeviceRequestHandler - The Transport Gateway IP address can plant by navigating to the HTTP Settings and looking under the HTTP Service URLs on the Cisco Ship Gateway GUI.
- For more information please run across the following configuration guide for the Cisco Transport Gateway here.
When migrating a Cisco device to a Smart Licensing enabled software version the following flowchart can be used equally a general guide for all three methods (Straight Cloud Access, HTTPS Proxy, andCisco Smart Software Director On-prem).
Device Upgraded or Shipped with software release that supports Smart Licensing (refer to section one.3 for list of supported IOS-XE releases).
Below troubleshooting steps mainly concentrate on a scenario in which 'device fails to annals'.
4.1. Device Fails to annals
After initial configuration, in society to enable Smart Licensing, Token, which is generated on CSSM /Cisco Smart Software Director on-prem, needs to be registered on the device via CLI:
license smart register idtoken <TOKEN>
This should generate the post-obit events:
! Smart licensing process starts
!
Registration process is in progress. Apply the 'show license status' command to bank check the progress and issue !
! Crypto primal is automatically generated for HTTPS advice
!
Generating 2048 bit RSA keys, keys will exist exportable... [OK] (elapsed time was 1 seconds) %CRYPTO_ENGINE-5-KEY_ADDITION: A key named SLA-KeyPair has been generated or imported by crypto-engine %PKI-4-NOCONFIGAUTOSAVE: Configuration was modified. Issue "write memory" to salvage new IOS PKI configuration !
! Telephone call-home beginning registration process
! %CALL_HOME-half dozen-SCH_REGISTRATION_IN_PROGRESS: SCH device registration is in progress. Call-home volition poll SCH server for registration result. Yous can also check SCH registration status with "telephone call-home asking registration-info" nether EXEC style. !
! Smart Licensing process connects with CSSM and check entitlement.
! %SMART_LIC-6-EXPORT_CONTROLLED: Usage of consign controlled features is allowed %SMART_LIC-6-AGENT_REG_SUCCESS: Smart Agent for Licensing Registration with the Cisco Smart Software Manager or satellitefor udi PID:<PID>,SN:<SN> %SMART_LIC-4-CONFIG_NOT_SAVED: Smart Licensing configuration has non been saved %SMART_LIC-five-IN_COMPLIANCE: All entitlements and licenses in use on this device are authorized %SMART_LIC-half dozen-AUTH_RENEW_SUCCESS: Authorization renewal with the Cisco Smart Software Director or satellite. State=authorized for udi PID:<PID>,SN:<SN>
To check phone call-home configuration, run the post-obit CLI:
#show call-dwelling profile all Profile Proper noun: CiscoTAC-1 Profile status: ACTIVE Profile fashion: Full Reporting Reporting Data: Smart Telephone call Habitation, Smart Licensing Preferred Message Format: xml Message Size Limit: 3145728 Bytes Send Method: http HTTP accost(es): https://tools.cisco.com/its/service/oddce/services/DDCEService Other address(es): default Periodic configuration info message is scheduled every 1 day of the month at 09:15 Periodic inventory info message is scheduled every i mean solar day of the calendar month at 09:00 Alarm-group Severity ------------------------ ------------ crash debug diagnostic minor environment alert inventory normal Syslog-Blueprint Severity ------------------------ ------------ APF-.-WLC_.* warning .* major
To check Smart Licensing status, run the following CLI:
#show license summary Smart Licensing is ENABLED Registration: Status: REGISTERED Smart Account: TAC Cisco Systems, Inc. Virtual Account: Krakow LAN-SW Export-Controlled Functionality: Allowed Final Renewal Effort: None Next Renewal Attempt: November 22 21:24:32 2019 UTC License Authorization: Status: AUTHORIZED Concluding Communication Endeavour: SUCCEEDED Next Communication Attempt: Jun 25 21:24:37 2019 UTC License Usage: License Entitlement tag Count Status ----------------------------------------------------------------------------- C9500 Network Reward (C9500 Network Advantage) 1 AUTHORIZED C9500-DNA-40X-A (C9500-40X Dna Advantage) i AUTHORIZED
In case device neglect to register (and Status is different from REGISTERED as shown above; annotation that Out-of-Compliance points to an issue on CSSM like missing license in Smart Virtual Account, incorrect mapping (i.e. Token from dissimilar virtual business relationship was used where licenses are non available, etc.) check the following:
i. Verify configuration settings and common failure scenarios
Refer to section two.ane for basic configuration steps. Look also at department 5 for common failure scenarios observed in the field.
2. Check basic connectivity
Verify that device can reach (and open TCP port) to tools.cisco.com (in case of straight access) or toCisco Smart Software Managing director on-premise server:
#prove run all | in destination address http destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService ! ! check connectivity ! #telnet tools.cisco.com 443 /source-interface gi0/0 Trying tools.cisco.com (173.37.145.8, 443)... Open [Connectedness to tools.cisco.com closed by strange host]
In case above does not work, double-cheque your routing rules, source-interface and firewall settings.
Note that HTTP (TCP/80) is being deprecated and the recommended protocol is HTTPS (TCP/443).
Refer to section: "3. Considerations and Caveats" in this document for farther guidelines how to configure DNS and HTTP details.
3. Verify Smart License settings
Collect the output of:
#show tech-support license
and validate collected configuration / logs (attach this output in example you decide to open up Cisco TAC example for further investigation).
four. Enable debugs
Enable the following debugs to collect additional information about Smart Licensing process (note that subsequently enabing debugs, you need to try to register license in one case again via CLi mentioned in point 4.1):
#debug telephone call-home smart-licensing [all | trace | fault] #debug ip http client [all | api | enshroud | fault | main | msg | socket]
For internal debugs, enable and read binary traces:
! enable debug #set platform software trace ios [switch] active R0 infra-sl debug ! ! read binary traces infra-sl process logs #show platform software trace bulletin ios [switch] active R0
The following are some common failure scenarios that could be experienced during or later on a Cisco device registration:
Scenario #1: Switch Registration "Failure Reason: Product Already Registered"
Snip of "evidence license all":
Registration:
Status:UNREGISTERED - REGISTRATION FAILED
Export-Controlled Functionality: NotAllowed
Initial Registration: FAILED on Oct 22 xiv:25:31 2018 EST
Failure reason: Production Already Registered
Next Registration Attempt: Oct 22 14:45:34 2018 EST
Next Steps:
- The Cisco device volition need to be registered again.
- If the Cisco device is seen in the Cisco Smart Software Managing director (CSSM), the "force" parameter volition need to be used (i.e. "license smart register idtoken <TOKEN> forcefulness")
Note: The failure reason can also show as the following:
- Failure reason: The product <X> and sudi containing udiSerialNumber:<SerialNumber>,udiPid:<Product> has already been registered.
- Failure reason: Existing Product Instance has Consumption and Force Flag is False
Scenario #ii: Switch Registration "Failure Reason: Your request could not be candy right now. Delight try again"
Snip of "show license all":
Registration:
Status: REGISTERING - REGISTRATION IN PROGRESS
Consign-Controlled Functionality: NotAllowed
Initial Registration: FAILED on Oct 24 15:55:26 2018 EST
Failure reason: Your request could non be processed right now. Please try again
Side by side Registration Endeavour: Oct 24 16:12:15 2018 EST
Adjacent Steps:
- Enable debugs as mentioned in section 4 to get more insights on the issue,
- Generate new Token in CSSM in your Smart Licensing and take an another attempt.
Scenario #3: Failure Reason "The device date 1526135268653 is offset beyond the immune tolerance limit
Snip of "show license all":
Registration:
Status: REGISTERING - REGISTRATION IN PROGRESS
Export-Controlled Functionality: NotAllowed
Initial Registration: FAILED on Nov 1117:55:46 2018 EST
Failure reason: {"timestamp":["The device appointment '1526135268653' is offset across the allowed tolerance limit."]}
Side by side Registration Effort: Nov eleven eighteen:12:17 2018 EST
Possible Logs Seen:
%PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed. The document (SN: XXXXXX) is non yet valid. Validity menstruation starts on 2018-12-12:43Z
Next Steps:
- Verify that the Cisco device clock is showing the correct time (evidence clock)
- Configure the Network Time Protocol (NTP) if possible to ensure the clock is set correctly
- If NTP is non possible, verify that the manually ready clock (clock set) is correct (prove clock) and configured equally a trusted time source past verifying that "clock calendar-valid" is configured
Annotation: By default, the arrangement clock is non trusted. "clock calendar-valid" is required.
Scenario #four: Switch Registration "Failure Reason: Communication send non available."
Snip of "show license all":
Registration: Status: UNREGISTERED - REGISTRATION FAILED
Export-Controlled Functionality: Not Allowed
Initial Registration: FAILED on Mar 09 21:42:02 2019 CST
Failure reason: Communication ship not available.
Possible Logs Seen:
%CALL_HOME-3-CALL_HOME_FAILED_TO_ENABLE: Failed to enable call-dwelling from Smart Agent for Licensing: The command failed to enable smart call home due to an existing agile user profile. If yous are using a user contour other than "CiscoTAC-i" profile to send data to SCH server in Cisco, please enter "reporting smart-licensing-data" under profile style to configure that profile for smart licensing. For more than details almost SCH, please check http://www.cisco.com/become/smartcallhome
%SMART_LIC-3-AGENT_REG_FAILED: Smart Amanuensis for Licensing Registration with the Cisco Smart Software Manager or satellite failed: Communication transport not available.
%SMART_LIC-3-COMM_FAILED: Communications failure with the Cisco Smart Software Manager or satellite: Advice ship not available.
Adjacent Steps:
- Verify that call-home is enabled with "service call-abode" in the "show running-config" output of the Cisco device
- Ensure that the correct call-home contour is active
- Verify that "reporting smart-licensing-information" is configured under the agile call-dwelling house profile
Scenario #5: Switch License Authorization "Failure reason: Fail to send out Call Home HTTP message."
Snip of "bear witness license all":
License Authorization:
Status: OUT OF COMPLIANCE on Jul 26 09:24:09 2018 UTC
Last Communication Attempt: FAILED on Aug 02 fourteen:26:23 2018 UTC
Failure reason: Fail to ship out Call Home HTTP message.
Side by side Communication Attempt: Aug 02 fourteen:26:53 2018 UTC
Advice Borderline: Oct 25 09:21:38 2018 UTC
Possible logs are seen:
%CALL_HOME-v-SL_MESSAGE_FAILED: Fail to ship out Smart Licensing message to: https://<ip>/its/service/oddce/services/DDCEService (ERR 205 : Request Aborted)
%SMART_LIC-3-COMM_FAILED:Communications failure with the Cisco Smart Software Manager or satellite: Fail to send out Phone call Home HTTP message.
%SMART_LIC-3-AUTH_RENEW_FAILED:Potency renewal with the Cisco Smart Software Manager or satellite: Communication message ship mistake for udi PID:30, SN: Thirty
Next Steps:
- Verify that the Cisco device can ping tools.cisco.com
- if DNS is not configured, configure a DNS server or a "ip host" statement for the local nslookup IP for tools.cisco.com
- Attempt to telnet from the Cisco device to tools.cisco.com on TCP port 443 (port used by HTTPS)
- Verify that the HTTPs customer source interface is defined and correct
- Verify that the URL/IP in the phone call home profile is set correctly on the Cisco device via "show call-home contour all"
- Verify the ip route is pointing to the correct side by side hop
- EnsureTCP port 443is not beingness blocked on the Cisco device, the path to Smart Call Domicile Server, or theCisco Smart Software Director on-prem (satellite)
- Ensure that the right Virtual Routing and Forwarding (VRF) instance is configured under call-home if applicable
Scenario #6: Failure Reason "Missing Id cert serial number field; Missing signing cert serial number field; Signed data and certificate does non lucifer" Log
This behavior is seen when working with a CSSM on-premise server that has had its crypto document expire as documented in CSCvr41393. This is expected behavior every bit the CSSM on-prem should be immune to sync and renew its document to foreclose a certification sync issue with any registering devices.
Snip of "show license all":
Registration:
Status: UNREGISTERED
Smart Account: Example Account
Export-Controlled Functionality: ALLOWED
License Authorization:
Status: EVAL Fashion
Evaluation Period Remaining: 65 days, xviii hours, 43 minutes, 0 seconds
Possible Logs Seen:
Under "show logging" or "show license eventlog" the following mistake is seen:
SAEVT_DEREGISTER_STATUS msgStatus="LS_INVALID_DATA" error="Missing Id cert serial number field; Missing signing cert serial number field; Signed data and document does not match"
Next Steps:
- Verify that the Cisco device has IP connectivity to CSSM on-premise server
- If using HTTPS, ostend the certification C-Name is being used in the devices call-home configuration
- If a DNS server is non available to resolve the certification C-Name, configure a static "ip host" argument to map the domain proper noun and IP address
- Verify condition of certificate on CSSM on-premise is however valid
- If CSSM on-premise certificate is expired, follow ane of the workarounds documented in CSCvr41393
Note: By default, HTTPS will perform a server identity check during the SSL handshake to verify the URL or IP is the aforementioned as the provided certificate from the server. This tin crusade issues when using IP addresses instead of a DNS entry if the hostname and IP do not match. If DNS is not possible or a static ip host statement, "no http secure server-identity-check" tin can be configured to disable this certification check.
Scenario #7: Switch License Authorization "Failure reason: Waiting for reply"
Snip of "show license all":
License Authorization:
Status: OUT OF COMPLIANCE on Jul 26 09:24:09 2018 UTC
Last Communication Attempt: PENDING on Aug 02 14:34:51 2018 UTC
Failure reason: Waiting for reply
Next Advice Attempt: Aug 02 14:53:58 2018 UTC
Communication Deadline: October 25 09:21:39 2018 UTC
Possible logs are seen:
%PKI-3-CRL_FETCH_FAIL: CRL fetch for trustpoint SLA-TrustPoint failed Reason : Failed to select socket. Timeout : 5 (Connection timed out)
%PKI-three-CRL_FETCH_FAIL: CRL fetch for trustpoint SLA-TrustPoint failed Reason : Failed to select socket. Timeout : 5 (Connection timed out)
Adjacent Steps:
- To correct this result the SLA-TrustPoint should be configured as none under the running configuration
show running-config
<omitted>
crypto pki trustpoint SLA-TrustPoint
revocation-check none
What is a CRL?
A Certificate Revocation List (CRL) is a listing of revoked certificates. The CRL is created and digitally signed past the certificate authority (CA) that originally issued the certificates. The CRL contains dates for when each certificate was issued and when it expires. Further information in regards to CRL is available here.
Scenario #8: License in "OUT OF COMPLIANCE" condition
Snip of "show license all":
License Potency:
Status: OUT OF COMPLIANCE on Jul 26 09:24:09 2018 UTC
Last Advice Attempt: PENDING on Aug 02 xiv:34:51 2018 UTC
Failure reason: Waiting for respond
Side by side Communication Attempt: Aug 02 14:53:58 2018 UTC
Communication Deadline: October 25 09:21:39 2018 UTC
Possible logs are seen:
%SMART_LIC-3-OUT_OF_COMPLIANCE: Ane or more entitlements are out of compliance
Side by side Steps:
- Verify if Token from proper Smart Virtual Account has been used,
- Verify corporeality of available licenses here.
Scenario #9: Switch License Authorisation "Failure reason: Data and signature do not lucifer "
Snip of "evidence license all":
License Authorization:
Condition: AUTHORIZED on Mar 12 09:17:45 2020 EDT
Last Communication Attempt: FAILED on Mar 12 09:17:45 2020 EDT
Failure reason: Information and signature do not friction match
Next Communication Attempt: Mar 12 09:eighteen:15 2020 EDT
Communication Deadline: May 09 21:22:43 2020 EDT
Possible logs are seen:
%SMART_LIC-3-AUTH_RENEW_FAILED: Authorization renewal with the Cisco Smart Software Manager (CSSM) : Error received from Smart Software Manager: Information and signature practise not match for udi PID:C9000,SN:XXXXXXXXXXX
Next Steps:
- Deregister the switch with "License smart deregister"
- And so annals the switch using a new token with "license smart register idtoken <TOKEN> force"
1) Cisco Smart Licensing home folio
two) Cisco Community - On-Demand Trainings.
iii) Smart Account - direction portal: Smart Software Licensing
4) Smart Account - create new accounts: Smart Accounts
5) Configuration guide (example) - System Management Configuration Guide, Cisco IOS XE Fuji xvi.9.x (Goad 9300 Switches)
wheelerwhicagoers.blogspot.com
Source: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9500-series-switches/214484-cisco-smart-licensing-troubleshooting.html
0 Response to "Photofunstudio Try Again After the Registartion Is Completed"
Postar um comentário