Ilsos License Renewal Your Session Has Expired Please Try Again
ane.one. What is Cisco Smart Licensing?
Cisco Smart Licensing is a deject-based unified license management system that manages all of the software licenses across Cisco products. It enables customers to purchase, deploy, manage, track and renew Cisco Software licenses. It as well provides information nearly license ownership and consumption through a single user interface
The solution is comprised of online Smart Accounts (at Cisco Smart Licensing Portal) used for tracking Cisco software assets and the Cisco Smart Software Manager (CSSM) which is used to manage the Smart Accounts. CSSM is where all licensing management related tasks, such every bit registering, de-registering, moving, and transferring licenses can exist performed. Users can be added and given access and permissions to the smart business relationship and specific virtual accounts.
To learn more about Cisco Smart Licensing, visit:
a) Cisco Smart Licensing home page
b) Cisco Customs - On-Demand Trainings
For more data on the new Smart Licensing using Policy method in IOS-XE 17.3.2 and after, visit Smart Licensing using Policy on Catalyst Switches
New to Smart Licensing and/or Smart Account administration? Visit and sign upwardly for the new ambassador grooming grade and recording:
Cisco Community - Get Smart with Cisco Smart Accounts/Smart Licensing and My Cisco Entitlements
Smart accounts tin can exist created here: Smart Accounts
Smart accounts can exist managed here: Smart Software Licensing
i.2. Smart Licensing Implementation Methods
There are multiple methods in deploying Cisco Smart Licensing that tin can be leveraged depending on a company's security contour such as:
Directly Cloud Access
Cisco products send usage information straight over the Cyberspace securely using HTTPS. No additional components are needed.
Access through an HTTPS Proxy
Cisco products send usage information through an HTTP proxy server securely using HTTPS. An existing proxy server can exist used or this tin be deployed through Cisco'south Transport Gateway. (click hither for some additional information).
On-premise License Server (Also known equally Cisco Smart Software Managing director satellite)
Cisco products send usage information to an on-premise server instead of straight over the cyberspace. In one case a month the server reaches out over the cyberspace for all devices via HTTPS or can exist manually transferred to synchronize its database. CSSM On-prem (Satellite) is available equally a Virtual Car (VM) and can be downloaded here. For additional information, visit Smart Software Managing director Satellite folio.
1.3. Supported IOS XE Platforms
- From IOS XE version xvi.9.1 release onwards, the Catalyst 3650/3850 and Goad 9000 serial switch platforms support the Cisco Smart Licensing method equally the just licensing method.
- From IOS XE version 16.10.1 release onwards, router platforms such as the ASR1K, ISR1K, ISR4K, and virtual routers (CSRv / ISRv) support the Cisco Smart Licensing method every bit the just licensing method.
i.4. Migration from Legacy Licenses to Smart Licenses
There are two methods for converting a legacy license, similar Right-To-Utilise (RTU) or Product Activation Key (PAK) to a Smart License. For details on which method needs to be followed please refer to the relevant release notes and/or configuration guide for the specific Cisco device.
one.4.1. Converting through Device Led Conversion (DLC)
- Device Led Conversion (DLC) is a one-time method where the Cisco Production tin report what licenses it is using and the licenses are automatically deposited into their respective Smart Business relationship on the Cisco Smart Software Manager (CSSM). The DLC procedure is performed directly from the Command Line Interface (CLI) of the specific Cisco device.
- The DLC procedure is simply supported on the Catalyst 3650/3850 and selected router platforms. For specific router models delight refer to the individual platform configuration guide and release notes. Example:DLC process for Catalyst 3850 running Fuji 16.ix.10 releases.
one.4.2. Converting through Cisco Smart Software Manager (CSSM) or License Registration Portal (LRP)
Cisco Smart Software Manager (CSSM) Method:
1. Login to Cisco Smart Software Manager (CSSM) at https://software.cisco.com/
2. Navigate to Smart Software Licensing > Catechumen to Smart Licensing
3. Select Convert PAK or Catechumen Licenses
four. Locate the license in the table below if converting PAK license. If converting a non-PAK license utilize the "License Conversion Wizard" for step by pace directions.
Location of known PAK files associated with Account:
Location of "License Conversion Wizard" link:
5. Locate the Desired License and Product combination
half dozen. Click (under Deportment): Catechumen to Smart Licensing
7. Select desired virtual account, license, and click Adjacent
8. Review Selections, so click Convert Licenses
License Registration Portal (LRP) Method:
1. Login to the License Registration Portal (LRP) http://tools.cisco.com/SWIFT/LicensingUI/Home
2. Navigate to Devices > Add Devices
3. Enter the proper Product Family and Unique Device Identifier (UDI) production ID and serial number and then click Ok. UDI information can be obtained from "show version" or "bear witness inventory" taken from the command line interface (CLI) of the Cisco device
4. Choose the added device and Convert Licenses to Smart Licensing
5. Assign to proper Virtual Account, select licenses to catechumen and Submit
Tip: LRP tool can too be used by looking up the license/product family on the "PAKs or Tokens" tab, clicking the circle driblet downwardly next to the PAK/Token and selecting "Convert to Smart Licensing":
i.four.three. Converting through contacting Cisco Global Licensing Operations (GLO) department
The Global Licensing Operations department can be reached hither at our worldwide contact centers.
i.5. Catalyst 9500 Loftier Performance Beliefs Change from 16.9 to 16.12.3
Like other Catalyst 9000 models, the Goad 9500 Loftier Performance models were enabled with Smart Licensing in the IOS XE version xvi.nine railroad train and onwards. For the Catalyst 9500 Loftier Performance models, yet, each model had its ain specific license entitlement tag. Information technology was afterward on decided by the product and marketing teams to unify the C9500 platforms entitlement tags. This conclusion inverse the behavior on the C9500 Loftier Performance models from using specific entitlement tags to generic C9500 licenses.
This modify in behavior is documented in the following defects:
a) CSCvp30661
b) CSCvt01955
Below is the before and after of the above-mentioned changes license changes for C9500 High Performance models:
1.5.ane. IOS XE version 16.11.10 and below
Each C9600 High Performance model has its ain entitlement tags:
| Model | License |
| C9500-32C | C9500 32C NW Essentials C9500 32C NW Advantage C9500 32C DNA Essentials C9500 32C DNA Reward |
| C9500-32QC | C9500 32QC NW Essentials C9500 32QC NW Reward C9500 32QC Dna Essentials C9500 32QC DNA Advantage |
| C9500-24Y4C | C9500 24Y4C NW Essentials C9500 24Y4C NW Advantage C9500 24Y4C DNA Essentials C9500 24Y4C DNA Reward |
| C9500-48Y4C | C9500 48Y4C NW Essentials C9500 48Y4C NW Advantage C9500 48Y4C Deoxyribonucleic acid Essentials C9500 48Y4C Deoxyribonucleic acid Reward |
Note: IOS XE versions16.12.1 & 16.12.two have the following defects CSCvp30661, CSCvt01955 and are addressed in sixteen.12.3a and later.
1.v.ii. IOS XE version sixteen.12.3 and onwards
Catalyst 9500 High Functioning platforms will now use generic network license tags and separate Deoxyribonucleic acid license tags. The tabular array below shows the entitlements changes highlighted in IOS XE version 16.12.3 and onwards:
| Model | License |
| C9500-32C | C9500 Network Essentials C9500 Network Advantage C9500 32C Dna Essentials C9500 32C Deoxyribonucleic acid Advantage |
| C9500-32QC | C9500 Network Essentials C9500 Network Advantage C9500 32QC DNA Essentials C9500 32QC Deoxyribonucleic acid Advantage |
| C9500-24Y4C | C9500 Network Essentials C9500 Network Reward C9500 24Y4C DNA Essentials C9500 24Y4C DNA Advantage |
| C9500-48Y4C | C9500 Network Essentials C9500 Network Advantage C9500 48Y4C Deoxyribonucleic acid Essentials C9500 48Y4C DNA Reward |
Notation: Upgrades from IOS XE versions xvi.12.one and 16.12.2 will display this license behavior. Upgrades from IOS XE versions sixteen.9.10 ,16.10.x, 16.11.x to 16.12.3 will recognise old license configurations.
1.5.3. C9500 High Operation Change FAQ
1. Why does Cisco support classify a generic network license, when my device is consuming a device-specific network license?
Generic tags are provided as they are the right entitlement tags for the network device. This allows usage of the entitlement tags across the entire Cat9500 platform, not but the specific C9500 high operation models. Pre-16.12.3 images that ask for device-specific license tags are in compliance with the generic license tags as the more specific licenses fall nether the generic licenses in the licensing hierarchy.
2. Why exercise two network tags sometimes evidence upwards in the Smart Business relationship?
This behavior is due to the licensing hierarchy and happens when the device is running on an older image that utilizes device-specific licensing tags. Older images that ask for device-specific license tags are in compliance with the generic license tags equally the more specific tags autumn under the generic licenses in the licensing bureaucracy.
2.i. Bones configuration
Exact procedure how to configure Smart Licensing can be found in System Management Configuration Guide bachelor for each release / platform.
For example: System Direction Configuration Guide, Cisco IOS XE Fuji sixteen.9.x (Catalyst 9300 Switches)
2.two. Registration Token / Device ID Token
Before registering device, Token needs to exist generated. The registration token, besides known every bit the device id token, is a unique token generated from the smart licensing portal orCisco Smart Software Manager on-prem when initially registering a Cisco device to the corresponding smart account. An individual token tin can exist used to annals multiple Cisco devices depending on the parameters used during cosmos.
The registration token is also only required during initial registration of a Cisco device as information technology provides the information to the device to call-dwelling house to the Cisco back cease and exist tied to the correct Smart Account. After the Cisco device is registered the token is no longer required.
For more than information in regard to registration tokens and how they are generated, delight click hither for a full general guide. For more details, please refer to the configuration guide for the specific Cisco device.
2.3. Registration and License States
While deploying and configuring Smart Licensing there are multiple possible states that a Cisco device tin exist in. These states can be displayed past looking at bear witness license all or testify license status from the Command Line Interface (CLI) of the Cisco device.
Beneath is a listing of all states and their pregnant:
- Evaluation (Unidentified) State
- This is a default state of the device when first booted.
- Usually, this country is seen when a Cisco device has non withal been configured for Smart Licensing or registered to a Smart Business relationship.
- In this country all features are available and the device tin can freely alter license levels.
- The evaluation period is used when the device is in the unidentified state. The device volition not attempt to communicate with Cisco in this land.
- This volition be 90 days of usage and not 90 calendar days.Once it is expired it is never reset.
- There is one evaluation period for the entire device it is not per entitlement
- When the evaluation menstruation expires at the end of 90 days, the device goes in to EVAL Death fashion, yet there is no functional affect or disruption in functionality, even after reload. Currently in that location is no enforcement in place.
- The countdown time is maintained beyond reboots.
- The evaluation period is used if the device has not nevertheless registered with Cisco and has non received the post-obit two messages from the Cisco backend:
- Successful response to a registration request
- Successful response to an entitlement authorization asking.
- Registered Land
- This is the expected country after successfully completing registration.
- The Cisco device has been able to successfully communicate with a Cisco Smart Account and annals.
- The device receives an ID certificate valid for 1 year which will be used for future communications
- The device will transport a request to CSSM to authorize the entitlements for the licenses in use on the device
- Depending on the CSSM response the device will so enter Authorized or Out of Compliance
- The Id certificate expires at the cease of one yr. After 6 months the software Agent process will try to renew the certificate. If the Agent cannot communicate with the Cisco Smart Software Manager it will go along to try and renew the Id document until the expiration date (one twelvemonth). At the stop of i year, the agent will become back to the Un-Identified land and volition try to enable the Evaluation menstruum. The CSSM volition remove the product case from its database.
- Authorized State
- This is the expected state when device is using an entitlement and is in Compliance (no negative balance),
- The Virtual Account on CSSM had the correct type and number of licenses to authorize the consumption of the device's licenses
- At the stop of 30 days, the device will send a new asking to CSSM to renew the authorization.
- Has a fourth dimension span of xc days afterwards which (if non successfully renewed) is moved to Authorization Expired country.
- Out of Compliance Land
- This is the state when device is using an entitlement and is not in Compliance (negative balance),
- This state is seen when the device does not have an available license in the corresponding Virtual Account that the Cisco device is registered to in the Cisco Smart Account.
- To enter into Compliance / Authorized state, a customer must add the correct number and type of licenses to the Smart Account
- When in this state the device will automatically send an authorization renewal request every day
- Licenses and features will go along to operate and there is no functional impact
- Authorisation Expired State
- This is the land when device is using an entitlement has not been able to communicate with the Cisco Smart Business relationship associated for over 90 days.
- This is typically seen if the Cisco device loses net access or cannot connect to tools.cisco.com afterwards initial registration.
- Online methods of smart licensing require Cisco devices to communicate a minimum of every 90 days to prevent this status.
- CSSM will render all in utilise licenses for this device back to the pool since it has non had any communications for 90 days
- While in this state the device volition go along to effort to contact Cisco, every hour, to renew the entitlement authorization, until the registration period (id certificate) expires
- If the software Agent re-establishes communications with Cisco and receives to its asking for authorisation it volition process that reply normally and enter into one of the established states
- Starting in sixteen.9.1 for switches and 16.ten.1 for routers, a default Call-home profile named "CiscoTAC-1" is generated to assist with migrating to Smart Licensing. Past default, this profile is set up up for the Direct Cloud Access method.
#evidence call-home profile CiscoTAC-1 Profile Proper name: CiscoTAC-i Contour condition: Agile Profile mode: Full Reporting Reporting Data: Smart Phone call Home, Smart Licensing Preferred Bulletin Format: xml Message Size Limit: 3145728 Bytes Transport Method: http HTTP address(es): https://tools.cisco.com/its/service/oddce/services/DDCEService Other address(es): default <snip>
- When utilizing aCisco Smart Software Manager on-premise server, the destination accost nether the active telephone call-home configuration must indicate to it (case-sensitive!):
(config)#call-dwelling
(cfg-phone call-home)#profile "CiscoTAC-one"
(cfg-telephone call-abode-profile)#destination address http https://<IP/FQDN>/Transportgateway/services/DeviceRequestHandler
- DNS is required to resolve tools.cisco.com. If DNS server connectivity is in a VRF, ensure the proper source-interface and VRF are defined in the following:
Global Routing Table Used:
(config)#ip domain-lookup [source-interface <INTERFACE>]
(config)#ip name-server <IP>VRF Routing Table Used:
(config)#ip domain-lookup [source-interface <INTERFACE>] <<-- "ip vrf forwarding <VRF-NAME>" defined on the interface
(config)#ip proper noun-server vrf <VRF-Name> <SERVER-IP>
Alternatively, if DNS is not available, statically configure local DNS to IP mapping (based on local DNS resolution on your end-device) or replace DNS name in call-home configuration with IP address. Refer to example for direct cloud access (forCisco Smart Software Manager on-prem employ its own DNS proper name instead of tools.cisco.com):
(config)#ip host tools.cisco.com 173.37.145.8
- If communication to tools.cisco.comneeds to be originated from the interface in specific VRF (due east.g. Mgmt-vrf), then the following CLI needs to be configured:
(config)#ip http client source-interface <VRF_INTERFACE>
- A different number of licenses might exist consumed depending on the configuration of the Cisco device such every bit with Goad switches running in StackWise or StackWise Virtual:
Traditional Stack-wise Supported Switches (due east.chiliad. Goad 9300 series):
Network License: ane license is consumed per switch in the stack
Deoxyribonucleic acid License: i license is consumed per switch in the stack
Modular Chassis (due east.m. Goad 9400 series):
Network License: one license is consumed per supervisor in the chassis
Deoxyribonucleic acid License: ane license is consumed per chassis
Fixed Stack-wise Virtual Supported Switches (e.g. Catalyst 9500 series):
Network License: one license is consumed per switch in the stack
Deoxyribonucleic acid License: i license is consumed per switch in the stack
- Just 1 call-home profile can exist active for Smart Licensing.
- Licenses are only consumed if a corresponding feature is configured.
- Cisco devices configured for Smart Licensing need to exist configured with the correct organization time and date to ensure they are properly synchronized with the corresponding Cisco Smart Account. If the time offset of the Cisco device is likewise far off it, the device tin neglect to register. The clock will need to be manually set or configured via a timing protocol such as Network Fourth dimension Protocol (NTP) or Precision Time Protocol (PTP). For the exact steps required to implement these changes please refer to the configuration guide for the specific Cisco device.
- The Public Fundamental Infrastructure (PKI) key generated during the Cisco device registration needs to be saved if it is non automatically saved after registration. If the device fails to save the PKI key then a syslog is generated stating to salvage the configuration via "copy running-config startup-config" or "write retentiveness".
- If the PKI key of the Cisco device is non properly saved, and then the license state tin be lost on failovers or reloads.
- Smart Licensing does not support HTTPS Proxy SSL certificate interception by default when using tertiary political party proxies for the HTTPS Proxy method. To support this feature, you can either disable SSL interception on the Proxy, or manually import the certification sent from the Proxy.
How to Manually Import Certification as a TrustPoint:
The certificate will demand be in a BASE64 format to be copied and pasted onto the device as a TrustPoint.The following example shown below uses "LicRoot" equally the TrustPoint proper noun, however, this name tin be inverse every bit desired.
Device#conf t
Device(config)#crypto pki trustpoint LicRoot
Device(ca-trustpoint)#enrollment terminal
Device(ca-trustpoint)#revocation-bank check none
Device(ca-trustpoint)#exit
Device(config)#crypto pki authenticate LicRoot
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
Certificate has the following attributes:
Fingerprint MD5: XXXXXXXX
Fingerprint SHA1: XXXXXXX
% Do yous accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
- When using the Send Gateway HTTP Proxy the IP address needs to exist changed from tools.cisco.com to the Proxy like the following:
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
TO
destination address http https://<TransportGW-IP_Address>:<port_number>/Transportgateway/services/DeviceRequestHandler - The Ship Gateway IP accost can found past navigating to the HTTP Settings and looking under the HTTP Service URLs on the Cisco Send Gateway GUI.
- For more information please run across the following configuration guide for the Cisco Transport Gateway here.
When migrating a Cisco device to a Smart Licensing enabled software version the post-obit flowchart can be used as a general guide for all three methods (Direct Cloud Access, HTTPS Proxy, andCisco Smart Software Manager On-prem).
Device Upgraded or Shipped with software release that supports Smart Licensing (refer to department one.iii for list of supported IOS-XE releases).
Below troubleshooting steps mainly concentrate on a scenario in which 'device fails to register'.
4.i. Device Fails to register
After initial configuration, in order to enable Smart Licensing, Token, which is generated on CSSM /Cisco Smart Software Manager on-prem, needs to be registered on the device via CLI:
license smart annals idtoken <TOKEN>
This should generate the post-obit events:
! Smart licensing process starts
!
Registration process is in progress. Use the 'show license status' command to cheque the progress and result !
! Crypto fundamental is automatically generated for HTTPS communication
!
Generating 2048 bit RSA keys, keys will be exportable... [OK] (elapsed time was 1 seconds) %CRYPTO_ENGINE-v-KEY_ADDITION: A key named SLA-KeyPair has been generated or imported by crypto-engine %PKI-4-NOCONFIGAUTOSAVE: Configuration was modified. Consequence "write memory" to save new IOS PKI configuration !
! Phone call-home start registration process
! %CALL_HOME-6-SCH_REGISTRATION_IN_PROGRESS: SCH device registration is in progress. Telephone call-home volition poll SCH server for registration effect. Y'all tin also check SCH registration status with "call-home request registration-info" under EXEC mode. !
! Smart Licensing procedure connects with CSSM and check entitlement.
! %SMART_LIC-6-EXPORT_CONTROLLED: Usage of export controlled features is allowed %SMART_LIC-vi-AGENT_REG_SUCCESS: Smart Agent for Licensing Registration with the Cisco Smart Software Manager or satellitefor udi PID:<PID>,SN:<SN> %SMART_LIC-4-CONFIG_NOT_SAVED: Smart Licensing configuration has not been saved %SMART_LIC-5-IN_COMPLIANCE: All entitlements and licenses in use on this device are authorized %SMART_LIC-half-dozen-AUTH_RENEW_SUCCESS: Say-so renewal with the Cisco Smart Software Manager or satellite. State=authorized for udi PID:<PID>,SN:<SN>
To bank check call-habitation configuration, run the following CLI:
#show call-abode profile all Contour Name: CiscoTAC-i Contour status: ACTIVE Profile fashion: Full Reporting Reporting Data: Smart Telephone call Abode, Smart Licensing Preferred Message Format: xml Bulletin Size Limit: 3145728 Bytes Ship Method: http HTTP address(es): https://tools.cisco.com/its/service/oddce/services/DDCEService Other address(es): default Periodic configuration info bulletin is scheduled every 1 day of the month at 09:fifteen Periodic inventory info bulletin is scheduled every 1 twenty-four hour period of the calendar month at 09:00 Alert-group Severity ------------------------ ------------ crash debug diagnostic small-scale environment warning inventory normal Syslog-Design Severity ------------------------ ------------ APF-.-WLC_.* warning .* major
To check Smart Licensing status, run the post-obit CLI:
#evidence license summary Smart Licensing is ENABLED Registration: Status: REGISTERED Smart Business relationship: TAC Cisco Systems, Inc. Virtual Account: Krakow LAN-SW Export-Controlled Functionality: ALLOWED Last Renewal Attempt: None Adjacent Renewal Effort: Nov 22 21:24:32 2022 UTC License Say-so: Status: AUTHORIZED Terminal Communication Attempt: SUCCEEDED Adjacent Advice Attempt: Jun 25 21:24:37 2022 UTC License Usage: License Entitlement tag Count Status ----------------------------------------------------------------------------- C9500 Network Advantage (C9500 Network Advantage) 1 AUTHORIZED C9500-DNA-40X-A (C9500-40X Deoxyribonucleic acid Advantage) ane AUTHORIZED
In instance device fail to register (and Condition is dissimilar from REGISTERED as shown higher up; annotation that Out-of-Compliance points to an issue on CSSM like missing license in Smart Virtual Account, incorrect mapping (i.e. Token from dissimilar virtual account was used where licenses are non bachelor, etc.) check the following:
1. Verify configuration settings and common failure scenarios
Refer to section ii.i for basic configuration steps. Look likewise at section v for common failure scenarios observed in the field.
2. Check basic connectivity
Verify that device can achieve (and open up TCP port) to tools.cisco.com (in case of direct access) or toCisco Smart Software Manager on-premise server:
#show run all | in destination address http destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService ! ! check connectivity ! #telnet tools.cisco.com 443 /source-interface gi0/0 Trying tools.cisco.com (173.37.145.8, 443)... Open [Connection to tools.cisco.com closed by foreign host]
In case above does not piece of work, double-bank check your routing rules, source-interface and firewall settings.
Annotation that HTTP (TCP/fourscore) is being deprecated and the recommended protocol is HTTPS (TCP/443).
Refer to section: "3. Considerations and Caveats" in this document for further guidelines how to configure DNS and HTTP details.
3. Verify Smart License settings
Collect the output of:
#prove tech-back up license
and validate collected configuration / logs (attach this output in example y'all decide to open Cisco TAC case for further investigation).
four. Enable debugs
Enable the post-obit debugs to collect additional information near Smart Licensing process (notation that after enabing debugs, y'all need to try to register license again via CLi mentioned in betoken four.1):
#debug call-home smart-licensing [all | trace | error] #debug ip http client [all | api | cache | error | main | msg | socket]
For internal debugs, enable and read binary traces:
! enable debug #set platform software trace ios [switch] active R0 infra-sl debug ! ! read binary traces infra-sl process logs #prove platform software trace message ios [switch] active R0
The following are some common failure scenarios that could be experienced during or afterwards a Cisco device registration:
Scenario #ane: Switch Registration "Failure Reason: Product Already Registered"
Snip of "show license all":
Registration:
Status:UNREGISTERED - REGISTRATION FAILED
Export-Controlled Functionality: NotAllowed
Initial Registration: FAILED on Oct 22 14:25:31 2022 EST
Failure reason: Product Already Registered
Side by side Registration Attempt: Oct 22 14:45:34 2022 EST
Adjacent Steps:
- The Cisco device will need to be registered again.
- If the Cisco device is seen in the Cisco Smart Software Manager (CSSM), the "force" parameter volition need to be used (i.eastward. "license smart register idtoken <TOKEN> strength")
Notation: The failure reason can also show as the following:
- Failure reason: The product <10> and sudi containing udiSerialNumber:<SerialNumber>,udiPid:<Product> has already been registered.
- Failure reason: Existing Product Example has Consumption and Force Flag is Simulated
Scenario #2: Switch Registration "Failure Reason: Your request could non be processed right now. Please try again"
Snip of "bear witness license all":
Registration:
Status: REGISTERING - REGISTRATION IN PROGRESS
Consign-Controlled Functionality: NotAllowed
Initial Registration: FAILED on Oct 24 xv:55:26 2022 EST
Failure reason: Your request could not be candy correct now. Delight try again
Next Registration Attempt: Oct 24 sixteen:12:15 2022 EST
Adjacent Steps:
- Enable debugs as mentioned in section 4 to go more than insights on the outcome,
- Generate new Token in CSSM in your Smart Licensing and take an another effort.
Scenario #3: Failure Reason "The device engagement 1526135268653 is get-go beyond the allowed tolerance limit
Snip of "bear witness license all":
Registration:
Condition: REGISTERING - REGISTRATION IN PROGRESS
Export-Controlled Functionality: NotAllowed
Initial Registration: FAILED on November 1117:55:46 2022 EST
Failure reason: {"timestamp":["The device date '1526135268653' is offset across the allowed tolerance limit."]}
Next Registration Attempt: Nov 11 eighteen:12:17 2022 EST
Possible Logs Seen:
%PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed. The document (SN: XXXXXX) is non yet valid. Validity flow starts on 2018-12-12:43Z
Next Steps:
- Verify that the Cisco device clock is showing the correct time (show clock)
- Configure the Network Time Protocol (NTP) if possible to ensure the clock is set correctly
- If NTP is not possible, verify that the manually set clock (clock set) is correct (show clock) and configured as a trusted fourth dimension source by verifying that "clock agenda-valid" is configured
Notation: By default, the arrangement clock is not trusted. "clock calendar-valid" is required.
Scenario #4: Switch Registration "Failure Reason: Communication transport not available."
Snip of "testify license all":
Registration: Status: UNREGISTERED - REGISTRATION FAILED
Export-Controlled Functionality: Not Allowed
Initial Registration: FAILED on Mar 09 21:42:02 2022 CST
Failure reason: Communication transport not available.
Possible Logs Seen:
%CALL_HOME-three-CALL_HOME_FAILED_TO_ENABLE: Failed to enable phone call-home from Smart Amanuensis for Licensing: The command failed to enable smart telephone call home due to an existing agile user profile. If you are using a user profile other than "CiscoTAC-ane" profile to send data to SCH server in Cisco, please enter "reporting smart-licensing-information" under profile mode to configure that profile for smart licensing. For more than details about SCH, please cheque http://www.cisco.com/go/smartcallhome
%SMART_LIC-3-AGENT_REG_FAILED: Smart Agent for Licensing Registration with the Cisco Smart Software Manager or satellite failed: Advice send non bachelor.
%SMART_LIC-3-COMM_FAILED: Communications failure with the Cisco Smart Software Manager or satellite: Communication ship not available.
Adjacent Steps:
- Verify that call-abode is enabled with "service call-dwelling house" in the "show running-config" output of the Cisco device
- Ensure that the correct call-domicile profile is active
- Verify that "reporting smart-licensing-information" is configured nether the agile call-home profile
Scenario #5: Switch License Authorization "Failure reason: Fail to send out Telephone call Home HTTP message."
Snip of "bear witness license all":
License Say-so:
Condition: OUT OF COMPLIANCE on Jul 26 09:24:09 2022 UTC
Final Communication Try: FAILED on Aug 02 14:26:23 2022 UTC
Failure reason: Fail to send out Call Home HTTP bulletin.
Next Communication Endeavour: Aug 02 fourteen:26:53 2022 UTC
Communication Deadline: Oct 25 09:21:38 2022 UTC
Possible logs are seen:
%CALL_HOME-five-SL_MESSAGE_FAILED: Fail to send out Smart Licensing message to: https://<ip>/its/service/oddce/services/DDCEService (ERR 205 : Asking Aborted)
%SMART_LIC-3-COMM_FAILED:Communications failure with the Cisco Smart Software Manager or satellite: Fail to send out Call Home HTTP message.
%SMART_LIC-3-AUTH_RENEW_FAILED:Authorization renewal with the Cisco Smart Software Director or satellite: Communication message send error for udi PID:XXX, SN: 30
Adjacent Steps:
- Verify that the Cisco device can ping tools.cisco.com
- if DNS is non configured, configure a DNS server or a "ip host" statement for the local nslookup IP for tools.cisco.com
- Effort to telnet from the Cisco device to tools.cisco.com on TCP port 443 (port used by HTTPS)
- Verify that the HTTPs customer source interface is defined and correct
- Verify that the URL/IP in the call home profile is prepare correctly on the Cisco device via "show telephone call-domicile profile all"
- Verify the ip road is pointing to the right next hop
- EnsureTCP port 443is non existence blocked on the Cisco device, the path to Smart Call Home Server, or theCisco Smart Software Director on-prem (satellite)
- Ensure that the correct Virtual Routing and Forwarding (VRF) instance is configured under telephone call-abode if applicable
Scenario #6: Failure Reason "Missing Id cert serial number field; Missing signing cert serial number field; Signed data and certificate does non match" Log
This beliefs is seen when working with a CSSM on-premise server that has had its crypto certificate expire as documented in CSCvr41393. This is expected behavior equally the CSSM on-prem should be immune to sync and renew its document to prevent a certification sync outcome with whatsoever registering devices.
Snip of "prove license all":
Registration:
Status: UNREGISTERED
Smart Account: Instance Business relationship
Export-Controlled Functionality: Immune
License Authorization:
Status: EVAL Style
Evaluation Period Remaining: 65 days, xviii hours, 43 minutes, 0 seconds
Possible Logs Seen:
Under "show logging" or "bear witness license eventlog" the following error is seen:
SAEVT_DEREGISTER_STATUS msgStatus="LS_INVALID_DATA" error="Missing Id cert serial number field; Missing signing cert serial number field; Signed data and document does non match"
Next Steps:
- Verify that the Cisco device has IP connectivity to CSSM on-premise server
- If using HTTPS, confirm the certification C-Proper name is being used in the devices phone call-home configuration
- If a DNS server is not bachelor to resolve the certification C-Name, configure a static "ip host" statement to map the domain name and IP accost
- Verify status of certificate on CSSM on-premise is still valid
- If CSSM on-premise certificate is expired, follow one of the workarounds documented in CSCvr41393
Note: By default, HTTPS will perform a server identity check during the SSL handshake to verify the URL or IP is the same every bit the provided certificate from the server. This tin can cause issues when using IP addresses instead of a DNS entry if the hostname and IP do not match. If DNS is non possible or a static ip host argument, "no http secure server-identity-check" can be configured to disable this certification cheque.
Scenario #7: Switch License Authorization "Failure reason: Waiting for reply"
Snip of "show license all":
License Authorization:
Status: OUT OF COMPLIANCE on Jul 26 09:24:09 2022 UTC
Concluding Advice Attempt: PENDING on Aug 02 fourteen:34:51 2022 UTC
Failure reason: Waiting for reply
Next Communication Attempt: Aug 02 xiv:53:58 2022 UTC
Advice Deadline: Oct 25 09:21:39 2022 UTC
Possible logs are seen:
%PKI-3-CRL_FETCH_FAIL: CRL fetch for trustpoint SLA-TrustPoint failed Reason : Failed to select socket. Timeout : 5 (Connectedness timed out)
%PKI-3-CRL_FETCH_FAIL: CRL fetch for trustpoint SLA-TrustPoint failed Reason : Failed to select socket. Timeout : v (Connexion timed out)
Next Steps:
- To correct this outcome the SLA-TrustPoint should exist configured as none nether the running configuration
bear witness running-config
<omitted>
crypto pki trustpoint SLA-TrustPoint
revocation-check none
What is a CRL?
A Document Revocation Listing (CRL) is a listing of revoked certificates. The CRL is created and digitally signed by the certificate authority (CA) that originally issued the certificates. The CRL contains dates for when each document was issued and when it expires. Further information in regards to CRL is bachelor here.
Scenario #viii: License in "OUT OF COMPLIANCE" condition
Snip of "show license all":
License Dominance:
Condition: OUT OF COMPLIANCE on Jul 26 09:24:09 2022 UTC
Last Communication Endeavor: Awaiting on Aug 02 14:34:51 2022 UTC
Failure reason: Waiting for reply
Next Communication Effort: Aug 02 14:53:58 2022 UTC
Advice Borderline: Oct 25 09:21:39 2022 UTC
Possible logs are seen:
%SMART_LIC-3-OUT_OF_COMPLIANCE: 1 or more entitlements are out of compliance
Next Steps:
- Verify if Token from proper Smart Virtual Account has been used,
- Verify corporeality of available licenses here.
Scenario #9: Switch License Dominance "Failure reason: Data and signature do not match "
Snip of "show license all":
License Authorization:
Status: AUTHORIZED on Mar 12 09:17:45 2022 EDT
Last Communication Endeavor: FAILED on Mar 12 09:17:45 2022 EDT
Failure reason: Information and signature do not match
Next Advice Attempt: Mar 12 09:18:15 2022 EDT
Communication Deadline: May 09 21:22:43 2022 EDT
Possible logs are seen:
%SMART_LIC-three-AUTH_RENEW_FAILED: Authority renewal with the Cisco Smart Software Manager (CSSM) : Error received from Smart Software Manager: Information and signature practise non match for udi PID:C9000,SN:XXXXXXXXXXX
Adjacent Steps:
- Deregister the switch with "License smart deregister"
- So annals the switch using a new token with "license smart register idtoken <TOKEN> force"
1) Cisco Smart Licensing home page
2) Cisco Community - On-Need Trainings.
3) Smart Business relationship - management portal: Smart Software Licensing
iv) Smart Account - create new accounts: Smart Accounts
5) Configuration guide (case) - System Management Configuration Guide, Cisco IOS XE Fuji xvi.9.x (Catalyst 9300 Switches)
clineforearephe51.blogspot.com
Source: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9500-series-switches/214484-cisco-smart-licensing-troubleshooting.html
0 Response to "Ilsos License Renewal Your Session Has Expired Please Try Again"
Postar um comentário