ASAv Smart Licensing Registration fails (certificate validation failed

Counterdoc — Wed, 14 May 2025 14:23:58 GMT

Hello,

I am trying to register a ASAv 9.18(4)53 to a Cisco SSM On-Prem Smart Licensing Server. On the ASA I get the following error:

%ASA-6-120003: Call-Home is processing license event Smart Licensing.
%ASA-6-725001: Starting SSL handshake with server inside:xxxxxxx/24359 to xxxxxx/443 for TLS session
%ASA-3-717009: Certificate validation failed. serial number: 01, subject name: CN=Cisco Licensing Root CA,O=Cisco.
%ASA-3-717027: Certificate chain failed validation. Generic validation failure occurred.
%ASA-4-120006: Call-Home license message to https://xxxxxxx .com/Transportgateway/services/DeviceRequestHandler  failed. Reason: CONNECT_FAILED
%ASA-4-120005: Call-Home license message to https://xxxxxxx.com/Transportgateway/services/DeviceRequestHandler  was dropped. Reason: CONNECT_FAILED
%ASA-3-444303: %SMART_LIC-3-COMM_FAILED:Communications failure with the Cisco Smart Software Manager (CSSM) : Communication message send error

So the issue is that the certificate validation fails. Trying it with http instead of https works fine.

Shouldn't that certificate exist on the ASA by default? Or do I need to install the Cisco Licensing Root CA manually?

If I check the certificates on the ASA I see the following:

CA Certificate
  Status: Available
  Certificate Serial Number: 0a0142800000014523c844b500000002
  Certificate Usage: General Purpose
  Public Key Type: RSA (4096 bits)
  Signature Algorithm: RSA-SHA256
  Issuer Name:
    CN=IdenTrust Commercial Root CA 1
    O=IdenTrust
    C=US
  Subject Name:
    CN=IdenTrust Commercial Root CA 1
    O=IdenTrust
    C=US
  Validity Date:
    start date: 18:12:23 UTC Jan 16 2014
    end   date: 18:12:23 UTC Jan 16 2034
  Storage: config
  Associated Trustpoints: _SmartCallHome_ServerCA

CA Certificate
  Status: Available
  Certificate Serial Number: 0509
  Certificate Usage: General Purpose
  Public Key Type: RSA (4096 bits)
  Signature Algorithm: RSA-SHA1
  Issuer Name:
    CN=QuoVadis Root CA 2
    O=QuoVadis Limited
    C=BM
  Subject Name:
    CN=QuoVadis Root CA 2
    O=QuoVadis Limited
    C=BM
  Validity Date:
    start date: 18:27:00 UTC Nov 24 2006
    end   date: 18:23:33 UTC Nov 24 2031
  Storage: config
  Associated Trustpoints: _SmartCallHome_ServerCA2

Thanks for your help!

Marius

Re: ASAv Smart Licensing Registration fails (certificate validation fa

nspasov — Wed, 14 May 2025 20:08:46 GMT

Can you share the outputs from the following commands:

show version
show run call-home
show crypto ca certificates
show run all | in ssl
show run crypto ca trustpoint

Thank you for rating helpful posts!

Re: ASAv Smart Licensing Registration fails (certificate validation fa

Counterdoc — Thu, 15 May 2025 05:25:35 GMT

Sure. Removed any company data from the outputs (companyxyz and xxx sections). No Cisco Licensing Root is currently installed which brings me back to my question if I need to do it manually and why it is not on the ASA by default.

show version

Cisco Adaptive Security Appliance Software Version 9.18(4)53 SSP Operating System Version 2.12(1.96) Device Manager Version 7.18(1)152 Compiled on Thu 20-Feb-25 05:43 GMT by builders System image file is "disk0:/asa9-18-4-53-smp-k8.bin" Config file at boot was "startup-config" xxxxxxx up 54 mins 14 secs Start-up time 11 secs Hardware: ASAv, 2048 MB RAM, CPU Pentium II 2000 MHz, Internal ATA Compact Flash, 1024MB Slot 1: ATA Compact Flash, 8192MB BIOS Flash Firmware Hub @ 0x1, 0KB 0: Ext: Management0/0 : address is 0050.56ad.cf70, irq 10 1: Ext: GigabitEthernet0/0 : address is 0050.56ad.8e28, irq 7 2: Ext: GigabitEthernet0/1 : address is 0050.56ad.8dc6, irq 9 3: Ext: GigabitEthernet0/2 : address is 0050.56ad.46ba, irq 11 4: Ext: GigabitEthernet0/3 : address is 0050.56ad.1a8f, irq 10 5: Ext: GigabitEthernet0/4 : address is 0050.56ad.b126, irq 7 6: Ext: GigabitEthernet0/5 : address is 0050.56ad.8abd, irq 9 7: Ext: GigabitEthernet0/6 : address is 0050.56ad.9e3b, irq 11 8: Ext: GigabitEthernet0/7 : address is 0050.56ad.76a0, irq 10 9: Ext: GigabitEthernet0/8 : address is 0050.56ad.11e1, irq 7 10: Int: Internal-Data0/0 : address is 0000.0100.0001, irq 0 License mode: Smart Licensing ASAv Platform License State: Unlicensed Active entitlement: ASAv-STD-1G, enforce mode: Eval period Firewall throughput limited to 100 Kbps Licensed features for this platform: Maximum VLANs : 50 Inside Hosts : Unlimited Failover : Active/Active Encryption-DES : Enabled Encryption-3DES-AES : Enabled Security Contexts : 2 Carrier : Disabled AnyConnect Premium Peers : 2 AnyConnect Essentials : Disabled Other VPN Peers : 250 Total VPN Peers : 250 AnyConnect for Mobile : Disabled AnyConnect for Cisco VPN Phone : Disabled Advanced Endpoint Assessment : Disabled Shared License : Disabled Total TLS Proxy Sessions : 2 Botnet Traffic Filter : Enabled Cluster : Enabled Serial Number: xxx Image type : Release Key version : A Configuration has not been modified since last system restart.

show run call-home

no call-home reporting anonymous call-home contact-email-addr sch-smart-licensing@cisco.com source-interface inside profile License destination address http https://xxxxxx.com/Transportgateway/services/DeviceRequestHandler destination transport-method http profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily

show crypto ca certificates

CA Certificate Status: Available Certificate Serial Number: 0a0142800000014523c844b500000002 Certificate Usage: General Purpose Public Key Type: RSA (4096 bits) Signature Algorithm: RSA-SHA256 Issuer Name: CN=IdenTrust Commercial Root CA 1 O=IdenTrust C=US Subject Name: CN=IdenTrust Commercial Root CA 1 O=IdenTrust C=US Validity Date: start date: 18:12:23 UTC Jan 16 2014 end date: 18:12:23 UTC Jan 16 2034 Storage: config Associated Trustpoints: _SmartCallHome_ServerCA CA Certificate Status: Available Certificate Serial Number: 0509 Certificate Usage: General Purpose Public Key Type: RSA (4096 bits) Signature Algorithm: RSA-SHA1 Issuer Name: CN=QuoVadis Root CA 2 O=QuoVadis Limited C=BM Subject Name: CN=QuoVadis Root CA 2 O=QuoVadis Limited C=BM Validity Date: start date: 18:27:00 UTC Nov 24 2006 end date: 18:23:33 UTC Nov 24 2031 Storage: config Associated Trustpoints: _SmartCallHome_ServerCA2 CA Certificate Status: Available Certificate Serial Number: xxx Certificate Usage: Signature Public Key Type: RSA (4096 bits) Signature Algorithm: RSA-SHA256 Issuer Name: CN=COMPANYXYZ Root CA 2 O=COMPANYXYZ C=XX Subject Name: CN=COMPANYXYZ Root CA 2 O=COMPANYXYZ C=XX Validity Date: start date: 07:59:43 UTC Oct 4 2018 end date: 08:09:42 UTC Oct 4 2048 Storage: config Associated Trustpoints: COMPANYXYZ-Root-CA2

show run all | in ssl

id-usage ssl-ipsec no ignore-ssl-keyusage id-usage ssl-ipsec no ignore-ssl-keyusage validation-usage ipsec-client ssl-client id-usage ssl-ipsec no ignore-ssl-keyusage validation-usage ipsec-client ssl-client id-usage ssl-ipsec no ignore-ssl-keyusage validation-usage ipsec-client ssl-client id-usage ssl-ipsec no ignore-ssl-keyusage validation-usage ipsec-client ssl-client id-usage ssl-ipsec no ignore-ssl-keyusage ssl server-version tlsv1.2 dtlsv1.2 ssl client-version tlsv1.2 ssl cipher default high ssl cipher tlsv1 fips ssl cipher tlsv1.1 fips ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256" ssl cipher dtlsv1 fips ssl cipher dtlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256" ssl dh-group group15 ssl ecdh-group group19 ssl certificate-authentication fca-timeout 2 no ssl-server-check anyconnect ssl dtls enable anyconnect ssl keepalive 20 anyconnect ssl rekey time none anyconnect ssl rekey method none anyconnect ssl compression none anyconnect ssl df-bit-ignore disable compression anyconnect-ssl http-comp

show run crypto ca trustpoint

crypto ca trustpoint _SmartCallHome_ServerCA no validation-usage crl configure crypto ca trustpoint _SmartCallHome_ServerCA2 no validation-usage crl configure crypto ca trustpoint COMPANYXYZ-Root-CA2 enrollment terminal crl configure

Re: ASAv Smart Licensing Registration fails (certificate validation fa

Counterdoc — Thu, 15 May 2025 08:32:03 GMT

I fixed it by replacing the product.pem certificate on the licensing servers frontend docker container which was self-signed (Cisco Licensing Root) by a signed certificate from my Company which is also deployed to our devices. Now it works.

topic Re: ASAv Smart Licensing Registration fails (certificate validation fa in Network Security

ASAv Smart Licensing Registration fails (certificate validation failed

Re: ASAv Smart Licensing Registration fails (certificate validation fa

Re: ASAv Smart Licensing Registration fails (certificate validation fa

Re: ASAv Smart Licensing Registration fails (certificate validation fa