Solved: Re: Smart licensing : Fail to send out Call Home HTTP message

IT-ina · ‎05-10-2022

Hi,

Our APIC have recently raised this message : "Fail to send out Call Home HTTP message" during the renew of the smart license.

It worked as expected during 2 years, but now I have this message and smart licensing release the license because apic didn't contact the site during 90 days. It seems that APIC cannot contact the smart licensing url anymore.

When I test in a shell on the apic :

curl https://tools.cisco.com/its/service/oddce/services/DDCEService it seems ok

response :

<h1>DDCEService</h1>
<p>Hi there, this is an AXIS service!</p>
<i>Perhaps there will be a form for invoking the service here...</i>

but smart licensing never see the connection in the log.

Is there a way to have a more detailed log for this request and the SCCM config in the apic ?

Tahnks a lot

Robert Burns · ‎05-11-2022

Leo is correct. This is the revocation of the QuoVadis CA cert. Updating the root CA will resolve this. This is a known caveat in the 4.2(7) release notes as CSCwa97230. There's a field notice with a fix to address this: https://www.cisco.com/c/en/us/support/docs/field-notices/721/fn72115.html

Robert

View solution in original post

Leo Laohoo · ‎05-11-2022

Raise a TAC Case. This issue could be due to expiration of the QuoVadis Root CA 2 certificate which has affected a lot of Cisco products.

brlehigh · ‎05-11-2022

This is interesting. My fabric started throwing this fault on 5/5 as
well. I opened a TAC case about it yesterday. I'll let you know what they
find.

Leo Laohoo · ‎05-11-2022

If you have any Catalyst switches and routers that run on IOS-XE, you need to check them. If their logs are spamming errors about Smart Licensing, do the workaround or upgrade the firmware.

If the workaround (or IOS-XE upgrade which fixes the problem) is not actioned, there will be a memory leak in the "keyman" process of the control-plane.

brlehigh · ‎05-11-2022

This hasn't worked for me just yet, but here's the article for the issue
and fix for ACI from TAC:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa97230

brlehigh · ‎05-11-2022

Well, I take that back. I just went through the process a second time and
my fabric now shows as Registered / Authorized. Hopefully, this will work
for you as well.
The procedure I used:
1. Generated a new token from the Cisco Smart License portal
2. On APIC; Import new certificate (from the article)
3. Reregister the fabric under System > Smart Licensing > Tools using the
new token generated in step 1.

Robert Burns · ‎05-11-2022

Leo is correct. This is the revocation of the QuoVadis CA cert. Updating the root CA will resolve this. This is a known caveat in the 4.2(7) release notes as CSCwa97230. There's a field notice with a fix to address this: https://www.cisco.com/c/en/us/support/docs/field-notices/721/fn72115.html

Robert

Cristiano Caldas · ‎06-04-2022

Exactly!!

I did the certificate exchange procedure in the APIC ACI Graphical Interface and it was successful, when consulting the CLI, (show license status) the license was successfully consumed.

I use the certificate below.

https://www.cisco.com/c/en/us/support/docs/field-notices/721/fn72115.html