Solved: SSM Smart Software Manager On-Prem 7 - Unable to reach Cisco

jvujcich · ‎01-14-2020

Happy new year to all!

I'm setting this up from new and am having 3 related Issues.

The main issue is that I get an error "SSO service: Unable to reach Cisco".

This happens when I try and "Approve/submit" a new account that i created within the Workspace of the Smart Software Manager On-Prem. This is a server located in my customers Datacenter.

The on-prem server makes this connection over a firewall and then a proxy server before going out to Cisco.com

I have configured the Firewall and Proxy server as per the Cisco user guide. Firewall rules/routing tested with packet-tracer.

The thing is, I can not even see 443/80 traffic getting as far as the ASA firewall. I can see other traffic from the server like dns etc.

It looks like the On-Prem server is not even sending the request out.

2. To look deeper into the connectivity issues, i need to access the CLI via ssh, but i can't due to a certificate issue. And the console port (or Linux prompt) will not accept any passwords i have.

3. Under the Smart Licencing page, within the On-Prem GUI, the "Manage Account" is grayed out. And when I try to request access to an existing account a message says the is no such account- maybe because it can’t get to Cisco to site due to point 1 above?

renjithg · ‎02-25-2020

Hi there,

SSO service: Unable to reach Cisco - is due to reachability between On-Prem server and cisco.com

Ensure 3 following urls are reachable from server.

api.cisco.com

swapi.cisco.com

cloudsso.cisco.com

Perform a curl test from root shell of On-prem server.

Switch to root from admin cli :

sudo -s

curl -v https://api.cisco.com:443

curl -v https://swapi.cisco.com:443

curl -v https://cloudsso.cisco.com:443

2. 2a. Using putty to SSH to the On-Prem server is still an issue - Error message is to do with "not able to negotiate key exchange".

Putty issue. clear the keys.

3. "Manage Account" is still grayed out, But I'm not sure it's an issue. I can still login via my own username etc.

You need to create local satellite account from admin page of On-prem server and register with cisco.com. This is a mandatory step.

Manage account is greyed out as you don't have any Satellite account registered with virtual account.

4. Trying to log a Cisco TAC case is a problem. They won't act without a contract number or a Serial Number. However, with the access I have i can not find the S/N on this VM. And there is not contract associated because this is a free download/service for people with a Smart account.

Open a case with valid device contract, CIN would route to correct Smart Software On-Prem support TAC.

Hope this clarifies!

View solution in original post

jvujcich · ‎05-18-2020

Hi, I'm back.

The issue i was having (in point one and three) was due to me getting confused with the naming conventions use for the Accounts and virtual accounts.

The two cloud accounts (used on the software.cisco.com web site) are "Cisco Smart Accounts" and Cisco Virtual accounts"

The two On-Prem server accounts are "local accounts' and "local virtual accounts"

I incorrectly used my CCO account name for the "Cisco Smart Account" name so it failed.

TIP: Before you use the On-Prem server option, make sure you understand the account naming conventions and wehre they sit.

There is also a Satelite Name and account and CCO account and Smart account to understand.

So it does blow your mind a bit!

I'm still having problems with putty but i think i'll re-create that question in another discussion.

Anyway, thanks for your input.

View solution in original post

gliggins · ‎07-25-2020

Good day,

Someone has done a paper on resetting the CLI admin password for SSMS. it is attached.

Your putty issue may be that you are using an older version of Putty. I was using .60 version and I was getting a simular issue until I downloaded a new version 0.7? and I don't have that issue any longer.

Hope these tidbits help.

Leurch

View solution in original post

jvujcich · ‎01-21-2020

Gosh, It's quiet out there!

Must be a very new technology that little is known about.

Anyway, I've answered a few of my own questions below:

1. The "SSO service: Unable to reach Cisco" error was caused by the On-Prem server proxy setting - I had to change it from a hostname to an IP address. Now we don't get the error. However, a popup asks to confirm, But the "NEXT" button is grayed out so I can't go any further.

2a. Using putty to SSH to the On-Prem server is still an issue - Error message is to do with "not able to negotiate key exchange".

2b. Lost password for direct access to the Console/Linux prompt. There is no recovery procedure so we rebuilt the On-Prem VM. But, that does not get you to the root account. And not a lot of options in the on-prem utility. e.g there is ping but no traceroute.

3. "Manage Account" is still grayed out, But I'm not sure it's an issue. I can still login via my own username etc.

4. Trying to log a Cisco TAC case is a problem. They won't act without a contract number or a Serial Number. However, with the access I have i can not find the S/N on this VM. And there is not contract associated because this is a free download/service for people with a Smart account.

So, point 1 is the major issue. Without this, my client can not manage the new licencing service that Cisco has come up with recently.

Any help, is greatly appreciated.

renjithg · ‎02-25-2020

Hi there,

SSO service: Unable to reach Cisco - is due to reachability between On-Prem server and cisco.com

Ensure 3 following urls are reachable from server.

api.cisco.com

swapi.cisco.com

cloudsso.cisco.com

Perform a curl test from root shell of On-prem server.

Switch to root from admin cli :

sudo -s

curl -v https://api.cisco.com:443

curl -v https://swapi.cisco.com:443

curl -v https://cloudsso.cisco.com:443

2. 2a. Using putty to SSH to the On-Prem server is still an issue - Error message is to do with "not able to negotiate key exchange".

Putty issue. clear the keys.

3. "Manage Account" is still grayed out, But I'm not sure it's an issue. I can still login via my own username etc.

You need to create local satellite account from admin page of On-prem server and register with cisco.com. This is a mandatory step.

Manage account is greyed out as you don't have any Satellite account registered with virtual account.

4. Trying to log a Cisco TAC case is a problem. They won't act without a contract number or a Serial Number. However, with the access I have i can not find the S/N on this VM. And there is not contract associated because this is a free download/service for people with a Smart account.

Open a case with valid device contract, CIN would route to correct Smart Software On-Prem support TAC.

Hope this clarifies!

drehstrom · ‎03-30-2020

I'm sorry I can't be of any help, but I got the same problem here.

Everything is configured correctly I assume. I set up the proxy confiuration and I can see the request being forwarded through the firewall correctly. Unfortunately I'm not the administrator of the proxy itself, so I don't know what happens here. If I curl the three URLs as renjithg suggested I get an error. That's quite correct because curl is not using the proxy configured with the CLI. Now if I use curl-vx proxy-ip:8080 api.cisco.com:443 everything works fine. So it's not the proxy I think.

After numerous problems with this kind of licensing-policy I must honestly say CISCO SmartLicensing sucks - sorry folks, but that's the truth!

Maybe someone has a working solution for the matter at hand. I'm pissed off generating sync-files and scoop em around...

Regards

Stephan

drehstrom · ‎03-30-2020

Finally, I made it happen!

In the proxy configuration you have to enter the proxy ip with http:// before it - NOT https:// !

If you enter the IP-address only, the software adds https:// automatically (as stated in the proxy configuration tab) but that didn't work for me. Maybe it's an issue with the proxy itself...

So I changed it to http:// manually and voilá!

Hope this can be of any help tp you.

Regards

Stephan

Nisha Chandy · ‎04-22-2020

What is the default username for the SSH login for cisco on prem? also i would like to create routes on it. is that possible?

drehstrom · ‎04-23-2020

Default password should be admin.

You can create routes like on any other linux system by using ip route.

jvujcich · ‎05-18-2020

Hi, I'm back.

The issue i was having (in point one and three) was due to me getting confused with the naming conventions use for the Accounts and virtual accounts.

The two cloud accounts (used on the software.cisco.com web site) are "Cisco Smart Accounts" and Cisco Virtual accounts"

The two On-Prem server accounts are "local accounts' and "local virtual accounts"

I incorrectly used my CCO account name for the "Cisco Smart Account" name so it failed.

TIP: Before you use the On-Prem server option, make sure you understand the account naming conventions and wehre they sit.

There is also a Satelite Name and account and CCO account and Smart account to understand.

So it does blow your mind a bit!

I'm still having problems with putty but i think i'll re-create that question in another discussion.

Anyway, thanks for your input.

parag_waghmare · ‎11-01-2020

Hi mate,

I am in similar boat, but I am getting the error as - LCsClient#identityCert(Map) error while doing network mode registration of new local account. I did the curl test and that was all good. the on-prem server connect to cisco but the above error is seen.

Neither am I able to connect to the CSSM from on-prem for registration, neither the offline manual method of generating the registration file is working.

The registration file gets generated from on-prem Cssm, but then when I do the registration on the Cisco CSSM and try ot generate authorization file, it shows the similar error on the cisco smart licensing portal as well.

Please see the attached error snapshots.

Please provide some pointers. before heading to cisco TAC.

Regards,

Parag

gliggins · ‎07-25-2020

Good day,

Someone has done a paper on resetting the CLI admin password for SSMS. it is attached.

Your putty issue may be that you are using an older version of Putty. I was using .60 version and I was getting a simular issue until I downloaded a new version 0.7? and I don't have that issue any longer.

Hope these tidbits help.

Leurch

jvujcich · ‎08-02-2020

Thanks, regarding issue 2a. (The putty err0r)

I went from ver 0.60 to 0.67, And it all works without error now.

Thanks for you help.

stefan.thierolf · ‎09-10-2021

I ran into the same issue and based on the attached text file I made a blog post with screenshots of the recovery process.

https://www.thierolf.org/blog/2021/cisco-ssm-on-prem-password-recovery-procedure/

Hope it helps.

Michael.Heimann · ‎03-08-2022

Stefan, that blogpost helped a lot - thanks!

Just in case someone finds this and needs the a UI password reset, too - like I did.

Follow this guide:

1) Login on the CLI via SSH, admin user

2) become superuser (root password):

su -

3) find the docker container ID that is your database:

docker ps -f name=db

4) on the output, we need the container ID for the next command. mine was "xxx"

5) start a shell in that docker instance

docker exec -it xxx bash

6)open the DB

psql -U postgres

7) connect to the database atlantis

\c atlantis

just to verify/backup, get the currently stored hash of the password. The example gets the hash for the user "admin".

SELECT password_digest FROM users WHERE uid='xxx';

9) generate a new hash for the desired password. I used python on my linux box. You choose your weapon.

python3 -c 'import bcrypt; passwort=str.encode("yourNewPasswordHere"); print(bcrypt.hashpw(passwort, bcrypt.gensalt(rounds=12)))'

10)update the digest with the new value.

UPDATE users SET password_digest = 'xxx' WHERE uid = 'xxx';

Login with the new password on the UI.