cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4451
Views
20
Helpful
10
Replies
Highlighted
Beginner

SSM Smart Software Manager On-Prem 7 - Unable to reach Cisco

Happy new year to all!

 

I'm setting this up from new and am having 3 related Issues.

  1. The main issue is that I get an error "SSO service: Unable to reach Cisco".

This happens when I try and "Approve/submit" a new account that i created within the Workspace of the Smart Software Manager On-Prem. This is a server located in my customers Datacenter.

The on-prem server makes this connection over a firewall and then a proxy server before going out to Cisco.com

I have configured the Firewall and Proxy server as per the Cisco user guide. Firewall rules/routing tested with packet-tracer.

The thing is, I can not even see 443/80 traffic getting as far as the ASA firewall. I can see other traffic from the server like dns etc.

It looks like the On-Prem server is not even sending the request out.

 

2. To look deeper into the connectivity issues, i need to access the CLI via ssh, but i can't due to a certificate issue. And the console port (or Linux prompt) will not accept any passwords i have.

 

3. Under the Smart Licencing page, within the On-Prem GUI, the "Manage Account" is grayed out. And when I try to request access to an existing account a message says the is no such account- maybe because it can’t get to Cisco to site due to point 1 above?

3 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted

Hi there,

 

SSO service: Unable to reach Cisco - is due to reachability between On-Prem server and cisco.com

 

Ensure 3 following urls are  reachable from server.

 

api.cisco.com

swapi.cisco.com

cloudsso.cisco.com

 

Perform a curl  test from root shell of On-prem server.

 

Switch to root from admin cli :

 

sudo -s

 

curl -v https://api.cisco.com:443

curl -v https://swapi.cisco.com:443

curl -v https://cloudsso.cisco.com:443

 

2. 2a. Using putty to SSH to the On-Prem server is still an issue - Error message is to do with "not able to negotiate key exchange".

Putty issue. clear the keys.

 

3. "Manage Account" is still grayed out, But I'm not sure it's an issue. I can still login via my own username etc.

      You need to create local satellite account from admin page of On-prem server and register with cisco.com. This is a mandatory step.

Manage account is greyed out as you don't have any Satellite account registered with virtual account.

 

4. Trying to log a Cisco TAC case is a problem. They won't act without a contract number or a Serial Number. However, with the access I have i can not find the S/N on this VM. And there is not contract associated because this is a free download/service for people with a Smart account.

Open a case with valid device contract, CIN would route to correct Smart Software On-Prem support TAC.

 

Hope  this clarifies!

 

 

 

 

View solution in original post

Highlighted

Hi, I'm back.

The issue i was having (in point one and three) was due to me getting confused with the naming conventions use for the Accounts and virtual accounts.

The two cloud accounts (used on the software.cisco.com web site) are "Cisco Smart Accounts" and Cisco Virtual accounts"

The two On-Prem server accounts are "local accounts' and "local virtual accounts"

 

I incorrectly used my CCO account name for the "Cisco Smart Account" name so it failed.

TIP: Before you use the On-Prem server option, make sure you understand the account naming conventions and wehre they sit.

There is also a Satelite Name and account and CCO account and Smart account to understand.

So it does blow your mind a bit!

 

I'm still having problems with putty but i think i'll re-create that question in another discussion.

Anyway, thanks for your input.

 

View solution in original post

Highlighted

Good day,

 

Someone has done a paper on resetting the CLI admin password for SSMS. it is attached.

Your putty issue may be that you are using an older version of Putty. I was using .60 version and I was getting a simular issue until I downloaded a new version 0.7? and I don't have that issue any longer.

 

Hope these tidbits help.

 

Leurch

View solution in original post

10 REPLIES 10
Highlighted
Beginner

Gosh, It's quiet out there!

Must be a very new technology that little is known about.

Anyway, I've answered a few of my own questions below:

 

1. The "SSO service: Unable to reach Cisco" error was caused by the On-Prem server proxy setting - I had to change it from a hostname to an IP address. Now we don't get the error. However, a popup asks to confirm, But the "NEXT" button is grayed out so I can't go any further.

2a. Using putty to SSH to the On-Prem server is still an issue - Error message is to do with "not able to negotiate key exchange".

2b. Lost password for direct access to the Console/Linux prompt. There is no recovery procedure so we rebuilt the On-Prem VM. But, that does not get you to the root account. And not a lot of options in the on-prem utility. e.g there is ping but no traceroute.

3. "Manage Account" is still grayed out, But I'm not sure it's an issue. I can still login via my own username etc.

4. Trying to log a Cisco TAC case is a problem. They won't act without a contract number or a Serial Number. However, with the access I have i can not find the S/N on this VM. And there is not contract associated because this is a free download/service for people with a Smart account.

 

So, point 1 is the major issue. Without this, my client can not manage the new licencing service that Cisco has come up with recently.

 

Any help, is greatly appreciated.

 

 

Highlighted

Hi there,

 

SSO service: Unable to reach Cisco - is due to reachability between On-Prem server and cisco.com

 

Ensure 3 following urls are  reachable from server.

 

api.cisco.com

swapi.cisco.com

cloudsso.cisco.com

 

Perform a curl  test from root shell of On-prem server.

 

Switch to root from admin cli :

 

sudo -s

 

curl -v https://api.cisco.com:443

curl -v https://swapi.cisco.com:443

curl -v https://cloudsso.cisco.com:443

 

2. 2a. Using putty to SSH to the On-Prem server is still an issue - Error message is to do with "not able to negotiate key exchange".

Putty issue. clear the keys.

 

3. "Manage Account" is still grayed out, But I'm not sure it's an issue. I can still login via my own username etc.

      You need to create local satellite account from admin page of On-prem server and register with cisco.com. This is a mandatory step.

Manage account is greyed out as you don't have any Satellite account registered with virtual account.

 

4. Trying to log a Cisco TAC case is a problem. They won't act without a contract number or a Serial Number. However, with the access I have i can not find the S/N on this VM. And there is not contract associated because this is a free download/service for people with a Smart account.

Open a case with valid device contract, CIN would route to correct Smart Software On-Prem support TAC.

 

Hope  this clarifies!

 

 

 

 

View solution in original post

Highlighted

I'm sorry I can't be of any help, but I got the same problem here.

Everything is configured correctly I assume. I set up the proxy confiuration and I can see the request being forwarded through the firewall correctly. Unfortunately I'm not the administrator of the proxy itself, so I don't know what happens here. If I curl the three URLs as renjithg suggested I get an error. That's quite correct because curl is not using the proxy configured with the CLI.  Now if I use curl-vx proxy-ip:8080 api.cisco.com:443 everything works fine. So it's not the proxy I think.

 

After numerous problems with this kind of licensing-policy I must honestly say CISCO SmartLicensing sucks - sorry folks, but that's the truth!

 

Maybe someone has a working solution for the matter at hand. I'm pissed off generating sync-files and scoop em around...

 

Regards

Stephan

Highlighted

Finally, I made it happen!

In the proxy configuration you have to enter the proxy ip with http:// before it - NOT https:// !

If you enter the IP-address only, the software adds https:// automatically (as stated in the proxy configuration tab) but that didn't work for me. Maybe it's an issue with the proxy itself...

So I changed it to http:// manually and voilá!

 

Hope this can be of any help tp you.

Regards

Stephan

Highlighted

What is the default username for the SSH login for cisco on prem? also i would like to create routes on it. is that possible?

Highlighted

Default password should be admin.

You can create routes like on any other linux system by using ip route.

Highlighted

Hi, I'm back.

The issue i was having (in point one and three) was due to me getting confused with the naming conventions use for the Accounts and virtual accounts.

The two cloud accounts (used on the software.cisco.com web site) are "Cisco Smart Accounts" and Cisco Virtual accounts"

The two On-Prem server accounts are "local accounts' and "local virtual accounts"

 

I incorrectly used my CCO account name for the "Cisco Smart Account" name so it failed.

TIP: Before you use the On-Prem server option, make sure you understand the account naming conventions and wehre they sit.

There is also a Satelite Name and account and CCO account and Smart account to understand.

So it does blow your mind a bit!

 

I'm still having problems with putty but i think i'll re-create that question in another discussion.

Anyway, thanks for your input.

 

View solution in original post

Highlighted

Hi mate,

 

I am in similar boat, but I am getting the error as -  LCsClient#identityCert(Map) error while doing network  mode registration of new local account. I did the curl test and that was all good. the on-prem server connect to cisco but the above error is seen.

Neither am I able to connect to the CSSM from on-prem for registration, neither the offline manual method of generating the registration file is working.

The registration file gets generated from on-prem Cssm, but then when I do the registration on the Cisco CSSM and try ot generate authorization file, it shows the similar error on the cisco smart licensing portal as well. 

Please see the attached error snapshots.

 

Please provide some pointers. before heading to cisco TAC.

 

Regards,

Parag

Highlighted

Good day,

 

Someone has done a paper on resetting the CLI admin password for SSMS. it is attached.

Your putty issue may be that you are using an older version of Putty. I was using .60 version and I was getting a simular issue until I downloaded a new version 0.7? and I don't have that issue any longer.

 

Hope these tidbits help.

 

Leurch

View solution in original post

Highlighted

Thanks, regarding issue 2a. (The putty err0r)

I went from ver 0.60 to 0.67, And it all works without error now.

Thanks for you help.

Content for Community-Ad