Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
38278
Views
50
Helpful
12
Comments

How to register your Device using HTTPS to Satellite Smart-licensing Server

rokazemi
Cisco Employee
Cisco Employee

‎11-20-2018 12:34 AM - edited ‎05-20-2019 01:09 AM

Symptoms

 Can not register your Cisco device to Satellite Smart-licensing-server using HTTPS.  Works when using HTTP. 

Diagnosis

 Change Call-home URL to use HTTP and see if that works.  If it does you can use the steps below to work around the SSL handshake issue when using HTTPS. 

Change call-home URL to HTTP 

conf t

call-home

profile "CiscoTAC-1"

no  destination address http https://<your Satellite-IP-Address>/Transportgateway/services/DeviceRequestHandler

destination address http http://<your Satellite-IP-Address>/Transportgateway/services/DeviceRequestHandler

end

license smart register idtoken XXXXXXXX ,    where XXXXXXX is the actual token you get from your Satellite.

Solution

 If HTTP works as explained above, you can try these steps to fix your https  communication issue. 

1- Browse to  https://Satellite-ip-address/Transportgateway  , and view Certificate details . 

2--  As you can see below  you click on 1 and "View Certificate " and see  2 . In my case the CN , or cName is the same as the ip-address.  You need to match call-home URL to use the CN instead of Satellite ip-address .

conf t

call-home

profile "CiscoTAC-1"

destination address http https://<your Satellite-CN>/Transportgateway/services/DeviceRequestHandler

end

license smart register idtoken XXXXXXXX ,    where XXXXXXX is the actual token you get from your Satellite.

cNAME.PNG

Option-2:  You can make the cName or CN to either match the ip-address of the Satellite or an FQDN that is reachable  from your devices .  In my example  below I match the CN to Satellite ip-address . 

to do that change name taking steps 1, 2 shown below. 

Change-Satellite-Name.PNG

After you change the name to either ip-address or a valid FQDN  you go to the bottom and save .  Afterword do a full-synchronization.  This will change the CN to match ip-address or the FQDN.   Now you change your call-home URL to match this 

https://satellite-CN/Transportgateway 

NOTE: In addition to above you need to make sure under crypto "trustpoint" you changed revocation-check to " none".  By default most products have revocation-check set for "crl" .   

Sample config from a csr1000v showing this configuration .

*******************************

crypto pki trustpoint SLA-TrustPoint

enrollment terminal

revocation-check none

 *************************

If the key-chain is missing , you can import the Cisco_Root-CA from http

https://www.cisco.com/security/pki/certs/clrca.cer

To import a Cert using CLI ,  steps are 

 

Conf t

crypto pki authenticate SLA-TrustPoint

<Expect to see .....>

Enter the base 64 encoded CA certificate.

End with a blank line or the word "quit" on a line by itself

<Cut and past the Ke-chain from the URL from above including BEGIN/END below ..> and end with "quit" and confirm with "YES"  

 

NOTE:  If you use Satellite version 6.3 to change the cName ( CN )  you should modify the CN following these steps 

--login to Satellite admin portal  https://satellite-ip:8443/admin 

-- Security  and change the CN 

 

Capture-6.3-security.PNG

 

So in my example I  selected CN == to Satellite ip-address so on the Routers and Switches I need to change the URL to 

https://10.83.111.14/Transportgateway 

 

 

Labels:
Comments
adorins
Level 1
Level 1
‎12-07-2018 02:32 AM

Hi.

 

What is a correct way to register a switch stack (cat9300) to satellite? Everything looks ok (satellite sees such node as a redundant with two devices) until I perform a switchover - after a switchover I got this:

000236: Dec  7 09:43:48.383: %CRYPTO_ENGINE-5-KEY_DELETED: A key named SLA-KeyPair2 has been removed from key storage
000237: Dec  7 09:43:50.008: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named SLA-KeyPair2 has been generated or imported by crypto-engine
000238: Dec  7 09:43:50.049: %PKI-6-CONFIGAUTOSAVE: Running configuration saved to NVRAM
000239: Dec  7 09:43:52.753: %SMART_LIC-3-ID_CERT_RENEW_FAILED: Automatic registration renewal failed: Error received from Smart Software Manager: 500 Internal Server Error
000240: Dec  7 09:43:52.753: %SMART_LIC-3-ID_CERT_RENEW_FAILED: Automatic registration renewal failed: FAILED

 

#sh license status
Smart Licensing is ENABLED

Utility:
  Status: DISABLED

Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED

Transport:
  Type: Callhome

Registration:
  Status: REGISTERED
  Smart Account: cssm_sat_prod
  Virtual Account: Default
  Export-Controlled Functionality: Allowed
  Initial Registration: First Attempt Pending
  Last Renewal Attempt: FAILED on Dec 07 09:43:52 2018 EET
    Failure reason: Agent received a failure status in a response message. Please check the Agent log file for the detailed message.
  Next Renewal Attempt: Dec 07 10:02:23 2018 EET
  Registration Expires: Dec 05 09:57:44 2019 EET

License Authorization:
  Status: AUTHORIZED on Dec 07 09:39:59 2018 EET
  Last Communication Attempt: SUCCEEDED on Dec 07 09:39:59 2018 EET
  Next Communication Attempt: Jan 06 09:39:58 2019 EET
  Communication Deadline: Mar 07 09:36:57 2019 EET

Export Authorization Key:
  Features Authorized:
    <none>

 

and satellite sees only an active switch (which previously was standby) and HA tab is gone

 

There is a chapter in user guide about Apllication Redundancy Support but I believe it does not fit to switch stack but to two separate nodes in redundant setup

 

br

rokazemi
Cisco Employee
Cisco Employee
‎12-20-2018 07:40 AM

Hi, 

     I am not sure about behavior of CAT9300 in HA mode. You need to open a TAC case and get help for experts with Cat9300. 

panayiotiscy
Level 4
Level 4
‎05-08-2019 11:23 PM

Hello,

 

In our case, we have implemented the below command as to overcome the registration failure to the local satellite server:

http client secure-verify-peer disable.

Also, the satellite server doesnt carry hostname, instead its reachable using its IP address. We didnt modify the crypto settings.

Thanks

rokazemi
Cisco Employee
Cisco Employee
‎05-09-2019 12:11 AM
Hi
Ok, I understand in your case you have disabled SSL peer-verification. This command is unique to some Cisco products and can not be use in all. In your case I would say it is bug, you should not have to disable the peer-verification.

Thanks,
Ross
Ramtin.rezaei
Level 1
Level 1
‎12-17-2019 09:43 AM

Hello,

i have deployed a smart license server satellite version 6.3.0 and every thing is ok i mean it's synchronised with smart account and i have all my licenses, but my callhome fail to send out the massage.

 

the version of my stacks switch is /

Switch Ports Model              SW Version        SW Image              Mode

------ ----- -----              ----------        ----------            ----

*    1 64    C9300-48P          16.9.1            CAT9K_IOSXE           BUNDLE

     2 64    C9300-48P          16.9.1            CAT9K_IOSXE           BUNDLE

     3 64    C9300-48P          16.9.1            CAT9K_IOSXE           BUNDLE

 

my connectivity is OK and i can telenet on port 80.

 

here is my configuration/

profile "N93K"

  reporting smart-licensing-data

  destination transport-method http

  no destination transport-method email

  destination address http http://172.18.90.120/TransportGateway/services/DeviceRequestHandler

diagnostic-signature

  profile "N93K"

 

 

ST005A-IXCMA#sho license all

Smart Licensing Status

======================

 

Smart Licensing is ENABLED

 

Registration:

  Status: REGISTERING - REGISTRATION IN PROGRESS

  Export-Controlled Functionality: Not Allowed

  Initial Registration: FAILED on Dec 17 13:49:43 2019 UTC

    Failure reason: Fail to send out Call Home HTTP message.

  Next Registration Attempt: Dec 17 14:49:46 2019 UTC

 

License Authorization:

  Status: EVAL EXPIRED on Apr 24 07:01:28 2019 UTC

 

Utility:

  Status: DISABLED

 

Data Privacy:

  Sending Hostname: yes

    Callhome hostname privacy: DISABLED

    Smart Licensing hostname privacy: DISABLED

  Version privacy: DISABLED

 

Transport:

  Type: Callhome

 

License Usage

==============

 

(C9300-48 DNA Advantage):

  Description:

  Count: 3

  Version: 1.0

  Status: EVAL EXPIRED

 

(C9300-48 Network Advantage):

  Description:

  Count: 3

  Version: 1.0

  Status: EVAL EXPIRED

 

Product Information

===================

UDI: PID:C9300-48P,SN:FOC2231Q0E9

 

HA UDI List:

    Active:PID:C9300-48P,SN:FOC2231Q0E9

    Standby:PID:C9300-48P,SN:FOC2231Q0E5

    Member:PID:C9300-48P,SN:FOC2231Z0CC

 

Agent Version

=============

Smart Agent for Licensing: 4.4.13_rel/116

Component Versions: SA:(1_3_dev)1.0.15, SI:(dev22)1.2.1, CH:(rel5)1.0.3, PK:(dev18)1.0.3

 

Reservation Info

================

License reservation: DISABLED

 

 

so could you please tell me if for switches within stacks the configuration is different?

 

or after deployment of server i have to activate something on server?

i am really stopped with this issue:-(

 

normally i think for registration we don't need to set boot level,  i mean it's for authorization am i right?

 

thanks in advance.

 

Ramtin

 

 

 

 

 

 

 

adorins
Level 1
Level 1
‎12-17-2019 09:58 PM

Hi

 

Had the same problem. The sat name in address command must match with your sat real name. For example - initially I tried to use an ip address of my sat (like in your example), but it just not worked because my sat name was "CiscoSatellite", not an "10.x.y.z", and CN name does not match in this case (idea of this problem is described by topic author at the beginning). http works fine, but not https.

 

In my case I just replaced ip address with my sat name, and added a local name resolvation command for it (ip host <sat> <ip>)

 

But I recommend to upgrade to 7.x.x train. Scheduled sync starts to work (more or less) in 7.x.x, but stack switchover problem is still there anyway

 

Ramtin.rezaei
Level 1
Level 1
‎01-29-2020 07:33 AM

Hello Adorins,

 

i got it work on port 80 but still an issue, with CSSM certificate same as you but while i change my hostname in network tab and security tab for certificate and i save ans full sync, CN does not change in Certificate i mean i found  last hostname.

 

do you have any idea about this issue.

 

thanks in advance

 

Ramtin

adorins
Level 1
Level 1
‎01-29-2020 09:40 PM

What sat version are you using? Did you tried to restart server after a hostname change?

Ramtin.rezaei
Level 1
Level 1
‎01-30-2020 06:54 AM

Adorins,

 

 

thanks for your reply.

i am running 6.3 version.

please see below:

SHOT1.pngSHOT2.png

SHOT3.png

 

 

Yes reboot is done after Full sync.

 

Br

Ramtin

adorins
Level 1
Level 1
‎02-02-2020 10:17 PM

I would recommend to upgrade to v7 if you can.

Everything looks ok in your screenshots. I have no much experience with satellite, it is not yet in production in my network.

I had the same config but with hostname instead of ip address. At the beginning of v6 it was not possible to use ip address in configuration, just a hostname. May be this is still in place

It was supposed to use a hostname in switch config and then resolve it to ip address. Because we do not configure dns on our network equipment, I was forced to add a static resolvation in switch configuration. With ip address it was just not possible to use https. 

And I also had no luck to make a scheduled sync to work in v6. V7 solved this problem

Mihran
Level 1
Level 1
‎03-24-2020 08:47 AM

Hi,

 

I've picked up the case & upgraded to V7-202001, performed a full sync, but HTTPS communication with the CSSM doesn't seem to work, even after a full sync. I believe the issue is with the hostname that just can't be an IP address, could anyone please confirm this ?

 

Thank you for your assistance.Capture.GIF

 

 

Kush Patel
Level 1
Level 1
‎05-13-2020 06:21 PM

If anyone is trying to register an ASA with an on-prem Smart Software Manager and are getting Connect_Failed(35) error due to Certificate Valaditation problems you can get to the needed CAs from the on-prem box vis ssh access.   The same problem could also be impacting Catalyst 9k series as well though I haven't had the chance to test this yet.  

 

The needed cert is located on your on-prem box at /home/deployer/ssl/product.pem

 

There is a total of three certificates in that chain and you will need to import two of the CAs.  You will need the CA of CiscoLicenseRootCA and TG-SSL CA.   I have used  https://certlogik.com/decoder/

to decode the certs from the product.pem to see what is what and import them one at a time.  


If you have time and want to see a video of what I did feel free to check out: https://www.youtube.com/watch?v=jhKpD3ZC8JQ

 

Cheers and hope this helps.

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents