
How to register your Device using HTTPS to Satellite Smart-licensing Server



Cannot register your Cisco device to Satellite Smart-licensing-server using HTTPS. Works when using HTTP.


Change the call-home URL to use HTTP and see if that works. If it does, you can use the steps below to work around the SSL handshake issue when using HTTPS.

Change call-home URL to HTTP 

conf t
call-home
profile "CiscoTAC-1"
no destination address http https://<your Satellite-IP-Address>/Transportgateway/services/DeviceRequestHandler
destination address http http://<your Satellite-IP-Address>/Transportgateway/services/DeviceRequestHandler
end

license smart register idtoken XXXXXXXX

where XXXXXXXX is the actual token you get from your Satellite.


If HTTP works as explained above, you can try these steps to fix your HTTPS communication issue.

1- Browse to https://Satellite-ip-address/Transportgateway, and view the certificate details.

2- As you can see below, you click on 1 and "View Certificate" and see 2. In my case the CN, or cName, is the same as the ip-address. You need to match the call-home URL to use the CN instead of the Satellite ip-address.

conf t
call-home
profile "CiscoTAC-1"
destination address http https://<your Satellite-CN>/Transportgateway/services/DeviceRequestHandler
end

license smart register idtoken XXXXXXXX

where XXXXXXXX is the actual token you get from your Satellite.


Option-2: You can make the cName or CN either match the ip-address of the Satellite or an FQDN that is reachable from your devices. In my example below I match the CN to the Satellite ip-address.

To do that, change the name by taking steps 1 and 2 shown below.


After you change the name to either the ip-address or a valid FQDN, you go to the bottom and save. Afterward do a full-synchronization. This will change the CN to match the ip-address or the FQDN. Now you change your call-home URL to match this.


NOTE: In addition to the above, you need to make sure that under crypto "trustpoint" you changed revocation-check to "none". By default most products have revocation-check set for "crl".

Sample config from a csr1000v showing this configuration.


crypto pki trustpoint SLA-TrustPoint
 enrollment terminal
 revocation-check none


If the key-chain is missing, you can import the Cisco_Root-CA from http

To import a cert using the CLI, the steps are:


conf t
crypto pki authenticate SLA-TrustPoint

<Expect to see .....>

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

<Cut and paste the key-chain from the URL above, including BEGIN/END, below ..> and end with "quit" and confirm with "YES"


NOTE: If you use Satellite version 6.3 to change the cName (CN), you should modify the CN following these steps:

-- Log in to the Satellite admin portal https://satellite-ip:8443/admin

-- Security, and change the CN




So in my example I selected CN == to the Satellite ip-address, so on the Routers and Switches I need to change the URL to






What is a correct way to register a switch stack (cat9300) to satellite? Everything looks ok (satellite sees such node as a redundant with two devices) until I perform a switchover - after a switchover I got this:

000236: Dec  7 09:43:48.383: %CRYPTO_ENGINE-5-KEY_DELETED: A key named SLA-KeyPair2 has been removed from key storage
000237: Dec  7 09:43:50.008: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named SLA-KeyPair2 has been generated or imported by crypto-engine
000238: Dec  7 09:43:50.049: %PKI-6-CONFIGAUTOSAVE: Running configuration saved to NVRAM
000239: Dec  7 09:43:52.753: %SMART_LIC-3-ID_CERT_RENEW_FAILED: Automatic registration renewal failed: Error received from Smart Software Manager: 500 Internal Server Error
000240: Dec  7 09:43:52.753: %SMART_LIC-3-ID_CERT_RENEW_FAILED: Automatic registration renewal failed: FAILED


#sh license status
Smart Licensing is ENABLED

  Status: DISABLED

Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED

  Type: Callhome

  Smart Account: cssm_sat_prod
  Virtual Account: Default
  Export-Controlled Functionality: Allowed
  Initial Registration: First Attempt Pending
  Last Renewal Attempt: FAILED on Dec 07 09:43:52 2018 EET
    Failure reason: Agent received a failure status in a response message. Please check the Agent log file for the detailed message.
  Next Renewal Attempt: Dec 07 10:02:23 2018 EET
  Registration Expires: Dec 05 09:57:44 2019 EET

License Authorization:
  Status: AUTHORIZED on Dec 07 09:39:59 2018 EET
  Last Communication Attempt: SUCCEEDED on Dec 07 09:39:59 2018 EET
  Next Communication Attempt: Jan 06 09:39:58 2019 EET
  Communication Deadline: Mar 07 09:36:57 2019 EET

Export Authorization Key:
  Features Authorized:


and satellite sees only an active switch (which previously was standby) and HA tab is gone


There is a chapter in the user guide about Application Redundancy Support, but I believe it does not fit a switch stack but two separate nodes in a redundant setup



Cisco Employee


I am not sure about the behavior of the CAT9300 in HA mode. You need to open a TAC case and get help from experts with Cat9300.




In our case, we have implemented the below command as to overcome the registration failure to the local satellite server:

http client secure-verify-peer disable.

Also, the satellite server doesn't carry a hostname; instead it's reachable using its IP address. We didn't modify the crypto settings.


Cisco Employee
OK, I understand in your case you have disabled SSL peer-verification. This command is unique to some Cisco products and cannot be used in all. In your case I would say it is a bug; you should not have to disable the peer-verification.



I have deployed a smart license server, Satellite version 6.3.0, and everything is OK; I mean it's synchronised with the smart account and I have all my licenses, but my call-home fails to send out the message.


The version of my switch stack is:

Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 64    C9300-48P          16.9.1            CAT9K_IOSXE           BUNDLE
     2 64    C9300-48P          16.9.1            CAT9K_IOSXE           BUNDLE
     3 64    C9300-48P          16.9.1            CAT9K_IOSXE           BUNDLE


My connectivity is OK and I can telnet on port 80.


Here is my configuration:

profile "N93K"
  reporting smart-licensing-data
  destination transport-method http
  no destination transport-method email
  destination address http

  profile "N93K"



ST005A-IXCMA#sho license all
Smart Licensing Status

Smart Licensing is ENABLED

  Export-Controlled Functionality: Not Allowed
  Initial Registration: FAILED on Dec 17 13:49:43 2019 UTC
    Failure reason: Fail to send out Call Home HTTP message.
  Next Registration Attempt: Dec 17 14:49:46 2019 UTC

License Authorization:
  Status: EVAL EXPIRED on Apr 24 07:01:28 2019 UTC

  Status: DISABLED

Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED

  Type: Callhome

License Usage

(C9300-48 DNA Advantage):

  Count: 3
  Version: 1.0

(C9300-48 Network Advantage):

  Count: 3
  Version: 1.0

Product Information

UDI: PID:C9300-48P,SN:FOC2231Q0E9

HA UDI List:

Agent Version

Smart Agent for Licensing: 4.4.13_rel/116
Component Versions: SA:(1_3_dev)1.0.15, SI:(dev22)1.2.1, CH:(rel5)1.0.3, PK:(dev18)1.0.3

Reservation Info

License reservation: DISABLED

So could you please tell me if the configuration is different for switches within stacks?


Or after deployment of the server, do I have to activate something on the server?

I am really stopped with this issue :-(


Normally I think for registration we don't need to set the boot level; I mean it's for authorization, am I right?


Thanks in advance.













Had the same problem. The sat name in the address command must match your sat's real name. For example, initially I tried to use the IP address of my sat (like in your example), but it just did not work because my sat name was "CiscoSatellite", not "10.x.y.z", and the CN does not match in this case (the idea of this problem is described by the topic author at the beginning). HTTP works fine, but not HTTPS.


In my case I just replaced the IP address with my sat name, and added a local name resolution command for it (ip host <sat> <ip>)


But I recommend to upgrade to 7.x.x train. Scheduled sync starts to work (more or less) in 7.x.x, but stack switchover problem is still there anyway
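
The check this thread keeps returning to (the host in the call-home URL has to be one of the names in the Satellite certificate), as an added Python example that is not part of any post. The config and certificate names are constructed samples (192.0.2.10 is a documentation address; the certificate dict has the shape `ssl.SSLSocket.getpeercert()` returns), `audit` and `cert_names` are hypothetical helper names, and matching is exact, with no wildcard handling. It also reports the two settings mentioned in the thread that switch verification off.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample config in the shape the thread shows; 192.0.2.10 is a documentation address.
SAMPLE_CONFIG = """\
profile "CiscoTAC-1"
 destination address http https://192.0.2.10/Transportgateway/services/DeviceRequestHandler
crypto pki trustpoint SLA-TrustPoint
 revocation-check none
"""
# Constructed certificate names, in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {"subject": ((("commonName", "CiscoSatellite"),),), "subjectAltName": ()}

def _norm(name):
    """Canonical form for comparison: normalized IP literal or lower-cased host name."""
    try:
        return str(ipaddress.ip_address(name))
    except ValueError:
        return name.lower().rstrip(".")

def cert_names(cert):
    """Subject CN plus every subjectAltName value (exact names only, no wildcards)."""
    names = {_norm(value) for _kind, value in cert.get("subjectAltName", ())}
    for rdn in cert.get("subject", ()):
        names.update(_norm(value) for key, value in rdn if key == "commonName")
    return names

def audit(config, cert):
    """Return findings for call-home URLs and verification settings in a config."""
    names, findings = cert_names(cert), []
    for line in (raw.strip() for raw in config.splitlines()):
        dest = re.match(r"destination address http (\S+)$", line)
        if dest:
            url = urlsplit(dest.group(1))
            if url.scheme != "https":
                findings.append(f"cleartext call-home URL: {dest.group(1)}")
            elif _norm(url.hostname or "") not in names:
                findings.append(f"URL host {url.hostname} is not in certificate names {sorted(names)}")
        elif line == "revocation-check none":
            findings.append("trustpoint revocation checking is disabled")
        elif line == "http client secure-verify-peer disable":
            findings.append("TLS peer verification is disabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_CERT):
        print(finding)
```

With the sample as given, the IP-based URL is reported because the certificate only carries the name "CiscoSatellite"; replacing the IP with that name clears the finding.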



Hello Adorins,


I got it to work on port 80, but there is still an issue with the CSSM certificate, same as you: when I change my hostname in the network tab and the security tab for the certificate, save and do a full sync, the CN does not change in the certificate; I mean I still find the last hostname.


Do you have any idea about this issue?


thanks in advance




What sat version are you using? Did you try to restart the server after a hostname change?





Thanks for your reply.

I am running version 6.3.

Please see below:





Yes reboot is done after Full sync.





I would recommend to upgrade to v7 if you can.

Everything looks OK in your screenshots. I do not have much experience with satellite; it is not yet in production in my network.

I had the same config but with a hostname instead of an IP address. At the beginning of v6 it was not possible to use an IP address in the configuration, just a hostname. Maybe this is still in place.

It was supposed to use a hostname in the switch config and then resolve it to an IP address. Because we do not configure DNS on our network equipment, I was forced to add a static resolution in the switch configuration. With an IP address it was just not possible to use HTTPS.

And I also had no luck making a scheduled sync work in v6. V7 solved this problem




I've picked up the case and upgraded to V7-202001, performed a full sync, but HTTPS communication with the CSSM doesn't seem to work, even after a full sync. I believe the issue is with the hostname that just can't be an IP address; could anyone please confirm this?


Thank you for your assistance.




If anyone is trying to register an ASA with an on-prem Smart Software Manager and is getting a Connect_Failed(35) error due to certificate validation problems, you can get to the needed CAs from the on-prem box via ssh access. The same problem could also be impacting the Catalyst 9k series as well, though I haven't had the chance to test this yet.


The needed cert is located on your on-prem box at /home/deployer/ssl/product.pem


There is a total of three certificates in that chain and you will need to import two of the CAs.  You will need the CA of CiscoLicenseRootCA and TG-SSL CA.   I have used

to decode the certs from the product.pem to see what is what and import them one at a time.  

If you have time and want to see a video of what I did feel free to check out:


Cheers and hope this helps.


