Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4361
Views
0
Helpful
13
Replies

FirePOWER Smart Licensing / Satellite Server

GRANT3779
Spotlight
Spotlight

‎05-31-2018 03:08 AM - edited ‎02-21-2020 07:49 AM

Hi CSC (Marvin... I hope you are lurking :-) )

 

I am trying to register our FMC against our internal Sat Server (both on same subnet). I would have expected this to be painless enough.

On the FMC - System / Integration / Smart Software Licensing.

Connect to Cisco Software Satellite Server and using the following URL of my SAT Server

 

https://x.x.x.x:8443/Transportgateway/services/DeviceRequestHandler

 

Click Apply and it saves config (doesn't look like any actual checks are done here - just saves what you put in)

I then go to System / Licenses / Smart Licenses / Register and stick in my token and Apply Changes.

It thinks about it for a while and I get the following error which seems to be quite generic -

 

Error
Failed to send the message to the server. Please verify the DNS Server/HTTP Proxy settings.

Am I missing something obvious here? Not sure why DNS or HTTP Proxy would come into it as I use IP address in the URL and comms between FMC and the Sat Server should be layer 2 only.

 

1 person had this problem
Labels:
0 Helpful
13 Replies 13

Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-31-2018 04:38 AM

@GRANT3779,

 

Yes the error is pretty generic and mostly unhelpful, even misleading, in your case.

 

You didn't mention if you put in the satellite server certificate on your FMC. It will need that to trust the SSL certificate in order to establish an SSL/TLS session.

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/licensing_the_firepower_system.html#task_F5157FCDC3814D7D9A9D0ED4A87C9488

0 Helpful

GRANT3779
Spotlight
Spotlight
In response to Marvin Rhoads

‎05-31-2018 04:53 AM

@Marvin Rhoads

 

Hi Marvin,

 

For the Certificate side of things - Looking through previous documents and the one you posted, it seems to provide a link to the following https://www.cisco.com/security/pki/certs/clrca.cer

 

Is this the certificate I would need to use also for calling to my internal satellite server from the FMC? Or is that cert only if calling to Cisco direct?

 

 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to GRANT3779

‎05-31-2018 04:59 AM

Yes - that's the certificate for the Cisco Licensing root CA.

 

If your FMC trusts that, I believe it should then trust the Satellite server since it has a certificate issued by that CA.

0 Helpful

GRANT3779
Spotlight
Spotlight
In response to Marvin Rhoads

‎06-06-2018 02:32 PM

Ended up getting TAC on this one. 

Few things seemed to be causing an issue. Rather than use the ip address of the sat server within the integration tab of FMC, we used the domain name (ensure dns entry is created). Also used port 443 when pointing the FMC to the SS URL. I was using port 8443, same as i used for https link, but seems 443 is used for the communication between actual SS and FMC. 

0 Helpful

MKH
Level 1
Level 1
In response to Marvin Rhoads

‎11-27-2018 03:55 AM - edited ‎11-27-2018 03:57 AM

Hello

Could you solve your problem.

I think my problem is as yours.

I used below link in FMC to connect it to smart server manager satellite.

URL >>> https://<Smart License Satellite Server IP>:8443

but I couldn’t register FMC in satellite server and I confront with below message:

“Failed to send the message to the server. Please verify the DNS Server/HTTP Proxy settings.”

Is my inserted URL correct?

I have a little doubt about it.

Thank you.

0 Helpful

Abheesh Kumar
VIP Alumni
VIP Alumni
In response to MKH

‎11-27-2018 05:35 AM

Hi,

You are using the below url to register FMC..?

1.png

2.png

add the ssl cert from http://www.cisco.com/security/pki/certs/clrca.cer

If the url copied from satellite server didn't works then try the same url with HTTP and try to register with FMC

 

HTH

Abheesh

 

0 Helpful

MKH
Level 1
Level 1
In response to Abheesh Kumar

‎11-27-2018 07:51 AM

Hi

Can you explain me how can I get to the page that you show in first page?

Thank you

0 Helpful

Abheesh Kumar
VIP Alumni
VIP Alumni
In response to MKH

‎11-27-2018 07:54 AM

hi,
From the smart satellite server you can get the url to register with FMC.
0 Helpful

MKH
Level 1
Level 1
In response to Abheesh Kumar

‎11-27-2018 09:25 AM

Hi

I know, but I don't have this url in my satellite.

Thanks.

 

Preview file
38 KB
0 Helpful

Abheesh Kumar
VIP Alumni
VIP Alumni
In response to MKH

‎11-27-2018 09:33 AM

i think you dont have a satellite server, Once you register your satellite server to Cisco smart licensing portal you cannot generate tokens from cisco portal. Token need to generated from Satellite server.

HTH
Abheesh
0 Helpful

MKH
Level 1
Level 1
In response to Abheesh Kumar

‎11-27-2018 09:45 AM - edited ‎11-27-2018 09:48 AM

Hi

It was the picture of our satellite server that I have sent you.

Do I need to buy licence for binding FMC to satellite server?

Thanks.

0 Helpful

Abheesh Kumar
VIP Alumni
VIP Alumni
In response to MKH

‎11-27-2018 09:49 AM - edited ‎11-27-2018 10:06 AM

which version of satellite server your running...???

 

https://software.cisco.com/download/home/286285506/type/286285517/os/Linux/release/6.1.0

0 Helpful

Abheesh Kumar
VIP Alumni
VIP Alumni
In response to MKH

‎11-27-2018 09:55 AM

No need of separate license.
Satellite severer is the offline method of FTD licensing.

HTH
Abheesh
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card