06-24-2022 12:30 AM
Hi guys,
I am running a two-node deployment with a fresh ISE 3.1 patch 3 installation.
Every few days I am getting an alarm like this:
Alarms: Smart Licensing Authorization Renewal Failure, with description when I open the alarm "Smart Licensing Authorization Renewal Failure: Details=Communication send error."
I have checked the firewall; there is no block from the ISE servers, and communication is allowed at the exact timestamp of the alarm (I can see it in the firewall logs).
Also, I see on the Licensing page, in the "Last Authorization" column, that there was a successful authorization a few hours after the alarm timestamp.
Is anyone else experiencing similar behavior? Is it a bug, and is there some workaround?
It's not affecting production in any way; I am just getting alarms approx. every second day for this matter.
Thanks a lot in advance!
Regards,
Milos
06-24-2022 05:01 AM
Yup, this is a common issue across multiple Cisco Smart Licensed products; not just ISE. It seems to be related to the backend Smart Licensing systems. Not sure if it's unable to handle the load from customer products, some sort of DDoS protection, or what. These can be safely ignored as ISE does have a grace period.
06-24-2022 06:48 AM
Hi,
I couldn't find any pattern in this, apart from it happening every day or every second day, although, as I said, it is not having any impact on production, as the next authorization following the failed one is generally always successful.
Regards,
Milos
06-24-2022 07:06 AM
Exactly the same behavior I am seeing across ISE, FMC, FDM, switches, etc. The issue has to be somewhere in the backend of the Smart Licensing system.
06-24-2022 12:44 PM
Hi guys,
Thanks a lot for the answers; you confirmed for me that there is nothing wrong with my ISE deployment.
Regards,
Milos
06-27-2022 11:49 PM
Hi to all,
Just posting an update, as it looks like I have solved the issue.
So, first question to everyone experiencing the same problem: are you guys decrypting HTTPS traffic?
In my case, I am, and although the ISE servers are matching a bypass rule, it was the last bypass rule, after a few URL bypass rules, meaning the initial traffic is going to be decrypted in order to determine whether the traffic should be bypassed based on URL category.
When I configured a hard bypass (by setting the source IP addresses of the ISE servers) before any kind of URL bypass rule, the warning stopped, and for the last 5 days not even one has appeared.
Regards,
Milos
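A small model of the rule-ordering problem described in this post, as an added example that is not part of the original thread and not any vendor's configuration format. The `Rule` fields, rule names and addresses are constructed, and the code assumes, as the post describes, that a URL-category rule makes the firewall look inside the connection before it can move on.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    name: str
    action: str                          # "bypass" or "decrypt"
    src: Optional[str] = None            # source CIDR; None means any source
    url_category: Optional[str] = None   # None means the rule matches on IP alone


def inspected_before_ip_bypass(rules: List[Rule], src_ip: str) -> Optional[List[str]]:
    """Walk the policy top-down for one source address.

    Returns the URL-category rules evaluated before an IP-only bypass rule
    matches (each one needs the connection inspected first), or None when
    no IP-only bypass rule is reached for this source.
    """
    ip = ip_address(src_ip)
    inspected = []
    for rule in rules:
        if rule.src is not None and ip not in ip_network(rule.src):
            continue                      # source does not match, rule skipped
        if rule.url_category is not None:
            inspected.append(rule.name)   # category lookup needs inspection
            continue
        return inspected if rule.action == "bypass" else None
    return None


# Constructed policies: 10.0.0.10 stands in for an ISE node.
BEFORE = [
    Rule("url-bypass-finance", "bypass", url_category="finance"),
    Rule("url-bypass-health", "bypass", url_category="health"),
    Rule("ip-bypass-ise", "bypass", src="10.0.0.8/29"),
    Rule("decrypt-all", "decrypt"),
]
AFTER = [BEFORE[2], BEFORE[0], BEFORE[1], BEFORE[3]]  # IP bypass moved to the top

if __name__ == "__main__":
    print("before:", inspected_before_ip_bypass(BEFORE, "10.0.0.10"))
    print("after: ", inspected_before_ip_bypass(AFTER, "10.0.0.10"))
```

An empty list means the source is exempted on its address alone; a non-empty list names the rules that would need reordering.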
06-28-2022 03:52 AM - edited 06-28-2022 04:17 AM
If you have your HTTPS decryption certificate trusted in ISE for "Cisco Services" I see no technical reason why you couldn't still keep decrypting the traffic. Not sure what the value of that would be though.
06-28-2022 04:03 AM
None of my customers who are experiencing this problem (> 10 of them) have SSL/TLS decryption (or proxy server or restriction of outbound traffic in any way) enabled.
06-28-2022 05:36 AM
Hi,
Well, I really don't see any reason for decrypting this traffic, so I want it to bypass decryption for the ISE servers.
My problem was with the bypass hitting some URL bypass rules, as I explained, and by putting in an IP bypass, it looks like it solved the issue for me.
Either way, I just wanted to post, as maybe someone will have the same scenario as me.
If the warning comes up again, I will update here as well; it could be just a strange coincidence of configuring the IP bypass and the warnings not showing up for many days...
Regards,
Milos
06-28-2022 01:49 PM
I have a TAC case open for this in ISE 3.0. If they come up with anything useful as a resolution I will let you know. I have never had a good experience with Smart Licensing; as much as I find the concept interesting, the implementation leaves me unimpressed.
06-28-2022 11:04 PM
Hi @Arne Bier and @milos_p ,
please take a look at CSCwa79591 Smart Licensing Authorization Renewal Failure:Communication send error.
Note: unfortunately every time I click the link I am redirected to the following CSCwa72274 Intermittent "Communication Send error" while registering to smart licensing, hope that someone could change that, I would like to read the entire CSCwa79591 info : ) !!!
Hope this helps !!!
06-29-2022 12:58 AM
Hi,
Just checked bug info, says "Bug CSCwa79591 is a duplicate of the bug displayed below" as it redirects to CSCwa72274 .
"Conditions: This issue is seen intermittently when backend systems are overloaded"
Workaround: System retries would automatically eventually get the messages thru, if not manual execution of authorization renewal or sync commands would send the data.
No fixes available.
BTW, bug CSCwa72274 is related to Cisco License Manager, at least this is what's written in details section.
Just to point out again, as it is really funny, but with the bypass that I implemented, I still haven't gotten any warning for the last 5 days.
06-29-2022 07:44 AM
Hi @milos_p ,
thanks, but I would like to read the entire info from the CSCwa79591 bug (please take a look at the picture that I provided, I'm not able to check the "Conditions") ... I think that CSCwa79591 provided a better description of the issue.
Regards
06-29-2022 08:47 AM
Hi Marcelo,
When I click on the link you provided, it takes me right here: