Cisco ISE 3.1 - Alarms: Smart Licensing Authorization Renewal Failure

milos_p
Level 1

Hi guys,

I am running a two-node deployment with a fresh ISE 3.1 patch3 installation.

Every few days I am getting an alarm like this:

Alarms: Smart Licensing Authorization Renewal Failure, with this description when I open the alarm: "Smart Licensing Authorization Renewal Failure: Details=Communication send error."

I have checked the firewall; there is no block from the ISE servers, and communication is allowed at the exact timestamp of the alarm (I can see it in the firewall logs).

I also see on the Licensing page, in the "Last Authorization" column, that there was a successful authorization a few hours after the alarm timestamp.

Is anyone else experiencing similar behavior? Is it a bug, and is there some workaround?

It's not affecting production in any way; I am just getting alarms approx. every second day for this matter.

Thanks a lot in advance!

Regards,

Milos


Yup, this is a common issue across multiple Cisco Smart Licensed products, not just ISE. It seems to be related to the backend Smart Licensing systems. Not sure if it's unable to handle the load from customer products, some sort of DDoS protection, or what. These can be safely ignored as ISE does have a grace period.

Hi,

I couldn't find any pattern in this, apart from the fact that it's happening every day or every second day, although, as I said, it is not having any impact on production, as the next authorization following the failed one is generally always successful.

Regards,

Milos

Exactly the same behavior I am seeing across ISE, FMC, FDM, switches, etc.  The issue has to be somewhere in the backend of the Smart Licensing system.

Marvin Rhoads
Hall of Fame

I see the same as @ahollifield mentioned - across multiple customers and products in different states. It is definitely a Cisco backend system issue.

milos_p
Level 1

Hi guys,

Thanks a lot for the answers; you confirmed for me that there is nothing wrong with my ISE deployment.

Regards,

Milos

milos_p
Level 1

Hi to all,

Just posting an update, as it looks like I have solved the issue.

So, first question to everyone experiencing the same problem: are you guys decrypting HTTPS traffic?

In my case, I am, and although the ISE servers are matching a bypass rule, it was the last bypass rule after a few URL bypass rules, meaning the initial traffic is going to be decrypted in order to determine whether the traffic should be bypassed based on URL category.

When I configured a hard bypass (by setting the source IP addresses of the ISE servers) before any kind of URL bypass rule, the warning stopped, and for the last 5 days not even one has appeared.

Regards,

Milos
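The rule-ordering effect described in the post above, modelled as an added example (it is not part of the thread and not any firewall vendor's policy format). The rule names, fields and addresses are constructed, and the model assumes, as the post states, that evaluating a URL-category rule requires the firewall to look inside the start of the session.

```python
import ipaddress

# Constructed first-match decryption policies; rule names, fields and addresses are hypothetical.
URL_RULES = [
    {"name": "bypass-finance-urls", "match": "url_category", "value": "finance", "action": "bypass"},
    {"name": "bypass-health-urls", "match": "url_category", "value": "health", "action": "bypass"},
]
ISE_BYPASS = {"name": "bypass-ise-nodes", "match": "source_ip", "value": "10.0.10.0/30", "action": "bypass"}
DECRYPT_ALL = {"name": "decrypt-all", "match": "source_ip", "value": "0.0.0.0/0", "action": "decrypt"}

POLICY_BEFORE = URL_RULES + [ISE_BYPASS, DECRYPT_ALL]    # IP bypass placed after the URL rules
POLICY_AFTER = [ISE_BYPASS] + URL_RULES + [DECRYPT_ALL]  # hard IP bypass placed first


def audit_host(policy, host):
    """Walk the policy for one source host and report which URL-based rules are
    consulted before a source-IP rule decides the session."""
    addr = ipaddress.ip_address(host)
    consulted = []
    for rule in policy:
        if rule["match"] == "url_category":
            # Assumption taken from the post: a URL-category rule can only be
            # evaluated after the session has been opened up. Worst case is
            # modelled: the destination matches none of these categories.
            consulted.append(rule["name"])
        elif addr in ipaddress.ip_network(rule["value"]):
            return {"decided_by": rule["name"], "action": rule["action"],
                    "consulted_first": consulted}
    return {"decided_by": None, "action": "default", "consulted_first": consulted}


def shadowed_bypasses(policy, hosts):
    """Hosts that end up bypassed by IP, but only after URL-based rules were consulted."""
    findings = {}
    for host in hosts:
        result = audit_host(policy, host)
        if result["action"] == "bypass" and result["consulted_first"]:
            findings[host] = result["consulted_first"]
    return findings


if __name__ == "__main__":
    ise_nodes = ["10.0.10.1", "10.0.10.2"]  # constructed ISE node addresses
    for label, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(label, shadowed_bypasses(policy, ise_nodes))
```
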

If you have your HTTPS decryption certificate trusted in ISE for "Cisco Services" I see no technical reason why you couldn't still keep decrypting the traffic.  Not sure what the value of that would be though.  

None of my customers who are experiencing this problem (> 10 of them) have SSL/TLS decryption (or proxy server or restriction of outbound traffic in any way) enabled.

milos_p
Level 1

Hi,

Well, I really don't see any reason for decrypting this traffic, so I want it to bypass decryption for the ISE servers.

My problem was with the bypass hitting some URL bypass rules, as I explained, and putting in an IP bypass looks like it solved the issue for me.

Either way, I just wanted to post, as maybe someone will have the same scenario as me.

If the warning comes up again, I will update here as well; it could be just a strange coincidence of configuring the IP bypass and warnings not showing up for many days...

Regards,

Milos

Arne Bier
VIP

I have a TAC case open for this in ISE 3.0. If they come up with anything useful as a resolution I will let you know. I have never had a good experience with Smart Licensing, as much as I find the concept interesting, the implementation leaves me unimpressed.

Hi @Arne Bier and @milos_p,

Please take a look at CSCwa79591 Smart Licensing Authorization Renewal Failure:Communication send error.

[Screenshot: CSCwa79591.png]

Note: unfortunately, every time I click the link I am redirected to the following: CSCwa72274 Intermittent "Communication Send error" while registering to smart licensing. I hope that someone could change that; I would like to read the entire CSCwa79591 info : ) !!!

Hope this helps !!!

Hi,

Just checked the bug info; it says "Bug CSCwa79591 is a duplicate of the bug displayed below" as it redirects to CSCwa72274.

"Conditions: This issue is seen intermittently when backend systems are overloaded"

Workaround: System retries would automatically eventually get the messages thru, if not manual execution of authorization renewal or sync commands would send the data.

No fixes available.

BTW, bug CSCwa72274 is related to Cisco License Manager; at least this is what's written in the details section.

Just to point out again, as it is really funny, but with the bypass that I implemented, I still haven't gotten any warning for the last 5 days.

Hi @milos_p,

Thanks, but I would like to read the entire info from the CSCwa79591 bug (please take a look at the picture that I provided; I'm not able to check the "Conditions") ... I think that CSCwa7951 provided a better description for the issue.

Regards

Hi Marcelo,

When I click on the link you provided, it takes me right here:

[Screenshot: CSCwa79591.PNG]