Solved: ISE 2.4 Convert From Traditional to SMART Licensing

ChuckMcF · ‎05-04-2018

We're rolling out a new deployment of ISE 2.4. We're still in the 90-day trial and everything is working as expected. Now we're trying to convert to SMART licensing. Seems straight forward - Admin/Sys/Lic then click Cisco SMART Licensing, choose Direct HTTPS and wait for it to connect. Problem is that it never connects. We can see the traffic leave our FW headed to 173.37.145.8 (tools.cisco.com) as expected however we never get a response. Checked routes and firewall settings, all are correct. Anyone else able to configure SMART licensing with ISE 2.4 or had similar issues?

ChuckMcF · ‎05-14-2018

Thank you for your responses. To answer some questions: no proxy, firewall logs shows traffic in and out as expected, licenses are in SMART account.

The issue happens when you initially click "Enable SMART licensing." You can watch the traffic leave the network to the appropriate IP and return however the attempt eventually times out.

We opened a ticket with TAC but none of the suggestions ever ended in success. So we shut off the 2.4 VMs and rebuilt new 2.3 VMs (2 PAN, 2 PSN). While in version 2.3 we were able to add our SMART account (took seconds) with no issues.

The issue is resolved, looks like it's a bug with 2.4.

View solution in original post

nspasov · ‎05-06-2018

A couple of questions:

1. Do you have a proxy in your environment?

2. What does your smart licensing portal show?

Thank you for rating helpful posts!

RichardAtkin · ‎05-07-2018

Not done it myself yet, but as you can see the traffic going out, I'd start by checking your Smart License Portal. Does it actually have the licenses in it and have you accepted the Ts & Cs that go with them?

Arne Bier · ‎05-07-2018

I can only speak of my own experience in ISE 2.3 (patch 2) and Smart Licensing.

If your PAN nodes are lucky enough to have access to the internet then you should be able to choose Direct HTTPS, but I had to use an authenticated Proxy. However, the proxy works for things like SMS Gateway, but it does not work for Smart Licensing (I have a bug ID for that). I had to get my proxy guys to whitelist the PAN nodes to allow them through the proxy without presenting authentication credentials. Once I did that it all worked. The remote end is tools.cisco.com and it's a TLS connection.

When you say it never connects, what errors are you getting exactly?

Another approach is to use the Satellite Server - we started using that now because our Prime, WLC and ISE are all using Smart Licensing. Since this server is on the trusted intranet, all those Cisco products connect easily to it. Then the Satellite server builds one connection to tools.cisco.com and manages all that stuff. It's pretty clever.

ChuckMcF · ‎05-14-2018

Thank you for your responses. To answer some questions: no proxy, firewall logs shows traffic in and out as expected, licenses are in SMART account.

The issue happens when you initially click "Enable SMART licensing." You can watch the traffic leave the network to the appropriate IP and return however the attempt eventually times out.

We opened a ticket with TAC but none of the suggestions ever ended in success. So we shut off the 2.4 VMs and rebuilt new 2.3 VMs (2 PAN, 2 PSN). While in version 2.3 we were able to add our SMART account (took seconds) with no issues.

The issue is resolved, looks like it's a bug with 2.4.