HOLGER ALIX
Beginner

ISE smart license with CSSM on-prem (v8-202006)

We use ISE 2.4 (and 2.6) with Smart license.
According to the ISE Admin Guide the "Cisco Smart Software Manager satellite" with Smart Callhome is not supported. But there is an option "transport gateway" which is supported.
The newer CSSM satellites (version 8-202006) (now called CSSM on-prem) offer 2 different URLs: a) "SmartCallhome" (for legacy products) and b) "smart transport".
But I can't find any hint whether this "Smart Transport" method can also make the "CSSM on-prem" usable for ISE.

Has anyone tried or read this?

 


poongarg
Cisco Employee

I believe both options are the same. On ISE, we need to select the transport gateway checkbox, and on CSSM on-prem we need to use the Smart Transport option.
However, I have not tested this.
rkazmierczak
Beginner

I wonder if anyone else knows the answer to this. It's certainly a bit confusing (admin guide vs. contextual help). Does ISE support CSSM on-prem?

 

 

See a similar community post discussion here.

No version of ISE currently supports CSSM satellite (on-prem).


Is this still the case?

We are running ISE v3.0, and according to the ISE docs this is supposed to work:

https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ISE_admin_3_0/m_Licensing30.html#concept_lnz_tmr_h4b

However, it specifically says there is a dropdown option called "SSM On-Prem Server" for the 'Connection Method'.

EDIT: Looking at our ISE right now, with the latest ISE patch it DOES have this option. The original release of ISE v3.0 DOES NOT have this dropdown option.

 

That would be correct, it's supported as of 3.0 patch 2. This was an old thread so at the time Greg answered this it was accurate. 

"New Features in Cisco ISE, Release 3.0 - Cumulative Patch 2

Licensing Methods for Air-Gapped Networks

Cisco ISE Release 3.0 Patch 2 supports the following licensing solution for air-gapped networks:

  • Smart Software Manager (SSM) On-Prem Connection Method

    SSM On-Prem is a connection method in which you configure an SSM On-Prem server that manages smart licensing in your Cisco ISE-enabled network. With this connection method, Cisco ISE does not require a persistent connection to the Internet."

Can we get the details of which ports are required?

 

Our ISE is currently saying it can't communicate to the On-Prem SSM server. Trying to determine if it is a port issue, or maybe it is because we don't have an SSL cert installed on either ISE or SSM yet.

 

Hi @DMel,

Please take a look at the following link: Cisco SSM On-Prem License Server. Search for "SSM On-Prem - Communication Channels and Ports".

"...
Cisco Products communicate with SSM On-Prem using the same protocol.
Protocol:
 User Interface: HTTPS (8443) Only
 Products: HTTP(80)/HTTPS(443)
 CSSM: HTTPS(443)
  Sync:
   api.cisco.com (old)
   swapi.cisco.com (new)
   Account Registration:
   cloudsso.cisco.com
..."

 

Hope this helps !!!

 

 

 

pan
Cisco Employee

Cisco ISE Release 3.0 Patch 2 supports the following licensing solution for air-gapped networks:

  • Smart Software Manager (SSM) On-Prem Connection Method

    SSM On-Prem is a connection method in which you configure an SSM On-Prem server that manages smart licensing in your Cisco ISE-enabled network. With this connection method, Cisco ISE does not require a persistent connection to the Internet.

Finally got this to work. My issue was something with the SSL cert we have on our SSM Server.

Hi, 

Can you tell me the solution? Same problem here, I guess it's because of the SSL cert.

Kind regards

As stated above, you have to be running ISE 3.0sp2 or above. Cisco just introduced this functionality in that update.

 

Make sure you have the SSM on-prem SSL CA cert installed on the ISE installation, so that ISE can accept the SSL Chain that SSM uses.

 

And from my understanding, of course, you have to have port 443 open from ISE to SSM.
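The two causes raised in this thread (port 443 not reachable versus an SSM On-Prem certificate chain the client does not trust) can be told apart with a short check. This is an added example, not code from the thread or from Cisco; it runs from whatever host you start it on, not from ISE itself, and the CA file is an assumed PEM export of the SSM On-Prem CA certificate.

```python
import socket
import ssl
import sys

# OpenSSL verify codes that mean the presented chain does not lead to a trusted CA.
UNTRUSTED_CA_CODES = {18, 19, 20, 21}
HOSTNAME_MISMATCH = 62  # X509_V_ERR_HOSTNAME_MISMATCH


def classify_verify_error(code):
    """Map an OpenSSL verify code to a coarse cause."""
    if code in UNTRUSTED_CA_CODES:
        return "untrusted_ca"        # CA cert missing from the client's trust store
    if code == HOSTNAME_MISMATCH:
        return "hostname_mismatch"   # name used to connect is not in the certificate
    return "other_cert_error"        # e.g. expired or not yet valid


def check_ssm(host, port=443, cafile=None, timeout=5.0):
    """Return (result, detail) for one TCP + TLS attempt against host:port."""
    # With cafile set, only that CA is trusted, which mirrors a trust store
    # that contains nothing but the imported SSM On-Prem CA certificate.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Closed or filtered port, routing problem, or DNS failure.
        return "tcp_unreachable", str(exc)
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "ok", tls.version()
    except ssl.SSLCertVerificationError as exc:
        return classify_verify_error(exc.verify_code), exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        # Port is open but the peer did not complete a TLS handshake.
        return "tls_failed", str(exc)


if __name__ == "__main__":
    # Usage: script.py <ssm-hostname> [ca.pem]   (both values are yours to supply)
    if len(sys.argv) > 1:
        ca = sys.argv[2] if len(sys.argv) > 2 else None
        print(check_ssm(sys.argv[1], 443, cafile=ca))
```

A result of `tcp_unreachable` points at the firewall or routing path, while `untrusted_ca` points at the trust store rather than the network.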
