cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

3455
Views
4
Helpful
6
Replies
Highlighted
Cisco Employee

Smart Licensing on ISE: What is the exact URL ISE is talking to when using smart licensing?

Hi,

my customer would like to migrate from traditional licensing towards smart licensing. They want to use a proxy to have the ISE talking to the smart portal and want to configure this very resrective.

So the question here is: What exactly is the specific URL the ISE is talking to when using smart licensing?

Thanks in advance.

Roland

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

6 REPLIES 6
Highlighted
Cisco Employee

Highlighted

thanks for the link to the document.  I had some issues getting ISE 2.3 patch 1 talking to Smart Licensing because my customer forces all internet traffic to go through an authenticated proxy.  The tcpdump revealed that it was trying to talk to tools.cisco.com:443 - but it doesn't handle the proxy part at all (doesn't present the credentials).  We are able to use the same proxy for the SMS gateway.  I have a TAC case open for this.

Roland, I would be interested to know if you get it working through a proxy.

Highlighted

I found your TAC case. TAC is associating it with CSCvd93008 and checking with our engineering team.

Highlighted
Cisco Employee

Hi, just wondering if you finally got the proxy working for smart licensing?  If so did it required a patch or did you have a workaround for it?  Thank you.

Highlighted

Hello

We have it working now using the https proxy transport mode, but we had to make an exception on the proxy to not request authentication (because that's the issue with ISE - it will gladly use a proxy, but it doesn't remember to send the authentication credentials )

SO either you go https direct, or go https proxy, but with proxy whitelisting (just the IP's of the PAN nodes will do - we told them to whitelist those PAN IP's to go to tools.cisco.com).

There is a third option for Smart Licensing - use a Satellite Server on premise.  We have that working in some cases too and it works.  It means the ISE PANs talk to Satellite on prem and not to the internet.  The Satellite server talks to internet.

But there is an issue with ISE 2.4 and those new VM licenses.  If you happen to have purchased the more expensive license (like Medium_VM) but a node needs the Small_VM, then the Satellite server will tell you that your VM license is out of compliance.  This is a bug because Cisco allows for License Substitution - and that DOES work if you go direct to tools.cisco.com.

Go figure.

Highlighted

Thank you very much for your reply. I see most people just go back to traditional licensing until the proxy issue has been fixed so really appreciate your perseverance with this.