05-14-2025 07:23 AM
Hello,
I am trying to register an ASAv 9.18(4)53 to a Cisco SSM On-Prem Smart Licensing Server. On the ASA I get the following error:
%ASA-6-120003: Call-Home is processing license event Smart Licensing.
%ASA-6-725001: Starting SSL handshake with server inside:xxxxxxx/24359 to xxxxxx/443 for TLS session
%ASA-3-717009: Certificate validation failed. serial number: 01, subject name: CN=Cisco Licensing Root CA,O=Cisco.
%ASA-3-717027: Certificate chain failed validation. Generic validation failure occurred.
%ASA-4-120006: Call-Home license message to https://xxxxxxx.com/Transportgateway/services/DeviceRequestHandler failed. Reason: CONNECT_FAILED
%ASA-4-120005: Call-Home license message to https://xxxxxxx.com/Transportgateway/services/DeviceRequestHandler was dropped. Reason: CONNECT_FAILED
%ASA-3-444303: %SMART_LIC-3-COMM_FAILED:Communications failure with the Cisco Smart Software Manager (CSSM) : Communication message send error
So the issue is that the certificate validation fails. Trying it with http instead of https works fine.
Shouldn't that certificate exist on the ASA by default? Or do I need to install the Cisco Licensing Root CA manually?
If I check the certificates on the ASA I see the following:
CA Certificate
Status: Available
Certificate Serial Number: 0a0142800000014523c844b500000002
Certificate Usage: General Purpose
Public Key Type: RSA (4096 bits)
Signature Algorithm: RSA-SHA256
Issuer Name:
CN=IdenTrust Commercial Root CA 1
O=IdenTrust
C=US
Subject Name:
CN=IdenTrust Commercial Root CA 1
O=IdenTrust
C=US
Validity Date:
start date: 18:12:23 UTC Jan 16 2014
end date: 18:12:23 UTC Jan 16 2034
Storage: config
Associated Trustpoints: _SmartCallHome_ServerCA
CA Certificate
Status: Available
Certificate Serial Number: 0509
Certificate Usage: General Purpose
Public Key Type: RSA (4096 bits)
Signature Algorithm: RSA-SHA1
Issuer Name:
CN=QuoVadis Root CA 2
O=QuoVadis Limited
C=BM
Subject Name:
CN=QuoVadis Root CA 2
O=QuoVadis Limited
C=BM
Validity Date:
start date: 18:27:00 UTC Nov 24 2006
end date: 18:23:33 UTC Nov 24 2031
Storage: config
Associated Trustpoints: _SmartCallHome_ServerCA2
Thanks for your help!
Marius
05-15-2025 01:32 AM
I fixed it by replacing the product.pem certificate on the licensing server's frontend Docker container, which was self-signed (Cisco Licensing Root), with a certificate signed by my company, which is also deployed to our devices. Now it works.
05-14-2025 01:08 PM
Can you share the outputs from the following commands:
05-14-2025 10:25 PM
Sure. Removed any company data from the outputs (companyxyz and xxx sections). No Cisco Licensing Root is currently installed, which brings me back to my question of whether I need to do it manually and why it is not on the ASA by default.
show version
Cisco Adaptive Security Appliance Software Version 9.18(4)53
SSP Operating System Version 2.12(1.96)
Device Manager Version 7.18(1)152
Compiled on Thu 20-Feb-25 05:43 GMT by builders
System image file is "disk0:/asa9-18-4-53-smp-k8.bin"
Config file at boot was "startup-config"
xxxxxxx up 54 mins 14 secs
Start-up time 11 secs
Hardware: ASAv, 2048 MB RAM, CPU Pentium II 2000 MHz,
Internal ATA Compact Flash, 1024MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x1, 0KB
0: Ext: Management0/0 : address is 0050.56ad.cf70, irq 10
1: Ext: GigabitEthernet0/0 : address is 0050.56ad.8e28, irq 7
2: Ext: GigabitEthernet0/1 : address is 0050.56ad.8dc6, irq 9
3: Ext: GigabitEthernet0/2 : address is 0050.56ad.46ba, irq 11
4: Ext: GigabitEthernet0/3 : address is 0050.56ad.1a8f, irq 10
5: Ext: GigabitEthernet0/4 : address is 0050.56ad.b126, irq 7
6: Ext: GigabitEthernet0/5 : address is 0050.56ad.8abd, irq 9
7: Ext: GigabitEthernet0/6 : address is 0050.56ad.9e3b, irq 11
8: Ext: GigabitEthernet0/7 : address is 0050.56ad.76a0, irq 10
9: Ext: GigabitEthernet0/8 : address is 0050.56ad.11e1, irq 7
10: Int: Internal-Data0/0 : address is 0000.0100.0001, irq 0
License mode: Smart Licensing
ASAv Platform License State: Unlicensed
Active entitlement: ASAv-STD-1G, enforce mode: Eval period
Firewall throughput limited to 100 Kbps
Licensed features for this platform:
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 2
AnyConnect Essentials : Disabled
Other VPN Peers : 250
Total VPN Peers : 250
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
Advanced Endpoint Assessment : Disabled
Shared License : Disabled
Total TLS Proxy Sessions : 2
Botnet Traffic Filter : Enabled
Cluster : Enabled
Serial Number: xxx
Image type : Release
Key version : A
Configuration has not been modified since last system restart.
show run call-home
no call-home reporting anonymous
call-home
contact-email-addr sch-smart-licensing@cisco.com
source-interface inside
profile License
destination address http https://xxxxxx.com/Transportgateway/services/DeviceRequestHandler
destination transport-method http
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
show crypto ca certificates
CA Certificate
Status: Available
Certificate Serial Number: 0a0142800000014523c844b500000002
Certificate Usage: General Purpose
Public Key Type: RSA (4096 bits)
Signature Algorithm: RSA-SHA256
Issuer Name:
CN=IdenTrust Commercial Root CA 1
O=IdenTrust
C=US
Subject Name:
CN=IdenTrust Commercial Root CA 1
O=IdenTrust
C=US
Validity Date:
start date: 18:12:23 UTC Jan 16 2014
end date: 18:12:23 UTC Jan 16 2034
Storage: config
Associated Trustpoints: _SmartCallHome_ServerCA
CA Certificate
Status: Available
Certificate Serial Number: 0509
Certificate Usage: General Purpose
Public Key Type: RSA (4096 bits)
Signature Algorithm: RSA-SHA1
Issuer Name:
CN=QuoVadis Root CA 2
O=QuoVadis Limited
C=BM
Subject Name:
CN=QuoVadis Root CA 2
O=QuoVadis Limited
C=BM
Validity Date:
start date: 18:27:00 UTC Nov 24 2006
end date: 18:23:33 UTC Nov 24 2031
Storage: config
Associated Trustpoints: _SmartCallHome_ServerCA2
CA Certificate
Status: Available
Certificate Serial Number: xxx
Certificate Usage: Signature
Public Key Type: RSA (4096 bits)
Signature Algorithm: RSA-SHA256
Issuer Name:
CN=COMPANYXYZ Root CA 2
O=COMPANYXYZ
C=XX
Subject Name:
CN=COMPANYXYZ Root CA 2
O=COMPANYXYZ
C=XX
Validity Date:
start date: 07:59:43 UTC Oct 4 2018
end date: 08:09:42 UTC Oct 4 2048
Storage: config
Associated Trustpoints: COMPANYXYZ-Root-CA2
show run all | in ssl
id-usage ssl-ipsec
no ignore-ssl-keyusage
id-usage ssl-ipsec
no ignore-ssl-keyusage
validation-usage ipsec-client ssl-client
id-usage ssl-ipsec
no ignore-ssl-keyusage
validation-usage ipsec-client ssl-client
id-usage ssl-ipsec
no ignore-ssl-keyusage
validation-usage ipsec-client ssl-client
id-usage ssl-ipsec
no ignore-ssl-keyusage
validation-usage ipsec-client ssl-client
id-usage ssl-ipsec
no ignore-ssl-keyusage
ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1.2
ssl cipher default high
ssl cipher tlsv1 fips
ssl cipher tlsv1.1 fips
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256"
ssl cipher dtlsv1 fips
ssl cipher dtlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256"
ssl dh-group group15
ssl ecdh-group group19
ssl certificate-authentication fca-timeout 2
no ssl-server-check
anyconnect ssl dtls enable
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method none
anyconnect ssl compression none
anyconnect ssl df-bit-ignore disable
compression anyconnect-ssl http-comp
show run crypto ca trustpoint
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint _SmartCallHome_ServerCA2
no validation-usage
crl configure
crypto ca trustpoint COMPANYXYZ-Root-CA2
enrollment terminal
crl configure
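The failure and the fix in this thread come down to one check: whether the certificate the SSM On-Prem frontend presents on 443 chains to a CA the ASA holds as a trust anchor, and whether it carries the hostname used in the call-home destination address. The Go program below is an added example, not code from the thread, from Cisco or from the SSM On-Prem product; it replays that check offline with Go's standard x509 verifier standing in for the ASA's Call-Home TLS client. The hostname ssm-onprem.example.com and the generated keys and certificates are constructed for the example; the CA names mirror the ones in the syslog and trustpoint output above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const ssmHost = "ssm-onprem.example.com" // constructed stand-in for the redacted SSM On-Prem host

// mustCert generates a key for tmpl and signs it with signer (self-signed when signer is nil).
func mustCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newRoot builds a self-signed CA such as the SSM On-Prem default "Cisco Licensing Root CA" or a
// company root. Serial 1 mirrors the "serial number: 01" in the %ASA-3-717009 message.
func newRoot(cn, org string) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return mustCert(tmpl, tmpl, nil)
}

// issueServerCert issues the server certificate (product.pem on the frontend) for host under root.
func issueServerCert(host string, root *x509.Certificate, rootKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _ := mustCert(tmpl, root, rootKey)
	return cert
}

// validateAsClient chains the presented cert to a configured trust anchor and checks the hostname.
func validateAsClient(leaf *x509.Certificate, anchors []*x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var unknown x509.UnknownAuthorityError
	if errors.As(err, &unknown) { // the %ASA-3-717009 / 717027 case in the thread
		return fmt.Errorf("certificate chain failed validation: issuer %q is not a trust anchor", leaf.Issuer.CommonName)
	}
	return err // nil, or a hostname/validity error from the verifier
}

// runScenario replays the thread against an ASA that trusts only the company root (trustpoint
// COMPANYXYZ-Root-CA2): default self-signed product.pem, the company-signed replacement, and a
// company-signed cert whose name does not match the call-home destination address.
func runScenario() (errDefault, errFixed, errWrongName error) {
	ciscoRoot, ciscoKey := newRoot("Cisco Licensing Root CA", "Cisco")
	companyRoot, companyKey := newRoot("COMPANYXYZ Root CA 2", "COMPANYXYZ")
	anchors := []*x509.Certificate{companyRoot}
	errDefault = validateAsClient(issueServerCert(ssmHost, ciscoRoot, ciscoKey), anchors, ssmHost)
	errFixed = validateAsClient(issueServerCert(ssmHost, companyRoot, companyKey), anchors, ssmHost)
	errWrongName = validateAsClient(issueServerCert("other.example.com", companyRoot, companyKey), anchors, ssmHost)
	return
}

func main() {
	errDefault, errFixed, errWrongName := runScenario()
	fmt.Printf("default product.pem: %v\ncompany-signed: %v\nwrong name: %v\n", errDefault, errFixed, errWrongName)
}
```

The first case is the thread's failure: the auto-installed _SmartCallHome_ServerCA trustpoints (IdenTrust, QuoVadis) cover Cisco's hosted endpoints and say nothing about an on-prem server signed by its own "Cisco Licensing Root CA", so the chain has no anchor on the box. The second case is the accepted fix. The third is the usual follow-on mistake when swapping product.pem: a certificate from a trusted CA that does not name the exact host in the `destination address http` URL still fails. The other way to make the first case pass, which the original poster asked about, is to import the SSM On-Prem root into the ASA with `crypto ca trustpoint <name>`, `enrollment terminal` and `crypto ca authenticate <name>`; either way the frontend must also serve any intermediate certificates, since the ASA only needs the root configured, not the rest of the chain.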