Cisco ASA Smart License Registration Failed (FP2130)

latenaite2011
Level 4

Does anyone know why the Smart License registration would fail?  The Cisco ASA is running in appliance mode and we're using the management interface with a public IP to access the internet.  DNS is configured and I can ping management tools.cisco.com just fine and it resolves. 

 

Based on some research, a suggestion was made to configure call-home; I did that and it still failed. See below for the logs and debug captured:

 

Jan 22 2021 06:28:44: %ASA-4-120006: Call-Home license message to https://tools.cisco.com/its/service/oddce/services/DDCEService failed. Reason: CONNECT_FAILED

Jan 22 2021 06:28:44: %ASA-4-120005: Call-Home license message to https://tools.cisco.com/its/service/oddce/services/DDCEService was dropped. Reason: CONNECT_FAILED

Jan 22 2021 06:28:44: %ASA-3-444303: %SMART_LIC-3-AGENT_REG_FAILED:Smart Agent for Licensing Registration with the Cisco Smart Software Manager (CSSM) failed: Communication message send error

Jan 22 2021 06:28:44: %ASA-3-444303: %SMART_LIC-3-COMM_FAILED:Communications failure with the Cisco Smart Software Manager (CSSM) : Communication message send error

 

cisco# call-home test profile CiscoTAC-1

INFO: Destination callhome@cisco.com skipped. Transport method email is not enabled.

INFO: Sending test message to https://tools.cisco.com/its/service/oddce/services/DDCEService...

ERROR: Failed: CONNECT_FAILED(35)

INFO: Sending test message to http://tools.cisco.com/its/service/oddce/services/DDCEService...

ERROR: Failed: HTTP_FAILED(39)

 

 

For Call home, I even tried using http but that didn't work following another suggestion.


Marvin Rhoads
Hall of Fame

Does the ASA have 3DES-AES enabled?

hi marvin,

i ran into the same problem with my new FPR 2120 running ASA 9.12 in platform mode.

cisco smart license is such a HUGE PAIN!

3DES/AES strong-encryption license is disabled by default, which is why i was unable to SSH and call home to CSSM. ping to CSSM FQDN is fine/reachable.

is there an alternative way to "enable" this license?


Hardware: FPR-2120, 6828 MB RAM, CPU MIPS 1200 MHz, 1 CPU (8 cores)

1: Int: Internal-Data0/1 : address is 000f.b748.4801, irq 0
3: Ext: Management1/1 : address is acbc.d990.bd01, irq 0
4: Int: Internal-Data1/1 : address is 0000.0100.0001, irq 0

License mode: Smart Licensing

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Disabled   <<<
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 3500
AnyConnect Essentials : Disabled
Other VPN Peers : 3500
Total VPN Peers : 3500
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 8000
Cluster : Disabled

# license smart register idtoken OTE2Mxx
Lic IPC: Sending Get Registation Status message of length 10
Lic IPC: Sending synchronous request message of length 10
Lic IPC: Sent message of 10 bytes total on sock 272763662
Lic IPC: Return from receive is 10, errno=Success
Lic IPC: Received message of length 12 on sock 272763662
Lic IPC: Reading 12 bytes from socket 272763662
Lic IPC: Sync socket received message of length 12
RIO1-FW01-PRI# Lic IPC: Received Synchronous response of length 12
Lic IPC: Rcvd Get Registration Status Response, reg_status=3
Lic IPC: Sending Token Set message of length 154
Lic IPC: Sent message of 154 bytes total on sock 264340366
Lic IPC: Comm IPC return from receive is 10, errno=Success
Lic IPC: Comm IPC received message of length 1860
Lic IPC: Comm IPC reading 1860 bytes from socket
Lic IPC: Comm IPC recv - rc:1860, bytes read:1860
Lic IPC: Comm IPC end of recv loop - rc:1860, errno:0, bytes read:1860
Lic IPC: Comm IPC receive return is > 0
Lic Comm: Comm socket rcvd message of length 1860
Lic Comm: Processing comm message type 1001 (CommMsg)
Lic Comm: Processed message type 1001
Lic IPC: Comm IPC return from receive is -1, errno=Resource temporarily unavailable
Lic IPC: Comm IPC receive return is < 0
Lic IPC: Nothing to read on Comm socket
Lic Comm: Allocated 20004 bytes for comm response (0x000000ffc81660e0)
Lic IPC: Sent Comm message of 16 bytes total
Lic Comm: Sent CommMsgRsp: length 0, response rc 9, send rc 1
Lic IPC: Return from receive is 10, errno=Success
Lic IPC: Received message of length 175 on sock 264340366
Lic IPC: Reading 175 bytes from socket 264340366
Lic IPC: Receive return is > 0
Lic IPC: Transport rcvd message of length 175
Lic IPC: Processing message type 1004 (SyslogMsg)
Lic IPC: seq_num= 255, msg_len = 175, payload_len = 165
Lic IPC: Processed message type 1004
Lic IPC: Receive return is < 0
Lic IPC: Nothing to read on socket
Lic IPC: Return from receive is 10, errno=Success
Lic IPC: Received message of length 12 on sock 264340366
Lic IPC: Reading 12 bytes from socket 264340366
Lic IPC: Receive return is > 0
Lic IPC: Transport rcvd message of length 12
Lic IPC: Processing message type 1009 (AgentNotify)
Lic IPC: seq_num= 256, msg_len = 12, payload_len = 2
Lic IPC: Rcvd AgentNotify message
Lic IPC: Rcvd REGISTER_FAILED AgentNotify msg
Lic IPC: Processed message type 1009
Lic IPC: Return from receive is 10, errno=Success
Lic IPC: Received message of length 149 on sock 264340366
Lic IPC: Reading 149 bytes from socket 264340366
Lic IPC: Receive return is > 0
Lic IPC: Transport rcvd message of length 149
Lic IPC: Processing message type 1004 (SyslogMsg)
Lic IPC: seq_num= 257, msg_len = 149, payload_len = 139
Lic IPC: Processed message type 1004
Lic IPC: Receive return is < 0
Lic IPC: Nothing to read on socket

 

# sh run license
license smart
feature tier standard
feature strong-encryption

 

# sh license summ

Smart Licensing is ENABLED

Registration:
Status: REGISTERING - REGISTRATION IN PROGRESS
Export-Controlled Functionality: Not Allowed
Next Registration Attempt: Sep 10 2022 11:50:15 UTC

License Authorization:
Status: EVAL MODE
Evaluation Period Remaining: 89 days, 23 hours, 17 minutes, 45 seconds

License Usage:
License Entitlement tag Count Status
-----------------------------------------------------------------------------
(FIREPOWER_2100_ASA_STA...) 1 EVAL MODE
(FPR2K-ASA-ENC) 1 EVAL MODE

 

 

 

balaji.bandi
Hall of Fame

Can you post your running-config related to smart License?

 

debug call-home all  - post complete logs (# call-home test profile CiscoTAC-1)

 

Here are troubleshooting tips:

 

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215920-asa-smart-license-registration-and-troub.html

 

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/213932-asa-smart-licensing-failures-due-to-cert.html

BB


Marvin Rhoads
Hall of Fame

When you create the registration token used to register the device to CSSM, you must select the check box for "Allow export-controlled functionality on the products registered with this token". If you click on the info icon next to that selection, it will tell you "Un-checking the box removes the ability to enable higher levels of product encryption functionality for products registered with this Registration Token."

hi marvin,

just finished a TAC call and managed to apply smart license in my FPR 2120.

funny, we just changed the product registration URL to just "http" from initially "https"

profile License
destination address http http://CSSM FQDN/Transportgateway/services/DeviceRequestHandler

-----

License Authorization:
Status: AUTHORIZED
Last Communication Attempt: SUCCEEDED
Next Communication Attempt: Oct 12 2022 14:02:29 UTC

License Usage:
License Entitlement tag Count Status
-----------------------------------------------------------------------------
Firepower 2100 ASA S... (FIREPOWER_2100_ASA_STA...) 1 AUTHORIZED
Cisco Firepower 2K S... (FPR2K-ASA-ENC) 1 AUTHORIZED

Lennart Jung
Level 1

Following @balaji.bandi's hint to https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215920-asa-smart-license-registration-and-troub.html#anc43, we found our SSL cert to be invalid:

 

%ASA-7-725013: SSL server management:$OUR_SOURCE_IP/45723 to $SERVER/443 chooses cipher TLS_AES_256_GCM_SHA384
%ASA-7-717025: Validating certificate chain containing 3 certificate(s).
%ASA-7-717029: Identified client certificate within certificate chain. serial number: 9976, subject name: O=Cisco,C=US,OU=TC,CN=$SERVER.
%ASA-3-717009: Certificate validation failed. serial number: 01, subject name: CN=Cisco Licensing Root CA,O=Cisco.
%ASA-3-717027: Certificate chain failed validation. Generic validation failure occurred.
%ASA-7-725014: SSL lib error. Function: tls_process_client_certificate Reason: certificate verify failed
%ASA-4-120006: Call-Home license message to $SERVER/Transportgateway/services/DeviceRequestHandler failed. Reason: CONNECT_FAILED
%ASA-4-120005: Call-Home license message to $SERVER/Transportgateway/services/DeviceRequestHandler was dropped. Reason: CONNECT_FAILED
%ASA-3-444303: %SMART_LIC-3-AGENT_REG_FAILED:Smart Agent for Licensing Registration with the Cisco Smart Software Manager (CSSM) failed: Communication message send error
%ASA-3-444303: %SMART_LIC-3-COMM_FAILED:Communications failure with the Cisco Smart Software Manager (CSSM) : Communication message send error

As a quick fix we fell back to http as suggested by @johnlloyd_13. The long-run fix should be creating a valid SSL cert!

Also make sure to set the correct source interface!

call-home
source-interface management
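
A triage sketch for the syslog excerpts posted in this thread, added here as an example (not code from any poster or from Cisco): it separates a TLS certificate-validation failure (717009/717027) from a bare CONNECT_FAILED, which matters because falling back to http leaves the trust problem in place. The function names, cause labels and the placeholder host `license.example.net` are assumptions.

```python
import re

# Message IDs are the ones quoted in this thread; grouping them into causes
# is this example's assumption, not a Cisco classification.
MSG = re.compile(r"%ASA-(\d)-(\d{6}): ?(.*)")
CERT_FAIL = {"717009", "717027"}      # certificate / chain validation failed
CALLHOME_FAIL = {"120005", "120006"}  # Call-Home license message failed/dropped

def parse(lines):
    """Return (severity, msg_id, text) for every ASA syslog line found."""
    return [(int(m[1]), m[2], m[3].strip())
            for m in map(MSG.search, lines) if m]

def triage(lines):
    """Classify why Smart License registration failed in a syslog excerpt."""
    events = parse(lines)
    ids = {msg_id for _, msg_id, _ in events}
    result = {"cause": "no-failure-seen", "failed_subjects": [],
              "destinations": [], "registration_failed": False}
    for _, msg_id, text in events:
        if msg_id == "717009":
            m = re.search(r"subject name: (.+?)\.?$", text)
            if m:
                result["failed_subjects"].append(m[1])
        elif msg_id in CALLHOME_FAIL:
            m = re.search(r"message to (\S+) (?:failed|was dropped)", text)
            if m and m[1] not in result["destinations"]:
                result["destinations"].append(m[1])
        elif msg_id == "444303" and "AGENT_REG_FAILED" in text:
            result["registration_failed"] = True
    if ids & CERT_FAIL:
        # TLS trust problem: switching the URL to http hides it, not fixes it.
        result["cause"] = "tls-certificate-validation"
    elif ids & CALLHOME_FAIL:
        result["cause"] = "connect-failed-undetermined"
    return result

# Constructed sample modelled on the log lines in the thread (host is a placeholder).
CERT_SAMPLE = """\
%ASA-7-717025: Validating certificate chain containing 3 certificate(s).
%ASA-3-717009: Certificate validation failed. serial number: 01, subject name: CN=Cisco Licensing Root CA,O=Cisco.
%ASA-3-717027: Certificate chain failed validation. Generic validation failure occurred.
%ASA-4-120006: Call-Home license message to https://license.example.net/Transportgateway/services/DeviceRequestHandler failed. Reason: CONNECT_FAILED
%ASA-3-444303: %SMART_LIC-3-AGENT_REG_FAILED:Smart Agent for Licensing Registration with the Cisco Smart Software Manager (CSSM) failed: Communication message send error
""".splitlines()

if __name__ == "__main__":
    print(triage(CERT_SAMPLE))
```
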

 

 
