Solved: Re: Cisco FMC failed communication with Smart Licensing Cloud

Amen · ‎02-21-2022

Since Friday our FMC has been displaying this error regarding a communication error with the Smart Licensing Cloud.:

We also received this field notice: https://www.cisco.com/c/en/us/support/docs/field-notices/721/fn72103.html recommending an upgrade to version 7 and a restart of the Smart Licensing process, or a manual certificate update. The problem is that our current version 6.6.5 (build 81) is not in the affected version list, but listed as a version where this issue is fixed. Should we try to remove the call_home_ca and restart the process with the pmtool command or do you recommend another course of action ?

Marvin Rhoads · ‎02-22-2022

@Amen the order isn't critical since Hotfix DE can be installed on either 6.6.5 or 6.6.5.1.

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/hotfix/Firepower_Hotfix_Release_Notes/available-hotfixes.html#Cisco_Reference.dita_4fdba94b-2836-440c-8ed9-59d890966a1b

Since it is only a hotfix, "Cisco_Firepower_Mgmt_Center_Hotfix_DE-6.6.5.2-8.sh.REL.tar" will not include the fixes in the 6.6.5.1 patch.

View solution in original post

Marvin Rhoads · ‎02-21-2022

Cisco has been having some issues with the Smart licensing cloud-based service on several fronts: availability, certificates, etc.

I'd recommend patching to 6.6.5.1 and then applying hotfix DE (also referred to as 6.6.5.2).

Those address both the QuoVadis server CA issue (related to Smart licensing - https://www.cisco.com/c/en/us/support/docs/field-notices/721/fn72103.html) as well as the Security Intelligence feed certificate (bug CSCwa70008 - may or may not be publicly visible at https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa70008 ).

Amen · ‎02-21-2022

Thank you, I will try that and come back to u.

Amen · ‎02-22-2022

We were already planning an upgrade to version 6.6.5.1 in the middle of March, but until then, would you recommend doing the manual procedure for updating the certificate described in this article : https://www.cisco.com/c/en/us/support/docs/field-notices/721/fn72103.html ?

Also is there a way to upgrade directly to 6.6.5.2 or do we have to do it in 2 stages ?

Marvin Rhoads · ‎02-22-2022

It wouldn't hurt to try the manual procedure. Note that the issue with the Security Intelligence feed certificate will start affecting you by 5 March.

https://www.cisco.com/c/en/us/support/docs/field-notices/723/fn72332.html

You can apply the hotfix apart from the 6.6.5.1 upgrade. But it is not cumulative so you will still need to do the 6.6.5.1 patch (and upgrade to 6.6.5 if you aren't already there).

Amen · ‎02-22-2022

We are currently at version 6.6.5, but just to make sure we are on the same page on the upgrade procedure (on both FMC and FTD), should we start by upgrading 6.6.5.1 and then apply the hotfix 6.6.5.1 DE (named 6.6.5.2 on cisco.com), or the order isn’t that important as they are not cumulative ?

Marvin Rhoads · ‎02-22-2022

@Amen the order isn't critical since Hotfix DE can be installed on either 6.6.5 or 6.6.5.1.

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/hotfix/Firepower_Hotfix_Release_Notes/available-hotfixes.html#Cisco_Reference.dita_4fdba94b-2836-440c-8ed9-59d890966a1b

Since it is only a hotfix, "Cisco_Firepower_Mgmt_Center_Hotfix_DE-6.6.5.2-8.sh.REL.tar" will not include the fixes in the 6.6.5.1 patch.