Re: Cisco FP 1120 FDM not able to register Smart license

akrimpma · ‎12-15-2022

Again, an old issue where I did not find a solution when searching in the community.

FP 1120 is not able to access Cisco's smart licensing server.

Here is my configuration:

> show network

===============[ System Information ]===============

Hostname : zzz

Domains : xxx.yyy.com

DNS Servers : 192.168.2.25

Management port : 8305

IPv4 Default route

Gateway : 192.168.2.6

Netmask : 0.0.0.0

==================[ management0 ]===================

State : Enabled

Link : Up

Channels : Management & Events

Mode : Non-Autonegotiation

MDI/MDIX : Auto/MDIX

MTU : 1500

MAC Address : 68:87:C6:71:9C:00

----------------------[ IPv4 ]----------------------

Configuration : Manual

Address : 192.168.2.19

Netmask : 255.255.255.0

Gateway : 192.168.2.6

----------------------[ IPv6 ]----------------------

Configuration : Disabled

===============[ Proxy Information ]================

State : Disabled

Authentication : Disabled

> show interface ip brief

Interface IP-Address OK? Method Status Protocol

Internal-Data0/0 unassigned YES unset up up

Ethernet1/1 192.168.0.6 YES manual up up

Ethernet1/2 192.168.1.6 YES manual admin down down

Ethernet1/3 unassigned YES unset admin down down

Ethernet1/4 unassigned YES unset admin down down

Ethernet1/5 unassigned YES unset admin down down

Ethernet1/6 unassigned YES unset admin down down

Ethernet1/7 unassigned YES unset admin down down

Ethernet1/8 unassigned YES unset admin down down

Ethernet1/9 192.168.2.6 YES manual up up

Ethernet1/10 unassigned YES unset admin down down

Ethernet1/11 unassigned YES unset admin down down

Ethernet1/12 unassigned YES unset admin down down

Internal-Control1/1 unassigned YES unset up up

Internal-Data1/1 169.254.1.1 YES unset up up

Internal-Data1/2 unassigned YES unset up up

Management1/1 unassigned YES unset up up

> show route

Gateway of last resort is 192.168.0.1 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.0.1, outside

C 192.168.0.0 255.255.255.0 is directly connected, outside

L 192.168.0.6 255.255.255.255 is directly connected, outside

C 192.168.2.0 255.255.255.0 is directly connected, inside

L 192.168.2.6 255.255.255.255 is directly connected, inside

> ping 192.168.2.25

Sending 5, 100-byte ICMP Echos to 192.168.2.25, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

> ping system 192.168.2.25

Command execution timed out. Please try again.

> ping 192.168.2.19

Sending 5, 100-byte ICMP Echos to 192.168.2.19, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

> ping system 192.168.2.19

Command execution timed out. Please try again.

> ping google.com

Sending 5, 100-byte ICMP Echos to 142.251.143.78, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/30 ms

> ping 192.168.0.1

Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

I also used 192.168.2.23 as an alternative gateway for the management interface, it did not work either (this is another way to the internet).

Does anybody has a clue how to fix this?

Thx,

Andreas

Marvin Rhoads · ‎12-15-2022

When your "ping system 192.168.2.25" failed, that indicates your configured name server (DNS) is not reachable from your management interface.

The management interface must have Internet connectivity, the ability to resolve Cisco's FQDNs and be able to reach them via https.

You must also have a relatively recent release or patch to account for Cisco having updated the Certificate Authority (CA) used by the licensing servers.

akrimpma · ‎12-16-2022

Well, the DNS server resolves FQDNs to IP addresses appropriately - but only through the data interface. As the internal DNS server is reachable through the data interface, I believe it is more or less a management port issue (configuration?). I have added a small picture showing the current environment.

akrimpma · ‎12-16-2022

Just a small enhancement:

> traceroute system 192.168.2.25
traceroute to 192.168.2.25 (192.168.2.25), 30 hops max, 60 byte packets
1 AKF206 (192.168.2.19) 2998.101 ms !H 2998.048 ms !H 2998.047 ms !H
> ping system 192.168.2.25
PING 192.168.2.25 (192.168.2.25) 56(84) bytes of data.
From 192.168.2.19 icmp_seq=1 Destination Host Unreachable
^C
--- 192.168.2.25 ping statistics ---
6 packets transmitted, 0 received, +1 errors, 100% packet loss, time 4999ms
pipe 4
> ping system 192.168.2.19
PING 192.168.2.19 (192.168.2.19) 56(84) bytes of data.
64 bytes from 192.168.2.19: icmp_seq=1 ttl=64 time=0.073 ms
64 bytes from 192.168.2.19: icmp_seq=2 ttl=64 time=0.055 ms
64 bytes from 192.168.2.19: icmp_seq=3 ttl=64 time=0.055 ms
^C
--- 192.168.2.19 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.055/0.061/0.073/0.008 ms

It seems that there is a path to the DNS server