
FAILED TO CONNECT WITH LICENSE SERVER

amralrazzaz
Level 5

Hi All

I have an ASA 5516-X and I'm trying to resync the smart net license, but I got the error below (same as the attached picture), which says: Lost connection for 0 days (Next Sync on 19 Dec 2021 11:59 PM). Please check and make sure the management address is connected to the Internet.

 

BTW, I already have reachability to cisco.com and 8.8.8.8 from the firewall, but it can't sync the license and can't connect to the smart net Cisco license server.

Thanks, and I appreciate your support in advance.

amr alrazzaz
20 Replies

Marvin Rhoads
Hall of Fame

It appears you are running the FTD image on your ASA appliance.

Do you have connectivity to cisco.com via https from the FTD management address?

You can test from the cli (expert mode) by using the following command:

curl -vvk https://tools.cisco.com

This article is written for FMC but many of the concepts apply for an FDM-managed FTD as well:

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/215838-fmc-and-ftd-smart-license-registration-a.html

Smart License

CONNECTION ISSUE
FAILED TO CONNECT WITH LICENSE SERVER
 

Last sync: 05 Oct 2022 09:51 PM

Next sync: 05 Oct 2022 10:01 PM

 
 
Lost connection for 68 days (Next Sync on 05 Oct 2022 10:01 PM). Please check and make sure the management address is connected to the Internet.
 
It was working before, but for a couple of months I have been getting this error message!!
I can ping 8.8.8.8 - I can ping software.cisco.com 
amr alrazzaz

Hi rub, I have tried to sync many times and no hope. Please check the attachment.

> show version
---------------[ 101-Firepower ]----------------
Model                     : Cisco ASA5516-X Threat Defense (75) Version 6.6.5.1 (Build 15)
UUID                      : 8b6ebab4-5347-11eb-b351-b67ba7c78576
Rules update version      : 2022-03-28-001-vrt
VDB version               : 353

asa2.PNG asa1.PNG

amr alrazzaz

@amralrazzaz did you check the link provided above and check the certificates?

I have checked the link, yes, but what shall I do with this link, please?

I just checked: my SW version does not have the issue, as it's not mentioned on the list of impacted IOS versions!

Actually, what can cause the issue? Maybe the management port should have connectivity to the internet? Or maybe a DNS issue?

amr alrazzaz

The management port does require internet access and valid DNS configured. When you test from cli, use "ping system..." and not simply "ping". Otherwise the appliance will use the outside interface to connect to the destination which does not validate the management interface connectivity.

asa5.PNG

amr alrazzaz

amralrazzaz
Level 5

Thanks for your reply. So if I can ping the Cisco software website, does that mean that my device can reach the internet? I didn't make any changes, as far as I remember. And how do I make sure that the management interface gets access to the internet? I can access the ASA remotely via VPN using HTTPS/SSH! Does that mean the mgmt interface has access to the internet?

amr alrazzaz

You can check management access to the internet with "ping system tools.cisco.com".

You can further confirm https access to the site from the cli if you change to expert mode and then "sudo su -" to become root user. Then "curl -vvk https://tools.cisco.com".

Reference: https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/215838-fmc-and-ftd-smart-license-registration-a.html

HYG the output dear 

> ping system tools.cisco.com
PING tools.cisco.com (173.37.145.8) 56(84) bytes of data.
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=1 ttl=236 time=156 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=2 ttl=236 time=156 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=3 ttl=236 time=156 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=4 ttl=236 time=156 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=5 ttl=236 time=156 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=6 ttl=236 time=156 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=7 ttl=236 time=156 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=8 ttl=236 time=156 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=9 ttl=236 time=156 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=10 ttl=236 time=156 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=11 ttl=236 time=156 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=12 ttl=236 time=156 ms
^C
--- tools.cisco.com ping statistics ---
12 packets transmitted, 12 received, 0% packet loss, time 11007ms
rtt min/avg/max/mdev = 156.068/156.188/156.395/0.493 ms
>
> expert
admin@101-Firepower:~$ sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Password:
root@101-Firepower:/home/admin# ping tools.cisco.com
PING tools.cisco.com (173.37.145.8) 56(84) bytes of data.
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=1 ttl=236 time=156 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=2 ttl=236 time=156 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=3 ttl=236 time=156 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=4 ttl=236 time=156 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=5 ttl=236 time=156 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=6 ttl=236 time=156 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=7 ttl=236 time=156 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=8 ttl=236 time=156 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=9 ttl=236 time=156 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=10 ttl=236 time=156 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=11 ttl=236 time=156 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=12 ttl=236 time=156 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_seq=13 ttl=236 time=156 ms
^C
--- tools.cisco.com ping statistics ---
13 packets transmitted, 13 received, 0% packet loss, time 12009ms
rtt min/avg/max/mdev = 156.025/156.209/156.378/0.102 ms

-----------
root@101-Firepower:/home/admin# curl -vvk https://tools.cisco.com
* Rebuilt URL to: https://tools.cisco.com/
* Trying 72.163.4.38...
* Connected to tools.cisco.com (72.163.4.38) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-SHA
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=tools.cisco.com; O=Cisco Systems Inc.; L=San Jose; ST=California; C=US
* start date: 2022-01-19 22:03:08 GMT
* expire date: 2023-01-19 22:03:07 GMT
* issuer: C=US; O=IdenTrust; OU=HydrantID Trusted Certificate Service; CN=HydrantID Server CA O1
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: tools.cisco.com
> User-Agent: curl/7.44.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Cache-Control: no-cache
< Content-length: 0
< Location: https://tools.cisco.com/healthcheck
< Connection: close
<
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
root@101-Firepower:/home/admin#
--------------------
root@101-Firepower:/home/admin# nslookup tools.cisco.com
Server: 217.52.47.130
Address: 217.52.47.130#53

Non-authoritative answer:
Name: tools.cisco.com
Address: 72.163.4.38
Name: tools.cisco.com
Address: 2001:420:1101:5::a
-------------------------

 

 

amr alrazzaz

Your connectivity all looks good now. Is your licensing page still showing an error? If so, can you check your smart licenses at software.cisco.com and verify the ASA 5516 FTD has registered the expected licenses?

I have checked the license for the ASA and got the screenshots below.

amralrazzaz_0-1673521506493.png

amralrazzaz_3-1673521786530.png

 

amralrazzaz_2-1673521641438.png

 

 

amr alrazzaz

I noticed your license screenshot from the Firepower Device Manager says "Next sync: 05 Oct 2022". Is your local clock really set to October 2022? If so, that can cause SSL/TLS to fail to connect properly due to certificate dates being invalid.
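An added example (not part of the thread and not Cisco tooling) of the clock check raised in the last reply: it reads the certificate validity dates from `curl -v` output and classifies what a TLS client with a given device clock would conclude. The function names, the device clock values, the reference time and the assumption that all times are UTC are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Certificate lines copied from the curl -vvk output posted in the thread.
CURL_OUTPUT = """\
* Server certificate:
* subject: CN=tools.cisco.com; O=Cisco Systems Inc.; L=San Jose; ST=California; C=US
* start date: 2022-01-19 22:03:08 GMT
* expire date: 2023-01-19 22:03:07 GMT
* SSL certificate verify ok.
"""

# curl prints these dates differently depending on version and TLS backend.
DATE_FORMATS = ("%Y-%m-%d %H:%M:%S GMT", "%b %d %H:%M:%S %Y GMT")

def _parse_date(text):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised certificate date: {text!r}")

def parse_validity(curl_text):
    """Return (not_before, not_after) from the certificate lines of curl -v."""
    found = dict(re.findall(r"^\*\s+(start|expire) date:\s*(.+)$", curl_text, re.M))
    if set(found) != {"start", "expire"}:
        raise ValueError("start/expire date lines not found")
    return _parse_date(found["start"]), _parse_date(found["expire"])

def clock_verdict(device_clock, not_before, not_after, reference=None,
                  max_skew=timedelta(minutes=5)):
    """Classify the certificate as seen by a client whose clock is device_clock.

    Returns (verdict, skewed). skewed is True only when a trusted reference
    time is supplied and the device clock differs from it by more than max_skew.
    """
    if device_clock < not_before:
        verdict = "not_yet_valid"
    elif device_clock > not_after:
        verdict = "expired"
    else:
        verdict = "valid"
    skewed = reference is not None and abs(device_clock - reference) > max_skew
    return verdict, skewed

if __name__ == "__main__":
    nb, na = parse_validity(CURL_OUTPUT)
    fdm_clock = datetime(2022, 10, 5, 21, 51, tzinfo=timezone.utc)  # "Last sync" shown in FDM
    print(clock_verdict(fdm_clock, nb, na))
```

For the certificate in the thread, a device clock of 05 Oct 2022 still falls inside the validity window, so only the skew comparison against a trusted time source would expose a stale clock. Note also that `curl -k` proceeds even when verification fails, so rerunning the test without `-k` is what shows whether the device itself accepts the certificate.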
