07-14-2022 11:39 PM
Hello Fellow Cisco Community Members,
We have recently bought a Firepower 1120 (FPR-1120). We are running ASA software on it. I have an issue with registration via token ID.
Relevant config/output snippets:
service call-home
call-home
 contact-email-addr admin@example.com
 profile CiscoTAC-1
  (...)
 profile License
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http
FW/pri/act# ping tcp tools.cisco.com 443
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 72.163.4.38 port 443
from 10.10.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 116/116/116 ms
debug ssl / smart license:
sch_module: processing license(Smart License) Smart Licensing
sch_module: processing license(Smart License) Smart Licensing
sch_module: Dispatching license event.
sch_module: Message(180) license(Smart License) to https://tools.cisco.com/its/service/oddce/services/DDCEService queued for transmission
sch_module: Start dispatch rate limit timer
sch_dispatcher: [1] dispatching license message to https://tools.cisco.com/its/service/oddce/services/DDCEService
sch_dispatcher: Dispatch to destination https://tools.cisco.com/its/service/oddce/services/DDCEService
sch_dispatcher: Opening dispatch channel: httpc/13/72.163.4.38/443/ssl/verify/sch//
sch_dispatcher: Opened dispatch channel: httpc/13/72.163.4.38/443/ssl/verify/sch//
sch_dispatcher: upload 4869 bytes
error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available@s23_clnt.c:657
sch_dispatcher: http request to https://tools.cisco.com/its/service/oddce/services/DDCEService failed, rc -1
sch_dispatcher: [1] Dispatch message(180) license to https://tools.cisco.com/its/service/oddce/services/DDCEService failed: CONNECT_FAILED(35)
sch_dispatcher: No response to licensing message
In the show version output I can see I do not have the 3DES/AES license. Could it be related to that, as the ssl debug says "SSL23_CLIENT_HELLO:no ciphers available"?
If this is the case, how can I apply the license if I am not able to connect to the Cisco registration service?
Thanks in advance!
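Added example (not part of the original post and not Cisco code): a Python script that parses the debug lines quoted above and unpacks the OpenSSL error code. It shows that the TCP channel to the peer opened and that the error was raised on the client while it was building its ClientHello. The regexes are assumptions derived only from the lines in this post, and `triage` and its stage labels are hypothetical names.

```python
import re

# Debug lines copied verbatim from the post above.
SAMPLE = """\
sch_dispatcher: Opening dispatch channel: httpc/13/72.163.4.38/443/ssl/verify/sch//
sch_dispatcher: Opened dispatch channel: httpc/13/72.163.4.38/443/ssl/verify/sch//
sch_dispatcher: upload 4869 bytes
error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available@s23_clnt.c:657
sch_dispatcher: [1] Dispatch message(180) license to https://tools.cisco.com/its/service/oddce/services/DDCEService failed: CONNECT_FAILED(35)
"""

ERR_RE = re.compile(r"^error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+)@([^:@]+):(\d+)$")
CHAN_RE = re.compile(r"Opened dispatch channel: httpc/\d+/([\d.]+)/(\d+)/ssl/")
FAIL_RE = re.compile(r"to (\S+) failed: (\w+)\((\d+)\)")

def decode_openssl_error(line):
    """Split an OpenSSL 1.0.x style error line and unpack its 32-bit code."""
    m = ERR_RE.match(line.strip())
    if not m:
        return None
    code = int(m.group(1), 16)
    return {
        # OpenSSL 1.0.x packing: 8 bits library, 12 bits function, 12 bits reason.
        "lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF,
        "lib_name": m.group(2), "func_name": m.group(3),
        "reason_text": m.group(4), "source": f"{m.group(5)}:{m.group(6)}",
    }

def triage(log):
    """Summarise where the HTTPS upload in a dispatcher debug log failed."""
    result = {"peer": None, "error": None, "failure": None, "stage": "unknown"}
    for line in log.splitlines():
        if (m := CHAN_RE.search(line)):
            result["peer"] = (m.group(1), int(m.group(2)))      # TCP channel opened
        elif (parsed := decode_openssl_error(line)):
            result["error"] = parsed
        elif (m := FAIL_RE.search(line)):
            result["failure"] = {"url": m.group(1), "status": m.group(2), "rc": int(m.group(3))}
    err = result["error"]
    if err and err["func_name"].endswith("CLIENT_HELLO") and err["reason_text"] == "no ciphers available":
        # Raised while the client assembles its ClientHello: it has no cipher suite
        # to offer, so the handshake stops before the server or its certificate matter.
        result["stage"] = "local-cipher-list-empty"
    elif err:
        result["stage"] = "tls-error-other"
    return result

if __name__ == "__main__":
    print(triage(SAMPLE))
```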
07-15-2022 01:12 AM
- You may find this document useful: https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/215838-fmc-and-ftd-smart-license-registration-a.html
M.
07-15-2022 01:39 AM - edited 07-15-2022 01:41 AM
@cinexor yes you'll need a 3DES/AES license. You can download this for free from the Smart Licensing site.
https://networkguy.de/cisco-asa-aes-encryption-disabled/
There is also a field notice in regard to Smart Licensing issues due to certificate issues. https://www.cisco.com/c/en/us/support/docs/field-notices/721/fn72103.html
07-15-2022 01:59 AM
Is it the same for smart license which is on FP?
07-15-2022 08:48 AM - edited 07-15-2022 08:48 AM
When you run an ASA image on a Firepower appliance it uses Smart Licenses exclusively. So the key to setting it up to be able to communicate is to make sure the token used to register is generated with the option to allow Export-Controlled Features. That should automatically enable the 3DES-AES license. The earlier references to getting a free license via downloading a license file from software.cisco.com are applicable only to ASA running on ASA hardware appliances which use the old PAK-based method.
Reference:
07-18-2022 11:56 PM
If you see in my post I have issues with connection to tools.cisco.com. It is failing because of missing SSL ciphers.
07-19-2022 01:15 AM
- FYI: https://www.cisco.com/c/en/us/support/docs/field-notices/721/fn72103.html
M.
07-19-2022 05:24 AM
Missing SSL ciphers is most often symptomatic of not having the 3DES-AES license active.
07-19-2022 06:58 AM
That's my point, how can I register with smart license to obtain 3DES/AES license when the same license is required to use smart license? It makes no sense to me.
07-19-2022 07:44 PM
Did you make sure "make sure the token used to register is generated with the option to allow Export-Controlled Features"?
07-19-2022 11:30 PM
Yes, I did. Any further ideas?
07-20-2022 01:45 AM
Which version is running? Try the last Interim, since sometimes Trustpoints for Smart Callhome change with certificates.
07-20-2022 05:51 AM
Bingo! It was not working on 9.14.4.12 and is working on latest code 9.16.3.15.
Thanks a lot!