
Firepower 1120 Smart License registration fails

cinexor
Level 1

Hello Fellow Cisco Community Members,

We have recently bought a Firepower 1120 (FPR-1120). We are running ASA software on it. I have an issue with registration via token ID.

Relevant config/output snippets:

service call-home
call-home
contact-email-addr admin@example.com
profile CiscoTAC-1
(...)
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http

FW/pri/act# ping tcp tools.cisco.com 443
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 72.163.4.38 port 443
from 10.10.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 116/116/116 ms

debug ssl / smart license:

sch_module: processing license(Smart License) Smart Licensing
sch_module: processing license(Smart License) Smart Licensing
sch_module: Dispatching license event.
sch_module: Message(180) license(Smart License) to https://tools.cisco.com/its/service/oddce/services/DDCEService queued for transmission
sch_module: Start dispatch rate limit timer
sch_dispatcher: [1] dispatching license message to https://tools.cisco.com/its/service/oddce/services/DDCEService
sch_dispatcher: Dispatch to destination https://tools.cisco.com/its/service/oddce/services/DDCEService
sch_dispatcher: Opening dispatch channel: httpc/13/72.163.4.38/443/ssl/verify/sch//
sch_dispatcher: Opened dispatch channel: httpc/13/72.163.4.38/443/ssl/verify/sch//
sch_dispatcher: upload 4869 bytes
error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available@s23_clnt.c:657
sch_dispatcher: http request to https://tools.cisco.com/its/service/oddce/services/DDCEService failed, rc -1
sch_dispatcher: [1] Dispatch message(180) license to https://tools.cisco.com/its/service/oddce/services/DDCEService failed: CONNECT_FAILED(35)
sch_dispatcher: No response to licensing message

In the show version output I can see I do not have the 3DES/AES license. Could it be related to that, as the SSL debug says "SSL23_CLIENT_HELLO:no ciphers available"?

If this is the case, how can I apply the license if I am not able to connect to the Cisco registration service?

Thanks in advance!
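An added example, not part of the original post and not Cisco tooling: a small triage script that reads the dispatcher debug lines quoted above and reports how far the call-home attempt got. It assumes the OpenSSL 1.0.x error-code packing (8-bit library, 12-bit function, 12-bit reason) and that the third and fourth fields of the channel string are the peer IP and port.

```python
import re

# Lines copied from the debug output quoted in the post above.
DEBUG = """\
sch_dispatcher: Opening dispatch channel: httpc/13/72.163.4.38/443/ssl/verify/sch//
sch_dispatcher: Opened dispatch channel: httpc/13/72.163.4.38/443/ssl/verify/sch//
sch_dispatcher: upload 4869 bytes
error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available@s23_clnt.c:657
sch_dispatcher: http request to https://tools.cisco.com/its/service/oddce/services/DDCEService failed, rc -1
sch_dispatcher: [1] Dispatch message(180) license to https://tools.cisco.com/its/service/oddce/services/DDCEService failed: CONNECT_FAILED(35)
"""

OSSL_RE = re.compile(r"^error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^@]+)@([^:]+):(\d+)$")
OPENED_RE = re.compile(r"Opened dispatch channel: httpc/\d+/([\d.]+)/(\d+)/")
FAILED_RE = re.compile(r"Dispatch message\((\d+)\) .* failed: (\w+)\((\d+)\)")

def decode_openssl_error(line):
    """Split an OpenSSL 1.0.x error line; the hex code packs lib/func/reason."""
    m = OSSL_RE.match(line.strip())
    if not m:
        return None
    code = int(m.group(1), 16)
    return {
        "lib": code >> 24,             # 8-bit library number
        "func": (code >> 12) & 0xFFF,  # 12-bit function number
        "reason": code & 0xFFF,        # 12-bit reason number
        "function": m.group(3),
        "text": m.group(4),
        "source": f"{m.group(5)}:{m.group(6)}",
    }

def triage(debug_text):
    """Report how far the call-home dispatch got before it failed."""
    out = {"peer": None, "tls_error": None, "result": None, "stage": "unknown"}
    for line in debug_text.splitlines():
        if (m := OPENED_RE.search(line)):
            # Assumption: fields 3 and 4 of the channel string are peer IP and port.
            out["peer"] = (m.group(1), int(m.group(2)))
        elif (err := decode_openssl_error(line)):
            out["tls_error"] = err
        elif (m := FAILED_RE.search(line)):
            out["result"] = (m.group(2), int(m.group(3)))
    if out["tls_error"]:
        # Raised in the client-hello routine: the failure is on the local side.
        hello = "CLIENT_HELLO" in out["tls_error"]["function"]
        out["stage"] = "tls-client-hello" if hello else "tls"
    elif out["result"] and not out["peer"]:
        out["stage"] = "tcp-connect"
    return out
```

On the quoted lines, `triage(DEBUG)` reports the channel to 72.163.4.38:443 as opened and places the failure in the TLS client hello, which matches the successful TCP ping earlier in the post.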

1 Accepted Solution


kerstin-534
Level 1

Which version is running? Try the latest interim release, since sometimes trustpoints for Smart Call Home change with certificates.

12 Replies

marce1000
VIP

 

  - You may find this document useful : https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/215838-fmc-and-ftd-smart-license-registration-a.html

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

@cinexor yes you'll need a 3DES/AES license. You can download this for free from the Smart Licensing site.

https://networkguy.de/cisco-asa-aes-encryption-disabled/

There is also a field notice in regard to Smart Licensing issues due to certificate issues. https://www.cisco.com/c/en/us/support/docs/field-notices/721/fn72103.html

Is it the same for smart license which is on FP?

Marvin Rhoads
Hall of Fame

When you run an ASA image on a Firepower appliance it uses Smart Licenses exclusively. So the key to setting it up to be able to communicate is to make sure the token used to register is generated with the option to allow Export-Controlled Features. That should automatically enable the 3DES-AES license. The earlier references to getting a free license via downloading a license file from software.cisco.com are applicable only to ASA running on ASA hardware appliances which use the old PAK-based method.

Reference:

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215920-asa-smart-license-registration-and-troub.html#anc17

If you see in my post I have issues with connection to tools.cisco.com. It is failing because of missing SSL ciphers.

 

 - FYI :  https://www.cisco.com/c/en/us/support/docs/field-notices/721/fn72103.html

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Missing SSL ciphers is most often symptomatic of not having the 3DES-AES license active.

That's my point, how can I register with smart license to obtain 3DES/AES license when the same license is required to use smart license? It makes no sense to me.

Did you make sure "make sure the token used to register is generated with the option to allow Export-Controlled Features"?

Yes, I did. Any further ideas?

kerstin-534
Level 1

Which version is running? Try the latest interim release, since sometimes trustpoints for Smart Call Home change with certificates.

Bingo! It was not working on 9.14.4.12 and is working on latest code 9.16.3.15.

Thanks a lot!
