FMC: Smart Agent communication error with Smart Licensing Cloud

swscco001
Level 3

Hello everybody,

our customer has two FPR 2110 running rel. 6.6.0 managed by
FMCv running rel. 6.6.5.2.

In the health monitor he sees the error message for the FMC:

Critical Modules:1,Warning Modules:1,Normal Modules:25,Disabled Modules:15
Module Smart License Monitor: Smart Agent communication error with Smart Licensing Cloud
Smart License Authorization expired
(see attached screen dump)

There is currently no licensing issue (see attached screen dump).

I found the Field Notice:
https://www.cisco.com/c/en/us/support/docs/field-notices/721/fn72103.html
but the customer has already a fixed FMC release.

The FMC can reach tools.cisco.com:

root@FPR-Mgmt:/Volume/home/admin# ping tools.cisco.com
PING tools.cisco.com (173.37.145.8) 56(84) bytes of data.
64 bytes from tools2.cisco.com (173.37.145.8): icmp_req=1 ttl=237 time=119 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_req=2 ttl=237 time=119 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_req=3 ttl=237 time=119 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_req=4 ttl=237 time=119 ms
^C
--- tools.cisco.com ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4005ms
rtt min/avg/max/mdev = 119.252/119.318/119.436/0.254 ms

I am unsure what to do now to get rid of this error message.

Thanks for every hint!

 


Bye
R.


marce1000
VIP

 

1) Go into expert mode in the FMCv
2) Issue the command "sudo su -"
3) Issue the command "rm /etc/sf/gch/call_home_ca"
4) Issue the command "pmtool restartbyid sla"
5) Issue the command "pmtool restartbyid CloudAgent"
6) Try to register the FMCv again.

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

swscco001
Level 3

Hi Marce1000,

thanks for your fast reply!

I followed your small guide in the expert mode and got no error message:

> expert
admin@FPR-Mgmt:~$ sudo su -
Password:
Last login: Wed Aug 14 08:11:54 UTC 2024 on ttyp0
root@FPR-Mgmt:~# rm /etc/sf/gch/call_home_ca
root@FPR-Mgmt:~# pmtool restartbyid sla
root@FPR-Mgmt:~# pmtool restartbyid CloudAgent
root@FPR-Mgmt:~#

Then I unregistered and tried to register the FMC again with a newly generated token, but I could not register the FMC again.

I see the error message:
Error: Failed to send the message to the server. Please verify the DNS Server/HTTP Proxy settings.
(see attached screen dump)

I also tried the previous token - same result.

The FMC is indicated in the Smart Software Licensing with all services.

What can I do to get the registration working again?

Thanks a lot!



Bye
R.

 

Check out this thread: https://community.cisco.com/t5/network-security/cisco-fmc-1000-smart-licensing-error/td-p/4113974

   M.




Hi marce1000,

I don't see an error in the curl, nslookup and dig commands.

root@FPR-Mgmt:~# sudo curl -vvk https://tools.cisco.com
*   Trying 173.37.145.8...
* TCP_NODELAY set
* Connected to tools.cisco.com (173.37.145.8) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=California; L=San Jose; O=Cisco Systems Inc.; CN=tools.cisco.com
*  start date: Dec  8 05:43:34 2023 GMT
*  expire date: Dec  7 05:42:34 2024 GMT
*  issuer: C=DE; ST=Bayern; L=Regensburg; O=Mittelbayerischer Verlag KG; OU=IT; CN=MZ PA-1 Trust; emailAddress=hostmaster@mittelbayerische.de
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET / HTTP/1.1
> Host: tools.cisco.com
> User-Agent: curl/7.62.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Cache-Control: no-cache
< Content-length: 0
< Location: https://tools.cisco.com/healthcheck
< Connection: close
<
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):

#########################################################################

root@FPR-Mgmt:~# sudo curl -vvk http://www.cisco.com
*   Trying 2.19.189.207...
* TCP_NODELAY set
* Connected to www.cisco.com (2.19.189.207) port 80 (#0)
> GET / HTTP/1.1
> Host: www.cisco.com
> User-Agent: curl/7.62.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: AkamaiGHost
< Content-Length: 0
< Location: https://www.cisco.com/
< Expires: Wed, 14 Aug 2024 08:42:25 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Wed, 14 Aug 2024 08:42:25 GMT
< Connection: keep-alive
< Server-Timing: cdn-cache; desc=HIT
< Server-Timing: edge; dur=1
< Content-Security-Policy: upgrade-insecure-requests; frame-ancestors *.cisco.com *.jasper.com *.ciscospark.com *.ciscolive.com  http://cisco.lookbookhq.com https://cisco.lookbookhq.com testcisco.marketing.adobe.com cisco.marketing.adobe.com ciscosales.my.salesforce.com test.salesforce.com zedo.com hindustantimes.com economictimes.indiatimes.com *.webex.com *.cdw.com *.cdwg.com *.cdw.ca *.meraki-go.com http://ciscopartners.lookbookhq.com https://ciscopartners.lookbookhq.com ciscolearningsystem.com ciscocustomer.lookbookhq.com cisco.lookbookhq.com ccsmedia.com *.itquotes.ie dteonline.com ampito-cisco.com arkphire.com *.insight.com *.ccsmedia.com *.ebuyer.com *.lambda-tek.com *.storm-technologies.com *.vohkus.com *.bechtle.com *.rainfocus.com *.broadbandbuyer.com *.hardware.com shop.redpontem.com *.miro.com cisco.techdatavendors.be *.service-now.com *.thousandeyes.com *.duo.com duo.com *.umbrella.com *.pricespider.com *.mapbox.com  cdnjs.cloudflare.com https://community.cisco.com/;
< Strict-Transport-Security: max-age=31536000
< Set-Cookie: c_bi=f5cbb6ec54024672b9d296be2a918670; path=/; domain=.www.cisco.com
< Server-Timing: ak_p; desc="1723624945734_388397598_255778585_15_7569_4_0_-";dur=1
<
* Connection #0 to host www.cisco.com left intact

#########################################################################

root@FPR-Mgmt:~# nslookup tools.cisco.com
Server:         10.1.20.73
Address:        10.1.20.73#53

Non-authoritative answer:
Name:   tools.cisco.com
Address: 72.163.4.38
Name:   tools.cisco.com
Address: 2001:420:1201:5::a

#########################################################################

root@FPR-Mgmt:~# dig tools.cisco.com

; <<>> DiG 9.11.26 <<>> tools.cisco.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57167
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;tools.cisco.com.               IN      A

;; ANSWER SECTION:
tools.cisco.com.        5       IN      A       72.163.4.38

;; Query time: 18 msec
;; SERVER: 10.1.20.73#53(10.1.20.73)
;; WHEN: Wed Aug 14 08:43:49 UTC 2024
;; MSG SIZE  rcvd: 60

I also checked the Firepower event log for any BLOCKs but there was nothing.

What would you do in this situation to get the registration working again?

Thanks a lot!


Bye
R.
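
The curl transcript in the post above was taken with -k, which turns certificate verification off, so a completed request does not show that the chain validated; the issuer and verify-result lines record what curl actually saw, and with verification on, curl would have rejected this chain against the CA file it lists. As an added example (not from the thread or from Cisco), this shell script pulls those fields out of a saved `curl -v` transcript; the function names and the CLEAN sample are constructed for illustration, while SAMPLE is copied from the post.

```shell
#!/bin/sh
# Added example: read the certificate lines of a saved `curl -v` transcript.

# Lines copied from the curl output in the post above.
SAMPLE='*  subject: C=US; ST=California; L=San Jose; O=Cisco Systems Inc.; CN=tools.cisco.com
*  issuer: C=DE; ST=Bayern; L=Regensburg; O=Mittelbayerischer Verlag KG; OU=IT; CN=MZ PA-1 Trust; emailAddress=hostmaster@mittelbayerische.de
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.'

# Constructed counter-example: a transcript in which the chain verified.
CLEAN='*  subject: CN=tools.cisco.com
*  issuer: C=US; O=Example Public CA; CN=Example Root
*  SSL certificate verify ok.'

# Print one field (O, CN, ...) of the subject or issuer line.
# $1 = transcript text, $2 = subject|issuer, $3 = field name
cert_field() {
  printf '%s\n' "$1" | sed -n "s/^\*  *$2: //p" | head -n 1 |
    tr ';' '\n' | sed -n "s/^ *$3=//p" | head -n 1
}

# Print the OpenSSL verify code curl logged, 0 for "verify ok",
# or "unknown" when the transcript has neither line.
verify_code() {
  code=$(printf '%s\n' "$1" |
    sed -n 's/.*SSL certificate verify result: .*(\([0-9][0-9]*\)).*/\1/p' | head -n 1)
  if [ -n "$code" ]; then printf '%s\n' "$code"
  elif printf '%s\n' "$1" | grep -q 'SSL certificate verify ok'; then echo 0
  else echo unknown; fi
}

# Exit status: 0 = chain verified, 1 = verification failed (hidden by -k),
# 2 = no verification line in the transcript.
audit_transcript() {
  code=$(verify_code "$1")
  echo "subject O: $(cert_field "$1" subject O)"
  echo "issuer  O: $(cert_field "$1" issuer O) / CN: $(cert_field "$1" issuer CN)"
  case "$code" in
    0) echo "verify: ok"; return 0 ;;
    unknown) echo "verify: no result line found"; return 2 ;;
    *) echo "verify: FAILED (OpenSSL code $code); -k continued anyway"; return 1 ;;
  esac
}

# Audit a saved transcript (curl -vk https://host 2> out.txt) if a file is
# given as the first argument, otherwise the sample from the post.
if [ -n "${1:-}" ]; then audit_transcript "$(cat "$1")" || true
else audit_transcript "$SAMPLE" || true; fi
```

A failed verify code together with an issuer organisation that differs from the server's own is the typical signature of a TLS inspection device re-signing traffic on the path.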

 

Everything seems to work from curl; could you also examine in native mode (meaning when the FMCv has effectively tried to communicate with the license server), from expert mode:

/var/log/httpd/httpsd_error_log
/var/log/process_stdout.log
/var/log/action_queue.log

  M.


