cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7570
Views
15
Helpful
8
Replies

Smart Licensing using SSM On-Prem & FMC 6.5

Octavian Szolga
Level 4
Level 4

Hi,

I'm struggling to use smart licensing & smart software manager on-prem on a virtual FMC (tried with ver. 6.3.0.2, 6.5 and 6.5.0.1).

I've installed Smart Software Manager On-Prem (ver. 7-201910) and succesfully added ESA, ISE and Cat9300 to its inventory using the smart satellite URL (in my case https://ssmop.test.net/Transportgateway/services/DeviceRequestHandler).

As a side note, the domain address is resolvable by my internal lab DNS and its also configured to be the CN of the certificate.

 

Still, I cannot enroll FMC to this SSM On-Prem VM. I've followed the FMC to smart software satellite enrollment procedure described here:

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/213270-registration-of-a-firepower-management-c.html

 

When I try to add the token that I've generated from SSM On-Prem, FMC throws the following message:

The token you have entered is invalid. It doesn't even tries to contact the on-prem SSM.

 

Take into account that I've compared a cisco cloud generated token with an on-prem token and they don't match in length.

The same FMC can be added to my cisco (cloud) smart account.

Furthermore, if I add some extra characters to the on-prem generated token just to match the length of the cisco cloud token, FMC seems to analyze the info, connects to the on-prem VM and throws an error afterwards, not in an instant like with the on-prem generated token.

 

Example:

cisco.com token: Yzc2ZGFj123456NhMi00NDIwLTkyZDYtZmE1YjIxY1234561LTE1NzY4NjUwOTMxNDF8SVBRTjE1Mi9SSXRBeXJxUnVvR3pFOHJQMXNrS05FbDZnMm1GNC85Z1hiMD0%3DTT0%3D%0A

on-prem token:

NDI3YTFk123456VlZC00M2IyLWE3YTMtZWY1OTRlO1234565LTE1NzY3NjYwMTE2NTN8UTBRWElvd1dOdC9HTVZDSkVxVW00T0RaUTFrN0FFMi9Hc29SVFZUQnhBRT0%3D

 

Has anyone else encountered this issue?

 

Thanks,

Octavian

2 Accepted Solutions

Accepted Solutions

It looks like we/you are facing bug CSCvs56822. Had the same problem...

View solution in original post

Hi,

 

Thank you for your feedback! You're right.

Meanwhile, Cisco published a new version that solves this issue. (SSM_On-Prem_7-202001)

I did an upgrade and FMC to SSM On-Prem registration works now.

 

Best regards,

Octavian

View solution in original post

8 Replies 8

nspasov
Cisco Employee
Cisco Employee

A couple of things to check here:

1. What is the URL that you are using for the connection to the satellite server and does that match the CN (Common Name) of the certificate installed on the satellite server?

2. Is DNS properly configured so the FMC can resolve the URL mentioned above?

Thank you for rating helpful posts!

Hi,

Belive me, I've checked all that. I you read closely my post, you'll see that FMC doesn't even try to connect to SSM.

It's like it doesn't validate the input. I've tried with several tokens generated from SSM On-Prem, not just one. All of them are shorter than their cloud version.

 

The URL is https://ssmop.test.net/Transportgateway/services/DeviceRequestHandler

The domain is lab only and it's resolvable by FMC.

> expert
nslookadmin@fmcv:~$ nslookup ssmop.test.net
Server: 172.16.104.10
Address: 172.16.104.10#53

Name: ssmop.test.net
Address: 172.16.104.30

admin@fmcv:~$

 

The CN is correct on SSM On-Prem. The same URL based on domain name has been succesfully used on Cat9300, ISE and ESA.

 

 

I have exactly the same problem. My solution was to re-install the SSMS On-Prem, I choose the previous version, I`m glad that I only have a couple of devices in my deployment that are using SSMS.

Hi,

Thanks for your feedback. Can you please check the version that you're using?

Still, doesn't feel right that SSM On-Prem hasn't been tested before being released.

 

Thanks,

Octavian

It looks like we/you are facing bug CSCvs56822. Had the same problem...

Hi,

 

Thank you for your feedback! You're right.

Meanwhile, Cisco published a new version that solves this issue. (SSM_On-Prem_7-202001)

I did an upgrade and FMC to SSM On-Prem registration works now.

 

Best regards,

Octavian

what do you have to upgrade the Satellite server or the FMC? or both?

Only the SSM needs to be upgraded to address this bug.

Review Cisco Networking for a $25 gift card