Solved: Re: Smart Licensing failing

Aaron D · ‎02-10-2022

Have Smart Licensing configured with 4431's in 16.x. All of the sudden none of our routers (we have MANY) are receiving authorization even though it's been working fine for >1yr.

Have a host entry pointed to 173.37.145.8 (tools.cisco.com) to get around the IPv6 bug,

Opened a TAC case, but still going in circles. Anyone else having issues?

Also noticed this odd behavior:

Pinging tools.cisco.com [173.37.145.8] with 32 bytes of data:

Reply from 173.37.145.8: bytes=32 time=46ms TTL=237




Ping statistics for 173.37.145.8:

    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 46ms, Maximum = 46ms, Average = 46ms

Control-C

>> ping tools.cisco.com -4




Pinging tools.cisco.com [72.163.4.38] with 32 bytes of data:

Reply from 72.163.4.38: bytes=32 time=42ms TTL=239

Reply from 72.163.4.38: bytes=32 time=39ms TTL=239







Dump of registration status: 




Registration:
Status: REGISTERED
Smart Account: XXXX
Virtual Account: XXXX
Export-Controlled Functionality: ALLOWED
Initial Registration: SUCCEEDED on Aug 08 13:33:56 2019 UTC
Last Renewal Attempt: SUCCEEDED on Jan 24 13:31:21 2022 UTC
Next Renewal Attempt: Jul 23 13:31:17 2022 UTC
Registration Expires: Jan 24 13:26:15 2023 UTC

License Authorization:
Status: AUTHORIZED on Feb 10 18:13:17 2022 UTC
Last Communication Attempt: FAILED on Feb 10 18:13:17 2022 UTC
Failure reason: Fail to send out Call Home HTTP message.
Next Communication Attempt: Feb 10 18:13:47 2022 UTC
Communication Deadline: May 05 18:59:42 2022 UTC

Aaron D · ‎02-10-2022

So it looks like this is a brand new bug per TAC. We had to install a new certificate using the

crypto pki trustpool import terminal

command (TAC gave us the cert). After that we ran the

license smart renew auth

and it succeeded. Problem now is we have hundreds of these routers. UGLY

Bug ID: Bug Search Tool (cisco.com) CSCwa91870

Tools healthcheck site: https://tools.cisco.com/healthcheck

Adding more information:

Field Notice: FN - 72323 - Catalyst Switching Products - QuoVadis Root Certificate Decommission Might Affect Smart Licensing and Smart Call Home Functionality, or Display Other Symptoms - Software Upgrade Recommended - Cisco

View solution in original post

balaji.bandi · ‎02-10-2022

if they working and they broken, check you have any changes in the Firewall and network ? are these device able to reach internet port 80 and 443 ?

wait for 1 more day and check is everything ok.

Time for Troublesheet :

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9500-series-switches/214484-cisco-smart-licensing-troubleshooting.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Aaron D · ‎02-10-2022

So it looks like this is a brand new bug per TAC. We had to install a new certificate using the

crypto pki trustpool import terminal

command (TAC gave us the cert). After that we ran the

license smart renew auth

and it succeeded. Problem now is we have hundreds of these routers. UGLY

Bug ID: Bug Search Tool (cisco.com) CSCwa91870

Tools healthcheck site: https://tools.cisco.com/healthcheck

Adding more information:

Field Notice: FN - 72323 - Catalyst Switching Products - QuoVadis Root Certificate Decommission Might Affect Smart Licensing and Smart Call Home Functionality, or Display Other Symptoms - Software Upgrade Recommended - Cisco

MARTIN STREULE · ‎02-10-2022

Cisco changed the root certificate in it‘s Smart License Server infrastructure.

Please check this out:

https://community.cisco.com/t5/cisco-software-discussions/action-needed-root-certificate-changed-for-cisco-smart-licensing/td-p/4549571

This may help you:

https://www.cisco.com/c/en/us/support/docs/field-notices/723/fn72323.html

Aaron D · ‎02-10-2022

Martin, thanks for the post.

For the powers that be at Cisco: It's pretty bizarre (more like ugly) that TAC was surprised and unaware until today according to them. As customers this doesn't leave us feeling warm and fuzzy, especially given that it affects our operations. If Cisco TAC missed it, how many customers did? And this concurs with the fact this bug - Bug ID: Bug Search Tool (cisco.com) CSCwa91870 <---Opened today.

Smart licensing has been quite the debacle. Now we have 100's of alerts coming in from routers due to the fact they no longer can authorize. This is one of the reasons customers are very unhappy with how Cisco has handled this 'feature'. And while we're aware of SLUP in 17.x, we are on 16.x which doesn't support it. There seems to be a real lack of awareness on Cisco's end in communicating and implementing these features. Now instead of a planned proactive migration we are being put in reactive mode.

MARTIN STREULE · ‎02-10-2022

I‘m exactly in the same position as you. We just stumbled over this issue when we did a migration and Smart License did not work. I‘m also very surprised how this is communicated and executed. A disaster in my opinon.