Announcements

Welcome to the Smart Call Home Community!

Our online forum for Smart Call Home customers to share, learn, and collaborate on Smart Call Home related topics. We encourage you to ask questions of Cisco experts, start a discussion, or share ideas and insight.

Smart Call Home enabled devices perform proactive diagnostics on their own components to provide real-time alerts and remediation advice when an issue is detected. An embedded support feature available on a broad range of Cisco products, it is provided at no additional cost with an active Smart Net Total Care Service, SP Base, Unified Computing Support Service, or Mission Critical Support Service contract for the designated products.

This Community will provide you with an overview about Cisco Smart Call Home features and how these features are embedded in a wide range of Cisco products to help your network. Smart Call Home provides higher network availability and support service quality.

Beginner

Smart Software Manager satellite (Call-Home)

Hi community,

 

I'm having trouble with Cisco's call-home service. We are using a Cisco Firepower 4100 series and we have followed all Cisco documentation in order to correctly configure the smart software licensing. It seems to be a TCP handshake issue, however we did set up the trustpoints...? The following errors keep occurring whether I try to establish a connection to Cisco's call-home CA or attempt to connect to our internal "Smart Software Manager Satellite" server:

 

info: 192.168.1.100 = Internal Satellite Server!

***************************************************************************************************************************

FIREWALL# call-home test profile CiscoTAC-1
INFO: Destination callhome@cisco.com skipped. Transport method email is not enabled.
INFO: Sending test message to https://tools.cisco.com/its/service/oddce/services/DDCEService...
telnet/ci: processing test(Test) SCH Configuration Test
telnet/ci: [0] dispatching test message to https://tools.cisco.com/its/service/oddce/services/DDCEService
telnet/ci: Dispatch to destination https://tools.cisco.com/its/service/oddce/services/DDCEService
telnet/ci: Opening dispatch channel: httpc/4/72.163.4.38/443/ssl/verify/sch//
telnet/ci: Opened dispatch channel: httpc/4/72.163.4.38/443/ssl/verify/sch//
telnet/ci: upload 2795 bytes
ERROR: Failed: CONNECT_FAILED(35)
INFO: Sending test message to https://192.168.1.100:443/Transportgateway/services/DeviceRequestHandler...
telnet/ci: http request to https://tools.cisco.com/its/service/oddce/services/DDCEService failed, rc -1
telnet/ci: [0] Dispatch message(124) test to https://tools.cisco.com/its/service/oddce/services/DDCEService failed: CONNECT_FAILED(35)
telnet/ci: [0] dispatching test message to https://192.168.1.100:443/Transportgateway/services/DeviceRequestHandler
telnet/ci: Dispatch to destination https://192.168.1.100:443/Transportgateway/services/DeviceRequestHandler
telnet/ci: Opening dispatch channel: httpc/2/192.168.1.100/443/ssl/verify/sch//
telnet/ci: Opened dispatch channel: httpc/2/192.168.1.100/443/ssl/verify/sch//
telnet/ci: upload 2804 bytes
ERROR: Failed: CONNECT_FAILED(35)
FIREWALL# telnet/ci: http request to https://192.168.1.100:443/Transportgateway/services/DeviceRequestHandler failed, rc -1
telnet/ci: [0] Dispatch message(125) test to https://192.168.1.100:443/Transportgateway/services/DeviceRequestHandler failed: CONNECT_FAILED(35) 

***************************************************************************************************************************

Furthermore, we are using the Smart Software Manager Satellite (SSMS) version 5.1. Unfortunately, HTTP (port 80) has been removed and this cannot be modified on the internal SSMS CLI server. Connection can only be established through HTTPS (443).

 

 

Trustpoint created to internal satellite server:

 

**************************************************************************************************************************

CA Certificate
Status: Available
Certificate Serial Number: 1234
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn=TG SSL CA
o=Cisco
c=US
Subject Name:
cn=192.168.1.100
ou=TC
o=Cisco
l=SJ
st=CA
c=ZZ
Validity Date:
start date: 15:21:48 UTC Nov 12 2018
end date: 15:21:48 UTC Nov 12 2033
Storage: config
Associated Trustpoints: smart_satellite

**************************************************************************************************************************

 

BTW Call Home CA Trustpoint is pre-configured

 

Any ideas?

 

5 REPLIES 5
Cisco Employee

Re: Smart Software Manager satellite (Call-Home)

Hello,

Can you confirm whether the below documentation was referenced during your initial configuration/troubleshooting?

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/213270-registration-of-a-firepower-management-c.html

Are you able to test connectivity via port 443 from the Firepower device to the Satellite as well as the Transport Gate IP?
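
An added example, not part of the thread and not Cisco tooling: a Python probe for the port 443 connectivity test asked about above, separating TCP reachability from the TLS handshake and from certificate verification, and returning the server certificate's subject and issuer for comparison with the trustpoint. It assumes it is run from an admin host on the same network as the firewall; the function name `probe` and the optional CA file argument are assumptions.

```python
import socket
import ssl
import sys


def _flatten(name):
    # getpeercert() returns names as nested tuples of (key, value) pairs.
    return ", ".join(f"{k}={v}" for rdn in name for k, v in rdn)


def probe(host, port=443, cafile=None, timeout=5.0):
    """Report the first stage that fails: tcp, tls_handshake, tls_verify, or ok."""
    # cafile (assumed input): PEM of the CA that issued the server certificate.
    # Without it, the host's default trust store is used.
    ctx = ssl.create_default_context(cafile=cafile)
    result = {"stage": "tcp", "error": None}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, unreachable, filtered, timed out
        result["error"] = f"{type(exc).__name__}: {exc}"
        return result
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            result.update(
                stage="ok",
                version=tls.version(),
                cipher=tls.cipher()[0],
                subject=_flatten(cert["subject"]),
                issuer=_flatten(cert["issuer"]),
                not_after=cert["notAfter"],
            )
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, expired certificate, or name mismatch. Python matches
        # the name against subjectAltName only, so a CN-only certificate lands here.
        result.update(stage="tls_verify", error=exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        # TCP connected but no common protocol/cipher, or the peer is not speaking TLS.
        result.update(stage="tls_handshake", error=f"{type(exc).__name__}: {exc}")
    return result


if __name__ == "__main__":
    # Usage: python probe.py <host> <port> [ca.pem]
    host, port = sys.argv[1], int(sys.argv[2])
    print(probe(host, port, sys.argv[3] if len(sys.argv) > 3 else None))
```

A `tcp` result points at routing or filtering, `tls_handshake` at protocol or cipher negotiation, and `tls_verify` at the certificate chain or name.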
Beginner

Re: Smart Software Manager satellite (Call-Home)

Thank you for the link; however, I am currently working via console and/or Telnet...

 

Why not ssh? 

 

 

Because the following license feature is not enabled yet:

 

Encryption-3DES-AES               : Disabled

 

 

To configure the device through the web I need to establish an HTTPS (443) connection, right?

HTTP is no longer supported as far as I'm concerned.

 

Has the disabled license feature got something to do with it?

 

In order to get this feature activated my device has to somehow connect to the smart licensing server, be it the internal satellite or cisco's web server.

 

I even followed this link:

 

https://community.cisco.com/t5/security-documents/smart-call-home-on-the-asa/ta-p/3127894

 

Any more suggestions?

 

 

Cisco Employee

Re: Smart Software Manager satellite (Call-Home)

Unfortunately, I am not familiar with the feature restrictions for this platform/license combination, though I do suspect this could be a conflict for the sake of connectivity.

Do you have an account with the Smart Licensing portal?

http://www.cisco.com/go/license

To obtain ASA 3DES license:
Click 'Get Other Licenses'
Click 'Crypto, IPS and Other licenses'
Select Security Products
Select Cisco ASA/3DES License
Click Next
Enter 'node locked information' (Hostname/Serial number/MAC address/Product ID and Serial number)
Click next/get license

Please note that in licensing your firewall you need to use the Serial Number from "show version" on the CLI.
Once you apply any license on the firewall, it will reload so that the license will take effect.
Beginner

Re: Smart Software Manager satellite (Call-Home)

Do you have an account with the Smart Licensing portal?

 

re: yes we do

 

We did request the license. The license is now assigned to the smart account, however the feature cannot be enabled unless the device connects to the licensing server.

 

I have opened a TAC case; maybe that shall help.

 

Thank you for your time regardless.

Beginner

Re: Smart Software Manager satellite (Call-Home)


"Do you have an account with the Smart Licensing portal?" 

Re: Yes, we do.

 We did request the license. The license is currently assigned to the smart account, however the feature cannot be enabled unless the device connects to the licensing server.

 

I have opened a TAC case; maybe that shall help.

 

Thank you for your time regardless.
