Smart Software Manager satellite (Call-Home)

islow1303
Level 1

Hi community,

 

I'm having trouble with Cisco's call-home service. We are using a Cisco Firepower 4100 series and we have followed all Cisco documentation in order to correctly configure the smart software licensing. It seems to be a TCP handshake issue, however we did set up the trustpoints...? The following errors keep occurring whether I try to establish a connection to Cisco's call-home CA or attempt to connect to our internal "Smart Software Manager Satellite" server:

 

info: 192.168.1.100 = Internal Satellite Server!

***************************************************************************************************************************

FIREWALL# call-home test profile CiscoTAC-1
INFO: Destination callhome@cisco.com skipped. Transport method email is not enabled.
INFO: Sending test message to https://tools.cisco.com/its/service/oddce/services/DDCEService...
telnet/ci: processing test(Test) SCH Configuration Test
telnet/ci: [0] dispatching test message to https://tools.cisco.com/its/service/oddce/services/DDCEService
telnet/ci: Dispatch to destination https://tools.cisco.com/its/service/oddce/services/DDCEService
telnet/ci: Opening dispatch channel: httpc/4/72.163.4.38/443/ssl/verify/sch//
telnet/ci: Opened dispatch channel: httpc/4/72.163.4.38/443/ssl/verify/sch//
telnet/ci: upload 2795 bytes
ERROR: Failed: CONNECT_FAILED(35)
INFO: Sending test message to https://192.168.1.100:443/Transportgateway/services/DeviceRequestHandler...
telnet/ci: http request to https://tools.cisco.com/its/service/oddce/services/DDCEService failed, rc -1
telnet/ci: [0] Dispatch message(124) test to https://tools.cisco.com/its/service/oddce/services/DDCEService failed: CONNECT_FAILED(35)
telnet/ci: [0] dispatching test message to https://192.168.1.100:443/Transportgateway/services/DeviceRequestHandler
telnet/ci: Dispatch to destination https://192.168.1.100:443/Transportgateway/services/DeviceRequestHandler
telnet/ci: Opening dispatch channel: httpc/2/192.168.1.100/443/ssl/verify/sch//
telnet/ci: Opened dispatch channel: httpc/2/192.168.1.100/443/ssl/verify/sch//
telnet/ci: upload 2804 bytes
ERROR: Failed: CONNECT_FAILED(35)
FIREWALL# telnet/ci: http request to https://192.168.1.100:443/Transportgateway/services/DeviceRequestHandler failed, rc -1
telnet/ci: [0] Dispatch message(125) test to https://192.168.1.100:443/Transportgateway/services/DeviceRequestHandler failed: CONNECT_FAILED(35) 

***************************************************************************************************************************

Furthermore, we are using the Smart Software Manager Satellite (SSMS) version 5.1. Unfortunately, HTTP (port 80) has been removed and this cannot be modified on the internal SSMS CLI server. A connection can only be established through HTTPS (443).

 

 

Trustpoint created to internal satellite server:

 

**************************************************************************************************************************

CA Certificate
Status: Available
Certificate Serial Number: 1234
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn=TG SSL CA
o=Cisco
c=US
Subject Name:
cn=192.168.1.100
ou=TC
o=Cisco
l=SJ
st=CA
c=ZZ
Validity Date:
start date: 15:21:48 UTC Nov 12 2018
end date: 15:21:48 UTC Nov 12 2033
Storage: config
Associated Trustpoints: smart_satellite

**************************************************************************************************************************

 

BTW Call Home CA Trustpoint is pre-configured

 

Any ideas?
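
To read the interleaved debug output in the question per destination, the following added example (not part of the original post, and not Cisco code) groups the lines by URL and reports whether every destination failed the same way. The meaning given to the channel string fields (peer, port, ssl, verify) is an assumption inferred from the log lines quoted above.

```python
import re

# Excerpt of the debug lines quoted in the post above (page order preserved).
SAMPLE = """\
telnet/ci: Dispatch to destination https://tools.cisco.com/its/service/oddce/services/DDCEService
telnet/ci: Opened dispatch channel: httpc/4/72.163.4.38/443/ssl/verify/sch//
ERROR: Failed: CONNECT_FAILED(35)
telnet/ci: [0] Dispatch message(124) test to https://tools.cisco.com/its/service/oddce/services/DDCEService failed: CONNECT_FAILED(35)
telnet/ci: Dispatch to destination https://192.168.1.100:443/Transportgateway/services/DeviceRequestHandler
telnet/ci: Opened dispatch channel: httpc/2/192.168.1.100/443/ssl/verify/sch//
ERROR: Failed: CONNECT_FAILED(35)
telnet/ci: [0] Dispatch message(125) test to https://192.168.1.100:443/Transportgateway/services/DeviceRequestHandler failed: CONNECT_FAILED(35)
"""

DEST_RE = re.compile(r"Dispatch to destination (\S+)")
# Assumed layout: httpc/<id>/<peer>/<port>/<flags...>; not documented on the page.
CHAN_RE = re.compile(r"Opened dispatch channel: httpc/\d+/([^/]+)/(\d+)/(\S*)")
FAIL_RE = re.compile(r"Dispatch message\((\d+)\) \w+ to (\S+) failed: (\w+)\((\d+)\)")

def summarize(log):
    """Return one record per destination URL, in order of first appearance."""
    records, current = {}, None
    for line in log.splitlines():
        if m := DEST_RE.search(line):
            current = records.setdefault(m.group(1), {"url": m.group(1)})
        elif (m := CHAN_RE.search(line)) and current is not None:
            flags = m.group(3).strip("/").split("/")
            current.update(peer=m.group(1), port=int(m.group(2)),
                           tls="ssl" in flags, verify="verify" in flags)
        elif m := FAIL_RE.search(line):
            # Failure lines can arrive after the next dispatch starts, so key by URL.
            rec = records.setdefault(m.group(2), {"url": m.group(2)})
            rec.update(message_id=int(m.group(1)), error=m.group(3),
                       code=int(m.group(4)))
    return list(records.values())

def shared_failure(records):
    """Return (error, code) if every destination failed identically, else None."""
    outcomes = {(r.get("error"), r.get("code")) for r in records}
    if len(outcomes) == 1 and None not in next(iter(outcomes)):
        return next(iter(outcomes))
    return None

if __name__ == "__main__":
    for record in summarize(SAMPLE):
        print(record)
    print("shared failure:", shared_failure(summarize(SAMPLE)))
```

On the excerpt, both the Cisco endpoint and the internal satellite fail with the same code on channels flagged ssl/verify, so whatever the two connections have in common on the device is the first thing to check.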

 

5 Replies 5

Justin Sprake
Cisco Employee
Hello,

Can you confirm whether the below documentation was referenced during your initial configuration/troubleshooting?

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/213270-registration-of-a-firepower-management-c.html

Are you able to test connectivity via port 443 from the Firepower device to the Satellite as well as the Transport Gate IP?

Thank you for the link however I am currently working via console or/& Telnet...

 

Why not ssh? 

 

 

Because the following license feature is not enabled yet:

 

Encryption-3DES-AES               : Disabled

 

 

To configure the device through the web I need to establish an HTTPS (443) connection, right?

HTTP is no longer supported as far as I'm concerned.

 

Has the disabled license feature got something to do with it?

 

In order to get this feature activated my device has to somehow connect to the smart licensing server, be it the internal satellite or cisco's web server.

 

I even followed this link:

 

https://community.cisco.com/t5/security-documents/smart-call-home-on-the-asa/ta-p/3127894

 

Any more suggestions?

 

 

Unfortunately, I am not familiar with the feature restrictions for this platform/license combination, though I do suspect this could be a conflict for the sake of connectivity.

Do you have an account with the Smart Licensing portal?

http://www.cisco.com/go/license

To obtain ASA 3DES license:
Click 'Get Other Licenses'
Click 'Crypto, IPS and Other licenses'
Select Security Products
Select Cisco ASA/3DES License
Click Next
Enter 'node locked information' (Hostname/Serial number/MAC address/Product ID and Serial number)
Click next/get license

Please note that in licensing your firewall you need to use the Serial Number from "show version" on the CLI.
Once you apply any license on the firewall, it will reload so that the license will take effect.

Do you have an account with the Smart Licensing portal?

 

re: yes we do

 

We did request the license. The license is now assigned to the smart account, however the feature cannot be enabled unless the device connects to the licensing server.

 

I have opened a TAC case, maybe that shall help.

 

Thank you for your time regardless.

Re: Smart Software Manager satellite (Call-Home)

"Do you have an account with the Smart Licensing portal?" 

Re: Yes, we do.

 We did request the license. The license is currently assigned to the smart account, however the feature cannot be enabled unless the device connects to the licensing server.

 

I have opened a TAC case, maybe that shall help.

 

Thank you for your time regardless.