04-17-2020 03:02 AM
Hello everyone,
I'm having an issue with the Smart License registration on a 9200 Stack running Version 16.09.04. Although I have configured the same name servers on both the Core Switch (an old 4500) and the access switch I'm trying to register (9200), the 9200 is resolving the IPv6 address for Cisco and thus is unable to ping it.
Below you can see how the core switch (right side) resolves IPv4 addresses, but the 9200 is resolving Cisco or Facebook with IPv6. I can ping all the IPv4 addresses from the 9200, but I'm unable to ping the names if they are resolved with IPv6.
I've disabled "ipv6 unicast-routing" and also entered "ip host cisco.com 72.163.4.185" on the 9200 but still no luck.
Any ideas would be welcomed
Thanks in advance
05-08-2020 04:25 AM
Hi soportefibratel,
Did you manage to find a solution for this, or did TAC answer you?
It seems that I have the same issue with more Catalyst 9200 switches that have smart license, they are not communicating with tools.cisco.com.
When I ping the hostname it resolves it to an IPv4 address, but when I telnet to it on 443 it resolves it with IPv6 and then I get an error.
SW#ping tools.cisco.com
...
Sending 5, 100-byte ICMP Echos to 173.37.145.8, timeout is 2 seconds:
!!!!!
SW#telnet tools.cisco.com 443
Trying 2001:420:1201:5::A, 443 ...
% Destination unreachable; gateway or host down
I tried to ping other hosts/domains from the switch (microsoft.com, fortigate.com) and they are all resolved with an IPv4 address, but when I telnet to them on, let's say, 443, some of them are resolved with IPv4 and then it shows me the port is open, but for others it resolves with IPv6 and I get the same error as above, so I guess it is something related to this IPv6 DNS name resolution.
SW#telnet vmware.com 443
Trying 2A02:E980:B5::B7, 443 ...
% Destination unreachable; gateway or host down
SW#telnet fortigate.com 443
Trying fortigate.com (96.45.36.230, 443)... Open
Thanks,
05-08-2020 04:52 AM
Hi Alexvil,
So it seems you have the exact same problem. I opened a case, and couldn't find the issue. The customer's Firewall is managed by another company and we were thinking the problem is there, but now that I see that someone else has the same issue I doubt if there is something else.
Anyway, I'm having trouble getting an answer from the customer and their partner for the firewall, so I'm stuck with no solution so far.
Regards
05-22-2020 06:09 AM
Hi soportefibratel,
For what it's worth, in our case the smart license communication was blocked by our Fortigate firewalls.
After our colleagues from Security made the change on firewall, the 9200 Catalyst switches reestablished communication with tools.cisco.com.
Thx,
Alex
09-27-2023 10:34 AM
Hello All
If I want to run the http and https traffic via the proxy server (Barracuda gateway 810), I do not see this traffic hit the Barracuda at all. I would like to know what I need to set. I have the following command config on this device.
!! commands call home
call-home
contact-email-addr sch-smart-licensing@cisco.com
http-proxy "10.32.68.31" port 3128
no http secure server-identity-check
http resolve-hostname ipv4-first
profile "test-proxy-srv"
reporting smart-licensing-data
destination transport-method http
no destination transport-method email
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
end
!! end summary
!! enable call home service and add proxy to the switch config
config t
service call-home
ip http client proxy-server 10.32.86.31 proxy-port 3128
no ip http authentication local
ip host tools.cisco.com 72.163.4.38
ip http client source-interface VLAN105
ip domain lookup source-interface VLAN105
I have tried all the steps noted in this page but I am still not able to see the traffic going to the proxy server.
I can ping tools.cisco.com but when I telnet via port 80 or 443 I get the IPv6 lookup.
Switch#ping tools.cisco.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.163.4.38, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/36 ms
Switch#telnet tools.cisco.com 443
Trying 2001:420:1101:5::A, 443 ...
% Destination unreachable; gateway or host down
Switch#telnet tools.cisco.com 80
Trying 2001:420:1101:5::A, 80 ...
% Destination unreachable; gateway or host down
If I disable the ip domain lookup I am able to get the open prompt.
All and any help is welcomed.
04-20-2020 08:41 AM
So, I'm not sure what you've done or not (it's a long thread), I just figured I'd post this while you wait for your ticket and see if it helps.
I run a highly secured infrastructure (we're actually moving to full air gap which is another issue with reservations and blah, blah, blah), and I found that nothing works with Smart unless the following configuration exists:
04-21-2020 12:44 AM
Hi Steven,
Thanks, I've tried all your suggestions, but no luck so far.
Regards
09-23-2020 09:33 AM
I've run into this multiple times and this is how I've fixed it.
1. Turn off DNS resolution on the switch - no ip domain-lookup
2. Set static host record for tools.cisco.com - ip host tools.cisco.com 72.163.4.38
3. Re-run the token registration - license smart register idtoken <token id> force
This seems to fix the issue of Smart Licensing trying to use IPv6 for registration, at least for me.
10-13-2020 12:55 AM
Hi everyone,
I faced the same issue with a new pair of C9300 stacks with 16.12.3a. One could register successfully, the other complained with the following messages:
000598: Oct 13 2020 07:43:57.659 UTC: %SMART_LIC-3-AGENT_REG_FAILED: Smart Agent for Licensing Registration with the Cisco Smart Software Manager (CSSM) failed: Fail to send out Call Home HTTP message.
000599: Oct 13 2020 07:43:57.659 UTC: %SMART_LIC-3-COMM_FAILED: Communications failure with the Cisco Smart Software Manager (CSSM) : Fail to send out Call Home HTTP message.
I tried all the solutions provided here but none worked. I then checked the config of the mgmt VLAN interfaces and found that one of them had the factory default IPv6 config (at least I didn't configure it and nobody else changed anything on that switch).
interface Vlan1
 description mgmt
 ip address 10.1.2.3 255.255.255.0
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
 ipv6 dhcp client request vendor
!
I removed all the IPv6-related lines and then Smart licensing registration worked like a charm.
01-04-2022 03:04 AM
With the changes implemented through CSCvo50851, when the call-home transport is used with Smart Licensing, we can explicitly request the device to use IPv4 for tools.cisco.com:
(config)# call-home
(cfg-call-home)#http resolve-hostname ipv4-first
01-04-2022 01:45 PM
Is a reboot required after issuing the command "http resolve-hostname ipv4-first"?
I have a 9550 and a 9200, both running ver 17.3.4, and they are still trying to use an IPv6 address even after entering the command.
ipv6 is not configured on any interfaces.
Thanks
01-04-2022 01:46 PM
Typo: I have a "9500" and a 9200.
01-04-2022 02:00 PM
Hello,
try:
9500> enable
9500# configure terminal
9500(config)#no call-home
9500(config)#no service call-home
9500(config)# end
9500# configure terminal
9500(config)#service call-home
9500(config)#call-home
9500(cfg-call-home)# http resolve-hostname ipv4-first
9500(cfg-call-home)# end
01-04-2022 02:11 PM
Thanks for the quick response.
Still getting: "Unable to resolve server hostname/domain name"
01-05-2022 03:32 AM
My comment above was referring to call-home transport used for Smart Licensing.
From 17.3.2 onwards there is Smart Licensing Using Policy, and a different endpoint is used depending on the deployment mode.
By default, if no explicit Smart Licensing endpoint is configured the device will try to resolve something called 'cslu-local'.
If DNS can't resolve this hostname you get the "Unable to resolve server hostname/domain name" error.
In a nutshell:
1. If the device communicates directly with CSSM you can simply configure:
conf t
license smart transport smart
license smart url default
2. If the device communicates with SSM OnPrem (Satellite) then you can configure:
conf t
license smart transport cslu
license smart url cslu <CSLU Transport URL copied from OnPrem>
crypto pki trustpoint SLA-TrustPoint
revocation-check none
01-05-2022 05:22 AM
Michal
You are correct
Thank you.
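Added example (not from any poster in this thread, and not Cisco tooling): an offline check of a saved running-config for the settings this thread ties to the IPv6 lookup failure (IPv6 left on an interface, no `http resolve-hostname ipv4-first`), for differing proxy addresses like the two quoted in the 09-27-2023 post, and for the two TLS validation settings that appear in the posted configs. The finding names and `SAMPLE_CONFIG` are constructed for this example; the sample reuses lines quoted above.

```python
import re

# Constructed sample built from lines quoted in the thread (not a real device config).
SAMPLE_CONFIG = """\
call-home
 http-proxy "10.32.68.31" port 3128
 no http secure server-identity-check
ip http client proxy-server 10.32.86.31 proxy-port 3128
interface Vlan1
 ip address 10.1.2.3 255.255.255.0
 ipv6 address dhcp
 ipv6 enable
crypto pki trustpoint SLA-TrustPoint
 revocation-check none
"""

def parse_blocks(config):
    """Group indented IOS lines under their top-level parent line."""
    blocks, parent = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and "!" separators/comments
        if not raw.startswith(" "):
            parent = raw.rstrip()
            blocks.setdefault(parent, [])
        elif parent:
            blocks[parent].append(raw.strip())
    return blocks

def audit(config):
    """Return sorted finding names (the names are this example's own)."""
    blocks, findings = parse_blocks(config), set()
    ch = blocks.get("call-home", [])
    if "call-home" in blocks and "http resolve-hostname ipv4-first" not in ch:
        findings.add("callhome-no-ipv4-first")
    if "no http secure server-identity-check" in ch:
        findings.add("callhome-tls-identity-check-disabled")
    # Proxy addresses from both the call-home and the ip http client settings.
    proxies = set(re.findall(r'(?:http-proxy|proxy-server) "?([\d.]+)"?', config))
    for top, body in blocks.items():
        if top.startswith("interface ") and any(l.startswith("ipv6 ") for l in body):
            findings.add("ipv6-on-" + top.split()[1])
        if top.startswith("crypto pki trustpoint ") and "revocation-check none" in body:
            findings.add("revocation-check-disabled-" + top.split()[-1])
    if len(proxies) > 1:
        findings.add("proxy-address-mismatch")
    return sorted(findings)
```

Feed it the text of `show running-config` saved to a file; an empty list means none of these conditions were found.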