Re: 9200 unable so Smart License due IPv6 name resolution?? - Page 2

soportefibratel · ‎04-17-2020

Hello everyone,

I'm having an issue with the Smart License registration on a 9200 Stack running Version 16.09.04. Altough in both the Core Switch (an old 4500) and the access switch I'm trying to register (9200) I have configured the same name servers, on the 9200 it's resolving the IPv6 address for Cisco, and thus, is unable to ping to it.

Below you can see how the core switch (rigth side) resolves IPv4 addresses, but the 9200 is resolving Cisco or Facebook with IPv6. I can ping all the IPv4 addresses from the 9200, but I'm unable to ping to the names if they are resolved with IPv6

I've disabled "ipv6 unicast-routing" and also entered "ip host cisco.com 72.163.4.185" on the 9200 but still no luck.

Any ideas would be welcomed

Thanks in advance

Alex Vilciu · ‎05-08-2020

Hi soportefibratel,

Did you manage to find a solution for this or did TAC answered you?

It seems that I have the same issue with more Catalyst 9200 switches that have smart license, they are not communicating with tools.cisco.com.

When I ping the hostname it resolves it to IPv4 address, but when I telnet it on 443 it resolves it with IPv6 and then get an error.

SW#ping tools.cisco.com
...
Sending 5, 100-byte ICMP Echos to 173.37.145.8, timeout is 2 seconds:
!!!!!

SW#telnet tools.cisco.com 443
Trying 2001:420:1201:5::A, 443 ...
% Destination unreachable; gateway or host down

I tried to ping from the switch other hosts/domains (microsoft.com, fortigate.com) and they are all resolved with IPv4 address, but when I telnet them on let's say 443 some of them are resolved with IPv4 and then shows me the port is open, but for others it resolves with IPv6 and I got the same error like above, so I guess it is something related to this IPv6 DNS name resolution.

SW#telnet vmware.com 443
Trying 2A02:E980:B5::B7, 443 ...
% Destination unreachable; gateway or host down

SW#telnet fortigate.com 443
Trying fortigate.com (96.45.36.230, 443)... Open

Thanks,

soportefibratel · ‎05-08-2020

Hi Alexvil,

So it seems you have the exact same problem. I opened a case, and couldn't find the issue. The customer's Firewall is managed by another company and we were thinking the problem is there, but now that I see that someone else has the same issue I doubt if there is something else.

Anyway, I'm having trouble to have an answer from the customer and their partner for the firewall so I'm stuck with no solution so far.

Regards

Alex Vilciu · ‎05-22-2020

Hi soportefibratel,

For what is worth, in our case the smart license communication was blocked by our Fortigate firewalls.

After our colleagues from Security made the change on firewall, the 9200 Catalyst switches reestablished communication with tools.cisco.com.

Thx,

Alex

Steven Case, MBA-ITM · ‎04-20-2020

So, I'm not sure what you've done or not (it's a long thread), I just figured I'd post this while you wait for your ticket and see if it helps.

I run a highly secured infrastructure (we're actually moving to full air gap which is another issue with reservations and blah, blah, blah), and I found that nothing works with Smart unless the following configuration exists:

ip host tools.cisco.com 72.163.4.38

ip http client source-interface {INTERFACE - VLAN1 if you desire}

license smart transport callhome

ip domain lookup source-interface {INTERFACE - VLAN1 if you desire}

I know you've tried a few things, this could be one of them, but figured it was worth a gander while you wait for support.

soportefibratel · ‎04-21-2020

Hi Steven,

Thanks, I´ve tried all your suggestions, but no luck so far.

Regards

TomChodera8028 · ‎09-23-2020

I've run into this multiple times and this is how I've fixed it.

1. Turn off DNS resolution on the switch - no ip domain-lookup

2. Set static host record for tools.cisco.com - ip host tools.cisco.com 72.163.4.38

3. Re-run the token registration - license smart register idtoken <token id> force

This seems to fix the issue of Smart Licensing trying to use IPv6 for registration, at least for me.

Florian Stroemmer · ‎10-13-2020

Hi everyone,

I faced the same issue with a new pair of C9300 stacks with 16.12.3a. One could register successfully, the other complained with the following messages:

000598: Oct 13 2020 07:43:57.659 UTC: %SMART_LIC-3-AGENT_REG_FAILED: Smart Agent for Licensing Registration with the Cisco Smart Software Manager (CSSM) failed: Fail to send out Call Home HTTP message.
000599: Oct 13 2020 07:43:57.659 UTC: %SMART_LIC-3-COMM_FAILED: Communications failure with the Cisco Smart Software Manager (CSSM) : Fail to send out Call Home HTTP message.

I tried all the solutions provided here but none worked. I then checked the config of the mgmt VLAN interfaces and found that one of them had the factory default IPv6 config (at least I didn't configure it and nobody else changed anything on that switch).

interface Vlan1
 description mgmt
 ip address 10.1.2.3 255.255.255.0
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
 ipv6 dhcp client request vendor
!

I removed all the IPv6-related lines and then Smart licensing registration worked like a charm.

CCIE #37979 (R/S)

Michal Stanczyk · ‎01-04-2022

With changes implemented through CSCvo50851 when the call-home transport is used with Smart Licensing we can explicitly request the device to use IPv4 for tools.cisco.com:

(config)# call-home
(cfg-call-home)#http resolve-hostname ipv4-first

Bill · ‎01-04-2022

Is a reboot required after issuing the command - http resolve-hostname ipv4-first ?

I have a9550 and a 9200 both running ver17.3.4 and still trying to use an ipv6 address eve after entering the command.

ipv6 is not configured on any interfaces.

Thanks

Bill · ‎01-04-2022

Type-o I have a "9500" and a 9200

Georg Pauwen · ‎01-04-2022

Hello,

try:

9500> enable
9500# configure terminal
9500(config)#no call-home
9500(config)#no service call-home

9500(cfg-call-home)# end

9500# configure terminal

9500(config)#service call-home
9500(config)#call-home
9500(cfg-call-home)# http resolve-hostname ipv4-first
9500(cfg-call-home)# end

Bill · ‎01-04-2022

Thanks for the quick response.

Still getting: "Unable to resolve server hostname/domain name"

Michal Stanczyk · ‎01-05-2022

My comment above was referring to call-home transport used for Smart Licensing.

In 17.3.2 onwards there is Smart Licensing Using Policy and there's different endpoint being used depending on the deployment mode.

By default, if no explicit Smart Licensing endpoint is configured the device will try to resolve something called 'cslu-local'.

If DNS can't resolve this hostname you get the "Unable to resolve server hostname/domain name" error.

In a nutshell:

1. If the device communicates directly with CSSM you can simply configure:

conf t
license smart transport smart

license smart url default

2. if the device communicates with SSM OnPrem (Satellite) then you can configure:

conf t

license smart transport cslu

license smart url cslu <CSLU Transport URL copied from OnPrem>

crypto pki trustpoint SLA-TrustPoint

revocation-check none

Bill · ‎01-05-2022

Michal

You are correct

Thank you.

Bill · ‎01-05-2022

Trying to mark your comment as Correct Answer, but I don't see the option to do that.