02-26-2025 04:25 AM
Hello,
I'm trying to register a few devices with CSSM directly. I have connectivity and the devices are configured but they all fail and display the generic message "Fail to send out Call Home HTTP message".
My firewall is permitting the traffic and showing that the CSSM server is returning a RESET on the connection.
I've run a few SSL debugs because it was pointing towards a cert issue, and I'm seeing the following:
RP/0/RP0/CPU0:Feb 26 10:46:12.457 UTC: http_client[331]: %SECURITY-XR_SSL-6-CERT_VERIFY_INFO : SSL Certificate verification: Certificate can be used for purpose it was meant to be
RP/0/RP0/CPU0:Feb 26 10:46:12.461 UTC: http_client[331]: %SECURITY-XR_SSL-3-CERT_VERIFY_ERR : SSL certificate verify error: Peer certificate verification failed:cert_verify_fqdn failed
RP/0/RP0/CPU0:Feb 26 10:46:12.462 UTC: call_home[323]: CALL-HOME-ERROR: httpc_file_resp_read: "/tmp/call_home_http_1101422128.resp" size is zero
RP/0/RP0/CPU0:Feb 26 10:46:23.048 UTC: http_client[331]: %SECURITY-XR_SSL-3-CERT_VERIFY_ERR : SSL certificate verify error: Peer certificate verification failed:cert_verify_fqdn failed
RP/0/RP0/CPU0:Feb 26 10:46:23.049 UTC: call_home[323]: CALL-HOME-ERROR: httpc_file_resp_read: "/tmp/call_home_http_1105016983.resp" size is zero
RP/0/RP0/CPU0:Feb 26 10:46:33.624 UTC: http_client[331]: %SECURITY-XR_SSL-3-CERT_VERIFY_ERR : SSL certificate verify error: Peer certificate verification failed:cert_verify_fqdn failed
RP/0/RP0/CPU0:Feb 26 10:46:33.625 UTC: call_home[323]: CALL-HOME-ERROR: httpc_file_resp_read: "/tmp/call_home_http_1105027585.resp" size is zero
RP/0/RP0/CPU0:Feb 26 10:46:34.648 UTC: http_client[331]: %SECURITY-XR_SSL-3-CERT_VERIFY_ERR : SSL certificate verify error: Peer certificate verification failed:cert_verify_fqdn failed
RP/0/RP0/CPU0:Feb 26 10:46:34.650 UTC: call_home[323]: CALL-HOME-ERROR: httpc_file_resp_read: "/tmp/call_home_http_1105038172.resp" size is zero
http_client[331]: %SECURITY-XR_SSL-3-CERT_VERIFY_ERR : SSL certificate verify error: Peer certificate verification failed:cert_verify_fqdn failed
call_home[323]: CALL-HOME-ERROR: httpc_file_resp_read: "/tmp/call_home_http_1105039175.resp" size is zero
RP/0/RP0/CPU0:Feb 26 10:46:55.847 UTC: http_client[331]: %SECURITY-XR_SSL-3-CERT_VERIFY_ERR : SSL certificate verify error: Peer certificate verification failed:cert_verify_fqdn failed
RP/0/RP0/CPU0:Feb 26 10:46:55.849 UTC: call_home[323]: CALL-HOME-ERROR: httpc_file_resp_read: "/tmp/call_home_http_1105049773.resp" size is zero
RP/0/RP0/CPU0:Feb 26 10:46:55.850 UTC: smartlicserver[190]: %LICENSE-SMART_LIC-3-AGENT_REG_FAILED : Smart Agent for Licensing Registration with the Cisco Smart Software Manager (CSSM) failed: Fail to send out Call Home HTTP message
I found a bug, CSCvx00476, and followed the workaround (installing new certs), but I get the same errors, even though my software version is 7.11.2.
I finally did a debug on pki and the following appears to be the issue:
RP/0/RP0/CPU0:Feb 26 11:59:44.486 UTC: http_client[331]: pki_validate_common_name() is entered:common name = tools.cisco.com
RP/0/RP0/CPU0:Feb 26 11:59:44.486 UTC: http_client[331]: pki_validate_domain_name() is entered: tools.cisco.com
RP/0/RP0/CPU0:Feb 26 11:59:44.488 UTC: http_client[331]: pki_validate_common_name() hostname tools.cisco.com not found
RP/0/RP0/CPU0:Feb 26 11:59:44.488 UTC: http_client[331]: %SECURITY-XR_SSL-3-CERT_VERIFY_ERR : SSL certificate verify error: Peer certificate verification failed:cert_verify_fqdn failed
What I don't know is what is causing this to happen. Does anyone recognise this error and what would be the root cause?
Here's a snapshot of my config:
call-home
 vrf xxx
 service active
 contact smart-licensing
 source-interface Loopback97
 profile CiscoTAC-1
  active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method email disable
  destination transport-method http
 !
domain vrf CE-MGMT ipv4 host tools.cisco.com 72.163.4.38
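Added example, not part of the original post and not Cisco tooling: a short Python triage script for debug output like the above. It counts the TLS verification failure reasons, extracts the hostname the PKI check could not match, and notes whether registration failed. The regular expressions are assumptions derived only from the log lines quoted in this thread, and the sample is a subset of those lines.

```python
import re
from collections import Counter

# Sample input: a subset of the log lines quoted in the post above (not live output).
SAMPLE = """\
RP/0/RP0/CPU0:Feb 26 10:46:12.457 UTC: http_client[331]: %SECURITY-XR_SSL-6-CERT_VERIFY_INFO : SSL Certificate verification: Certificate can be used for purpose it was meant to be
RP/0/RP0/CPU0:Feb 26 10:46:12.461 UTC: http_client[331]: %SECURITY-XR_SSL-3-CERT_VERIFY_ERR : SSL certificate verify error: Peer certificate verification failed:cert_verify_fqdn failed
RP/0/RP0/CPU0:Feb 26 10:46:12.462 UTC: call_home[323]: CALL-HOME-ERROR: httpc_file_resp_read: "/tmp/call_home_http_1101422128.resp" size is zero
http_client[331]: %SECURITY-XR_SSL-3-CERT_VERIFY_ERR : SSL certificate verify error: Peer certificate verification failed:cert_verify_fqdn failed
RP/0/RP0/CPU0:Feb 26 10:46:55.850 UTC: smartlicserver[190]: %LICENSE-SMART_LIC-3-AGENT_REG_FAILED : Smart Agent for Licensing Registration with the Cisco Smart Software Manager (CSSM) failed: Fail to send out Call Home HTTP message
RP/0/RP0/CPU0:Feb 26 11:59:44.488 UTC: http_client[331]: pki_validate_common_name() hostname tools.cisco.com not found
"""

# Optional "node:timestamp: " prefix, then "process[pid]: message" (assumed layout).
LINE = re.compile(r"^(?:(?P<node>\S+?):(?P<ts>\w{3} +\d+ [\d:.]+ \w+): )?"
                  r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# "%FACILITY-SEVERITY-MNEMONIC : text", where FACILITY may itself contain hyphens.
MNEMONIC = re.compile(r"^%(?P<fac>[\w-]+?)-(?P<sev>\d)-(?P<name>\w+) : (?P<text>.*)$")
HOST_MISS = re.compile(r"pki_validate_common_name\(\) hostname (\S+) not found")


def triage(text):
    """Summarise why Smart Licensing registration failed, from syslog/debug text."""
    reasons, hosts, reg_failed = Counter(), set(), False
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a "process[pid]: ..." line
        msg = m["msg"]
        tag = MNEMONIC.match(msg)
        if tag and tag["name"] == "CERT_VERIFY_ERR":
            # Keep only the trailing reason, e.g. "cert_verify_fqdn failed".
            reasons[tag["text"].rsplit(":", 1)[-1].strip()] += 1
        elif tag and tag["name"] == "AGENT_REG_FAILED":
            reg_failed = True
        else:
            h = HOST_MISS.search(msg)
            if h:
                hosts.add(h[1])
    return {"tls_failures": dict(reasons),
            "unmatched_hostnames": sorted(hosts),
            "registration_failed": reg_failed}


if __name__ == "__main__":
    print(triage(SAMPLE))
```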
02-26-2025 08:01 AM
On one router, please try to configure "http client secure-verify-peer disable".
This will disable the certificate check to ensure it's a certificate issue on the router vs something else.
Thanks
02-27-2025 04:32 AM
Thank you - that's worked perfectly!