Hi,
I have a c5921 running 15.5(3)M code and I have a smart licensing problem. I created a token in CSSM and issued the command:
license smart register idtoken {tokenSTRING}
I get the following logs:
%PKI-4-NOCONFIGAUTOSAVE: Configuration was modified. Issue "write memory" to save new IOS PKI configuration
%SMART_LIC-3-COMM_FAILED: Communications failure with Cisco licensing cloud: Fail to send out Call Home HTTP message.
The problem is that I have a vrf configured on the interface, and the c5921 can only reach the internet through vrf PUBLIC.
c5921_312_127128#ping vrf PUBLIC software.cisco.com
Translating "software.cisco.com"...domain server (193.2.1.66) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 104.108.74.32, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/42/45 ms
c5921_312_127128#
So connectivity and DNS resolution work fine. I also checked whether a firewall was in the way, and the connection appears to be open.
c5921_312_127128#telnet software.cisco.com 80 /vrf PUBLIC
Translating "software.cisco.com"...domain server (255.255.255.255)
Translating "software.cisco.com"...domain server (193.2.1.66) [OK]
Trying e2757.dscb.akamaiedge.net (104.108.74.32, 80)... Open
And https...
c5921_312_127128#telnet software.cisco.com 443 /vrf PUBLIC
Translating "software.cisco.com"...domain server (255.255.255.255)
Translating "software.cisco.com"...domain server (193.2.1.66) [OK]
Trying e2757.dscb.akamaiedge.net (104.108.74.32, 443)... Open
I am using HTTP, as per the bug reports and the guides for configuring the Call-Home agent. Still no luck. Here is the call-home configuration:
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
vrf PUBLIC
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
destination address http http://tools.cisco.com/its/service/oddce/services/DDCEService
It seems the c5921 cannot send the message using the vrf. Any ideas?
Hi,
Before registering, did you enable Smart Licensing? Make sure you are only on
It looks like there is also a known bug with CSSM and VRF:
VRF hostname resolution error is causing smart license register failure via HTTPS
CSCvm59508
Description
Symptom:
Smart license registration was not successful after "license smart register idtoken" was issued.
------------------------------------------------------------
smartlicserver[219]: %LICENSE-SMART_LIC-3-AGENT_REG_FAILED : Smart Agent for Licensing Registration with Cisco licensing cloud failed: Fail to send out Call Home HTTP message
smartlicserver[219]: %LICENSE-SMART_LIC-3-COMM_FAILED : Communications failure with Cisco licensing cloud: Fail to send out Call Home HTTP message
------------------------------------------------------------
Conditions:
This issue can be seen when using a smart license via HTTPS in a configured VRF.
This issue is not seen when HTTPS is used in a default VRF or HTTP is used.
------------------------------------------------------------
http client vrf
call-home
vrf
service active
contact smart-licensing
profile CiscoTAC-1
active
destination transport-method http
!
!
crypto ca trustpoint Trustpool
vrf
!
------------------------------------------------------------
Workaround:
Consider applying one of the workarounds below:
1) Disable Certificate Revocation List checking
------------------------------------------------------------
crypto ca trustpoint Trustpool
crl optional
!
------------------------------------------------------------
2) Using HTTP
Configure call-home so that HTTP is used instead of HTTPS.
------------------------------------------------------------
call-home
profile CiscoTAC-1
destination address http http://tools.cisco.com/its/service/oddce/services/DDCEService
!
!
------------------------------------------------------------
(*) HTTP is used by default when no k9sec package is installed.
Thanks for the quick reply, but I have found the solution, posted below.
Yes, I checked those bugs too. Surprisingly, the only thing I needed to do was configure the HTTP source interface, and it even works with the default call-home config. Note that I can only reach software.cisco.com through Ethernet0/0.10, which is configured with vrf forwarding PUBLIC.
I finally got it working. It even worked with the default call-home config, with no vrf configured (using https).
The command I was missing was:
enable
conf t
ip http client source-interface Ethernet 0/0.10
call-home config:
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
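Hi everyone!!
I have the same problem, but with an NCS5504 running IOS XR. (I have already created the token.)
I reach the Internet only from VRF INTERNET and the Loopback1 interface.
Following the examples in this thread, I tried playing with the source interface and VRF in call-home and http-client, but the result is the same.
I think the configuration should look like this: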
call-home
vrf INTERNET
service active
contact smart-licensing
source-interface Loopback1
profile CiscoTAC-1
active
destination transport-method http
!
!
http client vrf INTERNET
http client source-interface ipv4 Loopback1
!
!
So, Internet access works fine...
RP/0/RP0/CPU0:Core1#ping tools.cisco.com source loopback 1 vrf INTERNET
Tue Aug 27 15:28:51.254 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.37.145.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 200/200/204 ms
RP/0/RP0/CPU0:Core1#
!
!
!
RP/0/RP0/CPU0:Core1#telnet vrf INTERNET tools.cisco.com 443 source-interface loopback 1
Trying tools.cisco.com(2001:420:1201:5::a)...
Use specified source interface(Loopback1).
Global address not present, using link local addressas source address
Not able to get link local addressCan't use Loopback1 as source interface for IPv6.
Trying tools.cisco.com(173.37.145.8)...
Use specified source interface(Loopback1).
Use 186.189.64.1 as local address.
Connected to tools.cisco.com.
Escape sequence is '^^q'.
The error persists with the different configurations (with or without VRF/source interface):
RP/0/RP0/CPU0:Core1#RP/0/RP0/CPU0:Aug 27 15:26:36.378 UTC: call_home[346]: SMART-LICENSE-ERROR: smart_license_req_http_send[164], Failed to send request to all URLs.
RP/0/RP0/CPU0:Aug 27 15:26:36.378 UTC: call_home[346]: SMART-LICENSE-TRACE: call_home_smart_license_stats_update[703], Update smart license stats entry, subtype REGISTRATION,stats_type 2
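In addition, I have checked all of these items (they seem useful):
Next steps
— Verify that the Cisco device can ping tools.cisco.com or the IP that nslookup resolves it to
— Try to telnet from the Cisco device to tools.cisco.com on TCP port 443 (the port used by HTTPS)
— Verify that the HTTPS client source interface is correct
— Verify that the URL/IP in the Call Home profile on the Cisco device is set correctly, using
show call-home profile all
— Verify that the IP route points to the correct next hop
— Ensure that TCP port 443 is not blocked on the Cisco device, on the path to the Smart Call Home server, or on the Cisco Smart Software Manager satellite
— Ensure that the correct Virtual Routing and Forwarding (VRF) instance is configured, if applicable
From this link: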
https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9500-series-switches/214484-cisco-smart-licensing-troubleshooting.html#anc17
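All the tests pass... but it still doesn't work.
Maybe IOS XR has a similar bug too...
Hi,
Could you post the DNS configuration you used?
Cisco has asked for the configuration below, but where do I get the IP address details for point 7?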
ip host tools.cisco.com ip-address
This totally worked! Thanks!
Thanks!
Thanks, everyone. Here is my working configuration for an ASR1001 using mgmt-vrf.
##################################################################
service call-home
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
vrf Mgmt-intf
no http secure server-identity-check
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
license smart transport callhome
ip domain lookup vrf Mgmt-intf source-interface GigabitEthernet0
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address <IP> 255.255.255.0
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 <GW>
ip http client source-interface GigabitEthernet0
Once done, use "license smart register idtoken <token>"
##################################################################
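
An added example, not from any poster or from Cisco: a small Python check that reads a running-config and reports which interface and VRF the HTTP client sources from, and which of the settings mentioned in this thread relax transport checks (plain-HTTP destination, "no http secure server-identity-check", "crl optional"). It assumes the text keeps the normal indentation of "show running-config"; the function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample: the ASR1001 post's settings plus the bug's "crl optional".
SAMPLE = """\
call-home
 vrf Mgmt-intf
 no http secure server-identity-check
 profile "CiscoTAC-1"
  destination address http http://tools.cisco.com/its/service/oddce/services/DDCEService
crypto ca trustpoint Trustpool
 crl optional
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
ip http client source-interface GigabitEthernet0
"""

def sections(config):
    """Group indented lines under the top-level line that precedes them."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip().startswith("!"):
            continue
        if not line[0].isspace():
            current = line.strip()
            out.setdefault(current, [])
        elif current:
            out[current].append(line.strip())
    return out

def audit(config):
    """Report the HTTP client source/VRF and any relaxed transport checks."""
    sec = sections(config)
    call_home = sec.get("call-home", [])
    src = next((k.split("source-interface", 1)[1].replace(" ", "")
                for k in sec if k.startswith("ip http client source-interface")), None)
    src_vrf = None
    for name, body in sec.items():
        if name.startswith("interface ") and name[10:].replace(" ", "") == src:
            m = re.search(r"^(?:ip )?vrf forwarding (\S+)", "\n".join(body), re.M)
            src_vrf = m.group(1) if m else None
    relaxed = []
    if any(re.match(r"destination address http http://", l) for l in call_home):
        relaxed.append("call-home destination uses plain HTTP")
    if "no http secure server-identity-check" in call_home:
        relaxed.append("HTTPS server identity check disabled")
    if "crl optional" in sec.get("crypto ca trustpoint Trustpool", []):
        relaxed.append("CRL check optional on Trustpool")
    return {"source_interface": src, "source_vrf": src_vrf, "relaxed": relaxed,
            "call_home_vrf": next((l[4:] for l in call_home if l.startswith("vrf ")), None)}
```

Running audit() on a device's saved configuration after registration succeeds shows which of these relaxed settings are still in place and can be reviewed.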