Field Notice: FN - 70582 - Devices Registered to Cisco Smart Software Manager On-Prem Might Incorrectly Revert to an Unlicensed State - Software Upgrade Recommended

Available Languages

Updated:August 10, 2020

Document ID:FN70582

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.0	03-Aug-20	Initial Release

Products Affected

Affected OS Type	Affected Software Product	Affected Release	Affected Release Number	Comments
NON-IOS	Smart Software Manager satellite	7	7-201910	Cisco Smart Software Manager On-Prem versions 7-201910 and 7-202001 are affected
NON-IOS	Smart Software Manager satellite	8	8-202004	Cisco Smart Software manager On-Prem version 8-202004 is affected

Defect Information

Defect ID	Headline
CSCvu49664	Smart Licensing Satellite Returning Expired ID Cert

Problem Description

Devices registered to Cisco Smart Software Manager On-Prem (CSSM On-Prem) might incorrectly revert to an unlicensed state before their registration authorization would normally expire. Affected devices require manual intervention, in some cases a reboot, in order to recover.

Background

Affected versions of CSSM On-Prem set the device registration ID certificate (ID cert) expiration date incorrectly when a device is initially registered or when the user manually renews the registration on the device. Normal device ID certs expire one year from the date the device is registered or renewed. Affected versions of CSSM On-Prem erroneously set the expiration date to 90 days. Under normal conditions, registered devices automatically renew their ID cert six months before expiry and the ID cert expiration is extended to one year from the renewal date. On devices with affected ID certs, the automatic renewal fails since the ID cert has already expired when the device's software agent first attempts the automatic renewal. Devices with affected ID certs must be manually renewed every 90 days or the ID cert will expire and the device will revert to an unlicensed state.

Problem Symptom

A registered device will enter an unlicensed state if the ID cert is allowed to expire. Device behavior in the unlicensed state (that is, due to ID cert expiry) varies from product to product. For details on your particular product, complete these steps:

Go to the Cisco Smart Licensing page.
Click View Smart-Enabled Product Families.
From the Behaviors drop-down list, look in the Authorization Expired (failure to communicate) row.

Many products continue to function normally and produce syslog messages to indicate the ID cert has expired. Some products will disable licensed features. Severe symptoms are observed in these two specific Cisco product families:

Cisco Adaptive Security Virtual Appliance (ASAv) products that run software earlier than Version 9.14(1) reboot daily until the affected ID cert is renewed.
Cisco Integrated Services Virtual Router (ISRv) and Cisco Cloud Services Router 1000v products enter the feature restricted mode which requires a full system reboot to recover.

The problem might also be observed in affected versions of CSSM On-Prem in the System Log. In order to view the System Log, complete these steps:

In the CSSM On-Prem admin portal, click Support Center.
Click Download All Logs.
In the Select a Log to View drop-down list, choose System Log.
In the Search Log Text field, enter expiry_date.
Click Search.
Choose any one of the resulting device registration log entries and look for "retry_interval". A retry_interval of "-1" indicates that the ID Cert expiry date is less than the start date and the system is affected by this problem.

This example is a device registration log entry from an affected CSSM On-Prem system. Note the retry_interval in boldface.

Jun 28 04:17:56 ha-10 179298c50953: <Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/"><Body><response encodingStyle=""><![CDATA[{"signature":{"type":"SHA256","value":"I6WUJJTBeX2SWzjNuDerwpZweF/TpVsWcYRtNu/vao2Wh6Cp0b3s0NUB0ipKWNjz\nLcbY2TVF1MhK48s9YDSxOx+/WOFmAiup90B+s7FQM53hyPcUJKTTbpMuQbwqTI9l\nF+ZWIrF9frM3gdRVW2PhzvmvRRc7p15O0bRL9v6qfQXBkZ0JtdQtnLLZTxdld7JH\nGUhFuEUhK4CwMTINiefOQaf+9yFqEXn0OEsGdhX9Ip6PTCm16BkG+XxI61K12hfy\nk7lBkEocwJNu5U+so4lkpDP7LLCqOTSYMf287DsOgGbyF24mXxSu59k9v9AdQFEG\nbhXV/uD/LUsdspTRSXQYEA=="},"response":"{\"header\":{\"request_type\":\"ENTITLEMENT\",\"sudi\":{\"udi_pid\":\"CSR1000V\",\"udi_serial_number\":\"9LZ966424N6\"},\"version\":\"1.3\",\"locale\":\"en_US.UTF-8\",\"signing_cert_serial_number\":\"2313210\",\"id_cert_serial_number\":\"150177\",\"product_instance_identifier\":\"a95d115d-d18e-45a0-97bb-eea90282ba5f\",\"connect_info\":{\"name\":\"C_agent\",\"version\":\"4.6.7_rel/98\",\"production\":true,\"capabilities\":[\"DLC\",\"AppHA\",\"MULTITIER\",\"EXPORT_2\"]}},\"status_code\":\"OK\",\"status_message\":\"OK\",\"response_data\":\"{\\\"compliance_status\\\":\\\"OOC\\\",\\\"product_instance_identifier\\\":\\\"a95d115d-d18e-45a0-97bb-eea90282ba5f\\\",\\\"nonce\\\":\\\"6243579629562031260\\\",\\\"sudi\\\":{\\\"udi_pid\\\":\\\"CSR1000V\\\",\\\"udi_serial_number\\\":\\\"9LZ966424N6\\\"},\\\"start_date\\\":1593317756179,\\\"expiry_date\\\":1592396589586,\\\"retry_interval\\\":-1,\\\"messages\\\":[{\\\"name\\\":\\\"regid.2014-05.com.cisco.ax_100M,1.0_2fff5ed6-e23c-455d-ade3-83ba3c8ed890\\\",\\\"version\\\":\\\"1.0\\\",\\\"vendor_string\\\":\\\"2fff5ed6-e23c-455d-ade3-83ba3c8ed890\\\",\\\"compliance_status\\\":\\\"OOC\\\",\\\"display_name\\\":\\\"CSR 1KV AX 100M\\\",\\\"description\\\":\\\"CSR 1KV AX 100M\\\",\\\"info_message\\\":\\\"\\\",\\\"subscription\\\":null}],\\\"pool_name\\\":\\\"Default\\\",\\\"hostname\\\":\\\"CSR35\\\",\\\"ip_address\\\":null,\\\"validation_context\\\":null,\\\"errors\\\":{}}\"}"}]]></response><result>succeeded</result></Body></Envelope>

Workaround/Solution

Customers are strongly encouraged to upgrade their CSSM On-Prem to Version 8-202006 or later. Version 8-202006 contains a fix for the ID cert problem. CSSM On-Prem Version 8-202006 or later will automatically renew unexpired device ID certs and correct the expiration interval to one year.

An alternate workaround is to manually renew the ID cert on each device at least every 90 days to prevent expiration of the ID cert. The ID cert is renewed on a registered device with the license smart renew id CLI command.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

If you open a service request on Cisco.com, be sure to choose Open New Case -> Software Licensing -> OnPrem CSSM (Satellite)

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)

This Document Applies to These Products

Smart Software Manager