THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
1.0 |
03-Aug-20 |
Initial Release |
Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|---|
NON-IOS |
Smart Software Manager satellite |
7 |
7-201910 |
Cisco Smart Software Manager On-Prem versions 7-201910 and 7-202001 are affected |
NON-IOS |
Smart Software Manager satellite |
8 |
8-202004 |
Cisco Smart Software manager On-Prem version 8-202004 is affected |
Defect ID | Headline |
---|---|
CSCvu49664 | Smart Licensing Satellite Returning Expired ID Cert |
Devices registered to Cisco Smart Software Manager On-Prem (CSSM On-Prem) might incorrectly revert to an unlicensed state before their registration authorization would normally expire. Affected devices require manual intervention, in some cases a reboot, in order to recover.
Affected versions of CSSM On-Prem set the device registration ID certificate (ID cert) expiration date incorrectly when a device is initially registered or when the user manually renews the registration on the device. Normal device ID certs expire one year from the date the device is registered or renewed. Affected versions of CSSM On-Prem erroneously set the expiration date to 90 days. Under normal conditions, registered devices automatically renew their ID cert six months before expiry and the ID cert expiration is extended to one year from the renewal date. On devices with affected ID certs, the automatic renewal fails since the ID cert has already expired when the device's software agent first attempts the automatic renewal. Devices with affected ID certs must be manually renewed every 90 days or the ID cert will expire and the device will revert to an unlicensed state.
A registered device will enter an unlicensed state if the ID cert is allowed to expire. Device behavior in the unlicensed state (that is, due to ID cert expiry) varies from product to product. For details on your particular product, complete these steps:
Many products continue to function normally and produce syslog messages to indicate the ID cert has expired. Some products will disable licensed features. Severe symptoms are observed in these two specific Cisco product families:
The problem might also be observed in affected versions of CSSM On-Prem in the System Log. In order to view the System Log, complete these steps:
This example is a device registration log entry from an affected CSSM On-Prem system. Note the retry_interval in boldface.
Jun 28 04:17:56 ha-10 179298c50953: <Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/"><Body><response encodingStyle=""><![CDATA[{"signature":{"type":"SHA256","value":"I6WUJJTBeX2SWzjNuDerwpZweF/TpVsWcYRtNu/vao2Wh6Cp0b3s0NUB0ipKWNjz\nLcbY2TVF1MhK48s9YDSxOx+/WOFmAiup90B+s7FQM53hyPcUJKTTbpMuQbwqTI9l\nF+ZWIrF9frM3gdRVW2PhzvmvRRc7p15O0bRL9v6qfQXBkZ0JtdQtnLLZTxdld7JH\nGUhFuEUhK4CwMTINiefOQaf+9yFqEXn0OEsGdhX9Ip6PTCm16BkG+XxI61K12hfy\nk7lBkEocwJNu5U+so4lkpDP7LLCqOTSYMf287DsOgGbyF24mXxSu59k9v9AdQFEG\nbhXV/uD/LUsdspTRSXQYEA=="},"response":"{\"header\":{\"request_type\":\"ENTITLEMENT\",\"sudi\":{\"udi_pid\":\"CSR1000V\",\"udi_serial_number\":\"9LZ966424N6\"},\"version\":\"1.3\",\"locale\":\"en_US.UTF-8\",\"signing_cert_serial_number\":\"2313210\",\"id_cert_serial_number\":\"150177\",\"product_instance_identifier\":\"a95d115d-d18e-45a0-97bb-eea90282ba5f\",\"connect_info\":{\"name\":\"C_agent\",\"version\":\"4.6.7_rel/98\",\"production\":true,\"capabilities\":[\"DLC\",\"AppHA\",\"MULTITIER\",\"EXPORT_2\"]}},\"status_code\":\"OK\",\"status_message\":\"OK\",\"response_data\":\"{\\\"compliance_status\\\":\\\"OOC\\\",\\\"product_instance_identifier\\\":\\\"a95d115d-d18e-45a0-97bb-eea90282ba5f\\\",\\\"nonce\\\":\\\"6243579629562031260\\\",\\\"sudi\\\":{\\\"udi_pid\\\":\\\"CSR1000V\\\",\\\"udi_serial_number\\\":\\\"9LZ966424N6\\\"},\\\"start_date\\\":1593317756179,\\\"expiry_date\\\":1592396589586,\\\"retry_interval\\\":-1,\\\"messages\\\":[{\\\"name\\\":\\\"regid.2014-05.com.cisco.ax_100M,1.0_2fff5ed6-e23c-455d-ade3-83ba3c8ed890\\\",\\\"version\\\":\\\"1.0\\\",\\\"vendor_string\\\":\\\"2fff5ed6-e23c-455d-ade3-83ba3c8ed890\\\",\\\"compliance_status\\\":\\\"OOC\\\",\\\"display_name\\\":\\\"CSR 1KV AX 100M\\\",\\\"description\\\":\\\"CSR 1KV AX 100M\\\",\\\"info_message\\\":\\\"\\\",\\\"subscription\\\":null}],\\\"pool_name\\\":\\\"Default\\\",\\\"hostname\\\":\\\"CSR35\\\",\\\"ip_address\\\":null,\\\"validation_context\\\":null,\\\"errors\\\":{}}\"}"}]]></response><result>succeeded</result></Body></Envelope>
Customers are strongly encouraged to upgrade their CSSM On-Prem to Version 8-202006 or later. Version 8-202006 contains a fix for the ID cert problem. CSSM On-Prem Version 8-202006 or later will automatically renew unexpired device ID certs and correct the expiration interval to one year.
An alternate workaround is to manually renew the ID cert on each device at least every 90 days to prevent expiration of the ID cert. The ID cert is renewed on a registered device with the license smart renew id CLI command.
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
If you open a service request on Cisco.com, be sure to choose Open New Case -> Software Licensing -> OnPrem CSSM (Satellite)
My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.
Unleash the Power of TAC's Virtual Assistance