The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes how to work with Cisco Smart Licensing (cloud-based system) to manage software licenses on Catalyst switches.
Cisco Smart Licensing is a cloud-based unified license management system that manages all of the software licenses across Cisco products. It enables you to purchase, deploy, manage, track, and renew Cisco Software licenses. It also provides information about license ownership and consumption through a single user interface
The solution is comprised of online Smart Accounts (at Cisco Smart Licensing Portal) used to track Cisco software assets and the Cisco Smart Software Manager (CSSM), which is used to manage the Smart Accounts. CSSM is where all licensing management-related tasks, such as registering, de-registering, moving, and transferring licenses can be performed. Users can be added and given access and permissions to the smart account and specific virtual accounts.
To learn more about Cisco Smart Licensing, visit:
a) Cisco Smart Licensing home page
b) Cisco Community - On-Demand Trainings
For more information on the new Smart Licensing using Policy method in Cisco IOS® XE 17.3.2 and later, visit Smart Licensing using Policy on Catalyst Switches.
New to Smart Licensing and/or Smart Account administration? Visit and sign up for the new administrator training course and recording:
Cisco Community - Get Smart with Cisco Smart Accounts/Smart Licensing and My Cisco Entitlements.
Smart accounts can be created here: Smart Accounts
Smart accounts can be managed here: Smart Software Licensing
There are multiple methods in deploying Cisco Smart Licensing that can be leveraged depending on a company’s security profile such as:
Cisco products send usage information directly over the Internet securely using HTTPS. No additional components are needed.
Cisco products send usage information through an HTTP proxy server securely using HTTPS. An existing proxy server can be used or this can be deployed through the Cisco Transport Gateway (click here for some additional information).
Cisco products send usage information to an on-premise server instead of directly over the internet. Once a month the server reaches out over the internet for all devices via HTTPS or can be manually transferred to synchronize its database. CSSM On-prem (Satellite) is available as a Virtual Machine (VM) and can be downloaded here. For additional information, visit Smart Software Manager Satellite page.
There are two methods to convert a legacy license, like Right-To-Use (RTU) or Product Activation Key (PAK) to a Smart License. For details on which method needs to be followed, refer to the relevant release notes and/or configuration guide for the specific Cisco device.
Cisco Smart Software Manager (CSSM) Method:
1. Log in to Cisco Smart Software Manager (CSSM) at https://software.cisco.com/.
2. Navigate to Smart Software Licensing > Convert to Smart Licensing.
3. Choose Convert PAK or Convert Licenses.
4. To convert a PAK license, locate the license in this table. To convert a non-PAK license, use the License Conversion Wizard for step-by-step directions.
Location of known PAK files associated with Account:
Location of "License Conversion Wizard" link:
5. Locate the Desired License and Product combination.
6. Click (under Actions): Convert to Smart Licensing.
7. Choose virtual account, license, and click Next.
8. Review Selections, then click Convert Licenses.
License Registration Portal (LRP) Method:
1. Log in to the License Registration Portal (LRP) https://slexui.cloudapps.cisco.com/SWIFT/LicensingUI/Home/a>
2. Navigate to Devices > Add Devices.
3. Enter the proper Product Family and Unique Device Identifier (UDI) product ID and serial number, then click Ok. UDI information can be obtained from show version or show inventory taken from the command line interface (CLI) of the Cisco device.
4. Choose the added device and Convert Licenses to Smart Licensing.
5. Assign to proper Virtual Account, choose licenses to convert and click Submit.
Tip: LRP tool can also be used by looking up the license/product family on the PAKs or Tokens tab. Click the circle drop down next to the PAK/Token and choose Convert to Smart Licensing:
The Global Licensing Operations department can be reached here at our worldwide contact centers.
Like other Catalyst 9000 models, the Catalyst 9500 High Performance models were enabled with Smart Licensing in the Cisco IOS XE version 16.9 train and onwards. For the Catalyst 9500 High Performance models, however, each model had its own specific license entitlement tag. It was decided later, by the product and marketing teams, to unify the C9500 platforms entitlement tags. This decision changed the behavior on the C9500 High Performance models from using specific entitlement tags to generic C9500 licenses.
This change in behavior is documented in these defects:
Here is the before and after of the above-mentioned changes license changes for C9500 High Performance models:
Each C9600 High Performance model has its own entitlement tags.
Model | License |
C9500-32C |
C9500 32C NW Essentials C9500 32C NW Advantage C9500 32C DNA Essentials C9500 32C DNA Advantage |
C9500-32QC |
C9500 32QC NW Essentials C9500 32QC NW Advantage C9500 32QC DNA Essentials C9500 32QC DNA Advantage |
C9500-24Y4C |
C9500 24Y4C NW Essentials C9500 24Y4C NW Advantage C9500 24Y4C DNA Essentials C9500 24Y4C DNA Advantage |
C9500-48Y4C |
C9500 48Y4C NW Essentials C9500 48Y4C NW Advantage C9500 48Y4C DNA Essentials C9500 48Y4C DNA Advantage |
Note: Cisco IOS XE versions 16.12.1 and 16.12.2 have defects Cisco bug ID CSCvp30661 and Cisco bug ID CSCvt01955. These defects are addressed in 16.12.3a and later.
Catalyst 9500 High Performance platforms now use generic network license tags and separate DNA license tags. This table shows the entitlements changes that are highlighted in Cisco IOS XE version 16.12.3 and later:
Model | License |
C9500-32C |
C9500 Network Essentials C9500 Network Advantage C9500 32C DNA Essentials C9500 32C DNA Advantage |
C9500-32QC |
C9500 Network Essentials C9500 Network Advantage C9500 32QC DNA Essentials C9500 32QC DNA Advantage |
C9500-24Y4C |
C9500 Network Essentials C9500 Network Advantage C9500 24Y4C DNA Essentials C9500 24Y4C DNA Advantage |
C9500-48Y4C |
C9500 Network Essentials C9500 Network Advantage C9500 48Y4C DNA Essentials C9500 48Y4C DNA Advantage |
Note: Upgrades from Cisco IOS XE versions 16.12.1 and 16.12.2 display this license behavior. Upgrades from Cisco IOS XE versions 16.9.x ,16.10.x, 16.11.x to 16.12.3 recognize old license configurations.
1. Why does Cisco support allocate a generic network license, when my device is consuming a device-specific network license?
Generic tags are provided as they are the right entitlement tags for the network device. This allows usage of the entitlement tags across the entire Cat9500 platform, not just the specific C9500 high performance models. Pre-16.12.3 images that ask for device-specific license tags are in compliance with the generic license tags as the more specific licenses fall under the generic licenses in the licensing hierarchy.
2. Why do two network tags sometimes show up in the Smart Account?
This behavior is due to the licensing hierarchy and happens when the device is running on an older image that utilizes device-specific licensing tags. Older images that ask for device-specific license tags are in compliance with the generic license tags as the more specific tags fall under the generic licenses in the licensing hierarchy.
Exact procedure on how to configure Smart Licensing can be found in System Management Configuration Guide available for each release / platform.
For example: System Management Configuration Guide, Cisco IOS XE Fuji 16.9.x (Catalyst 9300 Switches)
Before registering device, a token needs to be generated. The registration token, also known as the device id token, is a unique token generated from the smart licensing portal or Cisco Smart Software Manager on-prem when initially registering a Cisco device to the corresponding smart account. An individual token can be used to register multiple Cisco devices depending on the parameters used during creation.
The registration token is also only required during initial registration of a Cisco device as it provides the information to the device to call-home to the Cisco back end and be tied to the correct Smart Account. After the Cisco device is registered, the token is no longer required.
For more information in regard to registration tokens and how they are generated, click here for a general guide. For more details, please refer to the configuration guide for the specific Cisco device.
While deploying and configuring Smart Licensing, there are multiple possible states that a Cisco device can be in. These states can be displayed by looking at show license all or show license status from the Command Line Interface (CLI) of the Cisco device.
Here is a list of all states and their description:
Starting in 16.9.1 for switches and 16.10.1 for routers, a default Call-home profile named CiscoTAC-1 is generated to assist with migrating to Smart Licensing. By default, this profile is set up for the Direct Cloud Access method.
#show call-home profile CiscoTAC-1 Profile Name: CiscoTAC-1 Profile status: ACTIVE Profile mode: Full Reporting Reporting Data: Smart Call Home, Smart Licensing Preferred Message Format: xml Message Size Limit: 3145728 Bytes Transport Method: http HTTP address(es): https://tools.cisco.com/its/service/oddce/services/DDCEService Other address(es): default <snip>
When utilizing a Cisco Smart Software Manager on-premise server, the destination address under the active call-home configuration must point to it (case-sensitive!):
(config)#call-home
(cfg-call-home)#profile "CiscoTAC-1"
(cfg-call-home-profile)#destination address http https://<IP/FQDN>/Transportgateway/services/DeviceRequestHandler
DNS is required to resolve tools.cisco.com. If DNS server connectivity is in a VRF, ensure that the proper source-interface and VRF are defined:
Global Routing Table Used:
(config)#ip domain-lookup [source-interface <INTERFACE>]
(config)#ip name-server <IP>
VRF Routing Table Used:
(config)#ip domain-lookup [source-interface <INTERFACE>] <<-- "ip vrf forwarding <VRF-NAME>" defined on the interface
(config)#ip name-server vrf <VRF-NAME> <SERVER-IP>
Alternatively, if DNS is not available, statically configure local DNS to IP mapping (based on local DNS resolution on your end-device), or replace DNS name in call-home configuration with IP address. Refer to example for direct cloud access (for Cisco Smart Software Manager on-prem use its own DNS name instead of tools.cisco.com):
(config)#ip host tools.cisco.com <x.x.x.x>
If communication to tools.cisco.com needs to be originated from the interface in a specific VRF (for example, Mgmt-vrf), then this CLI must be configured:
(config)#ip http client source-interface <VRF_INTERFACE>
A different number of licenses can be consumed based on the configuration of the Cisco device, such as with Catalyst switches that run in StackWise or StackWise Virtual:
Traditional Stack-wise Supported Switches (for example, Catalyst 9300 series):
Network License: 1 license is consumed per switch in the stack
DNA License: 1 license is consumed per switch in the stack
Modular Chassis (for example, Catalyst 9400 series):
Network License: 1 license is consumed per supervisor in the chassis
DNA License: 1 license is consumed per chassis
Fixed Stack-wise Virtual Supported Switches (for example, Catalyst 9500 series):
Network License: 1 license is consumed per switch in the stack
DNA License: 1 license is consumed per switch in the stack
How to Manually Import Certification as a TrustPoint:
The certificate will need be in a BASE64 format to be copied and pasted onto the device as a TrustPoint.
The following example shown below uses "LicRoot" as the TrustPoint name, however, this name can be changed as desired.
Device#conf t
Device(config)#crypto pki trustpoint LicRoot
Device(ca-trustpoint)#enrollment terminal
Device(ca-trustpoint)#revocation-check none
Device(ca-trustpoint)#exit
Device(config)#crypto pki authenticate LicRoot
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
Certificate has the following attributes:
Fingerprint MD5: XXXXXXXX
Fingerprint SHA1: XXXXXXX
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
When using the Transport Gateway HTTP Proxy, the IP address must be changed from tools.cisco.com to the Proxy like this example:
FROM
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
TO
destination address http https://<TransportGW-IP_Address>:<port_number>/Transportgateway/services/DeviceRequestHandler
The Transport Gateway IP address can found by navigating to the HTTP Settings and looking under the HTTP Service URLs on the Cisco Transport Gateway GUI.
For more information, see the configuration guide for the Cisco Transport Gateway here.
When you migrate a Cisco device to a Smart Licensing-enabled software version, you can use this flowchart as a general guide for all three methods (Direct Cloud Access, HTTPS Proxy, and Cisco Smart Software Manager On-prem).
Device Upgraded or Shipped with software release that supports Smart Licensing (refer to section 1.3 for list of supported Cisco IOS XE releases).
These steps to troubleshoot mainly concentrate on a scenario in which the device fails to register.
After initial configuration, in order to enable Smart Licensing, Token, which is generated on CSSM / Cisco Smart Software Manager on-prem, needs to be registered on the device via CLI:
license smart register idtoken <TOKEN>
This action generates these events:
! Smart licensing process starts
!
Registration process is in progress. Use the 'show license status' command to check the progress and result !
! Crypto key is automatically generated for HTTPS communication
!
Generating 2048 bit RSA keys, keys will be exportable... [OK] (elapsed time was 1 seconds) %CRYPTO_ENGINE-5-KEY_ADDITION: A key named SLA-KeyPair has been generated or imported by crypto-engine %PKI-4-NOCONFIGAUTOSAVE: Configuration was modified. Issue "write memory" to save new IOS PKI configuration !
! Call-home start registration process
! %CALL_HOME-6-SCH_REGISTRATION_IN_PROGRESS: SCH device registration is in progress. Call-home will poll SCH server for registration result. You can also check SCH registration status with "call-home request registration-info" under EXEC mode. !
! Smart Licensing process connects with CSSM and check entitlement.
! %SMART_LIC-6-EXPORT_CONTROLLED: Usage of export controlled features is allowed %SMART_LIC-6-AGENT_REG_SUCCESS: Smart Agent for Licensing Registration with the Cisco Smart Software Manager or satellitefor udi PID:<PID>,SN:<SN> %SMART_LIC-4-CONFIG_NOT_SAVED: Smart Licensing configuration has not been saved %SMART_LIC-5-IN_COMPLIANCE: All entitlements and licenses in use on this device are authorized %SMART_LIC-6-AUTH_RENEW_SUCCESS: Authorization renewal with the Cisco Smart Software Manager or satellite. State=authorized for udi PID:<PID>,SN:<SN>
To check call-home configuration, run this CLI:
#show call-home profile all Profile Name: CiscoTAC-1 Profile status: ACTIVE Profile mode: Full Reporting Reporting Data: Smart Call Home, Smart Licensing Preferred Message Format: xml Message Size Limit: 3145728 Bytes Transport Method: http HTTP address(es): https://tools.cisco.com/its/service/oddce/services/DDCEService Other address(es): default Periodic configuration info message is scheduled every 1 day of the month at 09:15 Periodic inventory info message is scheduled every 1 day of the month at 09:00 Alert-group Severity ------------------------ ------------ crash debug diagnostic minor environment warning inventory normal Syslog-Pattern Severity ------------------------ ------------ APF-.-WLC_.* warning .* major
To check Smart Licensing status, run this CLI:
#show license summary Smart Licensing is ENABLED Registration: Status: REGISTERED Smart Account: TAC Cisco Systems, Inc. Virtual Account: Krakow LAN-SW Export-Controlled Functionality: ALLOWED Last Renewal Attempt: None Next Renewal Attempt: Nov 22 21:24:32 2019 UTC License Authorization: Status: AUTHORIZED Last Communication Attempt: SUCCEEDED Next Communication Attempt: Jun 25 21:24:37 2019 UTC License Usage: License Entitlement tag Count Status ----------------------------------------------------------------------------- C9500 Network Advantage (C9500 Network Advantage) 1 AUTHORIZED C9500-DNA-40X-A (C9500-40X DNA Advantage) 1 AUTHORIZED
If the device fails to register (and if Status is different from REGISTERED), Out-of-Compliance points to an issue on CSSM such as missing license in Smart Virtual Account, incorrect mapping (for example, a token from a different virtual account was used where licenses are not available), and so on.
Check these items:
1. Verify configuration settings and common failure scenarios.
Refer to section 2.1 for basic configuration steps. Also, look at section 5 for common failure scenarios observed in the field.
2. Check basic connectivity.
Verify that the device can reach (and open the TCP port) to tools.cisco.com (in case of direct access) or to Cisco Smart Software Manager on-premise server:
#show run all | in destination address http destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService ! ! check connectivity ! #telnet tools.cisco.com 443 /source-interface gi0/0 Trying tools.cisco.com (x.x.x.x, 443)... Open [Connection to tools.cisco.com closed by foreign host]
If these commands do not work, double-check your routing rules, source-interface, and firewall settings.
Note: The HTTP (TCP/80) is being deprecated and the recommended protocol is HTTPS (TCP/443).
Refer to section: 3. Considerations and Caveats in this document for further guidelines how to configure DNS and HTTP details.
3. Verify Smart License settings.
Collect the output of:
#show tech-support license
and validate collected configuration / logs (attach this output in case you decide to open Cisco TAC case for further investigation).
4. Enable debugs.
Enable these debugs to collect additional information about the Smart Licensing process.
Note: After enabling debugs, you need to try to register the license once again via CLi as mentioned in point 4.1.
#debug call-home smart-licensing [all | trace | error] #debug ip http client [all | api | cache | error | main | msg | socket]
For internal debugs, enable and read binary traces:
! enable debug #set platform software trace ios [switch] active R0 infra-sl debug ! ! read binary traces infra-sl process logs #show platform software trace message ios [switch] active R0
This section describes some common failure scenarios that could be experienced during or after a Cisco device registration:
Snip of "show license all":
Registration:
Status: UNREGISTERED - REGISTRATION FAILED
Export-Controlled Functionality: NotAllowed
Initial Registration: FAILED on Oct 22 14:25:31 2018 EST
Failure reason: Product Already Registered
Next Registration Attempt: Oct 22 14:45:34 2018 EST
Next Steps:
- The Cisco device must be registered again.
- If the Cisco device is seen in the CSSM, the force parameter must be used (that is, license smart register idtoken <TOKEN> force).
Note: The failure reason can also show as:
- Failure reason: The product <X> and sudi containing udiSerialNumber:<SerialNumber>,udiPid:<Product> has already been registered.
- Failure reason: Existing Product Instance has Consumption and Force Flag is False
Snip of "show license all":
Registration:
Status: REGISTERING - REGISTRATION IN PROGRESS
Export-Controlled Functionality: NotAllowed
Initial Registration: FAILED on Oct 24 15:55:26 2018 EST
Failure reason: Your request could not be processed right now. Please try again
Next Registration Attempt: Oct 24 16:12:15 2018 EST
Next Steps:
- Enable debugs as mentioned in section 4 to get more insights on the issue.
- Generate new Token in CSSM in your Smart Licensing and take an another attempt.
Snip of "show license all":
Registration:
Status: REGISTERING - REGISTRATION IN PROGRESS
Export-Controlled Functionality: NotAllowed
Initial Registration: FAILED on Nov 1117:55:46 2018 EST
Failure reason: {"timestamp":["The device date '1526135268653' is offset beyond the allowed tolerance limit."]}
Next Registration Attempt: Nov 11 18:12:17 2018 EST
Possible Logs Seen:
%PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed. The certificate (SN: XXXXXX) is not yet valid. Validity period starts on 2018-12-12:43Z
Next Steps:
- Verify that the Cisco device clock is showing the correct time (show clock).
- Configure the Network Time Protocol (NTP), if possible, to ensure the clock is set correctly.
- If NTP is not possible, verify that the manually set clock (clock set) is correct (show clock) and configured as a trusted time source by verifying that clock calendar-valid is configured
Note: By default, the system clock is not trusted. Clock calendar-valid is required.
Snip of "show license all":
Registration: Status: UNREGISTERED - REGISTRATION FAILED
Export-Controlled Functionality: Not Allowed
Initial Registration: FAILED on Mar 09 21:42:02 2019 CST
Failure reason: Communication transport not available.
Possible Logs Seen:
%CALL_HOME-3-CALL_HOME_FAILED_TO_ENABLE: Failed to enable call-home from Smart Agent for Licensing: The command failed to enable smart call home due to an existing active user profile. If you are using a user profile other than CiscoTAC-1 profile to send data to SCH server in Cisco, enter reporting smart-licensing-data under profile mode to configure that profile for smart licensing. For more details about SCH, check http://www.cisco.com/go/
%SMART_LIC-3-AGENT_REG_FAILED: Smart Agent for Licensing Registration with the Cisco Smart Software Manager or satellite failed: Communication transport not available.
%SMART_LIC-3-COMM_FAILED: Communications failure with the Cisco Smart Software Manager or satellite: Communication transport not available.
Next Steps:
- Verify that call-home is enabled with service call-home in the show running-config output of the Cisco device.
- Ensure that the correct call-home profile is active.
- Verify that reporting smart-licensing-data is configured under the active call-home profile.
Snip of "show license all":
License Authorization:
Status: OUT OF COMPLIANCE on Jul 26 09:24:09 2018 UTC
Last Communication Attempt: FAILED on Aug 02 14:26:23 2018 UTC
Failure reason: Fail to send out Call Home HTTP message.
Next Communication Attempt: Aug 02 14:26:53 2018 UTC
Communication Deadline: Oct 25 09:21:38 2018 UTC
Possible logs are seen:
%CALL_HOME-5-SL_MESSAGE_FAILED: Fail to send out Smart Licensing message to: https://<ip>/its/service/oddce/services/DDCEService (ERR 205 : Request Aborted)
%SMART_LIC-3-COMM_FAILED:Communications failure with the Cisco Smart Software Manager or satellite: Fail to send out Call Home HTTP message.
%SMART_LIC-3-AUTH_RENEW_FAILED:Authorization renewal with the Cisco Smart Software Manager or satellite: Communication message send error for udi PID:XXX, SN: XXX
Next Steps:
- Verify that the Cisco device can ping tools.cisco.com.
- If DNS is not configured, configure a DNS server or a ip host statement for the local nslookup IP for tools.cisco.com.
- Attempt to telnet from the Cisco device to tools.cisco.com on TCP port 443 (port used by HTTPS).
- Verify that the HTTPs client source interface is defined and correct.
- Verify that the URL/IP in the call home profile is set correctly on the Cisco device via show call-home profile all.
- Verify the ip route is pointing to the correct next hop.
- Ensure TCP port 443is not being blocked on the Cisco device, the path to Smart Call Home Server, or the Cisco Smart Software Manager on-prem (satellite).
- Ensure that the correct Virtual Routing and Forwarding (VRF) instance is configured under call-home, if applicable.
This behavior is seen when working with a CSSM on-premise server that has had its crypto certificate expire as documented in Cisco bug ID CSCvr41393. This is expected behavior as the CSSM on-prem must be allowed to sync and renew its certificate in order to prevent a certification sync issue with any registering devices.
Snip of "show license all":
Registration:
Status: UNREGISTERED
Smart Account: Example Account
Export-Controlled Functionality: ALLOWED
License Authorization:
Status: EVAL MODE
Evaluation Period Remaining: 65 days, 18 hours, 43 minutes, 0 seconds
Possible Logs Seen:
This error is seen under show logging or show license eventlog:
SAEVT_DEREGISTER_STATUS msgStatus="LS_INVALID_DATA" error="Missing Id cert serial number field; Missing signing cert serial number field; Signed data and certificate does not match"
Next Steps:
- Verify that the Cisco device has IP connectivity to CSSM on-premise server.
- If using HTTPS, confirm the certification C-Name is being used in the devices call-home configuration.
- If a DNS server is not available to resolve the certification C-Name, configure a static ip host statement to map the domain name and IP address.
- Verify status of certificate on CSSM on-premise is still valid.
- If CSSM on-premise certificate is expired, use one of the workarounds documented in Cisco bug ID CSCvr41393
Note: By default, HTTPS performs a server identity check during the SSL handshake to verify the URL or IP is the same as the provided certificate from the server. This can cause issues when using IP addresses instead of a DNS entry if the hostname and IP do not match. If DNS is not possible, or a static ip host statement, no http secure server-identity-check can be configured to disable this certification check.
Snip of "show license all":
License Authorization:
Status: OUT OF COMPLIANCE on Jul 26 09:24:09 2018 UTC
Last Communication Attempt: PENDING on Aug 02 14:34:51 2018 UTC
Failure reason: Waiting for reply
Next Communication Attempt: Aug 02 14:53:58 2018 UTC
Communication Deadline: Oct 25 09:21:39 2018 UTC
Possible logs are seen:
%PKI-3-CRL_FETCH_FAIL: CRL fetch for trustpoint SLA-TrustPoint failed Reason : Failed to select socket. Timeout : 5 (Connection timed out)
%PKI-3-CRL_FETCH_FAIL: CRL fetch for trustpoint SLA-TrustPoint failed Reason : Failed to select socket. Timeout : 5 (Connection timed out)
Next Steps:
- To correct this issue, the SLA-TrustPoint must be configured as none under the running configuration
show running-config
<omitted>
crypto pki trustpoint SLA-TrustPoint
revocation-check none
What is a CRL?
A Certificate Revocation List (CRL) is a list of revoked certificates. The CRL is created and digitally signed by the certificate authority (CA) that originally issued the certificates. The CRL contains dates for when each certificate was issued and when it expires. Further information in regards to CRL is available here.
Snip of "show license all":
License Authorization:
Status: OUT OF COMPLIANCE on Jul 26 09:24:09 2018 UTC
Last Communication Attempt: PENDING on Aug 02 14:34:51 2018 UTC
Failure reason: Waiting for reply
Next Communication Attempt: Aug 02 14:53:58 2018 UTC
Communication Deadline: Oct 25 09:21:39 2018 UTC
Possible logs are seen:
%SMART_LIC-3-OUT_OF_COMPLIANCE: One or more entitlements are out of compliance.
Next Steps:
- Verify if Token from proper Smart Virtual Account has been used.
- Verify amount of available licenses here.
Snip of "show license all":
License Authorization:
Status: AUTHORIZED on Mar 12 09:17:45 2020 EDT
Last Communication Attempt: FAILED on Mar 12 09:17:45 2020 EDT
Failure reason: Data and signature do not match
Next Communication Attempt: Mar 12 09:18:15 2020 EDT
Communication Deadline: May 09 21:22:43 2020 EDT
Possible logs are seen:
%SMART_LIC-3-AUTH_RENEW_FAILED: Authorization renewal with the Cisco Smart Software Manager (CSSM) : Error received from Smart Software Manager: Data and signature do not match for udi PID:C9000,SN:XXXXXXXXXXX
Next Steps:
- Deregister the switch with License smart deregister.
- Then register the switch using a new token with license smart register idtoken <TOKEN> force.
1) Cisco Smart Licensing home page
2) Cisco Community - On-Demand Trainings.
3) Smart Account - management portal: Smart Software Licensing
4) Smart Account - create new accounts: Smart Accounts
5) Configuration guide (example) - System Management Configuration Guide, Cisco IOS XE Fuji 16.9.x (Catalyst 9300 Switches)
Revision | Publish Date | Comments |
---|---|---|
4.0 |
09-Jul-2024 |
Updated Branding Requirements, Style Requirements, Machine Translation, Gerunds, Hyperlinks, and Formatting. |
3.0 |
25-May-2023 |
Updated Branding Requirements, Style Requirements, Machine Translation, Gerunds, and Formatting. |
2.0 |
11-May-2022 |
Edited the title. Removed section numbers. Changed some IP addresses to use placeholder text ("x.x.x.x"). |
1.0 |
31-May-2019 |
Initial Release |