CISCO, NGFW

FMC and FTD Smart License Registration and Troubleshooting

Introduction

This document describes the Smart License registration configuration on the Firepower Management Center (FMC) for Firepower Threat Defense (FTD) managed devices. It also covers various troubleshooting scenarios.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

FMC, FTD and Smart License

Smart License registration is performed on the FMC. The FMC communicates with the Cisco Smart Software Manager (CSSM) portal over the Internet. In the CSSM the firewall administrator manages the Smart Account and its licenses. The FMC can freely assign and delete licenses to the managed FTD devices. In other words, FMC centrally manages licenses for FTD devices.

215838 fmc and ftd smart license registration a 00

An additional license is required to use certain features of FTD devices. The types of Smart Licenses you can assign to an FTD device are documented in FTD License Types and Restrictions.

The base license is included in the FTD device, and this license is automatically registered in your smart account when the FMC is registered to SSM.

The term-based licenses Threat, Malware, URL Filtering are optional. If you want to use features related to a license, a license needs to be assigned to the FTD device.

When you use a Firepower Management Center Virtual (FMCv) for the FTD management, a Firepower MCv Device License in SSM is also needed for the FMCv. The FMCv license is included in the software, and it is perpetual.

For more details about licenses check Cisco Firepower System Feature Licenses and Frequently Asked Questions (FAQ) about Firepower Licensing.

FMC Smart License Registration

Prerequisites

1. For the Smart License registration, the FMC must be able to access the Internet. Also, because the certificate is exchanged between the FMC and the license cloud using HTTPS, ensure that there is no device in the path that can affect/modify the communication. (e.g. Firewall, Proxy, SSL Decryption device, etc).

2. Access the CSSM and issue a Token ID from Inventory > General > New Token button.

215838 fmc and ftd smart license registration a 01

If you want to use strong encryption you must enable the Allow export-controlled functionality on the products registered with this token option.

215838 fmc and ftd smart license registration a 02

FMC Smart License Registration

From the System> Licenses > Smart Licenses on FMC, select the Register button.

215838 fmc and ftd smart license registration a 03

Enter the Token ID in the Smart Licensing Product Registration window and select Apply Changes.

215838 fmc and ftd smart license registration a 04

If the Smart License registration is successful, the Product Registration status shows Registered.

215838 fmc and ftd smart license registration a 05

To assign a term-based license to the FTD device, select Edit Licenses. Then select and add a managed device to the Devices with license section. Finally, select the Apply button.

215838 fmc and ftd smart license registration a 06

Confirmation in Smart Software Manager (SSM) side

Success of FMC Smart License registration can be confirmed from Inventory > Event Log in CSSM.

215838 fmc and ftd smart license registration a 07

The registration status of FMC can be confirmed from Inventory > Product Instances. You can also check the event log from the Event Log tab. Finally, Smart License registration and usage status can be checked from the Inventory > Licenses tab. You can verify that the term-based license you purchased is used correctly and you don’t have Alerts about insufficient licenses.

FMC Smart License De-Registration

De-register the FMC from Cisco Smart Software Manager

In case you want to release the license for some reason or use a different token you navigate to System > Licenses > Smart Licenses and select the de-register button.

215838 fmc and ftd smart license registration a 08

Remove Registration from SSM Side

From the Inventory > Product Instances, select Remove on the target FMC. Then select Remove Product Instance to remove the FMC and release the allocated licenses.

215838 fmc and ftd smart license registration a 09

Troubleshoot

Time Settings Verification

Access the FMC CLI (e.g. SSH) and ensure that the time is correct and it is synchronized with a trusted NTP server. Because the certificate is used for Smart License authentication, it is important that the FMC has correct time information:

admin@FMC:~$ date
Thu Jun 14 09:18:47 UTC 2020
admin@FMC:~$
admin@FMC:~$ ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*1.0.0.2         171.68.xx.xx     2 u  387 1024  377    0.977    0.469   0.916
 127.127.1.1     .SFCL.          13 l    -   64    0    0.000    0.000   0.000

From the FMC UI you can check the NTP server settings from System > Configuration > Time Synchronization.

Enable Name Resolution and Check Reachability to tools.cisco.com

Ensure that the FMC can resolve an FQDN and has reachability to tools.cisco.com:

> expert
admin@FMC2000-2:~$ sudo su
Password:
root@FMC2000-2:/Volume/home/admin# ping tools.cisco.com
PING tools.cisco.com (173.37.145.8) 56(84) bytes of data.
64 bytes from tools2.cisco.com (173.37.145.8): icmp_req=1 ttl=237 time=163 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_req=2 ttl=237 time=163 ms

From the FMC UI you can check the management IP and DNS server IP from System > Configuration > Management Interfaces.

Verify HTTPS (TCP 443) access from FMC to tools.cisco.com

Use telnet or curl command to ensure that the FMC has HTTPS access to tools.cisco.com. If TCP 443 communication is broken check if it is not blocked by a Firewall and that there is no SSL decryption device in the path.

root@FMC2000-2:/Volume/home/admin# telnet tools.cisco.com 443
Trying 72.163.4.38...
Connected to tools.cisco.com.
Escape character is '^]'.
^CConnection closed by foreign host.                    <--- Press Ctrl+C

Curl test:

root@FMC2000-2:/Volume/home/admin# curl -vvk https://tools.cisco.com
*   Trying 72.163.4.38...
* TCP_NODELAY set
* Connected to tools.cisco.com (72.163.4.38) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=CA; L=San Jose; O=Cisco Systems, Inc.; CN=tools.cisco.com
*  start date: Sep 17 04:00:58 2018 GMT
*  expire date: Sep 17 04:10:00 2020 GMT
*  issuer: C=US; O=HydrantID (Avalanche Cloud Corporation); CN=HydrantID SSL ICA G2
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: tools.cisco.com
> User-Agent: curl/7.62.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 17 Jun 2020 10:28:31 GMT
< Last-Modified: Thu, 20 Dec 2012 23:46:09 GMT
< ETag: "39b01e46-151-4d15155dd459d"
< Accept-Ranges: bytes
< Content-Length: 337
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
< Access-Control-Allow-Headers: Content-type, fromPartyID, inputFormat, outputFormat, Authorization, Content-Length, Accept, Origin
< Content-Type: text/html
< Set-Cookie: CP_GUTC=72.163.4.54.1592389711389899; path=/; expires=Mon, 16-Jun-25 10:28:31 GMT; domain=.cisco.com
< Set-Cookie: CP_GUTC=72.163.44.92.1592389711391532; path=/; expires=Mon, 16-Jun-25 10:28:31 GMT; domain=.cisco.com
< Cache-Control: max-age=0
< Expires: Wed, 17 Jun 2020 10:28:31 GMT
<
<html>
<head>
<script language="JavaScript">

var input = document.URL.indexOf('intellishield');
if(input != -1) {
 window.location="https://intellishield.cisco.com/security/alertmanager/";
}
else {
 window.location="http://www.cisco.com";
};

</script>
</head>

<body>
<a href="http://www.cisco.com">www.cisco.com</a>
</body>
</html>
* Connection #0 to host tools.cisco.com left intact
root@FMC2000-2:/Volume/home/admin#

DNS Verification

Verify that you can resolve successfully the tools.cisco.com:

root@FMC2000-2:/Volume/home/admin# nslookup tools.cisco.com
Server:         192.0.2.100
Address:        192.0.2.100#53

Non-authoritative answer:
Name:   tools.cisco.com
Address: 72.163.4.38

Proxy Verification

In case a Proxy is used, check settings on both FMC and proxy server-side. On FMC check whether the FMC uses correct proxy server IP and port.

root@FMC2000-2:/Volume/home/admin# cat /etc/sf/smart_callhome.conf 
KEEP_SYNC_ACTIVE:1
PROXY_DST_URL:https://tools.cisco.com/its/service/oddce/services/DDCEService
PROXY_SRV:192.0.xx.xx
PROXY_PORT:80

In the FMC UI the proxy settings can be confirmed from System > Configuration > Management Interfaces.

If the FMC side setting is correct, check the proxy server-side settings (e.g. whether the proxy server permits access from the FMC and to tools.cisco.com. Additionally, permit traffic and certificate exchange through the proxy. The FMC uses a certificate for the Smart License registration).

If there is a transparent proxy or a L7 FW in the path between the FMC and the license cloud, the same checks on the proxy or the L7 FW side need to be done.

Expired Token ID

Check whether the issued token ID is not expired. If it is expired, ask the smart software manager administrator to issue a new token and re-register the Smart License with the new Token ID.

Change the FMC Gateway

There are cases where Smart License authentication cannot be performed correctly due to the effects of a relay proxy or SSL decryption device. If possible, change the route for the FMC Internet access not via these devices, and try Smart License registration.

Check the Health Events on FMC

On FMC you navigate to System > Health > Events and check the status of the Smart License Monitor module for errors. For example, if the connection fails due to the expiration of the certificate, an error such as id certificated expired is generated.

215838 fmc and ftd smart license registration a 10

Check the Event Log in SSM side

If the FMC can connect to SSM, you can check the event log of the connectivity in Inventory > Event Log. Check whether there are such event logs, error logs, or not in SSM. If there is no problem with the setting/operation of the FMC site, and there is no event log on the SSM side, there is a possibility that it is a problem of the route between the FMC and the SSM.

Common Issues

Summary of Registration and Authorization States

Product Registration State Usage Authorization State Comments
Unregistered The FMC is neither in Registered nor Evaluation mode. This is the initial state after FMC installation or after 90-day Evaluation License Expiration
Registered Authorized The FMC is registered with Cisco Smart Software Manager (CSCM) and there are FTD devices registered with a valid subscription
Registered Authorization Expired FMC failed to communicate with Cisco License backend for more than 90 days
Registered Unregistered The FMC is registered with Cisco Smart Software Manager (CSCM), but there are no FTD devices registered on FMC
Registered Out-of-Compliance

The FMC is registered with Cisco Smart Software Manager (CSCM), but there are FTD devices registered with an invalid subscription(s).

e.g. An FTD (FP4112) device uses THREAT subscription, but in the with Cisco Smart Software Manager (CSCM) there are no THREAT subscriptions available for FP4112

Evaluation (90 days) N/A The evaluation period is in use, but there are no FTD devices registered on FMC

Case study 1. Invalid Token

Symptom: Registration to the CSSM fails quickly (~10s) due to invalid token

215838 fmc and ftd smart license registration a 12

Resolution: Use a valid token

Case study 2. Invalid DNS

Symptom: Registration to the CSSM failed after a while (~25s)

215838 fmc and ftd smart license registration a 13

Check the /var/log/process_stdout.log file. You can see the DNS issue:

root@FMC2000-2:/Volume/home/admin# cat /var/log/process_stdout.log
2020-06-25 09:05:21 sla[24043]: *Thu Jun 25 09:05:10.989 UTC: CH-LIB-ERROR: ch_pf_curl_send_msg[494], 
failed to perform, err code 6, err string "Couldn't resolve host name"

Resolution: CSSM hostname resolution failure. The resolution is to configure DNS if not configured or fix the DNS issues.

Case study 3. Invalid Time Settings

Symptom: Registration to the CSSM failed after a while (~25s)

215838 fmc and ftd smart license registration a 14

Check the /var/log/process_stdout.log file. You can see certificate issues:

2021-06-25 09:22:51 sla[24043]: *Fri Jun 25 09:22:39.716 UTC: CH-LIB-TRACE: ch_pf_curl_request_init[59], request "POST", url "https://tools.cisco.com/its/service/oddce/services/DDCEService"
2021-06-25 09:22:51 sla[24043]: *Fri Jun 25 09:22:39.716 UTC: CH-LIB-TRACE: ch_pf_curl_post_prepare[299], https related setting
2021-06-25 09:22:51 sla[24043]: *Fri Jun 25 09:22:39.716 UTC: CH-LIB-TRACE: ch_pf_curl_post_prepare[302], set ca info
2021-06-25 09:22:51 sla[24043]: *Fri Jun 25 09:22:39.716 UTC: CH-LIB-TRACE: ch_pf_curl_head_init[110], init msg header
2021-06-25 09:22:51 sla[24043]: *Fri Jun 25 09:22:40.205 UTC: CH-LIB-ERROR: ch_pf_curl_send_msg[494], 
failed to perform, err code 60, err string "SSL peer certificate or SSH remote key was not OK"
2021-06-25 09:22:51 sla[24043]: *Fri Jun 25 09:22:40.205 UTC: CH-LIB-TRACE: ch_pf_http_unlock[330], unlock http mutex.
2021-06-25 09:22:51 sla[24043]: *Fri Jun 25 09:22:40.205 UTC: CH-LIB-TRACE: ch_pf_send_http[365], send http msg, result 30
2021-06-25 09:22:51 sla[24043]: *Fri Jun 25 09:22:40.205 UTC: CH-LIB-TRACE: ch_pf_curl_is_cert_issue[514], 
cert issue checking, ret 60, url https://tools.cisco.com/its/service/oddce/services/DDCEService

Check the FMC time settings:

root@FMC2000-2:/Volume/home/admin# date
Fri Jun 25 09:27:22 UTC 2021

Case study 4. No Subscription

In case there is no license subscription for a specific feature the FMC deployment is not possible:

215838 fmc and ftd smart license registration a 15

Resolution: There is a need to purchase and apply to the device the required subscription.

Case study 5. Out-Of-Compliance (OOC)

In case there is no entitlement for FTD subscriptions the FMC Smart License goes to OOC state:

215838 fmc and ftd smart license registration a 16

In the CSSM check the Alerts for errors:

215838 fmc and ftd smart license registration a 17

Case study 6. No Strong Encryption

In case you use Base License only DES encryption is enabled in the FTD LINA engine. In that case deployments like L2L VPN with stronger algorithms fail:

215838 fmc and ftd smart license registration a 18

215838 fmc and ftd smart license registration a 19

Resolution: Register the FMC to CSCM and have a Strong Encryption attribute enabled.

Additional Notes

Set Notification of Smart License State

Email notification by SSM

On the SSM side, SSM Email Notification allows you to receive summary e-mails for various events. For example, you can be notified for a lack of license or licenses that are about to expire. You can also receive notifications of product instance connection or update failure, etc.

This function is very useful in order to notice and prevent the occurrence of functional restrictions due to license expiration.

SSM-Email-Notification-01.JPG

Get Health Alert Notifications from FMC

On the FMC side, it is possible to configure a Health monitor Alert and receive an alert notification of a health event. The Module Smart License Monitor is available to check the Smart License status. The monitor alert supports Syslog, Email, and SNMP trap.

This is a configuration example to get a syslog message when a Smart License monitor event occurs:

215838 fmc and ftd smart license registration a 20

This is an example of a Health Alert:

215838 fmc and ftd smart license registration a 21

The syslog message generated by FMC:

Mar 13 18:47:10 xx.xx.xx.xx Mar 13 09:47:10 FMC : HMNOTIFY: Smart License Monitor (Sensor FMC): Severity: critical: Smart License usage is out of compliance

Refer to the Health Monitoring for additional details about the Health Monitor Alerts.

Multiple FMCs on the Same Smart Account

When you use multiple FMCs on the same smart account, each FMC hostname must be unique. When you manage multiple FMCs in SSM in order to distinguish each FMC, the hostname of the each FMC must be unique. This is useful for FMC Smart License maintenance in operation.

FMC Must Maintain Internet Connectivity

After registration, FMC checks the license cloud and license status once every 30 days. If the FMC cannot communicate for 90 days, the licensed function is maintained, but it remains in Authorization Expired status. Even in this state, FMC tries continuously to connect to the license cloud.

Deploy Multiple FMCv

When Firepower System is used in a virtual environment, clone (hot or cold) is not officially supported. Each Firepower Management Center virtual (FMCv) is unique because it has authentication information inside. If you want to deploy multiple FMCv, the FMCv must be created from the OVF file one by one. For more information about this limitation, refer to the Cisco Firepower Management Center Virtual for VMware Deployment Quick Start Guide.

Frequently Asked Questions (FAQ)

In FTD HA, how many device licenses are required?

When you use two FTDs in High Availability, a license is required for each device. For example, two threat and malware licenses are needed if you use the IPS and AMP feature on the FTD HA pair.

Why AnyConnect licenses are not being consumed by FTD?
After FMC registration to the Smart Account, ensure that you enable the AnyConnect License. To enable the license you navigate toFMC > Devices, choose your device, and select License. Select the  Pencil icon, choose the license which you have deposited in your Smart Account and Save.

 

Why only 1 AnyConnect license is ‘In Use’ in the Smart Account when 100 users are connected?

This is expected behavior, as Smart Account tracks the amount of the devices which have this license enabled, not active users connected.

Why there is error ‘Device does not have the AnyConnect License’ after configuration and deployment of a Remote Access VPN via FMC?
Ensure that the FMC is registered to the Smart License Cloud. The expected behavior is that you cannot deploy Remote Access configuration when FMC is unregistered or in Evaluation mode. If FMC is registered, ensure that the AnyConnect License exists in your Smart Account and it is assigned to the device.
To assign a license, you navigate toFMC Devices, choose your device, License (Pencil icon). Choose the license that you have in your Smart Account and Save.

 

Why there is an error ‘Remote Access VPN with SSL cannot be deployed when Export-Controlled Features (Strong-crypto) are disabled’ when there is a deployment of a Remote Access VPN Configuration?

The Remote Access VPN deployed on the FTD requires a Strong encryption license to be enabled. Ensure that a Strong Encryption License is enabled on the FMC. To check the status of the Strong Encryption License you navigate toFMC System > Licenses > Smart Licensingand verify if Export-Controlled Features are enabled.

How can you enable a Strong Encryption License if ‘Export-Controlled Features’ is Disabled?

This functionality is enabled automatically if the token which is was used during the registration FMC to the Smart Account Cloud has had the option Allow export-controlled functionality on the products registered with this token enabled. If the token does not have this option enabled, de-register the FMC and register it again with this option enabled.

What can you do if the option ‘Allow export-controlled functionality on the products registered with this token’ is not available when you generate the token?

Contact your Cisco Account team.

Why do you get the error ‘Strong crypto (i.e encryption algorithm greater than DES) for VPN topology s2s is not supported’?
This error is displayed when the FMC uses Evaluation Mode or Smart License Account is not entitled to a strong encryption license. Verify if the FMC is registered to the License Authority and Allow export-controlled functionality on the products registered with this token is enabled. If the Smart Account is not allowed to use a strong encryption license, you are not allowed to deploy VPN Site-to-Site configuration with ciphers stronger than DES.
Why do you get Out of Compliance status on FMC?
The device can become out of compliance when one of the managed devices uses unavailable licenses.

 

How can you fix the ‘Out of Compliance’ status?
Follow the steps described in the Firepower Configuration Guide:
1. Look at the Smart Licenses section at the bottom of the page to determine which licenses are needed.
2. Purchase the required licenses through your usual channels.
3. In Cisco Smart Software Manager (https://software.cisco.com/#SmartLicensing-Inventory), verify that the licenses appear in your virtual account.
4. In Firepower Management Center, select System > Licenses > Smart Licenses.
5. Select Re-Authorize.
The full procedure can be found in Licensing the Firepower System

 

What are the Firepower Threat Defense Base Features?
The Base license allows you to:
  • Configure your FTD devices to perform switching and routing (including DHCP Relay and NAT).
  • Configure FTD devices in a high availability (HA) mode.
  • Configure security modules as a cluster within a Firepower 9300 chassis (intra-chassis clustering).
  • Configure Firepower 9300 or Firepower 4100 series devices (FTD) as a cluster (inter-chassis clustering).
  • Configure user and application control and add user and application conditions to access control rules.
How can you get the Firepower Threat Defense Base Features License?
A base license is automatically included with every purchase of a Firepower Threat Defense or Firepower Threat Defense Virtual device. It is automatically added to your Smart Account when the FTD registers to the FMC.

Which IPs must be allowed in the path between the FMC and the Smart Licensing Cloud?
The FMC uses addresshttps://tools.cisco.comon port 443 to communicate with the licensing cloud.
The addresshttps://tools.cisco.comis resolved to these IP addresses: 
  • 72.163.4.38
  • 173.37.145.8

نوشته های مرتبط

دیدگاهتان را بنویسید

نشانی ایمیل شما منتشر نخواهد شد. بخش‌های موردنیاز علامت‌گذاری شده‌اند *