FMC and FTD Smart License Registration and Troubleshooting

Introduction

This document describes the Smart License registration configuration on the Firepower Management Center (FMC) for Firepower Threat Defense (FTD) managed devices. It also covers various troubleshooting scenarios.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

FMC, FTD and Smart License

Smart License registration is performed on the FMC. The FMC communicates with the Cisco Smart Software Manager (CSSM) portal over the Internet. In the CSSM the firewall administrator manages the Smart Account and its licenses. The FMC can freely assign and delete licenses to the managed FTD devices. In other words, FMC centrally manages licenses for FTD devices.

An additional license is required to use certain features of FTD devices. The types of Smart Licenses you can assign to an FTD device are documented in FTD License Types and Restrictions.

The base license is included in the FTD device, and this license is automatically registered in your smart account when the FMC is registered to SSM.

The term-based licenses Threat, Malware, URL Filtering are optional. If you want to use features related to a license, a license needs to be assigned to the FTD device.

When you use a Firepower Management Center Virtual (FMCv) for the FTD management, a Firepower MCv Device License in SSM is also needed for the FMCv. The FMCv license is included in the software, and it is perpetual.

For more details about licenses check Cisco Firepower System Feature Licenses and Frequently Asked Questions (FAQ) about Firepower Licensing.

FMC Smart License Registration

Prerequisites

1. For the Smart License registration, the FMC must be able to access the Internet. Also, because the certificate is exchanged between the FMC and the license cloud using HTTPS, ensure that there is no device in the path that can affect/modify the communication. (e.g. Firewall, Proxy, SSL Decryption device, etc).

2. Access the CSSM and issue a Token ID from Inventory > General > New Token button.

If you want to use strong encryption you must enable the Allow export-controlled functionality on the products registered with this token option.

FMC Smart License Registration

From the System> Licenses > Smart Licenses on FMC, select the Register button.

Enter the Token ID in the Smart Licensing Product Registration window and select Apply Changes.

If the Smart License registration is successful, the Product Registration status shows Registered.

To assign a term-based license to the FTD device, select Edit Licenses. Then select and add a managed device to the Devices with license section. Finally, select the Apply button.

Confirmation in Smart Software Manager (SSM) side

Success of FMC Smart License registration can be confirmed from Inventory > Event Log in CSSM.

The registration status of FMC can be confirmed from Inventory > Product Instances. You can also check the event log from the Event Log tab. Finally, Smart License registration and usage status can be checked from the Inventory > Licenses tab. You can verify that the term-based license you purchased is used correctly and you don’t have Alerts about insufficient licenses.

FMC Smart License De-Registration

De-register the FMC from Cisco Smart Software Manager

In case you want to release the license for some reason or use a different token you navigate to System > Licenses > Smart Licenses and select the de-register button.

Remove Registration from SSM Side

From the Inventory > Product Instances, select Remove on the target FMC. Then select Remove Product Instance to remove the FMC and release the allocated licenses.

Troubleshoot

Time Settings Verification

Access the FMC CLI (e.g. SSH) and ensure that the time is correct and it is synchronized with a trusted NTP server. Because the certificate is used for Smart License authentication, it is important that the FMC has correct time information:

admin@FMC:~$ date
Thu Jun 14 09:18:47 UTC 2020
admin@FMC:~$
admin@FMC:~$ ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*1.0.0.2         171.68.xx.xx     2 u  387 1024  377    0.977    0.469   0.916
 127.127.1.1     .SFCL.          13 l    -   64    0    0.000    0.000   0.000

From the FMC UI you can check the NTP server settings from System > Configuration > Time Synchronization.

Enable Name Resolution and Check Reachability to tools.cisco.com

Ensure that the FMC can resolve an FQDN and has reachability to tools.cisco.com:

> expert
admin@FMC2000-2:~$ sudo su
Password:
root@FMC2000-2:/Volume/home/admin# ping tools.cisco.com
PING tools.cisco.com (173.37.145.8) 56(84) bytes of data.
64 bytes from tools2.cisco.com (173.37.145.8): icmp_req=1 ttl=237 time=163 ms
64 bytes from tools2.cisco.com (173.37.145.8): icmp_req=2 ttl=237 time=163 ms

From the FMC UI you can check the management IP and DNS server IP from System > Configuration > Management Interfaces.

Verify HTTPS (TCP 443) access from FMC to tools.cisco.com

Use telnet or curl command to ensure that the FMC has HTTPS access to tools.cisco.com. If TCP 443 communication is broken check if it is not blocked by a Firewall and that there is no SSL decryption device in the path.

root@FMC2000-2:/Volume/home/admin# telnet tools.cisco.com 443
Trying 72.163.4.38...
Connected to tools.cisco.com.
Escape character is '^]'.
^CConnection closed by foreign host.                    <--- Press Ctrl+C

Curl test:

root@FMC2000-2:/Volume/home/admin# curl -vvk https://tools.cisco.com
*   Trying 72.163.4.38...
* TCP_NODELAY set
* Connected to tools.cisco.com (72.163.4.38) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=CA; L=San Jose; O=Cisco Systems, Inc.; CN=tools.cisco.com
*  start date: Sep 17 04:00:58 2018 GMT
*  expire date: Sep 17 04:10:00 2020 GMT
*  issuer: C=US; O=HydrantID (Avalanche Cloud Corporation); CN=HydrantID SSL ICA G2
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: tools.cisco.com
> User-Agent: curl/7.62.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 17 Jun 2020 10:28:31 GMT
< Last-Modified: Thu, 20 Dec 2012 23:46:09 GMT
< ETag: "39b01e46-151-4d15155dd459d"
< Accept-Ranges: bytes
< Content-Length: 337
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
< Access-Control-Allow-Headers: Content-type, fromPartyID, inputFormat, outputFormat, Authorization, Content-Length, Accept, Origin
< Content-Type: text/html
< Set-Cookie: CP_GUTC=72.163.4.54.1592389711389899; path=/; expires=Mon, 16-Jun-25 10:28:31 GMT; domain=.cisco.com
< Set-Cookie: CP_GUTC=72.163.44.92.1592389711391532; path=/; expires=Mon, 16-Jun-25 10:28:31 GMT; domain=.cisco.com
< Cache-Control: max-age=0
< Expires: Wed, 17 Jun 2020 10:28:31 GMT
<
<html>
<head>
<script language="JavaScript">

var input = document.URL.indexOf('intellishield');
if(input != -1) {
 window.location="https://intellishield.cisco.com/security/alertmanager/";
}
else {
 window.location="http://www.cisco.com";
};

</script>
</head>

<body>
<a href="http://www.cisco.com">www.cisco.com</a>
</body>
</html>
* Connection #0 to host tools.cisco.com left intact
root@FMC2000-2:/Volume/home/admin#

DNS Verification

Verify that you can resolve successfully the tools.cisco.com:

root@FMC2000-2:/Volume/home/admin# nslookup tools.cisco.com
Server:         192.0.2.100
Address:        192.0.2.100#53

Non-authoritative answer:
Name:   tools.cisco.com
Address: 72.163.4.38

Proxy Verification

In case a Proxy is used, check settings on both FMC and proxy server-side. On FMC check whether the FMC uses correct proxy server IP and port.

root@FMC2000-2:/Volume/home/admin# cat /etc/sf/smart_callhome.conf 
KEEP_SYNC_ACTIVE:1
PROXY_DST_URL:https://tools.cisco.com/its/service/oddce/services/DDCEService
PROXY_SRV:192.0.xx.xx
PROXY_PORT:80

In the FMC UI the proxy settings can be confirmed from System > Configuration > Management Interfaces.

If the FMC side setting is correct, check the proxy server-side settings (e.g. whether the proxy server permits access from the FMC and to tools.cisco.com. Additionally, permit traffic and certificate exchange through the proxy. The FMC uses a certificate for the Smart License registration).

If there is a transparent proxy or a L7 FW in the path between the FMC and the license cloud, the same checks on the proxy or the L7 FW side need to be done.

Expired Token ID

Check whether the issued token ID is not expired. If it is expired, ask the smart software manager administrator to issue a new token and re-register the Smart License with the new Token ID.

Change the FMC Gateway

There are cases where Smart License authentication cannot be performed correctly due to the effects of a relay proxy or SSL decryption device. If possible, change the route for the FMC Internet access not via these devices, and try Smart License registration.

Check the Health Events on FMC

On FMC you navigate to System > Health > Events and check the status of the Smart License Monitor module for errors. For example, if the connection fails due to the expiration of the certificate, an error such as id certificated expired is generated.

Check the Event Log in SSM side

If the FMC can connect to SSM, you can check the event log of the connectivity in Inventory > Event Log. Check whether there are such event logs, error logs, or not in SSM. If there is no problem with the setting/operation of the FMC site, and there is no event log on the SSM side, there is a possibility that it is a problem of the route between the FMC and the SSM.

Common Issues

Summary of Registration and Authorization States

Case study 1. Invalid Token

Symptom: Registration to the CSSM fails quickly (~10s) due to invalid token

Resolution: Use a valid token

Case study 2. Invalid DNS

Symptom: Registration to the CSSM failed after a while (~25s)

Check the /var/log/process_stdout.log file. You can see the DNS issue:

root@FMC2000-2:/Volume/home/admin# cat /var/log/process_stdout.log
2020-06-25 09:05:21 sla[24043]: *Thu Jun 25 09:05:10.989 UTC: CH-LIB-ERROR: ch_pf_curl_send_msg[494], 
failed to perform, err code 6, err string "Couldn't resolve host name"

Resolution: CSSM hostname resolution failure. The resolution is to configure DNS if not configured or fix the DNS issues.

Case study 3. Invalid Time Settings

Symptom: Registration to the CSSM failed after a while (~25s)

Check the /var/log/process_stdout.log file. You can see certificate issues:

2021-06-25 09:22:51 sla[24043]: *Fri Jun 25 09:22:39.716 UTC: CH-LIB-TRACE: ch_pf_curl_request_init[59], request "POST", url "https://tools.cisco.com/its/service/oddce/services/DDCEService"
2021-06-25 09:22:51 sla[24043]: *Fri Jun 25 09:22:39.716 UTC: CH-LIB-TRACE: ch_pf_curl_post_prepare[299], https related setting
2021-06-25 09:22:51 sla[24043]: *Fri Jun 25 09:22:39.716 UTC: CH-LIB-TRACE: ch_pf_curl_post_prepare[302], set ca info
2021-06-25 09:22:51 sla[24043]: *Fri Jun 25 09:22:39.716 UTC: CH-LIB-TRACE: ch_pf_curl_head_init[110], init msg header
2021-06-25 09:22:51 sla[24043]: *Fri Jun 25 09:22:40.205 UTC: CH-LIB-ERROR: ch_pf_curl_send_msg[494], 
failed to perform, err code 60, err string "SSL peer certificate or SSH remote key was not OK"
2021-06-25 09:22:51 sla[24043]: *Fri Jun 25 09:22:40.205 UTC: CH-LIB-TRACE: ch_pf_http_unlock[330], unlock http mutex.
2021-06-25 09:22:51 sla[24043]: *Fri Jun 25 09:22:40.205 UTC: CH-LIB-TRACE: ch_pf_send_http[365], send http msg, result 30
2021-06-25 09:22:51 sla[24043]: *Fri Jun 25 09:22:40.205 UTC: CH-LIB-TRACE: ch_pf_curl_is_cert_issue[514], 
cert issue checking, ret 60, url https://tools.cisco.com/its/service/oddce/services/DDCEService

Check the FMC time settings:

root@FMC2000-2:/Volume/home/admin# date
Fri Jun 25 09:27:22 UTC 2021

Case study 4. No Subscription

In case there is no license subscription for a specific feature the FMC deployment is not possible:

Resolution: There is a need to purchase and apply to the device the required subscription.

Case study 5. Out-Of-Compliance (OOC)

In case there is no entitlement for FTD subscriptions the FMC Smart License goes to OOC state:

In the CSSM check the Alerts for errors:

Case study 6. No Strong Encryption

In case you use Base License only DES encryption is enabled in the FTD LINA engine. In that case deployments like L2L VPN with stronger algorithms fail:

Resolution: Register the FMC to CSCM and have a Strong Encryption attribute enabled.

Additional Notes

Set Notification of Smart License State

Email notification by SSM

On the SSM side, SSM Email Notification allows you to receive summary e-mails for various events. For example, you can be notified for a lack of license or licenses that are about to expire. You can also receive notifications of product instance connection or update failure, etc.

This function is very useful in order to notice and prevent the occurrence of functional restrictions due to license expiration.

Get Health Alert Notifications from FMC

On the FMC side, it is possible to configure a Health monitor Alert and receive an alert notification of a health event. The Module Smart License Monitor is available to check the Smart License status. The monitor alert supports Syslog, Email, and SNMP trap.

This is a configuration example to get a syslog message when a Smart License monitor event occurs:

This is an example of a Health Alert:

The syslog message generated by FMC:

Mar 13 18:47:10 xx.xx.xx.xx Mar 13 09:47:10 FMC : HMNOTIFY: Smart License Monitor (Sensor FMC): Severity: critical: Smart License usage is out of compliance

Refer to the Health Monitoring for additional details about the Health Monitor Alerts.

Multiple FMCs on the Same Smart Account

When you use multiple FMCs on the same smart account, each FMC hostname must be unique. When you manage multiple FMCs in SSM in order to distinguish each FMC, the hostname of the each FMC must be unique. This is useful for FMC Smart License maintenance in operation.

FMC Must Maintain Internet Connectivity

After registration, FMC checks the license cloud and license status once every 30 days. If the FMC cannot communicate for 90 days, the licensed function is maintained, but it remains in Authorization Expired status. Even in this state, FMC tries continuously to connect to the license cloud.

Deploy Multiple FMCv

When Firepower System is used in a virtual environment, clone (hot or cold) is not officially supported. Each Firepower Management Center virtual (FMCv) is unique because it has authentication information inside. If you want to deploy multiple FMCv, the FMCv must be created from the OVF file one by one. For more information about this limitation, refer to the Cisco Firepower Management Center Virtual for VMware Deployment Quick Start Guide.

Frequently Asked Questions (FAQ)

In FTD HA, how many device licenses are required?

When you use two FTDs in High Availability, a license is required for each device. For example, two threat and malware licenses are needed if you use the IPS and AMP feature on the FTD HA pair.