Troubleshooting Licensing Issues
This chapter describes how to troubleshoot issues that are related to firewall licensing on the Virtual Supervisor Module (VSM).
This chapter includes the following sections:
•Information about Licensing
•Troubleshooting Unlicensed Cisco VSG Modules
•Troubleshooting License Installation Issues
•Determining Cisco VSG License Usage
•Viewing Installed License Information
•Troubleshooting the Removal of a License
Information about Licensing
The Cisco Virtual Security Gateway (VSG) license package name is NEXUS1000V_VSG_SERVICES_PKG.
The licensing model for the Cisco VSG is based on the number of CPU sockets of the ESX servers attached as Virtual Ethernet Modules (VEMs) to the Virtual Supervisor Module (VSM).
A module is licensed or unlicensed according to the following definitions:
•Firewalled module—A VEM is considered to be firewalled if it can acquire licenses for all of its CPU sockets.
•Nonfirewalled module—A VEM is considered to be nonfirewalled if it cannot acquire licenses for any, or a subset of, its CPU sockets.
If a VEM is nonfirewalled, all the virtual Ethernet ports on the VEM that correspond to the virtual machines (VMs) are kept in pass-through mode, so that these virtual machines are not firewalled.
By default, the VSM contains 16 CPU socket licenses for Cisco VSGs. This license is valid only for the first 60 days after the deployment of VSM.
For additional information about licensing, see the Cisco Virtual Security Gateway for Nexus 1000V Series Switch License Configuration Guide, Release 4.2(1)VSG1(2).
Troubleshooting Unlicensed Cisco VSG Modules
By default, both the VSM and the Cisco VSG have 16 CPU socket licenses that are valid for 60 days.
This section includes the following topics:
•Checking the Number of Cisco VSG Licenses
•Identifying an Unlicensed Cisco VSG
Checking the Number of Cisco VSG Licenses
You can check the number of Cisco VSG licenses in use and see the list of modules that are firewalled by entering the show license usage command.
This example shows how to display the license usage for your Cisco VSG:
vem# show license usage NEXUS_VSG_SERVICES_PKG
----------------------------------------
----------------------------------------
Default Eval Licenses : 16
Max Overdraft Licenses : 0
Installed Licenses in Use : 0
Overdraft Licenses in Use : 0
Default Eval Lic in Use : 2
Default Eval days left : 55
Shortest Expiry : 18 Apr 2011
----------------------------------------
----------------------------------------
----------------------------------------
As shown, the output module 3 is firewalled and two Cisco VSG licenses have been assigned.
Identifying an Unlicensed Cisco VSG
You can identify an unlicensed Cisco VSG by entering the show vsn detail command on the VSM.
This example shows how to display the details of the Cisco VSG:
#VSN VLAN: 754, IP-ADDR: 200.1.1.10
MODULE VSN-MAC-ADDR FAIL-MODE VSN-STATE
3 00:50:56:83:00:01 Close No-License
#VSN Ports, Port-Profile, Org and Security-Profile Association:
#VSN VLAN: 754, IP-ADDR: 200.1.1.10
Port-Profile: profile-traffic, Security-Profile: sec-profile-perf, Org:
root/Tenant-perf-1.1
As shown in the command output, the status field for VEM 3 does not have a Cisco VSG license.
Note The server administrator has no information on whether the VEMs are Cisco VSG licensed or unlicensed. Therefore, the Cisco VSG license state of the VEMs must be communicated to the server administrators so that they are aware that the vEthernet interfaces on unlicensed Cisco VSGs cannot firewall traffic.
Troubleshooting License Installation Issues
This section describes how to troubleshoot Cisco VSG license installation issues.
Note This section assumes that you have a valid Cisco VSG license file.
For additional information about licensing, see the Cisco Virtual Security Gateway for Nexus 1000V Series Switch License Configuration Guide, Release 4.2(1)VSG1(2).
This section includes the following topics:
•License Troubleshooting Checklist
•Contents of the License File
•Removing an Evaluation License File
License Troubleshooting Checklist
Before you start the troubleshooting process, follow these requirements:
•Make sure that the name of the license file is less than 32 characters.
•Make sure that no other license file with the same name is installed on the VSM. If there is a license file with the same name, rename your new license file to something else.
•Do not edit the contents of the license file. If you have already done so, contact your Cisco Technical Assistance Center (TAC) Team.
•Make sure that the host ID in the license file is the same as the host ID on the switch.
Contents of the License File
The Cisco VSG license file looks as follows:
Linux(debug)# cat vsg.lic
INCREMENT NEXUS_VSG_SERVICES_PKG cisco 1.0 3-mar-2011 16 \
HOSTID=VDH=1218291845128904258 \
NOTICE="<LicFileID>20101203153943867</LicFileID><LicLineID>1</LicLineID> \
<PAK></PAK>" SIGN=00310BEEE50A
You can identify the host ID of the VSM by entering the show license host-id command.
This example shows the results of the command:
vsm# show license host-id
License hostid: VDH=1218291845128904258
Notice that in both instances of the command output the host-id matches and is equal to VDH=1218291845128904258.
Note Both NEXUS1000V_LAN_SERVICES and NEXUS_VSG_SERVICES use the same host ID (host ID of VSM). There is no such host ID on the VSG.
Removing an Evaluation License File
If an evaluation license file is already installed on the VSM, you must remove it from the VSM before installing a permanent license file. For more information, see the Cisco Virtual Security Gateway for Nexus 1000V Series Switch License Configuration Guide, Release 4.2(1)VSG1(2).
Determining Cisco VSG License Usage
You can view the Cisco VSG license state of the VEMs on your VSM and the number of CPU sockets per VEM by entering the module vem 3 execute vemcmd show vsn config command.
This example shows how to display the internal license information:
vsm# module vem 3 execute vemcmd show vsn config
VNS Enabled | VNS Licenses Available 2
VSN# VLAN IP STATIC-MAC LEARNED-MAC LTLs
1 754 200.1.1.10 00:00:00:00:00:00 00:50:56:83:00:01 0
In this command output, VEM 3 is licensed. It has two CPU sockets and it currently uses two firewall licenses.
Viewing Installed License Information
You can view the installed license count by entering the show license usage command.
This example shows how to display the installed licenses count:
Feature Ins Lic Status Expiry Date Comments
--------------------------------------------------------------------------------
NEXUS_VSG_SERVICES_PKG No 16 In use 18 Jan 2012 -
NEXUS1000V_LAN_SERVICES_PKG No 16 In use 18 Jan 2012 -
--------------------------------------------------------------------------------
The output shows that 16 licenses (LAN and Cisco VSG) have been installed and they will expire on January 18, 2012.
Troubleshooting the Removal of a License
You cannot clear a license file that is being used. To clear a license file, make sure that all modules check in the Cisco VSG license back to the license pool. You can check in the licenses by entering the vsg license transfer src-vem [module_#] license_pool command.
After doing the license transfer, clear the license file using the clear license command.
This example shows how to clear the license file:
vsm# clear license vsg.lic
vsm# clearing license . . . . done