Configure and Troubleshoot Smart Licensing Policy on ACI Platforms
Available Languages
Contents
Introduction
This document describes how to use Smart Licensing Policy to manage software licenses on the Cisco Application Centric Infrastructure (ACI) Platform.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
This document describes how to work with Cisco Smart Licensing Policy to troubleshoot, configure, and manage software licenses on the Cisco Application Centric Infrastructure (ACI) Platform.
What is Cisco Smart Licensing Policy (SLP)?
Cisco Smart Licensing is a software management platform that manages all the Cisco product licenses. Based on your feedback, Cisco Smart Licensing has been enhanced and a new platform, called SLP, has been proposed. The purpose of SLP is to simplify smart licensing and make it possible for you to configure and maintain. It is introduced in ACI version 5.2(4).
Are you new to Smart Licensing and/or Smart Account administration?
Visit and sign up for the new administrator training course and recording:
- Cisco Community - Get Smart with Cisco Smart Accounts/Smart Licensing and My Cisco Entitlements
- Smart accounts can be created here: Smart Accounts
- Smart accounts can be managed here: Smart Software Licensing
What is an ID token?
Used to securely Register products to a Smart Account and Virtual Account. ID Tokens are “organizational identifiers” used to establish identity when a product is registered. These token in SLP is used with a different method of registration which are explained later in this document.
Generate an ID token from CSSM
In order to generate, go to Cisco Software Central and navigate to Manage Licenses > Inventory > General > New Token as shown in the image.
Once generated, you can copy or download into Actions:
SLP License and the Product States
In ACI SLP, the need for 90 days of the evaluation period and product registration is eliminated. Product registration is no longer needed. You need to report license usage in the best effort. In addition to this, license authorization status on client view is eliminated. A license entitlement has two statuses now: In Use or Not In Use. Since the APIC controller only manages those licenses that are currently In Use, on APIC UI/CLI you can only see every license entitlement that is In Use.
Supported Methods with SLP
There are different methods to configure Smart License Policy which can be differentiated as follows:
1. Online Mode
2. Offline Mode
In ACI SLP, introduce the concept of Resource Utilization Measurement report (RUM report). A RUM report is a file in XML format that contains the report of license usage. So, the terminology license usage report and Rum reportare interchangeable; both refer to report license usage. With online mode, a user needs to configure the network and to make the APIC controller connected to CSSM either directly or indirectly, also in online mode, APIC can automatically send RUM reports to and get acknowledgement from CSSM.
In offline mode, because APIC is completely isolated without any network connection with CSSM either directly or indirectly, a user is required to periodically download the RUM report from APIC, import it into CSSM, download acknowledgement from CSSM and import it into APIC.
Based on the connectivity of APIC with CSSM, you can decide whether to use online or offline mode, which thus also has multiple methods in online mode, explained as follows:
Method 1. Direct Connect to CSSM
This method is the most commonly used network mode. The Cisco APIC must have Internet connectivity so that Cisco APIC can send RUM reports to the CSSM directly. The DNS must be configured and the CSSM hostname (tools.cisco.com) must be pingable.
To configure:
Step 1. Log in to the Cisco APIC GUI.
Step 2. On the menu bar, navigate to System > Smart Licensing > Actions > Configure Network Settings.
Step 3. Select Direct connect to CSSM.
Step 4. URL and Port Number are unchangeable here.
Step 5. Paste product instance ID token, which is already obtained from your CSSM virtual account.
Step 6. Click OK.
Product Instance ID Token
Once successfully synced with CSSM, the Smart Account and Virtual Account names are updated on the Smart Licensing Page as shown in the image.
Smart Account and Virtual AccountNames areUpdated
Method 2. Cisco Transport Gateway
With this method, the Cisco APIC does not require Internet connectivity. The Cisco APIC sends RUM reports to the CSSM with help of the transport gateway. The Cisco transport gateway middleware must be already installed in the data centre and reachable to APIC. For Transport Gateway mode, the URL format is: http<s>://<ip or hostname>:<port>/Transportgateway/services/DeviceRequestHandler, where IP or hostname is Transport Gateway’s IP or hostname. The port number must be entered if it is not the default HTTP port 80 or HTTPS port 443. Along with that, a product instance ID token is required and can be obtained from your CSSM virtual account.
In order to install and configure Transport Gateway, a user can reference the documentation of Cisco Transport Gateway:
https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/smart_call_home/user_guides/SCH_Ch4.pdf
To configure:
Step 1. Log in to the Cisco APIC GUI.
Step 2. On the menu bar, navigate to System > Smart Licensing > Actions > Configure Network Settings.
Step 3. Select Cisco Transport Gateway.
Step 4. Edit the URL with the correct IP (IP of Cisco Transport Gateway) and port;http<s>://<ip or hostname><port>/Transportgateway/services/DeviceRequestHandler.
Step 5. Paste product instance ID token, which is already obtained from your CSSM virtual account.
Step 6. Click OK.
Method 3. HTTP/HTTPS Proxy
With this method, the Cisco APIC does not require Internet connectivity. The Cisco APIC sends RUM reports to the CSSM from your web proxy. Ensure the web proxy server is configured to allow the smart licensing messages. Also, the firewall must have rules to pass communication to reach the destination (https://tools.cisco.com/its/service/oddce/services/DDCEService).
In Proxy mode, a user needs to configure proxy IP and port. Along with that, a product instance ID token is required and can be obtained from the user’s CSSM virtual account.
To configure:
Step 1. Log in to the Cisco APIC GUI.
Step 2. On the menu bar, navigate toSystem > Smart Licensing >
Step 3. SelectCisco HTTP/HTTPS Proxy.
Step 4. Please provide the IP address and Port number of the proxy.
Step 5. Paste product instance ID token, which can be obtained from your CSSM virtual account.
Step 6. ClickOK.
Method 4. On-Prem
With this method, the Cisco APIC does not require Internet connectivity, whereas On-Prem needs Internet connectivity. The Cisco APIC sends RUM reports to the CSSM via the On-Prem. The On-Prem middleware must be already installed in the data center. This mode was earlier known as Cisco Smart Software Manager Satellite (Manager Satellite) in Cisco ACI Smart Licensing (SL).
To Configure:
Step 1. Log in to the Cisco APIC GUI.
Step 2. On the menu bar, navigate toSystem > Smart Licensing > Actions > Configure Network Settings
Step3. Select Cisco Smart Software Manager On-Prem.
You must provide the URL to the Cisco Smart Software Manager On-Prem. To get the URL, log in to the Cisco Smart Software Manager On-Prem GUI. Navigate to Inventory > General and click the CSLU TransportURL link.
Step 4. Copy the CSLU URL and paste it into the URL field in the Cisco APIC GUI.
You do not need to specify your product instance ID token. The Cisco APIC uses a built-in certificate to communicate with the Cisco Smart Software Manager On-Prem.
Once successfully synced, Smart-Software-Manager On-Prem Inventory is updated with licenses in use.
Method 5. Cisco Smart Licensing Utility
With this method, the Cisco APIC does not require Internet connectivity. The Cisco APIC sends RUM reports to CSSM via the CSLU. The CSLU which is the Microsoft Windows version of the middleware must be already installed in the data center. The URL for the CSLU can be configured in APIC as per this format:http://ip_or_hostname:port/cslu/v1/pi
Here IP or hostname is the CSLU IP address or hostname. HTTPS is not supported.
To configure:
Step 1. Log in to the Cisco APIC GUI.
Step 2. On the menu bar, navigate to Inventory System > Smart Licensing >
Step 3. Select Cisco Smart Licensing Utility (CSLU).
In the previous URL, the port is taken from as Product Instance Service Port under preferences from CSLU GUI.
Once successful, the sync licensing page is updated with the Smart Account name and Virtual Account name as shown in the image.
Method 6. Offline Method
In offline mode, the Cisco APIC is isolated without any network connection with the CSSM either directly or indirectly. Because the Cisco APIC cannot reach the CSSM through a network connection, every 12 months you must download a RUM report from the Cisco APIC and import the report into the CSSM. Afterwards, you must download an acknowledgement from the CSSM and import the acknowledgement into the Cisco APIC.
To configure:
Step 1. Log in to the Cisco APIC GUI.
Step 2. On the menu bar, navigate to System > Smart Licensing.
Step 3. In the Work pane, navigate to Actions > Download Rum Report.
The RUM report file is automatically downloaded to the default folder on your browser.
Once the report is downloaded (LicenseUsageRumReport.xml), you can import it into CSSM.
Step 4. Login to Software.cisco.com and navigate to Manage License.
Step 5. From the Menu, click on Reportsand select the Usage Data Filesoption as shown in the image.
Step 6. Click on Upload Usage Dataand select fileLicenseUsageRumReport.xmlas shown in the image.
Step 7. Select the Virtual Accounts which has the licenses.
Once submitted you have to wait until the reporting status becomes No Errorsand the Acknowledgement field has the option to download.
Step 8. Once the download option is available, click on Download andAcknowledgement is downloaded as file nameACK_LicenseUsageRumReport.xmlas shown in the image.
You need to import the acknowledgement to APIC:
Step 9. Log in to the Cisco APIC GUI.
Step 10. On the menu bar, navigate toSystem > Smart Licensing.
Step 11. In the Work pane, navigate toActions > Import Acknowledgement.
Step 12. ClickChoose File, navigate to where you downloaded the acknowledgement file, choose the file and click Open.
Step 13. Click OK.
Once successful, the sync licensing page is updated with the Smart Account name and Virtual Account name as shown in the image.
Troubleshoot Cisco ACI Smart Licensing Policy
Faults
In ACI a fault is raised when a specific problematic condition or warning occurs before you start to troubleshoot. It is always good to check if any fault exists which redirects us in the right direction, the table lists the smart licensing faults:
|
F3057 |
This is a warning fault, that indicates that you have not configured a network setting yet. Even if you want to choose the offline mode, configure the Offline network setting. Configure a network setting that clears this fault. |
|
F4290 |
This fault indicates that the product instance ID token that you entered is either an invalid or expired token. Log in to the CSSM and create a new product instance registration token. Log in to the Cisco Application Policy Infrastructure Controller (APIC) GUI to enter the new ID token and reconfigure the network setting. This action clears the fault. |
|
F4291 |
This fault indicates that network connectivity between the Cisco APIC and the CSSM or between the Cisco APIC and the transport server (Gateway, Proxy, On-Prem, or CSLU) has an issue. The Cisco APIC cannot communicate with the CSSM or transport server. After you resolve the network connectivity issue, log in to the Cisco APIC GUI, navigate to |
|
F4222 |
This fault indicates that the Cisco APIC has not received acknowledgement of a RUM report for a long time and the acknowledgement has expired. In offline mode, manually download a RUM report and import the acknowledgement. When you import the acknowledgement file into the Cisco APIC, it clears the fault. In the online modes, this fault indicates that, due to a networking issue, the Cisco APIC has been out of synchronization with the CSSM for a long time. Troubleshoot the network connectivity issue between the Cisco APIC and CSSM or between the Cisco APIC and transport server, as well as between the transport server and CSSM. After you resolve the network connectivity issue, log in to the Cisco APIC GUI, navigate to |
|
F4310 |
This fault indicates that you imported the wrong acknowledgement of a RUM report. An acknowledgement is uniquely associated with one RUM report. The imported acknowledgement must match the RUM report that you downloaded. Manually download the RUM report again and import the correct acknowledgement into the Cisco APIC, which clears the fault. |
Show Commands
There are two CLI show commands that are useful to troubleshoot. To use these commands, log in to the Cisco Application Policy Infrastructure Controller (APIC) node 1 in the cluster as the admin user.
# show license all
This show command displays smart licensing information from the Smart Agent (SA) trust store. The "Usage Reporting" section displays the timestamp of the last sent RUM report and the last received acknowledgement, as well as when to send the next RUM report and when to poll the next acknowledgement. If the timestamp of the last received acknowledgement is newer than the timestamp of the last sent RUM report, this indicates that the Cisco APIC successfully sent the RUM report and received the acknowledgement.
# show license tech support
This show command displays much more detailed information than show license all. The console cannot display the complete result because of its length, but you can open the file /tmp/SA_Show_Tech_Support.txt to view all of the output.
Logs
When there is an issue with smart licensing please collect these logs:
/var/log/dme/log/svc_ifc_licensemgr.bin.log
/var/log/dme/log/ch_dbg.log
/var/log/dme/log/sa.log
Techsupport from APIC.
Known Issue
1. Registration Failed due to a Communication Problem (DNS not Configured)
In the Direct Connect to CSSM mode, if you forgot to configure DNS on the Cisco Application Policy Infrastructure Controller (APIC) communication to tools.cisco.com fails.
make sure you have DNS configured in APIC and you can ping tools.cisco.com
To check if DNS is configured, runcat /etc/resolv.confon APIC CLI:
apic1# cat /etc/resolv.conf
# Generated by IFC
search apic.local
nameserver 10.0.0.1
nameserver XX.163.128.140In order to check if ping works, run ping on APIC controller CLI, ping must work for tools.cisco.com.
apic1# ping tools.cisco.com
PING tools.cisco.com (XX.163.4.38) 56(84) bytes of data.
64 bytes from tools1.cisco.com (XX.163.4.38): icmp_seq=1 ttl=235 time=250 ms
64 bytes from tools1.cisco.com (XX.163.4.38): icmp_seq=2 ttl=235 time=249 ms
64 bytes from tools1.cisco.com (XX.163.4.38): icmp_seq=3 ttl=235 time=249 ms2. Cisco ACI Smart License Policy Upgrade Consideration
If you plan to upgrade to the Cisco Application Policy Infrastructure Controller (APIC) 5.2(4) release or later, and the Cisco APIC is already registered and the network or transport mode is Direct Connect to CSSM, Transport Gateway, or HTTP/HTTPS Proxy, you can directly upgrade the Cisco APIC from Cisco Application Centric Infrastructure (ACI) Smart Licensing (SL) to SLP. There is no need to perform any special procedure. After the upgrade, the Cisco APIC is still connected with the CSSM and can send RUM reports to the CSSM without any issues.
If instead the Cisco APIC is already registered and the network or transport mode is Manager Satellite, you can not directly upgrade the Cisco APIC from SL to SLP. This is because both the transport type and URL are changed for the Cisco Smart Software Manager On-Prem network mode that replaces Manager Satellite. You must perform these actions:
-
Upgrade the Manager Satellite to the latest version of Cisco Smart Software Manager On-Prem that supports SLP. After the upgrade, make sure On-Prem has network connectivity with the CSSM and synchronization still works between On-Prem and the CSSM.
-
Upgrade the Cisco APIC to the 5.2(4) release or later. After the upgrade, the Cisco APIC GUI displays that the network mode is Transport Gateway rather than Manager Satellite. You must reconfigure the network mode to Cisco Smart Software Manager On-Prem and copy the right URL from On-Prem GUI.
3. Error - Fail to Send Out Call Home HTTP Message (Quo Vadis Root CA)
QuoVadis Root CA 2 is decommissioned and can impact SSL communication from APIC, thus it raises a fault "Fail to send out Call Home HTTP". In order to check the same, you can parse call home logs under/var/log/dme/log/ch_dbg.log. If it prints these lines, follows the given BUG and Field Notice:
CH-TRANS-ERROR: ch_pf_curl_send_msg[539], failed to perform, err code 60, err string "Peer certificate cannot be authenticated with given CA certificates" *
CH-TRANS-DETAIL: ch_pf_http_long_buf_dump[264], dump:"SSL certificate problem: self signed certificate in certificate chain"
https://www.cisco.com/c/en/us/support/docs/field-notices/721/fn72115.html
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
1.0 |
26-Sep-2022 |
Initial Release |
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)