Introduction
This document describes how to resolve issues on Catalyst 9300X switches involving the HSEC license add-on.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Basic understanding of Cisco Smart Licensing
- Familiarity with Catalyst 9300X switch configuration
Components Used
The information in this document is based on these software and hardware versions:
- Hardware: Catalyst 9300X
- Software: IOS XE 17.9.5
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
The HSEC (High Security) license is an additional license that can be added to the Catalyst 9300X to enable support for encrypted traffic and IPsec features.
Problem
The Catalyst 9300X is missing the HSEC license on the switch.
Problem Details:
Commands executed to identify the problem:
Switch#show license summary
Account Information:
Smart Account: Cisco Systems
Virtual Account: DEFAULT
License Usage:
License                 Entitlement Tag               Count Status
-----------------------------------------------------------------------------
network-advantage       (C9300-48 Network Advan...)       1 IN USE
dna-advantage           (C9300-48 DNA Advantage)          1 IN USE   <<<< Missing the HSEC license
Solution
The solution involves removing both the license and instance from Cisco Smart Software Manager (CSSM), regenerating the reservation code from the switch, and installing the new file onto the switch.
Step 1: Remove License and Instance from CSSM
In CSSM, the license and instance are located under the default virtual account. Observe these steps to remove them:
1. Remove the license from the Virtual account:
- Contact the TAC licensing team to remove the license from the account. Useful data sets that can be included in the case are the UDI SN# of the device, the Smart Account name, and the Virtual Account name.
2. Remove the device from the product instance:
- Navigate to the account that the license is under, for example the Default account → Product instance → search for device SN# → actions (on the right-hand side of the listed device) → remove → Confirm.
Step 2: Regenerate Reservation Code
Run this command on the switch to get the reservation code:
device#license smart reservation request local
Enter this request code in the Cisco Smart Software Manager portal:
UDI: PID:C9300X-48HX,SN:FOC2522L1W7
Request code: CB-ZC9300X-48HX:FOC2522L1W7-AK9A6sMTr-2D
Copy the request code and enter it in CSSM. Under the default virtual account navigate to Licenses → License Reservation → (paste code taken from the switch output) → next. Choose the required licenses (HSEC, DNA Advantage, and Network Advantage) and generate the authorization code. Download the new file from CSSM and copy it to the switch. This can be done via FTP or through copy from physical media.
Step 3: Install the New Authorization Code
Verify that the file is in flash and run this command:
device#license smart reservation install file flash:
Install the HSEC license when the switch is connected to CSSM or CSLU using Smart Licensing:
C9300X#license smart authorization request add hseck9 local
*Oct 12 20:01:36.680: %SMART_LIC-6-AUTHORIZATION_INSTALL_SUCCESS: A new licensing authorization code was successfully installed on PID:C9300X-24Y,SN:FOC2522L1W7
Verify HSEC license is correctly installed:
C9300X#show license summary
Account Information:
Smart Account: Cisco Systems, TAC As of Oct 13 15:50:35 2022 UTC
Virtual Account: CORE TAC
License Usage:
License                 Entitlement Tag               Count Status
-----------------------------------------------------------------------------
network-advantage       (C9300X-12Y Network Adv...)       1 IN USE
dna-advantage           (C9300X-12Y DNA Advantage)        1 IN USE
C9K HSEC                (Cat9K HSEC)                      0 NOT IN USE   <<<<
Enable IPsec as the tunnel mode on the tunnel interface:
C9300X(config)#interface tunnel1
C9300X(config-if)#tunnel mode ipsec ipv4
C9300X(config-if)#end
Once IPsec is enabled, the HSEC license becomes IN USE. For further information, refer to Configure IPsec on Catalyst 9000X Series Switches.
Verify the license usage:
device#show license usage
License                 Entitlement Tag               Count Status
-----------------------------------------------------------------------------
C9300 48P Network Ad... (C9300-48 Network Advan...)       1 IN USE
C9300 48P DNA Advantage (C9300-48 DNA Advantage)          1 IN USE
C9K HSEC                (Cat9K HSEC)                      1 IN USE   <<<<
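The three license states shown in this document (HSEC row absent, NOT IN USE after installation, IN USE once IPsec tunnel mode is configured) can be checked automatically from collected command output. This Python check is an added example, not Cisco code and not part of the original document; the function names are hypothetical, and it assumes the row layout shown in the listings above.

```python
import re

# One "License Usage" row: name, (entitlement tag), count, status.
ROW = re.compile(
    r"^\s*(?P<name>.+?)\s+\((?P<tag>[^)]*)\)\s+(?P<count>\d+)\s+"
    r"(?P<status>[A-Z][A-Z ]*[A-Z])"
)

# Sample rows copied from the listings in this document.
BEFORE = """\
License Entitlement Tag Count Status
network-advantage (C9300-48 Network Advan...) 1 IN USE
dna-advantage (C9300-48 DNA Advantage) 1 IN USE
"""
INSTALLED = """\
network-advantage (C9300X-12Y Network Adv...) 1 IN USE
dna-advantage (C9300X-12Y DNA Advantage) 1 IN USE
C9K HSEC (Cat9K HSEC) 0 NOT IN USE
"""
ACTIVE = """\
C9300 48P Network Ad... (C9300-48 Network Advan...) 1 IN USE
C9300 48P DNA Advantage (C9300-48 DNA Advantage) 1 IN USE
C9K HSEC (Cat9K HSEC) 1 IN USE
"""

def parse_license_rows(output):
    """Return one dict per license row; headers and banners are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"name": m["name"], "tag": m["tag"],
                         "count": int(m["count"]), "status": m["status"]})
    return rows

def hsec_state(output):
    """Return the HSEC row's status, or 'MISSING' when no HSEC row exists."""
    for row in parse_license_rows(output):
        if "hsec" in (row["name"] + " " + row["tag"]).lower():
            return row["status"]
    return "MISSING"

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("installed", INSTALLED),
                        ("ipsec enabled", ACTIVE)):
        print(f"{label}: HSEC {hsec_state(text)}")
```

A result of MISSING corresponds to the problem state, and NOT IN USE indicates the license is installed but no IPsec tunnel is configured yet.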