This document describes the Smart License registration configuration on the Firepower Management Center (FMC) for Firepower Threat Defense (FTD) managed devices. It also covers various troubleshooting scenarios.
There are no specific requirements for this document.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
FMC, FTD and Smart License
Smart License registration is performed on the FMC. The FMC communicates with the Cisco Smart Software Manager (CSSM) portal over the Internet. In the CSSM the firewall administrator manages the Smart Account and its licenses. The FMC can freely assign licenses to, and remove licenses from, the managed FTD devices. In other words, the FMC centrally manages licenses for the FTD devices.
An additional license is required to use certain features of FTD devices. The types of Smart Licenses you can assign to an FTD device are documented in FTD License Types and Restrictions.
The base license is included in the FTD device, and this license is automatically registered in your smart account when the FMC is registered to SSM.
The term-based licenses (Threat, Malware, URL Filtering) are optional. If you want to use the features related to one of these licenses, that license needs to be assigned to the FTD device.
When you use a Firepower Management Center Virtual (FMCv) for the FTD management, a Firepower MCv Device License in SSM is also needed for the FMCv. The FMCv license is included in the software, and it is perpetual.
1. For the Smart License registration, the FMC must be able to access the Internet. Also, because the certificate is exchanged between the FMC and the license cloud over HTTPS, ensure that there is no device in the path that can affect or modify the communication (e.g. a firewall, proxy, SSL decryption device, etc.).
2. Access the CSSM and issue a Token ID from Inventory > General > New Token button.
If you want to use strong encryption you must enable the Allow export-controlled functionality on the products registered with this token option.
FMC Smart License Registration
From System > Licenses > Smart Licenses on the FMC, select the Register button.
Enter the Token ID in the Smart Licensing Product Registration window and select Apply Changes.
If the Smart License registration is successful, the Product Registration status shows Registered.
To assign a term-based license to the FTD device, select Edit Licenses. Then select and add a managed device to the Devices with license section. Finally, select the Apply button.
Confirmation on the Smart Software Manager (SSM) Side
Success of FMC Smart License registration can be confirmed from Inventory > Event Log in CSSM.
The registration status of FMC can be confirmed from Inventory > Product Instances. You can also check the event log from the Event Log tab. Finally, Smart License registration and usage status can be checked from the Inventory > Licenses tab. You can verify that the term-based license you purchased is used correctly and you don’t have Alerts about insufficient licenses.
FMC Smart License De-Registration
De-register the FMC from Cisco Smart Software Manager
If you want to release the license for some reason or use a different token, navigate to System > Licenses > Smart Licenses and select the De-register button.
Remove Registration from SSM Side
From the Inventory > Product Instances, select Remove on the target FMC. Then select Remove Product Instance to remove the FMC and release the allocated licenses.
Time Settings Verification
Access the FMC CLI (e.g. via SSH) and ensure that the time is correct and synchronized with a trusted NTP server. Because a certificate is used for Smart License authentication, it is important that the FMC has correct time information:
Thu Jun 14 09:18:47 UTC 2020
admin@FMC:~$ ntpq -pn
remote refid st t when poll reach delay offset jitter
*220.127.116.11 171.68.xx.xx 2 u 387 1024 377 0.977 0.469 0.916
127.127.1.1 .SFCL. 13 l - 64 0 0.000 0.000 0.000
From the FMC UI you can check the NTP server settings from System > Configuration > Time Synchronization.
Enable Name Resolution and Check Reachability to tools.cisco.com
Ensure that the FMC can resolve an FQDN and has reachability to tools.cisco.com:
root@FMC2000-2:/Volume/home/admin# ping tools.cisco.com
PING tools.cisco.com (18.104.22.168) 56(84) bytes of data.
64 bytes from tools2.cisco.com (22.214.171.124): icmp_req=1 ttl=237 time=163 ms
64 bytes from tools2.cisco.com (126.96.36.199): icmp_req=2 ttl=237 time=163 ms
From the FMC UI you can check the management IP and DNS server IP from System > Configuration > Management Interfaces.
Verify HTTPS (TCP 443) access from FMC to tools.cisco.com
Use the telnet or curl command to ensure that the FMC has HTTPS access to tools.cisco.com. If TCP 443 communication is broken, check that it is not blocked by a firewall and that there is no SSL decryption device in the path.
root@FMC2000-2:/Volume/home/admin# telnet tools.cisco.com 443
Connected to tools.cisco.com.
Escape character is '^]'.
^CConnection closed by foreign host. <--- Press Ctrl+C
In the FMC UI the proxy settings can be confirmed from System > Configuration > Management Interfaces.
If the FMC-side settings are correct, check the proxy server-side settings, e.g. whether the proxy server permits access from the FMC to tools.cisco.com. Additionally, the proxy must permit the traffic and the certificate exchange, because the FMC uses a certificate for the Smart License registration.
If there is a transparent proxy or an L7 firewall in the path between the FMC and the license cloud, the same checks need to be done on the proxy or the L7 firewall side.
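The time, name resolution and HTTPS checks above can be run in one pass from the FMC Linux shell. The script below is an added example, not part of the Cisco article: it only assumes that date, ntpq, getent and curl exist on the FMC CLI and that tools.cisco.com is the host to test, as the article states. The curl exit-code mapping uses curl's documented exit codes; code 60 is the same "SSL peer certificate or SSH remote key was not OK" failure the smart agent logs in Case study 3 below, and code 6 is the name-resolution failure of Case study 2.

```shell
#!/bin/sh
# Added example (not part of the Cisco article): pre-registration checks run
# from the FMC Linux shell. Assumes date, ntpq, getent and curl are available,
# and tests against the tools.cisco.com hostname named in the article.

LICENSE_HOST="tools.cisco.com"

# Return 0 if the "ntpq -pn" output on stdin contains a selected sync peer,
# i.e. a line whose first column is marked with '*'. Without one the FMC
# clock is not disciplined and certificate validation may fail.
ntp_peer_selected() {
    grep -q '^\*'
}

# Map a curl exit code to the troubleshooting step from the article.
# 6 = host not resolved, 7 = TCP connect failed, 28 = timed out,
# 35 = TLS handshake failed, 60 = peer certificate could not be verified.
classify_curl_rc() {
    case "$1" in
        0)     echo "ok: HTTPS to ${LICENSE_HOST} works" ;;
        6)     echo "dns: cannot resolve ${LICENSE_HOST}, check the DNS settings" ;;
        7)     echo "tcp: cannot connect on TCP 443, check firewall and proxy" ;;
        28)    echo "timeout: no answer on TCP 443, check routing, firewall and proxy" ;;
        35|60) echo "cert: TLS handshake or certificate check failed, check FMC time and SSL decryption in the path" ;;
        *)     echo "unknown: curl exit code $1" ;;
    esac
}

# Live checks against the license cloud. Only run when invoked with --live,
# so the functions above can be sourced and tested offline. If the FMC
# reaches the Internet through a proxy, export https_proxy first; curl
# honours it, so the result then reflects the proxy path as well.
run_live_checks() {
    echo "FMC time: $(date)"

    if ntpq -pn 2>/dev/null | ntp_peer_selected; then
        echo "ntp: synchronized to a selected peer"
    else
        echo "ntp: no selected peer, fix NTP before you register"
    fi

    if getent hosts "$LICENSE_HOST" >/dev/null 2>&1; then
        echo "dns: ${LICENSE_HOST} resolves"
    else
        echo "dns: ${LICENSE_HOST} does not resolve"
    fi

    # -sS: quiet, but still print the error; the exit code carries the diagnosis.
    rc=0
    curl -sS --max-time 15 -o /dev/null "https://${LICENSE_HOST}/" || rc=$?
    classify_curl_rc "$rc"
}

if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

Run it as `sh smartlic_precheck.sh --live` on the FMC. A "cert:" result with a correct clock points at an SSL decryption device or intercepting proxy re-signing the session, which is exactly the path change the "Change the FMC Gateway" section recommends.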
Expired Token ID
Check that the issued token ID has not expired. If it has expired, ask the Smart Software Manager administrator to issue a new token and re-register the Smart License with the new token ID.
Change the FMC Gateway
There are cases where Smart License authentication cannot be performed correctly due to the effects of a relay proxy or an SSL decryption device. If possible, change the route for the FMC Internet access so that it does not pass through these devices, and try the Smart License registration again.
Check the Health Events on FMC
On the FMC, navigate to System > Health > Events and check the status of the Smart License Monitor module for errors. For example, if the connection fails because the certificate has expired, an error such as 'id certificate expired' is generated.
Check the Event Log on the SSM Side
If the FMC can connect to the SSM, you can check the event log of the connectivity in Inventory > Event Log. Check whether such event logs or error logs are present in the SSM. If there is no problem with the settings and operation on the FMC side, and there is no event log on the SSM side, the problem is probably in the route between the FMC and the SSM.
Summary of Registration and Authorization States
Product Registration State
Usage Authorization State
The FMC is neither in Registered nor in Evaluation mode. This is the initial state after FMC installation or after the 90-day Evaluation License expiration.
The FMC is registered with the Cisco Smart Software Manager (CSSM) and there are FTD devices registered with a valid subscription.
The FMC failed to communicate with the Cisco license backend for more than 90 days.
The FMC is registered with the Cisco Smart Software Manager (CSSM), but there are no FTD devices registered on the FMC.
The FMC is registered with the Cisco Smart Software Manager (CSSM), but there are FTD devices registered with an invalid subscription(s).
e.g. An FTD (FP4112) device uses a THREAT subscription, but in the Cisco Smart Software Manager (CSSM) there are no THREAT subscriptions available for the FP4112.
Evaluation (90 days)
The evaluation period is in use, but there are no FTD devices registered on FMC
Case study 1. Invalid Token
Symptom: Registration to the CSSM fails quickly (~10s) due to invalid token
Resolution: Use a valid token
Case study 2. Invalid DNS
Symptom: Registration to the CSSM failed after a while (~25s)
Check the /var/log/process_stdout.log file. You can see the DNS issue:
Resolution: The CSSM hostname cannot be resolved. Configure DNS if it is not configured, or fix the DNS issues.
Case study 3. Invalid Time Settings
Symptom: Registration to the CSSM failed after a while (~25s)
Check the /var/log/process_stdout.log file. You can see certificate issues:
2021-06-25 09:22:51 sla: *Fri Jun 25 09:22:39.716 UTC: CH-LIB-TRACE: ch_pf_curl_request_init, request "POST", url "https://tools.cisco.com/its/service/oddce/services/DDCEService"
2021-06-25 09:22:51 sla: *Fri Jun 25 09:22:39.716 UTC: CH-LIB-TRACE: ch_pf_curl_post_prepare, https related setting
2021-06-25 09:22:51 sla: *Fri Jun 25 09:22:39.716 UTC: CH-LIB-TRACE: ch_pf_curl_post_prepare, set ca info
2021-06-25 09:22:51 sla: *Fri Jun 25 09:22:39.716 UTC: CH-LIB-TRACE: ch_pf_curl_head_init, init msg header
2021-06-25 09:22:51 sla: *Fri Jun 25 09:22:40.205 UTC: CH-LIB-ERROR: ch_pf_curl_send_msg, failed to perform, err code 60, err string "SSL peer certificate or SSH remote key was not OK"
2021-06-25 09:22:51 sla: *Fri Jun 25 09:22:40.205 UTC: CH-LIB-TRACE: ch_pf_http_unlock, unlock http mutex.
2021-06-25 09:22:51 sla: *Fri Jun 25 09:22:40.205 UTC: CH-LIB-TRACE: ch_pf_send_http, send http msg, result 30
2021-06-25 09:22:51 sla: *Fri Jun 25 09:22:40.205 UTC: CH-LIB-TRACE: ch_pf_curl_is_cert_issue, cert issue checking, ret 60, url https://tools.cisco.com/its/service/oddce/services/DDCEService
Check the FMC time settings:
Fri Jun 25 09:27:22 UTC 2021
Case study 4. No Subscription
If there is no license subscription for a specific feature, the deployment from the FMC fails:
Resolution: Purchase the required subscription and apply it to the device.
Case study 5. Out-Of-Compliance (OOC)
If there is no entitlement for the FTD subscriptions, the FMC Smart License goes to the OOC state:
In the CSSM check the Alerts for errors:
Case study 6. No Strong Encryption
If you use only the Base License, only DES encryption is enabled in the FTD LINA engine. In that case, deployments such as an L2L VPN with stronger algorithms fail:
Resolution: Register the FMC to the CSSM and have the Strong Encryption attribute enabled.
Set Notification of Smart License State
Email notification by SSM
On the SSM side, SSM Email Notification allows you to receive summary e-mails for various events. For example, you can be notified for a lack of license or licenses that are about to expire. You can also receive notifications of product instance connection or update failure, etc.
This function is very useful to notice an upcoming license expiration in time and to prevent the functional restrictions that expiration causes.
Get Health Alert Notifications from FMC
On the FMC side, it is possible to configure a Health monitor Alert and receive an alert notification of a health event. The Module Smart License Monitor is available to check the Smart License status. The monitor alert supports Syslog, Email, and SNMP trap.
This is a configuration example to get a syslog message when a Smart License monitor event occurs:
This is an example of a Health Alert:
The syslog message generated by FMC:
Mar 13 18:47:10 xx.xx.xx.xx Mar 13 09:47:10 FMC : HMNOTIFY: Smart License Monitor (Sensor FMC): Severity: critical: Smart License usage is out of compliance
Refer to Health Monitoring for additional details about the Health Monitor Alerts.
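The HMNOTIFY syslog line shown above is what a log collector receives; to act on it, the collector has to pull out the module, the sensor and the severity. The script below is an added example, not part of the Cisco article: it assumes only the message layout visible in the sample line ("HMNOTIFY: <module> (Sensor <name>): Severity: <severity>: <text>") and keeps just the Smart License Monitor events of the severities you want to page on.

```shell
#!/bin/sh
# Added example (not from the Cisco article): parse the HMNOTIFY syslog line
# that the FMC health monitor sends and keep only Smart License Monitor
# events of selected severities. Assumes the message layout shown in the
# article: "... HMNOTIFY: <module> (Sensor <name>): Severity: <sev>: <text>".

# Print "module|sensor|severity|message" for the one HMNOTIFY syslog line
# given as the first argument; print nothing if the line is not HMNOTIFY.
hmnotify_parse() {
    printf '%s\n' "$1" | sed -n \
        's/.*HMNOTIFY: \(.*\) (Sensor \([^)]*\)): Severity: \([A-Za-z]*\): \(.*\)$/\1|\2|\3|\4/p'
}

# Read syslog lines on stdin and print one ALERT line for each Smart License
# Monitor event whose severity is in the space-separated list in $1
# (default: critical). Other modules and severities are dropped.
smart_license_alerts() {
    wanted="${1:-critical}"
    while IFS= read -r line; do
        rec=$(hmnotify_parse "$line")
        [ -n "$rec" ] || continue
        module=${rec%%|*}
        rest=${rec#*|};  sensor=${rest%%|*}
        rest=${rest#*|}; severity=${rest%%|*}
        message=${rest#*|}
        [ "$module" = "Smart License Monitor" ] || continue
        case " $wanted " in
            *" $severity "*) ;;
            *) continue ;;
        esac
        printf 'ALERT module=%s sensor=%s severity=%s msg="%s"\n' \
            "$module" "$sensor" "$severity" "$message"
    done
}
```

Feed it the syslog stream, e.g. `tail -F /var/log/fmc-health.log | sh -c '. ./hm.sh; smart_license_alerts "critical warning"'` (file name constructed for this example). For the sample line in the article it prints a single ALERT with severity critical and the message "Smart License usage is out of compliance", which is the Out-of-Compliance condition described in Case study 5.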
Multiple FMCs on the Same Smart Account
When you use multiple FMCs on the same Smart Account, the hostname of each FMC must be unique, so that you can distinguish each FMC when you manage them in the SSM. This is useful for FMC Smart License maintenance in operation.
FMC Must Maintain Internet Connectivity
After registration, the FMC checks the license cloud and the license status once every 30 days. If the FMC cannot communicate for 90 days, the licensed functions are maintained, but the FMC remains in Authorization Expired status. Even in this state, the FMC continuously tries to connect to the license cloud.
Deploy Multiple FMCv
When the Firepower System is used in a virtual environment, cloning (hot or cold) is not officially supported. Each Firepower Management Center Virtual (FMCv) is unique because it holds authentication information inside. If you want to deploy multiple FMCv, each FMCv must be created from the OVF file one by one. For more information about this limitation, refer to the Cisco Firepower Management Center Virtual for VMware Deployment Quick Start Guide.
Frequently Asked Questions (FAQ)
In FTD HA, how many device licenses are required?
When you use two FTDs in High Availability, a license is required for each device. For example, two threat and malware licenses are needed if you use the IPS and AMP feature on the FTD HA pair.
Why are AnyConnect licenses not consumed by the FTD?
After the FMC registration to the Smart Account, ensure that you enable the AnyConnect License. To enable the license, navigate to FMC > Devices, choose your device, and select License. Select the Pencil icon, choose the license which you have deposited in your Smart Account, and Save.
Why is only 1 AnyConnect license 'In Use' in the Smart Account when 100 users are connected?
This is expected behavior, as the Smart Account tracks the number of devices which have this license enabled, not the number of active users connected.
Why is there an error 'Device does not have the AnyConnect License' after configuration and deployment of a Remote Access VPN via FMC?
Ensure that the FMC is registered to the Smart License Cloud. The expected behavior is that you cannot deploy Remote Access configuration when FMC is unregistered or in Evaluation mode. If FMC is registered, ensure that the AnyConnect License exists in your Smart Account and it is assigned to the device.
To assign a license, navigate to FMC > Devices, choose your device, and select License (Pencil icon). Choose the license that you have in your Smart Account and Save.
Why is there an error 'Remote Access VPN with SSL cannot be deployed when Export-Controlled Features (Strong-crypto) are disabled' when you deploy a Remote Access VPN configuration?
The Remote Access VPN deployed on the FTD requires a Strong Encryption license to be enabled. Ensure that a Strong Encryption License is enabled on the FMC. To check the status of the Strong Encryption License, navigate to FMC System > Licenses > Smart Licensing and verify that Export-Controlled Features are enabled.
How can you enable a Strong Encryption License if 'Export-Controlled Features' is Disabled?
This functionality is enabled automatically if the token that was used to register the FMC to the Smart Account Cloud had the option Allow export-controlled functionality on the products registered with this token enabled. If the token does not have this option enabled, de-register the FMC and register it again with a token that has this option enabled.
What can you do if the option 'Allow export-controlled functionality on the products registered with this token' is not available when you generate the token?
Contact your Cisco Account team.
Why do you get the error 'Strong crypto (i.e encryption algorithm greater than DES) for VPN topology s2s is not supported'?
This error is displayed when the FMC uses Evaluation Mode or the Smart License Account is not entitled to a strong encryption license. Verify that the FMC is registered to the License Authority and that Allow export-controlled functionality on the products registered with this token is enabled. If the Smart Account is not allowed to use a strong encryption license, you cannot deploy a VPN Site-to-Site configuration with ciphers stronger than DES.
Why do you get Out of Compliance status on FMC?
The FMC shows Out of Compliance when one of its managed devices uses licenses that are not available in the Smart Account.
How can you fix the 'Out of Compliance' status?
Follow the steps described in the Firepower Configuration Guide:
1. Look at the Smart Licenses section at the bottom of the page to determine which licenses are needed.
2. Purchase the required licenses through your usual channels.
What are the Firepower Threat Defense Base Features?
The Base license allows you to:
Configure your FTD devices to perform switching and routing (including DHCP Relay and NAT).
Configure FTD devices in a high availability (HA) mode.
Configure security modules as a cluster within a Firepower 9300 chassis (intra-chassis clustering).
Configure Firepower 9300 or Firepower 4100 series devices (FTD) as a cluster (inter-chassis clustering).
Configure user and application control and add user and application conditions to access control rules.
How can you get the Firepower Threat Defense Base Features License?
A base license is automatically included with every purchase of a Firepower Threat Defense or Firepower Threat Defense Virtual device. It is automatically added to your Smart Account when the FTD registers to the FMC.
Which IPs must be allowed in the path between the FMC and the Smart Licensing Cloud?