The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes how to troubleshoot Smart Licensing Using Policy (SLP) using Smart Transport on Catalyst 9000 switches.
Cisco recommends that you have knowledge of and familiarity with this topic:
Smart Licensing Using Policy on Cisco IOSĀ® XE devices.
The information in this document is based on these software and hardware versions:
Note: Consult the appropriate configuration guide for the commands that are used in order to enable these features on other Cisco platforms.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Smart Licensing Using Policy is an enhanced version of Smart Licensing, designed with the primary goal of providing a licensing solution that ensures your network's operations remain uninterrupted. Rather than being disruptive, it establishes a compliance relationship to account for the hardware and software licenses you purchase and utilize.
For Smart Licensing reporting to function properly, the Catalyst 9000 switch connects with Cisco Smart Software Manager (CSSM) to report license usage. CSSM serves as a centralized platform to manage all Cisco software licenses and review usage, which helps plan for future licensing needs.
There are multiple topologies through which a Catalyst 9000 switch can connect to CSSM, but this document focuses on the specific topology in which the switch is directly connected to CSSM. This means that the switch must be capable of reaching and establishing a connection with CSSM, which is hosted on the Internet.
In this direct connection topology, there are two transport options: Smart Transport and Call Home, with Smart Transport being the recommended method. Additionally, Smart Transport supports the use of an HTTPS proxy and allows for the selection of a specific VRF to handle Smart Licensing communication with CSSM.
When using Smart Transport, the Catalyst 9000 switch exchanges license usage information with CSSM in JavaScript Object Notation (JSON) format within an HTTPS message. This information, known as the RUM Report, is sent by the switch, and the response from CSSM is referred to as an ACK.
The minimum reporting frequency for this topology is throttled to one day. This means the product instance will send no more than one RUM report per day, preventing an excessive number of reports from being generated and transmitted for certain licenses. This helps resolve memory-related issues and system slowdowns caused by an overproduction of RUM reports.
If needed, you can override this throttling restriction by using the license smart sync
command in privileged EXEC mode
Follow these steps to configure SLP with Smart Transport:
Configure Smart as the transport type, and use the default URL.
Switch#configure terminal
Switch(config)#license smart transport smart
Switch(config)#license smart url default
Note: If a VRF is used for Smart Transport, license smart vrf <vrf-name>
needs to be configured.
Configure the DNS server and source interface for DNS resolution and HTTP client connections.
Switch(config)#ip domain lookup
Switch(config)#ip name-server 10.31.104.74
Switch(config)#ip domain name cisco.com
Switch(config)#ip domain lookup source-interface Vlan10
Note: If a VRF is used for Smart Transport, the VRF variant of these commands needs to be used.
If needed, configure an HTTPS proxy.
Switch(config)#license smart proxy address 192.168.217.105
Switch(config)#license smart proxy port 80
Note: The proxy server can be configured using its IP address or hostname.
Generate a token in the Virtual Account. To complete this step, follow the process outlined in this document.
Install the trust code on the switch.
Switch#license smart trust idtoken NGFkODgzMGUtZmNkMS00NTRjLWI5MjUtYjI0YWYzZjU1ZGQzLTE3NDAyNjU5%0AODA0NTV8VXVHVjdvVjByejY1aVZYa0lCVkl12345FSk9WZTdDb3lhZEZT%0ANjkyST0%3D%0A all force [OK]
Upon successful Trust Establishment with CSSM, a syslog similar to this is shown.
*Jan 24 23:19:05.144: %SMART_LIC-6-TRUST_INSTALL_SUCCESS: A new licensing trust code was successfully installed on P:C9300-48UN,S:<SN>.
Additionally, show license status
shows the time of the Trust code installation.
Switch#show license status | i Trust Trust Code Installed: Jan 24 23:19:05 2025 UTC <--- Trust code was installed
Finally, the Virtual Account Event Log shows that the switch was added.
Virtual Account Event Log Showing Device.
If Trust Establishment with CSSM fails, a syslog indicating the reason for failure is shown.
*Jan 24 15:17:46.341: %SMART_LIC-3-COMM_FAILED: Communications failure with the Cisco Smart Software Manager (CSSM) : <Reason>
Possible reasons for communication failure include:
Unable to resolve server hostname/domain name: The Smart Transport URL or the proxy server hostname was not resolved by DNS. Validate name resolution configurations and reachability of the DNS server.
Connection timed out: The connection was attempted, but there was no response. Validate that the HTTPS connection with CSSM is being established using packet captures, and check if a device, such as a proxy server or firewall, is blocking connectivity. If using a proxy server, ensure the correct port is in use.
Follow these steps and validation commands to troubleshoot SLP with Smart Transport:
Validate Smart Licensing event logs.
Switch#show license eventlog 1 **** Event Log **** 2025-01-24 13:58:23.900 UTC SAEVT_INIT_START version="5.5.29_rel/114" 2025-01-24 13:58:23.922 UTC SAEVT_INIT_CRYPTO success="False" error="Crypto Initialization has not been completed" 2025-01-24 13:58:23.922 UTC SAEVT_HA_EVENT eventType="SmartAgentEvtHArmfRegister" 2025-01-24 13:58:27.620 UTC SAEVT_READY 2025-01-24 13:58:27.621 UTC SAEVT_ENABLED 2025-01-24 13:58:27.665 UTC SAEVT_EXPORT_FLAG exportAllowed="False" 2025-01-24 13:58:27.732 UTC SAEVT_PLATFORM eventSource="INFRA_SL" eventName="INFRA_SL_EVLOG_SYSDATA_FAIL" MSG="Get-SDL: not the active switch" 2025-01-24 13:58:27.742 UTC SAEVT_PLATFORM eventSource="INFRA_SL" eventName="INFRA_SL_EVLOG_SYSDATA_FAIL" MSG="Get-SDL: not the active switch" 2025-01-24 13:58:27.742 UTC SAEVT_TAG_AUTHORIZED count="1" entitlementTag="regid.2017-05.com.cisco.C9300_48P_NW_Advantagek9,1.0_6a224fe3-c92e-4440-a9c1-5d0e53a54015" 2025-01-24 13:58:27.744 UTC SAEVT_PLATFORM eventSource="INFRA_SL" eventName="INFRA_SL_EVLOG_SYSDATA_FAIL" MSG="Get-SDL: not the active switch" 2025-01-24 13:58:27.744 UTC SAEVT_PLATFORM eventSource="INFRA_SL" eventName="INFRA_SL_EVLOG_LICENSE_REQUEST" MSG="License network-advantage, dev C9300_48P, count 1, reslt 0, alt 0" 2025-01-24 13:58:27.763 UTC SAEVT_PLATFORM eventSource="INFRA_SL" eventName="INFRA_SL_EVLOG_SYSDATA_FAIL" MSG="Get-SDL: not the active switch" 2025-01-24 13:58:27.767 UTC SAEVT_PLATFORM eventSource="INFRA_SL" eventName="INFRA_SL_EVLOG_SYSDATA_FAIL" MSG="Get-SDL: not the active switch" 2025-01-24 13:58:27.767 UTC SAEVT_TAG_AUTHORIZED count="1" entitlementTag="regid.2017-05.com.cisco.C9300_48P_Dna_Advantage,1.0_60783b06-53ee-484c-b21e-615d3cf6837a" 2025-01-24 13:58:27.767 UTC SAEVT_PLATFORM eventSource="INFRA_SL" eventName="INFRA_SL_EVLOG_SYSDATA_FAIL" MSG="Get-SDL: not the active switch" 2025-01-24 13:58:27.768 UTC SAEVT_PLATFORM eventSource="INFRA_SL" eventName="INFRA_SL_EVLOG_LICENSE_REQUEST" MSG="License dna-advantage, dev C9300_48P, count 1, reslt 0, alt 0" 2025-01-24 13:58:30.425 UTC SAEVT_HA_EVENT eventType="SmartAgentEvtHArmfInitialize" 2025-01-24 13:58:30.431 UTC SAEVT_HA_CHASSIS_ROLE udi="PID:C9300-48UN,SN:<SN>" 2025-01-24 13:58:30.431 UTC SAEVT_HA_EVENT eventType="SmartAgentEvtHAchkptRegister" 2025-01-24 13:58:37.975 UTC SAEVT_HA_ROLE udi="PID:C9300-48UN,SN:<SN>" haRole="Active" 2025-01-24 13:58:38.048 UTC SAEVT_HA_CHASSIS_ROLE udi="PID:C9300-48UN,SN:<SN>" haRole="Active" 2025-01-24 13:58:38.048 UTC SAEVT_HA_ROLE udi="PID:C9300-48UN,SN:<SN>" haRole="Active" 2025-01-24 13:58:38.062 UTC SAEVT_INIT_CONFIG_READ_BEGIN 2025-01-24 13:58:40.884 UTC SAEVT_HOSTNAME_CHANGE 2025-01-24 13:58:41.734 UTC SAEVT_HA_EVENT eventType="SmartAgentSetNVPairs" 2025-01-24 13:58:42.408 UTC SAEVT_INIT_CONFIG_READ_DONE 2025-01-24 13:58:42.531 UTC SAEVT_PLATFORM eventSource="INFRA_SL" eventName="INFRA_SL_EVLOG_OIR_ADD" MSG="OIR Add evt 100 with slot-id 1" 2025-01-24 13:58:42.531 UTC SAEVT_HA_CONFIG 2025-01-24 13:58:42.531 UTC SAEVT_HA_UDI udi="PID:C9300-48UN,SN:<SN>" haRole="Active" 2025-01-24 13:58:42.732 UTC SAEVT_LICENSE_USAGE count="0" type="destroy" entitlementTag="regid.2017-05.com.cisco.C9300_48P_NW_Advantagek9,1.0_6a224fe3-c92e-4440-a9c1-5d0e53a54015" 2025-01-24 13:58:42.744 UTC SAEVT_LICENSE_USAGE count="0" type="destroy" entitlementTag="regid.2017-05.com.cisco.C9300_48P_Dna_Advantage,1.0_60783b06-53ee-484c-b21e-615d3cf6837a" 2025-01-24 13:58:43.140 UTC SAEVT_INIT_SYSTEM_INIT 2025-01-24 13:58:44.143 UTC SAEVT_INIT_CRYPTO success="False" error="Crypto Initialization has not been completed" 2025-01-24 13:59:14.143 UTC SAEVT_INIT_CRYPTO success="True" 2025-01-24 13:59:14.144 UTC SAEVT_COMM_RESTORED 2025-01-24 13:59:14.176 UTC SAEVT_INIT_COMPLETE 2025-01-24 14:00:14.145 UTC SAEVT_PRIVACY_CHANGED enabled="True" 2025-01-24 14:00:27.432 UTC SAEVT_UTILITY_REPORT_START 2025-01-24 15:17:46.341 UTC SAEVT_COMM_FAIL error="Connection timed out". <--- Connection timed out
2025-01-24 15:35:22.627 UTC SAEVT_COMM_RESTORED <--- Communication with CSSM restored
Validate connectivity with CSSM by sending a ping and attempting a telnet connection. This verifies that name resolution is occurring and that there is no administrative block between the switch and CSSM.
Switch#show ip interface brief | exclude unassigned Interface IP-Address OK? Method Status Protocol Vlan10 10.31.121.118 YES DHCP up up Switch#ping smartreceiver.cisco.com source Vlan10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to X.X.X.X, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 364/365/368 ms Switch#telnet smartreceiver.cisco.com 443 /ipv4 /source-interface vlan10 Trying X.X.X.X, 80 ... Open [Connection to X.X.X.X closed by foreign host]
Alternatively, if a proxy server is being used, you can try the same commands using the IP address and port of the proxy server.
Switch#ping 192.168.217.105 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.217.105, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 364/365/368 ms Switch#telnet 192.168.217.105 80 /ipv4 /source-interface vlan10 Trying 192.168.217.105, 80 ... Open [Connection to 192.168.217.105 closed by foreign host]
Validate that RUM reports are being sent and if there is a response.
Switch#show license history message Message History (oldest to newest): ==================================================== Trust Establishment: REQUEST: Jan 24 23:18:59 2025 UTC <--- RUM report was sent {"request":"{\"header\":{\"request_type\":\"ID_TOKEN_TRUST\",\"sudi\":{\"udi_pid\":\"C9300-48UN\",\"udi_serial_number\":\"<SN>\"},\"version\":\"1.3\",\"locale\":\"en_US.UTF-8\",\"product_instance_identifier\":\"\",\"nonce\":\"8620723070430261290\",\"timestamp\":1737760739943,\"connect_info\":{\"name\":\"C_agent\",\"version\":\"5.5.29_rel/114\",\"production\":true,\"additional_info\":\"\",\"capabilities\":[\"UTILITY\",\"DLC\",\"AppHA\",\"MULTITIER\",\"EXPORT_2\",\"OK_TRY_AGAIN\",\"POLICY_USAGE\",\"POLICY_USAGE\"]}},\"request_data\":\"{\\\"sudi\\\":{\\\"udi_pid\\\":\\\"C9300-48UN\\\",\\\"udi_serial_number\\\":\\\"<SN>\\\"},\\\"timestamp\\\":1737760738052,\\\"nonce\\\":\\\"8620723070430261290\\\",\\\"product_instance_identifier\\\":\\\"\\\",\\\"hostname\\\":\\\"Switch\\\",\\\"token\\\":\\\"<TOKEN>\\\",\\\"mode\\\":\\\"PERMANENT\\\",\\\"force\\\":true,\\\"software_tag_identifier\\\":\\\"regid.2017-05.com.cisco.C9300,v1_727af1d9-6c39-4444-b301-863f81445b72\\\",\\\"device_list\\\":[{\\\"sudi\\\":{\\\"udi_pid\\\":\\\"C9300-48UN\\\",\\\"udi_serial_number\\\":\\\"<SN>\\\"},\\\"trust_id\\\":612,\\\"software_tag_identifier\\\":\\\"regid.2017-05.com.cisco.C9300,v1_727af1d9-6c39-4444-b301-863f81445b72\\\",\\\"product_instance_identifier\\\":\\\"\\\",\\\"csr\\\":\\\"MIICnjCCAYYCAQAwODE2MDQGA1UEAxMtOTFEMjVFMTcwRDM5RDAzOUI5M0VFMTE1Q0VDQTA4MEJDRjI4ODg1MTo6MSwyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq7F1KkAKcIUuHDIF+IilYAXIKew4Pz42X3Pz49nVwm93e3lURk7I5f8W9Q6Pe6JiRYsgmpvdZgbQcX6pi57oYw/E50C76JDLChQ4uB9S5NyaYwdj3QaK2Uw9pNlu0JsUXaShtXMi3JC1kcXG1qGfMxYp/LBJUub8BxtOB71b5a4CX0Sz08pB3y4WhYd8o43xT4lxe0LiBITG6Ds6TO228/9LFKD9O65wiVP7Pg2w5A6lsgQjGg1XU0dfNyD5+zmzKK5YiObi2X3wQFgKRBUX6T0v7RkWRmDuRyWz5tiDPZtVxRRXPq91dxTK2C6+jrTZ7HaE9vTunqGFsWNYjxBLXwIDAQABoCEwHwYJKoZIhvcNAQkOMRIwEDAOBgNVHQ8BAf8EBAMCBaAwDQYJKoZIhvcNAQELBQADggEBAD8vAO7LrD2yEubZPE4/OW+8pAHXRSpW4SQGP99dwiGpYT/0+8iD9wjyBWPZU5ysmYSAKlUzFqB57MIqXjHUdMAZnypL59YALXjVkAAJzof+bpwTIgvy2oYxsNvfW4AkuslJOUPINW9crqIMFEKSlNgcmaYHd6u/KO3tk5vufPM0vh2xnIHLyWlwBlga+TOS1VNwZl8PFSHTY7OAzd2d6c6+je+CSl1QvHZVmW5KgrkUIbv+YsAieZD7a2bTWOcdYR3AVqm34c3luzqTn6rq/xaTaGbi1dyR1PlD4uEDQeSewdkpTrmyWhYHUdLuN4c3NhIZqOAoaOk1TE1QGJSSh5s=\\\",\\\"id_cert_sn\\\":\\\"\\\"}]}\"}"} RESPONSE: Jan 24 23:19:05 2025 UTC <--- Response from CSSM was received {"signature":{"type":null,"value":null,"piid":null,"cert_sn":null},"response":"{\"header\":{\"version\":\"1.3\",\"locale\":\"en_US.UTF-8\",\"timestamp\":1737760824972,\"nonce\":\"8620723070430261290\",\"request_type\":\"ID_TOKEN_TRUST\",\"sudi\":{\"udi_pid\":\"C9300-48UN\",\"udi_serial_number\":\"<SN>\"},\"agent_actions\":null,\"connect_info\":{\"name\":\"SSM\",\"version\":\"1.3\",\"production\":true,\"capabilities\":[\"DLC\",\"AppHA\",\"EXPORT_2\",\"POLICY_USAGE\",\"UTILITY\"],\"additional_info\":\"\"},\"product_instance_identifier\":\"\",\"id_cert_serial_number\":null,\"signing_cert_serial_number\":null},\"status_code\":\"OK\",\"status_message\":\"OK\",\"retry_time_seconds\":0,\"response_data\":\"{\\\"nonce\\\":\\\"8620723070430261290\\\",\\\"sudi\\\":{\\\"udi_pid\\\":\\\"C9300-48UN\\\",\\\"udi_serial_number\\\":\\\"<SN>\\\"},\\\"smart_account_name\\\":\\\"<ACCOUNT>\\\",\\\"pool_name\\\":\\\"<VIRTUAL_ACCOUNT>\\\",\\\"device_list\\\":[{\\\"sudi\\\":{\\\"udi_pid\\\":\\\"C9300-48UN\\\",\\\"udi_serial_number\\\":\\\"<SN>\\\"},\\\"smart_license\\\":\\\<LICENSE>\\\",\\\"product_instance_identifier\\\":\\\"6c5ea69b-4881-4396-bfa6-6a53bd5894a4\\\"}]}\"}","sch_response":null} Usage Reporting: No past history Result Polling: No past history Authorization Request: No past history Authorization Return: No past history Trust Sync: No past history Import Message History (oldest to newest): ==================================================== Import POLICY: No past Import history Import AUTH: No past Import history Import TRUST CODE: Received on Jan 24 23:19:05 2025 UTC <TRUST_CODE> Import RUM ACK: No past Import history Import CONVERSION ACK: No past Import history Import ACCOUNT INFO: Last policy received on Jan 24 23:19:05 2025 UTC <ACCOUNT_INFO> Switch#show license tech support | sec Trust Trust Establishment: Attempts: Total=1, Success=1, Fail=0 Ongoing Failure: Overall=0 Communication=0 Last Response: OK on Jan 24 23:19:05 2025 UTC <--- Trust establishment succeeded Failure Reason: Last Success Time: Jan 24 23:19:05 2025 UTC Last Failure Time: Trust Acknowledgement: Attempts: Total=0, Success=0, Fail=0 Ongoing Failure: Overall=0 Communication=0 Last Response: Failure Reason: Last Success Time: Last Failure Time: Trust Sync: Attempts: Total=1, Success=1, Fail=0 Ongoing Failure: Overall=0 Communication=0 Last Response: OK on Jan 24 23:19:50 2025 UTC Failure Reason: Last Success Time: Jan 24 23:19:50 2025 UTC Last Failure Time: Trusted Store Interface: True Local Device: P:C9300-48UN,S:<SN>, state[2], Trust Data INSTALLED TrustId:612 Overall Trust: INSTALLED (2) <--- Trust code installed
If there request is sent but there is no response from CSSM, show license history message
command shows no JSON data for the given response and more details about the failure can be obtained.
Switch#show license history message ! <--- Output omitted for brevity ---> Trust Establishment: REQUEST: Feb 21 16:54:49 2025 UTC {"request":"{\"header\":{\"request_type\":\"ID_TOKEN_TRUST\",\"sudi\":{\"udi_pid\":\"C9300X-12Y\",\"udi_serial_number\":\"<SN>\"},\"version\":\"1.3\",\"locale\":\"en_US.UTF-8\",\"product_instance_identifier\":\"\",\"nonce\":\"418461674986421033\",\"timestamp\":1740156889326,\"connect_info\":{\"name\":\"C_agent\",\"version\":\"5.5.29_rel/114\",\"production\":true,\"additional_info\":\"\",\"capabilities\":[\"UTILITY\",\"DLC\",\"AppHA\",\"MULTITIER\",\"EXPORT_2\",\"OK_TRY_AGAIN\",\"POLICY_USAGE\",\"POLICY_USAGE\"]}},\"request_data\":\"{\\\"sudi\\\":{\\\"udi_pid\\\":\\\"C9300X-12Y\\\",\\\"udi_serial_number\\\":\\\"<SN>\\\"},\\\"timestamp\\\":1740156888584,\\\"nonce\\\":\\\"418461674986421033\\\",\\\"product_instance_identifier\\\":\\\"\\\",\\\"hostname\\\":\\\"F241.24.06-9300-1\\\",\\\"token\\\":\\\"MzgwMDAwMTItOGVkOC00OWExLTgzZmEtMzVhNTZkMDAyNTJhLTE3NDI3NDgy%0ANDkyMTF8U1N4MFV0RDgzdytvY0EwL1FrRHBEaDJ6bW8yTDlpa3BsazJKbkxE%0ASXpwND0%3D%0A\\\",\\\"mode\\\":\\\"PERMANENT\\\",\\\"force\\\":true,\\\"software_tag_identifier\\\":\\\"regid.2017-05.com.cisco.C9300,v1_727af1d9-6c39-4444-b301-863f81445b72\\\",\\\"device_list\\\":[{\\\"sudi\\\":{\\\"udi_pid\\\":\\\"C9300X-12Y\\\",\\\"udi_serial_number\\\":\\\"<SN>\\\"},\\\"trust_id\\\":497,\\\"software_tag_identifier\\\":\\\"regid.2017-05.com.cisco.C9300,v1_727af1d9-6c39-4444-b301-863f81445b72\\\",\\\"product_instance_identifier\\\":\\\"\\\",\\\"csr\\\":\\\"MIICnjCCAYYCAQAwODE2MDQGA1UEAxMtODhFMzcyODRBOTYwN0U1MDhERDJCMTdERkYyNTJBOTZDQjA1ODNENzo6MSwyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxTl8H93Q05evxmYkBYIq1hwyXqmkw24AHfnxGLFw7SaiN3bCKmYnG31vYzAbgcq3fq2LD6dtzFLrXm7t43wiF+kLtkgh4a+W9cl6PaiPXr9pxEBSxuMokfUZBd9OU7e83wCtH+0bUeSsdFHpTyIiynodF92NHwjsR4eRB5fAnx1qqbZBNa4ntgj11HQ1X9pN31PY7Wc18iEGRhYgR5ljGpgvhnfzno6M8jG4wplxuiA3oWvYO8BaXkQHRf6QofQIXfmsgGAddtJqw2UzcSLWaelbuHB1yhnhWTD5mpRFQYxuLU87ndr/G8PaCreJ/RzjikSLgEes4hF34i13ab8LGwIDAQABoCEwHwYJKoZIhvcNAQkOMRIwEDAOBgNVHQ8BAf8EBAMCBaAwDQYJKoZIhvcNAQEFBQADggEBAAOUiLz9nZ+C2mGI31ZqrK1iV/C1GWNXJajWisRhFBgSANgFs7cLfAJhZtEXF1PY+0PQGRAeR/zwCpYwIq/cI7jLjqXAaHkNmEeRsidWv+pMxNwjR4csSJk+PNqeqwXzVIhsJTEU5E8jchwzI1i26STUDjKJhHW+Z1wgDYBCPldl2CA2D7c71s4/UirEPoEEiFtrxtGi8KvldRPFEis8vaX8OGNV4H/t1+SSU4UW5resHpABusJSM2SJNTOsX6f+7IULqPQJjoGs0pqu+EyHcjglSYolMsIqE1x9jzdKGN+wy3p4my3a0PNfiHF3RofSkXMk++idw9v8+kHV9m+Ym9A=\\\",\\\"id_cert_sn\\\":\\\"\\\"}]}\"}"} RESPONSE: Feb 21 16:54:49 2025 UTC <--- The line is empty, which means there was no response from CSSM REQUEST: Feb 21 16:55:19 2025 UTC {"request":"{\"header\":{\"request_type\":\"ID_TOKEN_TRUST\",\"sudi\":{\"udi_pid\":\"C9300X-12Y\",\"udi_serial_number\":\"<SN>\"},\"version\":\"1.3\",\"locale\":\"en_US.UTF-8\",\"product_instance_identifier\":\"\",\"nonce\":\"17639638978924380272\",\"timestamp\":1740156919824,\"connect_info\":{\"name\":\"C_agent\",\"version\":\"5.5.29_rel/114\",\"production\":true,\"additional_info\":\"\",\"capabilities\":[\"UTILITY\",\"DLC\",\"AppHA\",\"MULTITIER\",\"EXPORT_2\",\"OK_TRY_AGAIN\",\"POLICY_USAGE\",\"POLICY_USAGE\"]}},\"request_data\":\"{\\\"sudi\\\":{\\\"udi_pid\\\":\\\"C9300X-12Y\\\",\\\"udi_serial_number\\\" ! <--- Output omitted for brevity --->
Switch#show license tech support | sec Trust
Trust Establishment:
Attempts: Total=2, Success=0, Fail=2 Ongoing Failure: Overall=2 Communication=2
Last Response: NO REPLY on Feb 21 16:55:39 2025 UTC <--- Failure reason was NO REPLY
Failure Reason: <none>
Last Success Time: <none>
Last Failure Time: Feb 21 16:55:39 2025 UTC
Trust Acknowledgement:
Attempts: Total=0, Success=0, Fail=0 Ongoing Failure: Overall=0 Communication=0
Last Response: <none>
Failure Reason: <none>
Last Success Time: <none>
Last Failure Time: <none>
Trust Sync:
Attempts: Total=0, Success=0, Fail=0 Ongoing Failure: Overall=0 Communication=0
Last Response: <none>
Failure Reason: <none>
Last Success Time: <none>
Last Failure Time: <none>
Trusted Store Interface: True
Local Device: P:C9300-48UN,S:<SN>, state[1], NOT INSTALLED TrustId:605 <--- Trust point exists but it is not installed yet
Overall Trust: No ID
Trigger the switch to send a RUM report to synchronize with CSSM.
Switch#show clock
*23:38:54.683 UTC Fri Jan 24 2025
Switch#show license tech support | i Utility Utility: Start Utility Measurements: Jan 24 23:35:55 2025 UTC (4 minutes, 38 seconds remaining) Send Utility RUM reports: Feb 23 23:20:56 2025 UTC (29 days, 23 hours, 49 minutes, 39 seconds remaining) <--- Next RUM report to be sent in 29 days Process Utility RUM reports: Jan 25 23:30:58 2025 UTC (23 hours, 59 minutes, 41 seconds remaining) Switch#show license history message | i REQUEST REQUEST: Jan 24 23:18:59 2025 UTC REQUEST: Jan 24 23:20:50 2025 UTC REQUEST: Jan 24 23:25:55 2025 UTC REQUEST: Jan 24 23:19:41 2025 UTC Switch#license smart sync all <--- Trigger synchronization Switch#show license history message | i REQUEST REQUEST: Jan 24 23:18:59 2025 UTC REQUEST: Jan 24 23:20:50 2025 UTC REQUEST: Jan 24 23:25:55 2025 UTC REQUEST: Jan 24 23:19:41 2025 UTC REQUEST: Jan 24 23:39:05 2025 UTC <--- New RUM report was sent Switch#show license tech support | sec Trust Trust Establishment: Attempts: Total=1, Success=1, Fail=0 Ongoing Failure: Overall=0 Communication=0 Last Response: OK on Jan 24 23:19:05 2025 UTC Failure Reason: Last Success Time: Jan 24 23:19:05 2025 UTC Last Failure Time: Trust Acknowledgement: Attempts: Total=0, Success=0, Fail=0 Ongoing Failure: Overall=0 Communication=0 Last Response: Failure Reason: Last Success Time: Last Failure Time: Trust Sync: Attempts: Total=2, Success=2, Fail=0 Ongoing Failure: Overall=0 Communication=0 Last Response: OK on Jan 24 23:39:14 2025 UTC <--- Successful response from CSSM Failure Reason: Last Success Time: Jan 24 23:39:14 2025 UTC Last Failure Time: Trusted Store Interface: True Local Device: P:C9300-48UN,S:<SN>, state[2], Trust Data INSTALLED TrustId:612 Overall Trust: INSTALLED (2)
To validate that the switch is establishing the HTTPS connection with the CSSM, you can take a packet capture. This is an example packet capture of a successful connection using a proxy server.
Switch#sh ip cef 10.31.104.78 0.0.0.0/0 nexthop 10.31.121.65 Vlan10 Switch#sh ip arp 10.31.121.65 Protocol Address Age (min) Hardware Addr Type Interface Internet 10.31.121.65 0 2c31.24b1.6bc6 ARPA Vlan10 Switch#show mac address-table address 2c31.24b1.6bc6 Mac Address Table ------------------------------------------- Vlan Mac Address Type Ports ---- ----------- -------- ----- 10 2c31.24b1.6bc6 DYNAMIC Fi1/0/48 Total Mac Addresses for this criterion: 1 Switch#monitor capture CSSM interface Fi1/0/48 both match any Switch#monitor capture CSSM start Started capture point : CSSM Switch#show clock *15:41:10.058 UTC Fri Jan 24 2025 Switch#license smart sync all Switch#sh license hist mess | i REQUEST REQUEST: Jan 24 15:35:17 2025 UTC
REQUEST: Jan 24 15:41:58 2025 UTC Switch#monitor capture CSSM stop
Switch#monitor capture CSSM export location flash:slp-proxy-https-connection.pcap
Export Started Successfully
Packet Capture of Successful HTTPS Connection with CSSM Using a Proxy Server.
If the packet capture shows that the HTTPS connection is attempting to be established but fails, it could be due to a TLS or SSL handshake failure. These debugs can be used for further investigation.
debug ip http client all debug ssl openssl states debug ssl openssl errors debug crypto pki messages debug crypto pki transactions
If at any point the installed trust code needs to be removed from the switch, a Smart Licensing factory reset can be performed. This process requires a reload. After the factory reset, a new trust code can be installed. Using this command removes all licensing information, including the policy.
Switch#license smart factory reset %Warning: reload required after "license smart factory reset" command Switch#show license status | include Trust
Trust Code Installed: <none> <--- Installed trust code now shows none
Switch#reload
Revision | Publish Date | Comments |
---|---|---|
1.0 |
14-Mar-2025
|
Initial Release |