Troubleshoot SLP Smart Transport on Catalyst 9000 Switches

Introduction

This document describes how to troubleshoot Smart Licensing Using Policy (SLP) using Smart Transport on Catalyst 9000 switches.

Prerequisites

Requirements

Cisco recommends that you have knowledge of and familiarity with this topic:

• Smart Licensing Using Policy on Cisco IOS® XE devices.

Components Used

The information in this document is based on these software and hardware versions:

• Catalyst 9200
• Catalyst 9300
• Catalyst 9400
• Catalyst 9500
• Catalyst 9600
• Cisco IOS XE 17.9.1 and later versions

Note: Consult the appropriate configuration guide for the commands that are used in order to enable these features on other Cisco platforms.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

Smart Licensing Using Policy is an enhanced version of Smart Licensing, designed with the primary goal of providing a licensing solution that ensures your network's operations remain uninterrupted. Rather than being disruptive, it establishes a compliance relationship to account for the hardware and software licenses you purchase and utilize.

For Smart Licensing reporting to function properly, the Catalyst 9000 switch connects with Cisco Smart Software Manager (CSSM) to report license usage. CSSM serves as a centralized platform to manage all Cisco software licenses and review usage, which helps plan for future licensing needs.

There are multiple topologies through which a Catalyst 9000 switch can connect to CSSM, but this document focuses on the specific topology in which the switch is directly connected to CSSM. This means that the switch must be capable of reaching and establishing a connection with CSSM, which is hosted on the Internet.

In this direct connection topology, there are two transport options: Smart Transport and Call Home, with Smart Transport being the recommended method. Additionally, Smart Transport supports the use of an HTTPS proxy and allows for the selection of a specific VRF to handle Smart Licensing communication with CSSM.

When using Smart Transport, the Catalyst 9000 switch exchanges license usage information with CSSM in JavaScript Object Notation (JSON) format within an HTTPS message. This information, known as the RUM Report, is sent by the switch, and the response from CSSM is referred to as an ACK.

The minimum reporting frequency for this topology is throttled to one day. This means the product instance will send no more than one RUM report per day, preventing an excessive number of reports from being generated and transmitted for certain licenses. This helps resolve memory-related issues and system slowdowns caused by an overproduction of RUM reports.

If needed, you can override this throttling restriction by using the license smart sync command in privileged EXEC mode

Configure

Follow these steps to configure SLP with Smart Transport:

1. Configure Smart as the transport type, and use the default URL.

   Switch#configure terminal
   Switch(config)#license smart transport smart
   Switch(config)#license smart url default

   

   Note: If a VRF is used for Smart Transport, license smart vrf <vrf-name> needs to be configured.

2. Configure the DNS server and source interface for DNS resolution and HTTP client connections.

   Switch(config)#ip domain lookup
   Switch(config)#ip name-server 10.31.104.74
   Switch(config)#ip domain name cisco.com
   Switch(config)#ip domain lookup source-interface Vlan10
   

   

   Note: If a VRF is used for Smart Transport, the VRF variant of these commands needs to be used.

3. If needed, configure an HTTPS proxy.

   Switch(config)#license smart proxy address 192.168.217.105
   Switch(config)#license smart proxy port 80
   

   

   Note: The proxy server can be configured using its IP address or hostname.

4. Generate a token in the Virtual Account. To complete this step, follow the process outlined in this document.

5. Install the trust code on the switch.

   Switch#license smart trust idtoken NGFkODgzMGUtZmNkMS00NTRjLWI5MjUtYjI0YWYzZjU1ZGQzLTE3NDAyNjU5%0AODA0NTV8VXVHVjdvVjByejY1aVZYa0lCVkl12345FSk9WZTdDb3lhZEZT%0ANjkyST0%3D%0A all force
   
   [OK]
   
   

   Upon successful Trust Establishment with CSSM, a syslog similar to this is shown.

   *Jan 24 23:19:05.144: %SMART_LIC-6-TRUST_INSTALL_SUCCESS: A new licensing trust code was successfully installed on P:C9300-48UN,S:<SN>.
   

   Additionally, show license status shows the time of the Trust code installation.

   Switch#show license status  | i Trust
   Trust Code Installed: Jan 24 23:19:05 2025 UTC  <--- Trust code was installed
   

   Finally, the Virtual Account Event Log shows that the switch was added.

   Virtual Account Event Log Showing Device.

Troubleshoot

If Trust Establishment with CSSM fails, a syslog indicating the reason for failure is shown.

*Jan 24 15:17:46.341: %SMART_LIC-3-COMM_FAILED: Communications failure with the Cisco Smart Software Manager (CSSM) : <Reason>

Possible reasons for communication failure include:

• Unable to resolve server hostname/domain name: The Smart Transport URL or the proxy server hostname was not resolved by DNS. Validate name resolution configurations and reachability of the DNS server.

• Connection timed out: The connection was attempted, but there was no response. Validate that the HTTPS connection with CSSM is being established using packet captures, and check if a device, such as a proxy server or firewall, is blocking connectivity. If using a proxy server, ensure the correct port is in use.

Follow these steps and validation commands to troubleshoot SLP with Smart Transport:

1. Validate Smart Licensing event logs.

   Switch#show license eventlog 1
   **** Event Log ****
   
   2025-01-24 13:58:23.900 UTC SAEVT_INIT_START version="5.5.29_rel/114"
   2025-01-24 13:58:23.922 UTC SAEVT_INIT_CRYPTO success="False" error="Crypto Initialization has not been completed"
   2025-01-24 13:58:23.922 UTC SAEVT_HA_EVENT eventType="SmartAgentEvtHArmfRegister"
   2025-01-24 13:58:27.620 UTC SAEVT_READY
   2025-01-24 13:58:27.621 UTC SAEVT_ENABLED
   2025-01-24 13:58:27.665 UTC SAEVT_EXPORT_FLAG exportAllowed="False"
   2025-01-24 13:58:27.732 UTC SAEVT_PLATFORM eventSource="INFRA_SL" eventName="INFRA_SL_EVLOG_SYSDATA_FAIL" MSG="Get-SDL: not the active switch"
   2025-01-24 13:58:27.742 UTC SAEVT_PLATFORM eventSource="INFRA_SL" eventName="INFRA_SL_EVLOG_SYSDATA_FAIL" MSG="Get-SDL: not the active switch"
   2025-01-24 13:58:27.742 UTC SAEVT_TAG_AUTHORIZED count="1" entitlementTag="regid.2017-05.com.cisco.C9300_48P_NW_Advantagek9,1.0_6a224fe3-c92e-4440-a9c1-5d0e53a54015"
   2025-01-24 13:58:27.744 UTC SAEVT_PLATFORM eventSource="INFRA_SL" eventName="INFRA_SL_EVLOG_SYSDATA_FAIL" MSG="Get-SDL: not the active switch"
   2025-01-24 13:58:27.744 UTC SAEVT_PLATFORM eventSource="INFRA_SL" eventName="INFRA_SL_EVLOG_LICENSE_REQUEST" MSG="License network-advantage, dev C9300_48P, count 1, reslt 0, alt 0"
   2025-01-24 13:58:27.763 UTC SAEVT_PLATFORM eventSource="INFRA_SL" eventName="INFRA_SL_EVLOG_SYSDATA_FAIL" MSG="Get-SDL: not the active switch"
   2025-01-24 13:58:27.767 UTC SAEVT_PLATFORM eventSource="INFRA_SL" eventName="INFRA_SL_EVLOG_SYSDATA_FAIL" MSG="Get-SDL: not the active switch"
   2025-01-24 13:58:27.767 UTC SAEVT_TAG_AUTHORIZED count="1" entitlementTag="regid.2017-05.com.cisco.C9300_48P_Dna_Advantage,1.0_60783b06-53ee-484c-b21e-615d3cf6837a"
   2025-01-24 13:58:27.767 UTC SAEVT_PLATFORM eventSource="INFRA_SL" eventName="INFRA_SL_EVLOG_SYSDATA_FAIL" MSG="Get-SDL: not the active switch"
   2025-01-24 13:58:27.768 UTC SAEVT_PLATFORM eventSource="INFRA_SL" eventName="INFRA_SL_EVLOG_LICENSE_REQUEST" MSG="License dna-advantage, dev C9300_48P, count 1, reslt 0, alt 0"
   2025-01-24 13:58:30.425 UTC SAEVT_HA_EVENT eventType="SmartAgentEvtHArmfInitialize"
   2025-01-24 13:58:30.431 UTC SAEVT_HA_CHASSIS_ROLE udi="PID:C9300-48UN,SN:<SN>"
   2025-01-24 13:58:30.431 UTC SAEVT_HA_EVENT eventType="SmartAgentEvtHAchkptRegister"
   2025-01-24 13:58:37.975 UTC SAEVT_HA_ROLE udi="PID:C9300-48UN,SN:<SN>" haRole="Active"
   2025-01-24 13:58:38.048 UTC SAEVT_HA_CHASSIS_ROLE udi="PID:C9300-48UN,SN:<SN>" haRole="Active"
   2025-01-24 13:58:38.048 UTC SAEVT_HA_ROLE udi="PID:C9300-48UN,SN:<SN>" haRole="Active"
   2025-01-24 13:58:38.062 UTC SAEVT_INIT_CONFIG_READ_BEGIN
   2025-01-24 13:58:40.884 UTC SAEVT_HOSTNAME_CHANGE
   2025-01-24 13:58:41.734 UTC SAEVT_HA_EVENT eventType="SmartAgentSetNVPairs"
   2025-01-24 13:58:42.408 UTC SAEVT_INIT_CONFIG_READ_DONE
   2025-01-24 13:58:42.531 UTC SAEVT_PLATFORM eventSource="INFRA_SL" eventName="INFRA_SL_EVLOG_OIR_ADD" MSG="OIR Add evt 100 with slot-id 1"
   2025-01-24 13:58:42.531 UTC SAEVT_HA_CONFIG
   2025-01-24 13:58:42.531 UTC SAEVT_HA_UDI udi="PID:C9300-48UN,SN:<SN>" haRole="Active"
   2025-01-24 13:58:42.732 UTC SAEVT_LICENSE_USAGE count="0" type="destroy" entitlementTag="regid.2017-05.com.cisco.C9300_48P_NW_Advantagek9,1.0_6a224fe3-c92e-4440-a9c1-5d0e53a54015"
   2025-01-24 13:58:42.744 UTC SAEVT_LICENSE_USAGE count="0" type="destroy" entitlementTag="regid.2017-05.com.cisco.C9300_48P_Dna_Advantage,1.0_60783b06-53ee-484c-b21e-615d3cf6837a"
   2025-01-24 13:58:43.140 UTC SAEVT_INIT_SYSTEM_INIT
   2025-01-24 13:58:44.143 UTC SAEVT_INIT_CRYPTO success="False" error="Crypto Initialization has not been completed"
   2025-01-24 13:59:14.143 UTC SAEVT_INIT_CRYPTO success="True"
   2025-01-24 13:59:14.144 UTC SAEVT_COMM_RESTORED
   2025-01-24 13:59:14.176 UTC SAEVT_INIT_COMPLETE
   2025-01-24 14:00:14.145 UTC SAEVT_PRIVACY_CHANGED enabled="True"
   2025-01-24 14:00:27.432 UTC SAEVT_UTILITY_REPORT_START
   2025-01-24 15:17:46.341 UTC SAEVT_COMM_FAIL error="Connection timed out".  <--- Connection timed out
   2025-01-24 15:35:22.627 UTC SAEVT_COMM_RESTORED <--- Communication with CSSM restored
   
   

2. Validate connectivity with CSSM by sending a ping and attempting a telnet connection. This verifies that name resolution is occurring and that there is no administrative block between the switch and CSSM.

   Switch#show ip interface brief | exclude unassigned
   Interface              IP-Address      OK? Method Status                Protocol
   Vlan10                 10.31.121.118   YES DHCP   up                    up      
   
   Switch#ping  smartreceiver.cisco.com source Vlan10
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to X.X.X.X, timeout is 2 seconds:
   !!!!!
   Success rate is 100 percent (5/5), round-trip min/avg/max = 364/365/368 ms
   
   Switch#telnet  smartreceiver.cisco.com 443 /ipv4 /source-interface vlan10
   Trying X.X.X.X, 80 ... Open
   
   [Connection to X.X.X.X closed by foreign host]
   
   

   Alternatively, if a proxy server is being used, you can try the same commands using the IP address and port of the proxy server.

   Switch#ping  192.168.217.105
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to 192.168.217.105, timeout is 2 seconds:
   !!!!!
   Success rate is 100 percent (5/5), round-trip min/avg/max = 364/365/368 ms
   
   Switch#telnet  192.168.217.105 80 /ipv4 /source-interface vlan10
   Trying 192.168.217.105, 80 ... Open
   
   [Connection to 192.168.217.105 closed by foreign host]
   

3. Validate that RUM reports are being sent and if there is a response.

   Switch#show license history message        
   
   Message History (oldest to newest):
   ====================================================
   Trust Establishment:
     REQUEST: Jan 24 23:18:59 2025 UTC    <--- RUM report was sent
   {"request":"{\"header\":{\"request_type\":\"ID_TOKEN_TRUST\",\"sudi\":{\"udi_pid\":\"C9300-48UN\",\"udi_serial_number\":\"<SN>\"},\"version\":\"1.3\",\"locale\":\"en_US.UTF-8\",\"product_instance_identifier\":\"\",\"nonce\":\"8620723070430261290\",\"timestamp\":1737760739943,\"connect_info\":{\"name\":\"C_agent\",\"version\":\"5.5.29_rel/114\",\"production\":true,\"additional_info\":\"\",\"capabilities\":[\"UTILITY\",\"DLC\",\"AppHA\",\"MULTITIER\",\"EXPORT_2\",\"OK_TRY_AGAIN\",\"POLICY_USAGE\",\"POLICY_USAGE\"]}},\"request_data\":\"{\\\"sudi\\\":{\\\"udi_pid\\\":\\\"C9300-48UN\\\",\\\"udi_serial_number\\\":\\\"<SN>\\\"},\\\"timestamp\\\":1737760738052,\\\"nonce\\\":\\\"8620723070430261290\\\",\\\"product_instance_identifier\\\":\\\"\\\",\\\"hostname\\\":\\\"Switch\\\",\\\"token\\\":\\\"<TOKEN>\\\",\\\"mode\\\":\\\"PERMANENT\\\",\\\"force\\\":true,\\\"software_tag_identifier\\\":\\\"regid.2017-05.com.cisco.C9300,v1_727af1d9-6c39-4444-b301-863f81445b72\\\",\\\"device_list\\\":[{\\\"sudi\\\":{\\\"udi_pid\\\":\\\"C9300-48UN\\\",\\\"udi_serial_number\\\":\\\"<SN>\\\"},\\\"trust_id\\\":612,\\\"software_tag_identifier\\\":\\\"regid.2017-05.com.cisco.C9300,v1_727af1d9-6c39-4444-b301-863f81445b72\\\",\\\"product_instance_identifier\\\":\\\"\\\",\\\"csr\\\":\\\"MIICnjCCAYYCAQAwODE2MDQGA1UEAxMtOTFEMjVFMTcwRDM5RDAzOUI5M0VFMTE1Q0VDQTA4MEJDRjI4ODg1MTo6MSwyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq7F1KkAKcIUuHDIF+IilYAXIKew4Pz42X3Pz49nVwm93e3lURk7I5f8W9Q6Pe6JiRYsgmpvdZgbQcX6pi57oYw/E50C76JDLChQ4uB9S5NyaYwdj3QaK2Uw9pNlu0JsUXaShtXMi3JC1kcXG1qGfMxYp/LBJUub8BxtOB71b5a4CX0Sz08pB3y4WhYd8o43xT4lxe0LiBITG6Ds6TO228/9LFKD9O65wiVP7Pg2w5A6lsgQjGg1XU0dfNyD5+zmzKK5YiObi2X3wQFgKRBUX6T0v7RkWRmDuRyWz5tiDPZtVxRRXPq91dxTK2C6+jrTZ7HaE9vTunqGFsWNYjxBLXwIDAQABoCEwHwYJKoZIhvcNAQkOMRIwEDAOBgNVHQ8BAf8EBAMCBaAwDQYJKoZIhvcNAQELBQADggEBAD8vAO7LrD2yEubZPE4/OW+8pAHXRSpW4SQGP99dwiGpYT/0+8iD9wjyBWPZU5ysmYSAKlUzFqB57MIqXjHUdMAZnypL59YALXjVkAAJzof+bpwTIgvy2oYxsNvfW4AkuslJOUPINW9crqIMFEKSlNgcmaYHd6u/KO3tk5vufPM0vh2xnIHLyWlwBlga+TOS1VNwZl8PFSHTY7OAzd2d6c6+je+CSl1QvHZVmW5KgrkUIbv+YsAieZD7a2bTWOcdYR3AVqm34c3luzqTn6rq/xaTaGbi1dyR1PlD4uEDQeSewdkpTrmyWhYHUdLuN4c3NhIZqOAoaOk1TE1QGJSSh5s=\\\",\\\"id_cert_sn\\\":\\\"\\\"}]}\"}"}
     RESPONSE: Jan 24 23:19:05 2025 UTC   <--- Response from CSSM was received
   {"signature":{"type":null,"value":null,"piid":null,"cert_sn":null},"response":"{\"header\":{\"version\":\"1.3\",\"locale\":\"en_US.UTF-8\",\"timestamp\":1737760824972,\"nonce\":\"8620723070430261290\",\"request_type\":\"ID_TOKEN_TRUST\",\"sudi\":{\"udi_pid\":\"C9300-48UN\",\"udi_serial_number\":\"<SN>\"},\"agent_actions\":null,\"connect_info\":{\"name\":\"SSM\",\"version\":\"1.3\",\"production\":true,\"capabilities\":[\"DLC\",\"AppHA\",\"EXPORT_2\",\"POLICY_USAGE\",\"UTILITY\"],\"additional_info\":\"\"},\"product_instance_identifier\":\"\",\"id_cert_serial_number\":null,\"signing_cert_serial_number\":null},\"status_code\":\"OK\",\"status_message\":\"OK\",\"retry_time_seconds\":0,\"response_data\":\"{\\\"nonce\\\":\\\"8620723070430261290\\\",\\\"sudi\\\":{\\\"udi_pid\\\":\\\"C9300-48UN\\\",\\\"udi_serial_number\\\":\\\"<SN>\\\"},\\\"smart_account_name\\\":\\\"<ACCOUNT>\\\",\\\"pool_name\\\":\\\"<VIRTUAL_ACCOUNT>\\\",\\\"device_list\\\":[{\\\"sudi\\\":{\\\"udi_pid\\\":\\\"C9300-48UN\\\",\\\"udi_serial_number\\\":\\\"<SN>\\\"},\\\"smart_license\\\":\\\<LICENSE>\\\",\\\"product_instance_identifier\\\":\\\"6c5ea69b-4881-4396-bfa6-6a53bd5894a4\\\"}]}\"}","sch_response":null}
   
   
   Usage Reporting:
     No past history
   Result Polling:
     No past history
   Authorization Request:
     No past history
   Authorization Return:
     No past history
   Trust Sync:
     No past history
   
   Import Message History (oldest to newest):
   ====================================================
   Import POLICY:
     No past Import history
   
   Import AUTH:
     No past Import history
   
   Import TRUST CODE:
   Received on Jan 24 23:19:05 2025 UTC
     <TRUST_CODE>
   
   
   Import RUM ACK:
     No past Import history
   
   Import CONVERSION ACK:
     No past Import history
   
   Import ACCOUNT INFO:
     Last policy received on Jan 24 23:19:05 2025 UTC
     <ACCOUNT_INFO>
   
   
   Switch#show license tech support | sec Trust
   Trust Establishment:
     Attempts: Total=1, Success=1, Fail=0  Ongoing Failure: Overall=0 Communication=0
     Last Response: OK on Jan 24 23:19:05 2025 UTC  <--- Trust establishment succeeded
       Failure Reason: 
     Last Success Time: Jan 24 23:19:05 2025 UTC
     Last Failure Time: 
   Trust Acknowledgement:
     Attempts: Total=0, Success=0, Fail=0  Ongoing Failure: Overall=0 Communication=0
     Last Response: 
       Failure Reason: 
     Last Success Time: 
     Last Failure Time: 
   Trust Sync:
     Attempts: Total=1, Success=1, Fail=0  Ongoing Failure: Overall=0 Communication=0
     Last Response: OK on Jan 24 23:19:50 2025 UTC
       Failure Reason: 
     Last Success Time: Jan 24 23:19:50 2025 UTC
     Last Failure Time: 
   Trusted Store Interface: True
   Local Device: P:C9300-48UN,S:<SN>, state[2], Trust Data INSTALLED  TrustId:612
   Overall Trust: INSTALLED (2) <--- Trust code installed
   
   

   If there request is sent but there is no response from CSSM, show license history message command shows no JSON data for the given response and more details about the failure can be obtained.

   Switch#show license history message                     
   ! <--- Output omitted for brevity --->
   Trust Establishment:
     REQUEST: Feb 21 16:54:49 2025 UTC
   {"request":"{\"header\":{\"request_type\":\"ID_TOKEN_TRUST\",\"sudi\":{\"udi_pid\":\"C9300X-12Y\",\"udi_serial_number\":\"<SN>\"},\"version\":\"1.3\",\"locale\":\"en_US.UTF-8\",\"product_instance_identifier\":\"\",\"nonce\":\"418461674986421033\",\"timestamp\":1740156889326,\"connect_info\":{\"name\":\"C_agent\",\"version\":\"5.5.29_rel/114\",\"production\":true,\"additional_info\":\"\",\"capabilities\":[\"UTILITY\",\"DLC\",\"AppHA\",\"MULTITIER\",\"EXPORT_2\",\"OK_TRY_AGAIN\",\"POLICY_USAGE\",\"POLICY_USAGE\"]}},\"request_data\":\"{\\\"sudi\\\":{\\\"udi_pid\\\":\\\"C9300X-12Y\\\",\\\"udi_serial_number\\\":\\\"<SN>\\\"},\\\"timestamp\\\":1740156888584,\\\"nonce\\\":\\\"418461674986421033\\\",\\\"product_instance_identifier\\\":\\\"\\\",\\\"hostname\\\":\\\"F241.24.06-9300-1\\\",\\\"token\\\":\\\"MzgwMDAwMTItOGVkOC00OWExLTgzZmEtMzVhNTZkMDAyNTJhLTE3NDI3NDgy%0ANDkyMTF8U1N4MFV0RDgzdytvY0EwL1FrRHBEaDJ6bW8yTDlpa3BsazJKbkxE%0ASXpwND0%3D%0A\\\",\\\"mode\\\":\\\"PERMANENT\\\",\\\"force\\\":true,\\\"software_tag_identifier\\\":\\\"regid.2017-05.com.cisco.C9300,v1_727af1d9-6c39-4444-b301-863f81445b72\\\",\\\"device_list\\\":[{\\\"sudi\\\":{\\\"udi_pid\\\":\\\"C9300X-12Y\\\",\\\"udi_serial_number\\\":\\\"<SN>\\\"},\\\"trust_id\\\":497,\\\"software_tag_identifier\\\":\\\"regid.2017-05.com.cisco.C9300,v1_727af1d9-6c39-4444-b301-863f81445b72\\\",\\\"product_instance_identifier\\\":\\\"\\\",\\\"csr\\\":\\\"MIICnjCCAYYCAQAwODE2MDQGA1UEAxMtODhFMzcyODRBOTYwN0U1MDhERDJCMTdERkYyNTJBOTZDQjA1ODNENzo6MSwyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxTl8H93Q05evxmYkBYIq1hwyXqmkw24AHfnxGLFw7SaiN3bCKmYnG31vYzAbgcq3fq2LD6dtzFLrXm7t43wiF+kLtkgh4a+W9cl6PaiPXr9pxEBSxuMokfUZBd9OU7e83wCtH+0bUeSsdFHpTyIiynodF92NHwjsR4eRB5fAnx1qqbZBNa4ntgj11HQ1X9pN31PY7Wc18iEGRhYgR5ljGpgvhnfzno6M8jG4wplxuiA3oWvYO8BaXkQHRf6QofQIXfmsgGAddtJqw2UzcSLWaelbuHB1yhnhWTD5mpRFQYxuLU87ndr/G8PaCreJ/RzjikSLgEes4hF34i13ab8LGwIDAQABoCEwHwYJKoZIhvcNAQkOMRIwEDAOBgNVHQ8BAf8EBAMCBaAwDQYJKoZIhvcNAQEFBQADggEBAAOUiLz9nZ+C2mGI31ZqrK1iV/C1GWNXJajWisRhFBgSANgFs7cLfAJhZtEXF1PY+0PQGRAeR/zwCpYwIq/cI7jLjqXAaHkNmEeRsidWv+pMxNwjR4csSJk+PNqeqwXzVIhsJTEU5E8jchwzI1i26STUDjKJhHW+Z1wgDYBCPldl2CA2D7c71s4/UirEPoEEiFtrxtGi8KvldRPFEis8vaX8OGNV4H/t1+SSU4UW5resHpABusJSM2SJNTOsX6f+7IULqPQJjoGs0pqu+EyHcjglSYolMsIqE1x9jzdKGN+wy3p4my3a0PNfiHF3RofSkXMk++idw9v8+kHV9m+Ym9A=\\\",\\\"id_cert_sn\\\":\\\"\\\"}]}\"}"}
     RESPONSE: Feb 21 16:54:49 2025 UTC
                                               <--- The line is empty, which means there was no response from CSSM
   
     REQUEST: Feb 21 16:55:19 2025 UTC
   {"request":"{\"header\":{\"request_type\":\"ID_TOKEN_TRUST\",\"sudi\":{\"udi_pid\":\"C9300X-12Y\",\"udi_serial_number\":\"<SN>\"},\"version\":\"1.3\",\"locale\":\"en_US.UTF-8\",\"product_instance_identifier\":\"\",\"nonce\":\"17639638978924380272\",\"timestamp\":1740156919824,\"connect_info\":{\"name\":\"C_agent\",\"version\":\"5.5.29_rel/114\",\"production\":true,\"additional_info\":\"\",\"capabilities\":[\"UTILITY\",\"DLC\",\"AppHA\",\"MULTITIER\",\"EXPORT_2\",\"OK_TRY_AGAIN\",\"POLICY_USAGE\",\"POLICY_USAGE\"]}},\"request_data\":\"{\\\"sudi\\\":{\\\"udi_pid\\\":\\\"C9300X-12Y\\\",\\\"udi_serial_number\\\"
   ! <--- Output omitted for brevity --->
   
   
   Switch#show license tech support | sec Trust
   Trust Establishment:
   Attempts: Total=2, Success=0, Fail=2 Ongoing Failure: Overall=2 Communication=2
   Last Response: NO REPLY on Feb 21 16:55:39 2025 UTC <--- Failure reason was NO REPLY
   Failure Reason: <none>
   Last Success Time: <none>
   Last Failure Time: Feb 21 16:55:39 2025 UTC
   Trust Acknowledgement:
   Attempts: Total=0, Success=0, Fail=0 Ongoing Failure: Overall=0 Communication=0
   Last Response: <none>
   Failure Reason: <none>
   Last Success Time: <none>
   Last Failure Time: <none>
   Trust Sync:
   Attempts: Total=0, Success=0, Fail=0 Ongoing Failure: Overall=0 Communication=0
   Last Response: <none>
   Failure Reason: <none>
   Last Success Time: <none>
   Last Failure Time: <none>
   Trusted Store Interface: True
   Local Device: P:C9300-48UN,S:<SN>, state[1], NOT INSTALLED TrustId:605 <--- Trust point exists but it is not installed yet
   Overall Trust: No ID

4. Trigger the switch to send a RUM report to synchronize with CSSM.

   Switch#show clock 
   *23:38:54.683 UTC Fri Jan 24 2025
   
   Switch#show license tech support | i Utility             
   Utility:
   Start Utility Measurements: Jan 24 23:35:55 2025 UTC (4 minutes, 38 seconds remaining)
   Send Utility RUM reports: Feb 23 23:20:56 2025 UTC (29 days, 23 hours, 49 minutes, 39 seconds remaining) <--- Next RUM report to be sent in 29 days
   Process Utility RUM reports: Jan 25 23:30:58 2025 UTC (23 hours, 59 minutes, 41 seconds remaining)
   
   
   Switch#show license history message | i REQUEST
     REQUEST: Jan 24 23:18:59 2025 UTC
     REQUEST: Jan 24 23:20:50 2025 UTC
     REQUEST: Jan 24 23:25:55 2025 UTC
     REQUEST: Jan 24 23:19:41 2025 UTC
   
   Switch#license smart sync all <--- Trigger synchronization
   
   Switch#show license history message | i REQUEST
     REQUEST: Jan 24 23:18:59 2025 UTC
     REQUEST: Jan 24 23:20:50 2025 UTC
     REQUEST: Jan 24 23:25:55 2025 UTC
     REQUEST: Jan 24 23:19:41 2025 UTC
     REQUEST: Jan 24 23:39:05 2025 UTC <--- New RUM report was sent
   
   
   Switch#show license tech support | sec Trust
   Trust Establishment:
     Attempts: Total=1, Success=1, Fail=0  Ongoing Failure: Overall=0 Communication=0
     Last Response: OK on Jan 24 23:19:05 2025 UTC
       Failure Reason: 
     Last Success Time: Jan 24 23:19:05 2025 UTC
     Last Failure Time: 
   Trust Acknowledgement:
     Attempts: Total=0, Success=0, Fail=0  Ongoing Failure: Overall=0 Communication=0
     Last Response: 
       Failure Reason: 
     Last Success Time: 
     Last Failure Time: 
   Trust Sync:
     Attempts: Total=2, Success=2, Fail=0  Ongoing Failure: Overall=0 Communication=0
     Last Response: OK on Jan 24 23:39:14 2025 UTC  <--- Successful response from CSSM
       Failure Reason: 
     Last Success Time: Jan 24 23:39:14 2025 UTC
     Last Failure Time: 
   Trusted Store Interface: True
   Local Device: P:C9300-48UN,S:<SN>, state[2], Trust Data INSTALLED  TrustId:612
   Overall Trust: INSTALLED (2)
   
   

5. To validate that the switch is establishing the HTTPS connection with the CSSM, you can take a packet capture. This is an example packet capture of a successful connection using a proxy server.

   Switch#sh ip cef 10.31.104.78
   0.0.0.0/0
     nexthop 10.31.121.65 Vlan10
     
   Switch#sh ip arp 10.31.121.65
   Protocol  Address          Age (min)  Hardware Addr   Type   Interface
   Internet  10.31.121.65            0   2c31.24b1.6bc6  ARPA   Vlan10
   
   Switch#show mac address-table address 2c31.24b1.6bc6
             Mac Address Table
   -------------------------------------------
   
   Vlan    Mac Address       Type        Ports
   ----    -----------       --------    -----
     10    2c31.24b1.6bc6    DYNAMIC     Fi1/0/48
   Total Mac Addresses for this criterion: 1
   
   Switch#monitor capture CSSM interface Fi1/0/48 both match any 
   Switch#monitor capture CSSM start
   Started capture point : CSSM
   
   Switch#show clock
   *15:41:10.058 UTC Fri Jan 24 2025
   
   Switch#license smart sync all
   
   Switch#sh license hist mess | i REQUEST
    REQUEST: Jan 24 15:35:17 2025 UTC
    REQUEST: Jan 24 15:41:58 2025 UTC
   
   Switch#monitor capture CSSM stop
   
   Switch#monitor capture CSSM export location flash:slp-proxy-https-connection.pcap
   Export Started Successfully

   Packet Capture of Successful HTTPS Connection with CSSM Using a Proxy Server.

6. If the packet capture shows that the HTTPS connection is attempting to be established but fails, it could be due to a TLS or SSL handshake failure. These debugs can be used for further investigation.

   debug ip http client all
   debug ssl openssl states 
   debug ssl openssl errors 
   debug crypto pki messages 
   debug crypto pki transactions
   

7. If at any point the installed trust code needs to be removed from the switch, a Smart Licensing factory reset can be performed. This process requires a reload. After the factory reset, a new trust code can be installed. Using this command removes all licensing information, including the policy.

   Switch#license smart factory reset 
   %Warning: reload required after "license smart factory reset" command
   
   Switch#show license status | include Trust
   Trust Code Installed: <none>  <--- Installed trust code now shows none
   
   Switch#reload

Related Information

• Smart Licensing Using Policy for Cisco Catalyst 9000 Series Switches
• Understand Smart Licensing for Catalyst Switching
• Cisco Live: Introduction to Smart Licensing Using Policy
• Cisco Technical Support & Downloads