...
If Smart License registration fails, these syslog messages will be seen:

RP/0/RP0/CPU0:Feb 22 10:00:07.962 UTC: smartlicserver[127]: %LICENSE-SMART_LIC-3-COMM_FAILED : Communications failure with the Cisco Smart Software Manager (CSSM) : Fail to send out Call Home HTTP message
RP/0/RP0/CPU0:Feb 22 10:00:07.962 UTC: smartlicserver[127]: %LICENSE-SMART_LIC-3-AGENT_REG_FAILED : Smart Agent for Licensing Registration with the Cisco Smart Software Manager (CSSM) failed: Fail to send out Call Home HTTP message

Smart Call Home Symptoms

This error log might be observed in the affected device:

RP/0/RP0/CPU0:Feb 22 09:57:36.246 UTC: http_client[255]: %SECURITY-XR_SSL-3-CERT_VERIFY_ERR_2_PARAM : SSL certificate verify error: Peer certificate verification failed - no trusted cert 'Crypto Engine' detected the 'warning' condition 'Invalid trustpoint or trustpoint not exist'

If the download fails, this message might be seen:

RP/0/RP0/CPU0:Feb 22 09:57:24.025 UTC: cepki[279]: %SECURITY-PKI-6-ERR_1_PARAM : Download failed, HTTP returned an error
This log shows the license authorization failure:

RP/0/RP0/CPU0:ios#show license status
Wed Feb 23 06:08:07.562 UTC

Smart Licensing is ENABLED

Utility:
  Status: DISABLED

Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED

Transport:
  Type: Callhome

Registration:
  Status: REGISTERED
  Smart Account: BU Production Test 1
  Virtual Account: NCS550 Testing
  Export-Controlled Functionality: ALLOWED
  Initial Registration: SUCCEEDED on Feb 23 2022 05:56:41 UTC
  Last Renewal Attempt: None
  Next Renewal Attempt: Aug 22 2022 05:56:40 UTC
  Registration Expires: Feb 23 2023 05:51:36 UTC

License Authorization:
  Status: OUT OF COMPLIANCE on Feb 23 2022 05:56:50 UTC
  Last Communication Attempt: FAILED on Feb 23 2022 06:08:07 UTC
    Failure reason: Fail to send out Call Home HTTP message
  Next Communication Attempt: Feb 23 2022 06:08:36 UTC
  Communication Deadline: May 24 2022 05:56:21 UTC

Export Authorization Key:
  Features Authorized:

Miscellaneous:
  Custom Id:
RP/0/RP0/CPU0:ios#
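The syslog symptoms quoted above can be triaged across a collected log file. The following is an added example, not code from the field notice or from Cisco: it groups the four message types per node and separates a trust-anchor failure from a licensing failure with no certificate error logged. The symptom labels, verdict strings and the `triage` function name are this example's own, and the last sample line is constructed.

```python
import re
from collections import defaultdict

# IOS XR syslog shape: <node>:<timestamp>: <proc>[<pid>]: %<CODE> : <text>
LINE_RE = re.compile(
    r"^(?P<node>\S+?):(?P<ts>\w{3}\s+\d+ [\d:.]+ \w+): (?P<proc>[\w-]+)\[\d+\]: "
    r"%(?P<code>[A-Z0-9_-]+) : (?P<text>.*)$"
)

# (message code, required substring, label); labels are this example's own names
SYMPTOMS = [
    ("SECURITY-XR_SSL-3-CERT_VERIFY_ERR_2_PARAM", "no trusted cert", "cert_verify_failed"),
    ("SECURITY-PKI-6-ERR_1_PARAM", "Download failed", "bundle_download_failed"),
    ("LICENSE-SMART_LIC-3-COMM_FAILED", "Call Home HTTP", "cssm_comm_failed"),
    ("LICENSE-SMART_LIC-3-AGENT_REG_FAILED", "Call Home HTTP", "registration_failed"),
]

def triage(lines):
    """Return {node: (sorted symptom labels, verdict)} for the page's messages."""
    seen = defaultdict(set)
    for m in filter(None, (LINE_RE.match(l.strip()) for l in lines)):
        for code, needle, label in SYMPTOMS:
            if m["code"] == code and needle in m["text"]:
                seen[m["node"]].add(label)
    report = {}
    for node, labels in seen.items():
        licensing = labels & {"cssm_comm_failed", "registration_failed"}
        if "cert_verify_failed" in labels and licensing:
            # TLS peer validation failed and licensing broke: trustpool needs the update
            verdict = "trustpool_update_needed"
        elif labels - licensing:
            verdict = "trustpool_problem_no_licensing_impact_seen"
        else:
            # Same licensing errors, but no certificate error in the logs
            verdict = "licensing_failure_cause_not_in_logs"
        report[node] = (sorted(labels), verdict)
    return report

# First four lines are the messages quoted on this page; the fifth is constructed.
SAMPLE = [
    "RP/0/RP0/CPU0:Feb 22 09:57:24.025 UTC: cepki[279]: %SECURITY-PKI-6-ERR_1_PARAM : Download failed, HTTP returned an error",
    "RP/0/RP0/CPU0:Feb 22 09:57:36.246 UTC: http_client[255]: %SECURITY-XR_SSL-3-CERT_VERIFY_ERR_2_PARAM : SSL certificate verify error: Peer certificate verification failed - no trusted cert 'Crypto Engine' detected the 'warning' condition 'Invalid trustpoint or trustpoint not exist'",
    "RP/0/RP0/CPU0:Feb 22 10:00:07.962 UTC: smartlicserver[127]: %LICENSE-SMART_LIC-3-COMM_FAILED : Communications failure with the Cisco Smart Software Manager (CSSM) : Fail to send out Call Home HTTP message",
    "RP/0/RP0/CPU0:Feb 22 10:00:07.962 UTC: smartlicserver[127]: %LICENSE-SMART_LIC-3-AGENT_REG_FAILED : Smart Agent for Licensing Registration with the Cisco Smart Software Manager (CSSM) failed: Fail to send out Call Home HTTP message",
    "RP/0/RP1/CPU0:Feb 22 10:05:00.000 UTC: smartlicserver[127]: %LICENSE-SMART_LIC-3-COMM_FAILED : Communications failure with the Cisco Smart Software Manager (CSSM) : Fail to send out Call Home HTTP message",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A node that logs only the licensing messages gets a different verdict because "Fail to send out Call Home HTTP message" alone does not show that certificate validation was the cause.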
The three options for a manual certificate update are described in this section.

Option 1. Download a Bundle of Certificates From the Default Location

The bundle of certificates can be downloaded from http://www.cisco.com/security/pki/trs/ios.p7b by default. If a device is not able to resolve the domain name, it will not download the pool of certificates. This bundle of certificates has the Smart Licensing root certificates. Initiate the download with this command:

crypto ca trustpool import http://www.cisco.com/security/pki/trs/ios.p7b

Option 2. Download the Bundle of Certificates by Hosting it Locally

Cisco IOS XR devices support trustpool policy configuration which allows you to change the default CA Bundle URL. This configuration command can be used to change the CA bundle policy.

crypto ca trustpool policy cabundle url

Download the CA bundle file from the default location in order to host it locally in an HTTP server. This can be leveraged in case of a connectivity issue. Enter this command in order to display the trustpool policy:

show crypto ca trustpool policy

Option 3. File-Based Download

Customers who are not able to authenticate the certificate with options 1 or 2 can use the file-based approach. Download the file from the default URL (http://www.cisco.com/security/pki/trs/ios.p7b) and copy it to the "tmp" directory. You can then enter this command to authenticate the CA certificates to the device.

crypto ca trustpool import url /tmp/pki_bundle_0.p7b

Note: Cisco IOS XR does not support customer-signed CA bundle of certificates. It must be signed by the Cisco M1 root certificate, and it is managed by the Cisco Information Security team.

Option 4.

crypto ca trustpoint smart-license (trust point name can be anything)
 enrollment terminal
crypto ca authenticate smart-license

Enter this command for authorization:

RP/0/RP0/CPU0:ios#license smart renew auth
https://www.cisco.com/c/en/us/support/docs/field-notices/722/fn72290.html