Cisco ASA 5525-X Adaptive Security Appliance - No Payload Encryption Troubleshooting Guide

Contents
Introduction
Problem
Syslogs and Debug Output
Solution
Verify
Related Information
Introduction
This document describes how to address a change that occurred on March 18, 2016, when the
web servers that host tools.cisco.com were migrated to a SHA-2 certificate. After that migration,
some ASAv devices fail to connect to the Smart Software Licensing Portal (which is hosted on
tools.cisco.com) when they register an ID token or attempt to renew existing
authorizations. This was determined to be a certificate validation issue: the new
certificate presented to the ASAv is signed by a different Intermediate Certificate Authority
than the one the ASAv expects and has preloaded, so the ASAv cannot chain the server
certificate to any certificate it trusts.
Problem
When an attempt is made to register an ASAv with the Smart Software Licensing Portal, the
registration fails with a connection or communication error. The show license registration and
call-home test profile License commands show this output.
ASAv# show license registration
        Registration Status: Retry In Progress.
        Registration Start Time: Mar 22 13:25:46 2016 UTC
        Last Retry Start Time: Mar 22 13:26:32 2016 UTC.
        Next Scheduled Retry Time: Mar 22 13:45:31 2016 UTC.
        Number of Retries: 1.
        Last License Server response time: Mar 22 13:26:32 2016 UTC.
        Last License Server response message: Communication message send response error
ASAv# call-home test profile License
INFO: Sending test message to  
ERROR: Failed: CONNECT_FAILED(35)
However, the ASAv can resolve tools.cisco.com, and a TCP ping to port 443 succeeds, so the
failure is not at the DNS or transport layer; the TLS handshake fails during certificate validation.
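The Introduction attributes the failure to a server certificate whose issuing intermediate CA is absent from what the ASAv trusts. The following shell script is an added example, not Cisco's code or anything from the ASA software: it builds a constructed three-level chain (root, intermediate, server certificate) with the openssl CLI and then runs OpenSSL's verifier, standing in for the ASAv trustpoint check, under three trust configurations. All names (Example Root CA, Example Intermediate CA G2, licensing.example) are invented stand-ins; the script assumes openssl 1.1.1 or later is installed.

```shell
#!/bin/sh
# Added example (not Cisco's code): reproduce a "no suitable trustpoint" style
# failure with a constructed chain, using openssl verify in place of the ASAv.
# Assumes the openssl CLI (1.1.1 or later) is on PATH.

make_chain() {            # $1 = scratch directory; writes root/int/leaf key+cert
  local dir="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
      > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' \
      > "$dir/leaf.ext"

  # Root CA, self-signed (stand-in for the public root the device already holds).
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$dir/root.key" -out "$dir/root.csr" -subj "/CN=Example Root CA" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 365 \
      -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

  # New intermediate CA signed by the root (stand-in for the issuer the device lacks).
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$dir/int.key" -out "$dir/int.csr" -subj "/CN=Example Intermediate CA G2" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
      -CAcreateserial -days 365 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null

  # Server certificate signed by the intermediate (stand-in for the portal's cert).
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$dir/leaf.key" -out "$dir/leaf.csr" -subj "/CN=licensing.example" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
      -CAcreateserial -days 365 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# chain_status DIR [openssl verify trust options...]
# Prints OK, MISSING_ISSUER (the "no suitable trustpoints" case) or FAIL: <detail>.
chain_status() {
  local dir="$1"; shift
  local out
  if out=$(openssl verify "$@" "$dir/leaf.pem" 2>&1); then
    echo OK
  elif printf '%s\n' "$out" | grep -q "issuer certificate"; then
    echo MISSING_ISSUER
  else
    echo "FAIL: $out"
  fi
}

demo_dir=$(mktemp -d)
make_chain "$demo_dir"
# 1. Trust store holds only the root: the new intermediate is unknown, so the
#    server certificate cannot be chained to anything trusted.
echo "root only:                       $(chain_status "$demo_dir" -CAfile "$demo_dir/root.pem")"
# 2. Same trust store, but the server also supplies the intermediate in the handshake.
echo "root + intermediate from server: $(chain_status "$demo_dir" -CAfile "$demo_dir/root.pem" -untrusted "$demo_dir/int.pem")"
# 3. The intermediate itself imported as a trust anchor, which is what adding it to
#    a trustpoint achieves; -partial_chain lets a non-root anchor terminate the chain.
echo "intermediate as trust anchor:    $(chain_status "$demo_dir" -partial_chain -CAfile "$demo_dir/int.pem")"
rm -rf "$demo_dir"
```

Case 1 is the situation the Introduction describes: the device trusts a root, the server certificate is issued by an intermediate the device has never seen, and validation fails before any licensing traffic is exchanged. To perform the same comparison against the real portal, `openssl s_client -connect tools.cisco.com:443 -showcerts </dev/null` dumps the chain the server presents, and `show crypto ca certificates` on the ASAv lists what each trustpoint holds; the issuer DN of the server certificate should match the subject of a certificate in one of those trustpoints.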
Syslogs and Debug Output
Syslog output on the ASAv after an attempted registration will show this:
certificate serial number: 250CE8E030612E9F2B89F7058FD, subject name:
cn=VeriSign Class 3 Public Primary Certification Authority - G5,ou=(c) 2006 VeriSign\, Inc.
- For authorized use only,ou=VeriSign Trust Network,o=VeriSign\, Inc.,c=US, issuer name:
Certificate validation failed. No suitable trustpoints found to validate
certificate serial number: 513FB9743870B73440418699FF, subject name: