Symptom
- Firepower Management Center (FMC) reports 'Smart Licensing ID certificate expired'
- Firepower Threat Defense (FTD) devices become Unlicensed
In the MySQL smart_licenses table, the active flag is set to 0 for the row where license='BASE'.
Additionally, check /etc/sf/.health_monitor.data for the presence of the following line:
IDCERTEXPERR:2
FMC logs show:
/var/log/smart_agent.log:
ERROR SAMsgThread-Trust chain Verification failed: Depth:1 Error (certificate has expired)
/var/log/sch.log:
\"signing_cert_serial_number\":null,\"id_cert_serial_number\":null},\"status_code\":\"LS_INVALID_DATA\",\"status_message\":\"Missing Id cert serial number field; Missing signing cert serial number field; Signed data and certificate does not match\"
/var/log/sa_process.logs.log:
firepower SF-IMS[3499]: [3535] SLA:SLA [DEBUG] src/smart_agent.c:288:sa_global_notif_callback(): sa_global_notif_callback(): received SmartAgentNotifyIdCertExpired
Conditions
This is a corner case that occurs when the licensing registration method is changed from CSSM (Cisco Smart Software Manager) to SLR (Specific License Reservation).
Workaround
1. Edit the file /etc/sf/.health_monitor.data (for example with vim) and delete the following line:
IDCERTEXPERR:2
2. Apply the following changes in MySQL. In the second statement, replace the empty count value with the correct number of VIRTUAL licenses.
>update smart_licenses set active=1 where license='BASE' and uuid in (select uid from sensor where active=1);
>update smart_licenses set count= where license='VIRTUAL';
>update license_caps set active=1 where capability='BASE';
3. Restart the sla process on the FMC:
#pmtool restartbyid sla
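As an added example (not part of the original note), the shell functions below check copies of the files named above for the three indicators listed in the Symptom section, perform workaround step 1 non-interactively with a backup, and emit the step 2 SQL with the VIRTUAL count validated before it is spliced in. The file paths are passed as arguments rather than hard-coded so the check can be run against copied files; the sla restart in step 3 is not reproduced here.

```shell
#!/bin/sh
# Indicator strings quoted in the Symptom section of the note.
HM_FLAG='IDCERTEXPERR:2'
SA_ERR='Trust chain Verification failed'
SA_NOTIFY='SmartAgentNotifyIdCertExpired'

# Report which indicators are present in the given health-monitor data file,
# smart_agent.log and sa_process log. Returns 0 only when all three are found.
check_idcert_expired() {
    hm_file=$1 sa_log=$2 proc_log=$3 hits=0
    if grep -qxF "$HM_FLAG" "$hm_file" 2>/dev/null; then
        echo "health monitor flag present: $HM_FLAG"; hits=$((hits + 1))
    fi
    if grep -qF "$SA_ERR" "$sa_log" 2>/dev/null; then
        echo "smart_agent.log: trust chain verification failure"; hits=$((hits + 1))
    fi
    if grep -qF "$SA_NOTIFY" "$proc_log" 2>/dev/null; then
        echo "sa_process log: $SA_NOTIFY received"; hits=$((hits + 1))
    fi
    echo "$hits of 3 indicators present"
    [ "$hits" -eq 3 ]
}

# Workaround step 1 without an editor: keep a .bak copy, then rewrite the file
# with only the flag line removed (every other line is preserved as-is).
remove_idcert_flag() {
    f=$1
    cp -p "$f" "$f.bak" || return 1
    sed "/^$HM_FLAG\$/d" "$f.bak" > "$f"
}

# Workaround step 2 as SQL on stdout. The note leaves the VIRTUAL count blank;
# it is accepted here only as a non-negative integer so nothing else can be
# spliced into the statement by mistake.
license_sql() {
    count=$1
    case $count in
        ''|*[!0-9]*)
            echo "license_sql: count must be a non-negative integer, got '$count'" >&2
            return 1 ;;
    esac
    printf '%s\n' \
        "update smart_licenses set active=1 where license='BASE' and uuid in (select uid from sensor where active=1);" \
        "update smart_licenses set count=$count where license='VIRTUAL';" \
        "update license_caps set active=1 where capability='BASE';"
}
```

Pipe the output of license_sql into the mysql client on the FMC once the count has been confirmed, rather than typing the statements by hand.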