
OPERATIONAL DEFECT DATABASE

- Firepower Management Center (FMC) complains about 'Smart Licensing ID certificate expired'
- Firepower Threat Defense (FTD) devices are getting Unlicensed

In the MySQL table smart_licenses, the active flag will be set to 0 for license='BASE'.

Additionally, check /etc/sf/.health_monitor.data for the presence of the following:

    IDCERTEXPERR:2

FMC logs show:

/var/log/smart_agent.log

    ERROR SAMsgThread-Trust chain Verification failed: Depth:1 Error (certificate has expired)

/var/log/sch.log:

    \"signing_cert_serial_number\":null,\"id_cert_serial_number\":null},\"status_code\":\"LS_INVALID_DATA\",\"status_message\":\"Missing Id cert serial number field; Missing signing cert serial number field; Signed data and certificate does not match\"

/var/log/sa_process.logs.log:

    firepower SF-IMS[3499]: [3535] SLA:SLA [DEBUG] src/smart_agent.c:288:sa_global_notif_callback(): sa_global_notif_callback(): received SmartAgentNotifyIdCertExpired

This is a corner scenario which occurs when the licensing registration method moves from CSSM and later eventually to SLR.

1. Open the file /etc/sf/.health_monitor.data in vim and delete the following line:

    IDCERTEXPERR:2

2. Make the following modifications in MySQL. Replace with the right number.

    >update smart_licenses set active=1 where license='BASE' and uuid in (select uid from sensor where active=1);
    >update smart_licenses set count= where license='VIRTUAL';
    >update license_caps set active=1 where capability='BASE';

3. Restart the sla process on FMC:

    #pmtool restartbyid sla
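
To confirm that a device matches this record before changing anything, the file and log indicators listed in the symptom description can be checked read-only. This is an added example, not Cisco's or this page's own tooling; the function names and the root-prefix argument (for running against an unpacked troubleshoot bundle) are assumptions, and the sample tree is constructed.

```shell
#!/bin/sh
# Read-only check for the file/log indicators named in this defect record.
# check_idcert_symptoms and count_found are hypothetical helper names.
# $1 is an assumed root prefix: "/" on a live FMC, or the top directory of
# an unpacked troubleshoot bundle.
check_idcert_symptoms() {
    root="${1%/}"
    # file|fixed-string pairs, all taken from the record above
    while IFS='|' read -r file pattern; do
        [ -n "$file" ] || continue
        if [ -r "$root$file" ] && grep -qF -- "$pattern" "$root$file"; then
            echo "FOUND   $file: $pattern"
        else
            echo "absent  $file: $pattern"
        fi
    done <<'EOF'
/etc/sf/.health_monitor.data|IDCERTEXPERR:2
/var/log/smart_agent.log|Trust chain Verification failed
/var/log/sch.log|LS_INVALID_DATA
/var/log/sa_process.logs.log|SmartAgentNotifyIdCertExpired
EOF
}

# Number of indicators present under the given root (0 to 4).
count_found() { check_idcert_symptoms "$1" | grep -c '^FOUND' || true; }

# Constructed sample tree (not real FMC data) so the script runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/etc/sf" "$demo/var/log"
printf 'IDCERTEXPERR:2\n' > "$demo/etc/sf/.health_monitor.data"
printf 'ERROR SAMsgThread-Trust chain Verification failed: Depth:1 Error (certificate has expired)\n' \
    > "$demo/var/log/smart_agent.log"
printf '"status_code":"LS_INVALID_DATA"\n' > "$demo/var/log/sch.log"
: > "$demo/var/log/sa_process.logs.log"   # empty: this indicator is deliberately missing

check_idcert_symptoms "$demo"
echo "indicators found: $(count_found "$demo") of 4"
```

The check does not query MySQL; the active flag for license='BASE' still has to be inspected separately.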