Symptom
With a proxy server configured on the FMC management interface, registering the FMC to the Smart License portal causes the FMC to query its configured DNS server for tools.cisco.com. The DNS server replies with a failure, so the FMC cannot resolve the IP address.
For SRU/VDB downloads, however, the FMC resolves and connects to support.sourcefire.com through the proxy server.
In a working lab environment, no DNS packets for tools.cisco.com are seen during Smart License reauthorization. Instead, the FMC establishes the session to tools.cisco.com through the proxy server, and the same happens for SRU/VDB downloads.
Note: DNS cache is disabled.
8 2023-02-08 21:46:04.695792 10.88.243.114 64.102.255.40 TCP 74 44804 → 8080 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=2751863953 TSecr=0 WS=128
9 2023-02-08 21:46:04.779181 64.102.255.40 10.88.243.114 TCP 74 8080 → 44804 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1300 WS=64 SACK_PERM=1 TSval=1764617056 TSecr=2751863953
10 2023-02-08 21:46:04.779239 10.88.243.114 64.102.255.40 TCP 66 44804 → 8080 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=2751864036 TSecr=1764617056
11 2023-02-08 21:46:04.779426 10.88.243.114 64.102.255.40 HTTP 163 CONNECT tools.cisco.com:443 HTTP/1.1
When nslookup is run from FMC expert mode, the DNS queries are visible.
8 2023-02-08 22:11:38.527799 10.88.243.114 72.163.47.11 DNS 75 Standard query 0x0e0a AAAA tools.cisco.com
9 2023-02-08 22:11:38.579506 72.163.47.11 10.88.243.114 DNS 103 Standard query response 0x0e0a AAAA tools.cisco.com AAAA 2001:420:1201:5::a
On the affected device, Smart License registration uses the configured DNS server instead of the proxy to resolve tools.cisco.com.
The proxy server IP address is visible in /etc/sf/smart_callhome.conf.
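To check a capture for this behaviour, the following added example (not Cisco code) parses summary lines in the text-export layout shown above and lists hostnames the FMC queried over DNS but never requested from the proxy with CONNECT. The sample lines are constructed from the captures on this page, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the captures above:
# no., date, time, source, destination, protocol, length, info.
SAMPLE = """\
8 2023-02-08 22:11:38.527799 10.88.243.114 72.163.47.11 DNS 75 Standard query 0x0e0a AAAA tools.cisco.com
9 2023-02-08 22:11:38.579506 72.163.47.11 10.88.243.114 DNS 103 Standard query response 0x0e0a AAAA tools.cisco.com AAAA 2001:420:1201:5::a
11 2023-02-08 21:46:04.779426 10.88.243.114 64.102.255.40 HTTP 163 CONNECT support.sourcefire.com:443 HTTP/1.1
"""

ROW = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+\d+\s+(.*)$")
DNS_QUERY = re.compile(r"^Standard query 0x[0-9a-f]+ \S+ (\S+)$")  # not responses
CONNECT = re.compile(r"^CONNECT ([^:\s]+):\d+ HTTP/")


def classify(capture_text, client_ip):
    """Map hostname -> {'dns': servers queried, 'proxy': proxies sent a CONNECT}."""
    seen = defaultdict(lambda: {"dns": set(), "proxy": set()})
    for line in capture_text.splitlines():
        row = ROW.match(line)
        if not row:
            continue
        src, dst, proto, info = row.groups()
        if src != client_ip:
            continue  # only traffic originated by the FMC itself
        info = info.strip()
        if proto == "DNS" and (m := DNS_QUERY.match(info)):
            seen[m.group(1).lower()]["dns"].add(dst)
        elif proto == "HTTP" and (m := CONNECT.match(info)):
            seen[m.group(1).lower()]["proxy"].add(dst)
    return dict(seen)


def resolved_outside_proxy(seen):
    """Hosts the client looked up itself and never requested from the proxy."""
    return sorted(h for h, v in seen.items() if v["dns"] and not v["proxy"])


if __name__ == "__main__":
    result = classify(SAMPLE, "10.88.243.114")
    for host, v in sorted(result.items()):
        print(host, "dns:", sorted(v["dns"]), "proxy:", sorted(v["proxy"]))
    print("resolved outside proxy:", resolved_outside_proxy(result))
```

The result is only meaningful when the capture covers both DNS traffic and the proxy port for the whole registration attempt; a manual nslookup during the capture window will also appear as a direct lookup.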
Conditions
FMC
7.2.2
Proxy server configured on the management interface
Smart license registration
Workaround
Run the /usr/local/sf/bin/configure-network script from the CLI, then re-apply the proxy settings.