...
With smart licensing configured for direct access to CSSM or for communication via an HTTPS proxy, registration fails with an "Error during SSL communication" failure:

RP/0/RP0/CPU0:Router#sh license all
Smart Licensing Status
======================
Smart Licensing is ENABLED

Registration:
  Status: REGISTERING - REGISTRATION IN PROGRESS
  Export-Controlled Functionality: NOT ALLOWED
  Initial Registration: FAILED on Dec 04 2023 14:40:58 UTC
  Failure reason: Error during SSL communication
  Next Registration Attempt: Dec 04 2023 15:00:28 UTC

License Authorization:
  Status: EVAL MODE
  Evaluation Period Remaining: 21 days, 2 hours, 29 minutes, 1 seconds

Export Authorization Key:
  Features Authorized:

Utility:
  Status: DISABLED

Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED

Transport:
  Type: Smart
  URL: https://smartreceiver.cisco.com/licservice/license
  Proxy:
    Address: x.x.x.x
    Port: 3128
    Username:
    Password:
    VRF: Not Supported
All of the following conditions must be met in order to see the issue:

1) Smart licensing is configured with direct access to CSSM or with communication via an HTTPS proxy:

# direct access to CSSM example:
license smart url https://smartreceiver.cisco.com/licservice/license

# communication via HTTPS proxy example:
license smart url https://smartreceiver.cisco.com/licservice/license
license smart proxy port 80
license smart proxy hostname x.x.x.x

2) CSSM (or the HTTPS proxy) is reachable via a VRF:

http client vrf TEST

3) A name server is configured only for the VRF (no name server is configured for the global routing table):

domain vrf TEST name-server y.y.y.y
Option 1: configure a "placeholder" static domain ipv4 host entry in the global routing table (GRT) for smartreceiver.cisco.com pointing to any IP:

conf t
domain ipv4 host smartreceiver.cisco.com x.x.x.x

Option 2: disable the CA FQDN check:

conf t
crypto ca fqdn-check ip-address allow
Starting from XR 7.10.1, a name server is required to validate that the name/CN in the X.509 certificate is an FQDN. The TLS connection to CSSM will not be established if no name server is configured (configuring "crypto ca fqdn-check ip-address allow" can be considered a workaround when no name server is configured). Due to this defect, XR looks for a name server in the GRT even when communication with CSSM is done in a VRF. With a fixed XR release, the "crypto ca trustpoint Trustpool vrf " configuration is required for CSSM communication in a VRF.
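As an added check that is not part of the bug report, the following Python evaluates a flat IOS XR running-config excerpt against the three trigger conditions and the two workarounds described above; the VRF name "TEST", the RFC 5737 addresses and the use of "domain name-server" as the global name-server form are assumptions.

```python
import re

# Constructed sample running-config excerpt (not from the bug report; VRF name "TEST"
# and the RFC 5737 documentation addresses are placeholders).
SAMPLE_EXPOSED = """\
license smart url https://smartreceiver.cisco.com/licservice/license
license smart proxy port 80
license smart proxy hostname 192.0.2.10
http client vrf TEST
domain vrf TEST name-server 192.0.2.53
"""

# Same config with workaround option 1 applied (placeholder host entry in the GRT).
SAMPLE_MITIGATED = SAMPLE_EXPOSED + "domain ipv4 host smartreceiver.cisco.com 192.0.2.1\n"


def first_match(pattern: str, lines: list) -> "re.Match | None":
    """Return the first line matching pattern (anchored at line start), or None."""
    for ln in lines:
        m = re.match(pattern, ln)
        if m:
            return m
    return None


def check_smart_license_dns(config: str) -> dict:
    """Evaluate the bug's trigger conditions and workarounds on a flat running-config.

    Assumption: 'domain name-server <ip>' is the global (GRT) name-server command.
    """
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # Condition 1: smart licensing via direct CSSM access or an HTTPS proxy (both use 'license smart url').
    smart_url = first_match(r"license smart url \S+", lines) is not None
    # Condition 2: HTTP client (and thus CSSM/proxy reachability) bound to a VRF.
    m = first_match(r"http client vrf (\S+)$", lines)
    http_vrf = m.group(1) if m else None
    # Condition 3: name server only under that VRF, none in the GRT.
    global_ns = first_match(r"domain name-server \S+", lines) is not None
    vrf_ns = http_vrf is not None and first_match(
        rf"domain vrf {re.escape(http_vrf)} name-server \S+", lines) is not None
    # Workarounds: GRT placeholder host for smartreceiver.cisco.com, or relaxed CA FQDN check.
    placeholder_host = first_match(r"domain ipv4 host smartreceiver\.cisco\.com \S+", lines) is not None
    fqdn_check_relaxed = "crypto ca fqdn-check ip-address allow" in lines
    conditions_met = smart_url and http_vrf is not None and vrf_ns and not global_ns
    workaround = placeholder_host or fqdn_check_relaxed
    verdict = "mitigated" if conditions_met and workaround else "exposed" if conditions_met else "not affected"
    return {"conditions_met": conditions_met, "workaround_present": workaround, "verdict": verdict}
```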