ASA Smart Licensing Fails Due to Certificate Handshake: SOLVED

Problem

When attempting to register a Cisco ASA via Smart Licensing, the following messages are logged and, as a result, licensing registration fails.

%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 40016EFB0A205CFAEBE18F71D73ABB78, subject name: cn=HydrantID Server CA O1,ou=HydrantID Trusted Certificate Service,o=IdenTrust,c=US, issuer name: cn=IdenTrust Commercial Root CA 1,o=IdenTrust,c=US .
%ASA-7-717029: Identified client certificate within certificate chain. serial number: 40017E745D7448BB2EF502BD06330058, subject name: c=US,st=California,l=San Jose,o=Cisco Systems Inc.,cn=tools.cisco.com.
%ASA-3-717027: Certificate chain failed validation. No suitable trustpoint was found to validate chain.
%ASA-7-725014: SSL lib error. Function: ssl3_get_server_certificate Reason: certificate verify failed
%ASA-4-120006: Call-Home license message to https://tools.cisco.com/its/service/oddce/services/DDCEService failed. Reason: CONNECT_FAILED
%ASA-4-120005: Call-Home license message to https://tools.cisco.com/its/service/oddce/services/DDCEService was dropped. Reason: CONNECT_FAILED
%ASA-3-444303: %SMART_LIC-3-AGENT_REG_FAILED:Smart Agent for Licensing Registration with Cisco licensing cloud failed: Communication message send error
%ASA-3-444303: %SMART_LIC-3-COMM_FAILED:Communications failure with Cisco licensing cloud: Communication message send error

Root Cause

As per Cisco's documentation, Cisco's web servers were migrated to a different root CA. The log shows that the chain presented by tools.cisco.com is now issued under IdenTrust Commercial Root CA 1, and the ASA's trustpool does not contain that root, so the chain cannot be validated and the Call-Home connection to the licensing portal fails.

Solution

Enter the following command to import the trustpool bundle containing the root certificates required to connect to the licensing portal, then complete the license registration.

crypto ca trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b
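To pin down which root CA the trustpool is missing from a burst of messages like the one above, here is an added Python helper (not from the original post) that parses the %ASA-3-717009 and %ASA-7-717029 lines and reports the issuer the ASA could not anchor, together with the server it was contacting. The sample log is constructed from the post's own messages.

```python
import re
from typing import Dict, List

# Constructed sample input: the ASA syslog lines quoted in the post, re-joined
# after the terminal wrapping that mangled them on the page.
SAMPLE_LOG = """\
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 40016EFB0A205CFAEBE18F71D73ABB78, subject name: cn=HydrantID Server CA O1,ou=HydrantID Trusted Certificate Service,o=IdenTrust,c=US, issuer name: cn=IdenTrust Commercial Root CA 1,o=IdenTrust,c=US .
%ASA-7-717029: Identified client certificate within certificate chain. serial number: 40017E745D7448BB2EF502BD06330058, subject name: c=US,st=California,l=San Jose,o=Cisco Systems Inc.,cn=tools.cisco.com.
%ASA-3-717027: Certificate chain failed validation. No suitable trustpoint was found to validate chain.
%ASA-4-120006: Call-Home license message to https://tools.cisco.com/its/service/oddce/services/DDCEService failed. Reason: CONNECT_FAILED
"""

# 717009 names the certificate the ASA could not anchor; the issuer it prints
# is the CA that has to be present in the trustpool.
UNANCHORED_RE = re.compile(
    r"%ASA-3-717009: .*?serial number: (?P<serial>[0-9A-Fa-f]+), "
    r"subject name: (?P<subject>.*?), issuer name: (?P<issuer>.*?)\s*\.$")
# 717029 identifies the leaf certificate of the server being contacted.
LEAF_RE = re.compile(r"%ASA-7-717029: .*?subject name: (?P<subject>.*?)\.?$")


def cn_of(dn: str) -> str:
    """CN attribute of a DN as the ASA prints it (empty string if absent)."""
    m = re.search(r"(?:^|,)cn=([^,]+)", dn, re.IGNORECASE)
    return m.group(1).strip() if m else ""


def unanchored_certs(log_text: str) -> List[Dict[str, str]]:
    """Each certificate the ASA could not validate, with the issuer it needs."""
    # search() rather than match() so a syslog timestamp prefix is tolerated.
    hits = (UNANCHORED_RE.search(l.strip()) for l in log_text.splitlines())
    return [m.groupdict() for m in hits if m]


def summarize(log_text: str) -> dict:
    """Condense a licensing-failure burst into the facts an operator acts on."""
    roots = [cn_of(c["issuer"]) for c in unanchored_certs(log_text)]
    leaves = [cn_of(m["subject"]) for m in
              (LEAF_RE.search(l.strip()) for l in log_text.splitlines()) if m]
    return {
        "missing_roots": sorted(set(roots)),   # CAs absent from the trustpool
        "leaf_hosts": sorted(set(leaves)),     # servers whose chain failed
        "chain_failed": "%ASA-3-717027" in log_text,
        "connect_failed": "CONNECT_FAILED" in log_text,
    }
```

Compare the reported missing root against the ASA's own trustpool listing (show crypto ca trustpool); after the import above it should contain that CA.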
