PDF(552.2 KB) View with Adobe Reader on a variety of devices
ePub(606.5 KB) View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle)(369.7 KB) View on Kindle device or Kindle app on multiple devices
Updated:November 15, 2023
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes how to troubleshoot the most common issues of Hyperflex registration license issues.
Cisco recommends that you have basic knowledge of these topics:
The information in this document is based on:
Hyperflex Data Program (HXDP) 5.0.(2a) and higher
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
What is Smart License
Cisco Smart Licensing (Smart Licensing) is an intelligent cloud-based software license management solution that simplifies the three core license functions (Purchase, Management, and Report) across your entire organization.
Cisco Hyperflex integrates with Smart Licensing and it is automatically enabled by default as you create a Hyperflex storage cluster. However, for your Hyperflex storage cluster to consume and report licenses, you must register it with Cisco Smart Software Manager (SSM) through your Cisco Smart Account.
A Smart Account is a cloud-based repository that provides full visibility and access control to all the Cisco software licenses purchased and product instances across your company.
Note: In Hyperflex clusters, registration is valid for one year. After that, Hyperflex automatically attempts to re-register so no human interaction is required.
Strict Enforcement Policy
From version HXDP 5.0(2a) onward, some features are blocked from Hyperflex Connect GUI if the cluster is not in compliance with the license.
License status example scenarios:
In this scenario, the cluster is In compliance with the License status.
In the next scenario, the Cluster is registered, but the License State is Out of Compliance, and the grace period is between one (1) to ninety (90) days.
In this case, no features are blocked, but a banner appears on the top of the menu which prompts you to activate the required license before the grace period expires.
In this scenario, the cluster is registered, the License State is Out of Compliance, and the grace period is zero (0).
For guidance on how to register Hyperflex with your Smart License account, check this video.
Confirm that your configuration works properly.
Verify the license status via CLI. View the registration status and the authorization status.
There are some common scenarios where these two statuses can fail, both of them caused by the same root cause.
Scenario 1: HTTP/HTTPs Connectivity
License registration goes over TCP, and more specifically over HTTP and HTTPS, therefore it is critical to allow this communication.
Test connectivity from each Storage Controller VM (SCVM), but mainly from Cluster Management IP (CMIP) SCVM.
From logs, you can see specific errors when the environment is set incorrectly as devtest.
cat hxLicenseSvc.log | grep -ia "Name or service not known" 2021-09-01-18:27:11.557  [Thread-40] ERROR event_msg_sender_log - sch-alpha.cisco.com: Name or service not known
Tip: From the 5.0(2a) version, diag user is available to allow users to have more privileges to troubleshoot with access to restricted folders and commands that are not accessible via priv command line which was introduced in Hyperflex version 4.5.x.
You can change the environment type to production and retry the registration.
diag# stcli services sch set --email email@example.com --environment production --enable-proxy false
Scenario 4: Online Certificate Status Protocol (OCSP)
Hyperflex leverages OCSP and Certificate Revocation Lists (CRL) servers to validate HTTPS certificates during the license registration process.
These protocols are designed to distribute the revocation status over HTTP. CRLs and OCSP messages are public documents that indicate the revocation status of X.509 certificates when OCSP validation fails then license registration fails as well.
Tip: If OCSP fails, it means that a security device in between breaks the HTTP connection.
In order to confirm if OCSP validation is good, you can try to download the file to your CMIP SCVM / tmp partition, as shown in the example.
It is important to remark that the Subject Name and Issuer Name information must match the certificate shown in this example.
Warning: If at least one field in the subject or issuer is different, the registration fails. A bypass rule in the security SSL Inspection for Hyperflex Cluster management IPs and tools.cisco.com:443 can fix this.
In this example, you can see how to validate the same information received from the certificate in Hyperflex CMIP SCVM.
hxshell:~$ su diag diag# openssl s_client -connect tools.cisco.com:443 -showcerts < /dev/null CONNECTED(00000003) depth=2 C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1 verify return:1 depth=1 C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service,CN = HydrantID Server CA O1 verify return:1 depth=0 CN = tools.cisco.com, O = Cisco Systems Inc., L = San Jose, ST = California, C = US verify return:1 --- Certificate chain 0 s:/CN=tools.cisco.com/O=Cisco Systems Inc./L=San Jose/ST=California/C=US i:/C=US/O=IdenTrust/OU=HydrantID Trusted Certificate Service/CN=HydrantID Server CA O1 ... <TRUNCATED> ... 1 s:/C=US/O=IdenTrust/OU=HydrantID Trusted Certificate Service/CN=HydrantID Server CA O1 i:/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1 ... <TRUNCATED> ... 2 s:/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1 i:/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1 ... <TRUNCATED> ... --- Server certificate subject=/CN=tools.cisco.com/O=Cisco Systems Inc./L=San Jose/ST=California/C=US issuer=/C=US/O=IdenTrust/OU=HydrantID Trusted Certificate Service/CN=HydrantID Server CA O1 --- ... <TRUNCATED> ... --- DONE
This procedure can be leveraged if the covered scenarios are successful or resolved, yet license registration still fails.