Troubleshooting Licensing Issues


This chapter describes how to identify and resolve problems related to firewall licensing on the Virtual Supervisor Module (VSM).

This chapter includes the following sections:

Information about Licensing

Troubleshooting Unlicensed Firewall Modules

Troubleshooting License Installation Issues

Determining Firewall License Usage

Viewing Installed License Information

Troubleshooting the Removal of a License

Information about Licensing

The Cisco VSG license package name is NEXUS1000V_VSG_SERVICES_PKG.

The licensing model for Cisco VSG is based on the number of CPU sockets of the ESX servers attached as Virtual Ethernet Modules (VEM) to the Virtual Supervisor Module (VSM).

A module is licensed or unlicensed according to the following definitions:

Firewalled module—A VEM is considered to be firewalled if it is able to acquire licenses for all of its CPU sockets.

Non-firewalled module—A VEM is considered to be non-firewalled if it is not able to acquire licenses for any, or a subset of, its CPU sockets.

If a VEM is non-firewalled, all the virtual Ethernet ports on the VEM that correspond to the virtual machines (VMs) are kept in pass-through mode, so that these virtual machines are not firewalled.

By default, the VSM contains 16 CPU socketl licenses for firewall. This license is valid only for the first 60 days after the deployment of VSM.

For additional information about licensing, see the Cisco Virtual Security Gateway for Nexus 1000V Series Switch License Configuration Guide, Release 4.2(1)VSG1(1).

Troubleshooting Unlicensed Firewall Modules

By default, both the VSM and Cisco VSG (firewall) have 16 CPU socket licenses that are valid for 60 days.

This section includes the following topics:

Check the Number of Firewall Licenses

Identify an Unlicensed Firewall Module

Check the Number of Firewall Licenses

To check the number of firewall licenses in use and to know the list of modules that are firewalled, use the show license usage command.

This example shows the results of the command:

vem# show license usage NEXUS_VSG_SERVICES_PKG
----------------------------------------
Feature Usage Info
----------------------------------------
       Installed Licenses : 0
    Default Eval Licenses : 16
   Max Overdraft Licenses : 0
Installed Licenses in Use : 0
Overdraft Licenses in Use : 0
  Default Eval Lic in Use : 2
   Default Eval days left : 55
       Licenses Available : 14
          Shortest Expiry : 18 Apr 2011
----------------------------------------
Application
----------------------------------------
VEM 3 - Socket 1
VEM 3 - Socket 2
----------------------------------------
vem#
 
   

As shown, the output module 3 is firewalled and two firewall licenses have been assigned.

Identify an Unlicensed Firewall Module

To identify an unlicensed firewall module, enter the show vsn detail command on the VSM.

This example shows the results of the command:

vsm# show vsn detail
#VSN  VLAN: 754, IP-ADDR: 200.1.1.10
  MODULE       VSN-MAC-ADDR  FAIL-MODE   VSN-STATE
       3  00:50:56:83:00:01      Close  No-License
 
   
#VSN Ports, Port-Profile, Org and Security-Profile Association:
#VSN  VLAN: 754, IP-ADDR: 200.1.1.10
  Port-Profile: profile-traffic, Security-Profile: sec-profile-perf, Org: 
root/Tenant-perf-1.1
    Module  Vethernet
         3  9
vsm# 

As shown, the status field for VEM 3 does not have a firewall license.


Note The server administrator has no information on whether the VEMs are firewall licensed or unlicensed. Therefore, the firewall license state of the VEMs must be communicated to the server administrators so that they are aware that the vEthernet interfaces on unlicensed firewall modules cannot firewall traffic.


Troubleshooting License Installation Issues

This section assumes that you have a valid Cisco VSG license file.

For additional information about licensing, see the Cisco Virtual Security Gateway for Nexus 1000V Series Switch License Configuration Guide, Release 4.2(1)VSG1(1).

This section includes the following topics:

License Troubleshooting Checklist

Contents of the License File

Removing an Evaluation License File

License Troubleshooting Checklist

Before you start the troubleshooting process, follow these requirements:

Make sure that the name of the license file is less than 32 characters.

Make sure that no other license file with the same name is installed on the VSM. If there is a license file with the same name, rename your new license file to something else.

Do not edit the contents of the license file. If you have already done so, please contact your Cisco Technical Assistance Center (TAC) Team.

Make sure that the host ID in the license file is the same as the host ID on the switch.

Contents of the License File

The Cisco VSG license file looks as follows:

Linux(debug)# cat vsg.lic
SERVER this_host ANY
VENDOR cisco
INCREMENT NEXUS_VSG_SERVICES_PKG cisco 1.0 3-mar-2011 16 \
        HOSTID=VDH=1218291845128904258 \
        NOTICE="<LicFileID>20101203153943867</LicFileID><LicLineID>1</LicLineID> \
        <PAK></PAK>" SIGN=00310BEEE50A
Linux(debug)#
 
   

To identify the host ID of the VSM, use the show license host-id command.

This example shows the results of the command:

vsm# show license host-id
License hostid: VDH=1218291845128904258
vsm# 

Notice that both instances of the host-id match and are equal to VDH=1218291845128904258.


Note Both NEXUS1000V_LAN_SERVICES and NEXUS_VSG_SERVICES use the same host ID (host ID of VSM). There is no such host ID on the VSG.


Removing an Evaluation License File

If an evaluation license file is already installed on the VSM, then you must remove it from the VSM before installing a permanent license file. For more information, see the Cisco Virtual Security Gateway for Nexus 1000V Series Switch License Configuration Guide, Release 4.2(1)VSG1(1).

Determining Firewall License Usage

To view the firewall license state of the VEMs on your VSM and the number of CPU sockets per VEM, enter the module vem 3 execute vemcmd show vsn config command.

This example shows how to display internal license information:

vsm# module vem 3 execute vemcmd show vsn config
  VNS Enabled  | VNS Licenses Available   2
  VSN#  VLAN               IP         STATIC-MAC        LEARNED-MAC  LTLs
     1   754       200.1.1.10  00:00:00:00:00:00  00:50:56:83:00:01     0
vsm# 
 
   

In this output, VEM 3 is licensed. It has two CPU sockets and it currently uses two firewall licenses.

Viewing Installed License Information

Use the show license usage command to view the installed license count.

This example shows the results of the command:

vsm# show license usage
Feature                      Ins  Lic   Status Expiry Date Comments
                                 Count
--------------------------------------------------------------------------------
NEXUS_VSG_SERVICES_PKG        No   16   In use 18 Apr 2011 -
NEXUS1000V_LAN_SERVICES_PKG   No   16   In use 18 Apr 2011 -
--------------------------------------------------------------------------------
vsm#
 
   

The output shows that 16 licenses (LAN and Cisco VSG) have been installed and they will expire on 18 Apr 2011.

Troubleshooting the Removal of a License

You cannot clear a license file that is currently being used. To clear a license file, make sure all modules check-in the firewall license back to the license pool. Check-in the licenses using the vsg license transfer src-vem [module #] license_pool command.

After doing the license transfer, clear the license file using the clear license command.

This example shows the results of the command:

vsm# clear license vsg.lic 
vsm# clearing license . . . . done
vsm#