Troubleshooting Licensing Issues
This chapter describes how to identify and resolve problems related to firewall licensing on the Virtual Supervisor Module (VSM).
This chapter includes the following sections:
•Troubleshooting Unlicensed Firewall Modules
•Troubleshooting License Installation Issues
•Determining Firewall License Usage
•Viewing Installed License Information
•Troubleshooting the Removal of a License
Information about Licensing
The Cisco VSG license package name is NEXUS1000V_VSG_SERVICES_PKG.
The licensing model for Cisco VSG is based on the number of CPU sockets of the ESX servers attached as Virtual Ethernet Modules (VEM) to the Virtual Supervisor Module (VSM).
A module is licensed or unlicensed according to the following definitions:
•Firewalled module—A VEM is considered to be firewalled if it is able to acquire licenses for all of its CPU sockets.
•Non-firewalled module—A VEM is considered to be non-firewalled if it is not able to acquire licenses for any, or a subset of, its CPU sockets.
If a VEM is non-firewalled, all the virtual Ethernet ports on the VEM that correspond to the virtual machines (VMs) are kept in pass-through mode, so that these virtual machines are not firewalled.
By default, the VSM contains 16 CPU socket licenses for the firewall. This license is valid only for the first 60 days after the deployment of the VSM.
For additional information about licensing, see the Cisco Virtual Security Gateway for Nexus 1000V Series Switch License Configuration Guide, Release 4.2(1)VSG1(1).
Troubleshooting Unlicensed Firewall Modules
By default, both the VSM and Cisco VSG (firewall) have 16 CPU socket licenses that are valid for 60 days.
This section includes the following topics:
•Check the Number of Firewall Licenses
•Identify an Unlicensed Firewall Module
Check the Number of Firewall Licenses
To check the number of firewall licenses in use and to list the modules that are firewalled, use the show license usage command.
This example shows the results of the command:
vem# show license usage NEXUS_VSG_SERVICES_PKG
----------------------------------------
Feature Usage Info
----------------------------------------
Installed Licenses : 0
Default Eval Licenses : 16
Max Overdraft Licenses : 0
Installed Licenses in Use : 0
Overdraft Licenses in Use : 0
Default Eval Lic in Use : 2
Default Eval days left : 55
Licenses Available : 14
Shortest Expiry : 18 Apr 2011
----------------------------------------
Application
----------------------------------------
VEM 3 - Socket 1
VEM 3 - Socket 2
----------------------------------------
vem#
As shown in the output, module 3 is firewalled and two firewall licenses have been assigned to it.
Identify an Unlicensed Firewall Module
To identify an unlicensed firewall module, enter the show vsn detail command on the VSM.
This example shows the results of the command:
vsm# show vsn detail
#VSN VLAN: 754, IP-ADDR: 200.1.1.10
MODULE  VSN-MAC-ADDR       FAIL-MODE  VSN-STATE
3       00:50:56:83:00:01  Close      No-License
#VSN Ports, Port-Profile, Org and Security-Profile Association:
#VSN VLAN: 754, IP-ADDR: 200.1.1.10
Port-Profile: profile-traffic, Security-Profile: sec-profile-perf, Org: root/Tenant-perf-1.1
Module Vethernet
3 9
vsm#
As shown in the VSN-STATE field, VEM 3 does not have a firewall license.
Note: The server administrator has no information on whether the VEMs are firewall licensed or unlicensed. Therefore, the firewall license state of the VEMs must be communicated to the server administrators so that they are aware that the vEthernet interfaces on unlicensed firewall modules cannot firewall traffic.
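Because VMs on a No-License module run in pass-through mode, it helps to turn the show vsn detail output into a list of unfirewalled vEthernet interfaces that can be handed to the server administrators. The following is an added example, not Cisco code; it assumes the command output has been saved as text off the switch, the function name unlicensed_ports is hypothetical, and the handling of several interfaces on one row is an assumption about the output format.

```python
import re

# Sample input: the 'show vsn detail' output shown above on this page.
SAMPLE = """\
#VSN VLAN: 754, IP-ADDR: 200.1.1.10
MODULE VSN-MAC-ADDR FAIL-MODE VSN-STATE
3 00:50:56:83:00:01 Close No-License
#VSN Ports, Port-Profile, Org and Security-Profile Association:
#VSN VLAN: 754, IP-ADDR: 200.1.1.10
Port-Profile: profile-traffic, Security-Profile: sec-profile-perf, Org: root/Tenant-perf-1.1
Module Vethernet
3 9
"""

MODULE_ROW = re.compile(
    r"^\s*(\d+)\s+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(\S+)\s+(\S+)\s*$")
PORT_ROW = re.compile(r"^\s*(\d+)\s+(\d[\d,\s]*)$")
PROFILE = re.compile(
    r"Port-Profile:\s*([^,]+),\s*Security-Profile:\s*([^,]+),\s*Org:\s*(\S+)")


def unlicensed_ports(output):
    """Return one record per vEthernet interface on a No-License module."""
    states = {}               # module number -> VSN-STATE
    records = []
    profile = ("", "", "")    # the latest Port-Profile line applies to rows below it
    in_ports = False
    for line in output.splitlines():
        if line.startswith("#VSN Ports"):
            in_ports = True   # module table is finished, association table starts
        elif (m := PROFILE.search(line)):
            profile = m.groups()
        elif in_ports and (m := PORT_ROW.match(line)):
            module = int(m.group(1))
            if states.get(module) != "No-License":
                continue
            # Assumption: several interfaces appear comma- or space-separated.
            for veth in re.findall(r"\d+", m.group(2)):
                records.append({"module": module, "vethernet": int(veth),
                                "port_profile": profile[0],
                                "security_profile": profile[1],
                                "org": profile[2]})
        elif not in_ports and (m := MODULE_ROW.match(line)):
            states[int(m.group(1))] = m.group(4)
    return records


if __name__ == "__main__":
    for rec in unlicensed_ports(SAMPLE):
        print(rec)
```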
Troubleshooting License Installation Issues
This section assumes that you have a valid Cisco VSG license file.
For additional information about licensing, see the Cisco Virtual Security Gateway for Nexus 1000V Series Switch License Configuration Guide, Release 4.2(1)VSG1(1).
This section includes the following topics:
•License Troubleshooting Checklist
•Removing an Evaluation License File
License Troubleshooting Checklist
Before you start the troubleshooting process, verify the following requirements:
•Make sure that the name of the license file is less than 32 characters.
•Make sure that no other license file with the same name is installed on the VSM. If there is a license file with the same name, rename your new license file to something else.
•Do not edit the contents of the license file. If you have already done so, please contact your Cisco Technical Assistance Center (TAC) Team.
•Make sure that the host ID in the license file is the same as the host ID on the switch.
Contents of the License File
The Cisco VSG license file looks as follows:
Linux(debug)# cat vsg.lic
SERVER this_host ANY
VENDOR cisco
INCREMENT NEXUS_VSG_SERVICES_PKG cisco 1.0 3-mar-2011 16 \
HOSTID=VDH=1218291845128904258 \
NOTICE="<LicFileID>20101203153943867</LicFileID><LicLineID>1</LicLineID> \
<PAK></PAK>" SIGN=00310BEEE50A
Linux(debug)#
To identify the host ID of the VSM, use the show license host-id command.
This example shows the results of the command:
vsm# show license host-id
License hostid: VDH=1218291845128904258
vsm#
Notice that both instances of the host-id match and are equal to VDH=1218291845128904258.
Note: Both NEXUS1000V_LAN_SERVICES and NEXUS_VSG_SERVICES use the same host ID (host ID of VSM). There is no such host ID on the VSG.
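The checklist items above can be checked before the file is copied to the VSM. The following is an added example, not Cisco code; it reads the license file without modifying it, it assumes the show license host-id output has been saved as text, and the function names and the installed_names parameter are hypothetical.

```python
import re

MAX_NAME_LEN = 32  # checklist: file name must be less than 32 characters

# Sample inputs: the license file and command output shown on this page.
SAMPLE_LICENSE = """\
SERVER this_host ANY
VENDOR cisco
INCREMENT NEXUS_VSG_SERVICES_PKG cisco 1.0 3-mar-2011 16 \\
HOSTID=VDH=1218291845128904258 \\
NOTICE="<LicFileID>20101203153943867</LicFileID><LicLineID>1</LicLineID> \\
<PAK></PAK>" SIGN=00310BEEE50A
"""
SAMPLE_HOST_ID_OUTPUT = "License hostid: VDH=1218291845128904258\n"


def parse_license(text):
    """Return feature, license count and host ID from the INCREMENT entry."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)  # join backslash-continued lines
    inc = re.search(r"^INCREMENT\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\d+)", joined, re.M)
    host = re.search(r"\bHOSTID=(\S+)", joined)
    if not inc or not host:
        raise ValueError("no INCREMENT entry with a HOSTID found")
    return {"feature": inc.group(1), "count": int(inc.group(2)),
            "host_id": host.group(1)}


def parse_switch_host_id(show_output):
    """Extract the value printed by 'show license host-id'."""
    m = re.search(r"License hostid:\s*(\S+)", show_output)
    if not m:
        raise ValueError("no 'License hostid:' line in the output")
    return m.group(1)


def preflight(file_name, license_text, show_output, installed_names=()):
    """Return the checklist violations found; an empty list means none."""
    problems = []
    if len(file_name) >= MAX_NAME_LEN:
        problems.append("file name is not less than 32 characters")
    if file_name in installed_names:
        problems.append("a license file with this name is already installed")
    lic = parse_license(license_text)
    switch_id = parse_switch_host_id(show_output)
    if lic["host_id"] != switch_id:
        problems.append(f"host ID mismatch: file {lic['host_id']}, switch {switch_id}")
    return problems


if __name__ == "__main__":
    print(preflight("vsg.lic", SAMPLE_LICENSE, SAMPLE_HOST_ID_OUTPUT))
```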
Removing an Evaluation License File
If an evaluation license file is already installed on the VSM, then you must remove it from the VSM before installing a permanent license file. For more information, see the Cisco Virtual Security Gateway for Nexus 1000V Series Switch License Configuration Guide, Release 4.2(1)VSG1(1).
Determining Firewall License Usage
To view the firewall license state of the VEMs on your VSM and the number of CPU sockets per VEM, enter the module vem 3 execute vemcmd show vsn config command.
This example shows how to display internal license information:
vsm# module vem 3 execute vemcmd show vsn config
VNS Enabled | VNS Licenses Available 2
VSN#  VLAN  IP          STATIC-MAC         LEARNED-MAC        LTLs
1     754   200.1.1.10  00:00:00:00:00:00  00:50:56:83:00:01  0
vsm#
In this output, VEM 3 is licensed. It has two CPU sockets and it currently uses two firewall licenses.
Viewing Installed License Information
Use the show license usage command to view the installed license count.
This example shows the results of the command:
vsm# show license usage
Feature                      Ins  Lic   Status Expiry Date Comments
                                 Count
--------------------------------------------------------------------------------
NEXUS_VSG_SERVICES_PKG        No   16   In use 18 Apr 2011 -
NEXUS1000V_LAN_SERVICES_PKG   No   16   In use 18 Apr 2011 -
--------------------------------------------------------------------------------
vsm#
The output shows that 16 licenses (LAN and Cisco VSG) have been installed and they will expire on 18 Apr 2011.
Troubleshooting the Removal of a License
You cannot clear a license file that is currently in use. To clear a license file, first make sure that all modules check their firewall licenses back in to the license pool. Check in the licenses by using the vsg license transfer src-vem [module #] license_pool command.
After doing the license transfer, clear the license file using the clear license command.
This example shows the results of the command:
vsm# clear license vsg.lic
vsm# clearing license . . . . done
vsm#