The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes how to troubleshoot issues that are related to firewall licensing on the Virtual Supervisor Module (VSM).
The Cisco Virtual Security Gateway (VSG) license package name is NEXUS1000V_VSG_SERVICES_PKG.
The licensing model for the Cisco VSG is based on the number of CPU sockets of the ESX servers attached as Virtual Ethernet Modules (VEMs) to the Virtual Supervisor Module (VSM).
A module is licensed or unlicensed according to the following definitions:
If a VEM is nonfirewalled, all the virtual Ethernet ports on the VEM that correspond to the virtual machines (VMs) are kept in pass-through mode, so that these virtual machines are not firewalled.
By default, the VSM contains 16 CPU socket licenses for Cisco VSGs. This license is valid only for the first 60 days after the deployment of VSM.
For additional information about licensing, see the Cisco Virtual Security Gateway for Nexus 1000V Series Switch License Configuration Guide for your release number.
By default, both the VSM and the Cisco VSG have 16 CPU socket licenses that are valid for 60 days.
This section includes the following topics:
You can check the number of Cisco VSG licenses in use and see the list of modules that are firewalled by entering the s how license usage command.
This example shows how to display the license usage for your Cisco VSG:
As shown, the output module 3 is firewalled and two Cisco VSG licenses have been assigned.
You can identify an unlicensed Cisco VSG by entering the show vsn detail command on the VSM.
This example shows how to display the details of the Cisco VSG:
As shown in the command output, the status field for VEM 3 does not have a Cisco VSG license.
Note The server administrator has no information on whether the VEMs are Cisco VSG licensed or unlicensed. Therefore, the Cisco VSG license state of the VEMs must be communicated to the server administrators so that they are aware that the vEthernet interfaces on unlicensed Cisco VSGs cannot firewall traffic.
This section describes how to troubleshoot Cisco VSG license installation issues.
Note This section assumes that you have a valid Cisco VSG license file.
For additional information about licensing, see the Cisco Virtual Security Gateway for Nexus 1000V Series Switch License Configuration Guide for your release number.
This section includes the following topics:
Before you start the troubleshooting process, follow these requirements:
The Cisco VSG license file looks as follows:
You can identify the host ID of the VSM by entering the show license host-id command.
This example shows the results of the command:
Notice that in both instances of the command output the host-ID matches and is equal to VDH=1218291845128904258.
Note Both NEXUS1000V_LAN_SERVICES and NEXUS_VSG_SERVICES use the same host ID (host ID of VSM). There is no such host ID on the VSG.
If an evaluation license file is already installed on the VSM, you must remove it from the VSM before installing a permanent license file. For more information, see the Cisco Virtual Security Gateway for Nexus 1000V Series Switch License Configuration Guide for your release number.
You can view the Cisco VSG license state of the VEMs on your VSM and the number of CPU sockets per VEM by entering the module vem 3 execute vemcmd show vsn config command.
This example shows how to confirm the Cisco VSG license state:
In this command output, VEM 3 is licensed. It has two CPU sockets and it currently uses two firewall licenses.
You can view the installed license count by entering the show license usage command.
This example shows how to display the installed licenses count:
The output shows that 16 licenses (LAN and Cisco VSG) have been installed and they will expire on January 18, 2012.
You cannot clear a license file that is being used. To clear a license file, make sure that all modules check in the Cisco VSG license back to the license pool. You can check in the licenses by entering the vsg license transfer src-vem [module_#] license_pool command.
After doing the license transfer, clear the license file using the clear license command.
This example shows how to clear the license file: