Troubleshooting Licensing Issues


This chapter describes how to troubleshoot issues that are related to firewall licensing on the Virtual Supervisor Module (VSM).

This chapter includes the following sections:

Information About Licensing

Troubleshooting Unlicensed Cisco VSG Modules

Troubleshooting License Installation Issues

Determining Cisco VSG License Usage

Viewing Installed License Information

Troubleshooting the Removal of a License

Information About Licensing

The Cisco Virtual Security Gateway (VSG) license package name is NEXUS1000V_VSG_SERVICES_PKG.

The licensing model for the Cisco VSG is based on the number of CPU sockets of the ESX servers attached as Virtual Ethernet Modules (VEMs) to the Virtual Supervisor Module (VSM).

A module is licensed or unlicensed according to the following definitions:

Firewalled module—A VEM is considered to be firewalled if it can acquire licenses for all of its CPU sockets.

Nonfirewalled module—A VEM is considered to be nonfirewalled if it cannot acquire licenses for any, or a subset of, its CPU sockets.

If a VEM is nonfirewalled, all the virtual Ethernet ports on the VEM that correspond to the virtual machines (VMs) are kept in pass-through mode, so that these virtual machines are not firewalled.

By default, the VSM contains 16 CPU socket licenses for Cisco VSGs. This license is valid only for the first 60 days after the deployment of VSM.

For additional information about licensing, see the Cisco Virtual Security Gateway for VMware vSphere License Configuration Guide, Release 4.2(1)VSG2(1.1).

Troubleshooting Unlicensed Cisco VSG Modules

By default, both the VSM and the Cisco VSG have 16 CPU socket licenses that are valid for 60 days.

This section includes the following topics:

Checking the Number of Cisco VSG Licenses

Identifying an Unlicensed Cisco VSG

Checking the Number of Cisco VSG Licenses

You can check the number of Cisco VSG licenses in use and see the list of modules that are firewalled by entering the show license usage command.

This example shows how to display the license usage for your Cisco VSG:

vem# show license usage NEXUS_VSG_SERVICES_PKG
----------------------------------------
Feature Usage Info
----------------------------------------
       Installed Licenses : 0
    Default Eval Licenses : 16
   Max Overdraft Licenses : 0
Installed Licenses in Use : 0
Overdraft Licenses in Use : 0
  Default Eval Lic in Use : 2
   Default Eval days left : 55
       Licenses Available : 14
          Shortest Expiry : 18 Apr 2011
----------------------------------------
Application
----------------------------------------
VEM 3 - Socket 1
VEM 3 - Socket 2
----------------------------------------
 
   

As shown, the output module 3 is firewalled and two Cisco VSG licenses have been assigned.

Identifying an Unlicensed Cisco VSG

You can identify an unlicensed Cisco VSG by entering the show vservice detail command on the VSM.

This example shows how to display the details of the Cisco VSG:

vsm# show vservice detail
 
   
--------------------------------------------------------------------------------
License Information
--------------------------------------------------------------------------------
Mod VSG-Lic-Count ASA-Lic-Count
6 UnLicensed 0
 
   
--------------------------------------------------------------------------------
Node Information
--------------------------------------------------------------------------------
Node ID:6 Name:vsg1
Type:vsg IPAddr:40.40.40.40 Fail:close Vlan:753
Mod State MAC-Addr VVer
6 Alive 00:50:56:95:49:6f 2
 
   
--------------------------------------------------------------------------------
Path Information
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Port Information
--------------------------------------------------------------------------------
PortProfile:vmpp1
Org:root/Tenant_Scale
Node:vsg1(40.40.40.40) Profile(Id):SP_Scale(30)
Veth8
Module :6
VM-Name :vm1
vNIC:Network Adapter 2
DV-Port :1057
VM-UUID :50 02 41 d6 9b 2b 03 2f-ad 0d 9d ad 87 e9 54 51
DVS-UUID:3e 43 15 50 95 39 5e bc-95 52 e4 de 61 19 b7 9f
IP-Addrs:14.14.14.21,
 
   

Note The server administrator has no information on whether the VEMs are Cisco VSG licensed or unlicensed. Therefore, the Cisco VSG license state of the VEMs must be communicated to the server administrators so that they are aware that the vEthernet interfaces on unlicensed Cisco VSGs cannot firewall traffic.


Troubleshooting License Installation Issues

This section describes how to troubleshoot Cisco VSG license installation issues.


Note This section assumes that you have a valid Cisco VSG license file.


For additional information about licensing, see the Cisco Virtual Security Gateway for VMware vSphere License Configuration Guide, Release 4.2(1)VSG2(1.1).

This section includes the following topics:

License Troubleshooting Checklist

Contents of the License File

Removing an Evaluation License File

License Troubleshooting Checklist

Before you start the troubleshooting process, follow these requirements:

Make sure that the name of the license file is less than 32 characters.

Make sure that no other license file with the same name is installed on the VSM. If there is a license file with the same name, rename your new license file to something else.

Do not edit the contents of the license file. If you have already done so, contact your Cisco Technical Assistance Center (TAC) Team.

Make sure that the host ID in the license file is the same as the host ID on the switch.

Contents of the License File

The Cisco VSG license file looks as follows:

Linux(debug)# cat vsg.lic
SERVER this_host ANY
VENDOR cisco
INCREMENT NEXUS_VSG_SERVICES_PKG cisco 1.0 3-mar-2011 16 \
        HOSTID=VDH=1218291845128904258 \
        NOTICE="<LicFileID>20101203153943867</LicFileID><LicLineID>1</LicLineID> \
        <PAK></PAK>" SIGN=00310BEEE50A
 
   

You can identify the host ID of the VSM by entering the show license host-id command.

This example shows the results of the command:

vsm# show license host-id
License hostid: VDH=1218291845128904258

Notice that in both instances of the command output the host-ID matches and is equal to VDH=1218291845128904258.


Note Both NEXUS1000V_LAN_SERVICES and NEXUS_VSG_SERVICES use the same host ID (host ID of VSM). There is no such host ID on the VSG.


Removing an Evaluation License File

If an evaluation license file is already installed on the VSM, you must remove it from the VSM before installing a permanent license file. For more information, see the Cisco Virtual Security Gateway for VMware vSphere License Configuration Guide, Release 4.2(1)VSG2(1.1) for your release number.

Determining Cisco VSG License Usage

You can view the Cisco VSG license state of the VEMs on your VSM and the number of CPU sockets per VEM by entering the module vem 3 execute vemcmd show vsn config command.

This example shows how to confirm the Cisco VSG license state:

vsm# module vem 3 execute vemcmd show vsn config
  VNS Enabled  | VNS Licenses Available   2
  VSN#  VLAN               IP         STATIC-MAC        LEARNED-MAC  LTLs
     1   754       200.1.1.10  00:00:00:00:00:00  00:50:56:83:00:01     0
 
   

In this command output, VEM 3 is licensed. It has two CPU sockets and it currently uses two firewall licenses.

Viewing Installed License Information

You can view the installed license count by entering the show license usage command.

This example shows how to display the installed licenses count:

vsm# show license usage
Feature                      Ins  Lic   Status Expiry Date Comments
                                 Count
--------------------------------------------------------------------------------
NEXUS_VSG_SERVICES_PKG        No   16   In use 18 Jan 2012 -
NEXUS1000V_LAN_SERVICES_PKG   No   16   In use 18 Jan 2012 -
--------------------------------------------------------------------------------
vsm#
 
   

The output shows that 16 licenses (LAN and Cisco VSG) have been installed and they will expire on January 18, 2012.

Troubleshooting the Removal of a License

You cannot clear a license file that is being used. To clear a license file, make sure that all modules check in the Cisco VSG license back to the license pool. You can check in the licenses by entering the vsg license transfer src-vem [module_#] license_pool command.

After doing the license transfer, clear the license file using the clear license command.

This example shows how to clear the license file:

vsm# clear license vsg.lic 
vsm# clearing license . . . . done
vsm#