Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature Request: License Check for Cisco Smart Licensing does not honor SLR Licenses #288

Open
onkelbeh opened this issue Aug 10, 2021 · 5 comments
Open

Feature Request: License Check for Cisco Smart Licensing does not honor SLR Licenses #288

onkelbeh opened this issue Aug 10, 2021 · 5 comments

Comments

@onkelbeh
Copy link

Hi,

first thanks for your great work.
Today I accidentally found one of our routers with a faulty license, and my first thought was to implement a check for that.
All my routers running IOS XE with Smart Licensing have a reserved license. It seems that check_nwc_health's license check does not honor this type of license:

Plugin Output (on a ISR4000 Series):

CRITICAL - compliance status is AUTHORIZED - RESERVED, authorization will expire in 0 days, entitlement ISR_4321_Application for feature ISR_4321_Application mode is authorized, entitlement ISR_4321_Security for feature ISR_4321_Security mode is authorized
checking keys
entitlement ISR_4321_Application for feature ISR_4321_Application mode is authorized
entitlement ISR_4321_Security for feature ISR_4321_Security mode is authorized
compliance status is AUTHORIZED - RESERVED
authorization will expire in 0 days | 'sla_remaining_days'=0;7:;2:;;

SNMP Walk of CISCO-SMART-LIC-MIB (ISR4000):

SNMPv2-SMI::enterprises.9.9.831.0.1.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.2.0 = STRING: "PID:ISR4431/K9,SN:xxxxxxxxxxxxxxx"
SNMPv2-SMI::enterprises.9.9.831.0.3.0 = STRING: "4.8.14_rel/75"
SNMPv2-SMI::enterprises.9.9.831.0.4.0 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.2.1 = Gauge32: 1
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.2.2 = Gauge32: 1
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.2.3 = Gauge32: 1
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.3.1 = STRING: "ISR_4400_Application"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.3.2 = STRING: "ISR_4400_Security"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.3.3 = STRING: "ISR_4400_Hsec"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.4.1 = STRING: "1.0"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.4.2 = STRING: "1.0"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.4.3 = STRING: "1.0"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.5.1 = INTEGER: 3
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.5.2 = INTEGER: 3
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.5.3 = INTEGER: 3
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.6.1 = STRING: "AppX License for Cisco ISR 4400 Series"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.6.2 = STRING: "Security License for Cisco ISR 4400 Series"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.6.3 = STRING: "Export Controlled Feature hseck9"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.7.1 = STRING: "ISR_4400_Application"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.7.2 = STRING: "ISR_4400_Security"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.7.3 = STRING: "hseck9"
SNMPv2-SMI::enterprises.9.9.831.0.6.1.0 = INTEGER: 5
SNMPv2-SMI::enterprises.9.9.831.0.6.2.0 = ""
SNMPv2-SMI::enterprises.9.9.831.0.6.3.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.6.4.0 = ""
SNMPv2-SMI::enterprises.9.9.831.0.7.1.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.7.2.0 = STRING: "AUTHORIZED - RESERVED"
SNMPv2-SMI::enterprises.9.9.831.0.7.3.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.7.4.1.0 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.831.0.7.4.2.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.7.4.3.0 = Gauge32: 5074936
SNMPv2-SMI::enterprises.9.9.831.0.8.1.0 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.831.0.8.2.0 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.831.0.9.1.0 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.831.0.9.2.0 = STRING: "DeRegistration failure message is not persisted."
SNMPv2-SMI::enterprises.9.9.831.0.10.1.0 = STRING: "Utility failure messages are not persisted."

Plugin Output (on a ISR1100):

CRITICAL - compliance status is AUTHORIZED - RESERVED, authorization will expire in 0 days, entitlement ISR_1100_4P_Application for feature Cisco 1100 Series with 4 LAN Ports, AppX License mode is authorized, entitlement ISR_1100_4P_Security for feature Cisco 1100 Series with 4 LAN Ports , Security License mode is authorized
checking keys
entitlement ISR_1100_4P_Application for feature Cisco 1100 Series with 4 LAN Ports, AppX License mode is authorized
entitlement ISR_1100_4P_Security for feature Cisco 1100 Series with 4 LAN Ports , Security License mode is authorized
compliance status is AUTHORIZED - RESERVED
authorization will expire in 0 days | 'sla_remaining_days'=0;7:;2:;;

Snmp-Walk (on a ISR1100):

SNMPv2-SMI::enterprises.9.9.831.0.1.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.2.0 = STRING: "PID:C1116-4P,SN:FCZ2308C0TF"
SNMPv2-SMI::enterprises.9.9.831.0.3.0 = STRING: "4.8.14_rel/75"
SNMPv2-SMI::enterprises.9.9.831.0.4.0 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.2.1 = Gauge32: 1
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.2.2 = Gauge32: 1
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.3.1 = STRING: "ISR_1100_4P_Application"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.3.2 = STRING: "ISR_1100_4P_Security"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.4.1 = STRING: "1.0"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.4.2 = STRING: "1.0"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.5.1 = INTEGER: 3
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.5.2 = INTEGER: 3
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.6.1 = STRING: "Cisco 1100 Series with 4 LAN Ports, AppX License"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.6.2 = STRING: "Cisco 1100 Series with 4 LAN Ports , Security License"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.7.1 = STRING: "Cisco 1100 Series with 4 LAN Ports, AppX License"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.7.2 = STRING: "Cisco 1100 Series with 4 LAN Ports , Security License"
SNMPv2-SMI::enterprises.9.9.831.0.6.1.0 = INTEGER: 5
SNMPv2-SMI::enterprises.9.9.831.0.6.2.0 = ""
SNMPv2-SMI::enterprises.9.9.831.0.6.3.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.6.4.0 = ""
SNMPv2-SMI::enterprises.9.9.831.0.7.1.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.7.2.0 = STRING: "AUTHORIZED - RESERVED"
SNMPv2-SMI::enterprises.9.9.831.0.7.3.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.7.4.1.0 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.831.0.7.4.2.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.7.4.3.0 = Gauge32: 7775849
SNMPv2-SMI::enterprises.9.9.831.0.8.1.0 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.831.0.8.2.0 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.831.0.9.1.0 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.831.0.9.2.0 = STRING: "DeRegistration failure message is not persisted."
SNMPv2-SMI::enterprises.9.9.831.0.10.1.0 = STRING: "Utility failure messages are not persisted."

Would it be possible to add this as a new feature?

Thanks in advance

\B.
@onkelbeh
Copy link
Author

Have sent the full SNMP walks in an email to Mr. Lausser, here's a Walk of the router affected with the 'lost the reservation' Problem, it runs in Eval Mode, although it had/has (or should have) a valid license reservation installed:

SNMPv2-SMI::enterprises.9.9.831.0.1.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.2.0 = STRING: "PID:ISR4321/K9,SN:xxxxxxxxxxx"
SNMPv2-SMI::enterprises.9.9.831.0.3.0 = STRING: "4.8.14_rel/75"
SNMPv2-SMI::enterprises.9.9.831.0.4.0 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.2.1 = Gauge32: 1
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.2.2 = Gauge32: 1
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.3.1 = STRING: "ISR_4321_Application"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.3.2 = STRING: "ISR_4321_Security"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.4.1 = STRING: "1.0"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.4.2 = STRING: "1.0"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.5.1 = INTEGER: 6
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.5.2 = INTEGER: 6
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.6.1 = STRING: "AppX License for Cisco 4320 ISR Series"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.6.2 = STRING: "Security License for Cisco ISR 4320 Series"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.7.1 = STRING: "ISR_4321_Application"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.7.2 = STRING: "ISR_4321_Security"
SNMPv2-SMI::enterprises.9.9.831.0.6.1.0 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.831.0.6.2.0 = ""
SNMPv2-SMI::enterprises.9.9.831.0.6.3.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.6.4.0 = ""
SNMPv2-SMI::enterprises.9.9.831.0.7.1.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.7.2.0 = STRING: "EVAL MODE"
SNMPv2-SMI::enterprises.9.9.831.0.7.3.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.7.4.1.0 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.831.0.7.4.2.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.7.4.3.0 = Gauge32: 5171531
SNMPv2-SMI::enterprises.9.9.831.0.8.1.0 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.831.0.8.2.0 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.831.0.9.1.0 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.831.0.9.2.0 = STRING: "DeRegistration failure message is not persisted."
SNMPv2-SMI::enterprises.9.9.831.0.10.1.0 = STRING: "Utility failure messages are not persisted."

on the router, this looks like:

isr-xxxx1#sh license all
Smart Licensing Status
======================

Smart Licensing is ENABLED
License Reservation is ENABLED

Registration:
  Status: UNREGISTERED
  Export-Controlled Functionality: NOT ALLOWED

License Authorization:
  Status: EVAL MODE
  Evaluation Period Remaining: 59 days, 20 hours, 29 minutes, 9 seconds

License Conversion:
  Automatic Conversion Enabled: False
  Status: Waiting for response on Oct 20 17:02:21 2020 MET
  Next response check: Oct 20 18:02:25 2020 MET

Export Authorization Key:
  Features Authorized:
    <none>

Utility:
  Status: DISABLED

Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED

Transport:
  Type: Callhome

License Usage
==============

ISR_4321_Application (ISR_4321_Application):
  Description: AppX License for Cisco 4320 ISR Series
  Count: 1
  Version: 1.0
  Status: EVAL MODE
  Export status: NOT RESTRICTED
  Reservation:
    Reservation status: NOT INSTALLED

ISR_4321_Security (ISR_4321_Security):
  Description: Security License for Cisco ISR 4320 Series
  Count: 1
  Version: 1.0
  Status: EVAL MODE
  Export status: NOT RESTRICTED
  Reservation:
    Reservation status: NOT INSTALLED

Product Information
===================
UDI: PID:ISR4321/K9,SN:xxxxxxxxxxx

Agent Version
=============
Smart Agent for Licensing: 4.8.14_rel/75

Reservation Info
================
License reservation: ENABLED

Overall status:
  Active: PID:ISR4321/K9,SN:xxxxxxxxxxx
      Reservation status: SPECIFIC INSTALLED on Oct 20 17:06:49 2020 MET
      Export-Controlled Functionality: NOT ALLOWED
      Last Confirmation code: xxxxxxxxx

Specified license reservations:
  ISR_4321_Application (ISR_4321_Application):
    Description: AppX License for Cisco 4320 ISR Series
    Total reserved count: 1
    Term information:
      Active: PID:ISR4321/K9,SN:xxxxxxxxxxx
        License type: PERPETUAL
          Term Count: 1
  ISR_4321_Security (ISR_4321_Security):
    Description: Security License for Cisco ISR 4320 Series
    Total reserved count: 1
    Term information:
      Active: PID:ISR4321/K9,SN:xxxxxxxxxxxx
        License type: PERPETUAL
          Term Count: 1

@onkelbeh
Copy link
Author

onkelbeh commented Sep 9, 2021

Hi,

just tried 9.0.1, here's how it looks now:

root@lnx-monitoring:~ # time sudo -u icinga '/usr/lib64/nagios/plugins/contrib/check_nwc_health' --hostname isr-deg01.router --mode check-licenses --community xxxxxxxxx
Use of uninitialized value in string ne at /usr/lib64/nagios/plugins/contrib/check_nwc_health line 70824.
Use of uninitialized value in sprintf at /usr/lib64/nagios/plugins/contrib/check_nwc_health line 70825.
Redundant argument in sprintf at /usr/lib64/nagios/plugins/contrib/check_nwc_health line 70879.
CRITICAL - authorization has expired, registration failed with , entitlement ISR_4400_Application for feature ISR_4400_Application mode is authorized, entitlement ISR_4400_Security for feature ISR_4400_Security mode is authorized, entitlement ISR_4400_Hsec for feature hseck9 mode is authorized, compliance status is AUTHORIZED - RESERVED | 'sla_remaining_days'=0;7:;2:;;

real    0m0,687s
user    0m0,436s
sys     0m0,035s

   [2]   root@lnx-monitoring:~ # time sudo -u icinga '/usr/lib64/nagios/plugins/contrib/check_nwc_health' --hostname isr-deg01.router --mode check-licenses --community xxxxxxxxx  --critical 0 --warning 0
Use of uninitialized value in string ne at /usr/lib64/nagios/plugins/contrib/check_nwc_health line 70824.
Use of uninitialized value in sprintf at /usr/lib64/nagios/plugins/contrib/check_nwc_health line 70825.
Redundant argument in sprintf at /usr/lib64/nagios/plugins/contrib/check_nwc_health line 70879.
WARNING - registration failed with , entitlement ISR_4400_Application for feature ISR_4400_Application mode is authorized, entitlement ISR_4400_Security for feature ISR_4400_Security mode is authorized, entitlement ISR_4400_Hsec for feature hseck9 mode is authorized, compliance status is AUTHORIZED - RESERVED, authorization has expired | 'sla_remaining_days'=0;0;0;;

real    0m0,692s
user    0m0,387s
sys     0m0,051s
   [1]   root@lnx-monitoring:~ #

@lausser
Copy link
Owner

lausser commented Sep 9, 2021

I was waiting for an snmpwalk output, sent an email on sept. 2nd, but didn't even receive a reply.

@onkelbeh
Copy link
Author

Sorry, missed that mail. Reply is on the way.

@onkelbeh
Copy link
Author

This time I made sure:

  • mail contains the data

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lausser @onkelbeh