Moving Firepower Management Center: Dealing with Licensing Errors

Today I finally got around to re-configuring our Firepower Management Center (FMC) after we moved it from my company’s data center to our head office (we were moving a whole subnet of servers, so we recreated the subnet here at the head office and moved the servers over like for like, without the need to re-IP). We successfully vMotioned the device from our data center servers to our blade servers here at HQ, turned FMC back on, and everything seemed to be working; and why wouldn’t it be? It’s an exact copy of the old one from the data center.

As I tried to push a policy change I got an error:

“FirepowerManagementCenter authorization:No Licenses in Use,0”.

This led me down the Firepower licensing rabbit hole: first I checked out device management, where I saw that all of the sensors showed Unlicensed, and finally the licensing page, where I noticed all of my licenses showed “Failed[Node]”. Crap! How could that have happened?

I had a gleam of hope as I remembered I still had the license files from when I implemented Firepower. “I can just use the same licenses as before. Nothing has changed, so this should work!” I opened the license files, copied the hash, and went through the process of adding licenses. More errors!!! Crap again!

I noticed the License Key had changed; but how can that be? The machine is exactly the same; the only difference is where the VM lives. At this point I am sure some of you realize what has happened. When we moved the virtual machine we changed host servers, and these host servers have a different set of MAC addresses to assign to the virtual NICs. The license key is the MAC address of the machine, and when we moved the VM we unknowingly invalidated our licensing. So how do we fix this? By re-hosting the licenses.
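A check that catches the MAC change described above before a policy push fails, as an added example that is not part of the original post: it compares a MAC recorded before the move with the one seen afterwards. The function names, the sysfs path and the sample MAC values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: detect a NIC MAC change after a VM move.
# Assumption (from the post): the license key is tied to the NIC MAC,
# so a changed MAC means the licenses need to be re-hosted.
# All MAC values used here are constructed samples.

# Normalize a MAC to 12 lowercase hex digits. Accepts colon, dash and
# dotted notation; returns non-zero on anything that is not a MAC.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':.-')
    case "$mac" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#mac}" -eq 12 ] || return 1
    printf '%s\n' "$mac"
}

# Read the current MAC of an interface. Assumes a Linux guest that
# exposes /sys/class/net; the interface name is supplied by the caller.
iface_mac() {
    cat "/sys/class/net/$1/address"
}

# mac_status BASELINE CURRENT
# Prints "unchanged", "changed" or "invalid" (unparseable input).
mac_status() {
    before=$(normalize_mac "$1") || { echo invalid; return 0; }
    after=$(normalize_mac "$2") || { echo invalid; return 0; }
    if [ "$before" = "$after" ]; then
        echo unchanged
    else
        echo changed   # license key no longer matches: re-host first
    fi
}

# Demo with constructed values: baseline noted before the move,
# current value as seen after the VM landed on the new host.
mac_status "00:50:56:AA:BB:01" "00-50-56-aa-bb-01"   # same MAC, other notation
mac_status "00:50:56:AA:BB:01" "00:50:56:aa:bb:02"   # MAC reassigned by new host
```

On a live system the second argument would come from `iface_mac` with the management interface name, and the baseline from a note taken before the migration.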

In the past, re-hosting licenses meant calling up TAC and waiting for a licensing engineer to re-host the licenses, and typically this would take anywhere from a few hours to all day. Luckily, Cisco recently updated their licensing portal (https://www.cisco.com/go/license) with the ability to re-host already fulfilled licenses. The caveat here is that your CCO account must be the original account that fulfilled the licenses; otherwise they don’t show up in the list of fulfilled licenses.

Here are the steps to re-host your Firepower licenses:

  1. Navigate to the licensing portal: https://www.cisco.com/go/license.
  2. Click on Show: All Licenses for [your name]
  3. Under the Licenses tab, hover over the license you want to re-host and click the blue >
  4. Click Rehost license…

From there it is no different than fulfilling a PAK code: all you need to do is enter the new license key, and a new license file will be created, emailed, and ready for immediate download. No more waiting on TAC to get around to it. Then enter the hash into FMC like before and it will work. One thing to note is that the old licenses will still show as failed; you can safely delete them without affecting the new licenses.

At this point the sensors are still not licensed. After you have re-hosted every sensor’s licenses, make sure to go into device management and edit each sensor’s licenses to enable the licensing for that sensor by checking the appropriate check boxes.

That’s it! Hopefully my pain can help someone else who is going through this issue!
