17 May 2022

Cisco FMC Smart Licence Authorization Expired


In some situations the Cisco FMC Smart Licence authorization expires and then fails to renew, and you get an error notification stating: "Smart Licensing Authorization expired. Please synchronize the Firepower Management Center with the Cisco Smart Software Manager."

You generate another token, but the Cisco FMC still fails to synchronize with Cisco Smart Software Manager, showing the error "Failed to send the message to the server. Please verify the DNS Server/HTTP Proxy settings." Yet when you connect to the FMC from the CLI, you can ping or curl tools.cisco.com, which means there are no DNS or proxy issues.

Cisco released Field Notice FN-72103, which states that for affected versions of the Adaptive Security Appliance (ASA), Firepower eXtensible Operating System (FXOS), and Firepower software, some Secure Sockets Layer (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before March 31, 2021, cannot be renewed from this CA. Once those certificates expire on devices or are removed from the Cisco cloud servers, functions such as Smart Licensing and Smart Call Home will fail to establish secure connections to Cisco and might not operate properly.

The QuoVadis Root CA 2 Public Key Infrastructure (PKI) used by ASA, FXOS, and Firepower software to issue SSL certificates is subject to an industry-wide issue that affects revocation abilities. Due to this issue, no new QuoVadis Root CA 2 certificates will be issued or renewed by Cisco after March 31, 2021. This affects certificate renewals on devices, Cisco cloud servers, and third-party services.

Certificates issued before the QuoVadis Root CA 2 was decommissioned will continue to be valid. However, the certificates will not renew when they expire on either the device or the Cisco cloud server. This will cause functions such as Smart Licensing and Smart Call Home to fail to establish secure connections to Cisco cloud servers.

Follow the link below for Cisco Field Notice FN-72103 and its workaround/solution:
https://www.cisco.com/c/en/us/support/docs/field-notices/721/fn72103.html