Friday, November 4, 2022

Cisco Device Led Conversion (DLC) from Traditional to Smart License

Here's a link regarding Cisco Device Led Conversion (DLC).

In a previous post, I mentioned Cisco Smart Licensing on a Cisco ISR 4K router. Below are the steps to prepare a Cisco ISR 4K router that has no Smart License and convert its Traditional Product Activation Key (PAK) license to a Smart License using DLC.


1. Perform the ROMMON firmware and IOS-XE Upgrade:

In this scenario, I have a Cisco ISR 4K router running IOS-XE 16.6, which doesn't have Smart License enabled yet and has a Unified Communication (UC) PAK license installed. The target code is IOS-XE 16.12, which requires a Smart License, and I'll perform a DLC on the UC license.

Refer to this link for the ROMMON and IOS-XE software code compatibility matrix.


4K#show version
Cisco IOS XE Software, Version 16.06.05
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.5, RELEASE SOFTWARE (fc3)

Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Mon 10-Dec-18 13:10 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2018 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

4K uptime is 3 weeks, 6 days, 10 hours, 35 minutes
Uptime for this control processor is 3 weeks, 6 days, 10 hours, 36 minutes
System returned to ROM by Reload Command at 15:31:00 UTC Tue Jul 26 2022
System restarted at 15:34:06 UTC Tue Jul 26 2022
System image file is "bootflash:isr4400-universalk9.16.06.05.SPA.bin"
Last reload reason: Reload Command


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.


Suite License Information for Module:'esg'

--------------------------------------------------------------------------------
Suite                 Suite Current         Type           Suite Next reboot     
--------------------------------------------------------------------------------
FoundationSuiteK9     None                  None           None                  
securityk9
appxk9

AdvUCSuiteK9          None                  None           None                  
uck9
cme-srst
cube


Technology Package License Information:

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot  
------------------------------------------------------------------
appxk9           None             None             None
uck9             uck9             Permanent        uck9
securityk9       None             None             None
ipbase           ipbasek9         None             ipbasek9

cisco ISR4431/K9 (1RU) processor with 1795979K/6147K bytes of memory.
Processor board ID FCZ26181234
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7081983K bytes of flash memory at bootflash:.
0K bytes of WebUI ODM Files at webui:.

Configuration register is 0x2102


I skipped the ROMMON firmware upgrade since the 4K router is already on the latest 17.x firmware, and it won't allow you to perform a ROMMON 17.x > 16.x code "downgrade."

For reference, the ROMMON upgrade command is issued in privileged EXEC mode.

4K#upgrade rom-monitor filename bootflash:isr4400_rommon_1612_2r_SPA.pkg all


4K#show platform
Chassis type: ISR4431/K9

Slot      Type                State                 Insert time (ago)
--------- ------------------- --------------------- -----------------
0         ISR4431/K9          ok                    3w6d          
0/0      ISR4431-X-4x1GE     ok                    3w6d          
0/4      PVDM4-128           ok                    3w6d          
R0        ISR4431/K9          ok, active            3w6d          
F0        ISR4431/K9          ok, active            3w6d          
P0        PWR-4430-AC         ok                    3w6d          
P1        PWR-4430-AC         ok                    3w6d          
P2        ACS-4430-FANASSY    ok                    3w6d          

Slot      CPLD Version        Firmware Version                        
--------- ------------------- ---------------------------------------
0         19042950            17.6.1                              
R0        19042950            17.6.1                              
F0        19042950            17.6.1  


You change the boot variable with the boot system flash bootflash:<IOS-XE.bin> command and issue a reload afterwards.

4K#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
4K(config)#no boot system    // A QUICK WAY TO REMOVE MULTIPLE BOOT VARIABLES
4K(config)#boot system flash bootflash:isr4400-universalk9.16.12.07.SPA.bin
4K(config)#boot system flash bootflash:isr4400-universalk9.16.06.05.SPA.bin
4K(config)#end
4K#write memory
Building configuration...
[OK]

4K#show run | include boot
boot-start-marker
boot system flash bootflash:isr4400-universalk9.16.12.07.SPA.bin
boot system flash bootflash:isr4400-universalk9.16.06.05.SPA.bin

boot-end-marker
no ip bootp server
license boot level uck9
diagnostic bootup level minimal

4K#reload
Proceed with reload? [confirm] <HIT ENTER>

<SNIP>

After the reload, the Smart License status became Unregistered and the UC license changed to Eval mode, which is valid for 90 days.


4K#show version
Cisco IOS XE Software, Version 16.12.07
Cisco IOS Software [Gibraltar], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.12.7, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2022 by Cisco Systems, Inc.
Compiled Wed 02-Feb-22 11:11 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2022 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: (c)

4K uptime is 3 minutes
Uptime for this control processor is 4 minutes
System returned to ROM by Reload Command at 02:16:02 UTC Tue Aug 23 2022
System image file is "bootflash:isr4400-universalk9.16.12.07.SPA.bin"
Last reload reason: Reload Command


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.


Suite License Information for Module:'esg'

--------------------------------------------------------------------------------
Suite                 Suite Current         Type           Suite Next reboot     
--------------------------------------------------------------------------------
FoundationSuiteK9     None                  Smart License  None                  
securityk9
appxk9
AdvUCSuiteK9          None                  Smart License  None                  
uck9
cme-srst
cube


Technology Package License Information:

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot  
------------------------------------------------------------------
appxk9           None             Smart License    None
uck9             uck9             Smart License    uck9
securityk9       None             Smart License    None
ipbase           ipbasek9         Smart License    ipbasek9

The current throughput level is 500000 kbps


Smart Licensing Status: UNREGISTERED/EVAL MODE

cisco ISR4431/K9 (1RU) processor with 1694668K/6147K bytes of memory.
Processor board ID FCZ26181234
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7081983K bytes of flash memory at bootflash:.
0K bytes of WebUI ODM Files at webui:.

Configuration register is 0x2102


4K#show license all
Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration:
  Status: UNREGISTERED
  Export-Controlled Functionality: NOT ALLOWED

License Authorization:
  Status: EVAL MODE
  Evaluation Period Remaining: 89 days, 23 hours, 55 minutes, 45 seconds

License Conversion:
  Automatic Conversion Enabled: False
  Status: Not started


Export Authorization Key:
  Features Authorized:
    <none>

Utility:
  Status: DISABLED

Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED

Transport:
  Type: Callhome

License Usage
==============

(ISR_4400_UnifiedCommunication):
  Description:
  Count: 1
  Version: 1.0
  Status: EVAL MODE
  Export status: NOT RESTRICTED

Product Information
===================
UDI: PID:ISR4431/K9,SN:FOC26161234

Agent Version
=============
Smart Agent for Licensing: 4.8.18_rel/86

Reservation Info
================
License reservation: DISABLED

 

2. Configure Call Home:

I'm using the 4K's dedicated GigabitEthernet0 Out-of-Band (OOB) interface, which is in the default Mgmt-intf VRF. I'm also using an On-Prem Cisco Smart Software Manager (CSSM) Smart License server. The config also works with the Cisco Smart License public portal over the Internet. Below is some additional Call Home config.


ip name-server vrf Mgmt-intf <PRIMARY DNS IP> <SECONDARY DNS IP>
ip domain lookup
ip domain lookup vrf Mgmt-intf source-interface GigabitEthernet0
ip http client source-interface GigabitEthernet0

license smart url https://<CSSM FQDN>/Transportgateway/services/DeviceRequestHandler
license smart transport smart

call-home
 vrf Mgmt-intf
 source-interface GigabitEthernet0
 profile "CiscoTAC-1"
  destination address http https://<CSSM FQDN>/Transportgateway/services/DeviceRequestHandler

 

3. Generate a Product Instance Registration token in CSSM and apply in ISR 4K


To generate a Product Instance Registration token in CSSM, go to Inventory > General > New Token.

Issue the license smart register idtoken <CSSM TOKEN> force command in privileged EXEC.

4K#license smart register idtoken <CSSM TOKEN> force
Registration process is in progress. Use the 'show license status' command to check the progress and result

Aug 23 03:40:17.560 UTC: %CRYPTO_ENGINE-5-KEY_DELETED: A key named SLA-KeyPair2 has been removed from key storage
Aug 23 03:40:18.476 UTC: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named SLA-KeyPair2 has been generated or imported by crypto-engine
Aug 23 03:40:18.529 UTC: %PKI-6-CONFIGAUTOSAVE: Running configuration saved to NVRAM
Aug 23 03:40:23.960 UTC: %SYS-2-PRIVCFG_ENCRYPT: Successfully encrypted private config file
Aug 23 03:40:24.776 UTC: %PKI-3-CERTIFICATE_INVALID: Certificate chain validation has failed.
Aug 23 03:40:34.000 UTC: %PKI-3-CERTIFICATE_INVALID: Certificate chain validation has failed.
Aug 23 03:40:34.002 UTC: %SMART_LIC-3-AGENT_REG_FAILED: Smart Agent for Licensing Registration with the Cisco Smart Software Manager (CSSM) failed: No detailed information given
Aug 23 03:40:34.002 UTC: %SMART_LIC-3-COMM_FAILED: Communications failure with the Cisco Smart Software Manager (CSSM) : No detailed information given
Aug 23 03:40:40.003 UTC: %PKI-3-HOSTNAME_RESOLVE_ERR: Failed to resolve HOSTNAME/IPADDRESS : www.cisco.com
Aug 23 03:40:40.003 UTC: %PKI-3-CRL_FETCH_FAIL: CRL fetch for trustpoint SLA-TrustPoint failed
                      Reason : Failed to fetch IP address from :www.cisco.com
Aug 23 03:41:05.800 UTC: %PKI-3-CERTIFICATE_INVALID: Certificate chain validation has failed.
Aug 23 03:41:11.803 UTC: %PKI-3-HOSTNAME_RESOLVE_ERR: Failed to resolve HOSTNAME/IPADDRESS : www.cisco.com
Aug 23 03:41:11.803 UTC: %PKI-3-CRL_FETCH_FAIL: CRL fetch for trustpoint SLA-TrustPoint failed
                      Reason : Failed to fetch IP address from :www.cisco.com


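If you get a CRL log error like the one above (the router could not resolve www.cisco.com to fetch the CRL for SLA-TrustPoint), apply this workaround, which makes the trustpoint ignore the revocation check, and then apply the registration token again: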


crypto pki trustpoint SLA-TrustPoint
 revocation-check none



4K#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
4K(config)#crypto pki trustpoint SLA-TrustPoint
4K(ca-trustpoint)#revocation-check ?
  crl   Revocation check by CRL
  none  Ignore revocation check
  ocsp  Revocation check by OCSP

4K(ca-trustpoint)#revocation-check none
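
A check that finds where this workaround was left in place, as an added example that is not part of the original post: it reads a saved running-config and reports each trustpoint's revocation-check setting. The sample config is constructed, and the TP-EXAMPLE-* trustpoints and the function names are hypothetical.

```python
import re

# Constructed running-config excerpt. SLA-TrustPoint carries the workaround
# from this post; the TP-EXAMPLE-* trustpoints are hypothetical.
SAMPLE_CONFIG = """\
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check none
!
crypto pki trustpoint TP-EXAMPLE-1
 enrollment terminal
 revocation-check crl none
!
crypto pki trustpoint TP-EXAMPLE-2
 enrollment terminal
 revocation-check ocsp crl
!
crypto pki trustpoint TP-EXAMPLE-3
 enrollment selfsigned
!
call-home
 vrf Mgmt-intf
"""

def classify(methods):
    """Map an ordered revocation-check method list to a finding."""
    if methods == ["none"]:
        return "DISABLED"
    if methods[-1] == "none":
        # A trailing "none" accepts the certificate when earlier methods fail.
        return "FAIL-OPEN after " + ",".join(methods[:-1])
    return "ENFORCED via " + ",".join(methods)

def audit_revocation(config_text):
    """Return {trustpoint name: finding} for each trustpoint block."""
    findings, current = {}, None
    for line in config_text.splitlines():
        head = re.match(r"crypto pki trustpoint (\S+)", line)
        if head:
            current = head.group(1)
            findings[current] = "NOT SET (platform default applies)"
        elif current and line.startswith(" "):
            rc = re.match(r"\s+revocation-check\s+(\S.*)", line)
            if rc:
                findings[current] = classify(rc.group(1).split())
        else:
            current = None  # "!" or any unindented line closes the block
    return findings

def needs_review(findings):
    """Trustpoints that can accept a certificate without a revocation answer."""
    return sorted(n for n, f in findings.items()
                  if f.startswith(("DISABLED", "FAIL-OPEN")))
```
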


4K#license smart register idtoken <CSSM TOKEN> force
Registration process is in progress. Use the 'show license status' command to check the progress and result

Aug 23 03:43:11.806 UTC: %CRYPTO_ENGINE-5-KEY_DELETED: A key named SLA-KeyPair has been removed from key storage
Aug 23 03:43:12.103 UTC: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named SLA-KeyPair has been generated or imported by crypto-engine
Aug 23 03:43:12.154 UTC: %PKI-4-NOCONFIGAUTOSAVE: Configuration was modified.  Issue "write memory" to save new IOS PKI configuration
Aug 23 03:43:12.404 UTC: %SMART_LIC-5-COMM_RESTORED: Communications with the Cisco Smart Software Manager (CSSM) restored
Aug 23 03:43:12.517 UTC: %SMART_LIC-6-EXPORT_CONTROLLED: Usage of export controlled features is allowed
Aug 23 03:43:12.517 UTC: %SMART_LIC-6-AGENT_REG_SUCCESS: Smart Agent for Licensing Registration successful. udi PID:ISR4431/K9,SN:FOC26161234
Aug 23 03:43:14.932 UTC: %SMART_LIC-3-OUT_OF_COMPLIANCE: One or more entitlements are out of compliance
Aug 23 03:43:14.932 UTC: %SMART_LIC-5-END_POINT_RESET: End Point list reset
Aug 23 03:43:14.933 UTC: %SMART_LIC-6-AUTH_RENEW_SUCCESS: Authorization renewal successful. State=OOC for udi PID:ISR4431/K9,SN:FOC26161234
Aug 23 03:43:45.421 UTC: %SMART_LIC-6-AUTH_RENEW_SUCCESS: Authorization renewal successful. State=OOC for udi PID:ISR4431/K9,SN:FOC26161234
Aug 23 03:44:15.817 UTC: %SMART_LIC-6-AUTH_RENEW_SUCCESS: Authorization renewal successful. State=OOC for udi PID:ISR4431/K9,SN:FOC26161234
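
The two registration attempts above can be told apart mechanically. The following added example (not part of the original post) tags each syslog line by facility and mnemonic and reports the outcome, the PKI causes and the compliance state; the log lines are excerpted from the output above, and `triage` is a name chosen here.

```python
import re
from collections import Counter

# Matches the IOS tag "%FACILITY-SEVERITY-MNEMONIC: text".
TAG = re.compile(r"%([A-Z_]+)-(\d)-([A-Z_]+): (.*)")

# Log lines excerpted from the two registration attempts shown above.
FIRST_ATTEMPT = """\
Aug 23 03:40:24.776 UTC: %PKI-3-CERTIFICATE_INVALID: Certificate chain validation has failed.
Aug 23 03:40:34.002 UTC: %SMART_LIC-3-AGENT_REG_FAILED: Smart Agent for Licensing Registration with the Cisco Smart Software Manager (CSSM) failed: No detailed information given
Aug 23 03:40:40.003 UTC: %PKI-3-HOSTNAME_RESOLVE_ERR: Failed to resolve HOSTNAME/IPADDRESS : www.cisco.com
Aug 23 03:40:40.003 UTC: %PKI-3-CRL_FETCH_FAIL: CRL fetch for trustpoint SLA-TrustPoint failed
                      Reason : Failed to fetch IP address from :www.cisco.com
"""
SECOND_ATTEMPT = """\
Aug 23 03:43:12.404 UTC: %SMART_LIC-5-COMM_RESTORED: Communications with the Cisco Smart Software Manager (CSSM) restored
Aug 23 03:43:12.517 UTC: %SMART_LIC-6-AGENT_REG_SUCCESS: Smart Agent for Licensing Registration successful. udi PID:ISR4431/K9,SN:FOC26161234
Aug 23 03:43:14.932 UTC: %SMART_LIC-3-OUT_OF_COMPLIANCE: One or more entitlements are out of compliance
"""

def triage(log_text):
    """Summarise one registration attempt: outcome, PKI causes, compliance."""
    seen, causes = Counter(), set()
    for line in log_text.splitlines():
        m = TAG.search(line)
        if not m:
            continue  # untagged continuation line ("Reason : ...")
        facility, _sev, mnemonic, text = m.groups()
        seen[f"{facility}-{mnemonic}"] += 1
        if mnemonic == "HOSTNAME_RESOLVE_ERR":
            causes.add("cannot resolve " + text.rsplit(":", 1)[-1].strip())
        elif mnemonic == "CRL_FETCH_FAIL":
            tp = re.search(r"trustpoint (\S+)", text)
            causes.add("CRL fetch failed for " + (tp.group(1) if tp else "?"))
        elif mnemonic == "CERTIFICATE_INVALID":
            causes.add("certificate chain validation failed")
    if seen["SMART_LIC-AGENT_REG_SUCCESS"]:
        outcome = "registered"
    elif seen["SMART_LIC-AGENT_REG_FAILED"]:
        outcome = "failed"
    else:
        outcome = "unknown"
    return {
        "outcome": outcome,
        "causes": sorted(causes),
        "out_of_compliance": seen["SMART_LIC-OUT_OF_COMPLIANCE"] > 0,
    }

if __name__ == "__main__":
    for name, log in (("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT)):
        print(name, triage(log))
```
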

Issue a show license summary to check the Smart License status. Notice the UC Smart License status is Out of Compliance. This is because there's no UC Smart License balance available in the On-Prem CSSM.


4K#show license summary
Smart Licensing is ENABLED

Registration:
  Status: REGISTERED
  Smart Account: MY-ACCOUNT

  Virtual Account: Default
  Export-Controlled Functionality: ALLOWED
  Last Renewal Attempt: None
  Next Renewal Attempt: Feb 19 03:43:11 2023 UTC

License Authorization:
  Status: OUT OF COMPLIANCE
  Last Communication Attempt: SUCCEEDED
  Next Communication Attempt: Aug 23 19:37:21 2022 UTC

License Usage:
  License                 Entitlement tag               Count Status
  -----------------------------------------------------------------------------
  ISR_4400_UnifiedComm... (ISR_4400_UnifiedCommun...)       1 OUT OF COMPLIANCE



4. Initiate Device Led Conversion (DLC)

The final step is to issue the license smart conversion start privileged EXEC command to start the DLC process.

4K#license smart ?
  clear       Clear
  conversion  Start or stop a license conversion
  deregister  deregister this device
  export      Get or return an export authorization key
  factory     Execute Smart Licensing Factory commands
  register    register token id
  renew       Smart License renew
  send        license smart send

4K#license smart conversion ?
  start  Start a manual license conversion
  stop   Stop a license conversion that pending retry because of a communications failure

4K#license smart conversion start
Aug 23 03:52:40.593 UTC: %SMART_LIC-6-CONVERT_START: Smart License Conversion has started

You can check the DLC status with the show platform software license dlc command. Per the Cisco Smart License doc, this takes around an hour to complete.


4K#show platform software license dlc
Index 1  Feature:           uck9
    Permanent License:  1
    EVAL RTU License:   0
    RTU License:        0
    Paper License:      0

DLC Process Status: Not Complete
 

If you go to CSSM Inventory > Product Instances, you'll see an Alert that DLC has been requested and a Synchronization is required. 


If the DLC status is still not complete after waiting for an hour, you can perform a "force update" in the On-Prem CSSM. Go to CSSM Admin Workspace > click Synchronization.


Select the Virtual Account > click Sync Selected. 



Select the Virtual Account again > click Actions > Network Synchronization > Standard Synchronization Now.

 

Notice that the status under Alerts changed to Synchronization Successful.


You can verify that the DLC and license migration are complete in On-Prem CSSM > go to the License tab > check Available to Use and In Use. Notice that an ISR_4400_UnifiedCommunication Smart License has appeared with an Available to Use and In Use balance count of 1.

4K#show platform software license dlc
Index 1  Feature:           uck9
        Permanent License:  1
        EVAL RTU License:   0
        RTU License:        0
        Paper License:      0

DLC Process Status: Completed

DLC Conversion Status: SUCCESS