Troubleshooting and understanding server avoidance errors with Licensing in Management Center

Article ID: 168854

Products

Management Center - VA

Issue/Introduction

A License Avoidance error means that Management Center (MC) cannot communicate with the Symantec licensing servers to validate its license. License validation works as follows:

  • The first time Management Center is brought online, it tries to communicate with Symantec every 5 minutes until it makes a successful connection.
  • Management Center attempts to establish a connection to https://validation.es.bluecoat.com/phs.cgi
  • After a successful connection is made, Management Center communicates with the licensing servers at Symantec every hour.
  • If it cannot communicate with the licensing servers, or the link is broken or blocked, Management Center allows a grace period of at most 7 days to restore connectivity before suspending the license. During that time, Management Center still tries to communicate with the Symantec licensing servers.
  • If more than one virtual appliance uses the same serial number, the Symantec licensing servers will detect this and notify you. You then have a maximum of 30 days to take action and eliminate the duplicate.  If there are more than two appliances sharing the same serial number, the grace period is decreased drastically.  If the issue is not addressed, then the license will be suspended until the duplicates are removed.


 

Cause

Unless an "offline" license is purchased, Management Center must have internet connectivity or the appliance will report License Avoidance Detected errors. The following table describes the reasons for these errors and provides remediation options.

Resolution

Topic: Upgrade from pre 1.4.2.x

Scenario:
  • No birth certificate
  • Fully licensed
  • Internet connectivity
Outcome: License avoidance error immediately encountered
Remediation:
Option 1
  1. Post upgrade, connect Management Center to the Internet
  2. Re-license on NPLP, using either the CLI or UI
  3. Wait for 5 minutes to elapse
Option 2
  1. Pre-upgrade, connect Management Center to the Internet
  2. Re-license on NPLP, using either CLI or UI
Option 3
  1. Post upgrade, obtain a license with the “offline license”
  2. Install the new license.

Scenario:
  • Valid birth certificate
  • Fully licensed
  • Internet connectivity
Outcome: No issues
Remediation: N/A

Topic: New 1.4.2.x installation

Scenario:
  • Subscription-based license format (not perpetual)
  • License via URL or by copy and paste
  • No internet connectivity
Outcome: Unable to license Management Center
Remediation:
Option 1
  1. Connect Management Center to the Internet
  2. License on NPLP, using either CLI or UI
  3. Wait for 5 minutes to elapse

Scenario:
  • Subscription-based license format (not perpetual)
  • License using NPLP
  • Internet connectivity
Outcome: No issues
Remediation: N/A

Scenario:
  • Perpetual license format
  • License via URL or by copy and paste
  • License has birth certificate and user has passphrase
  • No internet connectivity
Outcome: Management Center is licensed but license avoidance error immediately encountered
Remediation:
Option 1
  1. Connect Management Center to the Internet
  2. Wait for 5 minutes to elapse
Option 2
  1. Obtain a license with the “offline” component
  2. Install the license

Scenario:
  • Perpetual license format
  • License using NPLP
  • Internet connectivity
Outcome: No issues
Remediation: N/A

Topic: Running 1.4.2.x or later

Scenario:
  • Fully licensed
  • Has Internet connection for some time but then loses Internet connection
Outcome:
  • Management Center will attempt to contact Symantec every hour
  • There is a maximum grace period of 7 days
  • If the Internet connection is not restored within the 7-day grace period, Management Center sends a “License Avoidance” message
NOTE: Users do not receive a warning during the grace period.
Remediation:
Option 1
  1. Fix Internet connectivity within the 7-day grace period
Option 2
  1. Obtain a license with the “offline” component
  2. Install the license

Topic: Any release

Scenario:
  • Perpetual or subscription-based license format
  • License using NPLP
  • Internet connectivity
  • Incorrect proxy settings
Outcome: Unable to license Management Center
Remediation:
Option 1
  1. Go to Administration > Settings > HTTP Proxy.
  2. Verify proxy settings. You must enter the IP address of the proxy, not a VIP address.

Workaround

A few key notes to keep in mind for troubleshooting:

  • Ensure the birth certificate is valid. To determine whether your VA has a birth certificate, attempt to retrieve the license from the CLI by issuing the following command:

    (For MC version 1.x)
        #license get-from-bluecoat
    If you are prompted for your Symantec/Broadcom credentials, the birth certificate is missing.

    (For MC version 2.x)
        #show birth-certificate-status
    If the birth certificate shows as valid, you can refetch the license by running:
        #licensing load username <Broadcom Portal username> password <Broadcom Portal password>

  • Ensure that you can successfully ping the following:
    • License validation servers (validation.es.bluecoat.com)
    • MySymantec (bto.bluecoat.com)
  • Attempt a tracepath to validation.es.bluecoat.com.
  • Is there anything in the network that could be blocking this request?
  • Is a proxy required for Management Center to make this request?  If so, please add the correct proxy settings or ensure that the existing settings are correct.
  • Enable verbose logging, let it run for about 5 minutes, and then get the logs.  Use the logs to see if there are any issues on Management Center.
  • Packet Capture is possible with Management Center 11.5.2.1 and later only. You have to be in enable mode, and the syntax is:
    • pcap info: Shows the status of the pcap.
    • pcap filter, clear, set-host, set-port, view: These options do exactly what they suggest.
    • pcap start, pcap stop.
  • To download the pcap, you need to download the entire diagnostics from the CLI:
    service upload-diagnostics: there are several options for uploading. Use ? for the complete list.
  • Using the packet capture, you should be able to see if there is anything blocking the network path.
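
Because Management Center gives no warning during the 7-day grace period, the hourly licensing check can also be watched from the proxy side. The following is an added example, not part of the original article or any Broadcom code: it reads proxy access-log lines in a constructed five-field format (an assumption), treats a 2xx proxy status for validation.es.bluecoat.com as a successful contact, and counts the grace period from the last such contact (also an assumption).

```python
from datetime import datetime, timedelta

VALIDATION_HOST = "validation.es.bluecoat.com"  # host named in the article
CHECK_INTERVAL = timedelta(hours=1)   # hourly check after the first success
GRACE_PERIOD = timedelta(days=7)      # maximum grace period per the article

# Constructed sample lines, assumed format:
#   <ISO timestamp> <client IP> <method> <host:port> <proxy status>
SAMPLE_LOG = """\
2024-03-01T08:00:05 10.0.0.20 CONNECT validation.es.bluecoat.com:443 200
2024-03-01T09:00:04 10.0.0.20 CONNECT validation.es.bluecoat.com:443 200
2024-03-01T10:00:06 10.0.0.20 CONNECT validation.es.bluecoat.com:443 407
2024-03-01T10:30:00 10.0.0.31 CONNECT example.org:443 200
2024-03-01T11:00:03 10.0.0.20 CONNECT validation.es.bluecoat.com:443 407
garbage line that should be skipped
2024-03-01T12:00:07 10.0.0.20 CONNECT validation.es.bluecoat.com:443 403
"""

def parse(log_text, mc_ip):
    """Yield (timestamp, status) for mc_ip's requests to the validation host."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, ip, _method, target, status = parts
        if ip != mc_ip or target.rsplit(":", 1)[0].lower() != VALIDATION_HOST:
            continue
        try:
            yield datetime.fromisoformat(ts), int(status)
        except ValueError:
            continue

def license_check_state(log_text, mc_ip, now):
    """Classify the MC's licensing connectivity as seen from the proxy."""
    events = sorted(e for e in parse(log_text, mc_ip) if e[0] <= now)
    ok = [ts for ts, st in events if 200 <= st < 300]
    if not ok:
        return {"state": "never-validated", "last_ok": None,
                "failures": [st for _, st in events], "grace_left": None}
    last_ok, age = ok[-1], now - ok[-1]
    failures = [st for ts, st in events if ts > last_ok]
    if age <= 2 * CHECK_INTERVAL and not failures:
        state = "ok"                # at most one hourly check missed
    elif age < GRACE_PERIOD:
        state = "grace"             # MC itself shows no warning here
    else:
        state = "grace-expired"     # expect a License Avoidance message
    return {"state": state, "last_ok": last_ok, "failures": failures,
            "grace_left": max(GRACE_PERIOD - age, timedelta(0))}
```

A run of 407 or 403 statuses after the last success points at the proxy settings or a block on the network path rather than at Management Center itself.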