Troubleshooting and understanding server avoidance errors with Licensing in Management Center

Products

Management Center - VA

Issue/Introduction

License avoidance errors basically mean that Management Center (MC) is unable to communicate to the Symantec licensing servers to validate the license. The way it works is as follows:

The first time Management Center is brought online, it will try and communicate with Symantec every 5 minutes until it makes a successful connection.
Management Center attempts to establish a connection to https://validation.es.bluecoat.com/phs.cgi
After a successful connection is made, Management Center communicates with the licensing servers at Symantec every hour.
If it cannot communicate with the licensing servers or the link is broken or blocked, Management Center will allow a maximum of 7 days grace period to restore the connectivity before suspending the license. During that time, Management Center will still try and communicate with the licensing servers back at Symantec
If more than one virtual appliance uses the same serial number, the Symantec licensing servers will detect this and notify you. You then have a maximum of 30 days to take action and eliminate the duplicate. If there are more than two appliances sharing the same serial number, the grace period is decreased drastically. If the issue is not addressed, then the license will be suspended until the duplicates are removed.

Cause

Unless an "offline" license is purchased, Management Center must have internet connectivity or the appliance will report License Avoidance Detected errors. The following table describes the reasons for these errors and provides remediation options.

Resolution

Topic	Scenario	Outcome	Remediation
Upgrade from pre 1.4.2.x	No birth certificate Fully licensed Internet connectivity	License avoidance error immediately encountered	Option 1 Post upgrade, connect Management Center to the Internet Re-license on NPLP, using either the CLI or UI Wait for 5 minutes to elapse Option 2 Pre-upgrade, connect Management Center to the Internet Re-license on NPLP, using either CLI or UI Option 3 Post upgrade, obtain a license with the “offline license” Install the new license.
Upgrade from pre 1.4.2.x	Valid birth certificate Fully licensed Internet connectivity	No issues	N/A
New 1.4.2.x installation	Subscription-based license format (not perpetual) License via URL or by copy and paste No internet connectivity	Unable to license Management Center	Option 1 Connect Management Center to the Internet License on NPLP, using either CLI or UI Wait for 5 minutes to elapse
	Subscription-based license format (not perpetual) License using NPLP Internet connectivity	No issues	N/A
	Perpetual license format License via URL or by copy and paste License has birth certificate and user has passphrase No internet connectivity	Management Center is licensed but license avoidance error immediately encountered	Option 1 Connect Management Center to the Internet Wait for 5 minutes to elapse Option 2 Obtain a license with the “offline” component Install the license
	Perpetual license format License using NPLP Internet connectivity	No issues	N/A
Running 1.4.2.x or later	Fully licensed Has Internet connection for some time but then loses Internet connection	Management Center will attempt to contact Symantec every hour There is a maximum grace period of 7 days If the Internet connection is not restored within the 7-day grace period, Management Center sends a “License Avoidance” message NOTE: Users do not receive a warning during the grace period.	Option 1 Fix Internet connectivity within the 7-day grace period Option 2 Obtain a license with the “offline” component Install the license
Any release	Perpetual or subscription-based license format License using NPLP Internet connectivity Incorrect proxy settings	Unable to license Management Center	Option 1 Go to Administration > Settings > HTTP Proxy. Verify proxy settings. You must enter the IP address of the proxy, not a VIP address.

Workaround

A few key notes to keep in mind for troubleshooting:

Ensure the birth certificate is valid. To determine if you have a birth certificate on your VA, attempt to retrieve the license from the CLI by issuing the following command:

(For MC version 1.x) #license get-from-bluecoat

If you are prompted for your Symantec/Broadcom credentials, the birth certificate is missing.

(For MC version 2.x) #show birth-certificate-status
If birth certificate shows valid, you could refetch license by running

#licensing load username <Broadcom Portal username> password <Broadcom Portal password>

Ensure that you can successfully ping the following:

- License validation servers (validation.es.bluecoat.com)
- MySymantec (bto.bluecoat.com)
Attempt a tracepath to validation.es.bluecoat.com.
Is there anything in the network that could be blocking this request?
Is a proxy required for Management Center to make this request? If so, please add the correct proxy settings or ensure that the existing settings are correct.
Enable verbose logging, let it run for about 5 minutes, and then get the logs. Use the logs to see if there are any issues on Management Center.
Packet Capture is possible with Management Center 11.5.2.1 and later only. You have to be in enable mode and the syntax is:
- pcap info: Shows the status of the pcap~
- pcap filter, clear, set-host, set-port, view. These options do exactly what they suggest.
- pcap start, pcap stop.
To download the pcap you need to download the entire diagnostics from the CLI:

service upload-diagnostics: there are several options for uploading. Use the ? for the complete list.

Using the packet capture, you should be able to see if there is anything blocking the network path.