License avoidance errors basically mean that Reporter VA is unable to communicate to the Broadcom licensing servers to validate the license. 

Article will highlight following points:

1. Licensing the product for the first time
   
   
2. Explanation on how the licensing process works
   
   
3. The URLs must be whitelisted for licensing purposes
   
   
4. Desired NTP to be set or permit ntp.bluecoat.com and ntp2.bluecoat.com
   
   
5. What to do when the birth certificate on the virtual appliance is expired, and we see license errors related to this certificate

• Reporter VA

With VA appliances (SG/CA/MC/Reporter) require Internet access to certain Broadcom domains in order to obtain a birth certificate which will be later used for license validation.

After the first license attempt is successfully, the Reporter is going to communicate with the licensing servers at Broadcom every hour to validate it.

In restricted environments with no Internet access, Offline license addon can be purchased.

This addon is not available by default.

For details contact your Sales Representative.

1. Licensing the product for the first time

When the virtual appliance is initially deployed, in order for licensing to be properly retrieved and installed, it must have internet access. Also, it is necessary to keep the internet connection open at all times with each virtual appliance as they will be periodically reaching Broadcom servers to validate the license in order to prevent license duplicates.

The appliance will attempt to license itself automatically. If the license process somehow fails, you can license the appliance manually, by running the following command:

#licensing load username <Broadcom Portal username> password <Broadcom Portal password>

2. Explanation on how the licensing process works

• The first time Reporter is brought online, it will try and communicate with Blue Coat every 5 minutes until it makes a successful connection.
• The Reporter attempts to establish a connection to validation.es.bluecoat.com  on port 443. After a successful connection is made, the Reporter communicates with the licensing servers at Blue Coat every hour. 
• If it cannot communicate with the licensing servers or the link is broken or blocked, the Reporter will allow a maximum of 7 days grace period to restore the connectivity before suspending the license. During that time, the Reporter will still try and communicate with the licensing servers back at Blue Coat.
• If more than one virtual appliance uses the same serial number, the Blue Coat licensing servers will detect this and send notification in logs. Maximum of 30 days to given to action and eliminate the duplicate. If there are more than two appliances sharing the same serial number, the grace period is decreased drastically. If the issue is not addressed, then the license will be suspended until the duplicates are removed.

3. The URLs that must be whitelisted for licensing purposes can be found here:

• Reporter Ports and Protocols Reference

4. Desired NTP to be set or permit bluecoat.com
   
   The NTP server also needs to be contacted by the virtual appliance for time synchronization as it also plays a role in license verification. By default, NTP servers on virtual appliances are pointed to ntp.bluecoat.com and ntp2.bluecoat.com.  If you do not allow the appliances to sync to these external internet servers, you will need to configure an internal NTP server to serve this purpose.
   
   
5. If the birth certificate on the virtual appliance is expired, it must be recreated as follows:

Connect to the virtual appliance CLI via SSH and follow these steps:

1. Enter 'enable' mode
2. Enter 'configure' mode
3. Enter 'ssl' mode
4. Remove the existing default cert with the command: delete certificate default
5. Create the new certificate with the command: create certificate default
6. For the certificate 'Subject', enter this: CN=192.168.121.30,O=SYMC,OU=1006485912

Note: Replace CN, O, and OU with your details. CN must be IP address of Reporter and OU must be serial number

Once procedure is completed Reporter has to be restarted.

Once the certificate is created without error and Reporter has been rebooted, you should be able to login to Reporter.

-