Cannot Verify KEMP Licensing service: Missing Cookie


I've searched, and the only response from KEMP is to try from a computer directly connected to the internet.  We don't have those...they're called security risks.

The test messages in the web GUI say that it's resolving an FQDN for a licensing server.  Then it's attempting a connection to an IP address that matches what is resolved for the FQDN.

How are you making this connection?  HTTPS?  By FQDN or IP address?

If you have an answer, will you post it for the public to read?  It will make troubleshooting easier.  If we need to poke holes in content filters, we can do that.  But, only if we know what the hole is supposed to look like.

In the meantime, I can't find a way for the web GUI to work without going through this licensing routine.  Am I locked out of product usage until this is fixed?

7 comments

Alan Leghart

Any way to manually enter licenses?  From GUI or command-line?

Alan Leghart

Note to any others seeking help.  This is not a normal HTTPS browser transaction by FQDN or by IP address, as far as I can tell.  I'm trying to use the name/address in the troubleshooting lines as exclusions in an HTTP(s) content filter.  It doesn't work, even with a wildcard on the entire domain.

The only way I could make it work is by temporarily putting the LoadMaster appliance in a VLAN and IP address that bypasses content filtering completely, and running through the licensing in the web GUI.

After licensing, there is a note that says Call Home is MANDATORY, and the interval is set to 24 hours.

I'm not going to babysit this every 24 hours so it can check in for a "free" license over the internet.

Does anyone else in the community have a method to let this Call Home without leaving it open to the entire internet?  Examples would help.

Thanks in advance if you can help !

The concept of free product for commercial use is great.

Mark Deegan

Hello Alan,

The URL that we need to connect to is alsi2.kemptechnologies.com on port 443 for SSL transaction. This will allow it to licence the unit.

regards

Mark

Alan Leghart

Hi Mark,

I'm testing with System Configuration > System Administration > Update License > Upgrade (button)

It appears the LoadMaster appliance may be resolving the FQDN on its own and creating a request for the IP address.

Creating a firewall rule for the FQDN does not work.  Creating a rule for the IP address only will work.

If that is sufficient for the Upgrade button to work, will this work for the Call Home feature, so that the Free license will not expire/timeout?

If so, then my only issue is tracking the IP address if it ever changes.  If the appliance is resolving the FQDN first, then I can't use an FQDN rule on my firewall to dynamically resolve to an IP address.  It would require manual updates if the IP address were to change.

Thanks,

Alan

Mark Deegan

Hi Alan,

The IP is static and should not change anytime soon. It will only be used once upon licencing once a year or for WAF updates if these are required. A static mapping to the IP would do for now.

regards

Mark

Alan Leghart

OK.  The licensing says that Call Home is mandatory.  And the web page for Call Home says that it has to reset a 30-day licensing timer.

I'm inferring that the Free license will turn into a pumpkin if it doesn't call home every 30 days.

Is that correct?  Will we get some kind of warning if Call Home stops working due to a broken firewall rule, or some other network problem?


https://kemptechnologies.com/callhome/

Will the Free LoadMaster expire?

No. The Free LoadMaster ‘calls home’ to the licencing server to renew the licence for the next 30 days.

Mark Deegan

Hello Alan,

Yes, this will "Turn into a pumpkin" if it can't contact the licence server. This is only for the free version. The commercial version does not do this as the instance is perpetual.

best regards

Mark
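
The thread leaves two open risks: the firewall rule pins an IP address that could change, and a broken rule would only show up when the 30-day Call Home renewal fails. The following is an added example, not part of the thread and not KEMP tooling: a check meant to run on a schedule from a host behind the same egress rule, comparing what `alsi2.kemptechnologies.com` resolves to against the pinned address and confirming port 443 is reachable. The pinned IP is a constructed placeholder and all function names are hypothetical.

```python
import socket

LICENSE_HOST = "alsi2.kemptechnologies.com"  # host and port as given in the thread
LICENSE_PORT = 443
PINNED_IPS = {"203.0.113.10"}  # constructed placeholder: use the IP in your firewall rule


def resolve_ipv4(host, port, getaddrinfo=socket.getaddrinfo):
    """Return the set of IPv4 addresses the name currently resolves to."""
    infos = getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def allowlist_drift(resolved, pinned):
    """Compare current DNS answers with the addresses pinned in the firewall."""
    return {"unlisted": sorted(resolved - pinned), "stale": sorted(pinned - resolved)}


def tcp_reachable(ip, port, timeout=5.0, connect=socket.create_connection):
    """True if a TCP connection to ip:port completes through the egress rule."""
    try:
        with connect((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check(pinned, host=LICENSE_HOST, port=LICENSE_PORT,
          getaddrinfo=socket.getaddrinfo, connect=socket.create_connection):
    """Return a list of findings; an empty list means the rule still matches."""
    try:
        resolved = resolve_ipv4(host, port, getaddrinfo)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return [f"DNS lookup for {host} failed: {exc}"]
    drift = allowlist_drift(resolved, pinned)
    findings = [f"{host} now resolves to {ip}, which is not in the firewall rule"
                for ip in drift["unlisted"]]
    findings += [f"firewall rule still allows {ip}, no longer returned for {host}"
                 for ip in drift["stale"]]
    for ip in sorted(resolved & pinned):
        if not tcp_reachable(ip, port, connect=connect):
            findings.append(f"{ip}:{port} is allow-listed but not reachable")
    return findings


if __name__ == "__main__":
    problems = check(PINNED_IPS)
    print("\n".join(problems) or "allow-list matches DNS and port 443 is reachable")
    raise SystemExit(1 if problems else 0)
```

A non-zero exit status can feed whatever alerting already watches scheduled jobs, so a changed address is noticed well inside the 30-day window.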