Solved: Re: Correct Eval Licensing for HA MDS - CPUSE and ...

StackCap43382 · ‎2026-01-12

I've spun up a pair of R81.10 MDS in HA with a couple of CMAs to prep for a production upgrade that's needed.

The issue is no matter how i license the things I cant clear the "license violation".

When i attempt to perform a migrate_server validation or upgrade using CPUSE I hit a brick wall that the server is violating its licensing.

The MDS CMA is licensed with a normal EVAL + each CMA has a Unlimited GW license.

Am i doing something wrong or is there some limitation i'm not aware of?

CPUSE:

Verification failed: The server does not have a valid license. For assistance with your license, contact Check Point Account Services: https://help.checkpoint.com.

Migrate_server:

Verification failed: The server does not have a valid license. For assistance with your license, contact Check Point Account Services: https://help.checkpoint.com.

Licenses:

Host Expiration Signature Features
10.234.1.104 12Feb2026 ai9VhKTThmexBdu7hQoT2kEo3j93VAwAexSx cpsb-dmn-u CK-CC1A61226D86
10.234.1.103 12Feb2026 aWvXbg88Sd8aog2qNUG88rFzdSzq7WdmTUrk cpsb-dmn-u CK-330A46E72E1A
10.234.1.102 12Feb2026 axEBpkmMkkT7ef4NqUoN7NE6QvyVWLXz4Jtd cpsb-dmn-u CK-2258F4F990CA
10.234.1.101 12Feb2026 a9CTA6jVb5C7eQcMuQMcV9WRNGoqDk5UWTNh cpsm-c-u cpsb-npm cpsb-epm cpsb-logs cpsb-mntr cpsb-prvs cpsb-udir cpsb-wkfl-100 cpsb-ws cpsb-mptl cpvp-snx-u-ngx cpsb-swb cpsb-adnc-m cpsb-rprt-u cpsb-evcr-u cpsb-sslvpn-mobmail+5000 cpsb-comp-150 CK-43470845213A

CCSME, CCTE, CCME, CCVS

StackCap43382 · ‎2026-01-13

Problem Solved!

Classic issue of being tired and looking at the issue for too long.

The correct EVAL license for a MDS is "CPSM-NGSM50-MD5-EVAL"

When you generate the license there is TWO STRINGS to enter which adds two SKUs:

CPSM-NGSM50-MD5-EVAL

CPSB-DMN-5-EVAL

I didn't see the second string as the new UC layout means its off-screen initially.

Added additional string and boom.

CCSME, CCTE, CCME, CCVS

View solution in original post

the_rock · ‎2026-01-12

That looks right to me. I had not done mds in the lab in some time, but last time I did it, I just generated regular sms eval license and was fine, did not complain about anything. Let me see if I got time tomorrow, can try again.

Best,
Andy
"Have a great day and if its not, change it"

StackCap43382 · ‎2026-01-13

Same the basic operation of the MDS with the generic EVAL works fine.

Attempt to verify a blink upgrade or run export_server verify and see if it also rejects the license please.

CCSME, CCTE, CCME, CCVS

Chris_Atkinson · ‎2026-01-12

Do the IPs in the license strings match those assigned to the actual machine, also if these are VMs what NIC type is being used?

Where applicable you can also try this eval type if not already:

CCSM R77/R80/ELITE

StackCap43382 · ‎2026-01-13

VMXNET3 for the Interfaces.

I have attempted with just the generic EVAL, Just that specific MDS EVAL and both and still license validation fails.

[Expert@vsx-mds-01:0]# cplic print -x
Host Expiration Signature Features
10.234.1.101 12Feb2026 aTRSvjSzYTknAKG3z69Yk3dZXQQjMkzbZvrt cpsm-c-50 cpsm-ngsm cpsb-wkfl-50 cpsb-npm cpsb-epm cpsb-logs cpsb-mntr cpsb-mptl cpsb-udir cpsb-prvs cpsb-comp-50 cpsb-sme-50 cpsb-rprt-n-c2500 cpsb-rprt-n-c2500 CK-2ED0B86A15E2
10.234.1.104 12Feb2026 ai9VhKTThmexBdu7hQoT2kEo3j93VAwAexSx cpsb-dmn-u CK-CC1A61226D86
10.234.1.103 12Feb2026 aWvXbg88Sd8aog2qNUG88rFzdSzq7WdmTUrk cpsb-dmn-u CK-330A46E72E1A
10.234.1.102 12Feb2026 axEBpkmMkkT7ef4NqUoN7NE6QvyVWLXz4Jtd cpsb-dmn-u CK-2258F4F990CA
10.234.1.101 12Feb2026 a9CTA6jVb5C7eQcMuQMcV9WRNGoqDk5UWTNh cpsm-c-u cpsb-npm cpsb-epm cpsb-logs cpsb-mntr cpsb-prvs cpsb-udir cpsb-wkfl-100 cpsb-ws cpsb-mptl cpvp-snx-u-ngx cpsb-swb cpsb-adnc-m cpsb-rprt-u cpsb-evcr-u cpsb-sslvpn-mobmail+5000 cpsb-comp-150 CK-43470845213A

CCSME, CCTE, CCME, CCVS

Don_Paterson · ‎2026-01-12

Can you try with the prod licenses?

Even better if you could restore the prod to the lab and then carry out testing, if you can.

I've seen secondary management servers misbehave in the past with eval licenses, both 15 day and 30 day.

StackCap43382 · ‎2026-01-13

Not an option sadly.

CCSME, CCTE, CCME, CCVS

_Val_ · ‎2026-01-13

Looks like sk174770. Please follow the SK recommendations and let us know if it helps.

StackCap43382 · ‎2026-01-13

There are no looopbacks configured just the MDS and CMA IPS:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:50:56:9c:a3:56 brd ff:ff:ff:ff:ff:ff
inet 10.234.1.101/24 brd 10.234.1.255 scope global eth0
valid_lft forever preferred_lft forever
inet 10.234.1.104/24 brd 10.234.1.255 scope global secondary eth0:3
valid_lft forever preferred_lft forever
inet 10.234.1.103/24 brd 10.234.1.255 scope global secondary eth0:2
valid_lft forever preferred_lft forever
inet 10.234.1.102/24 brd 10.234.1.255 scope global secondary eth0:1
valid_lft forever preferred_lft forever

I saw that SK yesterday and added an explicit interface to the MDS and then attached some licenses to that IP:

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:50:56:9c:39:4a brd ff:ff:ff:ff:ff:ff
inet 10.10.10.5/24 brd 10.10.10.255 scope global eth1

10.10.10.5 12Feb2026 ayE6MssnzYcQ3ZW3aWSTwgi9DgSRf3j3u7Hc cpsm-c-50 cpsm-ngsm cpsb-wkfl-50 cpsb-npm cpsb-epm cpsb-logs cpsb-mntr cpsb-mptl cpsb-udir cpsb-prvs cpsb-comp-50 cpsb-sme-50 cpsb-rprt-n-c2500 cpsb-rprt-n-c2500 CK-5335DC829743

[Expert@vsx-mds-01:0]# cat /var/log/licenses.txt
(
:cma-ecom-01_._._ECOM (
:lic_state (2)
:cma_type (1)
)
:cma-office-01_._._OFFICE (
:lic_state (2)
:cma_type (1)
)
:cma-vsx-01_._._VSX (
:lic_state (2)
:cma_type (1)
)
)
m_bViolation: 1
m_bBlockStartup: 1
m_cViolationString:
'License violation detected:
Multi-Domain Server 'vsx-mds-01'
================================
The license on Multi-Domain Server 'vsx-mds-01' allows to manage 0 Domain Management/Log Servers with Domain Management/Log Server level license.
3 are already defined.'
m_cViolationDetectedTime: 13Jan2026-09:43:41
m_cLastUpdatedTime: 13Jan2026-09:43:52
CLicViolationManager::GetNumOfCmas>
nCmaNotSet:0 nCmaPnP:0 nCmaN:3 nCma0:0 nCmaNull:0
nHACmaNotSet:0 nHACmaPnP:0 nHACmaN:0 nHACma0:0 nHACmaNull:0
nClm: 0
The lic states are:
0 : 'Not Set'
1 : 'CMA-PnP'
2 : 'CMA-N'
3 : 'CMA-0'
4 : 'CMA-null'
nTotalLicenses: 0
nRegularSlots: 0
nVirtualContainerSlots: 0
nMainCMAs: 0
nVirtualHAContainerSlots: 0
nMainHACMAs: 0
Number of VSs defined on Primary CMA-0: 0
Number of VSs defined on Secondary CMA-0: 0
-- End --

Did not fix the issue.

CCSME, CCTE, CCME, CCVS

_Val_ · ‎2026-01-13

Is eth0 set as a MGMT interface on that machine? Also, what is "inet"? An alias? Can you assign the main IP address directly to eth0, assuming it is a single interface?

StackCap43382 · ‎2026-01-13

Eth0 is the Mgmt "set management interface eth0"

"inet" is part of the "IP" command set output.

Main IP is already assigned to eth0 and the CMAs are assigned as secondary IPS.

This is how MDS are deployed.

CCSME, CCTE, CCME, CCVS

StackCap43382 · ‎2026-01-13

Problem Solved!

Classic issue of being tired and looking at the issue for too long.

The correct EVAL license for a MDS is "CPSM-NGSM50-MD5-EVAL"

When you generate the license there is TWO STRINGS to enter which adds two SKUs:

CPSM-NGSM50-MD5-EVAL

CPSB-DMN-5-EVAL

I didn't see the second string as the new UC layout means its off-screen initially.

Added additional string and boom.

CCSME, CCTE, CCME, CCVS

the_rock · ‎2026-01-13

Great job! Glad it was something simple.

Best,
Andy
"Have a great day and if its not, change it"

_Val_ · ‎2026-01-14

Glad to hear you resolved it. I suspected something very basic, but could not put my finger on it.

Are you a member of CheckMates?

Correct Eval Licensing for HA MDS - CPUSE and migrate_server license violation issues.