topic Re: Failure to deploy SWIM certificate in Cisco Catalyst Center

Failure to deploy SWIM certificate

Martin Pritchard — Tue, 28 Feb 2023 11:56:20 GMT

We're having issues with telemetry between our DNAC appliance and our two HA pairs of 9800 WLCs. In the past where telemetry has started acting up (resulting in all APs showing as "down" on heatmaps despite being "reachable" on the AP list, and "No Health" against each controller) a forced push of the telemetry settings has fixed things, but not this time.

Drilling down into the configuration task failure notification reveals the following error:-

Install of Swim Certificate FAILED

Installation of SWIM Certificate initiated successfully
Error occurred in ExecuteOnDeviceMessageHandler of NP: Error occured while executing the command 'do write memory'.Command Output : yes yes ^ % Invalid input detected at '^' marker.

Failing over the HA pair makes no difference.
Rebooting DNA Center makes no difference.

DNAC Version 2.3.3.6-70045
WLC IOS-XE version 17.3.6

Does anyone else have any suggestions to try, or should we TAC it?

Re: Failure to deploy SWIM certificate

Jaccobbchoi — Mon, 10 Jul 2023 09:44:25 GMT

Same issue here. Same DNAC version except controller is running on 17.9.3

Re: Failure to deploy SWIM certificate

Jaccobbchoi — Mon, 10 Jul 2023 10:01:17 GMT

Hi @Martin Pritchard what I did was updated the Telemetry settings in DNAC then reprovision and it worked. Make sure the telemetry update is successful before you reprovision

Re: Failure to deploy SWIM certificate

Martin Pritchard — Mon, 10 Jul 2023 12:13:15 GMT

I forgot about this query. All fixed through TAC as the engineer had come across it before. Problem was down to DNAC's new system certificate being 8K. DNAC's happy with those, but 9800 controllers aren't. Replacing this with a 4K certificate fixed it all.

Re: Failure to deploy SWIM certificate

Jaccobbchoi — Mon, 10 Jul 2023 12:33:59 GMT

Do you have procedure on replacing the 4k certificate ?

Re: Failure to deploy SWIM certificate

Martin Pritchard — Mon, 10 Jul 2023 15:02:08 GMT

The certificate was generated by us, and as it can be a bit fiddly to get all the tickboxes right I opened a copy of the 8K certificate up in SSL Shopper's CSR Decoder to get all the details in the right place when requesting the 4K one to replace it.

Location in DNAC: System -> Settings -> Trust & Privacy -> System Certificates

Some key takeaways:-

Don't tick the "FQDN only" box
Common Name: IP address of the DNAC node (in our case it's not the one we always access it through, it's the address I think of the node itself, on the LAN, not the 192.168 internal cluster address), in our case this is automatically filled in.
Digest: sha512
Key Length: 4096
Key Usage: keyEncipherment digitalSignature
Extended Key Usage: serverAuth clientAuth
SanDNS: dnac.yourdomainname, pnpserver.yourdomainname, yourdnachostname.yourdomainname, yourdnacclustername.yourdomainname (in our case this was dnac.ourpublicdomain.gov.uk, pnpserver.ourdomain.local, oursite-dna-01.ourdomain.local, dnac.ourdomain.local, OURSITE-DNA.ourdomain.local)
SanIP: Internal cluster IP addresses (in our case 192.168.255.192, 192.168.255.194), IP address you access the whole system through, IP address of the node (the address you put in the Common Name above), for us this entry had four addresses altogether

Obviously replace ourdomain, etc. with your actual domain details. The above settings worked for us.