https://community.cisco.com/t5/software-defined-access-sd-access/cisco-catalyst-3560cx-sda-extended-node-pnp-fail/m-p/4675255#M1978 <P>I tried to add catalyst 3560cx as an extended node to SDA fabric but I have this error message:</P> <P>Device tried to contact the server and failed during certificate_install</P> <P>how can I resolve this problem?</P> <P>is it possible to add&nbsp;extended node without using PnP ?</P> <P>&nbsp;</P> Thu, 25 Aug 2022 11:55:11 GMT mzouggagh 2022-08-25T11:55:11Z https://community.cisco.com/t5/software-defined-access-sd-access/cisco-catalyst-3560cx-sda-extended-node-pnp-fail/m-p/4675255#M1978 <P>I tried to add catalyst 3560cx as an extended node to SDA fabric but I have this error message:</P> <P>Device tried to contact the server and failed during certificate_install</P> <P>how can I resolve this problem?</P> <P>is it possible to add&nbsp;extended node without using PnP ?</P> <P>&nbsp;</P> Thu, 25 Aug 2022 11:55:11 GMT https://community.cisco.com/t5/software-defined-access-sd-access/cisco-catalyst-3560cx-sda-extended-node-pnp-fail/m-p/4675255#M1978 mzouggagh 2022-08-25T11:55:11Z https://community.cisco.com/t5/software-defined-access-sd-access/cisco-catalyst-3560cx-sda-extended-node-pnp-fail/m-p/4675454#M1979 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/272658">@mzouggagh</a>&nbsp;</P> <P>Extended nodes can only be connected using PnP. The certificate install error is typically due to a TLS mismatch between the switch and DNA Center.&nbsp; You can check the TLS version that is enabled on DNA Center using the following command</P> <P>&nbsp;</P> <PRE class="pre codeblock"><CODE>magctl service tls_version --tls-min-version show</CODE></PRE> <P>&nbsp;</P> <P>Some switches only support TLS version 1.1 or 1.0 for PnP. We had this exact issue with the C3560-CX which only supports TLS 1.1. We changed the TLS version on DNA Center to 1.2 as recommended in the DNA Center Security Best Practises Guide and had to drop back down to version 1.1 to allow the C3560-CX to complete PnP onboarding. Once PnP completed we were able to change the DNA Center TLS version back to 1.2.</P> <P>&nbsp;</P> <PRE class="pre codeblock"><CODE>magctl service tls_version --tls-min-version 1.0<BR /></CODE></PRE> <PRE class="pre codeblock"><CODE>magctl service tls_version --tls-min-version 1.1</CODE></PRE> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html#task_vq4_yyk_ybb" target="_blank" rel="noopener nofollow noreferrer">https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html#task_vq4_yyk_ybb</A></P> Thu, 25 Aug 2022 15:57:51 GMT https://community.cisco.com/t5/software-defined-access-sd-access/cisco-catalyst-3560cx-sda-extended-node-pnp-fail/m-p/4675454#M1979 willwetherman 2022-08-25T15:57:51Z https://community.cisco.com/t5/software-defined-access-sd-access/cisco-catalyst-3560cx-sda-extended-node-pnp-fail/m-p/4676325#M1981 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/295375">@willwetherman</a>&nbsp;</P> <P>after executing&nbsp;</P> <PRE class="pre codeblock"><CODE>magctl service tls_version --tls-min-version 1.0</CODE></PRE> <P>PnP process is working and I can see 3560-CX switch in the inventory.</P> <P>Thank you for your help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 26 Aug 2022 16:02:26 GMT https://community.cisco.com/t5/software-defined-access-sd-access/cisco-catalyst-3560cx-sda-extended-node-pnp-fail/m-p/4676325#M1981 mzouggagh 2022-08-26T16:02:26Z