Unable to validate provider. Nexus Dashboard

Rem Markov
Level 1

Unable to validate provider. Please check you configuration.
Nexus Dashboard: when I configured the provider DNS for the first time, it said that it cannot validate it, but why?

I followed the steps; it arrives at the DNS server but still it can't validate. Even when I try to configure an LDAP domain login and try to add the provider, it just throws the same error: "Unable to validate provider. Please check you configuration."

What should I check? What can be wrong?

I'm really lost.

Accepted Solutions

I've confirmed that this functionality (Custom LDAP filter) does not yet exist on Nexus Dashboard. I've opened an enhancement request to port the AAA functionality from APIC > ND so they're functionally similar. I'd suggest you open a TAC SR, and ask them to link to this CDET (will help prioritize this enhancement). https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwf51550

Robert

29 Replies

Robert Burns
Cisco Employee

What is serving DNS? What server/OS/App.  If the request is getting to the DNS server, there's nothing wrong on the ND side.  Something on the DNS server side is not responding/accepting the DNS query.
Robert

When I try to "Add Provider" when creating a login domain I'm getting the error "Unable to validate provider. Please check you configuration." Now where am I supposed to look?

During the initial setup of the NXD I added two NTP providers and two DNS providers, but for some reason it wasn't able to validate them.

It looks like it doesn't want to validate it. Now, when reading https://www.cisco.com/c/en/us/td/docs/dcn/nd/2x/user-guide/cisco-nexus-dashboard-user-guide-211.pdf , there was a part about custom attribute-value (AV) pair, and I'm not so sure about it.
I'm trying to validate using a user, let's say named "networkie". Does it matter? Does it really have to be "admin"?

Setting it up in the APIC worked but the Nexus Dashboard doesn't allow it for some reason.

Robert Burns
Cisco Employee

So we're clear, you're having issues with both DNS & LDAP config? I assume the same DNS server works for serving APIC DNS queries. If this is the case, assuming there's no security on your DNS server allowing queries from only specific IPs, this should be fine. I assume you've tested connectivity to the DNS & LDAP server from the command line (console) of the ND nodes using "acs ping [ldap hostname/IP]"
Back to my original question, what type of LDAP server are you using?  MS AD, InfoBlox etc?

Robert

The acs ping works fine. I'm using IDM for the LDAP.
You are correct, both the DNS and the LDAP configuration prompt validation failed, and for both it is the same server.

I also would like to add that the APIC has the same LDAP and it works just fine.

Referring to Redhat IDM?  APIC & ND use similar authentication processes, so not sure why one would work, and the other would not.  Might want to grab a sniffer capture on the validation attempt by ND, and see what it is/is-not returning to ND. 

For APIC authentication are you using AV Pair or Group maps?

Robert

I do refer to Redhat IDM. 

I will try to sniff, but on what side? Should I sniff on the IDM or rather the CLI of the Nexus Dashboard?

Also, maybe one of the logs inside /logs/* might help? But I'm not sure where to look.

If only I'd know what causes the error. It just says check your configuration, but what and where to check 🥲

For the APIC I use Group Maps, but the problem is also with the DNS provider in the NXD, which doesn't require LDAP but still prompts that it can't validate it.

It seems like the query works from the LDAP side. I'm lost.

My only guess might be that the query doesn't go back from the leaf switch into the NXD.

That's what a packet capture would determine, the full transaction between ND & IDM. Capture both directions; if you see the query hit the LDAP server, but it doesn't return anything, it's something on the IDM side. You'd need someone more versed with IDM to assist if that's the case.

Robert

BTW - which LDAP port are you using?  389 or 636?

Robert

I'm using port 389, which prompts an almost immediate error, and when I try 636 it does seem to load a bit, I figure trying to search for the certificate, and then fails all the same.

I didn't quite understand which certificate I should use.

Well, I found the problem.
When setting up the DNS, it by default sends a "svc.intersight.com." and "fake.server.fail.junk.local."
Now why is that and how can I modify that? I solved it by adding it to the IDM but it is not a good solution.

I imagine it's attempting to test resolve intersight's DNS resource.  As for the other DN, I'd have to dig further.  Glad it's working.  I imagine once it validates you could probably delete those CNAMEs/Aliases from IDM.

Robert

Robert Burns
Cisco Employee

I assume you're running ND 2.2 or earlier as we coded the positive and negative validation test.  The first "should" successfully resolve intersight's DN, the second should fail.  If you don't have a DNS forwarder though, this might cause a problem.  In ND 2.3 we changed this behavior and removed that validation test, and replaced it with a simple reachability test instead.

Robert
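
The positive/negative lookup pair described in the reply above can be reproduced by hand against the configured DNS provider. This is an added example, not Cisco's code and not part of the original thread; the two names come from the thread, while the function names and the interpretation in `diagnose` are assumptions.

```python
import socket
import struct

POSITIVE_NAME = "svc.intersight.com."           # from the thread: should resolve
NEGATIVE_NAME = "fake.server.fail.junk.local."  # from the thread: should fail

def build_query(name, txid=0x1234):
    """Encode a recursive A-record query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # A, IN

def parse_response(data):
    """Return (rcode, answer_count) taken from the DNS response header."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return flags & 0x000F, ancount

def resolves(rcode, ancount):
    """A lookup counts as resolved only on NOERROR with at least one answer."""
    return rcode == 0 and ancount > 0

def lookup(server, name, timeout=3.0):
    """Send one UDP query to server:53; None means no usable reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (server, 53))
            return parse_response(sock.recv(512))
        except OSError:  # includes timeouts
            return None

def diagnose(positive, negative):
    """Assumed reading of the two results, following the thread's description."""
    if positive is None or negative is None:
        return "no reply from server: check reachability and query ACLs"
    if not resolves(*positive):
        return "positive name did not resolve: server likely has no forwarder"
    if resolves(*negative):
        return "negative name resolved: wildcard or manually added record"
    return "both tests behave as expected"

if __name__ == "__main__":
    import sys
    server = sys.argv[1]  # IP of the DNS provider, supplied by the operator
    print(diagnose(lookup(server, POSITIVE_NAME), lookup(server, NEGATIVE_NAME)))
```

Run it with the DNS provider's IP as the only argument from a host that shares the ND nodes' path to that server.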
