Beginner

ACI APIC (not ssh-able or joining) despite reset

 ping.jpg

I have 3 ACI APIC UCS appliances.

 

1 of them is up and can be ssh-ed via OOB mgmt.

 

Rest are not, although they can be pinged.

 

I used https://supportforums.cisco.com/t5/application-centric/how-can-i-make-a-apic-to-a-factory-default/td-p/2532218 as a guide to reset pw but still can't log in using admin via ssh or console.

 pw.jpg

 

Can there be an instance where "passwd reset" doesn't go through?

 

Also, if configured correctly within one subnet, do the rest of the APIC controllers automatically join the 1st one?

 

Thanks.


12 REPLIES 12
Beginner

Re: ACI APIC (not ssh-able or joining) despite reset

Is this a new setup? If the APICs have not formed a fully-fit cluster, then it is expected to not be able to gain SSH/GUI access with the admin user on APICs 2 and 3. They must join APIC 1 in a cluster first, so that they can pull the admin password from APIC 1. 

If you need access to APICs 2 and 3, then try 'rescue-user' as the username via KVM console or vKVM (CIMC). It should be a null password. 

-JW

Cisco Employee

Re: ACI APIC (not ssh-able or joining) despite reset

sendalot7,

Just to shine a bit more light on Jason's response, the APICs cluster using the Infra (TEP) addresses, not the mgmt address.

 

The TEP addresses are assigned to the bond0 interface that is mapped to the VNIC ports (that should go into the leaf). So without at least a single leaf to link their TEP addresses, they will not cluster.

 

There is currently no method to cluster them via OOB mgmt.

 

-Gabriel

Beginner

Re: ACI APIC (not ssh-able or joining) despite reset

Thank you both for your time.

 

This is a new setup I'm trying.

 

So I guess 1st eth is tied to OOB interface.

 

But how do I map TEP to 2nd eth then enable communication between them?

I can put 2nd eth(s) into their own vlan, but how do I map TEP to their eth(s)?

 

I'll look at the manual again for now.

Thank you again.

 

[Update: to phrase my question better, included a screenshot. I only see two NIC. Do I need more? 1/1,1/2,2/1/2/2 ?]

 

int.jpg

Cisco Employee

Re: ACI APIC (not ssh-able or joining) despite reset

In addition to Jason's and Gabriel's comments: you mentioned this is a new setup; has APIC1 discovered the first leaf node?  The TEP assignment to the APICs is automatic, so you don't have to worry about configuring it.  Assuming the APICs and switches don't have any previous documentation, if APIC1 is unable to discover the first leaf node, try rebooting APIC1 by running the following command: "acidiag reboot".  If APIC1 can see the first leaf node, assign a node ID and name to discover the rest of the nodes.

 

See the YouTube video below for ACI fabric discovery:

https://www.youtube.com/watch?v=2zCVpqdDcto

 

One more thing, looking at the screenshots you posted, it doesn't look like you have connected your APIC to any leaf node since eth2-1 and eth2-2 are showing as down. Eth1-1 and Eth1-2 are both the LOM ports of your APIC which are used for OOB connectivity of the APIC.

Beginner

Re: ACI APIC (not ssh-able or joining) despite reset

thanks for your reply

 

int.jpg

"to fabric" ports connected.

 

is this port supposed to be part of In-Band mgmt for clustering?

 

screenshots attached afterwards (out-of-band mgmt is reachable while in-band is trunked with vlan tagging).

 

address.jpg

Cisco Employee

Re: ACI APIC (not ssh-able or joining) despite reset

Yes, the connection of these ports is required to discover the fabric, and for clustering.

 

Note: inband mgmt configuration is not needed for the discovery of the nodes or the clustering of the APICs.

 

Are you able to discover the first leaf node now that you connected the fabric ports?  You can check by going to Fabric>Inventory>Fabric Membership.

 

Do all 3 APICs have Fabric port connected as well?

Beginner

Re: ACI APIC (not ssh-able or joining) despite reset

thanks for the continued help.

 

watched video and added serial #s of N9K to APIC ACI web-gui interface.

 

But still not discovering IPs of the N9K(s).

 

On the N9K(s), however, "show lldp nei" shows all APIC ACI devices.

 

Do N9K(s) themselves need to be in TEP range with trunking to ACI?

 

thanks again.

Cisco Employee

Re: ACI APIC (not ssh-able or joining) despite reset

You don't need to add the Serial Number, it should show automatically, the only thing you need to do is to add the node ID and name.

 

Also, the TEP address gets assigned to the leaf automatically, no need to configure anything.

 

Are your leaf nodes running on ACI mode or NX-OS?

 

Can you console or ssh to one of the leaf and run the "show version" command and provide the output?

 

Also what version of code is your APIC running?  If you ssh to APIC 1 and type the "show version" you can get this info.

Beginner

Re: ACI APIC (not ssh-able or joining) despite reset

1# show ver
 Role        Id          Name                      Version              
 ----------  ----------  ------------------------  --------------------
 controller  1           crn1                      2.2(1n)   

 

 

also, booting NX into ACI mode.

 

does ACI get fetched by APIC-ACI?

 

it's not like conventional switch anymore where I console and setup?

(unless converting back to NX-OS mode?)

 

Thanks.

Cisco Employee

Re: ACI APIC (not ssh-able or joining) despite reset

Are you saying that your switches are booting into NX-OS? If that is the case, these switches will never get discovered until they start running in ACI mode.

 

 

The consoling to the switch should be the same no matter if you are running in ACI mode or NX-OS.  The switch should have a console port.

 

You mentioned that the switch was able to see all of the APICs LLDP adjacencies, how did you determine this?  You would have to have ssh or console access to the switch to get this info.

 

 


Beginner

Re: ACI APIC (not ssh-able or joining) despite reset

So while it was NX-OS,  I was able to use "show lldp" to see APIC(s).

 

Then I saw the post and booted NX into ACI mode. (as in "boot aci image")

 

I'll provide update soon.

Thanks for your time.

Beginner

Re: ACI APIC (not ssh-able or joining) despite reset

thank you that did it.

now magically everyone discovered each other.

 

(none) login: admin
********************************************************************************
     Fabric discovery in progress, show commands are not fully functional
     Logout and Login after discovery to continue to use show commands.
********************************************************************************
(none)#
