Node certificate invalid - all switches inactive

Nik Noltenius

Hi community,

I have at least one major issue, perhaps even two.

We have a small demo-lab, one APIC, two leaf switches, one spine. A critical fault (F3031) is raised with a description of "Node Certificate is invalid: Failed to parse the subject line as a valid ACI fabric certificate AND Invalid Serial Number AND Invalid Product ID". The fault is raised for the APIC.

For a time everything went fine, though. We had this fault but nothing really happened. Now I reset the fabric to factory defaults and started building it up from scratch. All nodes are discovered successfully, however they turn to an "inactive" state right after discovery. I have seen this happen in other environments for a short period, maybe up to a couple of minutes but in this case it's been hours now, since the devices have been discovered. I have a hunch this issue might be related to the invalid certificate.

Am I on the right track or are those problems not related? What can I do to get back a valid certificate?

Thank you and kind regards,

Nik

1 Accepted Solution

Gaurav Gambhir
Cisco Employee

In 4.2 we introduced a new CLI command, "show discoveryissues", which can be run on the leaf CLI.

The CLI basically runs a script in the backend and performs multiple checks; the certificate check is one of them.

If an invalid certificate is the issue, please open a TAC case.

3 Replies

Thank you Gaurav,

unfortunately the switches are still running 3.2(7f) so the command is not available.

I think I'll go with the TAC case. I'll update the discussion when we have a solution.

Thank you again for the input!

It took a while, but it turned out the certificate did indeed have to be replaced. For some unknown reason the subject line got corrupted and presented the values in a wrong order. I hope this is some very rare scenario, but if someone is facing this issue, there is no way around it without TAC and root access.
