cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

2075
Views
5
Helpful
2
Replies

ISR 4331 SSL handshake failed while communicating with AppNav-XE controller device

I've run up on a problem registering one of our ISR 4331's with WCM.  I get the error message in the subject line after adding the router as an AppNav controller.  WCM is running 6.4.1a and the IOS on the router is 16.6.3. I've got 10 other of the same model and IOS version of the router that I've successfully added, but for some reason this one continues to fail with the same error message.  Short of rebuilding it from scratch, I'd appreciate any insights others may have in overcoming this issue.

1 ACCEPTED SOLUTION

Accepted Solutions
Aleksey Pan
Cisco Employee

Hi Alex, 

 

Before you can register any routers to the CM, I will suggest next steps:

- check if you can ssh to the router from the CM cli by using the same credentials you have specified in the IOS global credentials and/or for that specific device in the CM GUI.

 

- if that is all good, then it might be thats the router has been registered before, or somehow the CM has its information but with mismatch cert: then try to delete that router from the CM, reimport the CMs cert to the router and regenerate new self signed cert on the router and then register it again, link:

 

https://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v531/configuration/guide/cnfg/other.html#44813

 

sections: "importing the CM certificate" and "Configuring router certificate"

 

 

- if none of the above helps, I would suggest to do pcap on the CM and investigate what breaks the handshake. 

I have seen the situation, when the lower mtu breaks the connections, check if you have in the middle like any dmvpn with mtu of 1400, when you have 1500 default on the CM interface. Then, reducing the mtu on the CM should fix it.

 

Hope that helps.

View solution in original post

2 REPLIES 2
Aleksey Pan
Cisco Employee

Hi Alex, 

 

Before you can register any routers to the CM, I will suggest next steps:

- check if you can ssh to the router from the CM cli by using the same credentials you have specified in the IOS global credentials and/or for that specific device in the CM GUI.

 

- if that is all good, then it might be thats the router has been registered before, or somehow the CM has its information but with mismatch cert: then try to delete that router from the CM, reimport the CMs cert to the router and regenerate new self signed cert on the router and then register it again, link:

 

https://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v531/configuration/guide/cnfg/other.html#44813

 

sections: "importing the CM certificate" and "Configuring router certificate"

 

 

- if none of the above helps, I would suggest to do pcap on the CM and investigate what breaks the handshake. 

I have seen the situation, when the lower mtu breaks the connections, check if you have in the middle like any dmvpn with mtu of 1400, when you have 1500 default on the CM interface. Then, reducing the mtu on the CM should fix it.

 

Hope that helps.

View solution in original post

Thanks  Aleksey!  Importing the CM cert and regenerating the self-signed cert on the ISR did the trick.  Odd that I had to jump through the extra hoops for this one router, but it is what it is.