Solved: ISR 4331 SSL handshake failed while communicating with AppNav-XE controller device

alex.parks@ngic.com · ‎10-10-2018

I've run up on a problem registering one of our ISR 4331's with WCM. I get the error message in the subject line after adding the router as an AppNav controller. WCM is running 6.4.1a and the IOS on the router is 16.6.3. I've got 10 other of the same model and IOS version of the router that I've successfully added, but for some reason this one continues to fail with the same error message. Short of rebuilding it from scratch, I'd appreciate any insights others may have in overcoming this issue.

Aleksey Pan · ‎10-10-2018

Hi Alex,

Before you can register any routers to the CM, I will suggest next steps:

- check if you can ssh to the router from the CM cli by using the same credentials you have specified in the IOS global credentials and/or for that specific device in the CM GUI.

- if that is all good, then it might be thats the router has been registered before, or somehow the CM has its information but with mismatch cert: then try to delete that router from the CM, reimport the CMs cert to the router and regenerate new self signed cert on the router and then register it again, link:

https://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v531/configuration/guide/cnfg/other.html#44813

sections: "importing the CM certificate" and "Configuring router certificate"

- if none of the above helps, I would suggest to do pcap on the CM and investigate what breaks the handshake.

I have seen the situation, when the lower mtu breaks the connections, check if you have in the middle like any dmvpn with mtu of 1400, when you have 1500 default on the CM interface. Then, reducing the mtu on the