ISR 4331 SSL handshake failed while communicating with AppNav-XE controller device

I've run up on a problem registering one of our ISR 4331s with WCM. I get the error message in the subject line after adding the router as an AppNav controller. WCM is running 6.4.1a and the IOS on the router is 16.6.3. I've got 10 other routers of the same model and IOS version that I've successfully added, but for some reason this one continues to fail with the same error message. Short of rebuilding it from scratch, I'd appreciate any insights others may have in overcoming this issue.

Accepted Solutions

Aleksey Pan
Cisco Employee

Hi Alex,

Before you can register any routers to the CM, I would suggest the following steps:

- Check if you can SSH to the router from the CM CLI by using the same credentials you have specified in the IOS global credentials and/or for that specific device in the CM GUI.

- If that is all good, then it might be that the router has been registered before, or somehow the CM has its information but with a mismatched cert. In that case, try to delete that router from the CM, reimport the CM's cert to the router, regenerate a new self-signed cert on the router, and then register it again. Link:

https://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v531/configuration/guide/cnfg/other.html#44813

Sections: "importing the CM certificate" and "Configuring router certificate"

- If none of the above helps, I would suggest doing a pcap on the CM and investigating what breaks the handshake.

I have seen a situation where a lower MTU breaks the connections. Check whether you have something in the middle, like a DMVPN with an MTU of 1400, when you have the default 1500 on the CM interface. Then reducing the MTU on the CM should fix it.

Hope that helps.
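The retransmission pattern to look for in the pcap suggested above, when a 1400-byte hop sits in front of a 1500-byte CM interface, as an added example that is not part of the original reply or of any Cisco tooling. The addresses, packet tuples and function names are constructed for illustration, and the check is a heuristic that counts repeated segments without tracking ACKs.

```python
from collections import Counter

IP_TCP_HEADERS = 40  # assumption: IPv4 (20) + TCP (20) with no options

# Constructed sample: (time_s, src, dst, tcp_seq, payload_len), the fields you
# would export from a capture on the CM. Addresses and sizes are made up.
CM, ROUTER = "10.0.0.10", "10.20.0.1"
SAMPLE = [
    (0.000, CM, ROUTER, 1, 517),     # small handshake record, sent once
    (0.041, ROUTER, CM, 1, 1200),    # reply that fits under a 1400 MTU
    (0.043, CM, ROUTER, 518, 1460),  # full-size segment from the CM
    (0.250, CM, ROUTER, 518, 1460),  # retransmission
    (0.660, CM, ROUTER, 518, 1460),  # retransmission
    (1.480, CM, ROUTER, 518, 1460),  # retransmission
]

def find_stuck_segments(packets, min_repeats=3):
    """Return one finding per sender whose repeated segments are all larger
    than every segment it sent only once (the MTU black-hole pattern)."""
    seen = Counter((src, seq, ln) for _, src, _, seq, ln in packets if ln)
    findings = []
    for sender in sorted({src for src, _, _ in seen}):
        sizes = {(seq, ln): n for (src, seq, ln), n in seen.items() if src == sender}
        stuck = [ln for (_, ln), n in sizes.items() if n >= min_repeats]
        once = [ln for (_, ln), n in sizes.items() if n == 1]
        if stuck and (not once or min(stuck) > max(once)):
            findings.append({
                "sender": sender,
                "largest_unrepeated_payload": max(once, default=0),
                "smallest_stuck_payload": min(stuck),
                "stuck_ip_packet_size": min(stuck) + IP_TCP_HEADERS,
            })
    return findings

def exceeds_path_mtu(finding, path_mtu):
    """True when the stuck packet cannot cross a hop with the given MTU."""
    return finding["stuck_ip_packet_size"] > path_mtu

if __name__ == "__main__":
    for f in find_stuck_segments(SAMPLE):
        print(f, "exceeds 1400:", exceeds_path_mtu(f, 1400))
```

A finding whose stuck packet size is above the tunnel MTU while smaller segments from the same sender went out only once points at the path rather than at the certificates.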

Thanks Aleksey! Importing the CM cert and regenerating the self-signed cert on the ISR did the trick. Odd that I had to jump through the extra hoops for this one router, but it is what it is.