APIC-EM with ISR C1117-4PM


We got new devices for testing and now I'm trying to test provisioning. Officially this model is not supported, at least when you are adding new device you can't choose  product id (C1117-4PM) from the list in APIC-EM.

The problem is :

Due to advanced configuration of routers (distinct VRF for management) there is  configuration:

pnp profile pnp-zero-touch

backup transport https host port 443 vrf for_management

So after device got all configuration it looses it connection with main transport but after sometime it should be able to connect to backup with source vrf. I have tested this config with ISR4321 and it works.

But with C1117-4PM seems that it doesn't try to connect to backup transport.

Here is output of  show pnp profile:

PnP Profiles: Active:1, Created:1, Deleted:0, Hidden:0

Name            CBType Node     Primary-Path           Primary-Trans  Backup-Trans

pnp-zero-touch  DNS    visible  pnp/WORK-REQUEST       HTTPS          HTTPS

Initiator Profile pnp-zero-touch: 1 open connections: 0 closing connections

        Encap: pnp

        WSSE header is not required. Configured authorization level is 1

        SID:[-], LastSID:[-], ChangedCount:0, SIDAuthOnly:No, MustValidate:No, MustRenew:No

        Work-Request Tracking: Validation Yes, Total 17, SID=[-], Violation 0, PSR 0, PSB 0

                Pending-WR: X/M/R=6/0/6, UDI=[PID:C1117-4PM,VID:V01,SN:FGL212991CZ], SID=[-], Correlator=[CiscoPnP-1.0-14-229-7F800A5060-12]

                Last-WR: X/M/R=2/1/0, UDI=[PID:C1117-4PM,VID:V01,SN:FGL212991CZ], SID=[-], Correlator=[CiscoPnP-1.0-13-229-7F7E7D5DB8-11]

        PnP Request Tracking: Current:[config-upgrade], Last:[cli-config], First:[device-info]

                Total:10, OK:9, Failed:1, LastFailed:[config-upgrade]

        PnP Response Tracking: Retry-Allowed 0, Total 0

                Last-PR: X/M/R=0/0/0, UDI=[PID:C1117-4PM,VID:V01,SN:FGL212991CZ], SID=[-], Correlator=[CiscoPnP-1.0-13-229-7F7E7D5DB8-11]

        PnP Backoff Time Tracking: Default 60, Current 60, Last 60, First:60, OK:2, Failed:0

        Countdown: Security Unlock: S=3/F=0/T=3068, Service Lock: S=2/F=0/T=0, Service Req Wait: S=0/F=0/T=18, Prxoy Req Wait S=120/F=0/T=0, Service Resp Ack: S=25/F=0/T=0

        Max message (RX) is 50 Kbytes

        XEP Faults are sent

        Idle timeout infinite

        Keepalive not configured

        Primary Transport:https to, IP:?.?.?.?, Port:443, Src-Intf:-, VRF:-, URL pnp/WORK-REQUEST

        Backup Transport:https to Host:, IP:IPv4, Port:443, Src-Intf:-, VRF:ad-1003, URL pnp/WORK-REQUEST

          backup excluded time 0 seconds, backup hold time infinite

  Connected to the primary transport via https

  Remote connection via HTTP client.  URL, post

  Established at 13:44:02.917 CET Wed Feb 7 2018

         Tx 32301 bytes (43 msg), Tx 24 errors,

         Last message sent at 13:55:00.998 CET Wed Feb 7 2018

         Rx 6403 bytes (19 msg), 0 empty msg

         Last message received at 13:46:50.742 CET Wed Feb 7 2018

As you can see it is is connected to primary and do not try to connect with backup transport.

Maybe someone has an idea how to fix it ?

IOS version  Version 16.6.2

APIC-EM Version


Found a workaround not sure is it ok.

Just added another pnp profile to config:

pnp profile pnp-zero-touch_2

transport https host port 443 vrf VRF_NAME

After 60 sec router is trying to complete provisioning process through different profile.

