
PnP: System health check error?


Hi all,

I've recently started to test the PnP application with some switches.

Option 43 is configured and my switches get listed in the unplanned device section.

However, when I am trying to provision them with some uploaded configuration, the status gets to the 'Device_conf' state but ends up in an 'Error', as in the picture below.


The strange thing is, the configuration file gets fully uploaded on the devices but once the error appears, no further actions are possible (usage of the device in a project,...etc).

Can anyone please explain to me the meaning of this error?

Thanks in advance!



Cisco Employee

Hi Belma,

Could you verify if device has connectivity to APIC-EM after the config push?

Yes, the controller is pingable from the switch... any ideas about it?

Cisco Employee

Not wanting to jump to conclusions here, but does your config have "aaa authorisation" commands in it?

It looks like the pnp server did not receive any response from the device/agent, and the pnp device has been in the same state, in this case PROVISIONING_CONFIG, for more than 16 minutes. If no response is received for a request from the agent, the pnp service moves the device to the error state after 16 minutes. Could you please check whether the device is able to ping the IP address of the cluster on which the pnp-service is running?



The controller is pingable after pushing the configuration... I read sth about the VLAN 1 and how it is used by default for the pnp communication, but in my config file it is used for sth else, could that be the possible reason? But I don't get why it needs it at all if there is communication established on an IP layer?

Thanks for your help in advance!


If you are using non-vlan 1, you should use the pnp startup-vlan command on the upstream device.


Thank you for your inputs.

VLAN 1 is issued in our configuration for some other process and the manuals say it’s the default one for communication in the PnP process.

But could you maybe explain the usage of the VLAN for the communication between the controller and the device? 

Will it use any other available VLAN if VLAN 1 is not available?

Why is communication on a VLAN level necessary if there is an IP layer communication?


When you have a device (switch) and it boots up, the only VLAN that is defined is VLAN1.

DHCP runs and assigns an IP address to the interface VLAN1.  (interface vlan 1 is an SVI, if you are familiar with that term).

This IP address will be used to communicate to the APIC-EM as VLAN1  is the only interface that will have an IP address and is the management IP address.

If you wish to use a different VLAN for management, then you need to tell the switch to boot up and run DHCP on a vlan interface other than vlan 1.

You use the "pnp startup-vlan xx" command on the upstream device. When the pnp switch boots up, it will use CDP to discover the upstream neighbour and be told to use vlan "xx" for management ("xx" is the vlan number, e.g. 22). The switch will first create the SVI "interface VLAN xx", and use DHCP to get an IP address. It will then use that IP address for communication. All active ports on the switch will also be in vlan "xx".

I hope that helps.


It definitely puts some light on the issue...

Is there a way/command to get some debug messages, logs,... to see if it really is due to the vlan setup?

Yes, there are some aaa authorisation commands. Can you explain to me why this could cause the issue?

Yes. There is an issue with "aaa command authorisation" commands. A long story as to why, but they cause a problem today.

aaa authentication is ok.

We are going to resolve the "aaa command authorisation", but it is a problem now.

Do you have that in your configuration?

Yes, I have aaa authorization commands... Is there a way to walk around the problem?

Not today. People are using PI to push that bit of the config post deployment.

We are working to address this.

Specifically it is the "command authorisation" that causes the issue.

The config actually works, it is just PnP application thinks it has failed.
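An added example, not part of the thread and not Cisco code: one way to prepare the workaround described above, splitting a configuration into the part pushed by PnP and the command-authorisation part pushed after deployment. It assumes "command authorisation" means IOS lines of the form `aaa authorization commands ...`, `aaa authorization config-commands` and the per-line `authorization commands ...`; the function name and the sample configuration are constructed for illustration.

```python
import re

# Assumption: these are the "command authorisation" lines meant in the thread.
DEFER = re.compile(
    r"^(aaa authorization (commands|config-commands)\b|authorization commands\b)"
)

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
hostname constructed-sw1
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
!
line vty 0 4
 authorization commands 15 default
 transport input ssh
"""

def split_config(text):
    """Return (pnp_lines, deferred_lines) for an IOS-style configuration."""
    pnp, deferred = [], []
    parent = None            # last top-level (unindented) line seen
    parent_deferred = False  # parent already copied into the deferred part
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        indented = line[0] == " "
        if not indented:
            parent, parent_deferred = line, False
        if DEFER.match(line.strip()):
            # A sub-mode line (e.g. under "line vty") needs its parent line
            # repeated so the deferred snippet applies in the right context.
            if indented and parent and not parent_deferred:
                deferred.append(parent)
                parent_deferred = True
            deferred.append(line)
        else:
            pnp.append(line)
    return pnp, deferred

if __name__ == "__main__":
    pnp_part, deferred_part = split_config(SAMPLE)
    print("\n".join(pnp_part), "\n--- deferred ---\n" + "\n".join(deferred_part))
```

Until the deferred part is applied the device runs without command authorisation, so the second push should follow provisioning directly.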

Cisco Employee

The simplest way is to see if you can ping the controller when the device has an issue.

Apart from that there are the following debugs:

pnp-switch: debug pnp all

upstream switch: show cdp tlv app

If pnp-startup vlan is doing the right thing, you should see the following:

- interface vlan xx created

- and active ports will have the following configuration

interface GigabitEthernet1/0/48
 switchport access vlan XX
 macro description CISCO_SMI_EVENT
