Hello,

To ensure DNAC uses the enterprise IP as the source for operations like SWIM, please make sure static routes are defined under the Enterprise interface. You can verify this by switching to the config wizard mode. To do so, use the following command:

sudo maglev-config update

Ensure the static routes are added under the enterprise port of DNAC, save the configuration, and retry SWIM.

Note: Please make these changes during a maintenance window  as there may be some service restarts on the DNAC end. However, the services will automatically come back up

---

@vartjais wrote:

I have a customer who sees the source as Management IP while performing the swim operation, however we expect DNAC to use it's enterprise IP for the SWIM operation, how can we mitigate this ?

---

Hello,

Yes, as long as the device (9300) is managed with CLI and SNMP credentials in Inventory, you can upgrade it without needing NETCONF and address any issues with NETCONF afterward.

However, please note that it is not possible to upgrade the 9800 without NETCONF, as the device will not be managed in the Inventory without NETCONF.

@tanmahes wrote:

Hi Team, My device is 9300 I hit netconf error under manageability in Inventory, can I disable netconf and get the device in managed state post which proceed with upgrade ?

---

Hi Sylvain, 

Catalyst Center won't do a conversion for you, but Both BUNDLE mode and INSTALL mode are supported for switches/routers running in either mode for day-N upgrades. 

Note: For PnP (day-0) upgrades, only Install mode is supported, reference guide : https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-3-5/release_notes/b_cisco_dna_center_rn_2_3_5.html

---

@vesingar wrote:

Does Catalyst Center save my running configuration before the upgrade? After the upgrade, will my switch boot up with the startup configuration or the previous running configuration?

---

Hello,

Yes, DNAC saves the configuration before the upgrade, ensuring there is no config loss post-upgrade. However, we recommend checking the compliance section of the device in Inventory to ensure the startup and running configurations are in sync. To see the commands DNAC pushes to the device, you can use the following EEM script:

event manager applet catchall
event cli pattern ".*" sync no skip no
action 1 syslog msg "$_cli_msg"

Hello,

You can check the readiness report from the image update page. click on the update readiness report option and you will see all the checks status.

Hi Alex,

Here are a few things to check:

1. Ensure that ports 22, 80, and 443 are open bidirectionally between the device and DNAC.
2. Manually copy the image to the device to see if it succeeds. If it fails with an I/O error, you may have a certificate issue that needs to be  addressed. You can test if HTTPs file transfer is working from Catalyst Center (DNAC) to any Catalyst device by executing the following command on the switch (this is what DNAC does when running the SWIM readiness check)
   

   copy https://<dnac_ip>/core/img/cisco-bridge.png null: ​

    

3. Verify that the device has the DNAC-CA certificate. You can check this by running the command:
   

   show run | sec crypto pki trustpoint DNAC-CA ​

   
   

   If the certificate is not present, you can perform a force telemetry push from DNAC to push the certificate to the device. Navigate to Actions -> Telemetry -> Update Telemetry Settings, select 'Force Configuration Push,' and then update.

Thanks, mate. It looks like it was a certificate issue, which has now been resolved and pushed to the device. However, I still see that SCP is not reachable. I have checked that the ports are allowed, and after running some debugs on the device, I encountered the following error:

%SSH-3-BAD_PACK_LEN: Bad packet length 65564

Hi Alex,

To mitigate this issue, ensure that SSH version 2 is configured on the device. If the problem persists despite having SSH version 2 enabled, please open a TAC case for further investigation.