05-14-2020 09:01 AM
Hello everybody.
I am using DNA Center version 1.3.1.5 and a Cisco WLC 3504 running firmware version 8.10.112.0. This WLC exists in Provision - Inventory in DNA Center. But on the Assurance page, there is no wireless client detected. Also, on the Assurance page, the WLC is shown as "No data/unmonitored". Can anyone tell me how to fix this? Thank you.
Best regards,
Lazuardi Nurfaiz
05-14-2020 10:15 AM
Hello,
Do you have DNA license on the WLC? If not, you need it, as it's a requirement for DNA support.
Secondly, what does the Sync status show for the WLC under the Provision tab?
05-14-2020 10:57 AM
Hi there.
I have a DNA license on the WLC. Assurance was already running for the WLC before I upgraded the firmware on DNA Center.
The sync status is Managed.
05-14-2020 10:24 AM
Hello @lazuardinurfaiz15
Could you verify NTP? DNAC should discover the access points through the wireless controller. Re-check the SNMP and CLI credentials, and also streaming telemetry on the WLC. After this you should find all the APs joined to the WLC through CAPWAP appearing in DNA, including clients.
Steps to enable streaming telemetry on the WLC:
Log in to WLC -> Management -> Cloud Services -> Network Assurance -> Enable Services -> Save Config
05-14-2020 11:01 AM
Hello @Mohamed Alhenawy
All the APs are also already discovered and exist in DNAC Inventory.
"Login to WLC---> management ---> cloud services --->network assurance --->enable services --->save config"
I just configured those on the WLC. Still no improvement on the Assurance page.
05-14-2020 11:15 AM
Hello @Mohamed Alhenawy
I get this error on WLC - Network Assurance - Server:
Fri May 15 01:10:56 2020 Peer certificate cannot be authenticated with given CA certificates, SSL certificate problem: self signed certificate in certificate chain
05-14-2020 11:52 AM - edited 05-14-2020 11:52 AM
Hi @lazuardinurfaiz15
Could you give the output of
debug transfer all enable
and
debug pm PKI enable
05-14-2020 01:07 PM
Here is the output from the debug you asked.
debug transfer all enable
(Cisco Controller) >*emWeb: May 15 02:56:33.424: [SA]
Debugging session started on May 15 02:56:33.424 for WLC AIR-CT3504-K9 Version :8.10.112.0 SN :FCW2332M0BE Hostname IDJKTDCWLC01
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >debug pm PKI enable
Incorrect input! Use 'debug pm [<keyword>] [enable/disable]'
(Cisco Controller) >debug pm ?
all Used to disable all debug in policy manager module
init Configures debug of policy manager initialization events
rules Configures debug of layer 3 policy events
pki Configures debug of PKI-related events
(Cisco Controller) >debug pm pki enable
(Cisco Controller) >*sshpmLscTask: May 15 02:57:53.734: [SA] sshpmLscTask: LSC Task received a message 4
*sshpmLscTask: May 15 02:59:52.751: [SA] sshpmLscTask: LSC Task received a message 4
(Cisco Controller) >
(Cisco Controller) >*sshpmLscTask: May 15 03:01:51.766: [SA] sshpmLscTask: LSC Task received a message 4
*SNMPTask: May 15 03:02:34.817: [SA] sshpmGetIdCertIndex: called to lookup cert ><
*SNMPTask: May 15 03:02:34.817: [SA] sshpmGetIdCertIndex: called to lookup cert ><
*SNMPTask: May 15 03:02:34.817: [SA] sshpmGetIdCertIndex: called to lookup cert >bsnOldDefaultIdCert<
*SNMPTask: May 15 03:02:34.817: [SA] sshpmGetIdCertIndex: found match in row 0
*SNMPTask: May 15 03:02:34.817: [SA] sshpmGetIdCertIndex: called to lookup cert >bsnOldDefaultIdCert<
*SNMPTask: May 15 03:02:34.817: [SA] sshpmGetIdCertIndex: found match in row 0
*SNMPTask: May 15 03:02:34.817: [SA] sshpmGetIdCertIndex: called to lookup cert >bsnDefaultIdCert<
*SNMPTask: May 15 03:02:34.817: [SA] sshpmGetIdCertIndex: found match in row 1
*SNMPTask: May 15 03:02:34.817: [SA] sshpmGetIdCertIndex: called to lookup cert >bsnDefaultIdCert<
*SNMPTask: May 15 03:02:34.817: [SA] sshpmGetIdCertIndex: found match in row 1
*SNMPTask: May 15 03:02:34.817: [SA] sshpmGetIdCertIndex: called to lookup cert >cscoDefaultIdCert<
*SNMPTask: May 15 03:02:34.817: [SA] sshpmGetIdCertIndex: found match in row 2
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: called to lookup cert >cscoDefaultIdCert<
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: found match in row 2
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: called to lookup cert >cscoSha2IdCert<
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: found match in row 3
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: called to lookup cert >cscoSha2IdCert<
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: found match in row 3
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: called to lookup cert >bsnSslWebadminCert<
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: found match in row 4
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: called to lookup cert >bsnSslWebadminCert<
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: found match in row 4
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: called to lookup cert >bsnSslWebauthCert<
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: found match in row 5
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: called to lookup cert ><
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: called to lookup cert >bsnSslWebauthCert<
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: found match in row 5
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: called to lookup cert ><
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: called to lookup cert >bsnOldDefaultIdCert<
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: found match in row 0
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: called to lookup cert >bsnOldDefaultIdCert<
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: found match in row 0
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: called to lookup cert >bsnDefaultIdCert<
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: found match in row 1
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: called to lookup cert >bsnDefaultIdCert<
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: found match in row 1
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: called to lookup cert >cscoDefaultIdCert<
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: found match in row 2
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: called to lookup cert >cscoDefaultIdCert<
*SNMPTask: May 15 03:02:34.818: [SA] sshpmGetIdCertIndex: found match in row 2
*emWeb: May 15 03:02:44.695: [SA] sshpmGetCID: called to evaluate <cscoSha2IdCert>
*emWeb: May 15 03:02:45.448: [SA] sshpmGetIdCertIndex: called to lookup cert >bsnSslWebadminCert<
*emWeb: May 15 03:02:45.448: [SA] sshpmGetIdCertIndex: found match in row 4
*emWeb: May 15 03:02:45.448: [SA] sshpmGetIdCertIndex: called to lookup cert >bsnSslWebauthCert<
*emWeb: May 15 03:02:45.448: [SA] sshpmGetIdCertIndex: found match in row 5
(Cisco Controller) >
(Cisco Controller) >*sshpmLscTask: May 15 03:03:50.783: [SA] sshpmLscTask: LSC Task received a message 4
05-14-2020 12:28 PM
Are you using CA signed cert on the DNA and using self-signed on the WLC or are both devices using self-signed?
The error you have is similar to an IOS-XE controller such as 9800. It's either a certificate trust issue or the devices are checking if there is a revocation on the certificate.
I don't have a 3504 WLC, so I don't know what commands to tell you, but this is what I did to fix the same issue with a 9800, which is an IOS-XE controller. Under the PKI trustpoint for the WLC certificate and the trustpoint profile sent by the DNAC, which I think is sdn-network-infra-iwan, I added revocation-check none.
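As an added illustration (not part of any post in this thread, and not WLC or DNA Center commands): the "self signed certificate in certificate chain" text in the error quoted above is OpenSSL verification error 19, raised when the peer's chain ends in a self-signed root that the verifying side does not hold as a trust anchor. The script reproduces that with the openssl CLI on a constructed lab PKI (all names and files are made up) and shows the neighbouring outcomes: error 20 when no root is available at all, and 0 once the root is trusted.

```bash
# Constructed lab PKI; all names and files here are made up for illustration.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_pki() {
  # Self-signed root, standing in for the CA that issued the server's certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Lab Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Server (leaf) key and CSR, then a leaf certificate signed by that root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null
}

verify_code() {
  # Echo OpenSSL's verification error number; 0 means the chain is trusted.
  # -no-CAfile/-no-CApath keep the system trust store out of the result.
  if vc_out=$(openssl verify -no-CAfile -no-CApath "$@" 2>&1); then
    echo 0
  else
    printf '%s\n' "$vc_out" | sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n 1
  fi
}

make_pki
# Peer sends leaf + root, verifier does not trust the root: the thread's error.
echo "chain sent, root not trusted : $(verify_code -untrusted "$WORK/root.pem" "$WORK/leaf.pem")"
# Peer sends only the leaf and the verifier has no root at all.
echo "leaf only, no root anywhere  : $(verify_code "$WORK/leaf.pem")"
# Root installed as a trust anchor on the verifying side.
echo "root in verifier trust store : $(verify_code -CAfile "$WORK/root.pem" "$WORK/leaf.pem")"
```

The third case is the state a client needs to be in for the handshake to succeed: the issuing root present in its own trust store, rather than merely sent by the server.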
05-14-2020 01:09 PM
Hi @grabonlee
I think I use self-signed certificates on DNA and WLC.
"which I think is sdn-network-infra-iwan, I added revocation-check none."
How can I add revocation-check none?
05-14-2020 01:44 PM
The commands for an AireOS controller are different from an IOS-XE controller, so I can't help you on that. I merely pointed out what may be your issue, as it's the same as I had with an IOS-XE controller. You can do a show telemetry on your WLC to see the status of the connection between the WLC and DNAC.
I would suggest you open a TAC case, as TAC would know the commands for you to apply.
05-14-2020 02:54 PM
The certificate should get pushed during discovery, but there may be some bugs that cause it to fail. TAC will tell you:
1) Make sure you have all the right firewall ports open if there is a firewall in the path between DNA-C and WLC (ports are in DNAC docs).
2) Try delete/rediscovery of the WLC (you may not want to do this if you have already dedicated a lot of time to placing APs on your floor maps. Deleting the WLC will delete the APs as well and their placement on the map.)
3) Use APIs to reprovision the telemetry profile:
   1. Use Apitester (https://(DNAC IP)/dna/apitester).
   2. Select network-design.
   3. Then extend "POST /wireless-telemetry/provision/wlc/{deviceIp}".
   4. Fill in the WLC IP address and click "Try now".
05-14-2020 08:55 PM
Thank you! I tried your suggestion in step 3 and now the Assurance page is showing the wireless device and also the wireless client.
06-16-2020 07:23 PM
Hello, I have the same problem, but when I run the Apitester, the result is a code 202.
I think the problem is with the certificates.
10-14-2020 09:16 AM - edited 10-14-2020 09:27 AM
I did have the same problem... now it's solved.
Some tips for a workaround:
- Make sure the WLC has been discovered by DNAC with NETCONF enabled.
- If the WLC shows no data/unmonitored in DNAC Assurance, you might need to delete the WLC device from inventory and re-discover the WLC, but before that...
- Log on to the WLC and select Configuration -> Services -> Cloud Services.
- Under Network Assurance configuration, enable service status and put the DNAC IP address in the URL.
Go back to DNAC and re-discover the WLC.
For me, it worked and now I can monitor the WLC under Assurance.
DNAC ver 1.3.0.147
WLC C9800 ver 6.12.03
SI Engineer