01-04-2023 07:36 AM
Hi. I am pretty new to DNA Center so I am not always sure where to look when things don't work, so looking for a bit of advice. We have started to update switches through DNA SWIM. So far, the 9300s have had no problems but we have tried numerous times to update a 2960x-48FPS-L and keep getting the same error. It fails on the Image Distribution phase, sometimes after minutes, sometimes after an hour or more, with the message:
01-04-2023 07:44 AM - edited 01-04-2023 07:46 AM
Hi,
Best you could do is raise a TAC case for these types of issues.
Could be that the DNAC certificate is not installed on the 2960X.
Could you do:
show ip http client all
show run | sec crypto
Also, is the device added to a site in inventory?
Regards.
01-04-2023 08:13 AM - edited 01-04-2023 08:15 AM
Hi,
Thanks for the suggestions. Yes, the device is assigned to a site in the inventory. It also has the DNAC-CA trustpoint and certificate installed on it.
In the output of 'show ip http client all' I see a number of GET timestamps for the DNAC hostname in the HTTP client history section.
The rest of the output looks like this:
show ip http client all
HTTP client status: Enabled
HTTP client application session modules:
Id : 1
Application Name : HTTP CFS
Version : HTTP/1.0
Persistent : persistent
Response-timeout : 0
Retries : 0
Proxy :
Id : 2
Application Name : HTTP_CALL_HOME_AGEN
Version : HTTP/1.1
Persistent : persistent
Response-timeout : 30000
Retries : 1
Proxy :
HTTP client current connections:
Persistent connection = enabled (default)
Connection establishment timeout = 10s (default)
Connection idle timeout = 30s (default)
Maximum number of connection establishment retries = 1 (default)
Maximum http client connections per host : 2
HTTP secure client capability: Present
HTTP secure client ciphersuite: aes-128-cbc-sha aes-256-cbc-sha
dhe-aes-128-cbc-sha edche-rsa-aes-256-cbc-sha
HTTP secure client TLS version: TLSv1.2 TLSv1.1
HTTP secure client trustpoint:
local-ipaddress:port remote-ipaddress:port in-bytes out-bytes
Total client connections : 0
HTTP client cache:
Maximum Memory size for cache : 100000 bytes (default)
Maximum memory per cache entry : 2000 bytes (default)
Memory used : 0 bytes
Memory Available : 100000 bytes
Cache Ager interval : 5 minutes (default)
Total entries created : 0
Edit: Will probably follow your advice and raise a TAC case.
Thanks
01-04-2023 08:36 AM
Thanks,
Try manually replacing the currently installed DNAC cert and see if that works.
Download the DNAC certificate from a browser: http://<dnac-ip>/ca/pem. The certificate is saved to a file.
Copy the certificate chain: open the downloaded file in Notepad/vim and copy the content.
Check for and remove any old certificate:
! Get the trustpoint name
show run | sec crypto
configure terminal
! Delete the existing trustpoint
no crypto pki trustpoint DNAC-CA
! Install the new certificate
crypto pki trustpoint DNAC-CA
 enrollment mode ra
 enrollment terminal
 usage ssl-client
 revocation-check none
 exit
crypto pki authenticate DNAC-CA
! Paste the certificate content copied from Notepad/vim
! Enter yes when prompted.
Anyways, go with TAC. They will be able to check SWIM log files and others to see what's going on.
Regards.
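Added example, not part of the original posts: the steps above fetch the CA certificate over plain HTTP and disable revocation checking, so the fingerprint printed at the `crypto pki authenticate` yes/no prompt is the one point where the pasted certificate can be checked against the downloaded file. The function names and the sample data are hypothetical, and the grouped-hex display format is an assumption about the switch output (the comparison ignores spacing and case either way).

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def group_hex(hexdigest, width=8):
    """Format a digest as space-separated groups: 'AABBCCDD 11223344 ...'."""
    h = hexdigest.upper()
    return " ".join(h[i:i + width] for i in range(0, len(h), width))

def pem_fingerprints(pem_text):
    """Return one dict of md5/sha1/sha256 fingerprints per certificate block."""
    result = []
    for body in PEM_RE.findall(pem_text):
        # The fingerprint is the hash of the DER bytes, i.e. the decoded body.
        der = base64.b64decode("".join(body.split()), validate=True)
        result.append({alg: group_hex(hashlib.new(alg, der).hexdigest())
                       for alg in ("md5", "sha1", "sha256")})
    if not result:
        raise ValueError("no PEM certificate block found")
    return result

def normalize(fingerprint):
    """Strip separators and case so 'aa:bb' and 'AABB' compare equal."""
    return re.sub(r"[^0-9A-F]", "", fingerprint.upper())

def matches_prompt(pem_text, shown_fingerprint):
    """True if the hex value shown at the prompt belongs to a cert in the file.

    Pass only the hex digits from the prompt, not the label in front of them.
    """
    want = normalize(shown_fingerprint)
    return bool(want) and any(
        want == normalize(value)
        for fps in pem_fingerprints(pem_text) for value in fps.values())

# Constructed sample: placeholder bytes wrapped as PEM, NOT a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real DNAC CA certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # In practice, read the file saved from the browser instead of SAMPLE_PEM.
    for index, fps in enumerate(pem_fingerprints(SAMPLE_PEM)):
        print(index, "MD5:", fps["md5"], "| SHA1:", fps["sha1"])
```

Answer yes at the prompt only if `matches_prompt` returns True for the value the switch displays.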
01-04-2023 09:17 AM
It worked!
Thanks PabMar. Manually replacing the certificate and trustpoint did the trick. Successful distribution and activation of the 2960x.
Much appreciated,
Andy