NCSW10090 error Failed to distribute image to a 2960x switch

andy-uos
Level 1

Hi. I am pretty new to DNA Center so I am not always sure where to look when things don't work, so looking for a bit of advice. We have started to update switches through DNA SWIM. So far, the 9300s have had no problems but we have tried numerous times to update a 2960x-48FPS-L and keep getting the same error. It fails on the Image Distribution phase, sometimes after minutes, sometimes after an hour or more, with the message:

 
Task Status
Failure (NCSW10090: Failed to distribute image: <image name> on device: <switch ip>)
 
Sometimes it has got as far as 20%-30% before the failure. The readiness checks were all good. The model of switch and software version is on the compatibility matrix. Tested it connected to the same neighbour as a 9300 that updated with no problems.
 
I have been unable to find a reference to the error NCSW10090 and wondered if there is anywhere else I should be looking to troubleshoot why it is failing.
Accepted Solutions

PabMar
Cisco Employee

Thanks,

Give it a try and manually replace the currently installed DNAC cert to see if that works.

Download the DNAC certificate from a browser: http://<dnac-ip>/ca/pem. The certificate is saved to a file.

Copy the certificate chain: open the downloaded file in Notepad/vim and copy the content.

Check for and remove any old certificate:

show runn | sec crypto >> get the trustpoint name
no crypto pki trustpoint DNAC-CA >> delete the existing trustpoint
crypto pki trustpoint DNAC-CA >> install the new certificate
enrollment mode ra
enrollment terminal
usage ssl-client
revocation-check none
exit
crypto pki authenticate DNAC-CA
>> paste the certificate content copied from Notepad/vim
>> enter yes when prompted

Anyways, go with TAC. They will be able to check SWIM log files and others to see what's going on.

Regards.
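
Before answering yes at the crypto pki authenticate prompt, the fingerprint the switch prints can be compared with one computed on the workstation from the downloaded file, which matters here because the file is fetched over plain HTTP. The following is an added example, not part of the original post: it assumes the switch shows a SHA1 fingerprint as hex digits, and the sample bundle and the file name dnac-ca.pem are constructed placeholders.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _pem(der: bytes) -> str:
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

# Constructed sample: placeholder bytes, not real certificates. A fingerprint
# is a hash of the decoded bytes, so the logic is the same for the saved file.
SAMPLE_BUNDLE = (_pem(b"constructed placeholder #1 " * 8)
                 + _pem(b"constructed placeholder #2 " * 8))

def der_blocks(bundle: str) -> list[bytes]:
    """Decode every certificate block; reject empty or damaged pastes."""
    bodies = PEM_RE.findall(bundle)
    if not bodies:
        raise ValueError("no PEM certificate block found")
    # validate=True raises binascii.Error (a ValueError) on stray characters
    return [base64.b64decode("".join(b.split()), validate=True) for b in bodies]

def fingerprints(bundle: str) -> list[str]:
    """SHA-1 of each block's DER bytes, upper-case hex in groups of 8."""
    out = []
    for der in der_blocks(bundle):
        h = hashlib.sha1(der).hexdigest().upper()
        out.append(" ".join(h[i:i + 8] for i in range(0, 40, 8)))
    return out

def match_index(bundle: str, shown: str) -> int:
    """Index of the block whose fingerprint equals the hex value shown, else -1."""
    want = re.sub(r"[^0-9A-Fa-f]", "", shown).upper()
    for i, fp in enumerate(fingerprints(bundle)):
        if fp.replace(" ", "") == want:
            return i
    return -1

if __name__ == "__main__":
    # Usage (hypothetical names): python3 fpcheck.py dnac-ca.pem "<hex fingerprint>"
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for i, fp in enumerate(fingerprints(text)):
        print(f"block {i}: SHA1 {fp}")
    if len(sys.argv) > 2:
        hit = match_index(text, sys.argv[2])
        print(f"match: block {hit}" if hit >= 0 else "no match: do not accept")
```

Pass only the hex value from the prompt as the second argument, not the label in front of it, since separators and case are ignored but every hex digit is compared.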

4 Replies

PabMar
Cisco Employee

Hi,

The best you could do is raise a TAC case for these types of issues.

Could be that the DNAC certificate is not installed on the 2960X.

Could you do:

show ip http client all

show run | sec crypto

Also, is the device added to a site in inventory?

Regards.

andy-uos
Level 1

Hi,

Thanks for the suggestions. Yes, the device is assigned to a site in the inventory. It also has the DNAC-CA trustpoint and certificate installed on it.

In the output of 'show ip http client all' I see a number of GET timestamps for the DNAC hostname in the HTTP client history section.

The rest of the output looks like this:

show ip http client all

HTTP client status: Enabled
HTTP client application session modules:
Id : 1
Application Name : HTTP CFS
Version : HTTP/1.0
Persistent : persistent
Response-timeout : 0
Retries : 0
Proxy :

Id : 2
Application Name : HTTP_CALL_HOME_AGEN
Version : HTTP/1.1
Persistent : persistent
Response-timeout : 30000
Retries : 1
Proxy :

HTTP client current connections:
Persistent connection = enabled (default)
Connection establishment timeout = 10s (default)
Connection idle timeout = 30s (default)
Maximum number of connection establishment retries = 1 (default)
Maximum http client connections per host : 2
HTTP secure client capability: Present
HTTP secure client ciphersuite: aes-128-cbc-sha aes-256-cbc-sha
dhe-aes-128-cbc-sha edche-rsa-aes-256-cbc-sha
HTTP secure client TLS version: TLSv1.2 TLSv1.1
HTTP secure client trustpoint:

local-ipaddress:port remote-ipaddress:port in-bytes out-bytes

Total client connections : 0


HTTP client cache:
Maximum Memory size for cache : 100000 bytes (default)
Maximum memory per cache entry : 2000 bytes (default)
Memory used : 0 bytes
Memory Available : 100000 bytes
Cache Ager interval : 5 minutes (default)
Total entries created : 0

Edit: Will probably follow your advice and raise a TAC case.

Thanks

andy-uos
Level 1

It worked!

Thanks PabMar. Manually replacing the certificate and trustpoint did the trick. Successful distribution and activation of the 2960x.

Much appreciated,

Andy