03-27-2022 09:42 PM - edited 03-27-2022 09:44 PM
Hi Friends,
In my inventory list in DNAC, I have three switches with the error "Netconf connection failure" in the manageability column. I checked and did all the things that DNAC suggested, but I still have this error. In addition, I have the log below in the CLI:
66495: 066422: Mar 27 08:20:37.484: Switch 1 R0/0: ncsshd_bp: NETCONF/SSH: fatal: mm_answer_sign: Xkey_sign failed: error in libcrypto
DNA Software version is 2.2.3.4 and switch IOS-XE version is 17.3.3
I searched and found a bug related to this error.
The screenshots of the error.
Do you have any idea how to solve this problem?
Thank you in advance for your reply.
03-28-2022 06:59 AM
For the quickest resolution, I recommend opening up a TAC case to have them assist with performing the necessary debugs and troubleshooting to provide a root cause. This is a fairly common error that TAC is used to troubleshooting. This error is typically seen when the key to the trustpoint tied to the http/netconf process is incorrect or missing.
When troubleshooting netconf issues, I like to take a tcpdump on the DNAC CLI along with capturing the following logs from the switch:
debug netconf-yang level debug
debug netconf all
show logging profile netconf internal level debug to-file flash:netconf.txt
I recommend collecting the debugs above & tcpdump from DNAC CLI in order to attach them to the TAC case you open.
09-20-2023 06:17 PM
Hello, thank you very much, it did work for me, BUT IT SHOULD BE STRESSED THAT YOU DO HAVE TO ALLOW FOR THOSE 5 MINUTES BEFORE RESYNCING...
09-23-2022 03:54 AM
Hello, I had this issue, too.
My solution was:
Inventory --> Actions --> Telemetry --> Update Telemetry Settings --> Check Box "Force Configuration Push" --> Next
Wait five minutes and resync the switch.
01-02-2023 04:02 AM
Solution: Update Telemetry Settings, then check the box "Force Configuration Push", then resync.
03-27-2023 03:00 AM
I have exactly the same problem as the OP and the "Force Configuration Push" solution did NOT work for me. I still see:
%DMI-2-NETCONF_SSH_CRITICAL: Switch 1 R0/0: ncsshd_bp: NETCONF/SSH: [pid(30457)] fatal: mm_answer_sign: Xkey_sign failed: error in libcrypto
I guess it's another TAC case then
09-11-2023 04:11 AM
If you use ISE, don't forget: without default, SSH to port 830 does not work and you get a wrong password error. Try SSH to ip:830 and test it.
aaa authentication login default group ISE local
aaa authorization exec default group ISE local
10-31-2023 08:35 PM
I had this same issue on 3 switches today. AAA was correct for netconf and the "Force Configuration Push" from DNAC did not fix the issue (I didn't try opening a TAC case...). In my case the fix was as follows:
For one switch this was enough to fix it:
Like this:
conf t
no netconf-yang
crypto key generate rsa modulus 2048
netconf-yang
For the other 2 switches, when I re-enabled netconf it threw another error, like this:
yang-infra: ERROR: Primary trustpoint is not usable for NETCONF: sdn-network-infra-iwan
So I removed the sdn-network-infra-iwan trustpoint, which was put there by DNAC (DNAC can re-add it once netconf access is sorted):
no crypto pki trustpoint sdn-network-infra-iwan
Then did the above steps to disable/regenerate SSH key/re-enable netconf. These might not be the optimal steps but I only had these few switches to test on.
12-12-2023 04:36 AM
Thanks noziwatele, these steps worked for me.
06-18-2024 08:36 AM
This worked for me on the c9800 WLC. Thank you!
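The two log messages quoted in this thread point to different fixes, so it helps to separate them when several switches show the same status in DNAC. The following is an added example, not part of any post above: it triages IOS-XE syslog text for both messages. The sample log, the function names and the wording of the notes are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample syslog, modelled on the two messages quoted in the thread.
SAMPLE_LOG = """\
066422: Mar 27 08:20:37.484: Switch 1 R0/0: ncsshd_bp: NETCONF/SSH: fatal: mm_answer_sign: Xkey_sign failed: error in libcrypto
066423: Mar 27 08:20:39.101: %SYS-5-CONFIG_I: Configured from console by admin on vty0
066424: Mar 27 08:21:02.770: %DMI-2-NETCONF_SSH_CRITICAL: Switch 1 R0/0: ncsshd_bp: NETCONF/SSH: [pid(30457)] fatal: mm_answer_sign: Xkey_sign failed: error in libcrypto
066425: Mar 27 08:25:10.312: yang-infra: ERROR: Primary trustpoint is not usable for NETCONF: sdn-network-infra-iwan
"""

# The NETCONF SSH daemon could not sign with its host key (pid field is optional).
SIGN_FAIL = re.compile(
    r"ncsshd_bp: NETCONF/SSH: (?:\[pid\(\d+\)\] )?fatal: mm_answer_sign: Xkey_sign failed")
# netconf-yang refused the named trustpoint when it was re-enabled.
TRUSTPOINT = re.compile(r"Primary trustpoint is not usable for NETCONF: (?P<tp>\S+)")
# Stack member and slot that emitted the message, e.g. "Switch 1 R0/0:".
MEMBER = re.compile(r"Switch (?P<member>\d+) (?P<slot>R\d+/\d+):")


def triage(log_text):
    """Count signing failures per stack member and collect rejected trustpoints."""
    report = {"sign_failures": defaultdict(int), "bad_trustpoints": set(), "unmatched": 0}
    for line in log_text.splitlines():
        if SIGN_FAIL.search(line):
            m = MEMBER.search(line)
            key = f"Switch {m['member']} {m['slot']}" if m else "unknown"
            report["sign_failures"][key] += 1
        elif (tp := TRUSTPOINT.search(line)):
            report["bad_trustpoints"].add(tp["tp"])
        elif line.strip():
            report["unmatched"] += 1  # unrelated syslog line, ignored
    return report


def advice(report):
    """Map each finding to the cause named in the thread."""
    notes = []
    for member, count in sorted(report["sign_failures"].items()):
        notes.append(f"{member}: {count} signing failure(s); key used by NETCONF/SSH missing or incorrect")
    for tp in sorted(report["bad_trustpoints"]):
        notes.append(f"trustpoint {tp} not usable for NETCONF; inspect or remove it before re-enabling netconf-yang")
    return notes


if __name__ == "__main__":
    for note in advice(triage(SAMPLE_LOG)):
        print(note)
```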