10-08-2021 04:28 PM
We have to use a proxy in my environment to reach the internet, but it doesn't appear to be working. I would like to do a tcpdump to verify that DNA is using the proxy but not sure if I'm implementing it correctly.
I would think that I would just ssh to the VIP of the GUI interface and do the tcpdump on its gui interface (eno1)? We have the proxy setting in DNA configured to use port 8080.
From Windows command prompt
ssh -l maglev -p2222 X.X.X.X sudo tcpdump -n -i eno1 port 8080 -w /data/tmp/proxy_cap.pcap
How would I force traffic to go out to *.ciscoconnectdna.com:443 so that it could be captured?
How dependent is a proxy going to be on DNS? The reason I ask is because the DNS entry doesn't match what is configured on DNA.
Lastly is there only one DNS hostname that is configured for an entire DNA cluster (and does that only represent the VIP)? As in each DNA center node does not get its own DNS hostname?
10-08-2021 04:50 PM
You can issue a command to check whether the proxy is configured first:
$maglev catalog settings display
You can also use curl to test the proxy
$curl --proxy http://proxy:80 -s https://google.com
On the other side, you capture with tcpdump as below
sudo tcpdump -ttttnnr /data/tmp/my_capture.pcap
Hope this helps
10-08-2021 06:04 PM - edited 10-13-2021 12:16 PM
Output from
maglev catalog settings display
SETTING                          VALUE
----------------------------------------------------------------------------
defaultRepository
exposedRegistry
httpsProxy                       http://:
offlineMode
parentCatalogServer              https://www.ciscoconnectdna.com:443
parentCatalogServerRepository    dnac222
[Sat Oct 09 00:50:54 UTC] maglev@XXX.XXX.XXX.XXX (maglev-master-172-16-0-4) ~
$
Shouldn't the IP of the proxy be showing up on the above output?
Here's a screen shot of the proxy config.
When I try the tcpdump with that formatting, I get the following output;
$ sudo tcpdump -ttttnnr /data/tmp/my_capture.pcap
[sudo] password for maglev:
tcpdump: /data/tmp/my_capture.pcap: No such file or directory
[Sat Oct 09 00:51:54 UTC] maglev@205.109.54.230 (maglev-master-172-16-0-4) ~
$
10-09-2021 01:18 AM
Somehow the proxy settings are not saved, which needs to be fixed. (Not sure what version of DNAC is here, but most will work.)
Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure.
tcpdump: /data/tmp/my_capture.pcap: No such file or directory
This is an example folder; check if the /data/tmp folder exists before running tcpdump:
$ls /tmp/data (if it does not exist, create one with $sudo mkdir /tmp/data), or you can use the path /tmp/mycapture.pcap.
Until you see the proxy config take effect and show up, there is no point running tcpdump.
10-13-2021 12:24 PM - edited 10-13-2021 12:26 PM
Balaji, Current version: 1.3.0.159
I have already gone through steps 1 - 6 of Configure the Proxy in https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/1-3/admin_guide/b_cisco_dna_center_admin_guide_1_3/b_dnac_admin_guide_1_2_10_chapter_010.html?bookSearch=true#task_xj4_bqh_ldb
Even tried deleting it and re-adding the proxy back in but am still getting the same output from maglev catalog settings display.
When I try adding the proxy from sudo maglev-config update I get the following error at the end of the configuration process, but the proxy information remains in the gui and sudo maglev-config update proxy sections.
10-13-2021 12:50 PM
What proxy server do you have?
Try the thread below, configure from the CLI, and test:
10-13-2021 02:16 PM
I don't manage the Proxy so I don't know what kind of box it's running on.
With the link you provided, are you referring to using http:// instead of https:// ? If so, I am already doing that.
10-13-2021 02:18 PM
Try manually from the CLI using maglev and check as suggested. I used 1.3 proxy config save and it works as expected.
10-13-2021 04:30 PM
Accidentally clicked that as a solution (mouse wheel scrolled up right as I was clicking reply)
As expected that did not work.
I removed all the proxy information and am able to proceed all the way through maglev-config update with no issues.
Putting the proxy information back in from maglev-config update as pictured below.
Then proceeding to the end of maglev-config update, I get the following error message.
Again the above accepted solution did not resolve the issue and I still cannot get DNA to go to the proxy information that is input.
10-14-2021 04:17 AM
I have not come across this issue. Looks like some issue around config.
You have 2 options here since you tried all options.
1. Open a TAC case; they can help you resolve it soon.
2. You may want to try manually editing the proxy config as mentioned below:
https://nefkens.net/updating-dna-center-experiences/
10-14-2021 05:29 PM
Luckily your second option did end up working for me as I do not have access to information to open a TAC case as of right now.
Initially, I tried just following the steps in the proxy configuration section. And at first this appeared to have worked as my proxy information did appear after I issued the "maglev catalog settings display" command. But after the reboot I still had problems connecting to the update services.
Proxy configuration
Now, if you run into the situation that your DNAC server is behind a proxy, you can configure a proxy server within maglev. I didn’t find an option to specify a username and password, so if corporate IT requires authentication, you need to talk with them and ask for exceptions of the URLs that I provided earlier.
1.) Again, login to the DNAC console via SSH on port 2222
2.) Issue the following command
magctl service setenv catalogserver MAGLEV_HTTPS_PROXY http://<yourproxy>:<yourproxyport>
3.) I’ve heard different responses on whether to reboot or not after this change, but better be safe than sorry and issue a reboot command
sudo reboot
Next I performed the command as described in the DNAC system update & proxy section and this seems to have resolved my issues with connecting to the system updates.
DNAC system update & proxy
Did you remember the four layers I described earlier in this post? Well, a DNAC system update is actually also a package, but you cannot delete it with maglev command. Also, as this is a different layer in the schematic approach, it does NOT use the maglev proxy settings. It is actually a docker process that does this communication, and that requires a different configuration file. At the install I was working on, the proxy configuration for docker was missing. It could be that this file is only created when you specify a proxy during first time setup. Or it was something else. The key thing is that the proxy config is stored in two places, within maglev and within a docker config file.
So again a caution, you are changing a system level file and you MUST know what you’re doing. Make sure you keep track of your changes and know how to connect (CIMC) and recover if things go bad.
1.) Login to the ssh console of DNAC on port 2222 user maglev
2.) Issue the command sudo su - and provide the maglev admin password
3.) Go to the directory /etc/systemd/docker.service.d/
4.) Create the following file “http-proxy.conf“
5.) And make sure the following content is in the file
[Service]
Environment=NO_PROXY=.svc.cluster.local,localhost,127.0.0.1,localhost,127.0.0.1
Environment=no_proxy=.svc.cluster.local,localhost,127.0.0.1,localhost,127.0.0.1
Environment=HTTP_PROXY=http://<yourproxyip>:8080
Environment=HTTPS_PROXY=http://<yourproxyip>:8080
Environment=http_proxy=http://<yourproxyip>:8080
Environment=https_proxy=http://<yourproxyip>:8080
6.) And reboot the DNAC appliance via the command reboot. It is possible to just restart systemd and docker, but I had the feeling that DNAC didn’t like that too much.
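One way to check that the two proxy locations described in the post above agree, as an added example that is not part of the thread or of Cisco's tooling. It assumes the httpsProxy row of "maglev catalog settings display" and the HTTPS_PROXY line of the docker drop-in have the shapes shown on this page; the function names and the sample values (192.0.2.10) are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): compare the proxy recorded in the two
# places the post describes. All sample text below is constructed.

# httpsProxy value from `maglev catalog settings display` output on stdin.
catalog_proxy() {
    awk '$1 == "httpsProxy" { print $2 }'
}

# HTTPS_PROXY value from a docker systemd drop-in (http-proxy.conf) on stdin.
# Accepts Environment=HTTPS_PROXY=... with or without surrounding quotes.
dropin_proxy() {
    sed -n 's/^Environment="\{0,1\}HTTPS_PROXY=\([^"]*\)"\{0,1\}$/\1/p' | tail -n 1
}

# True only for http(s)://host:port; the bare "http://:" seen earlier fails.
valid_proxy() {
    printf '%s\n' "$1" | grep -Eq '^https?://[A-Za-z0-9._-]+:[0-9]+/?$'
}

# Prints one verdict: catalog-unset, dropin-unset, mismatch or consistent.
compare_proxy() {
    cat_val=$(printf '%s\n' "$1" | catalog_proxy)
    drop_val=$(printf '%s\n' "$2" | dropin_proxy)
    if ! valid_proxy "$cat_val"; then
        echo "catalog-unset"
    elif ! valid_proxy "$drop_val"; then
        echo "dropin-unset"
    elif [ "${cat_val%/}" != "${drop_val%/}" ]; then
        echo "mismatch"
    else
        echo "consistent"
    fi
}

# Constructed samples; 192.0.2.10 is a documentation address.
CATALOG_EMPTY='SETTING VALUE
httpsProxy http://:
parentCatalogServer https://www.ciscoconnectdna.com:443'
CATALOG_SET='SETTING VALUE
httpsProxy http://192.0.2.10:8080
parentCatalogServer https://www.ciscoconnectdna.com:443'
DROPIN='[Service]
Environment=HTTP_PROXY=http://192.0.2.10:8080
Environment=HTTPS_PROXY=http://192.0.2.10:8080
Environment=https_proxy=http://192.0.2.10:8080'

compare_proxy "$CATALOG_EMPTY" "$DROPIN"   # catalog value is the empty http://:
compare_proxy "$CATALOG_SET" "$DROPIN"     # both places agree
```

On an appliance the two arguments would be the captured output of maglev catalog settings display and the contents of http-proxy.conf.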
10-19-2021 11:02 AM
Please note that modifying files such as this directly from the CLI is not supported and during subsequent upgrades/reboots it may cause issues, and/or not persist during a reboot. If there is an issue here it would be best to get a TAC case open so TAC can triage and find or file a bug if needed.
10-19-2021 12:51 PM
Yes, this does appear to have caused an issue after upgrading. When logging into the GUI through a web browser I am logged back out within 30 seconds to a minute. I've opened a TAC case and am hopeful that this will be resolved.