Netconf Connection failure

JohnJudi
Level 1

Hi Friends,

In my inventory list in DNAC, I have three switches with the error "Netconf connection failure" in the manageability column. I checked and did all the things that DNAC suggested, but I still have this error. In addition, I have the below log in the CLI:

 

66495: 066422: Mar 27 08:20:37.484: Switch 1 R0/0: ncsshd_bp: NETCONF/SSH: fatal: mm_answer_sign: Xkey_sign failed: error in libcrypto

 

The DNA Center software version is 2.2.3.4 and the switch IOS-XE version is 17.3.3.

I searched and found a bug related to this error (screenshot: Bug search.jpeg).

The screenshots of the error: netconf.PNG, netconf2.PNG.

Do you have any idea to solve this problem?

 

Thank you in advance for your reply.

Accepted Solution

Dan Rowe
Cisco Employee

For the quickest resolution, I recommend opening up a TAC case to have them assist with performing the necessary debugs and troubleshooting to provide a root cause. This is a fairly common error that TAC is used to troubleshooting. This error is typically seen when the key to the trustpoint tied to the http/netconf process is incorrect or missing. 

 

When troubleshooting netconf issues, I like to take a tcpdump on the DNAC CLI along with capturing the following logs from the switch:

 

debug netconf-yang level debug
debug netconf all
show logging profile netconf internal level debug to-file flash:netconf.txt

 

I recommend collecting the debugs above & tcpdump from DNAC CLI in order to attach them to the TAC case you open.


Hello, thank you very much, it worked for me too, BUT IT MUST BE STRESSED THAT YOU DO HAVE TO ALLOW THOSE 5 MINUTES BEFORE RESYNCING AGAIN...

cth
Level 1

Hello, I had this issue, too.

My solution was:

Inventory --> Actions --> Telemetry --> Update Telemetry Settings --> Check Box "Force Configuration Push" --> Next

wait five minutes and resync the Switch.

 

jwannaman1
Level 1

Solution: Update Telemetry Settings, then check the box "Force Configuration Push", then resync.

andy-uos
Level 1

I have exactly the same problem as the OP and the "Force Configuration Push" solution did NOT work for me. I still see:
%DMI-2-NETCONF_SSH_CRITICAL: Switch 1 R0/0: ncsshd_bp: NETCONF/SSH: [pid(30457)] fatal: mm_answer_sign: Xkey_sign failed: error in libcrypto

I guess it's another TAC case then.

If you use ISE, don't forget: without "default", SSH to port 830 is not working and you get a wrong password error. Try SSH to ip:830 and test it:

aaa authentication login default group ISE local

aaa authorization exec default group ISE local

 

noziwatele
Level 1

I had this same issue on 3 switches today. AAA was correct for netconf and the "Force Configuration Push" from DNAC did not fix the issue (I didn't try opening a TAC case...). In my case the fix was as follows:

For one switch this was enough to fix it:

  1. Disable netconf
  2. Regenerate the SSH key
  3. Re-enable netconf

Like this:

conf t
no netconf-yang
crypto key generate rsa modulus 2048
netconf-yang

 

For the other 2 switches, when I re-enabled netconf it threw another error, like this:

yang-infra: ERROR: Primary trustpoint is not usable for NETCONF: sdn-network-infra-iwan

So I removed the sdn-network-infra-iwan trustpoint, which was put there by DNAC (DNAC can re-add it once netconf access is sorted):

no crypto pki trustpoint sdn-network-infra-iwan

Then did the above steps to disable/regenerate SSH key/re-enable netconf. These might not be the optimal steps but I only had these few switches to test on.
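As an added example (not from any poster in this thread), the following Python triage helper matches the two NETCONF/SSH syslog messages quoted above against constructed sample log lines and maps each to the recovery sequence noziwatele describes; the signature table and the constructed log text are assumptions of this example, not Cisco output formats beyond the lines quoted on this page.

```python
import re
from dataclasses import dataclass

# Constructed sample log text modelled on the messages quoted in this thread
# (not a real capture). The last line is noise that should not match.
SAMPLE_LOG = """\
66495: 066422: Mar 27 08:20:37.484: Switch 1 R0/0: ncsshd_bp: NETCONF/SSH: fatal: mm_answer_sign: Xkey_sign failed: error in libcrypto
%DMI-2-NETCONF_SSH_CRITICAL: Switch 1 R0/0: ncsshd_bp: NETCONF/SSH: [pid(30457)] fatal: mm_answer_sign: Xkey_sign failed: error in libcrypto
yang-infra: ERROR: Primary trustpoint is not usable for NETCONF: sdn-network-infra-iwan
%SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Hypothetical signature table: pattern, finding kind, fixed remediation steps.
# The trustpoint message carries the trustpoint name, so its steps are built
# from the captured group instead of being fixed here.
REGEN_STEPS = ["no netconf-yang", "crypto key generate rsa modulus 2048", "netconf-yang"]
SIGNATURES = [
    (re.compile(r"Xkey_sign failed: error in libcrypto"), "netconf_ssh_signing_failure", REGEN_STEPS),
    (re.compile(r"Primary trustpoint is not usable for NETCONF: (\S+)"), "netconf_trustpoint_unusable", None),
]

@dataclass
class Finding:
    kind: str
    line: str
    remediation: list

def triage_netconf_log(text: str) -> list:
    """Return one Finding per log line that matches a known NETCONF/SSH failure."""
    findings = []
    for line in text.splitlines():
        for pattern, kind, fixed_steps in SIGNATURES:
            m = pattern.search(line)
            if not m:
                continue
            steps = fixed_steps if fixed_steps is not None else [f"no crypto pki trustpoint {m.group(1)}"] + REGEN_STEPS
            findings.append(Finding(kind, line.strip(), steps))
            break
    return findings

def remediation_plan(findings: list) -> list:
    """Merge steps from all findings into one de-duplicated CLI sequence.

    Trustpoint removal is ordered first so the key regeneration that follows
    happens without the unusable trustpoint still bound to NETCONF."""
    priority = {"netconf_trustpoint_unusable": 0, "netconf_ssh_signing_failure": 1}
    plan = []
    for f in sorted(findings, key=lambda x: priority.get(x.kind, 9)):
        for step in f.remediation:
            if step not in plan:
                plan.append(step)
    return plan
```

Run the plan output past the thread's caveat first: several posters found the DNAC "Force Configuration Push" plus a resync sufficient, and the trustpoint removal lets DNAC re-add it afterwards.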

 

Thanks noziwatele, these steps worked for me.