Showing results for 
Search instead for 
Did you mean: 

PKI Signing Failure - New device being provisioned via PNP

Working to automate the build of a C3560CX and managed to get things working to the point where a golden image was pushed to the unit and a base config pushed out from template.  All good.


Then proceeded to delete the device from DNAC, run a 'pnpa system reset' on the C3560CX Switch and attempt to re-provison to test changes to the config template.  Now getting the following error shown in the UI when I'm trying to claim the switch:


NCOB02067: Device Authentication Failed:$ErrorInfo@4a4d848f[errorSeverity=ERROR, errorCode=PnP Service Error 3406, errorMessage=PKI signing failed]


Debug logs on DNAC Show similar:


{"log":"2021-05-17 13:33:07,580 | INFO | qtp352598575-106038 | | c.c.p.w.e.c.CommandController | Device event: DeviceAuthEvent{deviceId=DeviceId{protocol=HTTPS, clientAddress=/10.x.x.x, serialNumber='FOCxxxxx', sudiSerialNumber='null', platformId='WS-C3560CX-8PC-S', correlatorId='CiscoPnP-1.0-R33.200930-I6-P312-T245349-4', macAddress='null', hostname='null', authRequired=false, authStatus=NONE, lastProcessedCmdId=null}, status=ERROR, message='$ErrorInfo@4c5ce0ab[errorSeverity=ERROR, errorCode=PnP Service Error 3406, errorMessage=PKI signing failed]', certPem='Not Present ', certificateInfo=Not Present } | pid=WS-C3560CX-8PC-S, hs=event, sn=FOCxxxxx, mac=null\n","stream":"stdout","time":"2021-05-17T13:33:07.580178983Z"}


In terms of where the switch is at in the pnp workflow:

- HELLO Conversation to DNAC Successful.

- Pushed the pnp-profilie to the switch config

- Loaded certs up from DNAC

- Changed PNP profile to use 443 instead of 80.

- Switch receiving backoff messages due to this signing failure.

- I can execute a reset from the UI and the switch reboots, returing to the same error state.


Note that I've attempted to delete the switch from the UI and it does dissapear, but when it gets re-created, it appears that not all artifacts had been removed from the DB as I can see the full history of events for the unit going back through previous build attempts (where I'd then deleted the switch from the UI).


The debug logs aren't showing me anything I can spot as the issue here.  


Anyone seen this one before?

Tomas de Leon
Cisco Employee

Some starter questions:

  • Cisco DNA Center version?
  • Extended Node version?
  • PnP DNS Discovery or PnP Opt43 IPv4 Discovery?

This may be a known issue and may need additional investigation from the Cisco TAC.  Please answer the above questions and in the meantime gather an RCA from the Cisco DNA Center and the "show pnp tech-support" for the ext node for when you open a TAC Case.


ISE Version

No Extended Node

PnP via Option43 Ipv4 (A1D;B2;I10.x.x.x;J80;K4)


This would actually appear to be an issue with the IOS version 15.2(7)E4 on the C3560CX-8PC-S I've been testing with.  Earlier version of the same train (E3,E2 etc) all work without issue.  Full build from automation is successful and the device is added to inventory.


DNAC is on loan atm so no coverage from TAC unfort.  I may lodge the case under the C3560CX.