DNAC - Software updates

pjdouglas42
Level 1

Hi,

We have a new installation of DNAC - Version 2.2.3.5

The issue I have is with some, not all IOS updates to 2960X/XRs which fail the pre-check with the following messages:

Unable to download file using HTTPs and SCP.

The certificates are installed and DNAC is reachable. I have tried deleting/installing the certificates manually with no luck as suggested on many websites.

Both the trustpoint and cert have been deleted and re-installed.

I've also tried copying a file from DNAC as a test from the switch which also fails:

copy https://x.x.x.x//core/img/cisco-bridge.png null:

%Error opening https://x.x.x.x//core/img/cisco-bridge.png (I/O error)

I have run 'debug ip scp' and it seems that scp fails with:

%SSH-3-NO_MATCH: No matching cipher found: client aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc server aes128-ctr,aes192-ctr,aes256-ctr

All switches run SSH Version 2.

Beyond re-creating the certificates and using SSH version 2 there do not seem to be any other suggestions of how to fix this.

Any help would be appreciated.

Thanks

Paul
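
The `%SSH-3-NO_MATCH` line quoted in the question can be broken down mechanically, as in this added example (not code from the thread or from Cisco). The parser, the `mode` helper, the timestamp prefixes and the second and third sample lines are assumptions constructed for illustration; the regex also accepts other algorithm categories in the same message shape.

```python
import re
from typing import NamedTuple, Optional

# Shape of the message quoted in the post; <category> is "cipher" there.
NO_MATCH = re.compile(
    r"%SSH-3-NO_MATCH: No matching (?P<category>.+?) found: "
    r"client (?P<client>\S+) server (?P<server>\S+)"
)

class Mismatch(NamedTuple):
    category: str
    client: list
    server: list
    summary: str

def mode(cipher: str) -> str:
    """Block-cipher mode from an SSH cipher name: 'aes128-cbc' -> 'cbc'."""
    suffix = cipher.split("@")[0].rsplit("-", 1)[-1]
    return suffix if suffix in {"cbc", "ctr", "gcm"} else "other"

def parse_no_match(line: str) -> Optional[Mismatch]:
    """Parse one syslog line; return None if it is not an SSH NO_MATCH message."""
    m = NO_MATCH.search(line)
    if m is None:
        return None
    client, server = m["client"].split(","), m["server"].split(",")
    if m["category"] == "cipher":
        c_modes = "/".join(sorted({mode(a) for a in client}))
        s_modes = "/".join(sorted({mode(a) for a in server}))
        summary = f"client offers only {c_modes}, server accepts only {s_modes}"
    else:
        summary = f"no common {m['category']}"
    return Mismatch(m["category"], client, server, summary)

# Line 1: message text from the post with a constructed timestamp prefix.
# Lines 2 and 3 are constructed for this example.
SAMPLE_LOG = """\
*Mar  1 00:10:12.345: %SSH-3-NO_MATCH: No matching cipher found: client aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc server aes128-ctr,aes192-ctr,aes256-ctr
*Mar  1 00:10:15.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0
*Mar  1 00:11:02.770: %SSH-3-NO_MATCH: No matching kex algorithm found: client diffie-hellman-group1-sha1 server diffie-hellman-group14-sha1
"""

def scan(log: str):
    """Return a Mismatch for every NO_MATCH line in the log, skipping other lines."""
    return [mm for mm in map(parse_no_match, log.splitlines()) if mm]

if __name__ == "__main__":
    for mm in scan(SAMPLE_LOG):
        print(f"{mm.category}: {mm.summary}")
```

For the line from the post this reports a CBC-only client against a CTR-only server, which is why the SCP session never gets past algorithm negotiation regardless of the state of the certificates.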

 

4 Replies

pjdouglas42
Level 1

Apologies, we are running DNAC Version 2.2.3.5.

stephen.ebdale1
Level 1

Have had the same issue with 3850 & 9300 switches. I found that deleting the switch from DNAC and then adding it back in often sorted this problem out.

Rgds

Steve

Thanks Steve, I was going to try that next.

Presumably, I just delete the device, without device cleanup ticked. No config changes/deletes will be made on the switch?

stephen.ebdale1
Level 1

Correct, don't click device cleanup. Nothing changes on the switch. Once added, you will need to assign it to a site and, possibly, enable and deploy Telemetry once the resync has finished. Rerun the Image Update Readiness Check and, hopefully, HTTPS/SCP will be reachable. Even if HTTPS is still not reachable, as long as SCP is, you will be fine.