02-09-2017 02:27 AM - edited 03-01-2019 04:36 AM
Hello,
I'm trying to connect an APIC-EM controller to Prime Infrastructure, but it fails.
The two servers are in one subnet. One server can ping the other.
I have checked with tcpdump on the APIC-EM side; there were some packets from PI after I added the APIC-EM info in PI. But PI still shows an alarm that the APIC server is not reachable.
I have double checked APIC-EM credentials.
APIC-EM Version 1.3.2.37.
Prime Infrastructure Version 3.0.0.0.78 (Trial)
Can anyone help me with this problem? Thank you.
02-09-2017 05:19 AM
Hi,
The servers communicate over port 443. Can you verify it is open between the two?
On second look, you need to use the current release of Prime Infrastructure.
02-09-2017 05:24 AM
There is no firewall between the servers. I'm connected over the HTTPS port to both servers' GUIs from my PC.
02-09-2017 05:54 AM
Hi Jegor,
First of all, it is probably better to upgrade PI to the latest patch. There were some old APIs being used by PI, so that could cause some problems.
That being said, I think they should at least communicate.
Can you take a look at the log files on PI?
1) ssh <PI server>
2) get a root shell (shell)
3) cd /opt/CSCOlumos/logs
4) take a look at ifm_apic.log
Adam
02-09-2017 10:06 PM
Hi,
Here are the last logs:
[2017-02-10 06:57:43,907] [seqtaskexecutor-254] [apic] [INFO ] - Thread Id : [27,406] : IFM_APIC_INFO: [Enter into getApicZTDStatus method -]
[2017-02-10 06:57:43,908] [seqtaskexecutor-254] [apic] [INFO ] - Thread Id : [27,406] : IFM_APIC_INFO: [getApicGlobalPnPStatus:]
[2017-02-10 06:57:43,908] [seqtaskexecutor-254] [apic] [INFO ] - Thread Id : [27,406] : IFM_APIC_INFO: [Status value from db::false===>false]
[2017-02-10 06:57:57,562] [seqtaskexecutor-254] [apic] [INFO ] - Thread Id : [27,416] : IFM_APIC_INFO: [ApicServerStatusTask :: Begin of executeTask - Triggered TimeFri Feb 10 06:57:57 CET 2017]
[2017-02-10 06:57:57,562] [seqtaskexecutor-254] [apic] [INFO ] - Thread Id : [27,416] : IFM_APIC_INFO: [ApicServerStatusTask :: TaskExecutionContext -[]]
[2017-02-10 06:57:57,562] [seqtaskexecutor-254] [apic] [INFO ] - Thread Id : [27,416] : IFM_APIC_INFO: [getApicController from Persistance - server-10.0.0.01 portNumber-443 userName-admin transportType-https connectionStatus-ERROR]
[2017-02-10 06:57:57,563] [seqtaskexecutor-254] [apic] [INFO ] - Thread Id : [27,416] : IFM_APIC_INFO: [ApicServerStatusTask :: Got Apicprofile - server-10.0.0.01 portNumber-443 userName-admin transportType-https connectionStatus-ERROR]
[2017-02-10 06:57:57,563] [seqtaskexecutor-254] [apic] [INFO ] - Thread Id : [27,416] : IFM_APIC_INFO: [getApicController from Persistance - server-10.0.0.01 portNumber-443 userName-admin transportType-https connectionStatus-ERROR]
[2017-02-10 06:57:57,563] [seqtaskexecutor-254] [apic] [INFO ] - Thread Id : [27,416] : IFM_APIC_INFO: [Updating APIC profile to PI - server-10.0.0.01 portNumber-443 userName-admin transportType-https connectionStatus-ERROR]
[2017-02-10 06:57:57,746] [seqtaskexecutor-254] [apic] [INFO ] - Thread Id : [27,416] : IFM_APIC_INFO: [Adding APIC profile to PI - server-10.0.0.01 portNumber-443 userName-admin transportType-https connectionStatus-UNKNOWN]
[2017-02-10 06:57:57,913] [seqtaskexecutor-254] [apic] [INFO ] - Thread Id : [27,416] : IFM_APIC_INFO: [Adding APIC profile to PI val - HTTP/1.1 403 Forbidden]
[2017-02-10 06:57:57,913] [seqtaskexecutor-254] [apic] [INFO ] - Thread Id : [27,416] : IFM_APIC_INFO: [Updating APIC profile Status to PI - server-10.0.0.01 portNumber-443 userName-admin transportType-https connectionStatus-ERROR]
[2017-02-10 06:57:57,934] [seqtaskexecutor-254] [apic] [INFO ] - Thread Id : [27,416] : IFM_APIC_INFO: [getApicController from Persistance - server-10.0.0.01 portNumber-443 userName-admin transportType-https connectionStatus-ERROR]
[2017-02-10 06:57:57,934] [seqtaskexecutor-254] [apic] [INFO ] - Thread Id : [27,416] : IFM_APIC_INFO: [ApicServerStatusTask :: End of executeTask ***** ]
I have tried to download Prime 3.1, but I can't do it with my account: "Cisco service contract information indicates you are not authorized to download software for the following product(s):"
I downloaded the trial version; it is only version 3.0.
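An added example, not part of the original posts and not Cisco code: a small parser for `ifm_apic.log` lines in the format pasted above, which groups entries per status-check run and surfaces the HTTP status hidden among the INFO lines. The function names `summarize` and `diagnose` are hypothetical, and treating each "Thread Id" value as one run is an assumption.

```python
import re

# Sample input: four lines taken from the ifm_apic.log excerpt posted above
# (the address is the poster's placeholder).
SAMPLE_LOG = """\
[2017-02-10 06:57:57,563] [seqtaskexecutor-254] [apic] [INFO ] - Thread Id : [27,416] : IFM_APIC_INFO: [Updating APIC profile to PI - server-10.0.0.01 portNumber-443 userName-admin transportType-https connectionStatus-ERROR]
[2017-02-10 06:57:57,746] [seqtaskexecutor-254] [apic] [INFO ] - Thread Id : [27,416] : IFM_APIC_INFO: [Adding APIC profile to PI - server-10.0.0.01 portNumber-443 userName-admin transportType-https connectionStatus-UNKNOWN]
[2017-02-10 06:57:57,913] [seqtaskexecutor-254] [apic] [INFO ] - Thread Id : [27,416] : IFM_APIC_INFO: [Adding APIC profile to PI val - HTTP/1.1 403 Forbidden]
[2017-02-10 06:57:57,913] [seqtaskexecutor-254] [apic] [INFO ] - Thread Id : [27,416] : IFM_APIC_INFO: [Updating APIC profile Status to PI - server-10.0.0.01 portNumber-443 userName-admin transportType-https connectionStatus-ERROR]
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] .*?Thread Id : \[(?P<tid>[\d,]+)\] : \w+: \[(?P<msg>.*)\]\s*$")
HTTP_RE = re.compile(r"HTTP/1\.[01] (?P<code>\d{3})")
STATUS_RE = re.compile(r"connectionStatus-(?P<status>\w+)")


def summarize(log_text):
    """Group lines by thread id (assumed: one status-check run each) and
    collect the connectionStatus sequence plus any HTTP status codes logged."""
    runs = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or foreign lines
        run = runs.setdefault(m["tid"], {"first_ts": m["ts"], "statuses": [], "http": []})
        s = STATUS_RE.search(m["msg"])
        if s and (not run["statuses"] or run["statuses"][-1] != s["status"]):
            run["statuses"].append(s["status"])  # record only status changes
        h = HTTP_RE.search(m["msg"])
        if h:
            run["http"].append(int(h["code"]))
    return runs


def diagnose(run):
    """Turn one run into a hint about where the failure sits."""
    if not run["http"]:
        return "no HTTP response logged: check network path, port and TLS"
    code = run["http"][-1]
    if code in (401, 403):
        return f"HTTP {code}: server answered over HTTPS and refused the request"
    if code >= 400:
        return f"HTTP {code}: server answered with an error"
    return f"HTTP {code}: request accepted"


if __name__ == "__main__":
    for tid, run in summarize(SAMPLE_LOG).items():
        print(tid, run["statuses"], diagnose(run))
```

On the sample lines this reports a 403 for run 27,416, meaning an HTTP response came back over port 443 even though the stored status ends as ERROR.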
02-10-2017 12:30 AM
Hi Jegor,
Did you specify the IP address of APIC-EM as "10.0.0.01" rather than "10.0.0.1"?
Adam
02-10-2017 12:48 AM
Actually, I have replaced the real IP of APIC-EM with 10.0.0.01 to paste here. The real IP is correct. One thing I realized is that in Administration / Servers / APIC-EM Controller there is an APIC-EM reachability history, and every record has a duration of 00:00:01, but I restarted the APIC-EM server and while it was unreachable the duration was 00:00:18. I suggest that a duration of 00:00:01 shows that something drops the connection, but a duration of 00:00:18 shows that Prime closes the connection after some timeout. I can't find any logs on the APIC-EM side about the Prime connection.
02-10-2017 01:47 AM
Hi Jegor,
Reachability should be 1 sec. Here is mine (which is successful).
02-10-2017 02:55 AM
This is mine:
I have tried to create and use another user in APIC-EM with admin rights.
02-10-2017 03:07 AM
This is very strange.
One other thing I can think to try. For your new admin user, can you try with a "simple password"? Not sure how complex your password is, but if it contains $'" maybe that is causing a problem?
It is about the only other thing I can think of at present. Normally, this just works.
Adam
02-10-2017 03:40 AM
I've tried to use a simple password: 3 digits, 1 upper-case character and two lower-case characters, without special symbols.
02-10-2017 05:17 AM
Ok...
One more thing to try, from a shell on PI:
wget -S --header="Content-Type: application/json" --no-check-certificate --post-data '{"username": "admin", "password": "<password>"}' -O- https://<apic-ipaddress>/api/v1/ticket
Change <password> and <apic-ipaddress>.
You should see something like:
WARNING: cannot verify x.x.x.x's certificate, issued by `/CN=e44fd808-e2c4-4d5e-ae6d-af878c565e47/C=US/ST=California/L=SanJose/OU=APICEM-SDN/O=Cisco':
Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Fri, 10 Feb 2017 13:13:29 GMT
Content-Type: application/json;charset=UTF-8
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache, no-store
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Connection: close
Length: unspecified [application/json]
Saving to: `STDOUT'
[<=> ] 0 --.-K/s {"response":{"serviceTicket":"ST-14169-tKyCaSUPpVaLyxrK0Q9a-cas","idleTimeout":3600,"sessionTimeout":21600},"ve [ <=> ] 124 --.-K/s in 0s
2017-02-11 00:13:29 (22.3 MB/s) - written to stdout [124]
02-10-2017 05:28 AM
Here is the output of this command:
ade # wget -S --header="Content-Type: application/json" --no-check-certificate --post-data '{"username": "admin", "password": "123Pass"}' -O- https://10.0.0.1/api/v1/ticket
--2017-02-10 14:23:52-- https://10.0.0.1/api/v1/ticket
Connecting to 10.0.0.1:443... connected.
WARNING: cannot verify 10.0.0.1's certificate, issued by `/CN=1eed38dc-a9c3-43be-90e7-065088d887c6/C=US/ST=California/L=SanJose/OU=APICEM-SDN/O=Cisco':
Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Fri, 10 Feb 2017 13:23:52 GMT
Content-Type: application/json;charset=UTF-8
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache, no-store
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Connection: close
Length: unspecified [application/json]
Saving to: `STDOUT'
[<=> ] 0 --.-K/s { [ <=> ] 120 --.-K/s in 0s
2017-02-10 14:23:53 (12.7 MB/s) - `-' saved [120]
There is no serviceTicket response.
02-10-2017 05:34 AM
I think it did work, it just saved the response in a file called "-".
If so, then it means the auth worked ok, so there must be an API issue. Probably due to difference in versions.
02-10-2017 05:32 AM
Hi Jegor,
Have you upgraded to PI 3.1.x? That is the version that is supported for integration with the controller.