Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1626
Views
3
Helpful
10
Replies

"Unable to insert secret into keystore" error when enabling TrustSec

Go to solution
rezaalikhani
VIP
VIP

‎01-27-2024 12:46 AM

Hi all;

I have several Catalyst 9200L switches (version 17.09.04a) and want to implement Cisco TrustSec on them, followed by integrating them with Cisco ISE. At the initial step, upon executing the 'cts credentials id' command, the following log messages are displayed:

Unable to insert secret into keystore.

%KEYSTORE-3-NO_KEYSTORE: CTS hardware keystore is not responsive and software emulation is not enabled.

rezaalikhani_0-1706344573076.png

I searched Google, but unfortunately, I did not find useful information.

My questions are:

  • Does the message pertain to any malfunctioning hardware on the device?
  • How can I enable software emulation for the same purpose of hardware keystore?
  • Does this problem relate to the current license of the device?

Thanks

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
MikeMoss
Level 1
Level 1

‎01-28-2025 02:32 PM

I had this exact same issue, with all the same results people posted above. I wanted to confirm/let others know that my C9200 switch was also using a DNA Essentials license. I upgraded the device's license to Advantage from within Catalyst Center and once the device restarted the command(s) worked as they should.

View solution in original post

10 Replies 10

Go to solution
marce1000
Hall of Fame
Hall of Fame

‎01-27-2024 03:45 AM

 

 - Ref : https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/16_xe/smg/xe-16-10/b-sem-16-10-1/b-sem-16-10-1_chapter_0100.html
 >...

%KEYSTORE-3-NO_KEYSTORE : CTS hardware keystore is not responsive and software emulation is not enabled.
Explanation The CTS hardware keystore on the switch has failed and needs to be inspected. Since CTS credentials are stored in the keystore, this means that CTS authentication and authorization operations will fail. The following action is recommended: If the defect is shown on the Active Supervisor, try to switchover to Standby Supervisor. If the defect is shown on Standby Supervisor, try to reset the Standby. If the defect persists, there may be damage to the hardware keystore chip, please take appropriate action. In the meantime, you can configure the switch to use software keystore emulation. After you have enabled software keystore emulation, please re-configure CTS credentials to populate the software keystore.

 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Go to solution
rezaalikhani
VIP
VIP
In response to marce1000

‎01-27-2024 04:07 AM

Thanks for your reply;

I have reviewed this resource, and as you can see, there are many unanswered questions regarding this problem.

0 Helpful

Go to solution
marce1000
Hall of Fame
Hall of Fame
In response to rezaalikhani

‎01-27-2024 04:29 AM

 

 - Check the output of :  #   show cts keystore

  M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Go to solution
rezaalikhani
VIP
VIP
In response to marce1000

‎01-27-2024 05:14 AM

Thanks for your reply;

rezaalikhani_0-1706361247219.png

 

 

0 Helpful

Go to solution
marce1000
Hall of Fame
Hall of Fame
In response to rezaalikhani

‎01-27-2024 06:22 AM

 

                                     - Check if you can execute this procedure on your platform too :
             https://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/ident-conn_config.html#77849

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Go to solution
rezaalikhani
VIP
VIP
In response to marce1000

‎01-28-2024 12:45 AM - edited ‎01-28-2024 01:22 AM

As you can see below, the device does not have the ability to use emulated keystore:

rezaalikhani_0-1706431527215.png

I think the problem is related to my device license. As you can see below, the device does not have Network Advantage license which is required to support SGT, based on the following Cisco's document:

https://www.cisco.com/c/m/en_us/products/software/dna-subscription-switching/en-sw-sub-matrix-switching.html

rezaalikhani_1-1706433760425.png

 

rezaalikhani_0-1706433688352.png

 

 

Go to solution
DamianRCL
Level 1
Level 1
In response to rezaalikhani

‎03-11-2024 06:25 AM

Rez,

Did you obtain the Network Advantage License? did it resolve your problem?

0 Helpful

Go to solution
rezaalikhani
VIP
VIP
In response to DamianRCL

‎03-12-2024 12:02 AM

Unfortunately not for now but will be soon. If so i will update this post. 

0 Helpful

Go to solution
MikeMoss
Level 1
Level 1

‎01-28-2025 02:32 PM

I had this exact same issue, with all the same results people posted above. I wanted to confirm/let others know that my C9200 switch was also using a DNA Essentials license. I upgraded the device's license to Advantage from within Catalyst Center and once the device restarted the command(s) worked as they should.

Customers Also Viewed These Support Documents