08-17-2018 12:43 AM
Hi All
It appears we can no longer deploy any devices to our APIC-EM IWAN server.
We are getting the below error when we deploy the branch sites:
APIC-EM IWAN App error- trust-point create service unavailable
Any ideas what this error is?
cheers
08-21-2018 10:27 AM
I am glad you posted this; I am experiencing the same issue. I did a dump of what the APIC-EM is doing on the router when it spits out this error. It is running the following on the router, and I do not see anything in the output from these commands that would indicate a problem:
enable
terminal length 0 ! to hide what it is doing
terminal width 0 ! to hide what it is doing
show ip interface brief
show running-config
show license
show version
show vrf brief ! returns nothing
show crypto pki trustpoint ! returns nothing
show crypto key mypubkey all ! returns a small self signed non exportable key
show running-config | sec crypto ! returns nothing
show running-config
dir
show clock
show run int GigabitEthernet0/1 ! WAN Side interface here
show running | sec class-map match-any business-critical-and-default
show running | sec performance monitor context IWAN-Context
! Then it starts over just like above but apparently looking at the LAN side interface.
show ip interface brief
show running-config
show license
show version
show vrf brief
show crypto pki trustpoint
show crypto key mypubkey all
show running-config | sec crypto
show running-config | section aaa
dir
show clock
show run int GigabitEthernet0/0 ! See it uses short version of command
show running | sec class-map match-any business-critical-and-default
show running | sec performance monitor context IWAN-Context
! here is where it goes different from above, see using full command this time.
show running-config interface GigabitEthernet0/0
show policy-map interface GigabitEthernet0/0 ! nothing returned here
! here it stops, this last command came back with nothing.
THEN it opens a NEW session to the router and runs the following:
enable
terminal length 0
terminal width 0
terminal width 0 ! yes, it did this two times
config t
do write mem ! odd it did this from global config mode, and it changed nothing to warrant this.
exit
! At this point, it shows up failed in the APIC-EM, it does not log off the router.
Later, I am going to delete one of my working sites, then re-add to get a full successful dump. If you get any more information, please let me know what you find.
Possible things that are different for me with this site:
1. The router does not have an internal DNS server to hit while I am trying to add it.
2. Site has an Internet only WAN connection (I have another internet only site, but it had LAN access to the APIC-EM and to internal DNS when it was added).
08-22-2018 01:29 AM
Hi
A Cisco TAC case was logged and the issue has been resolved. The certs had a 2 year expiry and so the PKI services would not work. They uploaded and installed 2 files and it's now OK.
The alternative and correct way is to move to the latest version of APIC as advised
Cheers
08-22-2018 09:04 AM
Big thanks for this information, I went ahead and upgraded to 1.6.3. As soon as the server came back up after the upgrade I was able to add the site with no issues.
Thanks again.
08-22-2018 04:07 AM
Hello Carl!
You should contact Cisco TAC because this is a well known problem. I had the same problem a couple of weeks ago and Cisco resolved it by connecting to my server and renewing the certificates (for 2 more years) with 2 files that only they have. This is a quick task and doesn't cause interruptions in the network.
Please do not forget to rate useful post.
Best Regards,