Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1504
Views
10
Helpful
4
Replies

APIC-EM IWAN App error- trust-point create service unavailable

Go to solution
carl_townshend
Spotlight
Spotlight

‎08-17-2018 12:43 AM

Hi All

It appears we can no longer deploy any devices to our APIC-EM IWAN server,

we are getting the below error when we deploy the branch sites

 

APIC-EM IWAN App error- trust-point create service unavailable

 

Any ideas what this error is?

 

cheers

2 people had this problem
Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
carl_townshend
Spotlight
Spotlight
In response to Beau Clark

‎08-22-2018 01:29 AM

Hi

A cisco TAC case was logged and the issue has been resolved, the certs had a 2 year expiry and so the PKI services would not work, they upoaded and installed 2 files and its now OK

The alternative and correct way is to move to the latest version of APIC as advised

 

Cheers

View solution in original post

4 Replies 4

Go to solution
Beau Clark
Level 1
Level 1

‎08-21-2018 10:27 AM

I am glad you posted this, I am experiencing the same issue, so I did a dump of what the APIC-EM is doing on the router when it spits out this error, it is running the following on the router, I do not see anything in the output from these commands that would indicate a problem:

 

enable
terminal length 0 ! to hide what it is doing
terminal width 0 ! to hide what it is doing
show ip interface brief
show running-config
show license
show version
show vrf brief ! returns nothing
show crypto pki trustpoint ! returns nothing
show crypto key mypubkey all ! returns a small self signed non exportable key
show running-config | sec crypto ! returns nothing
show running-config
dir
show clock
show run int GigabitEthernet0/1 ! WAN Side interface here
show running | sec class-map match-any business-critical-and-default
show running | sec performance monitor context IWAN-Context
! Then it starts over just like above but apparently looking at the LAN side interface.
show ip interface brief
show running-config
show license
show version
show vrf brief
show crypto pki trustpoint
show crypto key mypubkey all
show running-config | sec crypto
show running-config | section aaa
dir
show clock
show run int GigabitEthernet0/0 ! See it uses short version of command
show running | sec class-map match-any business-critical-and-default
show running | sec performance monitor context IWAN-Context
! here is where it goes different from above, see using full command this time.
show running-config interface GigabitEthernet0/0
show policy-map interface GigabitEthernet0/0 ! nothing returned here
! here it stops, this last command came back with nothing.

 

THEN it opens a NEW session to the router and runs the following:

 

enable
terminal length 0
terminal width 0
terminal width 0 ! yes, it did this two times
config t
do write mem ! odd it did this from global config mode, and it changed nothing to warrant this.
exit
! At this point, it shows up failed in the APIC-EM, it does not log off the router.

 

Later, I am going to delete one of my working sites, then re-add to get a full successful dump. If you get any more information, please let me know what you find. 

 

Possible things that are different for me with this site:

 

1. The router does not have an internal DNS server to hit while I am trying to add it.

2. Site has an Internet only WAN connection (I have another internet only site, but it had LAN access to the APIC-EM and to internal DNS when it was added).

 

0 Helpful

Go to solution
carl_townshend
Spotlight
Spotlight
In response to Beau Clark

‎08-22-2018 01:29 AM

Hi

A cisco TAC case was logged and the issue has been resolved, the certs had a 2 year expiry and so the PKI services would not work, they upoaded and installed 2 files and its now OK

The alternative and correct way is to move to the latest version of APIC as advised

 

Cheers

Go to solution
Beau Clark
Level 1
Level 1
In response to carl_townshend

‎08-22-2018 09:04 AM

Big thanks for this information, I went ahead and upgraded to 1.6.3. As soon as the server came back up after the upgrade I was able to add the site with no issues.

 

Thanks again. 

 

 

0 Helpful

Go to solution
Diana Karolina Rojas
Cisco Employee
Cisco Employee

‎08-22-2018 04:07 AM

Hello Carl!

 

You should contact Cisco TAC because this is a well known problem, I had the same problem a couple of weeks ago and Cisco resolved it connecting to my server and renovating the certificates (for 2 more years) with 2 files that only they have. This is a quick taks and doesn't have interrups in the network.

 

Please do not forget to rate useful post.

 

Best Regards,

 

 

0 Helpful
Customers Also Viewed These Support Documents