Hi Brandon,

thanks a lot for help. Want I wanted to achieve is to speed up the update process since PI 2.1.2 cannot handle TFTP blocksizes bigger than 512 byte. Even if you configure your devices to use a blocksize of 8192 byte (which is the maximum) PI uses 512 byte only. In our environment it takes about 40 to 50 minutes to go from 03.03.05SE to 03.03.06eE... The parallel option we used too but had to recognize that the upgrade process is not stable in any cases. Some of our devices failed, some not. Neither reproducible nor predictable ;-(

Regards, Stephan

Well, from my point of view I've set up all things regarding ssh/scp correctly, but an upgrade via software deployment and ssh fails. Here is the logfile:

ade # cat 10.142.255.5_scp_telnet.log
dir /all flash:
Directory of flash:/

54210  -rwx     2097152  Apr 28 2015 08:01:10 +02:00  nvram_config
69697  drwx        4096  Apr 16 2015 14:27:37 +02:00  dc_profile_dir
54215  -rw-       10435  Apr 23 2015 14:04:01 +02:00  wnweb.tgz
   14  -rw-        1248  Apr 23 2015 15:02:23 +02:00  packages.conf.3-6
54216  -rw-    82615244  Apr 23 2015 15:02:18 +02:00  cat3k_caa-base.SPA.03.06.02aE.pkg
54222  -rw-    99253056  Apr 23 2015 15:02:19 +02:00  cat3k_caa-wcm.SPA.10.2.120.0.pkg
   15  -rw-        1248  Apr 28 2015 07:52:55 +02:00  packages.conf.3-5
54218  -rwx        2296  Apr 17 2015 09:52:48 +02:00  vlan.dat
54217  -rw-     4922044  Apr 23 2015 15:02:18 +02:00  cat3k_caa-drivers.SPA.03.06.02aE.pkg
   12  drwx        4096   Jan 6 2014 07:41:29 +01:00  mnt
85188  -rw-    79122052  Feb 10 2015 08:44:16 +01:00  cat3k_caa-base.SPA.03.03.05SE.pkg
85189  -rw-     6521532  Feb 10 2015 08:44:16 +01:00  cat3k_caa-drivers.SPA.03.03.05SE.pkg
85190  -rw-    34530288  Feb 10 2015 08:44:16 +01:00  cat3k_caa-infra.SPA.03.03.05SE.pkg
85191  -rw-    34846028  Feb 10 2015 08:44:17 +01:00  cat3k_caa-iosd-universalk9.SPA.150-1.EZ5.pkg
85192  -rw-    25170832  Feb 10 2015 08:44:17 +01:00  cat3k_caa-platform.SPA.03.03.05SE.pkg
85193  -rw-    77456192  Feb 10 2015 08:44:17 +01:00  cat3k_caa-wcm.SPA.10.1.150.0.pkg
54219  -rw-    33756144  Apr 23 2015 15:02:18 +02:00  cat3k_caa-infra.SPA.03.06.02aE.pkg
54220  -rw-    42882380  Apr 23 2015 15:02:18 +02:00  cat3k_caa-iosd-universalk9.SPA.152-2a.E2.pkg
54221  -rw-    27362192  Apr 23 2015 15:02:18 +02:00  cat3k_caa-platform.SPA.03.06.02aE.pkg
   13  -rw-        1248  Feb 10 2015 08:44:22 +01:00  packages.conf

1621966848 bytes total (1021952000 bytes free)
SLT-EGDV4-255-5#software clean
Preparing clean operation ...
[1]: Cleaning up unnecessary package files
[1]: No path specified, will use booted path flash:packages.conf
[1]: Cleaning flash:
[1]: Preparing packages list to delete ...
     In use files, will not delete:
       cat3k_caa-base.SPA.03.03.05SE.pkg
       cat3k_caa-drivers.SPA.03.03.05SE.pkg
       cat3k_caa-infra.SPA.03.03.05SE.pkg
       cat3k_caa-iosd-universalk9.SPA.150-1.EZ5.pkg
       cat3k_caa-platform.SPA.03.03.05SE.pkg
       cat3k_caa-wcm.SPA.10.1.150.0.pkg
       packages.conf
[1]: Files that will be deleted:
    cat3k_caa-base.SPA.03.06.02aE.pkg
    cat3k_caa-drivers.SPA.03.06.02aE.pkg
    cat3k_caa-infra.SPA.03.06.02aE.pkg
    cat3k_caa-iosd-universalk9.SPA.152-2a.E2.pkg
    cat3k_caa-platform.SPA.03.06.02aE.pkg
    cat3k_caa-wcm.SPA.10.2.120.0.pkg
    packages.conf.3-5
    packages.conf.3-6

[1]: Do you want to proceed with the deletion? [yes/no]: yes
[1]: Clean up completed

Than it fails back to TFTP which is working but taking lots of time... Attached is a screenshot of image management in PI.

Hi Steve,

I was able to successfully send the recommended image file for one of our 3850 switches for the company that I am at. 

Here are a few things that need to be considered:

For your ssh username iosinstall, do you happen to have this added to root shell?  For some switches that use the archive command to deploy, not sure if 3850s do, but 3750s, 2960s, and 3560s use the archive command.  What PI will essentially try to do is first authenticate with the device, then when it is attempting to upload the image to the device, it will authenticate to its (PI's own) repository before sending the image.  In order for that transaction to be completed the username that you listed iosinstall, has to be added in PI's root shell.  One potential consideration to think about is if you are using TACACS+, you may want to make the iosinstall and Cisco PI's ssh account for inventorying devices the same, so as to save on weird failures with SWIM distribution.

If you implement TACACS+, you will want the username for Cisco PI's ssh account for device inventory and management to also be set to the highest privileges as well as deploy the following to your AAA configs, aaa authorization exec default group tacacs+ local so that Prime can get proper authentication with your ACS servers.  Plus also make sure to have SCP server enabled on the device, and then test it out.

That should help to either run image distribution with SCP or the archive command, without having to worry about it reverting to TFTP.

HTH,

Brandon

Hi Brandon,

what do you mean with "have this added to root shell?"? I've created the user in the cli with

ciscoprime/admin(config)# username iosinstall password plain ... role user

Should I've given the role "admin" instead of user? Or do you mean to add this user first in the GUI and afterwords in the cli?

As I understood the behavior PI tries to connect to the switch and gives a set of commands to it. Then the switch itself connects with the user "iosinstall" to PI and tries to download the file. Since PI has valid ssh credentials for the mentioned device/switch already it would better to use that credential and push the data...

Thanks again

Stephan

Steve,

This would be in reference to adding a user in the Red Hat OS itself that PI runs on.  Here is a reference to this for another user that had issues with this:

https://supportforums.cisco.com/discussion/12314861/scp-ios-image-upgrades-prime-infrastructure-21-failing

Now something else to consider, for the ones that failed was there any error messages like the following?

% A previous provisioning action is pending reboot, please use 'on-reboot' option for any following install operations. Operation aborted.

You will just need to log into the device and run the following from exec mode:

software install file flash:cat3k_caa-universalk9.SPA.03.03.05.SE.150-1.EZ5.bin on-reboot

the image file is what ever that you have in place for me I used the Cisco recommended image at current time.

Regards,

Brandon

Hi Brandon,

I've created the user "iosinstall" again as you suggested and after that the scp command was working great - unfortunately only by hand...

SLT-EGDV4-255-5#copy scp://10.x.x.x//opt/CSCOlumos/images_tmp/cat3k_caa-universalk9.SPA.03.06.02a.E.152-2a.E2.bin flash:
Address or name of remote host [10.x.x.x]?
Source username [iosinstall]?
Source filename [/opt/CSCOlumos/images_tmp/cat3k_caa-universalk9.SPA.03.06.02a.E.152-2a.E2.bin]?
Destination filename [cat3k_caa-universalk9.SPA.03.06.02a.E.152-2a.E2.bin]?
Password:
Sending file modes: C0666 290796004 cat3k_caa-universalk9.SPA.03.06.02a.E.152-2a.E2.bin
!!!!!!!!!!!!!!!!!!!!!...
!!!!!!!!!!!!!!!!!!!!!!!!!!!
290796004 bytes copied in 1061.260 secs (274010 bytes/sec)

Trying the same procedure via PI is doesn't work again. TAC doesn't have a solution either. 

BTW: Do you know why the copying process is so slow? Device an PI are connected via GBit/s... It seems to me that - like TFTP - the blocksize is stepped down by PI.

So I think I will use the "software install tftp://..." command. This seems to me to be the most stable and fastest.

Regards,

Stephan

try this

ip tftp blocksize 8192

https://supportforums.cisco.com/discussion/11954011/3850-flash-slow-file-transfer-rates

transfers 3M in about 72 seconds now

Hi Stephan,
This is a very old post but i am facing the same problem while deploying the Software image via prime CLI template. I am getting a connection timeout error because the switch is taking little time to respond and prime dose not wait for that long and give connection timeout error.  I have attached the error i got after failure job. Is there a way to extend the timeout time on prime or is there any other way to correct this error?  Please reply if you know the solution to this problem. Thanks

lulumnd2302 is the test switch name

Hi RaghasNaveed,

I don't think so. When I remember correctly we decided to update manually with an own TFTP-server based on Linux. Meanwhile we are at PI 3.1 and is looks better (just tested for one C3850 as well as one C2960). During the next weeks we'll upgrade the whole set of our C3850 (about 30) adn C3960 (about 70). We'll see...

Regards,

Stephan