08-23-2012 04:52 AM
hi
I tried to configure Call Home on a Nexus 7000 with HTTPS transport and a proxy server.
I followed this guide:
http://www.cisco.com/en/US/docs/switches/lan/smart_call_home/QuickStart_NX7000.pdf
and configured this:
callhome
email-contact XXXXXXXXXXX
phone-contact XXXXXXXXXXX
streetaddress XXXXXXXXXXXXXXXX
destination-profile CiscoTAC-1 transport-method http
destination-profile CiscoTAC-1 http https://tools.cisco.com/its/service/oddce/services/DDCEService
transport http use-vrf management
transport http proxy server XXXXXXXXXX port 8080
(XXXXXXXXXX = my proxy server)
transport http proxy enable
enable
periodic-inventory notification interval 30
I have a problem installing the security certificate. I followed the guide but I get the error:
failed to load or parse certificate
could not perform CA authentication
When I try to test Call Home with the command callhome test, I get:
trying to send test callhome message
warning:no callhome message sent
email configuration incomplete for destination profile:full_txt
email configuration incomplete for destination profile:short_txt
Error in transporting http message for CiscoTAC-1
http: Received HTTP code 407 from proxy after CONNECT
I guess the problem is because I didn't install the certificate. How can I install the certificate?
Is this the real problem?
08-23-2012 09:37 AM
Hello,
As stated in the quickstart guide, the Transport Gateway is recommended when a traditional proxy server is required to communicate with Cisco over the Internet. Basically, you configure your device to send messages to a local URL and the Transport Gateway forwards those messages through your proxy server to Cisco using HTTPS. The other advantage of this configuration is that there is no need to add a certificate to every device because the Transport Gateway uses a built in certificate.
A growing number of Call Home enabled devices now include the proxy server option that you are attempting to use. Unfortunately, this configuration option has not been tested by the Smart Call Home team and is not currently supported with Smart Call Home.
With that out of the way: your config looks right, but I have yet to test this in my lab. Give me a few days to try your config and I'll report back here.
08-23-2012 06:58 PM
I agree with Bryan that the easiest proxy server to setup for the nexus 7000 is the Transport Gateway. The documentation (certificates) is setup to allow you to connect to a Cisco Transport Gateway or directly into tools.cisco.com. Both have a Cisco certificate.
But that doesn't explain your issue. To answer your issue, you need to look here:
http://www.cisco.com/en/US/docs/switches/lan/smart_call_home/SCH31_Ch6.html#wp1039385
except you need your proxy server's chained certificate in PEM format since the Nexus 7000 is going to terminate at your proxy server. Take a look at this line in the documentation.
Input (cut & paste) the CA certificate (chain) in PEM format
The error code 407 you indicated makes sense and indicates "Proxy Authentication Required". You need the certificate installed first. NX-OS uses the openssl crypto library to implement the cert-pki feature if that helps. A complete certificate chain is required. Also, you might make sure the CRL (certificate revocation list) is set to none so it doesn't do that first.
revocation-check none
The 4 chained certificates given in the documentation are tools.cisco.com.cer, Verisign-G3-SSCA.cer, Verisign-G3-PRCA.cer and Verisign-Root-CA.cer. The non-Nexus 7000 devices just use the last one. Most likely you need a certificate chain that looks like:
your proxy server.cer, Verisign-G3-SSCA.cer, Verisign-G3-PRCA.cer, Verisign-Root-CA.cer
If you are using your own root CA (which typically is taken off-line after authorizing subordinate CAs for security reasons), then make sure that the certificates are in the correct order to be processed so each can be authenticated.
Now you can see why a Cisco proxy server (Transport Gateway) is easier to setup.
08-23-2012 07:18 PM
This chapter might help you in your endeavor, since what you really need is multiple trust points.
08-24-2012 02:00 PM
I need to correct my answer unfortunately. I made too many assumptions. First, for the information in my answer above, if you want the nexus 7000 to use HTTPS to any device, you need the fully chained certificate for that device. HTTP does not require a certificate. But the nexus 7000 will not do username/password or any other method of proxy server authentication.
So getting back to your issue.
http: Received HTTP code 407 from proxy after CONNECT
indicates that the proxy server wants the Nexus 7000 to authenticate. It can't do that. HTTP proxy is just to forward the HTTP stream somewhere other than tools.cisco.com (where there is no authentication). Typically, you forward it to the Transport Gateway (which also has no authentication). Both programs accept data, and if it matches the exact format it is looking for with fields filled in correctly, forward the data on. Otherwise they drop it. It does exactly the same thing for email sent to callhome@cisco.com (you can imagine the amount of spam it receives).
Now, the transport gateway does have a proxy configuration page where you can add a username and password as well as the proxy server and port. It does support proxy authentication for data it wants to forward to tools.cisco.com.
Sorry about the confusion.
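The distinction made in this answer (the 407 comes back on the CONNECT request, before any TLS handshake, so no certificate on the switch can change it) can be checked from a workstation that sits on the same path as the Nexus. The script below is an added example, not from the thread; PROXY_HOST and PROXY_PORT are placeholders for your own proxy, and the sample replies in the test are constructed.

```python
"""Tell a proxy-authentication failure apart from a TLS/certificate failure.

An HTTPS client first sends CONNECT to the forward proxy; the proxy answers
with a plain HTTP status *before* any TLS starts. A 407 at this step means the
proxy demands credentials, which Call Home on NX-OS cannot supply.
"""
import socket

# Constructed placeholders: replace with the proxy the switch is configured to use.
PROXY_HOST = "proxy.example.internal"
PROXY_PORT = 8080
TARGET = "tools.cisco.com:443"  # the Smart Call Home HTTPS endpoint from the thread


def build_connect_request(target: str) -> bytes:
    """Build the CONNECT request an HTTPS client sends to a forward proxy."""
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")


def classify_proxy_reply(raw: bytes) -> dict:
    """Parse the proxy's status line and headers and return a verdict."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return {"status": None, "verdict": "not_http", "auth_schemes": []}
    status = int(parts[1])
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    # Proxy-Authenticate lists the schemes the proxy accepts (Basic, NTLM, ...).
    schemes = [v.split(" ", 1)[0] for v in headers.get("proxy-authenticate", [])]
    if status == 407:
        verdict = "proxy_requires_auth"  # NX-OS Call Home cannot satisfy this
    elif 200 <= status < 300:
        verdict = "tunnel_established"   # only now would certificates matter
    else:
        verdict = "proxy_refused"
    return {"status": status, "verdict": verdict, "auth_schemes": schemes}


def probe_proxy(host: str = PROXY_HOST, port: int = PROXY_PORT,
                target: str = TARGET, timeout: float = 5.0) -> dict:
    """Send CONNECT to the proxy and classify its first response."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect_request(target))
        return classify_proxy_reply(sock.recv(4096))


if __name__ == "__main__":
    print(probe_proxy())
```

A `proxy_requires_auth` verdict points at the proxy policy or the Transport Gateway route described above; a `tunnel_established` verdict means the proxy is not the blocker and a certificate or trust-point problem on the switch is the next thing to check.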
08-26-2012 01:02 AM
Hi,
thank you all for your responses.
I solved the problem. First there was a problem at my proxy server, and then I found a valid cert on the Cisco website,
so now it works!
I will now try the Transport Gateway; it sounds easier than configuring every device.
Thanks all,
izik.