smart call home - HTTPS transport from the Nexus 7000 to Cisco

HOT HOT (Level 1)

Hi,

I tried to configure Call Home on a Nexus 7000 with HTTPS transport and a proxy server.

I followed this guide:

http://www.cisco.com/en/US/docs/switches/lan/smart_call_home/QuickStart_NX7000.pdf

and configured this:

callhome
  email-contact XXXXXXXXXXX
  phone-contact XXXXXXXXXXX
  streetaddress XXXXXXXXXXXXXXXX
  destination-profile CiscoTAC-1 transport-method http
  destination-profile CiscoTAC-1 http https://tools.cisco.com/its/service/oddce/services/DDCEService
  transport http use-vrf management
  transport http proxy server XXXXXXXXXX port 8080        (XXXXXXXXXX = my proxy server)
  transport http proxy enable
  enable
  periodic-inventory notification interval 30

I have a problem installing the security certificate. I followed the guide, but I get the error:

failed to load or parse certificate
could not perform CA authentication

When I test Call Home with the command callhome test, I get:

trying to send test callhome message
warning:no callhome message sent
email configuration incomplete for destination profile:full_txt
email configuration incomplete for destination profile:short_txt
Error in transporting http message for CiscoTAC-1
http: Received HTTP code 407 from proxy after CONNECT

I guess the problem is that I didn't install the certificate. How can I install the certificate?

Is this the real problem?


5 Replies

Bryan Williams (Level 1)

Hello,

As stated in the quickstart guide, the Transport Gateway is recommended when a traditional proxy server is required to communicate with Cisco over the Internet. Basically, you configure your device to send messages to a local URL and the Transport Gateway forwards those messages through your proxy server to Cisco using HTTPS. The other advantage of this configuration is that there is no need to add a certificate to every device, because the Transport Gateway uses a built-in certificate.

A growing number of Call Home enabled devices now include the proxy server option that you are attempting to use. Unfortunately, this configuration option has not been tested by the Smart Call Home team and is not currently supported with Smart Call Home.

With that out of the way: your config looks right, but I have yet to test this in my lab. Give me a few days to try your config and I'll report back here.

I agree with Bryan that the easiest proxy server to set up for the Nexus 7000 is the Transport Gateway. The documentation (certificates) is set up to allow you to connect to a Cisco Transport Gateway or directly into tools.cisco.com. Both have a Cisco certificate.

But that doesn't explain your issue. To answer your issue, you need to look here

http://www.cisco.com/en/US/docs/switches/lan/smart_call_home/SCH31_Ch6.html#wp1039385

except you need your proxy server's chained certificate in PEM format, since the Nexus 7000 is going to terminate at your proxy server. Take a look at this line in the documentation:

Input (cut & paste) the CA certificate (chain) in PEM format

The error code 407 you indicated makes sense and indicates "Proxy Authentication Required". You need the certificate installed first. NX-OS uses the OpenSSL crypto library to implement the cert-pki feature, if that helps. A complete certificate chain is required. Also, you might make sure the CRL (certificate revocation list) is set to none so it doesn't do that first:

revocation-check none

The 4 chained certificates given in the documentation are tools.cisco.com.cer, Verisign-G3-SSCA.cer, Verisign-G3-PRCA.cer, Verisign-Root-CA.cer. The non-Nexus 7000 devices just use the last one. Most likely you need a certificate chain that looks like

your-proxy-server.cer, Verisign-G3-SSCA.cer, Verisign-G3-PRCA.cer, Verisign-Root-CA.cer

If you are using your own root CA (which typically is taken off-line after authorizing subordinate CAs, for security reasons), then make sure that their certificates are in the correct order to be processed so each can be authenticated.

Now you can see why a Cisco proxy server (Transport Gateway) is easier to set up.
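To check a chain bundle before pasting it into the cert-pki configuration, here is an added Python example (not from this thread and not Cisco code) that reads a PEM bundle, pulls the issuer and subject Name encodings out of each certificate with a minimal DER walker, and reports where the leaf-to-root order breaks or where the self-signed root is missing. The certificate names proxy, G3-SSCA, G3-PRCA and Root are constructed stand-ins built by fake_cert_pem so the example runs offline; check_chain_order also accepts a real PEM bundle.

```python
import base64
import re

def _tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; returns (tag, value_bytes, end_offset)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                           # long-form length
        n, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + ln], pos + ln

def cert_names(der):
    """Return (issuer, subject) as raw Name encodings from a DER X.509 certificate."""
    _, tbs, _ = _tlv(_tlv(der)[1])                          # Certificate -> tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = _tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:                                # skip optional explicit [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]                       # serial, sigAlg, issuer, validity, subject

def check_chain_order(pem_bundle):
    """Problems found reading the bundle as leaf -> intermediates -> self-signed root; [] is good."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_bundle, re.S)
    certs = [cert_names(base64.b64decode("".join(b.split()))) for b in blocks]
    if not certs:
        return ["no PEM certificate blocks found"]
    problems = [f"cert {i} is not issued by cert {i + 1}: out of order or a link is missing"
                for i in range(len(certs) - 1) if certs[i][0] != certs[i + 1][1]]
    if certs[-1][0] != certs[-1][1]:
        problems.append("last cert is not self-signed: root CA missing from the bundle")
    return problems

def _der(tag, body):                                        # short-form lengths only (test data)
    return bytes([tag, len(body)]) + body

def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed, unsigned stand-in (not a real certificate) holding only the fields read above."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn))
    b64 = base64.encodebytes(_der(0x30, _der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"

# Constructed bundles in the order the thread describes: proxy, G3-SSCA, G3-PRCA, Root CA
LINKS = [("proxy", "G3-SSCA"), ("G3-SSCA", "G3-PRCA"), ("G3-PRCA", "Root"), ("Root", "Root")]
GOOD_BUNDLE = "".join(fake_cert_pem(s, i) for s, i in LINKS)
BAD_BUNDLE = "".join(fake_cert_pem(s, i) for s, i in LINKS[::-1])   # root first: wrong order
```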

I need to correct my answer unfortunately. I made too many assumptions. First, for the information in my answer above, if you want the nexus 7000 to use HTTPS to any device, you need the fully chained certificate for that device. HTTP does not require a certificate. But the nexus 7000 will not do username/password or any other method of proxy server authentication.

So getting back to your issue.

http: Received HTTP code 407 from proxy after CONNECT

indicates that the proxy server wants the Nexus 7000 to authenticate. It can't do that. HTTP proxy is just to forward the HTTP stream somewhere other than tools.cisco.com (where there is no authentication). Typically, you forward it to the Transport Gateway (which also has no authentication). Both programs accept data, and if it matches the exact format it is looking for with fields filled in correctly, forward the data on. Otherwise they drop it. It does exactly the same thing for email sent to callhome@cisco.com (you can imagine the amount of spam it receives).

Now, the transport gateway does have a proxy configuration page where you can add a username and password as well as the proxy server and port. It does support proxy authentication for data it wants to forward to tools.cisco.com.

Sorry about the confusion.
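As an added diagnostic (example code, not from this thread), the following Python checks what a proxy answers to an unauthenticated CONNECT, which is all the Nexus 7000 can send, and maps the answer to the cause discussed above. The 407 reply is constructed to match the error in the thread, and probe_proxy against a real proxy host and port is an assumed use that needs network access.

```python
import socket

def connect_request(target_host, target_port):
    """The CONNECT request an HTTPS client sends to a forward proxy, with no
    Proxy-Authorization header: the same unauthenticated request the Nexus 7000 sends."""
    return (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
            f"Host: {target_host}:{target_port}\r\n\r\n").encode()

def parse_connect_reply(raw):
    """Return (status_code, [auth schemes]) from the proxy's reply to CONNECT."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *headers = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    schemes = [h.split(":", 1)[1].strip().split(" ", 1)[0]
               for h in headers if h.lower().startswith("proxy-authenticate:")]
    return status, schemes

def diagnose(status, schemes):
    """Map the proxy's answer to the cause the thread discusses."""
    if status == 407:
        return ("proxy demands authentication (" + (", ".join(schemes) or "scheme not advertised")
                + "); the Nexus 7000 cannot supply credentials, so send via a Transport Gateway")
    if status == 200:
        return "CONNECT tunnel accepted; the proxy is not the blocker, check the certificate chain"
    return f"unexpected proxy status {status}"

def probe_proxy(proxy_host, proxy_port, target="tools.cisco.com", port=443, timeout=5):
    """Live check (not run offline): one CONNECT through the proxy, then the diagnosis."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(connect_request(target, port))
        return diagnose(*parse_connect_reply(sock.recv(4096)))

# Constructed reply matching the error in the thread; not captured from a real proxy.
SAMPLE_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
              b'Proxy-Authenticate: Basic realm="corp-proxy"\r\n'
              b"Content-Length: 0\r\n\r\n")
```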

HOT HOT (Level 1)

Hi,

Thank you all for your responses.

I solved the problem. First there was a problem at my proxy server, and then I found a valid cert on the Cisco website.

So now it works!

I will now try the Transport Gateway; it sounds easier than configuring every device.

Thanks all,

izik.