cisco catalyst 3560cx SDA extended node PnP fail

mzouggagh
Level 1

I tried to add catalyst 3560cx as an extended node to SDA fabric but I have this error message:

Device tried to contact the server and failed during certificate_install

How can I resolve this problem?

Is it possible to add an extended node without using PnP?

1 Accepted Solution

willwetherman
Spotlight

Hi @mzouggagh 

Extended nodes can only be connected using PnP. The certificate install error is typically due to a TLS mismatch between the switch and DNA Center. You can check the TLS version that is enabled on DNA Center using the following command:

magctl service tls_version --tls-min-version show

Some switches only support TLS version 1.1 or 1.0 for PnP. We had this exact issue with the C3560-CX, which only supports TLS 1.1. We changed the TLS version on DNA Center to 1.2 as recommended in the DNA Center Security Best Practices Guide and had to drop back down to version 1.1 to allow the C3560-CX to complete PnP onboarding. Once PnP completed we were able to change the DNA Center TLS version back to 1.2.

magctl service tls_version --tls-min-version 1.0
magctl service tls_version --tls-min-version 1.1

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html#task_vq4_yyk_ybb
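The mechanism behind this answer is a plain TLS version-floor mismatch: the PnP agent on the switch offers a highest version (1.1 on the C3560-CX), DNA Center refuses anything below its configured minimum, and the handshake fails before the certificate step can run. The Go program below is an added example, not code from the thread or from Cisco; it models the exchange with Go's crypto/tls over an in-memory pipe. The self-signed certificate, the host name dnac.example.invalid and the CanOnboard/tryHandshake helpers are constructed for the example, the server's MinVersion stands in for the magctl --tls-min-version setting, and the client's MaxVersion stands in for what the switch can speak.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// tlsVersions maps the version names used by "magctl service tls_version"
// to the crypto/tls constants.
var tlsVersions = map[string]uint16{
	"1.0": tls.VersionTLS10, "1.1": tls.VersionTLS11,
	"1.2": tls.VersionTLS12, "1.3": tls.VersionTLS13,
}

// selfSignedCert builds a throwaway ECDSA certificate (constructed here so the
// example runs offline); it stands in for the DNA Center server certificate.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "dnac.example.invalid"},
		DNSNames:     []string{"dnac.example.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// tryHandshake runs one TLS handshake over an in-memory pipe. serverMin models
// the DNA Center --tls-min-version floor; clientMax models the newest TLS
// version the switch's PnP agent can offer. Returns the negotiated version.
func tryHandshake(serverMin, clientMax uint16) (uint16, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	serverSide, clientSide := net.Pipe()
	defer serverSide.Close()
	defer clientSide.Close()
	server := tls.Server(serverSide, &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   serverMin,
	})
	client := tls.Client(clientSide, &tls.Config{
		RootCAs:    pool,
		ServerName: "dnac.example.invalid",
		MinVersion: tls.VersionTLS10, // the agent offers everything up to clientMax
		MaxVersion: clientMax,
	})
	serverDone := make(chan error, 1)
	go func() { serverDone <- server.Handshake() }()
	if err := client.Handshake(); err != nil {
		clientSide.Close() // unblock the server if it is still mid-handshake
		<-serverDone
		return 0, err
	}
	if err := <-serverDone; err != nil {
		return 0, err
	}
	return client.ConnectionState().Version, nil
}

// CanOnboard reports whether an agent limited to clientMax can complete the
// handshake against a server whose floor is serverMin (names "1.0".."1.3").
// The string is the negotiated version on success or the error on failure.
func CanOnboard(serverMin, clientMax string) (bool, string) {
	v, err := tryHandshake(tlsVersions[serverMin], tlsVersions[clientMax])
	if err != nil {
		return false, err.Error()
	}
	for name, code := range tlsVersions {
		if code == v {
			return true, name
		}
	}
	return true, fmt.Sprintf("0x%04x", v)
}

func main() {
	// The thread's sequence: hardened floor of 1.2, a 1.1-only switch, the
	// temporary drop to 1.1 for onboarding, then the floor raised again.
	for _, step := range [][2]string{{"1.2", "1.1"}, {"1.1", "1.1"}, {"1.2", "1.2"}} {
		ok, detail := CanOnboard(step[0], step[1])
		fmt.Printf("server min %s, switch max %s -> ok=%v (%s)\n", step[0], step[1], ok, detail)
	}
}
```

The first line of output shows the rejection the original poster hit (the server aborts with a protocol-version alert before any certificate is exchanged), the second shows why dropping the floor to 1.1 lets onboarding finish, and the third shows that a 1.2-capable peer keeps working once the floor is restored. Lowering the floor widens the accepted range for every PnP client, not only the C3560-CX, which is why the reply raises it back to 1.2 as soon as onboarding completes.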


2 Replies

mzouggagh
Level 1

Hi @willwetherman 

After executing

magctl service tls_version --tls-min-version 1.0

the PnP process is working and I can see the 3560-CX switch in the inventory.

Thank you for your help