Replacement FI not registering with UCS Central

dragonpark
Level 1

Hello,

I had an FI fail while in the middle of an upgrade via UCS Central. The FI rebooted and just refused to come back online, so it was replaced. The issue now is that I cannot get the FI to register properly with UCS Central. The FI is properly paired and in sync with the other FI, but ever since replacing the failed FI, the domain is stuck in a 'Lost Visibility' state in UCS Central.

I have tried a few things, but doing the two things below results in an error in the FSM:

  1. Resetting the shared secret on both UCS Central and UCS Manager. This gives me the following error when I attempt it (more on this below):
    [screenshot: msedge_rX3eMQ7tO2.png]
  2. Attempting to regenerate the default keyring certificate results in this error message:
    [screenshot: msedge_8YniGKGmYJ.png]

I do see that the UCS Manager states there is a 'shared secret mismatch', but I have tried resetting the secret multiple times with varying passwords and still get the same error. The following lines show up in the pa_setup.log file when I attempt to set the shared secret on the domain:

 

2023-6-26 11:16:50 -- -----------------------------------------
2023-6-26 11:16:50 -- -------Start cert gen-------
2023-6-26 11:16:50 -- -----------------------------------------
2023-6-26 11:16:50 -- looking for value (systemName) in HASH(0x94afff0)
2023-6-26 11:16:50 -- after checking default systemName=
2023-6-26 11:16:50 -- after checking HASH(0x94afff0) systemName=DOMAIN1
2023-6-26 11:16:50 -- cert subject created = /CN=DOMAIN1/
2023-6-26 11:16:50 -- generating hash
2023-6-26 11:16:50 -- hash generated = 
2023-6-26 11:16:50 -- adding inRqtDigest="" to cert request message
2023-6-26 11:16:50 -- url = https://ucscentral.example.net:443/xmlInternal/apache/cert
2023-6-26 11:16:50 -- xml = <certGetCACert cookie="" commCookie="" srcExtSys="0.0.0.0" destExtSys="0.0.0.0" srcSvc="0" destSvc="0" inRqtDigest=""/>
2023-6-26 11:16:50 -- request sent
2023-6-26 11:16:50 -- response =  <certGetCACert cookie="" commCookie="" userContext="no" srcExtSys="0.0.0.0" destExtSys="0.0.0.0" srcSvc="" destSvc="" response="yes" errorCode="534" invocationResult="internal-error" errorDescr="digest validation failure"> </certGetCACert>, return_code = 0
2023-6-26 11:16:50 -- certGetCACert request to UCS Central failed with errorDescr: digest validation failure, errorCode: 534
2023-6-26 11:16:50 -- Returning shared secret mismatch error, errcode - 101

 

The digest validation error is what has me right now. I'm not sure if that is a result of the shared secret error message or if the shared secret error is being caused by the digest validation error.

Any input would be appreciated.

Thanks

1 Reply

josoneal
Cisco Employee

Hello Dragonpark,

The issue appears to be with the self-signed certificate failing to copy over to the new FI. I recommend opening a case with TAC on this issue as they may need to check/change the permissions on the privkey.pem files. I've seen these symptoms related to this defect: CSCwc78620

Regards,
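
An added example, not part of the thread and not Cisco tooling: a Python triage of the pa_setup.log format quoted in the question. It groups lines into cert-gen attempts and flags those where an empty request digest was logged before UCS Central returned an error. The dictionary keys and function names are this example's own, and the sample is built from lines in the quoted excerpt.

```python
import re

# Constructed sample: a subset of the pa_setup.log lines quoted in the question.
SAMPLE_LOG = "\n".join([
    '2023-6-26 11:16:50 -- -------Start cert gen-------',
    '2023-6-26 11:16:50 -- cert subject created = /CN=DOMAIN1/',
    '2023-6-26 11:16:50 -- generating hash',
    '2023-6-26 11:16:50 -- hash generated = ',
    '2023-6-26 11:16:50 -- adding inRqtDigest="" to cert request message',
    '2023-6-26 11:16:50 -- request sent',
    '2023-6-26 11:16:50 -- response =  <certGetCACert response="yes" errorCode="534" '
    'invocationResult="internal-error" errorDescr="digest validation failure"> '
    '</certGetCACert>, return_code = 0',
    '2023-6-26 11:16:50 -- Returning shared secret mismatch error, errcode - 101',
])

LINE = re.compile(r"^(\S+ \S+) -- (.*)$")  # "<date> <time> -- <message>"

def parse_attempts(log_text):
    """Group log lines into cert-gen attempts; extract digest and error fields."""
    attempts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = m.groups()
        if "Start cert gen" in msg:
            attempts.append({"start": ts, "digest": None, "sent_digest": None,
                             "error_code": None, "error_descr": None, "returned": None})
            continue
        if not attempts:
            continue  # ignore lines before the first attempt marker
        cur = attempts[-1]
        if msg.startswith("hash generated ="):
            cur["digest"] = msg.split("=", 1)[1].strip()
        elif msg.startswith("adding inRqtDigest="):
            sent = re.search(r'inRqtDigest="([^"]*)"', msg)
            cur["sent_digest"] = sent.group(1) if sent else None
        elif msg.startswith("response ="):
            code = re.search(r'errorCode="(\d+)"', msg)
            descr = re.search(r'errorDescr="([^"]*)"', msg)
            cur["error_code"] = int(code.group(1)) if code else None
            cur["error_descr"] = descr.group(1) if descr else None
        elif (ret := re.search(r"errcode - (\d+)", msg)):
            cur["returned"] = int(ret.group(1))  # code handed back to the caller
    return attempts

def empty_digest_failures(attempts):
    """Attempts that sent an empty digest and then received an error response."""
    return [a for a in attempts if a["sent_digest"] == "" and a["error_code"] is not None]
```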

  
