03-29-2023 02:19 AM
Hello Cisco WLAN Experts,
Today I did an upgrade on our central 9800-80-WLC from 17.3.5a to 17.3.7.
After the upgrade the following event message appeared several times in the GUI:
Chassis 1 R0/0: ncsshd_bp: NETCONF/SSH: fatal: mm_answer_sign: Xkey_sign failed: error in libcrypto
Also on our Prime I noticed that some of the APs that are connected to the 9800-80-WLC are reported
AP `xyz-123' disassociated from Controller 9800-80
I already did a Sync on Prime for the 9800-80, but the APs are still reported as being "Not Registered"
and Last Reboot Reason "Image Upgrade Success".
I also did a reset on one of these WLAN APs, without improvement.
Who knows more about the event message and the Prime problem?
Thank you for any hints and tips.
Kind regards
Wini
04-03-2023 05:58 AM
>....17.9.3 does not support Wave 1 2702-APs,
It's actually the reverse, 17.9.3 will support those access point(s) again: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/release-notes/rn-17-9-9800.html#whats-new-1793
As far as Prime 3.8 is concerned, these days anything not being PI3.10.x should be considered outdated.
M.
04-03-2023 11:39 PM
Hello Marce1000, thank you for this brand-new information. Looks like we are not the last customer still using x7xx-APs.
I will consider setting up a new Prime 3.10 in parallel to test.
By the way, I'm still a fan of using Prime instead of DNA and SDN. I'm convinced that not many customers really need this new stuff and can make a fortune using DNA and SDN in future. At the moment many Cisco customers pay a high price to migrate to this new world by paying horrible external support to bring this to life in existing big networks.
I have big doubts and concerns to move to DNA and SDN.
Is there a possibility or an initiative to force Cisco from customer-side to enlarge life for Prime?
Kind regards
Wini
04-04-2023 02:02 AM
>...Is there a possibility or an initiative to force Cisco from customer-side to enlarge life for Prime?
Hm, probably falls into the category of 'wishful thinking' (...), here you find the EOL announcements for 3.8 and other older versions: https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/prime-infrastructure/prime-infrastructure-pids-pb.html
M.
04-05-2023 02:32 AM - edited 04-05-2023 02:35 AM
Hello Marce1000 and Rich R,
we have found the bug in the ssh-communication between Prime and 9800-WLC in the meantime!!
Obviously the confusion starts with having a lot of trustpoints on the box, for example in our case for telemetry, also for DNA Spaces, and ssh mixing encryption keys or not finding the right self-signed certificate.
We worked through a similar bug, CSCvt43974, which contains a recommendation to regenerate the self-signed cert.
We deleted the OS-XE device self-signed certificate first. The default self-signed certificate is auto-generated during the controller's initial startup if any HTTPS, SSH or NETCONF service is configured on the controller. But we had no luck.
According to Option 2 in the mentioned guide, we created a CA on the WLC and created and installed a new ss-cert.
Within this trustpoint, the important thing is to use the undocumented command "primary", which solved our ssh-problem.
Maybe this statement disappeared during the SW-Upgrade. I don't know, because the tricky thing is:
the command cannot be seen in the running config in 17.3.7, by the way, if you look at the trustpoint config afterwards.
Even when you save the running-config with option "all", the statement "primary" is not shown in the trustpoint config.
Therefore I cannot tell you whether it was there before we did the SW-Upgrade.
The error message and this hint should be part of your error-message guide for the 9800 in future.
Nice Easter days
Wini