9800-80 17.3.7 and Prime 3.8.1 connection problem

Gehrig_W
Level 1

Hello Cisco WLAN Experts,

Today I did an upgrade on our central 9800-80-WLC from 17.3.5a to 17.3.7.

After the upgrade the following Event-Message appeared several times in the GUI:

Chassis 1 R0/0: ncsshd_bp: NETCONF/SSH: fatal: mm_answer_sign: Xkey_sign failed: error in libcrypto

Also on our Prime I noticed that some of the APs that are connected to the 9800-80-WLC are reported

AP `xyz-123' disassociated from Controller 9800-80

I already did a Sync on Prime for the 9800-80, but the APs are still reported as being "Not Registered" and Last Reboot Reason "Image Upgrade Success".

I also did a Reset on one of these WLAN-APs, without improvement.

Who knows more about the Event-Message and the Prime problem?

Thank you for any hints and tips.

Kind regards

Wini

> ...17.9.3 does not support Wave 1 2702-APs,

It's actually the reverse, 17.9.3 will support those access point(s) again: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/release-notes/rn-17-9-9800.html#whats-new-1793

As far as Prime 3.8 is concerned, these days anything not being PI3.10.x should be considered outdated.

M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Gehrig_W
Level 1

Hello Marce1000, thank you for this brand-new information. Looks like we are not the last customer still using x7xx-APs.

I will consider setting up a new Prime 3.10 in parallel to test.

By the way, I'm still a fan of using Prime instead of DNA and SDN. I'm convinced that not many customers really need this new stuff and can make a fortune using DNA and SDN in future. At the moment many Cisco customers pay a high price to migrate to this new world by paying horrible external support to bring this to life in existing big networks.

I have big doubts and concerns to move to DNA and SDN.

Is there a possibility or an initiative to force Cisco from customer-side to enlarge Life for Prime?

Kind regards

Wini

> ...Is there a possibility or an initiative to force Cisco from customer-side to enlarge Life for Prime?

Hm, probably falls into the category of 'wishful thinking' (...), here you find the EOL announcements for 3.8 and other older versions: https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/prime-infrastructure/prime-infrastructure-pids-pb.html

M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

UKW-NK-Cisco
Level 1

Hello Marce1000 and Rich R,

we have found the bug in the ssh-communication between Prime and 9800-WLC in the meantime!!

Obviously the confusion starts with having a lot of trustpoints on the box, for example in our case for telemetry, also for DNA Spaces, and ssh mixing encryption keys or not finding the right self-signed certificate.

We worked our way through a similar bug, CSCvt43974, which contains a recommendation to regenerate the self-signed cert:

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215118-ios-self-signed-certificate-expiration-o.html#anc9

We deleted the IOS-XE device self-signed certificate first. The default self-signed certificate is auto-generated during the controller's initial startup if any HTTPS, SSH or NETCONF service is configured on the controller. But we had no luck.

According to Option 2 in the mentioned guide, we created a CA on the WLC and created and installed a new ss-cert.

Within this trustpoint, the important thing is to use the undocumented command "primary", which solved our ssh-problem.

Maybe this statement disappeared during the SW-Upgrade. I don't know, because the tricky thing is that the command cannot be seen in the running config in 17.3.7, by the way, if you look at the trustpoint config afterwards.

Even when you save the running-config with option "all", the statement "primary" is not shown in the trustpoint config.

Therefore I cannot tell you whether it was there before we did the SW-Upgrade.

The error-message and this hint should be part of your error-message-guide for the 9800 in future.

Nice Easter days

Wini
