07-18-2022 01:45 AM
Hi,
We are running WLC in AWS which is deployed via Terraform. The marketplace WLC has initial stuff configured and saved in basic AMI which then gets "user data" script at boot. That way we just update the script and can rebuild the instance as much as we want. Script looks like this (and many more lines):
ios-config-101="interface GigabitEthernet1"
ios-config-102="ip address dhcp"
ios-config-103="no shut"
ios-config-104="exit"
Now, the issue we have is that some of the commands get rejected at boot up. Some of these are not even in the user data script (probably left hardcoded in the AMI somehow, but not sure why they run like this). Those are not important in this case, but the one that matters is the one that runs the EEM applet that was supposed to pull ACLs from a separate FTP server. The applet itself is fine and works with no issue when run manually, and I see in the config that it's loaded correctly from the user data script. So here is the log after bootup:
Jul 13 14:55:14.788: %CVAC-4-CLI_FAILURE: Configuration command failure: 'event manager run pull_acl' was rejected <-------------------------------------------------------------------???
Jul 13 14:55:14.788: %CVAC-4-CLI_FAILURE: Configuration command failure: 'exit ' was rejected
Jul 13 14:55:14.788: %CVAC-4-CLI_FAILURE: Configuration command failure: 'ip http secure-server' was rejected
Jul 13 14:55:14.788: %CVAC-4-CLI_FAILURE: Configuration command failure: 'ip http server' was rejected
Jul 13 14:55:14.788: %CVAC-4-CLI_FAILURE: Configuration command failure: 'ip http authentication local' was rejected
Jul 13 14:55:14.789: %CVAC-4-CLI_FAILURE: Configuration command failure: 'end' was rejected
Jul 13 14:55:14.789: %CVAC-3-CONFIG_ERROR: 7 error(s) while applying configs generated from file varied:/ovf-env.xml. Please inspect bootflash:/cvac.log for details.
I checked the cvac.log:
event manager run pull_acl
% (CVAC) Command failed: PRC_INVALID, PRC_FAILURE_PERMANENT
exit
% (CVAC) Command failed: PRC_INVALID, PRC_FAILURE_PERMANENT
ip http secure-server
ip http secure-server
^
% Invalid input detected at '^' marker.
% (CVAC) Command failed: PRC_PARSE_ERROR_NOMATCH, PRC_FAILURE_PERMANENT
ip http server
ip http server
^
% Invalid input detected at '^' marker.
% (CVAC) Command failed: PRC_PARSE_ERROR_NOMATCH, PRC_FAILURE_PERMANENT
ip http authentication local
ip http authentication local
^
% Invalid input detected at '^' marker.
These errors don't really help much, and the only "solutions" I found are that I should run those commands manually. Then the automation part makes no sense anymore. Does anyone have an idea why this is happening?
07-18-2022 07:27 AM
"event manager run pull_acl" is *not* a config command, it's an exec command, so that's why that is failing!
Not sure why the following commands are failing - maybe it's jumping out of config mode after the error?
If you want to run an exec command while in config mode then prefix it with "do " - that will work for most commands as long as they aren't interactive (need response to prompts).
Otherwise you need something else to trigger the EEM script automatically rather than you running it manually - for example you could trigger it on the SYS-5-CONFIG_I log after you exit configuration.
07-18-2022 08:12 AM
Hi @Rich R, firstly thank you for your feedback. I've been trying to figure this out for some time and playing with different stuff around ftp, eem, escaping quotes, etc., that I totally forgot I'm not in a real CLI, so I tried to casually do this:
#EEM APPLET FOR ACLs
#
ios-config-1501="event manager applet pull_acl authorization bypass"
ios-config-1502="event none"
ios-config-1503="action 0001 cli command enable"
ios-config-1504="action 0002 cli command "configure terminal""
ios-config-1505="action 0003 cli command "file prompt quiet""
ios-config-1506="action 0004 cli command end"
ios-config-1507="action 0005 cli command "copy ftp://server/file running-config""
ios-config-1508="action 0006 cli command "configure terminal""
ios-config-1509="action 0007 cli command "no file prompt quiet""
ios-config-1510="action 0008 cli command end"
ios-config-1511="exit"
ios-config-1512="exit"
#
ios-config-1550="event manager run pull_acl"
#
But putting "exit" twice didn't bring me into exec mode.
The other rejected commands were there even before I made this applet, but I didn't want to leave them out of this thread just in case they share the same root cause.
After your message I was pretty confident it would work like this with "do" as you proposed:
#EEM APPLET FOR ACLs
#
ios-config-1501="event manager applet pull_acl authorization bypass"
ios-config-1502="event none"
ios-config-1503="action 0001 cli command enable"
ios-config-1504="action 0002 cli command "configure terminal""
ios-config-1505="action 0003 cli command "file prompt quiet""
ios-config-1506="action 0004 cli command end"
ios-config-1507="action 0005 cli command "copy ftp://server/file running-config""
ios-config-1508="action 0006 cli command "configure terminal""
ios-config-1509="action 0007 cli command "no file prompt quiet""
ios-config-1510="action 0008 cli command end"
ios-config-1511="exit"
#
ios-config-1550="do event manager run pull_acl"
But after testing there is no change in config unfortunately, although the cvac.log doesn't throw any more issues on this command.
As you see in my code I used "no file prompt" to avoid prompts but if I don't find any more obvious reasons I will need to do some triggering with EEM.
Thanks once more!
07-18-2022 08:57 AM
I guess you could try enabling "debug ip ftp", "debug event manager all" & "debug event-manager" beforehand to try to work out why it still isn't working.
One other thing to try "do-exec" instead of "do" just in case it's treating do as ambiguous (normal CLI accepts it but maybe not like that).
07-18-2022 09:44 AM
Yeah, I double checked the do-exec part already; cvac.log shows it properly, so it should be fine, but I can update the script just in case.
And will try debug (with "do" this time) and see if it helps, thx
07-20-2022 03:50 AM
Hi, just to update: "debug event manager all" showed me that my ftp request is failing for some reason. So I added a timer that waits 10 seconds after boot up and it worked. Probably something in the AWS boot-up process prevented using the network interfaces immediately. Thanks again for the help!
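As an added illustration of the two points made in this thread (the accepted answer's note that "event manager run" is an exec command and so cannot sit in the user-data config script, and the final fix of delaying the FTP pull until the interfaces are up), here is a user-data fragment that is not the original poster's code. It keeps the poster's applet structure but replaces "event none" plus a manual "event manager run" with a countdown timer that fires once, 10 seconds after EEM registers the applet during boot, so no exec command is needed in the script. The FTP host "server", the file name "file", and the 10-second delay are placeholders/assumptions; the trailing syslog action is added so the pull leaves a record in the device log.

```cisco
#EEM APPLET FOR ACLs (constructed example, not the thread's original script)
# "event timer countdown" runs the applet once, 10 seconds after it is registered,
# which in the user-data boot flow means shortly after CVAC applies this config.
# Replace "server" and "file" with the real FTP host and ACL file (placeholders).
ios-config-1501="event manager applet pull_acl authorization bypass"
ios-config-1502="event timer countdown time 10"
ios-config-1503="action 0001 cli command enable"
ios-config-1504="action 0002 cli command "configure terminal""
ios-config-1505="action 0003 cli command "file prompt quiet""
ios-config-1506="action 0004 cli command end"
ios-config-1507="action 0005 cli command "copy ftp://server/file running-config""
ios-config-1508="action 0006 cli command "configure terminal""
ios-config-1509="action 0007 cli command "no file prompt quiet""
ios-config-1510="action 0008 cli command end"
# Log the pull so the merge into running-config is visible in syslog for review.
ios-config-1511="action 0009 syslog msg "pull_acl: copied ACL file from FTP into running-config""
ios-config-1512="exit"
# No ios-config line with "event manager run pull_acl" is needed: the timer event
# replaces the exec command that CVAC rejected with PRC_INVALID in the thread.
```

If the earlier suggestion of triggering on the config-save log line is preferred instead of a fixed delay, "event timer countdown time 10" would be swapped for an "event syslog pattern" matching SYS-5-CONFIG_I; the rest of the applet stays the same. Because "copy ... running-config" merges whatever the FTP server returns into the live configuration with no authentication of the file, the write permissions on that FTP path and the syslog record of each pull are the controls a practitioner would want in place.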
07-20-2022 04:33 AM
Excellent