06-05-2024 11:43 PM
Hello,
Did anybody try to connect Prime Infra 3.10.4 (last version) with CMX 11.0.1 (last version)?
The compatibility matrix says it should work, but I get "CMX Reachability issue. Please check logs for more information"
Sure, it is almost impossible to find related logs, but it is (still) possible to run tcpdump, and this is the result:
TLS Version error ... looking into CMX documentation:
Ok, except NMSP, only TLS Version 1.3 is supported
Looking into Prime Infrastructure:
It supports TLS 1.2, 1.1 and 1.0
I'm sure someone tested the integration before updating the compatibility matrix, but forgot to write down how it is supposed to work. Maybe someone knows the solution?
Thanks
06-05-2024 11:57 PM
- You may try to change or specify the needed TLS version on Prime with:
ncs run set-tls-versions ?
(The question mark is intended to check the available options first),
M.
06-06-2024 01:29 AM - edited 06-06-2024 01:38 AM
Yes, the output after the question mark is in my initial post, highlighted in yellow and enclosed in a red square bracket, to highlight it doubly.
Nevertheless, to exclude hidden commands, I checked it:
ncs run tls-server-versions ?
<cr> Carriage return.
ncs run tls-server-versions TLSv1.3
Error : Invalid TLS version - TLSv1.3. Supported TLS versions - TLSv1.2 TLSv1.1 TLSv1
06-06-2024 09:53 AM
- Also have a look at: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr01602
M.
06-07-2024 02:48 AM
Thank you for the answer, but I receive the protocol error from CMX, not on the Prime Infrastructure site.
To be sure, I checked it: on the Prime site there wasn't a single entry in the TOFU store, and there is a complete CA trust chain in trusted-ca-store (ncs certvalidation trusted-ca-store listcacerts), as well as a valid server certificate.
I also checked the CMX site (cmxctl config certs show): the same CA trust chain in the CA store and a valid certificate in the server certificate store.
Unfortunately it seems not to be the right solution. I could enable or disable cert validation, but CMX still has some issue with the Prime certificate or TLS version, because the error code is "protocol version".
ncs certvalidation certificate-check ?
disable Disable certificate validation
enable Enable certificate validation
trust-on-first-use Trust and pin the host certificate on first use
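
Added example, not part of the thread: a Python example that reads the two records a tcpdump capture of such a failure would contain, the client's ClientHello and the peer's plaintext alert, to show which TLS versions were offered and whether the alert is protocol_version. The byte strings are constructed for illustration, not taken from the poster's capture, and all function names are hypothetical.

```python
import struct

VERSIONS = {0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}  # RFC 8446 alert codes

def _name(v):
    return VERSIONS.get(v, hex(v))

def offered_versions(record):
    """Versions offered by a ClientHello record (highest legacy version if no extension)."""
    ctype, _, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    if ctype != 22 or body[0] != 1:
        raise ValueError("not a ClientHello")
    legacy = struct.unpack("!H", body[4:6])[0]
    pos = 4 + 2 + 32                                        # header, legacy_version, random
    pos += 1 + body[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    if pos + 2 > len(body):                                 # older hello without extensions
        return [_name(legacy)]
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        if etype == 43:                                     # supported_versions
            return [_name(v) for v in struct.unpack(f"!{data[0] // 2}H", data[1:1 + data[0]])]
        pos += 4 + elen
    return [_name(legacy)]

def alert_name(record):
    """Description of a plaintext alert record, e.g. 'protocol_version'."""
    ctype, _, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 21 or rlen != 2:
        raise ValueError("not a plaintext alert")
    return ALERTS.get(record[6], str(record[6]))

def build_hello(legacy, exts=b""):
    """Constructed minimal ClientHello for the demo (not a real capture)."""
    body = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

HELLO_TLS12 = build_hello(0x0303)                           # client capped at TLS 1.2
HELLO_TLS13 = build_hello(0x0303, b"\x00\x2b\x00\x05\x04\x03\x04\x03\x03")
ALERT = b"\x15\x03\x03\x00\x02\x02\x46"                     # fatal, protocol_version
```

A hello that lacks TLSv1.3 in its offered list, answered by a protocol_version alert, points to a version mismatch rather than a certificate problem.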