Re: CMX 11.0.1 <-> Prime Infrastructure 3.10.4 integration

Tima_20 · ‎06-05-2024

Hello,

did anybody tried to connect prime intra 3.10.4 (last version) with CMX 11.0.1 (last version)?

combability matrix says it should work but I get "CMX Reachability issue. Please check logs for more information"

Sure, it is almost impossible to find related logs, but It is (still) possible to run tcpdump and this is the result:

TLS Version error ... looking into CMX documentation:

Ok, except NMSP, only TLS Version 1.3 is supported

Looking into Prime Infrastructure:

It supports TLS 1.2 ,1.1 and 1.0

I'm sure, someone tested the integration, before updating combability Matrix, but forgot to write down, how it suppose to work. May be some one knows the solution?

Thanks

marce1000 · ‎06-05-2024

- You may try to change or specify the needed tls version on Prime with :
ncs run set-tls-versions ?
(The question mark intended to check the available options first ),

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Tima_20 · ‎06-06-2024

Yes, the output after question mark is in my initial post yellow highlighted and included in red square bracket, to highlight it double

nevertheless, to exclude hided commands, I checked it

ncs run tls-server-versions ?
<cr> Carriage return.

ncs run tls-server-versions TLSv1.3
Error : Invalid TLS version - TLSv1.3. Supported TLS versions - TLSv1.2 TLSv1.1 TLSv1

marce1000 · ‎06-06-2024

- Also have a look at : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr01602

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Tima_20 · ‎06-07-2024

Thanks you for answer, but I receive protocol error from CMX, not on the prime infrastructure site.

To be sure, I checked it, so on prime site there wasn't any single entry in tofu store and complete CA trust chain in trusted-ca-store (ncs certvalidation trusted-ca-store listcacerts), as well as valid server certificate

I checked also CMX site (cmxctl config certs show), the same CA trust chain in CA store and valid certificate in server certificate store

unfortunately it seems to be not the right solution, I could enable or disable cert validation, but still cmx has some issue with prime certificate or TLS version, because error code is "protocol version"

 ncs certvalidation certificate-check ?
disable Disable certificate validation
enable Enable certificate validation
trust-on-first-use Trust and pin the host certificate on first use

stephendrkw · ‎07-09-2024

Having the exact same issue between Prime 3.10.4 and CMX 11.0.1-129

I ran a packet capture at the CMX end and pcap file displayed a TLS 1.2 packet - Fatal, Description, Protocol version

We get an initial 3 way handshake, CMX>Prime sends back a TLS error for TLS1.2 and after a FIN, ACK is sent from the CMX to close the session...................waiting for TAC. I can only see them adding a patch fix for Prime or telling us to go to DNA.....but...Prime is still supported so they should provide a fix!

Tima_20 · ‎07-09-2024

Wireless combability matrix was updated after CMX 11.0.1-129 release, probably someone tested integration with Prime Infrastructure 3.10

Please share TAC answer with us