cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
616
Views
0
Helpful
6
Replies

CMX 11.0.1 <-> Prime Infrastructure 3.10.4 integration

Tima_20
Level 1
Level 1

Hello,

did anybody tried to connect prime intra 3.10.4 (last version) with CMX 11.0.1 (last version)?

combability matrix says it should work but I get "CMX Reachability issue. Please check logs for more information"

Tima_20_0-1717596762146.png

 

Sure, it is almost impossible to find related logs, but It is (still) possible to run tcpdump and this is the result:

Tima_20_1-1717596963578.png

TLS Version error ... looking into CMX documentation:

Tima_20_2-1717597089031.png

Ok, except NMSP, only TLS Version 1.3 is supported

Looking into Prime Infrastructure: 

Tima_20_3-1717597209079.png

It supports TLS 1.2 ,1.1 and 1.0

I'm sure, someone tested the integration, before updating combability Matrix, but forgot to write down, how it suppose to work. May be some one knows the solution?

 

Thanks

6 Replies 6

marce1000
VIP
VIP

 

  - You may try to change or specify the needed tls version on Prime with :
                        ncs run set-tls-versions  ?
     (The question mark intended to check the available options first ),

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Yes, the output after question mark is in my initial post yellow highlighted and included in red square bracket, to highlight it double 

nevertheless, to exclude hided commands, I checked it

ncs run tls-server-versions ?
<cr> Carriage return.

ncs run tls-server-versions TLSv1.3
Error : Invalid TLS version - TLSv1.3. Supported TLS versions - TLSv1.2 TLSv1.1 TLSv1

marce1000
VIP
VIP

 

         - Also have a look at : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr01602

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Thanks you for answer, but I receive protocol error from CMX, not on the prime infrastructure site.

To be sure, I checked it, so on prime site there wasn't any single entry in tofu store and complete CA trust chain in trusted-ca-store (ncs certvalidation trusted-ca-store listcacerts), as well as valid server certificate

I checked also CMX site (cmxctl config certs show), the same CA trust chain in CA store and valid certificate in server certificate store

unfortunately it seems to be not the right solution, I could enable or disable cert validation, but still cmx has some issue with prime certificate or TLS version, because error code is "protocol version"

 ncs certvalidation certificate-check ?
disable Disable certificate validation
enable Enable certificate validation
trust-on-first-use Trust and pin the host certificate on first use

stephendrkw
Level 3
Level 3

Having the exact same issue between Prime 3.10.4 and CMX 11.0.1-129

I ran a packet capture at the CMX end and pcap file displayed a TLS 1.2 packet - Fatal, Description, Protocol version

We get an initial 3 way handshake, CMX>Prime sends back a TLS error for TLS1.2 and after a FIN, ACK is sent from the CMX to close the session...................waiting for TAC. I can only see them adding a patch fix for Prime or telling us to go to DNA.....but...Prime is still supported so they should provide a fix!

Wireless combability matrix was updated after CMX 11.0.1-129 release, probably someone tested integration with Prime Infrastructure 3.10

Tima_20_0-1720586948635.png

Please share TAC answer with us

 

Review Cisco Networking for a $25 gift card