06-05-2024 11:43 PM
Hello,
Did anybody try to connect Prime Infra 3.10.4 (last version) with CMX 11.0.1 (last version)?
The compatibility matrix says it should work, but I get "CMX Reachability issue. Please check logs for more information"
Sure, it is almost impossible to find related logs, but it is (still) possible to run tcpdump and this is the result:
TLS Version error ... looking into CMX documentation:
Ok, except NMSP, only TLS Version 1.3 is supported
Looking into Prime Infrastructure:
It supports TLS 1.2, 1.1 and 1.0
I'm sure someone tested the integration before updating the compatibility matrix, but forgot to write down how it is supposed to work. Maybe someone knows the solution?
Thanks
06-05-2024 11:57 PM
- You may try to change or specify the needed tls version on Prime with :
ncs run set-tls-versions ?
(The question mark intended to check the available options first ),
M.
06-06-2024 01:29 AM - edited 06-06-2024 01:38 AM
Yes, the output after the question mark is in my initial post, highlighted in yellow and enclosed in a red square bracket, to highlight it double.
Nevertheless, to exclude hidden commands, I checked it:
ncs run tls-server-versions ?
<cr> Carriage return.
ncs run tls-server-versions TLSv1.3
Error : Invalid TLS version - TLSv1.3. Supported TLS versions - TLSv1.2 TLSv1.1 TLSv1
06-06-2024 09:53 AM
- Also have a look at : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr01602
M.
06-07-2024 02:48 AM
Thank you for the answer, but I receive the protocol error from CMX, not on the Prime Infrastructure site.
To be sure, I checked it, so on the Prime site there wasn't any single entry in the tofu store and a complete CA trust chain in the trusted-ca-store (ncs certvalidation trusted-ca-store listcacerts), as well as a valid server certificate.
I also checked the CMX site (cmxctl config certs show): the same CA trust chain in the CA store and a valid certificate in the server certificate store.
Unfortunately it seems not to be the right solution. I could enable or disable cert validation, but CMX still has some issue with the Prime certificate or TLS version, because the error code is "protocol version"
ncs certvalidation certificate-check ?
disable Disable certificate validation
enable Enable certificate validation
trust-on-first-use Trust and pin the host certificate on first use
07-09-2024 07:56 AM
Having the exact same issue between Prime 3.10.4 and CMX 11.0.1-129
I ran a packet capture at the CMX end and pcap file displayed a TLS 1.2 packet - Fatal, Description, Protocol version
We get an initial 3 way handshake, CMX>Prime sends back a TLS error for TLS1.2 and after a FIN, ACK is sent from the CMX to close the session... waiting for TAC. I can only see them adding a patch fix for Prime or telling us to go to DNA... but... Prime is still supported so they should provide a fix!
07-09-2024 09:50 PM
The wireless compatibility matrix was updated after the CMX 11.0.1-129 release, probably someone tested integration with Prime Infrastructure 3.10.
Please share TAC answer with us
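
Added example, not part of any post in this thread: a small decoder for the kind of plaintext TLS alert record the captures above describe ("Fatal, Description, Protocol version"), useful for confirming a version mismatch from raw bytes exported from a pcap. The sample bytes are constructed for illustration and the function names are hypothetical.

```python
import struct

# Added example: constructed bytes, not taken from the thread's capture.
# One TLS record: type 0x15 (alert), version 0x0303, length 2, body 02 46.
SAMPLE_STREAM = bytes.fromhex("15030300020246")

VERSIONS = {0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
LEVELS = {1: "warning", 2: "fatal"}
DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                48: "unknown_ca", 70: "protocol_version", 80: "internal_error"}
ALERT = 21  # TLS record content type for alerts


def parse_records(stream: bytes):
    """Yield (content_type, record_version, payload) for each complete record."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, offset)
        payload = stream[offset + 5:offset + 5 + length]
        if len(payload) < length:
            break  # truncated capture: stop rather than misparse
        yield ctype, version, payload
        offset += 5 + length


def find_alerts(stream: bytes):
    """Return plaintext alerts as (record_version, level, description) tuples."""
    alerts = []
    for ctype, version, payload in parse_records(stream):
        # After keys are established alerts are encrypted and no longer
        # readable this way; a 2-byte plaintext alert means the handshake
        # failed before encryption started.
        if ctype == ALERT and len(payload) == 2:
            level, desc = payload
            alerts.append((VERSIONS.get(version, hex(version)),
                           LEVELS.get(level, str(level)),
                           DESCRIPTIONS.get(desc, str(desc))))
    return alerts


def is_version_mismatch(alert) -> bool:
    """True for a fatal protocol_version alert: no common TLS version."""
    return alert[1] == "fatal" and alert[2] == "protocol_version"


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_STREAM):
        # The record-layer version is a legacy field (TLS 1.3 also writes
        # 0x0303), so "TLSv1.2" here does not show what the sender supports.
        print(a, "-> version mismatch" if is_version_mismatch(a) else "")
```

Alert description 70 (protocol_version) points at the version negotiation itself rather than at certificates or trust stores.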