DNA Center & C9800 "ERROR-NETCONF-CONNECTION-PORT-MISSING"

JPavonM
VIP

Hi community,

 

After setting up my 3-node DNAC cluster, I discovered my newly installed Catalyst 9800 to provision them, but the status column returns "ERROR-NETCONF-CONNECTION-PORT-MISSING".

 

All the credentials are right, CLI, SNMPv3, SNMPv2 and also Netconf is enabled for discovery (default port 830), and enabled in the controller (Device(config)# netconf-yang). No firewall is between DNAC and c9800 so traffic is going straight through.

 

Any solution?

 

Device(config)# show platform software yang-management process

confd : Running
nesd : Running
syncfd : Running
ncsshd : Running
dmiauthd : Running
nginx : Running
ndbmand : Running
pubd : Running
gnmib : Not Running

1 Accepted Solution

JPavonM
VIP

After opening a TAC case they told me I was hitting bug CSCvo82246 where DNAC cannot use customized authentication groups for remote control after upgrade to 1.3.

Final workaround was to set up "aaa authentication login default group" instead of using custom groups.


19 Replies

aleopoldie
Level 3

Same issue here, very annoying ...

Even with trying a different port like 835, still not working after DNAC's upgrade to 1.3.1.3...


Hello Jesus.pavon,

 

Well that's interesting, thanks for sharing.

I currently have the following "aaa authentication login default group dnac-network-radius-group local" generated dynamically from the DNAC, and "dnac-network-radius-group" pointing to the ISEs. I think you had the same?

I manually created that entry in c9800 before re-discovering the device through DNAC and that worked for me.

What do you mean by that entry? What did you create manually?

These are the lines that I configured manually before re-discovering c9800 with DNAC, and Netconf reachability was successful:

aaa authentication login default group NPS_MGMT local

aaa authentication enable default group NPS_MGMT enable

aaa authorization exec default group NPS_MGM

 

Cheers

Hmm I've done the same, discovery is ok but still partial collection failure ... Very strange issue ...

Hi!

I got the same error but my netconf icon is grayed out. Did this fix even that?

Running 1.3.1.3 as well and ewlc 16.12

Have you enabled netconf in the eWLC?

Have you configured aaa in the eWLC? If you have, check aaa login/exec configs to point to default group.

Yes, I have.

I'm working with the TAC on this. It seems like my DNA Center doesn't see or accept the netconf updates.

Hello Cyptic,

 

What you can try :

- Verify the netconf status and port used (show netconf-yang status)

- Try also to disable netconf-yang and reactivate it

- Test the netconf access from the DNAC Center CLI to the WLC (ssh -p <netconf port> <username>@<WLC IP address> -s netconf)

 

Alex.
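
The third check in the list above, as an added example that is not part of the original thread: a small probe that reports how far the SSH transport on the NETCONF port gets before any credentials are involved. The function name, the state labels and the hint texts are assumptions made for this illustration; the hints only restate what posters in this thread reported.

```python
import socket
import sys

# Interpretation hints drawn from what posters in this thread reported.
HINTS = {
    "refused": "nothing listening: check netconf-yang is enabled and the port matches discovery",
    "timeout": "no TCP answer: check routing and filtering between DNAC and the WLC",
    "no_banner": "listener dropped the session: check the WLC log for DMI/ncsshd errors",
    "ssh_banner": "SSH transport is up: check the aaa login/exec method lists next",
}

def probe_netconf_ssh(host, port=830, timeout=5.0):
    """Return (state, detail) describing how far the SSH transport gets."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "TCP connection refused")
    except (socket.timeout, TimeoutError):
        return ("timeout", "TCP connect timed out")
    except OSError as exc:
        return ("unreachable", str(exc))
    data = b""
    with sock:
        try:
            # The SSH identification string is one line of at most 255 bytes.
            while b"\n" not in data and len(data) < 255:
                chunk = sock.recv(255 - len(data))
                if not chunk:
                    break
                data += chunk
        except ConnectionResetError:
            return ("no_banner", "reset by peer before SSH identification")
        except (socket.timeout, TimeoutError):
            return ("no_banner", "connected, but no SSH identification received")
    if not data:
        return ("no_banner", "closed by peer before SSH identification")
    line = data.split(b"\n", 1)[0].strip()
    if line.startswith(b"SSH-"):
        return ("ssh_banner", line.decode("ascii", "replace"))
    return ("not_ssh", repr(line))

if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python3 probe.py <WLC IP address> [port]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 830
    state, detail = probe_netconf_ssh(sys.argv[1], target_port)
    print(f"{state}: {detail}")
    print(HINTS.get(state, "unexpected answer: confirm the port really is NETCONF over SSH"))
```

A "no_banner" result corresponds to the "Connection reset by peer" seen during ssh_exchange_identification, while "ssh_banner" means the failure lies later, at authentication or authorization.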

When debugging in the WLC I get this message. I'm not sure of what trustpoint or cert the netconf session is requesting??

I now cleared all existing old trustpoints from the device but it still gives me this message.

 


[Tue Nov 26 11:52:17 UTC] maglev@192.168.x.x (maglev-master-192-168-x.x) ~
$ ssh -p 830 nxxxx@10.x.x.x -s netconf
ssh_exchange_identification: read: Connection reset by peer

 

Error message from eWLC:

Nov 26 11:52:01.670 Central: %DMI-3-NETCONF_SSH_ERROR: Chassis 1 R0/0: ncsshd_bp: NETCONF/SSH: error: Trustpoint does not have a cert

 

Hi!

 

I removed the netconf-yang and readded the command, removed the WLC and rediscovered it. Now it's able to connect using netconf. Case closed.

 

Thanks for all details.
