Solved: Re: show telemetry internal connection state 'Disconnecting'

jegan_rajappa · ‎06-24-2021

Does anyone have any advise?

marce1000 · ‎06-29-2021

- You may want to reboot the controller 'if times permit' , check if the problem remains afterwards.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

View solution in original post

Grendizer · ‎06-29-2021

If you want to delete PI from the 9800, delete the 9800 from PI Network devices then follow the cli commands (Delete all the telemetry subscription from the WLC configuration) in this doc: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214286-managing-catalyst-9800-wireless-controll.html#anc21
If you need to fix the telemetry between 9800 and PI check the below notes:
Note 1: Netconf on 9800 uses the default method (and you cannot change this) for both aaa authentication login as well as aaa authorization exec.
Note 2: The IP address of the WLC that you add in Prime Infrastructure must be the IP address used as "wireless management interface". Prime Infrastructure IP address must be reachable from that wireless management interface on the controller side. If the controller has a service port (gig0/0 on appliances) with an IP in the range of the Prime Infrastructure, the WLC will not be able to to reach Prime. We can't source the Netconf traffic from the service port (OOB port). Network Mobility Service Protocol NMSP and NetFlow and streaming telemetry are not supported thru the Service Port.
Note 3: Prime Infrastructure does not support being dual-homed and will not listen for telemetry on its second port.
Note 4: there is problem with PI 3.8 and 9800 netconf, so you have to use PI version 3.8.1 or after.
Note 5: if the 9800 is showing from PI as Telemetry Status Failed then this tells you that there is problem sending Netconf from the 9800 to the PI:
[cid:image005.jpg@01D76CE9.6D92DC80]
to fix it just double check if netconf is enabled form the 9800:
#sh run | i netconf
and the aaa commands are correct and using the default method, if you're using TACACS then you can use something as below:
aaa authorization exec default local group ISE-Group-TACACS
aaa authentication login default local group ISE-Group-TACACS
with above commands, you will be able to use the local accounts and the TACACS accounts at the same time.
OR use:
aaa authorization exec default group ISE-Group-TACACS local
aaa authentication login default group ISE-Group-TACACS local
With above commands, you will not be able to use the local accounts as long as the TACACS is active and the 9800 can reach it.
to test the connectivity from PI using netconf
Prime_Infrastructure# ssh <9800_ip_address_added_to_primeinfra> port 830
type to end the session
Note 6: Make sure the Firewall is not blocking the below ports:
[cid:image006.jpg@01D76CE9.6D92DC80]

View solution in original post

marce1000 · ‎06-24-2021

- Used for management by Prime, I think. Is the Prime server up and running ?

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

jegan_rajappa · ‎06-29-2021

Yes, prime is up and running, prime and wlc connection is active for all other wlc's except the one wlc.

tried to negate all those telemetry subscription, still status is disconnecting

marce1000 · ‎06-29-2021

- You may want to reboot the controller 'if times permit' , check if the problem remains afterwards.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

jegan_rajappa · ‎07-09-2021

Finally fixed telemetry connection issues, here is the steps I performed

Deleted all the telemetry subscription with below mentioned script
Reloaded the controllers without outage by passing active role to standby chassis by executing following command 'redundancy force-switchover'
Resynced the controllers in prime

Delete all the telemetry subscription from the WLC configuration

WLC#term shell
WLC#function removeall() {
for id in `sh run | grep telemetry | cut -f4 -d' '`
do
conf t
no telemetry ietf subscription $id
exit
done
}
WLC#removeall

Grendizer · ‎06-28-2021

This can be Prime or DNAC or DNA Spaces connector, which one is yours from those?

jegan_rajappa · ‎06-29-2021

Its prime, tried to negate all those telemetry subscription, still status is disconnecting, is there any way to fix it except reloading the wlc?

Grendizer · ‎06-29-2021

If you want to delete PI from the 9800, delete the 9800 from PI Network devices then follow the cli commands (Delete all the telemetry subscription from the WLC configuration) in this doc: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214286-managing-catalyst-9800-wireless-controll.html#anc21
If you need to fix the telemetry between 9800 and PI check the below notes:
Note 1: Netconf on 9800 uses the default method (and you cannot change this) for both aaa authentication login as well as aaa authorization exec.
Note 2: The IP address of the WLC that you add in Prime Infrastructure must be the IP address used as "wireless management interface". Prime Infrastructure IP address must be reachable from that wireless management interface on the controller side. If the controller has a service port (gig0/0 on appliances) with an IP in the range of the Prime Infrastructure, the WLC will not be able to to reach Prime. We can't source the Netconf traffic from the service port (OOB port). Network Mobility Service Protocol NMSP and NetFlow and streaming telemetry are not supported thru the Service Port.
Note 3: Prime Infrastructure does not support being dual-homed and will not listen for telemetry on its second port.
Note 4: there is problem with PI 3.8 and 9800 netconf, so you have to use PI version 3.8.1 or after.
Note 5: if the 9800 is showing from PI as Telemetry Status Failed then this tells you that there is problem sending Netconf from the 9800 to the PI:
[cid:image005.jpg@01D76CE9.6D92DC80]
to fix it just double check if netconf is enabled form the 9800:
#sh run | i netconf
and the aaa commands are correct and using the default method, if you're using TACACS then you can use something as below:
aaa authorization exec default local group ISE-Group-TACACS
aaa authentication login default local group ISE-Group-TACACS
with above commands, you will be able to use the local accounts and the TACACS accounts at the same time.
OR use:
aaa authorization exec default group ISE-Group-TACACS local
aaa authentication login default group ISE-Group-TACACS local
With above commands, you will not be able to use the local accounts as long as the TACACS is active and the 9800 can reach it.
to test the connectivity from PI using netconf
Prime_Infrastructure# ssh <9800_ip_address_added_to_primeinfra> port 830
type to end the session
Note 6: Make sure the Firewall is not blocking the below ports:
[cid:image006.jpg@01D76CE9.6D92DC80]