Leaf stuck in Inactive state during initial fabric discovery

ramu.gajula · ‎09-20-2021

Hello Experts,

Need your help here please.

One of our leaf switches(leaf1) is stuck in inactive state during the fabric discovery. I have tried decommissioning/wiping off the leaf completely/changing the node ID as suggested by Cisco TAC., But no luck. When i tried "openssl s_client -state -connect leaf1:12440", I clearly see leaf1 is not presenting the full certificate chain like the other leaf did. Below is the snippet from the output. I would like to know if it has to do with the certs or if i am missing anything here. Thank you.

Inactive Leaf:

Certificate chain
0 s:/C=US/ST=CA/L=SanJose/O=Insieme Networks/CN=Insieme
i:/C=XX/L=Default City/O=Default Company Ltd

Active Leaf:

Certificate chain
0 s:/serialNumber=PID:N9K-C93180YC-FX SN:XXXXXXX/CN=XXXXXXX
i:/O=Cisco Systems/CN=Cisco Manufacturing CA
1 s:/O=Cisco Systems/CN=Cisco Manufacturing CA
i:/O=Cisco Systems/CN=Cisco Root CA 2048
2 s:/O=Cisco Systems/CN=Cisco Root CA 2048
i:/O=Cisco Systems/CN=Cisco Root CA 2048

Davideczech63 · ‎09-21-2021

Hello Ramu,

This is kinda a long shot since I don't have any more details, but what is the time on the leaf?

ramu.gajula · ‎09-21-2021

Hello David,

Thanks for your response. The time was same on all the nodes. TAC generated a cert and installed, without any luck. The leaf node just won't take the new cert and SSL handshake fails with apic. We had to proceed with the RMA.

Ali Aghababaei · ‎09-24-2021

Hi @ramu.gajula

Can you run the "show diagnostic result module all " and "show diagnostic result module all detail" commands on your mentioned switch and share the result?
Maybe rtc-test parameter goes fail.

Regards,

Ali