03-27-2022 09:42 PM - edited 03-27-2022 09:44 PM
Hi Friends,
In my inventory list in DNAC, I have three switches with the error "Netconf connection failure" in the manageability column. I checked and did all the things that DNAC suggested, but I still have this error. In addition, I have the log below in the CLI:
66495: 066422: Mar 27 08:20:37.484: Switch 1 R0/0: ncsshd_bp: NETCONF/SSH: fatal: mm_answer_sign: Xkey_sign failed: error in libcrypto
DNA Software version is 2.2.3.4 and switch IOS-XE version is 17.3.3
I searched and found a bug related to this error.
The screenshots of the error.
Do you have any idea how to solve this problem?
Thank you in advance for your reply.
03-28-2022 06:59 AM
For the quickest resolution, I recommend opening up a TAC case to have them assist with performing the necessary debugs and troubleshooting to provide a root cause. This is a fairly common error that TAC is used to troubleshooting. This error is typically seen when the key to the trustpoint tied to the http/netconf process is incorrect or missing.
When troubleshooting netconf issues, I like to take a tcpdump on the DNAC CLI along with capturing the following logs from the switch:
debug netconf-yang level debug
debug netconf all
show logging profile netconf internal level debug to-file flash:netconf.txt
I recommend collecting the debugs above & tcpdump from DNAC CLI in order to attach them to the TAC case you open.
09-20-2023 06:17 PM
Hello, thank you very much, it did work for me, BUT IT MUST BE STRESSED THAT THOSE 5 MINUTES DO NEED TO BE TAKEN INTO ACCOUNT BEFORE RESYNCING...
09-23-2022 03:54 AM
Hello, I had this issue, too.
My solution was:
Inventory --> Actions --> Telemetry --> Update Telemetry Settings --> Check Box "Force Configuration Push" --> Next
Wait five minutes and resync the switch.
01-02-2023 04:02 AM
Solution: Update Telemetry Settings, then check the box "Force Configuration Push", then resync.
03-27-2023 03:00 AM
I have exactly the same problem as the OP and the "Force Configuration Push" solution did NOT work for me. I still see:
%DMI-2-NETCONF_SSH_CRITICAL: Switch 1 R0/0: ncsshd_bp: NETCONF/SSH: [pid(30457)] fatal: mm_answer_sign: Xkey_sign failed: error in libcrypto
I guess it's another TAC case then.
09-11-2023 04:11 AM
If you use ISE, don't forget: without default, SSH to port 830 does not work and you get a wrong password error. Try SSH to ip:830 and test it.
aaa authentication login default group ISE local
aaa authorization exec default group ISE local
10-31-2023 08:35 PM
I had this same issue on 3 switches today. AAA was correct for netconf and the "Force Configuration Push" from DNAC did not fix the issue (I didn't try opening a TAC case...). In my case the fix was as follows:
For one switch this was enough to fix it:
Like this:
conf t
no netconf-yang
crypto key generate rsa modulus 2048
netconf-yang
For the other 2 switches, when I re-enabled netconf it threw another error, like this:
yang-infra: ERROR: Primary trustpoint is not usable for NETCONF: sdn-network-infra-iwan
So I removed the sdn-network-infra-iwan trustpoint, which was put there by DNAC (DNAC can re-add it once netconf access is sorted):
no crypto pki trustpoint sdn-network-infra-iwan
Then did the above steps to disable/regenerate SSH key/re-enable netconf. These might not be the optimal steps but I only had these few switches to test on.
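For triaging logs collected from several switches, an added example (not from any poster in this thread or from Cisco) that scans for the two error signatures quoted above. The function names and the sample log are constructed here, and the hints only restate what the replies report.

```python
import re

# Constructed sample: the three log lines quoted in this thread plus one
# unrelated line (also constructed) to show that noise is ignored.
SAMPLE_LOG = """\
66495: 066422: Mar 27 08:20:37.484: Switch 1 R0/0: ncsshd_bp: NETCONF/SSH: fatal: mm_answer_sign: Xkey_sign failed: error in libcrypto
%DMI-2-NETCONF_SSH_CRITICAL: Switch 1 R0/0: ncsshd_bp: NETCONF/SSH: [pid(30457)] fatal: mm_answer_sign: Xkey_sign failed: error in libcrypto
yang-infra: ERROR: Primary trustpoint is not usable for NETCONF: sdn-network-infra-iwan
Mar 27 08:21:02.100: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Signing failure logged by the NETCONF SSH daemon; the pid field is optional.
SIGN_FAIL = re.compile(
    r"ncsshd_bp: NETCONF/SSH: (?:\[pid\((?P<pid>\d+)\)\] )?"
    r"fatal: mm_answer_sign: \S+ failed")
# Error seen in the thread when netconf-yang is re-enabled.
BAD_TRUSTPOINT = re.compile(
    r"Primary trustpoint is not usable for NETCONF: (?P<tp>\S+)")


def triage(log_text):
    """Count signing failures and collect pids and unusable trustpoints."""
    found = {"sign_failures": 0, "pids": set(), "trustpoints": set()}
    for line in log_text.splitlines():
        m = SIGN_FAIL.search(line)
        if m:
            found["sign_failures"] += 1
            if m.group("pid"):
                found["pids"].add(m.group("pid"))
        m = BAD_TRUSTPOINT.search(line)
        if m:
            found["trustpoints"].add(m.group("tp"))
    return found


def next_checks(found):
    """Map findings to the checks reported in this thread (hypothetical helper)."""
    checks = []
    if found["sign_failures"]:
        checks.append("verify the RSA key / trustpoint key used by NETCONF SSH")
    for tp in sorted(found["trustpoints"]):
        checks.append(f"trustpoint {tp} reported unusable for NETCONF")
    return checks


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for item in next_checks(result):
        print("-", item)
```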
12-12-2023 04:36 AM
Thanks noziwatele, these steps worked for me.