Netconf Connection failure

JohnJudi
Level 1

Hi Friends,

In my inventory list in DNAC, I have three switches with the error "Netconf connection failure" in the manageability column. I checked and did all the things that DNAC suggested, but I still have this error. In addition, I see the log below in the CLI:

66495: 066422: Mar 27 08:20:37.484: Switch 1 R0/0: ncsshd_bp: NETCONF/SSH: fatal: mm_answer_sign: Xkey_sign failed: error in libcrypto

 

DNA Center software version is 2.2.3.4 and the switch IOS-XE version is 17.3.3.

I searched and found a bug related to this error.

[Image: Bug search.jpeg]

Screenshots of the error:

[Images: netconf.PNG, netconf2.PNG]

Do you have any idea how to solve this problem?

Thank you in advance for your reply.

 

 

Accepted Solution

Dan Rowe
Cisco Employee

For the quickest resolution, I recommend opening up a TAC case to have them assist with performing the necessary debugs and troubleshooting to provide a root cause. This is a fairly common error that TAC is used to troubleshooting. This error is typically seen when the key to the trustpoint tied to the http/netconf process is incorrect or missing.

When troubleshooting netconf issues, I like to take a tcpdump on the DNAC CLI along with capturing the following logs from the switch:

debug netconf-yang level debug
debug netconf all
show logging profile netconf internal level debug to-file flash:netconf.txt

I recommend collecting the debugs above & tcpdump from DNAC CLI in order to attach them to the TAC case you open.

8 Replies


Hi, thanks a lot, it worked for me, BUT IT MUST BE STRESSED THAT YOU DO HAVE TO ALLOW FOR THOSE 5 MINUTES BEFORE RESYNCING AGAIN...

cth
Level 1

Hello, I had this issue, too.

My solution was:

Inventory --> Actions --> Telemetry --> Update Telemetry Settings --> Check Box "Force Configuration Push" --> Next

Wait five minutes and resync the switch.
jwannaman1
Level 1

Solution: Update Telemetry Settings, then check the box "Force Configuration Push", then resync.

andy-uos
Level 1

I have exactly the same problem as the OP and the "Force Configuration Push" solution did NOT work for me. I still see:
%DMI-2-NETCONF_SSH_CRITICAL: Switch 1 R0/0: ncsshd_bp: NETCONF/SSH: [pid(30457)] fatal: mm_answer_sign: Xkey_sign failed: error in libcrypto

I guess it's another TAC case then.

If you use ISE, don't forget: without the default method lists, SSH to port 830 does not work and you get a wrong-password error. Try SSH to ip:830 and test it.

aaa authentication login default group ISE local

aaa authorization exec default group ISE local
noziwatele
Level 1

I had this same issue on 3 switches today. AAA was correct for netconf and the "Force Configuration Push" from DNAC did not fix the issue (I didn't try opening a TAC case...). In my case the fix was as follows.

For one switch this was enough to fix it:

  1. Disable netconf
  2. Regenerate the SSH key
  3. Re-enable netconf

Like this:

conf t
no netconf-yang
crypto key generate rsa modulus 2048
netconf-yang

 

For the other 2 switches, when I re-enabled netconf it threw another error, like this:

yang-infra: ERROR: Primary trustpoint is not usable for NETCONF: sdn-network-infra-iwan

So I removed the sdn-network-infra-iwan trustpoint, which was put there by DNAC (DNAC can re-add it once netconf access is sorted):

no crypto pki trustpoint sdn-network-infra-iwan

Then did the above steps to disable/regenerate SSH key/re-enable netconf. These might not be the optimal steps but I only had these few switches to test on.
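A defender-side check for the two failure signatures and the AAA prerequisite discussed in this thread, as an added example that is not code from the thread or from Cisco: it tags the `Xkey_sign failed` and "Primary trustpoint is not usable" log lines in a syslog capture, and audits a running-config excerpt for `netconf-yang` and the default AAA login/exec method lists that the ISE reply above says NETCONF on port 830 depends on. The syslog lines and config excerpts are constructed from the messages quoted in the thread; the function names are my own.

```python
import re

# Constructed sample syslog; lines 1, 2 and 4 reproduce the error texts quoted in
# this thread, line 3 is an unrelated message used as a negative case.
SAMPLE_SYSLOG = """\
66495: 066422: Mar 27 08:20:37.484: Switch 1 R0/0: ncsshd_bp: NETCONF/SSH: fatal: mm_answer_sign: Xkey_sign failed: error in libcrypto
%DMI-2-NETCONF_SSH_CRITICAL: Switch 1 R0/0: ncsshd_bp: NETCONF/SSH: [pid(30457)] fatal: mm_answer_sign: Xkey_sign failed: error in libcrypto
Mar 27 08:21:02.110: %SYS-5-CONFIG_I: Configured from console by admin on vty0
yang-infra: ERROR: Primary trustpoint is not usable for NETCONF: sdn-network-infra-iwan
"""

XKEY_SIGN_RE = re.compile(r"NETCONF/SSH:.*mm_answer_sign: Xkey_sign failed: error in libcrypto")
TRUSTPOINT_RE = re.compile(r"Primary trustpoint is not usable for NETCONF: (\S+)")


def classify_netconf_log(line):
    """Return a short tag for a NETCONF failure signature, or None for unrelated lines."""
    if XKEY_SIGN_RE.search(line):
        # The SSH key bound to the NETCONF daemon could not sign: the key/trustpoint
        # problem described in the accepted answer.
        return "ssh-key-sign-failure"
    m = TRUSTPOINT_RE.search(line)
    if m:
        # NETCONF refused to start because its primary trustpoint is unusable.
        return "trustpoint-unusable:" + m.group(1)
    return None


def scan_syslog(text):
    """Return (line_number, tag) for every NETCONF failure line in a syslog capture."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tag = classify_netconf_log(line)
        if tag:
            findings.append((lineno, tag))
    return findings


# Constructed running-config excerpts. The first has only named (per-line) AAA method
# lists; the second adds the default lists quoted in the thread.
CONFIG_NAMED_LISTS_ONLY = """\
aaa new-model
aaa authentication login VTY_LOGIN group ISE local
aaa authorization exec VTY_EXEC group ISE local
crypto pki trustpoint sdn-network-infra-iwan
line vty 0 4
 login authentication VTY_LOGIN
 authorization exec VTY_EXEC
netconf-yang
"""

CONFIG_WITH_DEFAULT_LISTS = CONFIG_NAMED_LISTS_ONLY + """\
aaa authentication login default group ISE local
aaa authorization exec default group ISE local
"""


def audit_netconf_config(config):
    """Return human-readable findings for the NETCONF prerequisites discussed in the thread."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = []
    if "netconf-yang" not in lines:
        findings.append("netconf-yang is not enabled")
    if "aaa new-model" in lines:
        # Named lists applied under 'line vty' do not cover the NETCONF SSH server;
        # it authenticates and authorizes against the default lists.
        if not any(l.startswith("aaa authentication login default ") for l in lines):
            findings.append("no 'aaa authentication login default' list; "
                            "NETCONF over SSH (port 830) uses the default list")
        if not any(l.startswith("aaa authorization exec default ") for l in lines):
            findings.append("no 'aaa authorization exec default' list")
    return findings


if __name__ == "__main__":
    for lineno, tag in scan_syslog(SAMPLE_SYSLOG):
        print(f"syslog line {lineno}: {tag}")
    for finding in audit_netconf_config(CONFIG_NAMED_LISTS_ONLY):
        print("config finding:", finding)
```

Run it against the output of `show logging` and `show running-config | section aaa|netconf-yang|crypto pki trustpoint` from each switch flagged in DNAC; a `trustpoint-unusable` tag names the trustpoint that the steps above remove and let DNAC re-add.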

 

Thanks noziwatele, these steps worked for me.
