Successful PNP - Job but APIC dashboard shows error?

John Palmason (Level 4)

Hello, I am working my way through testing the PNP features of APIC-EM and so far I am very impressed with what has been released to date.  I am working on a project to replace 400 switches and 100 routers and believe the PNP will save us hours of work and bring the level of automation and consistency for our company way up.

I would like some help to understand an error I am getting on a test PNP WS-C3850-48P job.  I am only doing a very simple project with one switch, a code upgrade and a base switch configuration.  I am using a basic option 43 (ip address via port 80) method for now and I can confirm that the switch does receive the selected IOS image and the base configuration is applied to my lab switch from the project.  If I didn't see the status of error on the dashboard I would have thought my test was successful, but I wonder if anybody understands this error I am receiving on my controller: 

Received response from pnp agent for message correlatorId: CiscoPnP-1.0-2589-324-3D89CC5C-2589 but with error code : ZTD_CMD_ERROR Response String: PERMISSION_DENIED:authorization failed

I haven't provided APIC-EM with any other information about this switch other than the details outlined in the project, so I am not sure what part of my job is failing authorization? I am able to login to the switch with our AAA commands as if it was part of the network.  Does APIC-EM try to run a discovery of the host after a successful deploy?  If so, I have updated the ACLs we use to control SNMP/SSH traffic to and from network devices.

Looking forward to hearing what others have to say.

Thank you in advance for reading my post.

John Palmason

Accepted Solution

aradford (Cisco Employee)

Hi John,

this is a known issue with PnP.

The problem is the 'aaa command authorisation' command.  Long story as to why this is the case, but this will be causing the issue.

If you remove this from the pnp-config it should be fine.

The config will be successfully deployed to the device, it is just that the controller does not think it has been.

The team is working on fixing this in future releases.

Adam
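As an added example (not code from this thread or from Cisco), here is a small triage helper for the controller message John quoted: it parses lines of that shape, pulls out the correlatorId, error code and response string, and separates the authorization false-failure Adam describes (config applied, job marked failed) from other ZTD_CMD_ERROR responses. The lines in SAMPLE_LOG are constructed for the example; only the first is the one from the thread, and the second correlatorId and its "% Invalid input" response are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of controller log lines. The first is the message quoted in
# the thread; the other two are made up here to exercise the parser.
SAMPLE_LOG = [
    "Received response from pnp agent for message correlatorId: "
    "CiscoPnP-1.0-2589-324-3D89CC5C-2589 but with error code : ZTD_CMD_ERROR "
    "Response String: PERMISSION_DENIED:authorization failed",
    "Received response from pnp agent for message correlatorId: "
    "CiscoPnP-1.0-0001-001-00000000-0001 but with error code : ZTD_CMD_ERROR "
    "Response String: % Invalid input detected at '^' marker.",
    "Received response from pnp agent for message correlatorId: "
    "CiscoPnP-1.0-0002-002-00000000-0002",
]

# Shape of the error message as it appears in the thread:
#   ... correlatorId: <id> but with error code : <CODE> Response String: <text>
PNP_ERROR_RE = re.compile(
    r"correlatorId:\s*(?P<cid>\S+)\s+but with error code\s*:\s*(?P<code>\S+)"
    r"\s+Response String:\s*(?P<resp>.*?)\s*$"
)

# Response string the thread identifies as the command-authorization false failure.
KNOWN_AUTHZ_FAILURE = "PERMISSION_DENIED:authorization failed"


@dataclass
class PnpFailure:
    correlator_id: str
    error_code: str
    response: str
    verdict: str


def classify(error_code: str, response: str) -> str:
    """Map (error code, response string) to a follow-up action."""
    if error_code == "ZTD_CMD_ERROR" and response == KNOWN_AUTHZ_FAILURE:
        # Adam's case: the config was applied, but the agent's CLI session was
        # denied by 'aaa authorization commands', so the controller marks the job failed.
        return "check-device: config likely applied; command authorization in pushed config"
    if error_code == "ZTD_CMD_ERROR":
        return "config-error: a pushed command was rejected on the device"
    return "other: unrecognised PnP error code"


def parse_failure(line: str) -> Optional[PnpFailure]:
    """Return a PnpFailure for an error line, or None for lines without an error."""
    m = PNP_ERROR_RE.search(line)
    if m is None:
        return None
    return PnpFailure(m["cid"], m["code"], m["resp"], classify(m["code"], m["resp"]))


def triage(lines: List[str]) -> List[PnpFailure]:
    return [f for f in map(parse_failure, lines) if f is not None]


def needs_device_check(lines: List[str]) -> List[str]:
    """Correlator IDs whose 'failure' is the known false negative; verify on the device."""
    return [f.correlator_id for f in triage(lines) if f.verdict.startswith("check-device")]


if __name__ == "__main__":
    for failure in triage(SAMPLE_LOG):
        print(f"{failure.correlator_id}: {failure.verdict}")
```

The verdict is deliberately "check the device", not "success": the thread establishes that the config was applied in John's case, but a job flagged this way still needs the running config confirmed before the device is treated as provisioned.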


Great news, thank you Adam. I will remove the AAA settings and redeploy the test job.  Just as a test, I was successful in using my AAA credentials to log into the switch once deployed.  I am very new to the APIC-EM world and doing my best to get up to speed. Is this the correct forum for these kinds of questions?  I am not a developer (yet), more of an administrator, and noticed most questions are based around scripting etc.

Thanks for your support, it's really great to have answers from the person I have been learning from off the Cisco Live VODs.

Cheers, and keep up the good work.

Thanks John.

You only need to remove the command authorization command.  You can still configure authentication and that should work.

This forum is fine for non-developer questions as well.  We have a great community here, and all questions are welcome.

If you have this question, chances are other people will also have it.

Thanks for asking questions and giving us the chance to make the product awesome.

Adam

Perfect, thanks for clearing that up. Here is what I have done based on your recommendations.

I have removed the struck-through commands from my template.

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ none
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting update periodic 1
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
no aaa accounting system guarantee-first

I deleted the old configurations and project, reran a new project, and this time it completed without errors.

Thank you

JP

Does anyone know if this software bug has been resolved by Cisco?  I am running APIC-EM version 1.3.3.126 and experiencing the same problem.  Does the latest APIC-EM 1.4.x release fix this?

Thanks in advance!

aradford (Cisco Employee)

Hi Peter,

There is a work around.  You need to have an updated version of IOS on your device too, as there was an agent side fix required too.

The post has all the details about the workaround: Network Automation with Plug and Play (PnP) – Part 7

Thank you, Aradford!!

Using the EEM script worked. 

Added the following at the end of the config to be pushed to the provisioning equipment.  Replaced "sdn2" with an existing TACACS account with privilege level 15.

! account the applet's CLI session runs as
event manager session cli username sdn2 privilege 15
event manager applet POST_PNP
 ! fire once, 30 seconds after this config is applied
 event timer countdown time 30
 action 1.0 cli command "enable"
 action 1.1 cli command "debug event manager action cli"
 action 1.2 cli command "debug aaa authorization"
 action 1.8 cli command "config t"
 ! re-apply command authorization now that PnP has finished
 action 2.1 cli command "aaa authorization commands 1 default group ISE-T if-authenticated"
 action 2.2 cli command "aaa authorization commands 15 default group ISE-T if-authenticated"
 ! remove the applet so it only runs once, then save
 action 2.3 cli command "no event manager applet POST_PNP"
 action 2.8 cli command "end"
 action 2.9 cli command "wr mem"
 action 3.0 cli command "end"

aradford (Cisco Employee)

Awesome.

I would remove the debug commands for production.

action 1.1 cli command "debug event manager action cli"

action 1.2 cli command "debug aaa authorization"

Adam

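The two halves of the workaround in this thread (John's trimmed template earlier, and the post-PnP EEM applet in the reply above) can be produced from one source template. The following is an added example, not code from the thread or from Cisco: it splits out the `aaa authorization commands N` and `aaa authorization config-commands` lines from a template and emits an EEM countdown applet, modelled on the one posted above but without the debug commands, that re-applies them after PnP has finished. Treating `aaa authorization config-commands` as part of command authorization is an assumption (the strikethrough marking in John's post did not survive extraction, so the exact lines he dropped are not visible). The session user `sdn2`, the applet name `POST_PNP` and the 30-second delay are placeholders taken from the thread.

```python
import re
from typing import List, Tuple

# Template lines taken from John's post in this thread (blank lines dropped).
SAMPLE_TEMPLATE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ none
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting update periodic 1
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
no aaa accounting system guarantee-first
"""

# Command-authorization lines the thread says make the PnP agent report
# PERMISSION_DENIED. Assumption: 'aaa authorization config-commands' belongs to
# the same family and is deferred too.
CMD_AUTHZ_RE = re.compile(r"^\s*aaa authorization (?:commands \d+|config-commands)\b")


def split_template(template: str) -> Tuple[List[str], List[str]]:
    """Separate a template into lines safe to push during PnP and the
    command-authorization lines to apply afterwards."""
    safe: List[str] = []
    deferred: List[str] = []
    for line in template.splitlines():
        (deferred if CMD_AUTHZ_RE.match(line) else safe).append(line.rstrip())
    return safe, deferred


def post_pnp_applet(deferred: List[str], username: str,
                    delay: int = 30, name: str = "POST_PNP") -> List[str]:
    """EEM countdown applet that re-applies the deferred lines once PnP is done,
    then removes itself and saves. 'username' must be a privilege-15 account the
    device can authenticate (TACACS or local) at the moment the timer fires."""
    applet = [
        f"event manager session cli username {username} privilege 15",
        f"event manager applet {name}",
        f" event timer countdown time {delay}",
        ' action 1.0 cli command "enable"',
        ' action 1.1 cli command "configure terminal"',
    ]
    # Zero-padded labels: EEM runs actions in label order compared as strings,
    # so a template with more than nine deferred lines must not sort "2.10" before "2.2".
    for i, cmd in enumerate(deferred, start=1):
        applet.append(f' action 2.{i:02d} cli command "{cmd}"')
    applet += [
        f' action 3.0 cli command "no event manager applet {name}"',
        ' action 3.1 cli command "end"',
        ' action 3.2 cli command "write memory"',
    ]
    return applet


def prepare(template: str, username: str, delay: int = 30) -> str:
    """Text to hand to the PnP project: safe lines first, then the applet
    (only when something was deferred)."""
    safe, deferred = split_template(template)
    if not deferred:
        return "\n".join(safe)
    return "\n".join(safe + [""] + post_pnp_applet(deferred, username, delay))


if __name__ == "__main__":
    print(prepare(SAMPLE_TEMPLATE, "sdn2"))
```

Authentication and accounting stay in the PnP-time config, matching Adam's advice that only command authorization needs to wait. The applet is the only window in which the device runs without command authorization, so keep the delay short and make sure the session account exists with privilege 15 before the timer fires; if it does not, the re-applied `aaa authorization commands` lines can deny the applet's own later actions, including the `write memory`.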

Hi Aradford,

Thank you for the information.

One question: is this fixed in APIC-EM 1.6 and the PnP 1.6 versions?
Or do you still suggest using the EEM script there?

Amal

Hi Amal,

there are two requirements to solve the issue.  One is on the APIC-EM side.  This was done quite a while ago, so 1.6 should be fine.

The other is in the IOS on the device itself.  Which devices are you looking at?

Adam

Hi Aradford,

Thanks for the quick reply.

We use c3560cx (c3560cx-universalk9-mz.152-4.E5.bin) and APIC-EM 1.6

Amal
