Posted on December 13, 2021 3:31 pm | Asked by Sergej Pioch
I’m trying to add two more (new) devices to CloudVision. They don’t appear in the ‘Undefined’ container, as always. Instead I see log messages at the console:

Dec 13 09:12:03 sw-10 Sending request to https://<cvp ip>/cvpservice/services/ztp/config [56]
Dec 13 09:12:04 sw-10 running commands enable#012bash bash -c "bash /var/tmp/agents/tmpYRq1M9/curlOutput" errMsg #012> bash bash -c "bash /var/tmp/agents/tmpYRq1M9/curlOutput"#012#012% 'bash -c "bash /var/tmp/agents/tmpYRq1M9/curlOutput"' returned error code: 60 at line 2
Dec 13 09:12:04 sw-10 Error sending ztp config request: #012> bash bash -c "bash /var/tmp/agents/tmpYRq1M9/curlOutput"#012#012% 'bash -c "bash /var/tmp/agents/tmpYRq1M9/curlOutput"' returned error code: 60 at line 2

Connecting to the ztp pod on CVP Server I see the following messages in the ‘ztp.stderr.log’:

I1213 14:02:04.802547 8 bootstrap_service.go:544] Device JPE is not in the whitelist
I1213 14:02:04.807497 8 bootstrap_service.go:519] allowAllDevices key is not present, defaulting to whitelist disable
I1213 14:02:04.890072 8 ztp.go:371] found device JPE with same mac address c4:ca: as new ZTP dev JPE

The devices appear in the inventory in the devices overview but are not added to the ‘Undefined’ container, so I am not able to manage them. Is there anything I missed to have these devices provisioned?

Posted by Tamas Plugor
Answered on December 13, 2021 3:35 pm

Hi Sergej,

As you can see, the switch cannot make the API call to CloudVision. Inside that curlOutput file there's a curl command; if you run that command, it will tell you exactly what the problem is (in newer CVP versions, post 2021.2.0+, you'll also see the exact curl error on the UI in the Device page under System - Log messages). The most common reason the above would fail is either a signed cert without the full chain (mostly the case with internal CAs) or SAN IP/SAN DNS missing from the SAN fields of your CVP's nginx certificate. You can correct your cert and import the new one on the UI by following the best practices and guidelines mentioned in this chapter:

Should you have any issues with that, I'd recommend opening a TAC case by emailing support@ and one of us would be more than happy to help out!
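
Added example, not part of either post and not Arista code: a small triage script that decodes the switch log lines quoted in the question and maps the failing exit code to its meaning. It assumes the "returned error code" is the exit status of the curl command inside curlOutput, as the answer describes; the function names are hypothetical and the exit-code meanings are taken from the curl man page.

```python
import re

# curl exit codes relevant to the ZTP HTTPS request (meanings per the curl man page).
CURL_EXIT = {
    6: ("dns", "could not resolve host"),
    7: ("connect", "failed to connect to host"),
    28: ("timeout", "operation timed out"),
    35: ("tls", "TLS handshake failed"),
    51: ("tls-cert", "peer certificate was not OK"),
    60: ("tls-cert", "peer certificate cannot be authenticated with known CA certificates"),
    77: ("tls-cert", "problem reading the CA certificate file"),
}
LINE_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) (.*)$")
URL_RE = re.compile(r"Sending request to (.+?)(?: \[\d+\])?$")
CODE_RE = re.compile(r"returned error code: (\d+)")

def unescape(msg):
    """Turn syslog octal escapes such as '#012' back into the control character."""
    return re.sub(r"#([0-3][0-7]{2})", lambda m: chr(int(m.group(1), 8)), msg)

def triage(lines):
    """Return one finding per (timestamp, device, exit code) seen in the log lines."""
    last_url, seen, findings = {}, set(), []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, msg = m.group(1), m.group(2), unescape(m.group(3))
        url = URL_RE.search(msg)
        if url:
            last_url[host] = url.group(1)
        for code in map(int, CODE_RE.findall(msg)):
            if (ts, host, code) in seen:
                continue  # the quoted log reports the same failure on two lines
            seen.add((ts, host, code))
            kind, meaning = CURL_EXIT.get(code, ("other", "see the curl man page"))
            findings.append({"time": ts, "device": host, "url": last_url.get(host),
                             "exit_code": code, "kind": kind, "meaning": meaning})
    return findings

# Sample input: the three switch log lines quoted in the question above.
SAMPLE = r"""Dec 13 09:12:03 sw-10 Sending request to https://<cvp ip>/cvpservice/services/ztp/config [56]
Dec 13 09:12:04 sw-10 running commands enable#012bash bash -c "bash /var/tmp/agents/tmpYRq1M9/curlOutput" errMsg #012> bash bash -c "bash /var/tmp/agents/tmpYRq1M9/curlOutput"#012#012% 'bash -c "bash /var/tmp/agents/tmpYRq1M9/curlOutput"' returned error code: 60 at line 2
Dec 13 09:12:04 sw-10 Error sending ztp config request: #012> bash bash -c "bash /var/tmp/agents/tmpYRq1M9/curlOutput"#012#012% 'bash -c "bash /var/tmp/agents/tmpYRq1M9/curlOutput"' returned error code: 60 at line 2
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Exit code 60 only says that certificate verification failed; running the curl command by hand, as the answer suggests, shows which check actually failed.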



Posted by Sergej Pioch
Answered on December 14, 2021 6:12 pm

Thanks for your quick answer, Tamas! I just put the cert chain together (the root CA cert was indeed missing) and uploaded it to CVP using the GUI, as suggested by the cv-https-certificates-setup document. Unfortunately this did not do the whole trick - but sadly, when one comes to another it gets even worse. Before finishing my investigations we had to shut down the whole CVP services due to the log4j vulnerability. I will come back as soon as possible.

