Wireless Access

 View Only
last person joined: 11 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Failing command in configuration

Jump to Best Answer
This thread has been viewed 43 times
  • 1.  Failing command in configuration

    Posted Oct 26, 2021 12:57 PM
    AOS 8.7.1.5
    10x cluster
    7x backup cluster

    We have an alert for nearly all of our controllers on our MM which has been there for a while:

    MM Alert


    We deleted "AOSwildcard21" some time ago. The cert we use now is "AOSwild21". I found that there is still a reference to the old cert in the web-server profile (on all but one of our MCs, strangely), which I assume is the problem. But I can't seem to delete that reference in the web-server profile, or change it so that it references the new cert, this is the profile on one of the boxes:

    (UWS-MC-B1) #show web-server profile

    Web Server Configuration (Invalid: Error: server certificate "AOSwildcard2021" not found)
    -----------------------------------------------------------------------------------------
    Parameter Value
    --------- -----
    Cipher Suite Strength high
    SSL/TLS Protocol Config tlsv1.2
    Switch Certificate AOSwildcard2021
    Captive Portal Certificate AOSwild21
    IDP Certificate default
    Management user's WebUI access method username/password
    User absolute session timeout <30-3600> (seconds) 0
    User session timeout <30-3600> (seconds) 180
    Maximum supported concurrent clients <25-320> 240
    Enable WebUI access on HTTPS port (443) true
    Enable bypass captive portal landing page false
    Exclude Security Headers from HTTP Response false
    VIA client-cert port number 8085

    I tried changing the web-server profile at our md/uws level, and at levels below, down to the individual MCs (on the MM). But although it looked like the change was accepted on the MM the config never finds its way to the MC:

    (UWS-MM-8A) [mynode] (config) #cd UWS-MC-B2
    (UWS-MM-8A) [00:1a:1e:xx:xx:xx] (config) #web-server profile
    (UWS-MM-8A) [00:1a:1e:xx:xx:xx] (Web Server Configuration) #switch-cert AOSwild21
    (UWS-MM-8A) [00:1a:1e:xx:xx:xx] (Web Server Configuration) #no switch-cert
    (UWS-MM-8A) ^[00:1a:1e:xx:xx:xx] (Web Server Configuration) #write mem

    Saving Configuration...

    Configuration Saved.
    (UWS-MM-8A) [00:1a:1e:xx:xx:xx] (Web Server Configuration) #switch-cert AOSwild21
    (UWS-MM-8A) ^[00:1a:1e:xx:xx:xx] (Web Server Configuration) #write mem

    Saving Configuration...

    So I guess the config can't be applied to the boxes because of the existing error.

    For one of the MCs I have got around this by entering disaster recovery mode and applying the change there, now on that box I can see that the switch cert is shown as the new cert. But the second MC I tried failed:

    (DR-Mode) [mm] (Web Server Configuration) #switch-cert AOSwild21
    Error decrementing DS refcount for cert AOSwildcard2021 path /mm

    (DR-Mode) [mm] (Web Server Configuration) #no switch-cert
    Error decrementing DS refcount for cert AOSwildcard2021 path /mm

    So I'm stuck! Can anyone help?

    Thank you
    Guy


    ==================== UPDATE ====================

    Reloading the boxes in the backup cluster then allowed me to enter disaster-recovery mode and make the change above. But if there is a better way then I would be keen to know what I should do - I haven't fixed our live cluster yet and would prefer not to reload the controllers if possible

    ------------------------------
    Guy Goodrick
    ------------------------------



  • 2.  RE: Failing command in configuration

    EMPLOYEE
    Posted Oct 27, 2021 10:04 AM
    You should do a "show configuration effective detail" to determine where the reference exists in your hierarchy.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: Failing command in configuration

    Posted Oct 27, 2021 10:39 AM
    Thanks - ok so on one of the live MDs (which I haven't used my brute force solution on yet) I ran that:

    (UWS-MC-A1) *#show configuration effective detail | include wildcard
    switch-cert AOSwildcard2021 # inherited from [/mm]
    (UWS-MC-A1) *#

    Pretty much everything shows as being /mm if I leave the filter off that command.

    I ran the below, which doesn't help much but confirms the error.

    (UWS-MC-A1) *#show configuration failure

    Configuration Failure
    ---------------------
    Command: no crypto-local pki ServerCert AOSwildcard2021
    Process: Certificate Manager
    Message: Failed to delete instance. Cert is either not present or referencedby an application.
    Total Failures: 1

    Is there any way I can remove that line from the configuration that is being sent from the MM, or something like that?

    ------------------------------
    Guy Goodrick
    ------------------------------



  • 4.  RE: Failing command in configuration

    EMPLOYEE
    Posted Oct 27, 2021 12:35 PM
    Look under the MM tree and see if that is where the configuration is coming from.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 5.  RE: Failing command in configuration

    Posted Oct 28, 2021 10:01 AM
    That's the strange thing - when I look on the MM it all looks fine - the config has the switch-cert set to the new certificate (AOSwild21) at every level. But when I look on the individual MDs (logging into them directly) I can see that they still have the switch-cert set to the old certificate. If I try to change that setting at any level on the MM it doesn't do anything because it already has the right cert configured. But for some reason the "no crypto-local pki ServerCert AOSwildcard2021" command is being attempted and failing and must be somehow blocking the command which would change the switch-cert to the new cert... which would then allow the failing command to work (if that makes sense). A bit of a catch-22. I tried restarting the certmgr process on one of the boxes but that didn't seem to make any difference.

    I might try a reload of the MM just in case that sorts things out

    ------------------------------
    Guy Goodrick
    ------------------------------



  • 6.  RE: Failing command in configuration
    Best Answer

    EMPLOYEE
    Posted Oct 28, 2021 10:58 AM
    On one of the MD, try this: ccm-debug full-config-sync

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 7.  RE: Failing command in configuration

    Posted Oct 28, 2021 11:28 AM
    That is brilliant - seems to work a treat, thanks Colin. I'll try that on all of them.

    ------------------------------
    Guy Goodrick
    ------------------------------



  • 8.  RE: Failing command in configuration

    Posted 29 days ago
    Sorry to hijack the thread. I have the excact same problem as the OP, but the "ccm-debug full-config-sync" doesn't seem to help me...

    The only difference between OP's problem and mine, is that it's the captive portal certificate I have problems with.

    It's only visible directly on the MD,

    (Aruba7210-T) [MDC] *#show configuration effective detail | include wildcard-2020
    captive-portal-cert wildcard-2020 # inherited from [/mm]

    but it's not there:

    (ArubaMM) [mm] #show configuration effective detail | include wildcard-2020
    (ArubaMM) [mm] #


    Any other things to try, when ccm-debug full-config-sync is not working?
    ​​

    Regards,
    Stian

    ------------------------------
    Stian Jordet
    ------------------------------



  • 9.  RE: Failing command in configuration

    EMPLOYEE
    Posted 28 days ago
    Remove the controller from the heirarchy and then add it back again.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 10.  RE: Failing command in configuration

    Posted 12 days ago
    Thank you! That actually seemed to do the trick! :)