Having succesfuly deployed a brand new Cisco 4331 ( isr4300-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bi) the health check message appears.
4331SWA#sho pnp summ
There are no connectivity issues between APIC's VIP and the routers management network.
It's ironic that the downstream Cosco 2960X is in a provisioned state.
The APIC-EM device credentials give the appliance Level 15 access by virtue of vty privilege level 15 commands. Access is limited toi SSH and has been verified from a DHCP Server sat on the APIC-EM's subnet.
do you have "aaa command authorisation" in your configuration file?
Actually, just took a closer look. seems like there was an issue with the configuration file?
Config-Upgrade Task - Last Run ID:7, ST:5202, Result:Failed, LT:263730, ET:14309 ms
Error Code:1413, Msg:[Invalid input detected]
That still might be due to "aaa command authorisation".
Have you tried pasting the config in manually to see where it fails?
Meanwhile, the router has now deployed withouterror although I waiting for the Provisioned Green light in my browser.
The ISR43xx router'd default inclusion of a interface vlan 1 SVI is strange to say the least; I had not stripped it from the deployed config and it generated the error.
Unfortunately I have just received another "PROVISIONING_CONFIG for more than threshold time: 0 hours, 16 minutes, 0 seconds".
written up the issue (and a solution) in this blog post Network Automation with Plug and Play (PnP) – Part 7 It is also addressed in IOS
A couple more things:
1) Can you verify the "show run" is the same as the config you pushed?
2) Can you discover the device (using the discovery process in APIC-EM)?
3) How did you deploy this device? A pre-provisioned rule or Ad-Hoc?
4) is there anything in "show loggin" that is interesting?
Resolution to Service Request 682005792,was achieved by adding an undocumented "ip http client source-interface" configuration command enabling the designated ssub-interface to initiate an xml heartbeat back to APIC-EM. However, the ongoing absence of nvram resident start-up configuration was addressed with the addition of a run-once-self destructing eem script attached to the foot of each and every deployed configuration.
Cisco also advised that manually deployed configurations should not include RSA keys; they are always generated by APIC-EM. Other issues raised include DHCP binding. APIC-EM forms an association using the initial DHCP supplied IP address; the bond is broken if for any reason this adrresss changes.
Since closure of the case my customer has also regained the ability to automatically upgrade IOS during the deployment.