Problem with Connecting APIC-EM to Prime Infrastructure

• Trying to connect APIC-EM controller to Prime infrastructure it fails.
• Two servers is in one subnet. One server can ping another.
•  checked with tcpdump on apic-em side, there was some packets from PI after I added APIC-EM info in PI. But still PI show alarm that Apic server is not reachable.
•  Have double checked APIC-EM credentials.
•  APIC-EM Version 1.3.2.37.
• Prime infrastructure Version 3.0.0.0.78 (Trial)

 The servers communicate over port 443.  Can you verify it is open between the two.

 On second look, you need to use the current release of Prime Infrastructure.

Cisco Prime Infrastructure 3.1 - Cisco

First of all, it is probably better to upgrade PI to the latest patch.  There were some old API being used by PI so that could cause some problems.

 That being said, I think they should at least communicate.

 Can you take a look at the log files on PI?

1) ssh <PI server>

2) get a root shell (shell)

3) cd cd /opt/CSCOlumos/logs

4) take a look at ifm_apic.log

[2017-02-10 06:57:57,934] [seqtaskexecutor-254] [apic] [INFO ] - Thread Id : [27,416] : IFM_APIC_INFO: [getApicController from Persistance - server-10.0.0.01 portNumber-443 userName-admin transportType-https connectionStatus-ERROR]

[2017-02-10 06:57:57,934] [seqtaskexecutor-254] [apic] [INFO ] - Thread Id : [27,416] : IFM_APIC_INFO: [ApicServerStatusTask :: End of executeTask ***** ]

Using trial version, it is only Prime 3.0 version.

 Have replaced real IP of APIC-EM with 10.0.0.01 to paste here.  The real IP is correct.  One thing I realized is that in Administration / Servers / APIC-EM Controller  there is APIC-EM reachability history and every record have duration of 00:00:01, but I restarted APIC-EM server and while it was unreachable the duration was 00:00:18. Would suggest that duration of 00:00:01 sec shows that something drops connection but duration of  00:00:18 sec shows that Prime close connection after some time out. unable to find any logs from APIC-EM side about prime connection.

Tried to create and use another user in APIC-EM with admin rights.

 It is about the only other thing i can thing of at present.  Normally. this just works.

one more thing to try.  From a shell on PI.

 wget -S --header="Content-Type: application/json" --no-check-certificate --post-data '{"username": "admin", "password": "<password>"}' -O- https://<apic-ipaddress>/api/v1/ticket

 change <password> and <apic-ipaddress>

 you should see something like

WARNING: cannot verify x.x.x.x's certificate, issued by `/CN=e44fd808-e2c4-4d5e-ae6d-af878c565e47/C=US/ST=California/L=SanJose/OU=APICEM-SDN/O=Cisco':

  Unable to locally verify the issuer's authority.

HTTP request sent, awaiting response...

  HTTP/1.1 200 OK

  Date: Fri, 10 Feb 2017 13:13:29 GMT

  Content-Type: application/json;charset=UTF-8

  X-Frame-Options: SAMEORIGIN

  Cache-Control: no-cache, no-store

  Pragma: no-cache

  Strict-Transport-Security: max-age=31536000; includeSubDomains

  Connection: close

Length: unspecified [application/json]

Saving to: `STDOUT'

     [<=>                                                                  ] 0          --.-K/s              {"response":{"serviceTicket":"ST-14169-tKyCaSUPpVaLyxrK0Q9a-cas","idleTimeout":3600,"sessionTimeout":21600},"ve    [ <=>                                                                ] 124        --.-K/s  in 0s    

 2017-02-11 00:13:29 (22.3 MB/s) - written to stdout [124]