- During provisioning of a Cisco 1921 router it enters an error state:
- Received response from pnp agent for message correlatorId: CiscoPnP-1.0-19303-173-2BB9AB34 but with error code : ZTD_CMD_ERROR Response String: ERROR:PnP Service Error 3300:Certificate installation not successful
- Have tested this with the cert that came when we installed APIC-EM and generated a self-signed cert, which did not work. In the documentation it says that it's recommended to use an x509 certificate signed by a well-known provider for PnP to work optimally, but it does not say what works better with the signed cert.
Using a self-signed certificate for either the Cisco APIC-EM or the proxy gateway is strongly discouraged.
Strongly recommend using a publicly verifiable CA-issued certificate to be installed for the controller, as well as the proxy gateway if one is present.
- Want to set up APIC-EM as a proof of concept for our network solution and wanted to try out the functionality before investing in certificates. Have read the documentation. It only states that Cisco recommends the CA-issued certificate, but not why. Wondering if it was still possible to test PnP with a self-signed certificate to make sure it works with our architecture. Wondering what PnP functionality does not work with a self-signed certificate.
The error occurs if either the certificate is not downloadable/reachable OR if the certificate cannot be installed due to a cert validation issue.
Please refer to page 18 for Self-Signed Certificate-based Authentication.
The new router had 15.4(3)M3 installed while the previous had 15.4(3)M2. Upgraded the image on the first router and it started working as well.
The images were already installed on the devices at boot. There seems to be an issue with autoinstall in 15.4(3)M2. It would not automatically discover DHCP and the PnP client tried to reach devicehelper.cisco.com instead of our local APIC-EM. Managed to bypass the autoinstall and trigger PnP by setting ip address dhcp on the interface right after boot.
Did not change any of the certificate settings, but the new image seems to handle the self-signed certificate fine.
- Saw in the pnp trace that it tried to reach pnpntpserver.domain. Guess this is to sync the time on the router so it can verify that the certificate is not outdated. Had pnpserver.domain configured in DNS and added pnpntpserver now. But still it fails to get the trustpool.
This means the routers are now able to reach the APIC-EM and provisioning works when we upgraded to 15.4(3)M3. For the APIC-EM GA release, the recommended version for the 1921 router is 15.5(3)M/15.5(3)M1. You can upgrade your router image to 15.5(3)M1 to make sure it has all supported PnP agent features.
Also, please always do "write erase" and "reload" on the router so that PnP discovery can be performed.