https://community.ruckuswireless.com/t5/RUCKUS-Self-Help/Onboarding-ICX-switch-to-SZ-vSZ-with-Error-HTTP-Response-Code/m-p/54777#M99 <P>Are you having trouble to onboard an ICX switch into your SmartZone controller?</P> <P>Check the logs in the ICX switch with the command 'show log', if you see errors like these below, it's very likely there's a certificate issue between the ICX and the controller:</P> <P><FONT face="courier new,courier">Jun 24 18:32:02:I:MGMT Agent: Failed to connect to network controller at 192.168.169.220 Error: HTTPS Connection Error</FONT><BR /><FONT face="courier new,courier">Jun 24 18:31:42:I:MGMT Agent: Failed to connect to network controller at 192.168.169.220 Error: JSON Parse Error</FONT><BR /><STRONG><FONT face="courier new,courier">Jun 24 18:31:42:I:MGMT Agent: Failed to connect to network controller at 192.168.169.220 Error: HTTP Response Code 400</FONT></STRONG></P> <P>&nbsp;</P> <P class="lia-align-left">This error is common when working with 'non-TPM' switches, which means the switch uses <STRONG>self-signed certificates</STRONG>. Switch models with this charatieristic are&nbsp;<SPAN>ICX 7250, ICX 7450, or ICX 7750. Check your switch's certificate using the CLI comand 'dm verify-device-certs' as shown below:</SPAN></P> <P class="lia-align-left"><FONT face="courier new,courier"><SPAN>SSH@ICX-7450#dm verify-device-certs<BR />Commencing sanity check for device certs ...<BR />Verifying files on Non-TPM Platform ...<BR />Successfully verified<BR />The device key pair is valid<BR />The Encrypt/Decrypt test is successful<BR />Successfully verified device certs</SPAN></FONT></P> <P class="lia-align-left">How to resolve this? There is a CLI command that you can run in SZ/vSZ to honor this kind of self-signed certificates of non-TPM switches.</P> <P class="lia-align-left">1. Log into the CLI of your controller using SSH and run the following commands.</P> <P class="lia-align-left"><FONT face="courier new,courier"><SPAN>1-vSZ# config</SPAN></FONT><BR /><FONT face="courier new,courier"><SPAN>1-vSZ(config)# non-tpm-switch-cert-validate</SPAN></FONT><BR /><FONT face="courier new,courier"><SPAN>Successful operation</SPAN></FONT><BR /><FONT face="courier new,courier"><SPAN>1-vSZ(config)# exit</SPAN></FONT><BR /><FONT face="courier new,courier"><SPAN>1-vSZ#</SPAN></FONT></P> <P class="lia-align-left">2. Your switch should now be onboarded.</P> <P class="lia-align-left">Visit RUCKUS <A href="https://docs.commscope.com/en-US/bundle/sz-600-cliguide-sz300/page/GUID-8B740B78-C390-4B7B-A271-6A511179B68A.html" target="_blank" rel="noopener">online documentation</A> for more information about this CLI command.</P> <P class="lia-align-left"><SPAN>If the switch's certificate is corrupted or not valid, regenerate the certificates using the below two steps (this is only for non-TPM devices):</SPAN><BR /><SPAN>a) Zeroize the current keys</SPAN><BR /><FONT face="courier new,courier"><SPAN>&nbsp; &nbsp; ICX(config)# crypto device-key-zeroize<BR />&nbsp; &nbsp; ICX(config)# crypto device-cert-zeroize</SPAN></FONT><BR /><SPAN>b) Reload the ICX device</SPAN></P> <P class="lia-align-left"><SPAN>For TPM devices, we cannot regenerate a new cert through CLI, so you need to RMA the device if the certificate is corrupted.</SPAN></P> <P class="lia-align-left">Visit RUCKUS <A href="https://docs.commscope.com/en-US/bundle/fastiron-09010-managementguide/page/GUID-CD3FD835-B641-45A4-8859-062E4AEABE75.html" target="_blank" rel="noopener">online documentation</A> for more&nbsp;troubleshooting steps on ICX-to-SZ onboarding.</P> <P class="lia-align-left">&nbsp;</P> Tue, 04 Apr 2023 15:59:48 GMT Orlando_Elias 2023-04-04T15:59:48Z https://community.ruckuswireless.com/t5/RUCKUS-Self-Help/Onboarding-ICX-switch-to-SZ-vSZ-with-Error-HTTP-Response-Code/m-p/54777#M99 <P>Are you having trouble to onboard an ICX switch into your SmartZone controller?</P> <P>Check the logs in the ICX switch with the command 'show log', if you see errors like these below, it's very likely there's a certificate issue between the ICX and the controller:</P> <P><FONT face="courier new,courier">Jun 24 18:32:02:I:MGMT Agent: Failed to connect to network controller at 192.168.169.220 Error: HTTPS Connection Error</FONT><BR /><FONT face="courier new,courier">Jun 24 18:31:42:I:MGMT Agent: Failed to connect to network controller at 192.168.169.220 Error: JSON Parse Error</FONT><BR /><STRONG><FONT face="courier new,courier">Jun 24 18:31:42:I:MGMT Agent: Failed to connect to network controller at 192.168.169.220 Error: HTTP Response Code 400</FONT></STRONG></P> <P>&nbsp;</P> <P class="lia-align-left">This error is common when working with 'non-TPM' switches, which means the switch uses <STRONG>self-signed certificates</STRONG>. Switch models with this charatieristic are&nbsp;<SPAN>ICX 7250, ICX 7450, or ICX 7750. Check your switch's certificate using the CLI comand 'dm verify-device-certs' as shown below:</SPAN></P> <P class="lia-align-left"><FONT face="courier new,courier"><SPAN>SSH@ICX-7450#dm verify-device-certs<BR />Commencing sanity check for device certs ...<BR />Verifying files on Non-TPM Platform ...<BR />Successfully verified<BR />The device key pair is valid<BR />The Encrypt/Decrypt test is successful<BR />Successfully verified device certs</SPAN></FONT></P> <P class="lia-align-left">How to resolve this? There is a CLI command that you can run in SZ/vSZ to honor this kind of self-signed certificates of non-TPM switches.</P> <P class="lia-align-left">1. Log into the CLI of your controller using SSH and run the following commands.</P> <P class="lia-align-left"><FONT face="courier new,courier"><SPAN>1-vSZ# config</SPAN></FONT><BR /><FONT face="courier new,courier"><SPAN>1-vSZ(config)# non-tpm-switch-cert-validate</SPAN></FONT><BR /><FONT face="courier new,courier"><SPAN>Successful operation</SPAN></FONT><BR /><FONT face="courier new,courier"><SPAN>1-vSZ(config)# exit</SPAN></FONT><BR /><FONT face="courier new,courier"><SPAN>1-vSZ#</SPAN></FONT></P> <P class="lia-align-left">2. Your switch should now be onboarded.</P> <P class="lia-align-left">Visit RUCKUS <A href="https://docs.commscope.com/en-US/bundle/sz-600-cliguide-sz300/page/GUID-8B740B78-C390-4B7B-A271-6A511179B68A.html" target="_blank" rel="noopener">online documentation</A> for more information about this CLI command.</P> <P class="lia-align-left"><SPAN>If the switch's certificate is corrupted or not valid, regenerate the certificates using the below two steps (this is only for non-TPM devices):</SPAN><BR /><SPAN>a) Zeroize the current keys</SPAN><BR /><FONT face="courier new,courier"><SPAN>&nbsp; &nbsp; ICX(config)# crypto device-key-zeroize<BR />&nbsp; &nbsp; ICX(config)# crypto device-cert-zeroize</SPAN></FONT><BR /><SPAN>b) Reload the ICX device</SPAN></P> <P class="lia-align-left"><SPAN>For TPM devices, we cannot regenerate a new cert through CLI, so you need to RMA the device if the certificate is corrupted.</SPAN></P> <P class="lia-align-left">Visit RUCKUS <A href="https://docs.commscope.com/en-US/bundle/fastiron-09010-managementguide/page/GUID-CD3FD835-B641-45A4-8859-062E4AEABE75.html" target="_blank" rel="noopener">online documentation</A> for more&nbsp;troubleshooting steps on ICX-to-SZ onboarding.</P> <P class="lia-align-left">&nbsp;</P> Tue, 04 Apr 2023 15:59:48 GMT https://community.ruckuswireless.com/t5/RUCKUS-Self-Help/Onboarding-ICX-switch-to-SZ-vSZ-with-Error-HTTP-Response-Code/m-p/54777#M99 Orlando_Elias 2023-04-04T15:59:48Z