This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
RUCKUS Self Help |   ASK the Pack
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Onboarding ICX switch to SZ/vSZ with Error: HTTP Response Code 400

Orlando_Elias
RUCKUS Team Member

‎03-08-2023 09:13 AM - last edited on ‎04-04-2023 08:59 AM by Community Manager

Are you having trouble to onboard an ICX switch into your SmartZone controller?

Check the logs in the ICX switch with the command 'show log', if you see errors like these below, it's very likely there's a certificate issue between the ICX and the controller:

Jun 24 18:32:02:I:MGMT Agent: Failed to connect to network controller at 192.168.169.220 Error: HTTPS Connection Error
Jun 24 18:31:42:I:MGMT Agent: Failed to connect to network controller at 192.168.169.220 Error: JSON Parse Error
Jun 24 18:31:42:I:MGMT Agent: Failed to connect to network controller at 192.168.169.220 Error: HTTP Response Code 400

 

This error is common when working with 'non-TPM' switches, which means the switch uses self-signed certificates. Switch models with this charatieristic are ICX 7250, ICX 7450, or ICX 7750. Check your switch's certificate using the CLI comand 'dm verify-device-certs' as shown below:

SSH@ICX-7450#dm verify-device-certs
Commencing sanity check for device certs ...
Verifying files on Non-TPM Platform ...
Successfully verified
The device key pair is valid
The Encrypt/Decrypt test is successful
Successfully verified device certs

How to resolve this? There is a CLI command that you can run in SZ/vSZ to honor this kind of self-signed certificates of non-TPM switches.

1. Log into the CLI of your controller using SSH and run the following commands.

1-vSZ# config
1-vSZ(config)# non-tpm-switch-cert-validate
Successful operation
1-vSZ(config)# exit
1-vSZ#

2. Your switch should now be onboarded.

Visit RUCKUS online documentation for more information about this CLI command.

If the switch's certificate is corrupted or not valid, regenerate the certificates using the below two steps (this is only for non-TPM devices):
a) Zeroize the current keys
    ICX(config)# crypto device-key-zeroize
    ICX(config)# crypto device-cert-zeroize
b) Reload the ICX device

For TPM devices, we cannot regenerate a new cert through CLI, so you need to RMA the device if the certificate is corrupted.

Visit RUCKUS online documentation for more troubleshooting steps on ICX-to-SZ onboarding.

 

With regards,
--
Orlando Elias
Technical Support
0 REPLIES 0
Copyright © 2024 Khoros, LLC