03-08-2023 09:13 AM - last edited on 04-04-2023 08:59 AM by dave_feasey
Are you having trouble onboarding an ICX switch into your SmartZone controller?
Check the logs on the ICX switch with the command 'show log'. If you see errors like the ones below, it is very likely there is a certificate issue between the ICX and the controller:
Jun 24 18:32:02:I:MGMT Agent: Failed to connect to network controller at 192.168.169.220 Error: HTTPS Connection Error
Jun 24 18:31:42:I:MGMT Agent: Failed to connect to network controller at 192.168.169.220 Error: JSON Parse Error
Jun 24 18:31:42:I:MGMT Agent: Failed to connect to network controller at 192.168.169.220 Error: HTTP Response Code 400
This error is common when working with 'non-TPM' switches, meaning switches that use self-signed certificates. Switch models with this characteristic are the ICX 7250, ICX 7450 and ICX 7750. Check your switch's certificate using the CLI command 'dm verify-device-certs' as shown below:
SSH@ICX-7450#dm verify-device-certs
Commencing sanity check for device certs ...
Verifying files on Non-TPM Platform ...
Successfully verified
The device key pair is valid
The Encrypt/Decrypt test is successful
Successfully verified device certs
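As an added example (not part of the original post or of any Ruckus tool), here is a small triage script that parses 'show log' output in the format quoted above, counts the MGMT Agent connection failures per controller, and flags the three error strings the post associates with a certificate problem so you know when to run 'dm verify-device-certs'. The sample log lines are constructed; the regex and the CERT_ERRORS set are assumptions based only on the lines shown in this post.

```python
import re
from collections import Counter

# Constructed sample of ICX 'show log' output, modelled on the lines quoted above.
SAMPLE_LOG = """\
Jun 24 18:31:42:I:MGMT Agent: Failed to connect to network controller at 192.168.169.220 Error: HTTP Response Code 400
Jun 24 18:31:42:I:MGMT Agent: Failed to connect to network controller at 192.168.169.220 Error: JSON Parse Error
Jun 24 18:32:02:I:MGMT Agent: Failed to connect to network controller at 192.168.169.220 Error: HTTPS Connection Error
Jun 24 18:32:10:I:System: Interface ethernet 1/1/1, state up
"""

# Assumed layout: "<Mon> <day> <hh:mm:ss>:<severity>:MGMT Agent: Failed to connect ... at <ip> Error: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}):(?P<sev>[A-Z]):MGMT Agent: "
    r"Failed to connect to network controller at (?P<ctrl>\S+) Error: (?P<err>.+)$"
)

# Error strings the post links to a certificate issue on non-TPM switches.
CERT_ERRORS = {"HTTPS Connection Error", "JSON Parse Error", "HTTP Response Code 400"}


def parse_failures(log_text):
    """Return one dict (ts, sev, ctrl, err) per MGMT Agent connection failure in the log."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out


def triage(log_text):
    """Summarise failures per controller and flag those that look like a certificate problem."""
    by_ctrl = {}
    for f in parse_failures(log_text):
        by_ctrl.setdefault(f["ctrl"], Counter())[f["err"]] += 1
    report = {}
    for ctrl, errs in by_ctrl.items():
        cert_hits = sum(n for e, n in errs.items() if e in CERT_ERRORS)
        report[ctrl] = {
            "errors": dict(errs),
            "likely_cert_issue": cert_hits > 0,
            "next_step": ("run 'dm verify-device-certs' on the switch" if cert_hits
                          else "check reachability and controller configuration"),
        }
    return report


if __name__ == "__main__":
    for ctrl, info in triage(SAMPLE_LOG).items():
        print(ctrl, info)
```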
How to resolve this? There is a CLI command that you can run on SZ/vSZ to honor this kind of self-signed certificate from non-TPM switches.
1. Log into the CLI of your controller using SSH and run the following commands.
If the switch's certificate is corrupted or not valid, regenerate the certificates using the two steps below (this is only for non-TPM devices):
a) Zeroize the current keys:
ICX(config)# crypto device-key-zeroize
ICX(config)# crypto device-cert-zeroize
b) Reload the ICX device
For TPM devices, a new certificate cannot be regenerated through the CLI, so you need to RMA the device if the certificate is corrupted.