03-08-2023 09:13 AM - last edited on 04-04-2023 08:59 AM by dave_feasey
Are you having trouble onboarding an ICX switch into your SmartZone controller?
Check the logs on the ICX switch with the command 'show log'. If you see errors like the ones below, it is very likely there is a certificate issue between the ICX and the controller:
Jun 24 18:32:02:I:MGMT Agent: Failed to connect to network controller at 192.168.169.220 Error: HTTPS Connection Error
Jun 24 18:31:42:I:MGMT Agent: Failed to connect to network controller at 192.168.169.220 Error: JSON Parse Error
Jun 24 18:31:42:I:MGMT Agent: Failed to connect to network controller at 192.168.169.220 Error: HTTP Response Code 400
This error is common on 'non-TPM' switches, i.e. models without a TPM, which use self-signed device certificates. Switch models with this characteristic include the ICX 7250, ICX 7450 and ICX 7750. Check the switch's certificate using the CLI command 'dm verify-device-certs' as shown below:
SSH@ICX-7450#dm verify-device-certs
Commencing sanity check for device certs ...
Verifying files on Non-TPM Platform ...
Successfully verified
The device key pair is valid
The Encrypt/Decrypt test is successful
Successfully verified device certs
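As an added example that is not part of the original post, here is a small Python triage script that applies the rule above to 'show log' output: it parses the 'MGMT Agent: Failed to connect' lines, groups them per controller address, and flags a likely certificate issue when any of the three error strings from the post appears. The log format assumed is the one shown in the post; the sample log is constructed for the example, and the extra non-matching line in it is invented only to show that unrelated entries are ignored.

```python
import re
from collections import Counter

# ICX 'show log' entry format as it appears in the post:
# "<Mon> <DD> <HH:MM:SS>:<severity>:MGMT Agent: Failed to connect to network controller at <addr> Error: <text>"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}):(?P<sev>[A-Z]):"
    r"MGMT Agent: Failed to connect to network controller at (?P<ctrl>\S+) Error: (?P<err>.+)$"
)

# Error strings the post associates with an ICX <-> SmartZone certificate problem.
CERT_ERRORS = {"HTTPS Connection Error", "JSON Parse Error", "HTTP Response Code 400"}

# Next steps taken from the post, emitted when a certificate issue is suspected.
NEXT_STEPS = [
    "On the switch: run 'dm verify-device-certs' to check the device certificate.",
    "Non-TPM switch (e.g. ICX 7250/7450/7750): run 'non-tpm-switch-cert-validate' in SZ/vSZ config mode.",
    "Corrupted cert on a non-TPM switch: 'crypto device-key-zeroize', 'crypto device-cert-zeroize', then reload.",
]

# Constructed sample log for this example (first three lines are the ones from the post).
SAMPLE_LOG = """\
Jun 24 18:32:02:I:MGMT Agent: Failed to connect to network controller at 192.168.169.220 Error: HTTPS Connection Error
Jun 24 18:31:42:I:MGMT Agent: Failed to connect to network controller at 192.168.169.220 Error: JSON Parse Error
Jun 24 18:31:42:I:MGMT Agent: Failed to connect to network controller at 192.168.169.220 Error: HTTP Response Code 400
Jun 24 18:30:00:I:System: Interface ethernet 1/1/1, state up
"""


def parse_mgmt_agent_line(line):
    """Return a dict with ts/sev/ctrl/err for a MGMT Agent failure line, else None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Group MGMT Agent failures per controller and flag likely certificate issues.

    Returns {controller_addr: {"errors": Counter, "likely_cert_issue": bool, "next_steps": [...]}}.
    """
    result = {}
    for line in log_text.splitlines():
        event = parse_mgmt_agent_line(line)
        if event is None:
            continue  # not a controller-connection failure; ignore
        entry = result.setdefault(
            event["ctrl"], {"errors": Counter(), "likely_cert_issue": False, "next_steps": []}
        )
        entry["errors"][event["err"]] += 1
    for entry in result.values():
        if any(err in CERT_ERRORS for err in entry["errors"]):
            entry["likely_cert_issue"] = True
            entry["next_steps"] = list(NEXT_STEPS)
    return result


if __name__ == "__main__":
    for ctrl, entry in triage(SAMPLE_LOG).items():
        print(f"controller {ctrl}: {dict(entry['errors'])}")
        if entry["likely_cert_issue"]:
            print("  likely certificate issue between ICX and controller")
            for step in entry["next_steps"]:
                print("  -", step)
```

Paste the output of 'show log' into SAMPLE_LOG (or read it from a file) and run the script; only the MGMT Agent failure lines are considered, so ordinary interface or system messages do not affect the verdict.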
How do you resolve this? There is a CLI command you can run on SZ/vSZ to make the controller accept the self-signed certificates of non-TPM switches. Because this relaxes the controller's validation of switch certificates, enable it deliberately, only where non-TPM models need to be onboarded.
1. Log into the CLI of your controller using SSH and run the following commands.
1-vSZ# config
1-vSZ(config)# non-tpm-switch-cert-validate
Successful operation
1-vSZ(config)# exit
1-vSZ#
2. Your switch should now be onboarded.
Visit RUCKUS online documentation for more information about this CLI command.
If the switch's certificate is corrupted or invalid, regenerate the certificates with the two steps below (non-TPM devices only):
a) Zeroize the current keys
ICX(config)# crypto device-key-zeroize
ICX(config)# crypto device-cert-zeroize
b) Reload the ICX device
For TPM devices, a new certificate cannot be regenerated through the CLI, so the device must be RMA'd if its certificate is corrupted.
Visit RUCKUS online documentation for more troubleshooting steps on ICX-to-SZ onboarding.