A week ago, on 2/10, Aruba Central 2.5.2 was installed in cluster EU-1 and support for managing switches running AOS-CX was added. We have waited for this so we could start adding one of our customer's 6300M switches to Aruba Central, to make it easier for Cygate's Operations to manage them.
At the start of this week I tried to connect three switches, one standalone and two in a VSF stack, but they wouldn't connect and I just got the following on the switch:
Switch-name(config)# show aruba-central
Central admin state : enabled
Central location : N/A
VRF for connection : N/A
Central connection status : N/A
Central source : dhcp
Central source connection status : connection_failure
Central source last connected on : N/A
System time synchronized from Activate : False
Activate Server URL : devices-v2.arubanetworks.com
CLI location : N/A
CLI VRF : N/A
I didn't really see anything in the logs either, so I contacted Aruba support and opened a case with them. They thought it was an Activate issue, so they tried to manually add our switch to our Activate account, but that didn't help. Then they thought it could be that we didn't have any rules in our Activate account. I haven't worked with Activate before, but I couldn't find any provisioning rules to add devices into Aruba Central.
But I found that you could do some configuration for Aruba Central on the switch, so I added the following:
Switch-name(config)#aruba-central
Switch-name(config)#location-override device-eu.central.arubanetworks.com
But it still didn't connect, and now it looked like this:
Switch-name(config-aruba-central)# show aruba-central
Central admin state : enabled
Central location : device-eu.central.arubanetworks.com
VRF for connection : default
Central connection status : N/A
Central source : cli
Central source connection status : connected
Central source last connected on : Sat Oct 10 10:48:53 CEST 2020
System time synchronized from Activate : False
Activate Server URL : devices-v2.arubanetworks.com
CLI location : device-eu.central.arubanetworks.com
CLI VRF : default
I also enabled some more debugging:
Switch-name(config)#debug central all
to see if I could spot anything that would give me more information. In the debug buffer I could see:
Switch-name(config)# show debugg buffer reverse
2020-10-10:11:01:52.372639|hpe-restd|LOG_ERR|WebSocket connection to Aruba Central failed: error in cert validation: TA profile does not exist. Please create the TA profile first in order to validate the imported certificate..
2020-10-10:11:01:52.372360|hpe-restd|LOG_ERR|||||The certificate with subject: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority is self-signed, but it must be signed by the TA cert
And in the logs I could see:
Switch-name(config)# show logging -r -n 10
Event logs from current boot
2020-10-11T08:25:38.230502+02:00 Switch-name hpe-restd[1022]: Event|4640|LOG_ERR|AMM|-|Failed to connect to Aruba Central on location device-eu.central.arubanetworks.com on VRF default
2020-10-11T08:25:38.230088+02:00 Switch-name hpe-restd[1022]: Event|7709|LOG_WARN|UKWN|1|Certificate *.central.arubanetworks.com rejected due to verification failure (30)
2020-10-11T08:25:35.022499+02:00 Switch-name hpe-restd[1022]: Event|4639|LOG_INFO|AMM|-|Connecting to Aruba Central on location device-eu.central.arubanetworks.com on VRF default.
I thought that was strange and that I should send it to Aruba Support to see what they said about it. But when scrolling through Twitter I saw James Whitehead (https://twitter.com/Whereisjrw) posting this tweet
Interesting, someone else was having the same problem as me, so I wrote back and said that I had the same problem. I asked James if they could see the same thing in the debug output, that *.central.arubanetworks.com gets rejected with a complaint about a missing TA profile. The answer I got from James was that they used to see it, but after they uploaded the Root CA and intermediate certificates they didn't get those warnings anymore. So my next step was to test uploading the root certificate to the switch and see if that would solve it. I searched for "COMODO RSA Certification Authority" to find the root certificate, and the first hit was https://support.comodo.com/index.php?/Knowledgebase/Article/View/969/108/root-comodo-rsa-certification-authority-sha-2, which included the PEM I needed to install on the switch.
Switch-name(config)# crypto pki ta-profile COMODO_CA
Switch-name(config-ta-COMODO_CA)# ta-certificate import terminal
Paste the certificate in PEM format below, then hit enter and ctrl-D:
Switch-name(config-ta-cert)# -----BEGIN CERTIFICATE-----
Switch-name(config-ta-cert)# MIIF2DCCA8CgAwIBAgIQTKr5yttjb+Af907YWwOGnTANBgkqhkiG9w0BAQwFADCB
Switch-name(config-ta-cert)# hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
Switch-name(config-ta-cert)# A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
Switch-name(config-ta-cert)# BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAwMTE5
Switch-name(config-ta-cert)# MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
Switch-name(config-ta-cert)# EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR
Switch-name(config-ta-cert)# Q09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNh
Switch-name(config-ta-cert)# dGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCR
Switch-name(config-ta-cert)# 6FSS0gpWsawNJN3Fz0RndJkrN6N9I3AAcbxT38T6KhKPS38QVr2fcHK3YX/JSw8X
Switch-name(config-ta-cert)# pz3jsARh7v8Rl8f0hj4K+j5c+ZPmNHrZFGvnnLOFoIJ6dq9xkNfs/Q36nGz637CC
Switch-name(config-ta-cert)# 9BR++b7Epi9Pf5l/tfxnQ3K9DADWietrLNPtj5gcFKt+5eNu/Nio5JIk2kNrYrhV
Switch-name(config-ta-cert)# /erBvGy2i/MOjZrkm2xpmfh4SDBF1a3hDTxFYPwyllEnvGfDyi62a+pGx8cgoLEf
Switch-name(config-ta-cert)# Zd5ICLqkTqnyg0Y3hOvozIFIQ2dOciqbXL1MGyiKXCJ7tKuY2e7gUYPDCUZObT6Z
Switch-name(config-ta-cert)# +pUX2nwzV0E8jVHtC7ZcryxjGt9XyD+86V3Em69FmeKjWiS0uqlWPc9vqv9JWL7w
Switch-name(config-ta-cert)# qP/0uK3pN/u6uPQLOvnoQ0IeidiEyxPx2bvhiWC4jChWrBQdnArncevPDt09qZah
Switch-name(config-ta-cert)# SL0896+1DSJMwBGB7FY79tOi4lu3sgQiUpWAk2nojkxl8ZEDLXB0AuqLZxUpaVIC
Switch-name(config-ta-cert)# u9ffUGpVRr+goyhhf3DQw6KqLCGqR84onAZFdr+CGCe01a60y1Dma/RMhnEw6abf
Switch-name(config-ta-cert)# Fobg2P9A3fvQQoh/ozM6LlweQRGBY84YcWsr7KaKtzFcOmpH4MN5WdYgGq/yapiq
Switch-name(config-ta-cert)# crxXStJLnbsQ/LBMQeXtHT1eKJ2czL+zUdqnR+WEUwIDAQABo0IwQDAdBgNVHQ4E
Switch-name(config-ta-cert)# FgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB
Switch-name(config-ta-cert)# /wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAArx1UaEt65Ru2yyTUEUAJNMnMvl
Switch-name(config-ta-cert)# wFTPoCWOAvn9sKIN9SCYPBMtrFaisNZ+EZLpLrqeLppysb0ZRGxhNaKatBYSaVqM
Switch-name(config-ta-cert)# 4dc+pBroLwP0rmEdEBsqpIt6xf4FpuHA1sj+nq6PK7o9mfjYcwlYRm6mnPTXJ9OV
Switch-name(config-ta-cert)# 2jeDchzTc+CiR5kDOF3VSXkAKRzH7JsgHAckaVd4sjn8OoSgtZx8jb8uk2Intzna
Switch-name(config-ta-cert)# FxiuvTwJaP+EmzzV1gsD41eeFPfR60/IvYcjt7ZJQ3mFXLrrkguhxuhoqEwWsRqZ
Switch-name(config-ta-cert)# CuhTLJK7oQkYdQxlqHvLI7cawiiFwxv/0Cti76R7CZGYZ4wUAc1oBmpjIXUDgIiK
Switch-name(config-ta-cert)# boHGhfKppC3n9KUkEEeDys30jXlYsQab5xoq2Z0B15R97QNKyvDb6KkBPvVWmcke
Switch-name(config-ta-cert)# jkk9u+UJueBPSZI9FoJAzMxZxuY67RIuaTxslbH9qh17f4a+Hg4yRvv7E491f0yL
Switch-name(config-ta-cert)# S0Zj/gA0QHDBw7mh3aZw4gSzQbzpgJHqZJx64SIDqZxubw5lT2yHh17zbqD5daWb
Switch-name(config-ta-cert)# QOhTsiedSrnAdyGN/4fy3ryM7xfft0kL0fJuMAsaDk527RH89elWsn2/x20Kk4yl
Switch-name(config-ta-cert)# 0MC2Hb46TpSi125sC8KKfPog88Tk5c0NqMuRkrF8hey1FGlmDoLnzc7ILaZRfyHB
Switch-name(config-ta-cert)# NVOFBkpdn627G190
Switch-name(config-ta-cert)# -----END CERTIFICATE-----
Switch-name(config-ta-cert)#
Switch-name(config-ta-cert)#
The certificate you are importing has the following attributes:
Subject: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
Issuer: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
Serial Number: 0x4CAAF9CADB636FE01FF74ED85B03869D
TA certificate import is allowed only once for a TA profile
Do you want to accept this certificate (y/n)? y
Switch-name(config-ta-COMODO_CA)#
And now when running:
Switch-name(config)# show aruba-central
Central admin state : enabled
Central location : device-eu.central.arubanetworks.com
VRF for connection : default
Central connection status : connected
Central source : cli
Central source connection status : connected
Central source last connected on : Sun Oct 11 08:25:05 CEST 2020
System time synchronized from Activate : False
Activate Server URL : devices-v2.arubanetworks.com
CLI location : device-eu.central.arubanetworks.com
CLI VRF : default
I also looked in Aruba Central and saw that the switch was connected and in the right group. This first switch already had the location-override configuration, so on the next switch I tested adding the root certificate first, to see if both configurations were needed, and they were: nothing happened when I just added the root certificate, and it wasn't until I added the location-override that it connected to Aruba Central.
We are still using evaluation licenses for our devices in Aruba Central, as our big order for devices and subscriptions is still being worked on by our sales team and the Aruba sales team. That could be why the switch isn't getting the right location without location-override, but the missing root certificate shouldn't have anything to do with that. Before I installed the root certificate the switch didn't have any TA profiles with certificates. I will send this information to Aruba Support and see what they say about it.
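To triage this failure mode from the switch output alone, here is an added Python example (not code from this post or from Aruba) that parses the event-log and debug-buffer lines shown above into one finding and lists the CLI steps the post applied. The sample lines are constructed from the output quoted above; the TA profile name is a label of my choosing.

```python
import re

# Constructed samples in the shape of the AOS-CX event log and debug buffer quoted
# in this post (values as shown there); nothing here talks to a real switch.
EVENT_LOG = """\
2020-10-11T08:25:38.230502+02:00 Switch-name hpe-restd[1022]: Event|4640|LOG_ERR|AMM|-|Failed to connect to Aruba Central on location device-eu.central.arubanetworks.com on VRF default
2020-10-11T08:25:38.230088+02:00 Switch-name hpe-restd[1022]: Event|7709|LOG_WARN|UKWN|1|Certificate *.central.arubanetworks.com rejected due to verification failure (30)
2020-10-11T08:25:35.022499+02:00 Switch-name hpe-restd[1022]: Event|4639|LOG_INFO|AMM|-|Connecting to Aruba Central on location device-eu.central.arubanetworks.com on VRF default.
"""
DEBUG_BUFFER = """\
2020-10-10:11:01:52.372639|hpe-restd|LOG_ERR|WebSocket connection to Aruba Central failed: error in cert validation: TA profile does not exist. Please create the TA profile first in order to validate the imported certificate..
2020-10-10:11:01:52.372360|hpe-restd|LOG_ERR|||||The certificate with subject: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority is self-signed, but it must be signed by the TA cert
"""
# <timestamp> <host> <process>[<pid>]: Event|<id>|<severity>|<module>|<idx>|<message>
EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w-]+)\[\d+\]: "
                      r"Event\|(?P<id>\d+)\|(?P<sev>\w+)\|[^|]*\|[^|]*\|(?P<msg>.*)$")
REJECT_RE = re.compile(r"Certificate (?P<name>\S+) rejected due to verification failure \((?P<code>\d+)\)")
TARGET_RE = re.compile(r"Aruba Central on location (?P<loc>\S+) on VRF (?P<vrf>\w+)")
ANCHOR_RE = re.compile(r"certificate with subject: (?P<subj>.*?) is self-signed, but it must be signed by the TA cert")

def parse_events(text):
    """Split event-log lines into fields; lines in another layout are skipped."""
    return [m.groupdict() for m in map(EVENT_RE.match, text.splitlines()) if m]

def diagnose(event_text, debug_text):
    """Correlate the two outputs into one finding about Central TLS validation."""
    f = {"missing_ta_profile": False, "rejected_cert": None, "verify_code": None,
         "location": None, "vrf": None, "required_anchor_cn": None}
    for ev in parse_events(event_text):
        if ev["id"] == "7709" and (m := REJECT_RE.search(ev["msg"])):
            f["rejected_cert"], f["verify_code"] = m["name"], int(m["code"])
        elif ev["id"] == "4640" and (m := TARGET_RE.search(ev["msg"])):
            f["location"], f["vrf"] = m["loc"], m["vrf"]
    for line in debug_text.splitlines():
        if "TA profile does not exist" in line:
            f["missing_ta_profile"] = True
        elif (m := ANCHOR_RE.search(line)):
            cn = re.search(r"CN = ([^,]+)", m["subj"])  # root CA the chain ends in
            f["required_anchor_cn"] = cn.group(1).strip() if cn else None
    return f

def remediation(finding, profile_name="COMODO_CA"):
    """CLI steps from the post, filled in from the finding (profile_name is a chosen label)."""
    steps = []
    if finding["missing_ta_profile"] or finding["rejected_cert"]:
        steps += [f"crypto pki ta-profile {profile_name}", "ta-certificate import terminal",
                  f"# paste the PEM of '{finding['required_anchor_cn']}'; check subject/serial before accepting"]
    if finding["location"]:
        steps += ["aruba-central", f"location-override {finding['location']}"]
    return steps
```

Run `diagnose(EVENT_LOG, DEBUG_BUFFER)` on output captured from a switch that fails the same way and `remediation()` turns the finding into the two configuration changes the post ended up needing.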
Do you know what version of firmware you had on the switch at the time?