
Cisco Meraki Documentation

Troubleshooting Dashboard Connectivity to Catalyst 9800 Wireless Controllers

 

Once you have added your Catalyst 9800 wireless controller to the dashboard by following the Adding Catalyst 9800 Wireless Controller and Access Points to Dashboard documentation, the dashboard begins to provision the configuration it needs in order to monitor the wireless controller. These configurations are listed in the Cloud Monitoring Catalyst 9800 Dashboard Provisioned Configurations document.

If the dashboard encounters any issue during the provisioning process, the Catalyst 9800 wireless controller changes to a warning status, and the error can be viewed in the dashboard alert hub.

Meraki Tunnel

To check the status of the Meraki Tunnel on the C9800 wireless controller, use the show meraki connect command:

C9800-meraki-mon#show meraki connect
Service meraki connect: enable

Meraki Tunnel Config
------------------------------------
  Fetch State:                Config fetch succeeded
  Fetch Fail:                 no failure
  Last Fetch(UTC):            2023-10-13 18:43:26
  Next Fetch(UTC):            2023-10-13 19:44:41
  Config Server:              cs253-2037.meraki.com
  Primary:                    usw.nt.meraki.com
  Secondary:                  use.nt.meraki.com
  Client IPv6 Addr:           FD0A:9B09:1F7:1:4E42:1EFF:FEBE:9360

Meraki Tunnel State
------------------------------------
  Primary:                    Up
  Secondary:                  Up
  Primary Last Change(UTC):   2023-10-13 18:43:37
  Secondary Last Change(UTC): 2023-10-13 18:43:37
  Client Last Restart(UTC):   2023-10-13 18:43:26

Meraki Tunnel Interface
------------------------------------
  Status:                     Enable
  Rx Packets:                 1221
  Tx Packets:                 1090
  Rx Errors:                  0
  Tx Errors:                  0
  Rx Drop Packets:            0
  Tx Drop Packets:            0

Meraki Device Registration
------------------------------------
  url:                        https://catalyst.meraki.com/nodes/register
  Device Number:              1
  PID:                        C9800-40-K9
  Serial Number:              TTM270100L8
  Cloud ID:                   Q2ZZ-2SK3-UHQD
  Mac Address:                4C:42:1E:BE:93:60
  Status:                     Registered
  Timestamp(UTC):             2023-10-13 18:43:14
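When this output has to be checked on many controllers, or fed into a monitoring job, it helps to parse it rather than read it by eye. The following Python script is an added example for this page, not Cisco or Meraki code: it parses show meraki connect output into sections and fields and reports the conditions a defender would check first (service not enabled, config fetch failure, a tunnel peer not Up, interface errors or drops, device not Registered). SAMPLE_OUTPUT is constructed from a subset of the output shown above; the section and field names come from that output, while the health rules and messages are this example's own assumptions.

```python
"""Parse `show meraki connect` output from a Catalyst 9800 and flag tunnel problems.

Added example for this page, not Cisco or Meraki code. Section names and field
labels follow the output shown on the page; SAMPLE_OUTPUT is constructed from it.
"""
import re

SAMPLE_OUTPUT = """\
Service meraki connect: enable

Meraki Tunnel Config
------------------------------------
  Fetch State:                Config fetch succeeded
  Fetch Fail:                 no failure
  Last Fetch(UTC):            2023-10-13 18:43:26
  Config Server:              cs253-2037.meraki.com
  Client IPv6 Addr:           FD0A:9B09:1F7:1:4E42:1EFF:FEBE:9360

Meraki Tunnel State
------------------------------------
  Primary:                    Up
  Secondary:                  Up

Meraki Tunnel Interface
------------------------------------
  Status:                     Enable
  Rx Packets:                 1221
  Tx Packets:                 1090
  Rx Errors:                  0
  Tx Errors:                  0
  Rx Drop Packets:            0
  Tx Drop Packets:            0

Meraki Device Registration
------------------------------------
  url:                        https://catalyst.meraki.com/nodes/register
  Serial Number:              TTM270100L8
  Cloud ID:                   Q2ZZ-2SK3-UHQD
  Status:                     Registered
"""

SECTION_RE = re.compile(r"^Meraki (Tunnel Config|Tunnel State|Tunnel Interface|Device Registration)$")
# Field lines are indented; the key is everything up to the first colon, the value the rest.
FIELD_RE = re.compile(r"^\s+([^:]+?):\s+(.*?)\s*$")


def parse_meraki_connect(text):
    """Return {"service": ..., "<section>": {field: value}} from the CLI output."""
    parsed = {"service": None}
    section = None
    for line in text.splitlines():
        svc = re.match(r"^Service meraki connect:\s*(\S+)", line)
        if svc:
            parsed["service"] = svc.group(1)
            continue
        head = SECTION_RE.match(line.strip())
        if head:
            section = head.group(1)
            parsed[section] = {}
            continue
        field = FIELD_RE.match(line)
        if field and section:
            parsed[section][field.group(1)] = field.group(2)
    return parsed


def tunnel_problems(parsed):
    """Return a list of problems; an empty list means the tunnel looks healthy."""
    problems = []
    if parsed.get("service") != "enable":
        problems.append("meraki connect service is not enabled")
    cfg = parsed.get("Tunnel Config", {})
    if cfg.get("Fetch State") != "Config fetch succeeded":
        problems.append(f"config fetch failed: {cfg.get('Fetch Fail', 'unknown')}")
    state = parsed.get("Tunnel State", {})
    for peer in ("Primary", "Secondary"):
        if state.get(peer) != "Up":
            problems.append(f"{peer} tunnel is {state.get(peer, 'missing')}")
    iface = parsed.get("Tunnel Interface", {})
    if iface.get("Status") != "Enable":
        problems.append("tunnel interface is not enabled")
    for counter in ("Rx Errors", "Tx Errors", "Rx Drop Packets", "Tx Drop Packets"):
        if int(iface.get(counter, "0")) > 0:
            problems.append(f"{counter} = {iface[counter]}")
    reg = parsed.get("Device Registration", {})
    if reg.get("Status") != "Registered":
        problems.append(f"device registration status is {reg.get('Status', 'missing')}")
    return problems


if __name__ == "__main__":
    result = parse_meraki_connect(SAMPLE_OUTPUT)
    print("Cloud ID:", result["Device Registration"]["Cloud ID"])
    print("problems:", tunnel_problems(result) or "none")
```

In practice the text would come from the controller over an existing management session (for example the output of the command captured by your automation tooling) instead of the embedded sample; an empty problem list corresponds to the healthy output shown on this page, and a non-empty one maps directly onto the alert categories described in the sections that follow.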

 

Onboarding Errors

Note: the IOS XE cloud console. To perform the initial onboarding configuration on the wireless controller, the Meraki Tunnel provides CLI access via a VTY line. This communication takes place internally in software, between the Meraki Tunnel service and the IOS processes.

Wrong console credentials

If the dashboard is unable to access the wireless controller cloud console during the initial onboarding process, this may be because the username, password or enable password provided during onboarding cannot authenticate to the wireless controller.


This error can be resolved by:

  • Verifying that you entered the correct credentials, and that they have privilege 15 access.
  • Verifying that your AAA default method lists have been configured:

aaa authentication login default local
aaa authorization exec default local

 

You can re-enter these credentials by clicking Suggested fix on the alert.


 

Console error authorization

To complete the onboarding configuration through the cloud console, the username provided during onboarding must be authorized for all of the required onboarding configuration commands. Refer to Cloud Monitoring Catalyst 9800 Dashboard Provisioned Configurations and confirm that the username provided is authorized for all of the required commands.

For further details, please refer to the Configure RADIUS and TACACS+ for GUI and CLI Authentication on 9800 Wireless LAN Controllers page.

Console error connection

The dashboard is unable to connect to the wireless controller cloud console through the Meraki Tunnel, even though the Meraki Tunnel interfaces are UP.

Contact Meraki support for further troubleshooting.

aaa new-model not enabled

The wireless controller must have aaa new-model enabled for device access control. This mode allows the dashboard to access the wireless controller securely.

If you have previously added and then removed your wireless controller from the dashboard and the dashboard provisioned usernames were not removed from the configuration, the dashboard will fail to configure these usernames if they already exist in the configuration. Remove the usernames with the following commands:

 

The wireless controller must have four unused consecutive VTY slots. These VTY lines will be provisioned and secured so that only the dashboard can access the controller on them. For example, you can remove the configuration for the last 4 VTY lines with the following command:

no line vty 94 97

 

IPv4 or IPv6 ACL conflicts in HTTP Server

The dashboard uses the HTTP secure server interface to read telemetry data from wireless controllers. If your HTTP services are restricted by an IPv4 or IPv6 access control list, you must update or add an IPv6 ACL to permit access from the Meraki Tunnel interface subnet FD0A:9B09:1F7:1::/64:

ipv6 access-list RESTRICT_HTTP_ACCESS
 sequence 30 permit ipv6 FD0A:9B09:1F7:1::/64 FD0A:9B09:1F7:1::/64

ip http access-class ipv6 RESTRICT_HTTP_ACCESS


IPv6 ACL conflicts in NETCONF Server

The dashboard uses NETCONF to provision wireless controllers. If your NETCONF-YANG services are restricted by an IPv6 access control list, you must update the ACL to permit access from the Meraki Tunnel interface subnet FD0A:9B09:1F7:1::/64:

ipv6 access-list RESTRICT_NETCONF_ACCESS
 sequence 30 permit ipv6 FD0A:9B09:1F7:1::/64 FD0A:9B09:1F7:1::/64

netconf-yang ssh ipv6 access-list name RESTRICT_NETCONF_ACCESS


NETCONF process is in an abnormal state

If the netconf-yang process is not in the enabled state, the dashboard will be unable to complete the provisioning process. You can view the current status of the netconf-yang process with the following command:

show netconf-yang status

Additional information on the netconf-yang status may be available in the wireless controller's logging buffer or syslog. For more information on netconf-yang see https://www.cisco.com/c/en/us/td/doc...g_netconf.html

Restart the netconf-yang process with the following commands:

no netconf-yang
netconf-yang

Contact Cisco TAC support if NETCONF remains in an abnormal state.

AAA authorization conflicts in NETCONF

During onboarding, the dashboard checks that the wireless controller's aaa default authorization method list begins with local:

aaa authorization exec default local group tacacs+ group radius

If local is NOT the first method in the list, the meraki-user account in the local username store will not be able to use NETCONF to provision the required monitoring configuration.

Option 1:

Update the default authorization exec method list so that it begins with local, ahead of any other server group.

Option 2:

If you cannot modify the default method list, you can configure the YANG interface method list to use the MERAKI method list.

Starting with IOS XE 17.9, YANG interfaces can enable multiple authentication or authorization options with named method lists, and no longer have to use the global default method list for AAA authentication to programmable interfaces in IOS XE such as NETCONF and RESTCONF. See https://www.cisco.com/c/en/us/td/doc...ed-method-list.

yang-interfaces aaa authorization method-list MERAKI

SSH port or rotary conflicts with cloud

The dashboard must provision the following command on the wireless controller so that the four configured VTY lines are reachable on port 2222:

ip ssh port 2222 rotary 55

If this configuration is already present on the wireless controller, a dashboard alert will be triggered. If possible, update the existing ip ssh port 2222 rotary 55 configuration to use a rotary number other than 55.

SSH encryption algorithms not supported

The following SSH encryption algorithms are supported by the dashboard:

  • aes128-gcm@openssh.com
  • aes256-gcm@openssh.com
  • aes128-ctr
  • aes192-ctr
  • aes256-ctr

You can configure SSH to support one or more of these algorithms with the following command:

ip ssh server algorithm encryption aes128-gcm@openssh.com ...

Onboarding Provisioning Errors

NETCONF error connection

The dashboard is unable to perform NETCONF operations on the wireless controller through the Meraki Tunnel, even though the Meraki Tunnel interfaces are UP.

Contact Meraki support for further troubleshooting.

NETCONF error authorization

The dashboard is unable to authorize NETCONF with the wireless controller using the dashboard-provisioned local meraki-user account on the wireless controller. AAA settings on the device must permit the meraki-user account to be authorized. Additional information may be available in the device log (show log). Verify that there are no NETCONF AAA authorization conflicts (see AAA authorization conflicts in NETCONF above).

Contact Meraki support for further troubleshooting.

SSH error connection

The dashboard is unable to access the wireless controller via SSH through the Meraki Tunnel, even though the Meraki Tunnel interfaces are UP.

Contact Meraki support for further troubleshooting.

SSH error authentication

The dashboard is unable to authenticate SSH with the wireless controller using the dashboard provisioned wireless controller local meraki-user account. AAA settings on the device must permit the meraki-user account to authenticate. Additional information may be available in the device log (show log).

Contact Meraki support for further troubleshooting.

SSH error authorization

The dashboard is unable to authorize commands via SSH with the wireless controller using the dashboard-provisioned local meraki-user account on the wireless controller. AAA settings on the device must permit the meraki-user account to authorize the commands used for onboarding. Additional information may be available in the device log (show log).

This may be caused by the default aaa authorization commands configuration. Check the wireless controller configuration for the following line, where method is the first method in the list:

aaa authorization commands 15 default method

If the method is not local, then the MERAKI method list may not be authorized for the privilege level 15 commands that the meraki-user account needs.

If you have added the aaa authorization commands 15 ... configuration after your initial wireless controller onboard, you can manually update the MERAKI authorization list for privilege 15 commands:

aaa authorization commands 15 MERAKI local

If you continue to see this error contact Meraki support for further troubleshooting.
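The preconditions described in the sections above (aaa new-model, the AAA default method lists, leftover dashboard-provisioned usernames, four unused consecutive VTY lines, the ip ssh port 2222 rotary 55 conflict, supported SSH encryption algorithms, netconf-yang, the HTTP and NETCONF IPv6 ACLs, and the aaa authorization commands 15 default method) can all be checked against a saved running-config before onboarding, or when one of the alerts above fires. The following Python audit is an added example for this page, not Cisco or Meraki code: SAMPLE_CONFIG and FIXED_CONFIG are constructed, the MAX_VTY value of 97 is an assumption taken from the no line vty 94 97 example above, and the parsing rules and finding messages are this example's own rather than anything the dashboard itself reports.

```python
"""Audit a Catalyst 9800 running-config for the dashboard onboarding requirements on this page.
Added example, not Cisco or Meraki code. SAMPLE_CONFIG is constructed; MAX_VTY and the
check logic are assumptions based on the page's own examples, not on Cisco documentation."""
import re

TUNNEL_SUBNET = "FD0A:9B09:1F7:1::/64"
SUPPORTED_CIPHERS = {"aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
                     "aes128-ctr", "aes192-ctr", "aes256-ctr"}
MAX_VTY = 97  # assumption: vty 0-97 exist, as the page's "no line vty 94 97" example implies

# Constructed config that violates several of the page's requirements.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
username meraki-user privilege 15 secret 9 PLACEHOLDER_HASH
ipv6 access-list RESTRICT_HTTP_ACCESS
 sequence 10 permit ipv6 2001:DB8:10::/64 any
ip http secure-server
ip http access-class ipv6 RESTRICT_HTTP_ACCESS
ip ssh port 2222 rotary 55
ip ssh server algorithm encryption aes256-cbc aes128-ctr
netconf-yang
line vty 0 4
 transport input ssh
line vty 5 97
 transport input ssh
"""
# The same config with the page's fixes applied (also constructed).
FIXED_CONFIG = (SAMPLE_CONFIG
    .replace("exec default group tacacs+ local", "exec default local group tacacs+")
    .replace("username meraki-user privilege 15 secret 9 PLACEHOLDER_HASH\n", "")
    .replace("ip ssh port 2222 rotary 55\n", "")
    .replace("line vty 5 97", "line vty 5 93")
    .replace("2001:DB8:10::/64 any", f"2001:DB8:10::/64 any\n sequence 30 permit ipv6 {TUNNEL_SUBNET} {TUNNEL_SUBNET}"))


def parse_config(text):
    """Return (top-level lines, {acl name: [entries]}, set of configured vty numbers)."""
    lines, acls, vty_used, acl = [], {}, set(), None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):            # indented line: belongs to the current ACL, if any
            if acl is not None:
                acls[acl].append(raw.strip())
            continue
        lines.append(raw.rstrip())
        acl = None
        m = re.match(r"ipv6 access-list (\S+)$", raw)
        if m:
            acl = m.group(1)
            acls[acl] = []
        m = re.match(r"line vty (\d+)(?: (\d+))?$", raw)
        if m:
            vty_used.update(range(int(m.group(1)), int(m.group(2) or m.group(1)) + 1))
    return lines, acls, vty_used


def find(lines, prefix):
    """First top-level line starting with prefix, or None."""
    return next((ln for ln in lines if ln.startswith(prefix)), None)


def free_vty_block(vty_used, size=4):
    """First run of `size` consecutive unconfigured VTY numbers, or None."""
    run = []
    for n in range(MAX_VTY + 1):
        run = run + [n] if n not in vty_used else []
        if len(run) == size:
            return run
    return None


def audit(config_text):
    """Return a list of findings; an empty list means the onboarding preconditions are met."""
    lines, acls, vty_used = parse_config(config_text)
    f = []
    if "aaa new-model" not in lines:
        f.append("aaa new-model not enabled")
    authn = find(lines, "aaa authentication login default ")
    if authn is None or "local" not in authn.split()[4:]:
        f.append("aaa authentication login default does not include local")
    authz = find(lines, "aaa authorization exec default ")
    if (authz is None or authz.split()[4] != "local") and \
            find(lines, "yang-interfaces aaa authorization method-list MERAKI") is None:
        f.append("aaa authorization exec default does not begin with local and no yang-interfaces MERAKI list")
    cmds = find(lines, "aaa authorization commands 15 default ")
    if cmds and cmds.split()[5] != "local":
        f.append("aaa authorization commands 15 default is not local; add 'aaa authorization commands 15 MERAKI local'")
    if find(lines, "username meraki-user "):
        f.append("dashboard-provisioned username meraki-user already exists")
    if free_vty_block(vty_used) is None:
        f.append("no four consecutive unused VTY lines")
    if "ip ssh port 2222 rotary 55" in lines:
        f.append("ip ssh port 2222 rotary 55 already configured (rotary conflict)")
    algo = find(lines, "ip ssh server algorithm encryption ")
    if algo and not SUPPORTED_CIPHERS.intersection(algo.split()[5:]):
        f.append("no dashboard-supported SSH encryption algorithm configured")
    if "netconf-yang" not in lines:
        f.append("netconf-yang not enabled")
    for prefix, svc in (("ip http access-class ipv6 ", "HTTP"), ("netconf-yang ssh ipv6 access-list name ", "NETCONF")):
        entry = find(lines, prefix)
        if entry:
            name = entry[len(prefix):].strip()
            if not any("permit" in e and TUNNEL_SUBNET.lower() in e.lower() for e in acls.get(name, [])):
                f.append(f"{svc} IPv6 ACL {name} does not permit {TUNNEL_SUBNET}")
    return f


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "->", audit(cfg) or ["ok"])
```

Run it against the text of show running-config saved from the controller. The ACL check only confirms that the named IPv6 ACL contains a permit entry for the tunnel subnet; it does not evaluate ordering against earlier deny entries, so a deny placed before sequence 30 still has to be reviewed by hand. The rotary check treats an existing ip ssh port 2222 rotary 55 line as a conflict, which is correct before onboarding but expected after the dashboard has provisioned it.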

Configuration error

The configuration for the wireless controller is out of date. 

Contact Meraki support for further troubleshooting.
