Troubleshooting Dashboard Connectivity to Catalyst 9800 Wireless Controllers
Cloud Monitoring for Catalyst Wireless is a Meraki Dashboard Early Access Feature. Before you can add your wireless controller to dashboard you have to Opt-in to Cloud Monitoring for Catalyst Wireless. Go to Organization > Early access to enable.
Once you have added your Catalyst 9800 wireless controller to the dashboard, by following the Adding Catalyst 9800 Wireless Controller and Access Points to Dashboard documentation, the dashboard will begin to provision the configurations required to enable the dashboard to monitor the wireless controller. These configurations can be seen in the Cloud Monitoring Catalyst 9800 Dashboard Provisioned Configurations document.
If the dashboard experiences any issues during the provisioning process, the Catalyst 9800 wireless controller will update to a warning status and the error can be viewed in the dashboard alert hub.
Meraki Tunnel
To check the status of the Meraki Tunnel on the C9800 wireless controller use the show meraki connect command:
C9800-meraki-mon#show meraki connect
Service meraki connect: enable
Meraki Tunnel Config
------------------------------------
Fetch State: Config fetch succeeded
Fetch Fail: no failure
Last Fetch(UTC): 2023-10-13 18:43:26
Next Fetch(UTC): 2023-10-13 19:44:41
Config Server: cs253-2037.meraki.com
Primary: usw.nt.meraki.com
Secondary: use.nt.meraki.com
Client IPv6 Addr: FD0A:9B09:1F7:1:4E42:1EFF:FEBE:9360
Meraki Tunnel State
------------------------------------
Primary: Up
Secondary: Up
Primary Last Change(UTC): 2023-10-13 18:43:37
Secondary Last Change(UTC): 2023-10-13 18:43:37
Client Last Restart(UTC): 2023-10-13 18:43:26
Meraki Tunnel Interface
------------------------------------
Status: Enable
Rx Packets: 1221
Tx Packets: 1090
Rx Errors: 0
Tx Errors: 0
Rx Drop Packets: 0
Tx Drop Packets: 0
Meraki Device Registration
------------------------------------
url: https://catalyst.meraki.com/nodes/register
Device Number: 1
PID: C9800-40-K9
Serial Number: TTM270100L8
Cloud ID: Q2ZZ-2SK3-UHQD
Mac Address: 4C:42:1E:BE:93:60
Status: Registered
Timestamp(UTC): 2023-10-13 18:43:14
Onboarding Errors
Note: IOS XE cloud console. To perform the initial onboarding configurations on the wireless controller, the Meraki Tunnel provides CLI access via a VTY line. This communication is done software internally between the Meraki Tunnel service and IOS processes.
Wrong console credentials
If the dashboard is unable to access the wireless controller cloud console during the initial onboarding process, this may be due to the username, password or enable password provided during onboarding cannot authenticate to the wireless controller.
This error can be resolved by:
- Verify if you entered the correct credentials that have privilege 15 access.
- Verify your aaa default method list has been configured:
aaa authentication login default local
aaa author exec default local
You can re-enter these credentials by clicking Suggested fix on the alert.
Console error authorization
To complete the onboarding configuration with the cloud console the username provided during onboarding must have authorization for all the required onboarding configuration commands. Refer to Cloud Monitoring Catalyst 9800 Dashboard Provisioned Configurations and confirm the username provided is authorized for all of the required commands.
For further details, please refer to the Configure RADIUS and TACACS+ for GUI and CLI Authentication on 9800 Wireless LAN Controllers page.
Console error connection
The dashboard is unable to connect to the wireless controller cloud console through the Meraki Tunnel, and the Meraki Tunnel interfaces are UP.
Contact Meraki support for further troubleshooting.
aaa new-model not enabled
The wireless controller must use AAA New-model for device access control. This mode allows the dashboard to securely access the wireless controller.
aaa new-model
User 'meraki-tdluser' exists on device or User 'meraki-user' exists on device
If you have previously added and then removed your wireless controller from the dashboard and the dashboard provisioned usernames were not removed from the configuration, the dashboard will fail to configure these usernames if they already exist in the configuration. Remove the usernames with the following commands:
no username meraki-user
no username meraki-tdluser
No four consecutive VTY on the device
The wireless controller must have four unused consecutive VTY slots. These VTY lines will be provisioned and secured for only the dashboard to access the Controller on these lines. For example, you can remove the configuration for the last 4 VTY lines with the following command:
no line vty 94 97
IPv4 or IPv6 ACL conflicts in HTTP Server
Dashboard utilizes the HTTP secure server interface to read telemetry data from wireless controllers. If your HTTP services are restricted by an IPv4 or IPv6 access control list, you must update OR add an IPv6 ACL to permit access from the Meraki Tunnel interface subnet FD0A:9B09:1F7:1::/64
ipv6 access-list RESTRICT_HTTP_ACCESS
sequence 30 permit FD0A:9B09:1F7:1::/64 FD0A:9B09:1F7:1::/64
ip http access-class ipv6 RESTRICT_HTTP_ACCESS
IPv6 ACL conflicts in NETCONF Server
Dashboard utilizes the NETCONF to provision wireless controllers. If your NETCONF-YANG services are restricted by an IPv6 access control list, you must update the ACL to permit access from the Meraki Tunnel interface subnet FD0A:9B09:1F7:1::/64
ipv6 access-list RESTRICT_NETCONF_ACCESS
sequence 30 permit FD0A:9B09:1F7:1::/64 FD0A:9B09:1F7:1::/64
netconf-yang ssh ipv6 access-list name RESTRICT_NETCONF_ACCESS
NETCONF process is in an abnormal state
If netconf-yang status is not in enabled state, the dashboard will be unable to complete the provisioning processes. You can view the current status of the netconf-yang process with the following command:
show netconf-yang status
Additional information on the netconf-yang status may be provided in the wireless controllers' logging buffers or syslog. For more information on netconf-yang see https://www.cisco.com/c/en/us/td/doc...g_netconf.html
Restart netconf-yang process with the following commands:
no netconf-yang
netconf-yang
Contact Cisco TAC support if NETCONF remains in an abnormal state.
AAA authorization conflicts in NETCONF
During onboarding, the dashboard will check the wireless controller aaa default authorization method list begins with 'local':
aaa authorization exec default local group tacacs+ group radius
lf local is NOT the first method in the list, the meraki-user user in the local username store will not be able to use NETCONF to do the required monitoring configuration provisioning.
Option 1:
Update the default authorization exec method list to begin with local before any other server group.
Option 2:
If you can not modify the default method list you can configure the YANG interface method list to use the MERAKI method list.
Starting with IOS XE 17.9, YANG interfaces can now enable multiple authentication or authorization options with named method-lists and do not have to utilize the global default method list for AAA authentication to programmable interfaces in IOS XE such as NETCONF and RESTCONF. https://www.cisco.com/c/en/us/td/doc...ed-method-list.
yang-interfaces aaa authorization method-list MERAKI
SSH port or rotary conflicts with cloud
Dashboard must provision the following command on the wireless controller in order to set the four configured VTY lines to be accessible on port 2222:
ip ssh port 2222 rotary 55
If this configuration is already detected on the wireless controller a dashboard alert will be triggered. If possible, update the ip ssh port 2222 rotary 55 configuration to use a rotary number other than 55.
SSH encryption algorithms not supported
The following SSH encryption algorithms are supported by the dashboard:
aes128-ctr
aes192-ctr
aes256-ctr.
You can configure SSH to support one or more of these algorithms with the following command:
ip ssh server algorithm encryption aes128-gcm@openssh.com ...
Onboarding Provisioning Errors
NETCONF error connection
Dashboard is unable to perform NETCONF operations on the wireless controller through the Meraki Tunnel, and the Meraki Tunnel interfaces are UP.
Contact Meraki support for further troubleshooting.
NETCONF error authorization
The dashboard is unable to authorize NETCONF with the wireless controller using the dashboard provisioned wireless controller local meraki-user account. AAA settings on the device must permit the meraki-user account to be authorised. Additional information may be available in the device log (show log). Verify there are no NETCONF aaa authorization conflicts.
Contact Meraki support for further troubleshooting.
SSH error connection
Dashboard is unable to access the wireless controller via SSH through the Meraki Tunnel, and the Meraki Tunnel interfaces are UP.
Contact Meraki support for further troubleshooting.
SSH error authentication
The dashboard is unable to authenticate SSH with the wireless controller using the dashboard provisioned wireless controller local meraki-user account. AAA settings on the device must permit the meraki-user account to authenticate. Additional information may be available in the device log (show log).
Contact Meraki support for further troubleshooting.
SSH error authorization
The dashboard is unable to authorize commands via SSH with the wireless controller using the dashboard provisioned wireless controller local meraki-user account. AAA settings on the device must permit the meraki-user account to authorize the commands used for onboarding. Additional information may be available in the device log (show log).
This may be due to the default aaa authorization commands configuration. Check the wireless controller configuration for the following:
aaa authorization commands 15 default method
If the method is not local then the MERAKI method list may not be authorized for the privilege level 15 commands the meraki-user account needs.
If you have added the aaa authorization commands 15 ... configuration after your initial wireless controller onboard, you can manually update the MERAKI authorization list for privilege 15 commands:
aaa authorization commands 15 MERAKI local
If you continue to see this error contact Meraki support for further troubleshooting.
Configuration error
The configuration for the wireless controller is out of date.
Contact Meraki support for further troubleshooting.