smart call home - HTTPS transport from the Nexus 7000 to Cisco

Answered Question
Aug 23rd, 2012

Hi,

I am trying to configure Call Home on a Nexus 7000 with HTTPS transport and a proxy server.


I followed this guide:

http://www.cisco.com/en/US/docs/switches/lan/smart_call_home/QuickStart_NX7000.pdf


and configured this:


callhome
  email-contact XXXXXXXXXXX
  phone-contact XXXXXXXXXXX
  streetaddress XXXXXXXXXXXXXXXX
  destination-profile CiscoTAC-1 transport-method http
  destination-profile CiscoTAC-1 http https://tools.cisco.com/its/service/oddce/services/DDCEService
  transport http use-vrf management
  transport http proxy server XXXXXXXXXX port 8080        --------- XXXXXXXXXX = my proxy server
  transport http proxy enable
  enable
  periodic-inventory notification interval 30


I have a problem installing the security certificate. I followed the guide but I get the error:

failed to load or parse certificate
could not perform CA authentication


When I try to test Call Home with the command: callhome test

trying to send test callhome message
warning:no callhome message sent
email configuration incomplete for destination profile:full_txt
email configuration incomplete for destination profile:short_txt
Error in transporting http message for CiscoTAC-1
http: Received HTTP code 407 from proxy after CONNECT



I guess the problem is because I didn't install the certificate. How can I install the certificate?

Is this the real problem?

Bryan Williams Thu, 08/23/2012 - 09:37
User Badges: Events Top Contributors, 2013
Hello,


As stated in the quickstart guide, the Transport Gateway is recommended when a traditional proxy server is required to communicate with Cisco over the Internet. Basically, you configure your device to send messages to a local URL and the Transport Gateway forwards those messages through your proxy server to Cisco using HTTPS. The other advantage of this configuration is that there is no need to add a certificate to every device, because the Transport Gateway uses a built-in certificate.


A growing number of call home enabled devices now include the proxy server option that you are attempting to use. Unfortunately, this configuration option has not been tested by the Smart Call Home team and is not currently supported with Smart Call Home.


With that out of the way: your config looks right, but I have yet to test this in my lab. Give me a few days to try your config and I'll report back here.

Lawrence Searcy Thu, 08/23/2012 - 18:58
User Badges: Cisco Employee

I agree with Bryan that the easiest proxy server to set up for the Nexus 7000 is the Transport Gateway. The documentation (certificates) is set up to allow you to connect to a Cisco Transport Gateway or directly into tools.cisco.com. Both have a Cisco certificate.


But that doesn't explain your issue. To answer your issue, you need to look here


http://www.cisco.com/en/US/docs/switches/lan/smart_call_home/SCH31_Ch6.html#wp1039385


except you need your proxy server's chained certificate in PEM format, since the Nexus 7000 is going to terminate at your proxy server. Take a look at this line in the documentation.


Input (cut & paste) the CA certificate (chain) in PEM format


The error code 407 you indicated makes sense and indicates "Proxy Authentication Required". You need the certificate installed first. NX-OS uses the OpenSSL crypto library to implement the cert-pki feature, if that helps. A complete certificate chain is required. Also, you might make sure the CRL (certificate revocation list) check is set to none so it doesn't do that first.


revocation-check none


The 4 chained certificates given in the documentation are tools.cisco.com.cer, Verisign-G3-SSCA.cer, Verisign-G3-PRCA.cer, Verisign-Root-CA.cer. The non-Nexus 7000 devices just use the last one. Most likely you need a certificate that looks like


your-proxy-server.cer, Verisign-G3-SSCA.cer, Verisign-G3-PRCA.cer, Verisign-Root-CA.cer


If you are using your own root CA (which typically is taken offline after authorizing subordinate CAs, for security reasons), then make sure that their certificates are in the correct order to be processed so each can be authenticated.


Now you can see why a Cisco proxy server (Transport Gateway) is easier to setup.
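A way to check the ordering Lawrence describes before pasting a bundle into the switch, as an added example that is not part of the thread or of Cisco's documentation: a PEM bundle is walked certificate by certificate and each certificate's issuer is compared with the subject of the one that follows it, ending with a self-signed root (leaf first, root last). Standard-library Python only; a minimal DER walker pulls the issuer and subject fields out of each certificate, so it works on a bundle produced by, for example, openssl s_client -showcerts against the proxy. The three sample certificates are constructed, structure-only stand-ins with placeholder keys, signatures and names (proxy.example.net, Example Issuing CA, Example Root CA); they are not real certificates.

```python
import base64
import re

# Added example, not from the thread. Checks that a PEM bundle is ordered
# leaf -> intermediate(s) -> root. Standard library only.

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_LABELS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}


def read_tlv(buf, pos=0):
    """Read one DER tag-length-value; return (tag, value bytes, next offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Split the body of a constructed element into (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def parse_pem_bundle(text):
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]


def cert_names(der_cert):
    """Return (issuer, subject) as raw DER Name bodies, per RFC 5280 field order."""
    _, cert_body, _ = read_tlv(der_cert)
    fields = children(children(cert_body)[0][1])       # tbsCertificate fields
    i = 1 if fields[0][0] == 0xA0 else 0               # optional [0] version
    return fields[i + 2][1], fields[i + 4][1]          # issuer, subject


def name_to_str(name_body):
    parts = []
    for _, rdn in children(name_body):                 # each RDN is a SET
        for _, atv in children(rdn):                   # AttributeTypeAndValue
            (_, oid), (_, val) = children(atv)
            parts.append(f"{OID_LABELS.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ",".join(parts)


def check_chain_order(certs):
    """Return problems; an empty list means leaf-first order ending in a self-signed root."""
    names = [cert_names(c) for c in certs]
    problems = []
    for idx, (issuer, subject) in enumerate(names):
        if idx + 1 < len(names):
            if issuer != names[idx + 1][1]:
                problems.append(f"cert {idx} ({name_to_str(subject)}) is issued by "
                                f"{name_to_str(issuer)}, but cert {idx + 1} is "
                                f"{name_to_str(names[idx + 1][1])}")
        elif issuer != subject:
            problems.append(f"last cert ({name_to_str(subject)}) is not self-signed; "
                            f"the root {name_to_str(issuer)} is missing")
    return problems


# --- constructed sample input: structure-only certificates, no real keys ------
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_name(cn):
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode("ascii")))
    return der(0x30, der(0x31, atv))                   # SEQUENCE { SET { CN=... } }


def fake_cert(subject_cn, issuer_cn, serial):
    tbs = (der(0xA0, der(0x02, b"\x02"))               # [0] version v3
           + der(0x02, bytes([serial]))                # serialNumber
           + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
           + der_name(issuer_cn)
           + der(0x30, der(0x17, b"120101000000Z") + der(0x17, b"220101000000Z"))
           + der_name(subject_cn)
           + der(0x30, b""))                           # subjectPublicKeyInfo placeholder
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))


def to_pem(der_bytes):
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der_bytes).decode()
            + "-----END CERTIFICATE-----\n")


ROOT = fake_cert("Example Root CA", "Example Root CA", 1)
ISSUING = fake_cert("Example Issuing CA", "Example Root CA", 2)
PROXY = fake_cert("proxy.example.net", "Example Issuing CA", 3)
GOOD_BUNDLE = "".join(to_pem(c) for c in (PROXY, ISSUING, ROOT))   # leaf first
BAD_BUNDLE = "".join(to_pem(c) for c in (ROOT, ISSUING, PROXY))    # root first

if __name__ == "__main__":
    for label, bundle in (("good", GOOD_BUNDLE), ("bad", BAD_BUNDLE)):
        print(label, check_chain_order(parse_pem_bundle(bundle)) or "OK")
```

The comparison is done on the raw DER Name bytes rather than on a printed string, which is how a chain built from one CA's own output will match; a bundle with the root first, or with the root left out, is reported with the names involved.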

Correct Answer
Lawrence Searcy Fri, 08/24/2012 - 14:00
User Badges: Cisco Employee

I need to correct my answer unfortunately. I made too many assumptions. First, for the information in my answer above, if you want the nexus 7000 to use HTTPS to any device, you need the fully chained certificate for that device. HTTP does not require a certificate. But the nexus 7000 will not do username/password or any other method of proxy server authentication.


So getting back to your issue.


http: Received HTTP code 407 from proxy after CONNECT


indicates that the proxy server wants the nexus 7000 to authenticate. It can't do that. HTTP proxy is just to forward the HTTP stream somewhere other than tools.cisco.com (where there is no authentication). Typically, you forward it to the Transport Gateway (which also has no authentication). Both programs accept data, and if it matches the exact format it is looking for with fields filled in correctly, forwards the data on. Otherwise it drops it. It does exactly the same thing for email sent to [email protected] (you can imagine the amount of spam it receives)


Now, the transport gateway does have a proxy configuration page where you can add a username and password as well as the proxy server and port. It does support proxy authentication for data it wants to forward to tools.cisco.com.


Sorry about the confusion.
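The exchange Lawrence describes, as an added example that is not part of the thread: an HTTPS client behind a proxy first sends a plain-text CONNECT request, and a 407 is the proxy's answer to that request, before any TLS handshake takes place, so the certificate store on the switch has not been consulted when this error appears. (The quoted line "Received HTTP code 407 from proxy after CONNECT" is the error text libcurl emits when a proxy rejects CONNECT.) Standard-library Python; the proxy is a constructed in-process stand-in that can be told to answer 200 or 407, and the target host, port and realm are placeholders.

```python
import socket
import threading

# Added example, not from the thread: the CONNECT step an HTTPS client
# performs through a proxy, and what a 200 versus a 407 reply means.


def send_connect(proxy_host, proxy_port, target_host, target_port=443, timeout=5.0):
    """Send CONNECT to the proxy and return (status code, reply headers)."""
    request = (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
               f"Host: {target_host}:{target_port}\r\n\r\n").encode("ascii")
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(request)
        raw = b""
        while b"\r\n\r\n" not in raw:               # read the full reply header
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return status, headers


def diagnose(status, headers):
    """Explain where the failure sits relative to the TLS handshake."""
    if status == 200:
        return "tunnel established; the TLS handshake and certificate validation come next"
    if status == 407:
        scheme = headers.get("proxy-authenticate", "<no scheme advertised>")
        return (f"proxy requires authentication ({scheme}); "
                "no TLS or certificate exchange has happened yet")
    return f"proxy refused CONNECT with HTTP {status}"


def fake_proxy(reply_status, extra_headers=""):
    """Constructed in-process stand-in for a proxy; answers one CONNECT, returns its port."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(1)

    def serve():
        conn, _ = server.accept()
        with conn:
            buf = b""
            while b"\r\n\r\n" not in buf:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            reason = {200: "Connection established",
                      407: "Proxy Authentication Required"}.get(reply_status, "Error")
            conn.sendall(f"HTTP/1.1 {reply_status} {reason}\r\n"
                         f"{extra_headers}Content-Length: 0\r\n\r\n".encode("ascii"))
        server.close()

    threading.Thread(target=serve, daemon=True).start()
    return server.getsockname()[1]


def probe(reply_status, extra_headers=""):
    """Run one CONNECT against a stand-in proxy; returns (status, diagnosis)."""
    port = fake_proxy(reply_status, extra_headers)
    status, headers = send_connect("127.0.0.1", port, "tools.cisco.com")
    return status, diagnose(status, headers)


if __name__ == "__main__":
    # Placeholder realm; a real proxy fills in its own.
    print(probe(407, 'Proxy-Authenticate: Basic realm="corp-proxy"\r\n'))
    print(probe(200))
```

Pointing send_connect at the real proxy (management VRF, port 8080 in the configuration above) reproduces what the switch sees; if the Proxy-Authenticate header names Basic, NTLM or Negotiate, the proxy is demanding credentials the Nexus 7000 has no option to supply, which is the case Lawrence describes.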

HOT HOT Sun, 08/26/2012 - 01:02

Hi,

Thank you all for your responses.

I solved the problem. First there was a problem at my proxy server, and then I found a valid cert on the Cisco website,

so now it works!


I will now try the Transport Gateway; it sounds easier than configuring every device.


Thanks all,

izik.