Moving Catalyst 9500 into Meraki Dashboard monitoring fails

SOLVED
redsector
Head in the Cloud

Moving Catalyst 9500 into Meraki Dashboard monitoring fails

Hello,

 

according to the manual to view Cisco Catalyst 9500 switches in the Meraki Dashboard I used this manual:

 

https://documentation.meraki.com/Cloud_Monitoring_for_Catalyst/Onboarding/Cloud_Monitoring_for_Catalyst_Onboarding_Guide 

 

But it fails altough all conditions met.

 

It´s the error message:

 

Device is not eligible for onboarding. Reason: Error: The switch is unable to connect to the TLS gateway eu.tlsgw.meraki.com to establish a tunnel connection. Verify routes and firewall rules are in place to allow communication on TCP 443." Review pre-onboarding requirements for more information:

 

https://documentation.meraki.com/Cloud_Monitoring_for_Catalyst/Onboarding/Cloud_Monitoring_for_Catalyst_Onboarding_Guide#Pre-Onboarding 

 

I checked all to do´s and everything seems to be fine including the firewall config, the firmware version and so on.

 

Then I tried to make (for test purpose) an ssh connection to the described eu.tlsgw.meraki.com per CLI direct from the switch, but then I have this message:

 

Distri1#ssh eu.tlsgw.meraki.com
% Connection refused by remote host

 

also with the us site:

 

Distri1#ssh us.tlsgw.meraki.com
% Connection refused by remote host

 

Is there anybody who has some experience to do this monitoring an Cat 9xxx with Meraki Dashboard?

Any suggestions?

 

Thank you.

1 ACCEPTED SOLUTION

I had to do this for importing Catalyst 9500 into the Meraki Dashboards:

adding the bold line on the switch config:

 

line vty 0 4
length 0
transport input ssh
transport output telnet ssh

View solution in original post

4 REPLIES 4
alemabrahao
Kind of a big deal
Kind of a big deal

I believe it is normal not to be able to SSH into a Cisco host, so this is not a valid test.

Do you have DNA Essentials or DNA Advantage?

 

Pre-Onboarding

  1. Confirm that the switch(es) designated for onboarding are one of the following:

  • Catalyst 9200, 9300, or 9500 series hardware

  • Running IOS-XE 17.3.1 - 17.8.x

  1. Have access to the Meraki dashboard
  1. Get your organization's dashboard API key. To find or generate an API key:
  • In Organization -> Settings verify that the checkbox for “Dashboard API Access” is selected and saved in the “Dashboard API access” section

  • From My Profile, choose "Generate new API key" or use an existing key. Note that a full admin account must be used. SAML log-in is not supported for API key creation

If an "invalid API key" error message appears, confirm the key and try again. API keys may take up to 15 minutes to become active in the onboarding application after creation.

  1. Ensure reachability
  • The computer from which the onboarding application is run must be able to reach api.meraki.com on TCP port 443

    • The onboarding application is a stand-alone executable file; security settings on your local device must permit running this application and accessing the API server

    • HTTPS proxy servers that modify the certificate in transit are not currently supported

  • The Catalyst devices to onboard need access to the Cisco cloud

    • Ensure any firewall rules in place allow communication with the gateway corresponding with the dashboard region on TCP port 443:

      • Americas: us.tlsgw.meraki.com

      • EMEA: eu.tlsgw.meraki.com 

      • Asia Pacific and Japan: ap.tlsgw.meraki.com

  • HTTPS proxies to access the API endpoint and the TLS gateway are not currently supported. If necessary, ensure rules are in place to allow direct HTTPS connections to each.
  • Connectivity must be via a front-panel port (not the management interface).
  • Only the default VRF is supported.
  • IP routing (ip routing) must be enabled on the switch or will be enabled as part of onboarding.
  • Ensure routes are in place to reach external addresses including a default route (use of ip default-gateway is not supported).
  • Ensure DNS is enabled on the switch (ip name-server {DNS server IP} configured).
  • Ensure DNS lookup is enabled (ip domain lookup).
  • NTP needs to be enabled on the switch (ntp server {address}), and the switch clock must reflect the correct time.
  • AAA on the switch must be configured using aaa new-model.
  • SSH access to the switch CLI must be enabled and accessible via the computer used for onboarding.
  • The user account for onboarding must have privilege-15 level access on the switch.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Test with telnet:

telnet us.tlsgw.meraki.com 443

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

I had to do this for importing Catalyst 9500 into the Meraki Dashboards:

adding the bold line on the switch config:

 

line vty 0 4
length 0
transport input ssh
transport output telnet ssh

MuhammadFaheem
New here

I run the below commands and it worked
 
ip http secure-server
 
line vty 0 4
 
transport output telnet ssh
end
 
ip name-server 'DNS Server Name' (without quote)
ip domain lookup
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels