Brownfield Validation Messages
This chapter contains the following sections:
Adding Greenfield and Brownfield Devices to Cisco IWAN
The Cisco IWAN application (IWAN app) can add “greenfield” or “brownfield” devices to the IWAN network.
“Greenfield” refers to new, unconfigured devices. Because these devices do not have any pre-existing configuration, there are no conflicts when bringing them into the IWAN network and configuring them using the IWAN app.
“Brownfield” refers to devices that belong to existing sites that are being added to an IWAN network. They may have pre-existing configurations to synchronize with IWAN-based configuration, and these existing configurations may cause conflicts.
Validation
While provisioning a brownfield device, the IWAN app performs a validation to determine whether any configuration conflicts exist. It reports the conflicts in two categories:
- Errors—Conflicts that prevent adding the device to the IWAN network.
- Warnings—Conflicts that do not prevent the device from being added to the IWAN network. It is recommended to correct the configuration issues that trigger validation warnings.
If the IWAN app detects an error or warning during provisioning, correct the issue on the device and perform the validation again. Refer to the Errors and Warnings sections below for details.
Errors
The following table describes errors that can occur during validation. These errors prevent adding a device to the IWAN network.
Table A-1 Validation Errors
|
|
Username configuration must have privilege level 15. |
Configure a username with privilege level 15 on the device.
username username privilege 15 password 0 password |
PfR configuration must not be present on the device. |
Ensure that Performance Routing (PfR) configuration is not present on the device.
no domain ONE |
QoS configuration must not be present on the device. |
Ensure that Quality of Service (QoS) configuration is not present on the device.
no class-map match-any nbar-12-cls#VOICE no policy-map nbar-12-cls no policy-map IWAN-INTERFACE-SHAPE-ONLY-INTERNET no service-policy input nbar-12-cls no service-policy output IWAN-INTERFACE-SHAPE-ONLY-INTERNET |
Interface loopback 47233 must not be configured on the device. |
Remove interface loopback 47233 from the device.
no interface loopback47233 |
IWAN trustpoint configuration must not be present on device. |
Remove Cisco IWAN trustpoint configuration from the device.
no crypto pki trustpoint sdn-network-infra-iwan |
VPN routing and forwarding (VRF) configuration must not be present on the device. |
Remove the existing VRFs as VRFs as it will interfere with the Cisco IWAN configuration. Make sure that the routers do not have any of the following VRFs:
- IWAN-TRANSPORT-1
- IWAN-TRANSPORT-2
- IWAN-TRANSPORT-3
- IWAN-TRANSPORT-4
no ip vrf IWAN-TRANSPORT-4 |
Recovery configuration file unavailable in flash |
IWAN recovery configuration file "IWAN_RECOVERY.cfg" is needed to enable recovery of device. Create a recovery file using the CLI command: copy running-config flash:IWAN_RECOVERY.cfg |
Conflicting EIGRP configuration present on the device |
Remove EIGRP configuration using the CLI command: no router eigrp IWAN-EIGRP |
Configure Port-Channel in aggregate mode to support QoS policy configuration |
Applicable only to ASR routers. Ensure that port-channel is in aggregate mode when it is used as WAN/LAN interface. Configure port-channel aggregate mode using the CLI command: platform qos port-channel-aggregate <port-channel-number> |
QoS policy configuration is not supported for the targeted type of interface: Port-Channel |
Device platform type does not support QoS policy configuration on port-channel interface. Choose other types of LAN/WAN interface. |
Warnings
The following table describes errors that can occur during validation. These warnings do not prevent a device from being added to the IWAN network, but it is recommended to correct the issues that trigger these warnings.
Table A-2 Validation Warnings
|
|
Please make sure at least two interfaces for WAN and LAN are up and running. |
Ensure that the two interfaces for WAN and LAN are up and running. Verify using the show ip interface brief command. |
IWAN related crypto configuration found on the device. |
Remove the crypto configuration because the crypto configuration might interfere with the Cisco IWAN configuration.
crypto zeroize mypubkey rsa sdn-network-infra-iwan |
No routing protocol found on device. |
Enable one of the following routing protocols on the device.
router ospf AS number router eigrp AS number router bgp AS number |
EZPM configuration found on the device. |
Remove Easy Performance Monitor (EZPM) configuration as EZPM configuration might interfere with the Cisco IWAN configuration.
no class-map match-all Business-Critical-and-default-tcp-only no performance monitor context IWAN-Context profile application-experience |
NBAR configuration found on the device. |
Remove the Network Based Application Recognition (NBAR) configuration as NBAR configuration might interfere with the Cisco IWAN configuration.
no ip nbar attribute-map Consumer_App_Prof no ip nbar attribute-map Other_Custom no ip nbar attribute-map Net_Admin_Custom |
No device information available for validation. |
Revalidate and if problem persists, ensure the following:
- Device is up and running.
- Device connectivity is established.
|
Device does not have valid image version and K9 package. |
The Cisco IWAN app does not support the Cisco software image loaded on the device. Boot the device with a 15.5(3) or 15.5(4) image with the K9 feature pack.
asr1000rp1-adventerprisek9.03.16.00.S.155-3.S-ext.bin |
Insufficient number of VTY lines present on the device |
A minimum of 16 VTY lines are required to be configured on the device. line vty <first-line-number> <last-line-number> |
One of the VTY line exec-timeout is less than 5 mins |
Ensure VTY line exec timeout are not less than 5 minutes Verify using the CLI command: show running-config | sec line vty |
Configured Throughput on device does not match with installed license throughput |
Applicable only to CSR routers. Remove the platform hardware throughput level CLI to achieve maximum throughput, as follows: no platform hardware throughput level MB <configured-value> |
No active license found on the device |
Applicable only to CSR routers. Either the license has expired or is not supported. Verify license issues using CLI command: show self-diagnostics |
Device does not have required license. |
Required licenses are not enabled on the device. Enable the licenses for the platform in use.
- ASR routers: adventerprisek9 or advipservicesk9 and IPSEC EULA should be accepted
- ISR 4000 Series routers: appxk9 and securityk9
- ISR G2 routers: datak9 and securityk9
- CSR routers: ax
|
Device clock is not synchronized |
Ensure that the router clock is in sync with controller clock. Verify using the show clock command. Recommended to configure NTP server using the CLI command: ntp server <controller-ip> |