Recently I upgraded a Cisco Prime Infrastructure deployment for a customer and, after the normal wait for the database migrations and the restart of the ACS appliance, I ran into the issue that quite a few network devices were set to unreachable.
After some troubleshooting I found out that it was only the devices that were configured with a hostname and not an IP address in the inventory. That brought me to troubleshooting on the CLI, which gave me the following output:
prime-server-1/admin# ping switch1.domain.com
% Error: Error invoking ping for the provided host
So something is wrong, and that was odd as the DNS servers were up, running and reachable. I managed to analyse this further and found out that Cisco Prime 3.9 has implemented a new feature, DNSSEC, and has enabled it by default. It can result in DNS errors in ACS (upon which Prime runs), resulting in the above output.
Cisco registered this as caveat CSCvx06532.
Workaround
The workaround is relatively easy: just disable DNSSEC. How? Just perform the following steps:
- Log in to the CLI of your Prime deployment
- Hit config mode
- Disable dnssec
- Save config
Below is the output of the change I performed.
prime-server-1/admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
prime-server-1/admin(config)# no ip dnssec
prime-server-1/admin(config)# end
prime-server-1/admin# write memory
prime-server-1/admin# ping switch1.domain.com
PING switch1.domain.com (10.1.1.22) 56(84) bytes of data.
64 bytes from 10.1.1.22: icmp_seq=1 ttl=253 time=0.536 ms
64 bytes from 10.1.1.22: icmp_seq=2 ttl=253 time=0.751 ms
64 bytes from 10.1.1.22: icmp_seq=3 ttl=253 time=0.574 ms
64 bytes from 10.1.1.22: icmp_seq=4 ttl=253 time=0.579 ms
--- switch1.domain.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 0.536/0.610/0.751/0.083 ms
prime-server-1/admin#
And voila, DNS is working and inventory is recovering.
I hope this quick tip helps you when you upgrade Prime and run into this issue.
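
An added example, not part of the original post and not Cisco code: before leaving validation off, you can confirm that DNSSEC validation (and not the DNS servers themselves) is rejecting the name by comparing the reply to a normal query with the reply to the same query sent with the CD (checking disabled) bit set. It generalizes beyond Prime and assumes the lookups go through a validating resolver whose raw replies you captured; the function names and byte strings below are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035; AD and CD from RFC 4035).
QR, AD, CD = 0x8000, 0x0020, 0x0010
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of a DNS response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & QR:
        raise ValueError("message is a query, not a response")
    rcode = flags & 0x000F
    return {"id": ident, "rcode": RCODES.get(rcode, str(rcode)),
            "ad": bool(flags & AD), "cd": bool(flags & CD), "answers": an}

def triage(normal: bytes, checking_disabled: bytes) -> str:
    """Compare the reply to a normal query with the reply to the same
    query sent with CD=1 (validation skipped by the resolver)."""
    n, c = parse_header(normal), parse_header(checking_disabled)
    if not c["cd"]:
        raise ValueError("second reply does not echo the CD bit")
    if n["rcode"] == "SERVFAIL":
        # Data exists but the validator rejected it -> DNSSEC is the cause.
        if c["rcode"] == "NOERROR" and c["answers"] > 0:
            return "dnssec-validation-failure"
        return "resolver-or-upstream-failure"
    if n["rcode"] == "NOERROR":
        return "validated" if n["ad"] else "resolves-unvalidated"
    return "other:" + n["rcode"]

def _hdr(flags: int, answers: int) -> bytes:
    # Constructed sample header: id 0x1a2b, one question, no NS/AR records.
    return struct.pack("!6H", 0x1A2B, flags, 1, answers, 0, 0)

# Constructed replies (QR|RD|RA = 0x8180 as the base flags).
SERVFAIL_REPLY = _hdr(0x8182, 0)      # normal query: SERVFAIL
CD_OK_REPLY = _hdr(0x8190, 1)         # CD=1 query: NOERROR, one answer
CD_FAIL_REPLY = _hdr(0x8192, 0)       # CD=1 query: still SERVFAIL
SIGNED_OK_REPLY = _hdr(0x81A0, 1)     # normal query: NOERROR with AD set
PLAIN_OK_REPLY = _hdr(0x8180, 1)      # normal query: NOERROR, AD clear

if __name__ == "__main__":
    print(triage(SERVFAIL_REPLY, CD_OK_REPLY))
    print(triage(SERVFAIL_REPLY, CD_FAIL_REPLY))
    print(triage(SIGNED_OK_REPLY, CD_OK_REPLY))
    print(triage(PLAIN_OK_REPLY, CD_OK_REPLY))
```

A result of dnssec-validation-failure points at the zone's signatures or chain of trust, which is where a fix that allows DNSSEC to be re-enabled would have to happen.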