Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Employee
Employee

CDT failed with API error - Fingerprint change

Hi,

 

I working with my customer to use the CDT tool to upgrade hundreds of gateway. In my test environment version 1.8 works fine albeit with some import error occasionally but nothing deadly, just need to re-run the CDT.

 

However when my customer does it in his MDM production environment, he encountered the strange error, while trying to upgrade from R77.30 to R80.30. The CDT stopped at "Prepare new post policy" after importing the upgrade package, and 3 hours later it exited with API call error, stating fingerprint change. 

 

Re-run of the CDT tool produce the same result. Any advice from the expert?  

 

*** LOG ***  

Tue May  5 14:36:37 2020 *N* [cdt_fw]: Finished executing action #2 Import Package on cdt_fw

Tue May  5 14:36:37 2020 *N* [cdt_fw]: Executing Action - Install Package

Tue May  5 14:36:37 2020 *N* [cdt_fw]: Executing stage - Prepare new post policy

Tue May  5 18:21:20 2020 *E* [cdt_fw]:

************************************************

An error has occurred in stage Prepare new post policy of machine cdt_fw:

 

Error code 43 - Failed to prepare and compile new firewall policy for the target machine's version. Make sure that the policy is saved and that no SmartDashboard sessions are connected to this server or update the policy manually via SmartDashboard and try again.

 

Additional Information:

-----------------------

 

        ************************************************

        DB Operations error has occurred:

 

        Error code 19 - Error querying the management database.

        Make sure that the policy is saved and that no SmartDashboard sessions are connected to this server.

 

        Details:

        --------

        Failed to parse json from mgmt_cli

 

        Additional Information:

        -----------------------

 

                Command Summary:

                Command = mgmt_cli show api-versions -r true --format json

                Return code = 1

                Output = Fingerprint of server 127.0.0.1 was changed

 

                To protect against impersonation, compare the following fingerprint with the one displayed by the api management tool (api fingerprint).

 

                SHA1 Fingerprint=D9:98:DC:E0:CF:F6:1E:F9:19:AE:5A:EC:9B:93:DB:CA:50:8B:B3:AD

                English Fingerprint=SETS OBOE ROB IVAN CADY FACE HE DICE MILE REP SOW SUNG

 

                Do you accept the fingerprint? (y/n) [n] ? Do you accept the fingerprint? (y/n) [n] ? Peer certificate cannot be authenticated with given CA certificates

                Fingerprint of server 127.0.0.1 was changed

 

                To protect against impersonation, compare the following fingerprint with the one displayed by the api management tool (api fingerprint).

 

                SHA1 Fingerprint=D9:98:DC:E0:CF:F6:1E:F9:19:AE:5A:EC:9B:93:DB:CA:50:8B:B3:AD

                English Fingerprint=SETS OBOE ROB IVAN CADY FACE HE DICE MILE REP SOW SUNG

 

                Do you accept the fingerprint? (y/n) [n] ? Logout failed

 

        ************************************************

 

 

0 Kudos
4 Replies
Highlighted

This is content for TAC case and not for forum.
0 Kudos
Highlighted
Admin
Admin

What happens if you run (from the CLI of the MDM): mgmt_cli show api-versions -r true --format json
And you accept all the warnings…and try with CDT again?

Of course a seperate question would be why did the certificate change. Which implies the ICA may have been regenerated recently.
0 Kudos
Highlighted
Employee
Employee

Hi, 

Looks like the certificate on the machine changed and the API command cannot run until the new fingerprint is accepted.

you need to run the following command to accept the new fingerprint

 

mgmt_cli show api-versions -r true --format json --unsafe-auto-accept true

 

0 Kudos
Highlighted
Employee
Employee

Thanks, Mahmods and Phoneboy. This solve the problem. The ICA was reset a couple of months ago, prior to the MDS being upgraded to R80. I thought this Mgmt_cli was a R80 thing.

0 Kudos