Manually onboard network devices (alternative method)
Alert: Cisco has made the end-of-life (EOL) announcement for the Cisco Edge Device Manager (EDM).
Introduction
You can onboard a network device to IoT OD using the following manual PnP (Plug and Play) method. This is an alternative to using PnP Connect with devicehelper.cisco.com, as described in the onboarding quick start guide.
This can be useful if the network connectivity requires manual configuration, if DHCP (Dynamic Host Configuration Protocol) is not available, or if you cannot use the automatic PnP agent for any other reason.
Requirements
- Basic Cisco IOS configuration knowledge.
- Understanding of the PnP process and the IoT Operations Dashboard.
- Access to an IoT Operations Dashboard organization (tenant).
- A device that is compatible with the IoT Operations Dashboard.
- The example in this document uses an IR829 network device to connect to the IoT Operations Dashboard EU tenant (eu.ciscoiot.com).
- Internet connectivity for the network device.
- Verify the requirements in the Get Started with Operations Dashboard.
Add the network device to the IoT Operations Dashboard
Before you begin, add the device and select a template for it in the IoT Operations Dashboard. See Add and manage network devices for instructions.
Note: You will need the device serial number and PID. Enter show license udi if you are not sure.
IR800#sh license udi
Device# PID SN UDI
-----------------------------------------------------------------------------
*1 IR829GW-LTE-GA-EK9 FGL2129944M IR829GW-LTE-GA-EK9:FGL2129944M
Prepare the device
After the device is added to the Operations Dashboard, prepare the device for onboarding.
We recommend starting with a configuration that is as minimal as possible. If your device was previously used for another purpose or with the IoT Operations Dashboard/Kinetic GMM (Gateway Management Module), revert it to an empty configuration before starting.
To clean up a device that was previously used, use the following steps:
Delete related files from flash
IR829_FGL2129944M#del /f -*
IR829_FGL2129944M#del /f /r pnp*
IR829_FGL2129944M#del /f before*
IR829_FGL2129944M#del /f /r archive*
Remove the configuration
IR829_FGL2129944M#wr erase
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
*Mar 5 07:03:06.342: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
Reload the device
Note: Do not save the configuration.
IR829_FGL2129944M#reload
Do you want to reload the internal AP ? [yes/no]: no
System configuration has been modified. Save? [yes/no]: no
Proceed with reload? [confirm]
Enter the network config
After the device comes back up, enter the necessary configuration for network connectivity.
For example, when using the L3 GigabitEthernet0 interface with an SFP:
IR800(config)#interface GigabitEthernet0
IR800(config-if)#ip address 192.168.0.199 255.255.255.0
IR800(config-if)#no shut
IR800(config-if)#exit
IR800(config)#ip name-server 8.8.8.8
IR800(config)#ip route 0.0.0.0 0.0.0.0 192.168.0.1
IR800(config)#end
Or if you want to use one of the L2 interfaces on the IR829:
IR800(config)#interface GigabitEthernet1
IR800(config-if)#switchport access vlan 10
IR800(config-if)#no shut
IR800(config-if)#exit
IR800(config)#interface vlan 10
IR800(config-if)#ip address 192.168.0.199 255.255.255.0
IR800(config-if)#no shut
IR800(config-if)#exit
IR800(config)#ip name-server 8.8.8.8
IR800(config)#ip route 0.0.0.0 0.0.0.0 192.168.0.1
IR800(config)#end
Test the network connection
After configuring the network connectivity, you can optionally test if the device can communicate with the IoT Operations Dashboard.
Note: Since ICMP is disabled on eu.ciscoiot.com and us.ciscoiot.com, you cannot use ping to test the network connection.
A good check is to test the following:
IR800#telnet eu.ciscoiot.com 443
Trying eu.ciscoiot.com (52.208.73.235, 443)... Open
<press Ctrl + Shift + 6 + x>
IR800#disc
Closing connection to eu.ciscoiot.com [confirm]
If the connection is reported as Open, you have confirmed that:
- DNS is working, because the name was resolved.
- Routing to IoT OD (and back) is working.
- No firewall is blocking access to port 443.
Import the security certificate
Since HTTPS is used, import the CA certificate that the device uses to verify the IoT Operations Dashboard.
- Create a trustpoint:
IR800(config)#crypto pki trustpoint iotod
IR800(ca-trustpoint)#enrollment terminal
IR800(ca-trustpoint)#revocation-check none
IR800(ca-trustpoint)#primary
IR800(ca-trustpoint)#exit
- Load the certificate chain used by the IoT Operations Dashboard to that trustpoint. Copy the certificate from the Create a Controller Profile instructions.
IR800(config)#crypto pki authenticate iotod
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
<insert certificate contents here>
-----END CERTIFICATE-----
Trustpoint 'iotod' is a subordinate CA and holds a non self signed cert
Certificate has the following attributes:
Fingerprint MD5: ADAB5C4D F031FB92 99F71ADA 7E18F613
Fingerprint SHA1: 33E4E808 07204C2B 6182A3A1 4B591ACD 25B5F0DB
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
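Before answering yes at the prompt above, you can compute the fingerprints of the certificate you pasted on a workstation and compare them with what IOS prints. The following is an added example, not part of the Cisco procedure: the function names are hypothetical and the PEM bundle is built from constructed placeholder bytes, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed placeholder bytes standing in for DER certificates (not real certificates).
SAMPLE_DER = [b"constructed-sample-ca-1", b"constructed-sample-ca-2"]
SAMPLE_BUNDLE = "".join(
    "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
    + "-----END CERTIFICATE-----\n" for der in SAMPLE_DER)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def ios_fingerprints(pem_text):
    """Return one {'md5': ..., 'sha1': ...} dict per certificate in a PEM bundle,
    formatted like the IOS prompt: upper-case hex in groups of eight."""
    results = []
    for body in PEM_BLOCK.findall(pem_text):
        # The fingerprint is a hash over the DER bytes, i.e. the decoded PEM body.
        der = base64.b64decode("".join(body.split()), validate=True)
        entry = {}
        for algo in ("md5", "sha1"):
            digest = hashlib.new(algo, der).hexdigest().upper()
            entry[algo] = " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))
        results.append(entry)
    return results


def same_fingerprint(a, b):
    """Compare two fingerprints regardless of case, spaces or colons."""
    def strip(s):
        return re.sub(r"[^0-9A-Fa-f]", "", s).upper()
    return strip(a) != "" and strip(a) == strip(b)


if __name__ == "__main__":
    for index, fp in enumerate(ios_fingerprints(SAMPLE_BUNDLE)):
        print(index, "MD5:", fp["md5"], "SHA1:", fp["sha1"])
```

If the source provides a bundle with several certificates, each one gets its own entry, so you can tell which of them matches the fingerprint IOS displays for the trustpoint.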
Start the PNP process manually
After the above steps are complete, create the PNP profile on the device to start the process:
IR800(config)#pnp profile iotod
IR800(config-pnp-init)#$transport https host eu.ciscoiot.com port 443 remotecert iotod
IR800(config-pnp-init)#
If all goes well, your device will move to the bootstrapping state in the IoT Dashboard. After some time, it should move to the UP state.
See also Monitor network device status.
Verify the onboarding status
On the IR829 console, you will see the following, or similar, messages if all goes well:
*Mar 5 07:50:01.756: %PNP-6-PNP_SUDI_UPDATE: Device SUDI [PID:IR829GW-LTE-GA-EK9,SN:FGL2129944M] identified
*Mar 5 07:51:35.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
*Mar 5 07:51:35.010: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
*Mar 5 07:51:39.801: %TRACK-6-STATE: 1 interface Vl10 ip routing Up -> Down
*Mar 5 07:51:40.255: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Mar 5 07:51:40.283: %PKI-4-NOCONFIGAUTOSAVE: Configuration was modified. Issue "write memory" to save new IOS PKI configuration
*Mar 5 07:51:41.043: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to down
*Mar 5 07:51:41.043: %LINEPROTO-5-UPDOWN: Line protocol on Interface Wlan-GigabitEthernet0, changed state to down
*Mar 5 07:51:41.043: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
*Mar 5 07:51:42.874: %LINEPROTO-5-UPDOWN: Line protocol on Interface wlan-ap0, changed state to up
*Mar 5 07:51:42.942: %TRACK-6-STATE: 1 interface Vl10 ip routing Down -> Up
*Mar 5 07:51:43.316: %DTP-5-TRUNKPORTON: Port Wl0 has become dot1q trunk
*Mar 5 07:51:43.316: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Mar 5 07:51:43.894: %LINEPROTO-5-UPDOWN: Line protocol on Interface Wlan-GigabitEthernet0, changed state to up
*Mar 5 07:51:45.007: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(Tunnel1) Client_public_addr = 192.168.0.150
*Mar 5 07:51:45.009: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Mar 5 07:51:45.011: %IP_VFR-7-FEATURE_DISABLE_IN: VFR(in) is manually disabled through CLI; VFR support for features that have internally enabled, will be made available only when VFR is enabled manually on interface Loopback1
*Mar 5 07:51:45.147: % Multiple self signed certificates in config
certificate for trust point TP-self-signed-422713650 ignored
*Mar 5 07:51:45.439: %DTP-5-NONTRUNKPORTON: Port Wl0 has become non-trunk
*Mar 5 07:51:46.879: %LINK-5-CHANGED: Interface Vlan20, changed state to administratively down
*Mar 5 07:51:47.041: %LINK-5-CHANGED: Interface Loopback1, changed state to administratively down
*Mar 5 07:51:47.409: %WLAN_AP_INTF-6-NOCHANGE: Interface wlan-ap0, always stays up, to session into service-module
*Mar 5 07:51:48.108: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to down
*Mar 5 07:51:50.658: %WLAN_AP_INTF-6-NOCHANGE: Interface wlan-ap0, always stays up, to session into service-module
*Mar 5 07:51:54.152: %WLAN_AP_INTF-6-NOCHANGE: Interface wlan-ap0, always stays up, to session into service-module
*Mar 5 07:51:58.071: %WLAN_AP_INTF-6-NOCHANGE: Interface wlan-ap0, always stays up, to session into service-module
*Mar 5 07:52:01.680: %WLAN_AP_INTF-6-NOCHANGE: Interface wlan-ap0, always stays up, to session into service-module
*Mar 5 07:52:02.416: %PNP-6-PNP_SAVING_TECH_SUMMARY: Saving PnP tech summary (/pnp-tech/pnp-tech-error-summary)... Please wait. Do not interrupt.
*Mar 5 07:52:03.180: %PNP-6-PNP_TECH_SUMMARY_SAVED_OK: PnP tech summary (/pnp-tech/pnp-tech-error-summary) saved successfully (elapsed time: 1 seconds).
*Mar 5 07:52:40.314: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
*Mar 5 07:53:03.047: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Mar 5 07:53:03.061: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(Tunnel1) Client_public_addr = 192.168.0.150 Server_public_addr = 54.72.71.96
*Mar 5 07:53:03.065: %PKI-4-NOCONFIGAUTOSAVE: Configuration was modified. Issue "write memory" to save new IOS PKI configuration
*Mar 5 07:53:03.195: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(Tunnel1) Client_public_addr = 192.168.0.150 Server_public_addr = 54.72.71.96
*Mar 5 07:53:03.990: %LINEPROTO-5-UPDOWN: Line protocol on Interface Wlan-GigabitEthernet0, changed state to down
*Mar 5 07:53:04.026: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
*Mar 5 07:53:06.520: %DTP-5-TRUNKPORTON: Port Wl0 has become dot1q trunk
*Mar 5 07:53:07.645: %LINEPROTO-5-UPDOWN: Line protocol on Interface Wlan-GigabitEthernet0, changed state to up
*Mar 5 07:53:37.126: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
*Mar 5 07:54:03.452: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
*Mar 5 07:54:03.452: %TRACK-6-STATE: 111 interface Tu1 ip routing Down -> Up
*Mar 5 07:54:03.454: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(Tunnel1) Client_public_addr = 192.168.0.150 Server_public_addr = 54.72.71.96 Assigned_Tunnel_v4_addr = 172.17.9.237
Translating "eu-int.ciscoiot.com"...domain server (195.130.130.5) [OK]
*Mar 5 07:56:27.071: %SYS-5-CONFIG_I: Configured from console by admin on vty0
*Mar 5 07:56:43.128: Configuring snmpv3 USM user, persisting snmpEngineBoots. Please Wait...
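The console output above can be reduced to the few facts that matter for onboarding: which device identified itself and whether the FlexVPN tunnel ended in the up state. The following is an added example, not Cisco tooling: the function name is hypothetical, the sample lines are a subset copied from the output on this page, and treating FLEXVPN_CONNECTION_UP as the sign that the management tunnel is established is an assumption.

```python
import re

# Subset of the console output shown on this page (copied, not a new capture).
SAMPLE_LOG = """\
*Mar 5 07:50:01.756: %PNP-6-PNP_SUDI_UPDATE: Device SUDI [PID:IR829GW-LTE-GA-EK9,SN:FGL2129944M] identified
*Mar 5 07:51:45.007: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(Tunnel1) Client_public_addr = 192.168.0.150
*Mar 5 07:51:45.147: % Multiple self signed certificates in config
*Mar 5 07:53:03.061: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(Tunnel1) Client_public_addr = 192.168.0.150 Server_public_addr = 54.72.71.96
*Mar 5 07:54:03.452: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
*Mar 5 07:54:03.454: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(Tunnel1) Client_public_addr = 192.168.0.150 Server_public_addr = 54.72.71.96 Assigned_Tunnel_v4_addr = 172.17.9.237
"""

# IOS syslog shape: *<timestamp>: %FACILITY-SEVERITY-MNEMONIC: <text>
SYSLOG = re.compile(
    r"^\*(?P<ts>.+?): %(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<msg>.*)$")
SUDI = re.compile(r"\[PID:(?P<pid>[^,\]]+),SN:(?P<sn>[^\]]+)\]")
KEY_VALUE = re.compile(r"(\w+) = (\S+)")


def onboarding_summary(log_text, expected_sn=None):
    """Summarise a console capture; expected_sn is the SN from 'show license udi'."""
    out = {"pid": None, "sn": None, "sn_matches": None, "tunnel_up": False,
           "tunnel_addr": None, "server_addr": None, "down_events": 0}
    for line in log_text.splitlines():
        m = SYSLOG.match(line.strip())
        if not m:
            continue  # wrapped continuation lines and non-syslog console output
        mnem, msg = m["mnem"], m["msg"]
        if mnem == "PNP_SUDI_UPDATE":
            sudi = SUDI.search(msg)
            if sudi:
                out["pid"], out["sn"] = sudi["pid"], sudi["sn"]
                if expected_sn is not None:
                    out["sn_matches"] = sudi["sn"] == expected_sn
        elif mnem in ("FLEXVPN_CONNECTION_UP", "FLEXVPN_CONNECTION_DOWN"):
            fields = dict(KEY_VALUE.findall(msg))
            out["server_addr"] = fields.get("Server_public_addr", out["server_addr"])
            out["tunnel_up"] = mnem.endswith("_UP")  # the last event wins
            out["tunnel_addr"] = (fields.get("Assigned_Tunnel_v4_addr")
                                  if out["tunnel_up"] else None)
            if not out["tunnel_up"]:
                out["down_events"] += 1
    return out


if __name__ == "__main__":
    print(onboarding_summary(SAMPLE_LOG, expected_sn="FGL2129944M"))
```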
Troubleshoot
If PNP is not starting and the device is not moving to bootstrapping in the IoT Operations Dashboard:
- Check connectivity to the IoT Operations Dashboard using the telnet command explained in the article.
- Test HTTPS connectivity using:
more https://eu.ciscoiot.com/coreshell/dashboard
- This should return the HTML of the login page.
- If this is not working, you can check further by running debug ip http client ?.
- Check the status of PNP:
show pnp task
If the device stays in the bootstrapping state:
- Check the event log on the IoT Operations Dashboard for pointers: Edge Device Manager > Inventory > your device > Event Log.
- Check the status of the CGNA profile on the device:
show cgna profile-state all
- Test connectivity to the URL on the CGNA profile with the same method as explained above.
- Enable debugging for CGNA:
debug cgna logging ?