...
After conversion from NXOS to ACI (or booting an ACI image from the loader prompt), the switch may end up in a boot loop due to policyelem hap reset.

[ 515.607768] @@@cctrli: wrote 16 to scratch RR
[ 515.660368] nvram_klm wrote rr=16 rr_str=policyelem hap reset to nvram
[ 515.736919] Collected 9 ext4 filesystems
[ 515.787134] Freezing filesystems
[ 515.870371] Collected 0 ubi filesystems
[ 515.917365] Freezing filesystems
[ 515.958101] Done freezing filesystems
[ 516.004045] Putting SSD in stdby
[ 516.977462] Done putting SSD in stdby 0
[ 517.024456] Done offlining SSD
[ 517.062066] Writing reg=0x84 val=0x80000000
The system SSL CERT is invalid. This is seen with N9k chassis running ACI version 4.2.x/14.2.x or higher. The issue affects a subset of chassis, and work is ongoing to identify the potentially impacted ones.
This is expected behavior from Policy Element when the SSL CERT is invalid on release 4.2(x)/14.2(x) or higher. Downgrade the switch version to 13.2x or lower if that's an option, as Policy Element has a different method to validate certificates.
This is typically seen after an RMA of an ACI Leaf switch, as certificates are not properly installed.

In order to confirm the issue, you will need to:

1) Boot the switch by breaking into the boot loader and using:
cmdline no_hap_reset boot

2) Verify the following PE logs:
cat /tmp/logs/dme_logs/svc_ifc_policyelem.log*

If you see such logs, you are hitting the SSL CERT issue:
14754||2021-11-24T09:31:20.680537357+00:00||ifm||DBG4||co=ifm||Using regular cert's.||../dme/common/src/ifm/./IFMSSL.cc||287
14754||2021-11-24T09:31:20.681056311+00:00||ifm||DBG4||co=ifm||Failed to match Switch Regex ||../dme/common/src/ifm/./PeerVerificationUtils.cc||163
14754||2021-11-24T09:31:20.681094585+00:00||ifm||DBG4||co=ifm||Switch Certificate & SN mismatch||../dme/common/src/ifm/./IFMSSL.cc||309
14754||2021-11-24T09:31:20.681155894+00:00||ifm||ERROR||co=ifm||Failed to load the default SSL Engine||../dme/common/src/ifm/./IFMSSL.cc||208
14754||2021-11-24T09:31:20.681196907+00:00||log||CRIT||co=ifm||UNCONDITIONAL ASSERT (PANIC!) (!"failed to initialize openssl") failed @ ../dme/common/src/ifm/./Connection.cc:339

3) Verify the CERT itself:
From a fully booted and mounted switch:
- openssl x509 -noout -subject -in /mnt/ifc/cfg/isan/plugin/0/securedata/ssl/server.crt
From an affected switch:
- openssl x509 -noout -subject -in /securedata/ssl/server.crt
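Added example (not Cisco code and not part of the original page): a Python script for triaging collected svc_ifc_policyelem.log files offline. It parses the `||`-delimited records from step 2 and reports a process only if it logged the certificate/SN mismatch, the SSL engine load failure and the OpenSSL assert in that order. The field names and the embedded sample are assumptions built from the five lines quoted in step 2.

```python
import sys
from collections import defaultdict

# Constructed sample: the five records quoted in step 2, one per line.
SAMPLE = """\
14754||2021-11-24T09:31:20.680537357+00:00||ifm||DBG4||co=ifm||Using regular cert's.||../dme/common/src/ifm/./IFMSSL.cc||287
14754||2021-11-24T09:31:20.681056311+00:00||ifm||DBG4||co=ifm||Failed to match Switch Regex ||../dme/common/src/ifm/./PeerVerificationUtils.cc||163
14754||2021-11-24T09:31:20.681094585+00:00||ifm||DBG4||co=ifm||Switch Certificate & SN mismatch||../dme/common/src/ifm/./IFMSSL.cc||309
14754||2021-11-24T09:31:20.681155894+00:00||ifm||ERROR||co=ifm||Failed to load the default SSL Engine||../dme/common/src/ifm/./IFMSSL.cc||208
14754||2021-11-24T09:31:20.681196907+00:00||log||CRIT||co=ifm||UNCONDITIONAL ASSERT (PANIC!) (!"failed to initialize openssl") failed @ ../dme/common/src/ifm/./Connection.cc:339
"""

# Message substrings from the excerpt on this page, in the order they were logged.
SIGNATURE = (
    "Switch Certificate & SN mismatch",
    "Failed to load the default SSL Engine",
    "failed to initialize openssl",
)

def parse_line(line):
    """Split one '||'-delimited record; return None if it is not in that layout."""
    parts = line.rstrip("\n").split("||")
    if len(parts) < 6 or not parts[0].isdigit():
        return None
    # Field names are assumptions; the CRIT assert line carries its source
    # location inside the message and has no trailing file/line fields.
    return {"pid": int(parts[0]), "ts": parts[1], "level": parts[3],
            "msg": parts[5], "src": parts[6] if len(parts) > 6 else None}

def find_cert_failures(lines):
    """Return (pid, panic timestamp) for each process that logged the full signature in order."""
    progress, hits = defaultdict(int), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # e.g. kernel console lines mixed into the capture
        step = progress[rec["pid"]]
        if SIGNATURE[step] in rec["msg"]:
            step += 1
            if step == len(SIGNATURE):
                hits.append((rec["pid"], rec["ts"]))
                step = 0
            progress[rec["pid"]] = step
    return hits

if __name__ == "__main__":
    # With no arguments, run on the constructed sample; otherwise read the named log files.
    paths = sys.argv[1:]
    lines = SAMPLE.splitlines() if not paths else [l for p in paths for l in open(p, errors="replace")]
    for pid, ts in find_cert_failures(lines):
        print(f"pid {pid}: certificate/SN mismatch led to OpenSSL init panic at {ts}")
```

A hap reset boot loop whose logs produce no hit here has a different cause than the certificate/SN mismatch described above.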