Symptoms
Issue:
- Downloaded the fresh DCNM SAN Java client via DCNM Web client post the upgrade, the client reports "RequestSendFailed: EJBCLIENT000409: No more destinations are available".
Environment:- The DCNM vApp is deployed with OVA.Changes:- The DCNM is upgrade to 11.5(1).
Cause
Post the upgrade, the certificate imported in "\bin\fmtrust.jks" doesn' match the DCNM web certificate in use.How to verify:- The web certificate "dcnmweb.crt" and Trust Key Store "fmtrust.jks" are saved under "/var/lib/dcnm/afw/apigateway/". Copy these 2 files to an external Windows host.- Extract the certificate from the "fmtrust.jks" file.` -exportcert -file -keystore -alias mykey`Notes:1. is the full path of keytool.exe, may find it under "\java\jdk11-win\bin", or your own JDK path.2. is for exporting the certificate file "cert.crt".3. is the full path of the "fmtrust.jks" file which is copied from the DCNM.4. Hit "Enter" when the keytool asks for a keystore password.- Double-click the exported certificate "cert.crt" to get its SN in the "Details" tab of the popup window.- Double-click the saved DCNM web certificate "dcnmweb.crt" to get its SN in the "Details" tab of the popup window.- If these serial numbers don't match, the "fmtrust.jks" in the DCNM server must be updated to resolve this issue.
Resolution
Run `appmgr afw update-cert-dcnm-client` to update the fmtrust.jks, and then redownloaded the SAN Java client via the DCNM web client.MUST do this step post upgrading to 11.5(1) for OVA/ISO deployment.(https://www.cisco.com/c/en/us/td/docs/dcn/dcnm/1151/installation/san/cisco-dcnm-san-install-upgrade-guide-1151.pdf, the note is under "Launching SAN Client and Device Manager".)
