OPERATIONAL DEFECT DATABASE
...
...
"Error When Checking for Token Expiration 784: unexpected token at '<html> <head><title>400 Bad Request<title><head> <body> <center>400 Bad Request<center> <hr><center>nginx/1.29.1<center> <body> <html> '"
This is due to migration of Identity Provider (IDP) from Ping to Okta. Since the existing tokens are issues by IDP Ping, these tokens are not valid in Okta service causing sync to fail. If any OnPrem accounts are created after this migration, the token are issued by Okta and this issue is not seen. This is not an issue on the OnPrem. All OnPrem servers are affected by this migration to Okta.
Conditions: OnPrem sync performed with Network or Scheduled and the DB has Access Tokens prior to the Ping to Okta Migration. Cisco Bug ID : CSCwr45134 Workaround 1 : a. Create a new On-prem Account: Log in to the On-Prem Admin Workspace portal. Navigate to the 'Accounts' widget, create a new On-prem account, and approve the request by providing your credentials. This action will generate a new token with Okta (our new IDP), enabling continued functionality. Once the account creation is complete, perform a full network sync on the failing accounts. * Keep in mind you do not perform any action with this account, no device transfer or registration to CSSM, is just to refresh the internal token all onprem accounts use to talk to the cloud. b. Manual Synchronization: As an alternative to network synchronization, you can perform manual synchronizations, which will only fix the issue for that one-time resolution. This is not a permanent fix. c. Not consistent but awaiting token expiration is one option: The issue is expected to resolve automatically after a certain number of days (28/160/180, etc.), once the old Ping token cached in our container expires. You may choose to wait for this automatic resolution. Workaround 2 : Apply the script for clearing up tokens. (Attached the scripts to the KB) Take VM snapshot and backup Onprem-console Database_backup before applying workaround.Transfer the attached files under var/files/patches by using WinscpRun the below command Upgrade patches: sync_issue_token_cleanup.shPreform a network sync with CCO admin credentials. Note : After applying the script, if SSM On-Prem is not synced at least every 9 hours (i.e., before the 10-hour expiry), the sync will start failing again. In such cases, the only workaround would be to re-apply the script and continue syncing every 9 hours or less.
Click on a version to see all relevant bugs
Dell Integration
Learn more about where this data comes from
Bug Scrub Advisor
Streamline upgrades with automated vendor bug scrubs
BugZero Enterprise
Wish you caught this bug sooner? Get proactive today.
