Hello, everyone!
Today, I'd like to share a case with you.
Basic Information
| Product Name | Version |
OptiXtransE6608 | OptiXtransE6608 R20C10 |
Problem Description
The OptiXtransE6608 of the R20C10 version is newly delivered at a site.NCE cannot be created on NCE through ECC communication. As a result, NEs cannot be logged in to and uploaded to NCE. The following error information is displayed.
Problem Analysis
1. Connectivity query
Check the ECC link management. A new device can be discovered, but the ping test fails.
2. Version Problem Analysis
To query the certificate validity time, run the following command:
:pki-query-cert-detail-info:"PRESET_PKI_CA.CRT"
The preset KPI certificate time is 2021-06-16 08:33 to 2021-06-16 08:33.
The NE time is 2021-06-16 08:33.
The device time is not within the validity period of the PKI certificate. The certificate verification fails.
As a result, packets on the DCN channel from the gateway to the non-gateway are masked. Non-gateway NEs cannot be created and managed on NCE.
Root Cause
The DCN channel verification feature is added in V200R020C10. This feature uses the preconfigured PKI certificate for verification.
The device initialization script fixedly writes the NE time and factory time. The PKI certificate is preconfigured. The certificate takes effect at the application time. The device time is not within the valid range of the PKI certificate because the device initialization script is not the latest current time.
Solution
Using the command line to modify: Change the DTLS channel encryption mode of the gateway NE to normal. After the communication is normal, change the NE time to the latest time, and then restore the DTLS channel encryption mode.
:cm-get-encrypt-mode;
:cm-set-encrypt-mode:normal;
Using the NMS to Modify: On the NMS, choose Security > Communication Services > DTLS Channel Encryption Management. Select the GNE and change the mode to normal.
Preventive Action
1 Perform single-NE commissioning on the NE to synchronize the current NE time. After the NE accesses the network, synchronize the NE time with the NMS or NTP time.
2 After devices are delivered, use scripts to change the NE time to the latest time.
Welcome to leave a message below.
We study together.
Thank you!
