DNAC Troubleshooting Tips & Tricks

"The What?" - In this blog I want to share some valuable Digital Network Architecture Center (DNAC) tips & tricks that I have collected that are quite useful when needing to troubleshoot/perform some basic admin duties.


"The Why?" - I have been fortunate to work in an Software-Defined Access (SDA) environment for a few years now. During this time I have encountered issues, worked with Cisco TAC/BU, & along the way picked up some helpful items. Hopefully these helps others during their journeys with SDA/DNAC.


"The How?" - Ok, so here are a collection of command examples to perform a variety of tasks and/or aide in troubleshooting:


DNAC info for upgrade status:

  • $ sudo maglev system_updater update_info --shows status of upgrade via cli

Tail logs during DNAC upgrade:

  • $magctl service logs -rf system_updater --tail logs in real time

Output logs to identify issues with hosts that failed installing host components:

  • $magctl service logs -r system_updater > system_updater.log --outputs log to file in current directory

Check appstack statuses:

  • $magctl appstack status

  • $magctl appstack status -fw --f pulls up anything not in running status; w watch live;

  • $magctl appstack status | grep 0/ --determine appstack issues

Terminate hung pods if depicted as 'Null' in GUI and/or 'terminating' via CLI; verify with $sudo magctl appstack status | grep 0/:

  • $magctl service kill <service> example: kong-775f685fdb-8ccbz --kills hung pods

Restart a hung pod:

  • $magctl service restart -d <pod>

Get Chassis product information:

  • $ sudo cat /sys/devices/virtual/dmi/id/product_name

Get Chassis serial number:

  • $ sudo cat /sys/devices/virtual/dmi/id/product_serial

Halt the appliances:

Warm reboot appliances:

  • $sudo shutdown -r now

Change DNAC admin password from CLI with maglev:

  • $magctl user password update admin -p <pass> TNT0

Check DNAC configured interfaces:

  • $sudo ip a | egrep "enp|eno|management|internet|cluster|enterprise"

Enable External Authentication fallback from CLI so you can locally login to DNAC if remote AAA is having issues:

  • $sudo magctl rbac external_auth_fallback enable/disable --enable allows local user login; disable only allows AAA external auth;

Verify is external authentication is enabled/disabled:

  • $ sudo magctl rbac external_auth_fallback display

Verify validity of internal DNAC certificates:

  • $sudo maglev-config certs info --show internal cert statuses/expiration

Lastly, I want to share a few Cisco links that are very helpful:


NOTE: I strongly suggest working directly with TAC for any issues to ensure you have their support. These notes are meant to provide help & save time, but not an end-all be-all by any means.


Thanks for reading, Cheers!


0 comments

Recent Posts

See All

In this post I want to cover the ESA Email pipeline. The email pipeline represents how emails are processed through the system from start to finish. The pipeline consists of 3 main phases: Receipt:

I recently started pursuing email security studies. Other posts have mentioned this, and a recent post shared a deeper look at SPF. In this blog I want to cover DKIM & DMARC. Starting with DKIM, it

In the post I want to breakdown & cover SPF in more detail. Especially as I continue to embark on the email security journey/track. before beginning, here is another brief overview of what SPF entai