Recently I upgraded a Cisco Prime Infrastructure deployment for a customer, and after the normal wait for the database migrations and the restart of the ACS appliance, I ran into the issue that quite a few network devices were set to unreachable.

After some troubleshooting I found out that it was only the devices that were configured with a hostname and not an IP address in the inventory. That brought me to troubleshooting on the CLI, which gave me the following output:

prime-server-1/admin# ping
% Error: Error invoking ping for the provided host

So something is wrong, and that was odd as the DNS servers were up, running and reachable. I managed to analyse this further and found out that Cisco Prime 3.9 has implemented a new feature, DNSSEC, and has enabled it by default. It can result in DNS errors in ACS (upon which Prime runs), resulting in the above output.

Cisco registered this as caveat CSCvx06532 


The workaround is relatively easy: just disable DNSSEC. How? Just perform the following steps:

  1. Log in to the CLI of your Prime deployment
  2. Hit config mode
  3. Disable dnssec
  4. Save config


Below is the output of the change I performed. 

prime-server-1/admin# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
prime-server-1/admin(config)# no ip dnssec 
prime-server-1/admin(config)# end
prime-server-1/admin# write memory 
prime-server-1/admin# ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=253 time=0.536 ms
64 bytes from icmp_seq=2 ttl=253 time=0.751 ms
64 bytes from icmp_seq=3 ttl=253 time=0.574 ms
64 bytes from icmp_seq=4 ttl=253 time=0.579 ms

--- ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 0.536/0.610/0.751/0.083 ms

And voila, DNS is working and inventory is recovering. 

I hope this quick tip helps you when you upgrade Prime and run into this issue.
