This article describes how to fix an onboarding issue if you are running into the following error on the task:


Make sure secure mode is disabled on the appliance


Note: Please ensure that secure-mode is disabled before onboarding. On an out-of-box unit, secure-mode is disabled by default.

To check the secure-mode status:

#From CLI

request system secure-mode status

To disable secure-mode:

#From CLI

request system secure-mode disable

If secure-mode is disabled and the Director still fails to retrieve the public/pvt keys from the appliance, follow the steps below.



Confirm the reachability between the Director and Appliance Management IP


admin@Director-1:~$ ping <appliance management-IP> -s 1200   <<<-- Make sure there are no packet drops


If there are ping drops, troubleshoot the issue from VOS and make sure there is no underlay issue with the appliance:

admin@Branch-01-cli> ping 8.8.8.8 routing-instance <WAN-Transport-VR> count 500 rapid enable packet-size 1300

admin@Branch-01-cli> ping <Controller-WAN-IP> routing-instance <WAN-Transport-VR> count 500 rapid enable packet-size 1300


Confirm the reachability of the following ports from the Director shell

admin@Director-1:~$ telnet <appliance management-IP> 2022

admin@Director-1:~$ telnet <appliance management-IP> 22


Try to SSH from the Director shell to the appliance and confirm if SSH works

admin@Director-1:~$ ssh admin@<appliance management-IP>


If there is an issue with reachability on ports 22 and 2022, check the iptables rules on the VOS and the SSH jail to confirm that the Director southbound IP has not been added there, and confirm that VOS is listening on ports 22 and 2022.


[admin@Branch-01: ~] $ sudo iptables -S

admin@Branch-01-cli> show jail ssh

[admin@Branch-01: ~] $ sudo lsof -i:22

[admin@Branch-01: ~] $ sudo lsof -i:2022


If you are still seeing a problem with the public/pvt key, take the following action:


Failed to retrieve the public/pvt keys from appliance <Branch>




Check whether you are able to read the .ckey file on the appliance, and check the file size:

[admin@versa-flexvnf: ~] $ ls -la /var/lib/vs/.ckey

-rwx------ 1 root versa 0 Nov  1 02:37 /var/lib/vs/.ckey

[admin@versa-flexvnf: ~] $ sudo cat /var/lib/vs/.ckey


[admin@versa-flexvnf: ~] $



If the .ckey file doesn't show any output, please delete the file, restart the Versa Services, and then re-check if the file exists. The steps are as follows:

1) [admin@versa-flexvnf: ~] $ sudo rm /var/lib/vs/.ckey
2) [admin@versa-flexvnf: ~] $ echo "del /crypto/pki/config-keys{config_key}" | confd_cmd  -u admin -g admin -o
3) [admin@versa-flexvnf: ~] $ vsh restart
4) Once the services come up, please run the below:
5) [admin@versa-flexvnf: ~] $ sudo cat /var/lib/vs/.ckey

If it shows the .ckey, then re-onboard the appliance.
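
The check above displays the key with cat. As an added example (not part of the original article and not a Versa tool), the following script classifies the .ckey file by existence and size without printing the key to the terminal. The function names are hypothetical, the path is the one used in this article, and it is assumed to be run as root on the appliance.

```shell
#!/bin/sh
# Added example, not a Versa utility. Function names are hypothetical.
# Run as root on the appliance, since the key file is root-owned.

CKEY_PATH="${CKEY_PATH:-/var/lib/vs/.ckey}"   # path taken from this article

# Prints one of: missing | unreadable | empty | present
ckey_state() {
    f="${1:-$CKEY_PATH}"
    if [ ! -e "$f" ]; then
        echo missing
    elif [ ! -r "$f" ]; then
        echo unreadable
    elif [ ! -s "$f" ]; then
        echo empty            # the 0-byte case shown in the ls -la output above
    else
        echo present
    fi
}

# Byte count only, so the key never lands in terminal scrollback or a log.
ckey_size() {
    wc -c < "${1:-$CKEY_PATH}" | tr -d ' '
}

# Maps the state to the next step of the procedure in this article.
ckey_next_step() {
    case "$(ckey_state "${1:-}")" in
        present)    echo "key file has $(ckey_size "${1:-}") bytes: re-onboard the appliance" ;;
        empty)      echo "key file is 0 bytes: delete it, delete config-keys, vsh restart, re-check" ;;
        missing)    echo "key file absent: continue with steps 2 to 5, then re-check" ;;
        unreadable) echo "cannot read key file: re-run as root" ;;
    esac
}

# With no argument this checks the default path.
ckey_next_step "${1:-}"
```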


Note: Before re-onboarding the appliance, please make sure you deleted the device from Administrator > Appliances and redeployed the device from Workflow > Devices to clear the cache on the Director.


If you are still running into the same issue, confirm that the TPM is in a good state:

[admin@versa-flexvnf: ~] $ vsh connect vsmd

vsm-vcsn0> show vsm tpm stats


If it is enabled, run the command below to check whether it is able to decrypt:

[admin@versa-flexvnf: ~] $ sudo /opt/versa/util/ckey_util 1234


If it gives an error, the appliance is running into a TPM issue. Disable TPM from the BIOS, then delete the ckey and config_keys using the previous shell commands and try to re-onboard again.


For TPM, note the following bug, which is fixed after the Oct 2023 releases:

Bug 98093 - TPM decryption failure when VOS is powered off and powered ON


If you are still running into an issue after following the above steps, please reach out to Versa Support [email protected]