How To confirm that Panorama communicate with Cisco ACI Fabrics

Created On 01/18/21 13:10 PM - Last Modified 02/03/21 21:54 PM


Objective


This article explains how to confirm that Panorama is communicating with the Cisco ACI fabrics after the configuration has been completed as described in the admin guide.



Environment


  • Any Panorama.
  • PAN-OS 9.1 and above.
  • Integration with Cisco ACI.


Procedure


  1. Check the status of the connection with all ACI fabrics
admin@aci-pan-67> show plugins cisco status

Cluster Name          Status    Last Updated Time             Error Msg
----------------------------------------------------------------------------------------------------
apic1                 Success   2021-01-18T12:12:14.963000

 
  2. Check the WebSocket connections on Panorama and confirm that at least one is in the ESTABLISHED state with the Cisco APIC fabric IP
admin@aci-pan-67> show netstat all yes numeric-hosts yes verbose yes | match 10.46.32.221  => Replace the IP with the APIC IP from your configuration
tcp        0      0 10.46.56.67:51955       10.46.32.221:https      ESTABLISHED
tcp       32      0 10.46.56.67:58400       10.46.32.221:https      CLOSE_WAIT
tcp       32      0 10.46.56.67:58511       10.46.32.221:https      CLOSE_WAIT
tcp       32      0 10.46.56.67:59814       10.46.32.221:https      CLOSE_WAIT
tcp       32      0 10.46.56.67:38142       10.46.32.221:https      CLOSE_WAIT
tcp        0      0 10.46.56.67:51944       10.46.32.221:https      ESTABLISHED
tcp       32      0 10.46.56.67:34968       10.46.32.221:https      CLOSE_WAIT
tcp       32      0 10.46.56.67:33555       10.46.32.221:https      CLOSE_WAIT
tcp        0      0 10.46.56.67:51992       10.46.32.221:https      ESTABLISHED
tcp       32      0 10.46.56.67:60270       10.46.32.221:https      CLOSE_WAIT
tcp        0      0 10.46.56.67:51954       10.46.32.221:https      ESTABLISHED
 
  3. Check the plugin counters. No historical values are stored; counters can be cleared on demand, and a delta option is available
 
admin@aci-pan-67> show plugins cisco counters

Name                               Value     Rate      Severity       Category       Aspect         Description
---------------------------------------------------------------------------------------------------------------
Tag_push_fail                      2         0         error          tag-proc       tag_push       Number of failed tag updates pushed to configd process
apic1_full_ret_success             111065    0         info           tag-ret        api-call       Number of successful full endpoint retrievals from apic1.
apic1_invalid_ep                   488114    0         info           tag-ret        api-call       Number of endpoints retrieved outside of EPGs with apic1.
dashboard_data_update_success      111065    0         info           tag-ret        db-access      Number of successful dashboard data update in Dashboard DB.
10.46.32.221_login_success         111081    0         info           tag-ret        api-call       Number of successful logins with APIC 10.46.32.221.
ip_tag_queue_update_success        111065    0         info           tag-ret        db-access      Number of successful IP/tag updates in Queue DB.
epg_update_success                 111075    0         info           tag-ret        api-call       Number of successful epg updates

admin@aci-pan-67> clear plugins cisco counters

Counters were successfully cleared!
 
  4. Take a packet capture on Panorama and confirm that packets flow in both directions
admin@aci-pan-67> tcpdump filter "host 10.46.32.221 and port 443"   => Replace the host and use Ctrl+C to stop the capture

admin@aci-pan-67> view-pcap no-dns-lookup yes no-port-lookup yes mgmt-pcap mgmt.pcap
12:29:32.953737 IP 10.46.56.67.51955 > 10.46.32.221.443: Flags [.], ack 4223802298, win 173, length 0
12:29:32.954200 IP 10.46.32.221.443 > 10.46.56.67.51955: Flags [.], ack 1, win 245, length 0
12:29:52.855441 IP 10.46.56.67.51954 > 10.46.32.221.443: Flags [P.], seq 1974128972:1974129407, ack 1545978313, win 330, length 435
12:29:52.859215 IP 10.46.32.221.443 > 10.46.56.67.51954: Flags [P.], seq 1:683, ack 435, win 430, length 682
12:29:52.859247 IP 10.46.56.67.51954 > 10.46.32.221.443: Flags [.], ack 683, win 330, length 0
12:29:52.859593 IP 10.46.56.67.51954 > 10.46.32.221.443: Flags [P.], seq 435:870, ack 683, win 330, length 435
12:29:52.862859 IP 10.46.32.221.443 > 10.46.56.67.51954: Flags [P.], seq 683:1365, ack 870, win 438, length 682
12:29:52.903740 IP 10.46.56.67.51954 > 10.46.32.221.443: Flags [.], ack 1365, win 330, length 0
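The four checks above can be folded into one health check that parses the CLI outputs. The script below is an added example, not part of the article or the plugin; the sample outputs are constructed from the shapes shown above, and the column positions it relies on are assumed to match those shapes.

```python
# Constructed sample CLI outputs, trimmed to the shapes shown in the procedure above.
STATUS_OUTPUT = """\
Cluster Name          Status    Last Updated Time             Error Msg
----------------------------------------------------------------------------------------------------
apic1                 Success   2021-01-18T12:12:14.963000
"""
NETSTAT_OUTPUT = """\
tcp        0      0 10.46.56.67:51955       10.46.32.221:https      ESTABLISHED
tcp       32      0 10.46.56.67:58400       10.46.32.221:https      CLOSE_WAIT
tcp        0      0 10.46.56.67:51944       10.46.32.221:https      ESTABLISHED
"""
COUNTERS_OUTPUT = """\
Name                               Value     Rate      Severity       Category       Aspect         Description
---------------------------------------------------------------------------------------------------------------
Tag_push_fail                      2         0         error          tag-proc       tag_push       Number of failed tag updates pushed to configd process
apic1_full_ret_success             111065    0         info           tag-ret        api-call       Number of successful full endpoint retrievals from apic1.
"""

def fabric_status(output):
    # 'show plugins cisco status': skip header and separator, map cluster name -> Status column.
    rows = {}
    for line in output.splitlines()[2:]:
        parts = line.split()
        if len(parts) >= 2:
            rows[parts[0]] = parts[1]
    return rows

def established_sockets(output, apic_ip):
    # 'show netstat ... | match <apic_ip>': count sockets to <apic_ip>:https in ESTABLISHED state.
    return sum(1 for line in output.splitlines()
               if (p := line.split()) and len(p) >= 6
               and p[4] == f"{apic_ip}:https" and p[5] == "ESTABLISHED")

def error_counters(output):
    # 'show plugins cisco counters': non-zero counters whose Severity column is 'error'.
    errors = {}
    for line in output.splitlines()[2:]:
        p = line.split()
        if len(p) >= 4 and p[3] == "error" and int(p[1]) > 0:
            errors[p[0]] = int(p[1])
    return errors

def plugin_healthy(status_out, netstat_out, counters_out, apic_ip):
    # Healthy when every fabric reports Success and at least one WebSocket is ESTABLISHED;
    # error counters are returned alongside for the operator to review.
    statuses = fabric_status(status_out)
    ok = bool(statuses) and all(s == "Success" for s in statuses.values()) \
        and established_sockets(netstat_out, apic_ip) >= 1
    return ok, error_counters(counters_out)
```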

 


Additional Information


The Cisco ACI plugin for Panorama allows you to build a security policy for your Cisco ACI fabric using Dynamic Address Groups (DAGs). The plugin monitors for changes in an Application Policy Infrastructure Controller (APIC) fabric in your Cisco ACI environment and shares that information with Panorama. The Cisco ACI plugin works slightly differently from other Panorama plugins such as the Azure, AWS, or GCP plugins. The Cisco ACI plugin maintains a WebSocket connection with the ACI controllers and monitors the notification messages coming from ACI about endpoint updates. The Cisco ACI plugin pulls from APIC fabrics that report an endpoint change within 60 seconds and does a full sync with all APICs every 10 minutes.

 


