The error code NCSW10301 typically appears in Cisco Catalyst Center (formerly DNA Center) when using the Software Image Management (SWIM) feature to automate downloads from Cisco.com. The full error—"Unable to download the image from cisco.com: invalid metadata_trans_id"—indicates a breakdown in the API handshake between your local appliance and Cisco’s software servers. Understanding the Root Cause
The metadata_trans_id is a unique transaction ID generated for each software request, typically expiring within 60 minutes. When Catalyst Center reports this as "invalid," it generally stems from one of three issues:
Third-Party API Instability: Sporadic issues with external providers that handle the APIs for automated downloads.
Expired Certificate Chains: If the trustpool certificates on your Catalyst Center appliance are outdated or expired, the encrypted communication with api.cisco.com fails.
ISSU Compatibility Matrix Failures: In some cases, the main image downloads successfully, but the associated In-Service Software Upgrade (ISSU) metadata fails to sync, triggering the error. Step-by-Step Troubleshooting and Workarounds 1. Manual Image Import (Immediate Workaround)
If you need to upgrade a device immediately and cannot wait for API resolution, bypass the automated system by manually importing the image:
Log in to the Cisco Software Central portal using your browser.
Download the required .bin or .tar image to your local workstation. In Catalyst Center, navigate to Design > Image Repository. Click Import and upload the file from your computer. 2. Check Certificate Trustpools
Cisco frequently updates the certificate authorities (CAs) used for secure API calls. If your appliance is running an older version, it may not recognize the new Cisco.com certificates.
Action: Review Field Notice FN74033, which addresses critical certificate updates required for Catalyst Center to communicate with Cisco servers after April 2024. 3. Verify Proxy and Firewall Settings
The Image Repository may sometimes bypass configured proxy settings, attempting a direct connection that gets blocked by your firewall.
Check: Run a packet capture (TCPDUMP) on the Catalyst Center appliance to see if it is attempting to reach cloudsso.cisco.com or api.cisco.com directly rather than through your proxy.
Allowlist: Ensure the following URLs are permitted through your firewall: *.cisco.com cloudsso.cisco.com swapi.cisco.com 4. Re-sync Cisco.com Credentials
Sometimes the session token between Catalyst Center and your Smart Account becomes stale.
The error NCSW10301 is a known issue within Cisco Catalyst Center (formerly DNA Center) that occurs when the system fails to download an image or its associated metadata (like the ISSU Compatibility Matrix) from Cisco.com. The specific "invalid metadata trans-id" typically indicates a failure in the API transaction between your controller and Cisco's automated software distribution backend. Common Causes
Known Bug: This error is documented in Cisco Bug CSCwd15921, affecting versions 2.2.3.x through 2.3.4.x.
API/External Provider Issues: Intermittent issues with the external APIs used to fetch software metadata can trigger this failure.
Expired Trustpool: Outdated or expired certificates in the controller's trustpool can prevent secure communication with Cisco's servers. The error code NCSW10301 typically appears in Cisco
Proxy Configuration: Misconfigured proxies or proxies that bypass certain authentication steps may interfere with the download process. Recommended Workarounds
If you encounter this error, use these steps to resolve or bypass the issue: Update the Trustpool Bundle: Navigate to Settings > Trust & Privacy > Trustpool.
If an update is available, click Update trustpool on controller now and retry the task. Manual Image Import (Recommended Bypass):
Download the required software image manually to your laptop or a local server from the Cisco Software Central.
Import the image into Catalyst Center manually via the Image Repository. Check Integrity Verification: Go to System > Settings > Integrity Verification.
Ensure the Known Good Values (KGV) file is up-to-date. If not, import the latest KGV directly or manually.
Are you currently running one of the affected versions mentioned (2.2.3.x–2.3.4.x), or are you on a newer release like 2.3.7.x? DNA CENTER IMAGE REPOSITORY ERROR NCSW10301
The error NCSW10301 typically indicates a failure in downloading metadata or compatibility matrices from Cisco.com, often due to expired certificates, back-end API issues, or outdated software versions. 1. Manual Workaround (Recommended)
If you need to proceed immediately, the most reliable fix is to bypass the automated download:
Download Manually: Visit the Cisco Software Central and download the specific IOS/image to your local machine.
Import to Catalyst Center: Use the Manual Import feature within the Image Repository to upload the image directly from your local drive. This bypasses the API calls causing the "invalid metadata" error. 2. Known Software Bugs and Updates
Bug CSCwd15921: This specific bug causes the ISSU Compatibility Matrix (comp_matrix.xml) to fail with the NCSW10301 error even if the image itself downloads.
Field Notice FN74033: Cisco warned that software image management (SWIM) features in older versions would stop downloading metadata after April 26, 2024. If you are on an affected version, an upgrade is required to restore automated downloads.
Bug CSCwo76764: In Catalyst Center 2.3.7.9, this error can occur if the product is not properly registered to call the service. 3. Verification and Connectivity Checks
KGV Update: Ensure your system has the latest Known Good Values (KGV) file. Check this under System > Settings > Integrity Verification.
Certificate Check: Expired trustpool certificates can break the secure tunnel to Cisco's servers. Verify your certificates under Settings > Trust & Privacy > Trustpool.
Proxy Configuration: If you are behind a proxy, verify that the Catalyst Center can reach cloudsso.cisco.com. Issues with tunneling through a proxy can cause download artifacts to fail, as noted in bug CSCwi84672. show version show logging show install all /
Which version of Catalyst Center are you currently running? This will help determine if you are affected by the April 2024 end-of-life for metadata downloads. DNA CENTER IMAGE REPOSITORY ERROR NCSW10301
The error NCSW10301: Unable to download the image from cisco.com : invalid metadata_trans_id is a common issue encountered in Cisco Catalyst Center (formerly DNA Center) during Software Image Management (SWIM) operations. This error typically indicates a failure in downloading the associated ISSU Compatibility Matrix (comp_matrix.xml) even if the base image file downloads successfully. Root Causes of NCSW10301
External API Failures: Cisco has identified that certain external providers used for metadata APIs occasionally experience sporadic outages, causing this specific "invalid metadata" response.
Software Bugs: Several bugs have been tracked for this behavior, including CSCwd15921, which affects releases 2.2.3.x through 2.3.4.x.
Registration & Approval Issues: Newer versions like 2.3.7.9 may trigger this error if the product is not properly registered or approved to call Cisco cloud services.
Certificate Expiration: Expired certificates in the Catalyst Center Trustpool can break the secure communication required to fetch metadata from software.cisco.com.
Proxy Configuration: If the appliance is behind a proxy and the SWIM engine is not correctly utilizing the proxy settings, metadata requests will fail. Step-by-Step Troubleshooting and Fixes 1. Manual Image Import (The Guaranteed Workaround)
If the automated download fails, the most reliable fix is to manually upload the image:
Download Locally: Go to the Cisco Software Download portal on your laptop and download the required .bin or .tar file.
Import to Catalyst Center: In Catalyst Center, navigate to Design > Image Repository and use the Import function to upload the file from your local machine.
Verify Integrity: Once imported, check System > Settings > Integrity Verification to ensure the image is verified against Known Good Values (KGV). 2. Refresh Cisco.com Credentials
Sometimes the token between your appliance and Cisco's servers becomes "invalid": Go to System > Settings > Cisco.com Credentials.
Remove the existing account and re-add it using your Cisco Smart Account credentials. 3. Update the Trustpool
Metadata downloads require valid root certificates to verify Cisco's servers: Navigate to Settings > Trust & Privacy > Trustpool.
Check if there is a pending update for the Cisco Trustpool and apply it to restore secure communications. 4. Verify Proxy and Connectivity
Ensure the appliance can actually reach the metadata endpoints:
Use the CLI to test connectivity to cloudsso.cisco.com and software.cisco.com. Temporary bypass (test only):
export no_proxy="*
Check if your firewall is blocking traffic to these URLs or if the appliance is attempting to bypass the configured proxy for SWIM tasks. 5. Check for Known Field Notices
Cisco released Field Notice FN74033, stating that older versions of DNA Center will fail to download metadata after April 26, 2024, due to certificate changes. If you are on an older release, an upgrade to a fixed version (e.g., 2.3.5.x or later) is required. Comparison of Solution Paths Effectiveness When to Use Manual Import Urgent upgrades or persistent API errors. Credential Refresh Authentication or account permission issues. Trustpool Update Certificate or SSL handshake failures. Software Upgrade For long-term fixes of known bugs (e.g., CSCwd15921).
Are you currently running a single-node or three-node cluster, and what is your specific software version? DNA CENTER IMAGE REPOSITORY ERROR NCSW10301
The error code typically indicates a failure within the Software Image Management (SWIM)
feature of Cisco Catalyst Center (formerly DNA Center) when attempting to download an image or its associated metadata from Cisco.com Potential Causes External API Issues
: Sporadic issues with external provider APIs used for the download feature. Failed Metadata Download
: Specifically, the download of the ISSU Compatibility Matrix ( comp_matrix.xml ) may fail even if the image itself is retrieved. Service Registration
: The product may not be properly registered or approved to call the service. Software Version Limitations
: Older versions of DNA Center (e.g., 2.2.3.x, 2.3.3.x, 2.3.4.x) are known to experience this. A field notice
notes that affected releases would stop downloading images after April 26, 2024. Recommended Workarounds
If the direct download from Cisco.com continues to fail, you can use these manual steps: Manual Image Import
Download the required software image manually to a local workstation or laptop from the Cisco Software Central Cisco Catalyst Center , go to the Image Repository and use the feature to upload the file from your local machine. Use Internal Server
: Copy the image to an internal network server and import it into Catalyst Center from that location. Check Registration
: Ensure your Catalyst Center instance is correctly registered and authorized to access Cisco cloud services. Verify Certificates : Check if the and certificate chains are up-to-date under Settings > Trust & Privacy > Trustpool , as expired certificates can block communication. Cisco Community
# Stop the image management service systemctl stop crosswork-image-mgmtExample useful commands (NX-OS / Cisco IOS variants — adapt to your platform)
- show version
- show logging
- show install all / show install logs
- dir bootflash:
- show clock / show ntp status
- copy http://host/image.bin bootflash:
- copy scp://user@host:/path/image.bin bootflash:
- debug http client (platform-specific)
- terminal monitor
Temporary bypass (test only):
export no_proxy="*.cisco.com,software.cisco.com,*.ciscoccservice.com"Root Causes Behind "Invalid Metadata Trans-ID"
Let’s explore why the transaction ID would be deemed invalid. Understanding these causes is the key to resolution.
Restart service
systemctl start crosswork-image-mgmt
Then, re-initiate the metadata sync:
crosswork-cli image catalog sync --force
Using the same trans-id from multiple NCS instances (e.g., in a cluster) can invalidate it. Cisco’s servers treat this as a replay attack.