Device Programmability

Hello Kristina

I took a look at this behaviour with Rene, and it seems that this is a bug or an error in the IOS. Specifically, we tried to configure OSPF and then to remove OSPF configuration using the DELETE HTTP command, and the configuration was removed successfully.

Configuring RIP was also successful, but when it came down to deleting the configuration, it would not be removed, so we go the same results as you.

Looking further into the problem, we found the following error messages generated on the CLI of the router:

*Mar 17 10:08:32.988: %DMI-5-AUTH_PASSED: R0/0: dmiauthd: User 'cisco' authenticated successfully from 10.82.100.188:0 and was authorized for rest over http. External groups: PRIV15
*Mar 17 10:08:33.265: %DMI-3-CLI_GEN_FAIL: R0/0: nesd: Failed to generate CLI change set internal error (18): internal error.
*Mar 17 10:08:33.267: %DMI-5-CONFIG_I: R0/0: nesd: Configured from NETCONF/RESTCONF by cisco, transaction-id 365

Notice the error marked DMI-3-CLI_GEN_FAIL. It states “Failed to generate CLI change set internal error (18): internal error.” I was unable to find information about such an error online, but it seems to indicate that there is an error as far as the IOS is concerned.

Specifically, we were using the following IOS version:

Note that the “Status: 204 No Content” is not actually a problem, as many commands don’t actually result in a response that contains content. 204 states that the command was sent successfully, but the device doesn’t necessarily send a response back, and in many cases this is normal behaviour. You need to go into the device to verify your changes.

I hope this has been helpful!

Laz

Hi,

just one question on which I can’t find any answers on line.

What is “arpgmp”, why you are using “arpgmp” and not “ARP”?

I can’t understand what this “gmp” is.

Thanks

Hi all

I want information please how i can learn and implement restconf language ?
i want know how i can make practise with restconf language
and wich are the step to implement its?

thanks

Hello Ugo

You can find out more about RESTCONF at the following lesson:

Included in this lesson, you will find some examples of the implementation of RESTCONF and how it works as well as some implementations that you can try as well. Some additional resources you may find useful include:

I hope this has been helpful!

Laz

very very thanks i will look

1 Like

Hello,

I ma using your postman restconf collection to do a restconf lab on EVE-NG VM with the IOS-XE
“Cisco IOS Software [Everest], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.7”
I followed the exact same steps to configure the router and Postman but still not working:
I am getting: “Could not get any response” in Postman right away when I click send
SSL certificate is turned off
Postman is running on my host and I can ping the router. could you please give some hints for troubleshooting…thanks

logs show this error but no clue how to resolve it:

Error: write EPROTO 6900:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:c:\users\administrator\buildkite-agent\builds\pm-electron\postman\electron-release\vendor\node\deps\openssl\openssl\ssl\record\rec_layer_s3.c:1407:SSL alert number 40

Hany

Hello Hany

There are a few things that you can do to troubleshoot this issue. First of all, does the configuration work with cURL? cURL is a simpler command line tool that can do the same tasks as postman. If you can get it to work with cURL, then we can then confirm that the problem is with Postman. If it doesn’t then the problem exists in the router configuration.

Also, it might be helpful to take a look at the following post on Github that pertains to the error that you see:

Although not quite clear, it does seem to indicate that it is related to not specifying a client certificate. In the lesson however, client certificates are not used, but credentials (username and password) are used instead. It could be that Postman is configured to use a certain client certificate where it should send a username and password.

So I suggest you first try cURL, and then take a look at the certificate issue. Let us know how you get on…

I hope this has been helpful!

Laz

I have ‘some’ CSR1000v router, i can ssh from ubuntu, but when i type ssh cisco@ip address -p 830 netconf it shows me ssh: connect to host 172.17.1.2 port 830: Connection refused. Are there any show commands or something to help solve this problem? wireshark shows RST flag from router in TCP connection.

Hello Jan

The first thing you can do is to check if there are any access lists that are blocking the particular IP address, or port. If not, you can then use syslog to see why the connection was refused. You can temporarily reduce the syslog severity to debug or informational and set the terminal monitor on so you can see the output in the CLI. Then try to log in and see the reason for the refusal.

The RST flag on the TCP packet does give us some clues however. Barring any malicious attacks, there are two primary reasons why you would see an RST flag:

  • The packet is an initial SYN packet trying to establish a connection to a server port on which no process is listening.
  • The packet arrives on a TCP connection that was previously established, but the local application already closed its socket or exited and the OS closed the socket.

The most likely case is that the router is not listening on that port. If that is the case, make sure that netconf is enabled on the router.

I hope this has been helpful!

Laz

I’ve solved the issue by changing system date to year 2019, it had something to do with certificates and with january 2020. But now I have a problem with scripts in the topic. When I use netconf-get-running-configuration-filter.py it gives me something like this, no interface configuration, I’m using Cisco IOS XE Software, Version 16.07.01netconf.txt (2.3 KB)

Hi Rene, I would like to know and also to better understand, in which situations is better to use RESTCONF/gRPC and in which situations is better to use Ansible for instance, thank you, beforehand.

Hello Jan

Your output shows four interfaces (GE1 through GE4) where GE1 is enabled and GE2 to GE4 are not enabled. There are no IP addresses configured on these interfaces. Are you saying that the actual configuration on the device is different than what is showing up in the XML output? If so, how is it different?

Laz

Hello Armando

It is not a question of whether to use Ansible OR RESTCONF/gRPC. These are not mutually exclusive, and can actually be used together. Take a look at this post which will give you more informaiton about how to choose what tools for what job:


If you need more specific information, feel free to ask!

I hope this has been helpful!

Laz

I am also getting the same error using port 830, no ACL in place. I tried with Nexus and its working fine . Anything to check on CSR

Hello Balasubramaian

It seems that @kapucaaa has since solved the problem and describes the solution here:


Could it be an issue with your certificates? If not I suggest you use syslog messages as described in my previous posts to understand the exact reason for the error. Since you’re getting it to work on the Nexus device, it is most likely an issue with the config on the CSR. Keep us posted on your progress.

I hope this has been helpful!

Laz

when I enabled netconf-yang, it is using auto self-signed one. The configuration looks correct and I have verified using working one in VIRL lab.

csr1#show clock
*09:05:14.351 UTC Sat Jul 4 2020
csr1#

!
crypto pki trustpoint TP-self-signed-2461159216
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2461159216
 revocation-check none
 rsakeypair TP-self-signed-2461159216
!
!
crypto pki certificate chain TP-self-signed-2461159216
!

Hello Balasubramanian

Like I mentioned in my previous post to @kapucaaa, try to use syslog to see why the connection was refused. You can temporarily reduce the syslog severity to debug or informational and set the terminal monitor on so you can see the output in the CLI. Then try to log in and see the reason for the refusal.

In addition, you can use Wireshark to inspect the packets being exchanged, and you can see the reason for the refusal so that you can more appropriately continue your troubleshooting. Try it out and if you have any other questions, feel free to share your results with us here.

I hope this has been helpful!

Laz

Hi Rene and staff,
i struggle with this issue too
My CSR1000v is running on vmware workstation pro 15.5
ios xe version is


The netconf configuration is:

netconf ssh
netconf-yang ssh port 830
aaa new-model
aaa authorization exec default local

There is no connectivity issue: i can ssh R1 (192.168.89.3) from my linux mint (192.168.89.74)
image

When i type ssh -s root@192.168.89.3 netconf it seems that a netconf session is established

When i type ssh -s -p 830 root@192.168.89.3 netconf here is the result
image

I tried to run a basic python script in my virtual environment
Here is this script and the result

It seems like a netconf session cannot been established ! this is why i get “connection refused” when i ssh with -p 830 !
i dont know why and i wonder why ???
I cannot see anything in the debug of R1 (but i dont want to lie to myself, i will like to be better in troubleshooting these situations !)
I will appreciate your help
Regards

Hi Rene and staff,
waiting for your help, i’am studying basics more deeply: python, github, linux
Probably you could not reproduce the issue, so will i have to come back to this issue without your help ?
Regards

Hello Dominique

Sorry about the late reply, I was conferring with Rene on how to respond. So here’s the deal. Rene was able to replicate your commands and they worked. However, his version is the following:

Cisco IOS XE Software, Version 16.09.01

I suggest the following:

  1. Verify that the router is indeed listening on the port. Now since your first command worked, it looks like you’re OK. On other platforms, the show control-plane host open-ports command will do the trick, but this is not supported on the CSR1000v. To be 100% sure, you can always do a Wireshark to see if the router is responding.
  2. Next check to see if it is an authentication issue. You can debug using debug aaa authentication and debug aaa authorization.
  3. Finally, you can try to debug netconf using debug netconf and debug netconf-yang level debug to take a look at what’s going on there.

Hopefully this will help you in your troubleshooting process…

I hope this has been helpful!

Laz