# Device Programmability

Hi,

What are NETCONF, YANG and .yml files? Are there any tutorial references for understanding these terms and their uses?

Hello Sameer

Here are some lessons that cover these topics:

As for .yml files, these are script files written in the YAML language. This language is commonly used for configuration files and in applications where data is being stored or transmitted. It can be used for many of the same communications applications as XML, but is more human-readable, and thus more user friendly. YAML is most often used with Ansible, a network orchestration tool. You can find out more about YAML and Ansible at the following lesson:

I hope this has been helpful!

Laz

1 Like

Thanks Laz, I will go through it and will get back if there are any doubts.

1 Like

Hello Kristina

I took a look at this behaviour with Rene, and it seems that this is a bug or an error in the IOS. Specifically, we tried to configure OSPF and then to remove OSPF configuration using the DELETE HTTP command, and the configuration was removed successfully.

Configuring RIP was also successful, but when it came down to deleting the configuration, it would not be removed, so we got the same results as you.

Looking further into the problem, we found the following error messages generated on the CLI of the router:

```
*Mar 17 10:08:32.988: %DMI-5-AUTH_PASSED: R0/0: dmiauthd: User 'cisco' authenticated successfully from 10.82.100.188:0 and was authorized for rest over http. External groups: PRIV15
*Mar 17 10:08:33.265: %DMI-3-CLI_GEN_FAIL: R0/0: nesd: Failed to generate CLI change set internal error (18): internal error.
*Mar 17 10:08:33.267: %DMI-5-CONFIG_I: R0/0: nesd: Configured from NETCONF/RESTCONF by cisco, transaction-id 365
```

Notice the error marked DMI-3-CLI_GEN_FAIL. It states “Failed to generate CLI change set internal error (18): internal error.” I was unable to find information about such an error online, but it seems to indicate that there is an error as far as the IOS is concerned.

Specifically, we were using the following IOS version:

Note that the “Status: 204 No Content” is not actually a problem, as many commands don’t actually result in a response that contains content. 204 states that the command was sent successfully, but the device doesn’t necessarily send a response back, and in many cases this is normal behaviour. You need to go into the device to verify your changes.

I hope this has been helpful!

Laz
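The three DMI messages quoted above also form an audit trail: who authenticated, from where, with which privilege group, and whether the resulting transaction logged an error. As an added example (not code from the thread or the lesson), this Python sketch correlates them; the rule that an error logged before a `CONFIG_I` line belongs to that transaction is an assumption of the example.

```python
import re

# The three syslog lines quoted in the post above, verbatim.
SAMPLE = """\
*Mar 17 10:08:32.988: %DMI-5-AUTH_PASSED: R0/0: dmiauthd: User 'cisco' authenticated successfully from 10.82.100.188:0 and was authorized for rest over http. External groups: PRIV15
*Mar 17 10:08:33.265: %DMI-3-CLI_GEN_FAIL: R0/0: nesd: Failed to generate CLI change set internal error (18): internal error.
*Mar 17 10:08:33.267: %DMI-5-CONFIG_I: R0/0: nesd: Configured from NETCONF/RESTCONF by cisco, transaction-id 365
"""

LINE = re.compile(r"^\*?(?P<ts>\w{3}\s+\d+ [\d:.]+): %DMI-(?P<sev>\d)-(?P<name>\w+): (?P<text>.*)$")
AUTH = re.compile(r"User '(?P<user>[^']+)' authenticated successfully from "
                  r"(?P<source_ip>[\d.]+):\d+ and was authorized for (?P<via>.+?)\. "
                  r"External groups: (?P<groups>.*)")
CONFIG = re.compile(r"Configured from NETCONF/RESTCONF by (?P<user>[^,\s]+), "
                    r"transaction-id (?P<txid>\d+)")


def correlate(log_text):
    """Build one audit record per NETCONF/RESTCONF config transaction.

    Heuristic (an assumption of this example): an error-level DMI message
    logged since the previous CONFIG_I line belongs to the next transaction.
    """
    last_auth, errors, records = {}, [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        if m["name"] == "AUTH_PASSED":
            a = AUTH.search(m["text"])
            if a:
                last_auth[a["user"]] = a.groupdict()
        elif m["name"] == "CONFIG_I":
            c = CONFIG.search(m["text"])
            if c:
                auth = last_auth.get(c["user"], {})
                records.append({
                    "txid": c["txid"], "user": c["user"], "time": m["ts"],
                    "source_ip": auth.get("source_ip"), "via": auth.get("via"),
                    "groups": auth.get("groups"), "errors": errors,
                    "clean": not errors,
                })
                errors = []
        elif int(m["sev"]) <= 3:  # syslog severity 3 (error) or worse
            errors.append(f"{m['name']}: {m['text']}")
    return records


if __name__ == "__main__":
    for rec in correlate(SAMPLE):
        print(rec)
```

A record with `clean` set to false marks a transaction that the device logged as configured even though an error preceded it, which is the case to verify on the device.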

Hi,

Just one question on which I can’t find any answers online.

What is “arpgmp”, and why are you using “arpgmp” and not “ARP”?

I can’t understand what this “gmp” is.

Thanks

Hi all

I would like some information, please: how can I learn and implement the RESTCONF language?
I want to know how I can practise with the RESTCONF language
and which are the steps to implement it?

thanks

Hello Ugo

You can find out more about RESTCONF at the following lesson:

Included in this lesson, you will find some examples of the implementation of RESTCONF and how it works as well as some implementations that you can try as well. Some additional resources you may find useful include:

I hope this has been helpful!

Laz

Thanks very much, I will look.

1 Like

Hello,

I am using your Postman RESTCONF collection to do a RESTCONF lab on an EVE-NG VM with the IOS-XE
“Cisco IOS Software [Everest], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.7”
I followed the exact same steps to configure the router and Postman but it is still not working:
I am getting: “Could not get any response” in Postman right away when I click send
SSL certificate is turned off
Postman is running on my host and I can ping the router. Could you please give some hints for troubleshooting… Thanks

Logs show this error but I have no clue how to resolve it:

Error: write EPROTO 6900:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:c:\users\administrator\buildkite-agent\builds\pm-electron\postman\electron-release\vendor\node\deps\openssl\openssl\ssl\record\rec_layer_s3.c:1407:SSL alert number 40

Hany

Hello Hany

There are a few things that you can do to troubleshoot this issue. First of all, does the configuration work with cURL? cURL is a simpler command line tool that can do the same tasks as Postman. If you can get it to work with cURL, then we can confirm that the problem is with Postman. If it doesn’t, then the problem exists in the router configuration.

Also, it might be helpful to take a look at the following post on Github that pertains to the error that you see:

Although not quite clear, it does seem to indicate that it is related to not specifying a client certificate. In the lesson however, client certificates are not used, but credentials (username and password) are used instead. It could be that Postman is configured to use a certain client certificate where it should send a username and password.

So I suggest you first try cURL, and then take a look at the certificate issue. Let us know how you get on…

I hope this has been helpful!

Laz

I have ‘some’ CSR1000v router. I can ssh from Ubuntu, but when I type ssh cisco@ip address -p 830 netconf it shows me ssh: connect to host 172.17.1.2 port 830: Connection refused. Are there any show commands or something to help solve this problem? Wireshark shows the RST flag from the router in the TCP connection.

Hello Jan

The first thing you can do is to check if there are any access lists that are blocking the particular IP address, or port. If not, you can then use syslog to see why the connection was refused. You can temporarily reduce the syslog severity to debug or informational and set the terminal monitor on so you can see the output in the CLI. Then try to log in and see the reason for the refusal.

The RST flag on the TCP packet does give us some clues however. Barring any malicious attacks, there are two primary reasons why you would see an RST flag:

• The packet is an initial SYN packet trying to establish a connection to a server port on which no process is listening.
• The packet arrives on a TCP connection that was previously established, but the local application already closed its socket or exited and the OS closed the socket.

The most likely case is that the router is not listening on that port. If that is the case, make sure that netconf is enabled on the router.

I hope this has been helpful!

Laz
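Laz's first RST case, nothing listening on the port, can be told apart from a silent drop or a working listener with a single connection attempt. As an added example (not code from the thread or the lesson), this Python probe classifies the outcome; the state names, hint strings and the choice to probe ports 22 and 830 are this example's own.

```python
import socket
import sys

HINTS = {
    "open-ssh": "an SSH server answered; NETCONF over SSH can be attempted",
    "open": "something accepted the connection but sent no SSH banner",
    "refused": "RST in reply to SYN: nothing is listening on this port",
    "filtered": "no reply before timeout: packets are dropped on the path",
    "unreachable": "no route or host/network unreachable",
}


def probe(host, port, timeout=3.0):
    """Attempt one TCP connection and classify the outcome as (state, hint)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        try:
            # An SSH server sends its identification string first (RFC 4253).
            banner = sock.recv(64)
        except OSError:  # timeout or reset while waiting for the banner
            banner = b""
        state = "open-ssh" if banner.startswith(b"SSH-") else "open"
    except ConnectionRefusedError:
        state = "refused"
    except socket.timeout:
        state = "filtered"
    except OSError:
        state = "unreachable"
    finally:
        sock.close()
    return state, HINTS[state]


if __name__ == "__main__":
    # Usage: python probe.py <router-ip>   (probes SSH on 22 and NETCONF on 830)
    for port in (22, 830):
        state, hint = probe(sys.argv[1], port)
        print(f"{sys.argv[1]}:{port} {state} - {hint}")
```

A result of `open-ssh` on 22 but `refused` on 830 matches the situation described in the question and points at the NETCONF service rather than at reachability.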

I’ve solved the issue by changing the system date to year 2019; it had something to do with certificates and with January 2020. But now I have a problem with the scripts in the topic. When I use netconf-get-running-configuration-filter.py it gives me something like this, no interface configuration. I’m using Cisco IOS XE Software, Version 16.07.01

netconf.txt (2.3 KB)

Hi Rene, I would like to know and also to better understand in which situations it is better to use RESTCONF/gRPC and in which situations it is better to use Ansible, for instance. Thank you beforehand.

Hello Jan

Your output shows four interfaces (GE1 through GE4) where GE1 is enabled and GE2 to GE4 are not enabled. There are no IP addresses configured on these interfaces. Are you saying that the actual configuration on the device is different than what is showing up in the XML output? If so, how is it different?

Laz

Hello Armando

It is not a question of whether to use Ansible OR RESTCONF/gRPC. These are not mutually exclusive, and can actually be used together. Take a look at this post, which will give you more information about how to choose what tools for what job:

If you need more specific information, feel free to ask!

I hope this has been helpful!

Laz

I am also getting the same error using port 830, with no ACL in place. I tried with Nexus and it’s working fine. Anything to check on the CSR?

Hello Balasubramanian

It seems that @kapucaaa has since solved the problem and describes the solution here:

Could it be an issue with your certificates? If not I suggest you use syslog messages as described in my previous posts to understand the exact reason for the error. Since you’re getting it to work on the Nexus device, it is most likely an issue with the config on the CSR. Keep us posted on your progress.

I hope this has been helpful!

Laz

When I enabled “netconf-yang”, it is using the auto self-signed one. The configuration looks correct and I have verified it using a working one in the VIRL lab.

```
csr1#show clock
*09:05:14.351 UTC Sat Jul 4 2020
csr1#

!
crypto pki trustpoint TP-self-signed-2461159216
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2461159216
 revocation-check none
 rsakeypair TP-self-signed-2461159216
!
!
crypto pki certificate chain TP-self-signed-2461159216
!
```

Hello Balasubramanian

Like I mentioned in my previous post to @kapucaaa, try to use syslog to see why the connection was refused. You can temporarily reduce the syslog severity to debug or informational and set the terminal monitor on so you can see the output in the CLI. Then try to log in and see the reason for the refusal.

In addition, you can use Wireshark to inspect the packets being exchanged, and you can see the reason for the refusal so that you can more appropriately continue your troubleshooting. Try it out and if you have any other questions, feel free to share your results with us here.

I hope this has been helpful!

Laz