Device Programmability

Hello,

I am using your Postman RESTCONF collection to do a RESTCONF lab on an EVE-NG VM with the IOS-XE
“Cisco IOS Software [Everest], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.7”
I followed the exact same steps to configure the router and Postman but it is still not working:
I am getting: “Could not get any response” in Postman right away when I click send
SSL certificate is turned off
Postman is running on my host and I can ping the router. Could you please give some hints for troubleshooting… thanks

The logs show this error, but I have no clue how to resolve it:

Error: write EPROTO 6900:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:c:\users\administrator\buildkite-agent\builds\pm-electron\postman\electron-release\vendor\node\deps\openssl\openssl\ssl\record\rec_layer_s3.c:1407:SSL alert number 40

Hany

Hello Hany

There are a few things that you can do to troubleshoot this issue. First of all, does the configuration work with cURL? cURL is a simpler command line tool that can do the same tasks as Postman. If you can get it to work with cURL, then we can confirm that the problem is with Postman. If it doesn’t, then the problem exists in the router configuration.

Also, it might be helpful to take a look at the following post on Github that pertains to the error that you see:

Although not quite clear, it does seem to indicate that it is related to not specifying a client certificate. In the lesson however, client certificates are not used, but credentials (username and password) are used instead. It could be that Postman is configured to use a certain client certificate where it should send a username and password.

So I suggest you first try cURL, and then take a look at the certificate issue. Let us know how you get on…

I hope this has been helpful!

Laz

I have ‘some’ CSR1000v router; I can SSH from Ubuntu, but when I type ssh cisco@ip address -p 830 netconf it shows me ssh: connect to host 172.17.1.2 port 830: Connection refused. Are there any show commands or something to help solve this problem? Wireshark shows the RST flag from the router in the TCP connection.

Hello Jan

The first thing you can do is to check if there are any access lists that are blocking the particular IP address, or port. If not, you can then use syslog to see why the connection was refused. You can temporarily reduce the syslog severity to debug or informational and set the terminal monitor on so you can see the output in the CLI. Then try to log in and see the reason for the refusal.

The RST flag on the TCP packet does give us some clues however. Barring any malicious attacks, there are two primary reasons why you would see an RST flag:

  • The packet is an initial SYN packet trying to establish a connection to a server port on which no process is listening.
  • The packet arrives on a TCP connection that was previously established, but the local application already closed its socket or exited and the OS closed the socket.

The most likely case is that the router is not listening on that port. If that is the case, make sure that netconf is enabled on the router.

I hope this has been helpful!

Laz

I’ve solved the issue by changing the system date to the year 2019; it had something to do with certificates and January 2020. But now I have a problem with the scripts in the topic. When I use netconf-get-running-configuration-filter.py it gives me something like this, with no interface configuration. I’m using Cisco IOS XE Software, Version 16.07.01

netconf.txt (2.3 KB)

Hi Rene, I would like to know, and also to better understand, in which situations it is better to use RESTCONF/gRPC and in which situations it is better to use Ansible, for instance. Thank you in advance.

Hello Jan

Your output shows four interfaces (GE1 through GE4) where GE1 is enabled and GE2 to GE4 are not enabled. There are no IP addresses configured on these interfaces. Are you saying that the actual configuration on the device is different than what is showing up in the XML output? If so, how is it different?

Laz

Hello Armando

It is not a question of whether to use Ansible OR RESTCONF/gRPC. These are not mutually exclusive, and can actually be used together. Take a look at this post, which will give you more information about how to choose which tools for which job:

If you need more specific information, feel free to ask!

I hope this has been helpful!

Laz

I am also getting the same error using port 830, with no ACL in place. I tried with a Nexus and it’s working fine. Anything to check on the CSR?

Hello Balasubramanian

It seems that @kapucaaa has since solved the problem and describes the solution here:

Could it be an issue with your certificates? If not I suggest you use syslog messages as described in my previous posts to understand the exact reason for the error. Since you’re getting it to work on the Nexus device, it is most likely an issue with the config on the CSR. Keep us posted on your progress.

I hope this has been helpful!

Laz

When I enabled netconf-yang, it is using the auto-generated self-signed one. The configuration looks correct and I have verified it against a working one in a VIRL lab.

csr1#show clock
*09:05:14.351 UTC Sat Jul 4 2020
csr1#

!
crypto pki trustpoint TP-self-signed-2461159216
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2461159216
 revocation-check none
 rsakeypair TP-self-signed-2461159216
!
!
crypto pki certificate chain TP-self-signed-2461159216
!

Hello Balasubramanian

Like I mentioned in my previous post to @kapucaaa, try to use syslog to see why the connection was refused. You can temporarily reduce the syslog severity to debug or informational and set the terminal monitor on so you can see the output in the CLI. Then try to log in and see the reason for the refusal.

In addition, you can use Wireshark to inspect the packets being exchanged, and you can see the reason for the refusal so that you can more appropriately continue your troubleshooting. Try it out and if you have any other questions, feel free to share your results with us here.

I hope this has been helpful!

Laz

Hi Rene and staff,
I struggle with this issue too
My CSR1000v is running on VMware Workstation Pro 15.5
The IOS XE version is


The netconf configuration is:

netconf ssh
netconf-yang ssh port 830
aaa new-model
aaa authorization exec default local

There is no connectivity issue: I can SSH to R1 (192.168.89.3) from my Linux Mint (192.168.89.74)
image

When I type ssh -s root@192.168.89.3 netconf it seems that a netconf session is established

When I type ssh -s -p 830 root@192.168.89.3 netconf here is the result
image

I tried to run a basic Python script in my virtual environment
Here is this script and the result

It seems like a netconf session cannot be established! This is why I get “connection refused” when I ssh with -p 830!
I don’t know why, and I wonder why???
I cannot see anything in the debug of R1 (but I don’t want to lie to myself, I would like to be better at troubleshooting these situations!)
I will appreciate your help
Regards

Hi Rene and staff,
While waiting for your help, I’m studying the basics more deeply: Python, GitHub, Linux
Probably you could not reproduce the issue, so will I have to come back to this issue without your help?
Regards

Hello Dominique

Sorry about the late reply, I was conferring with Rene on how to respond. So here’s the deal. Rene was able to replicate your commands and they worked. However, his version is the following:

Cisco IOS XE Software, Version 16.09.01

I suggest the following:

  1. Verify that the router is indeed listening on the port. Now since your first command worked, it looks like you’re OK. On other platforms, the show control-plane host open-ports command will do the trick, but this is not supported on the CSR1000v. To be 100% sure, you can always do a Wireshark to see if the router is responding.
  2. Next check to see if it is an authentication issue. You can debug using debug aaa authentication and debug aaa authorization.
  3. Finally, you can try to debug netconf using debug netconf and debug netconf-yang level debug to take a look at what’s going on there.

Hopefully this will help you in your troubleshooting process…

I hope this has been helpful!

Laz
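As an added example, not code from the thread or from the lesson, here is a small Python probe that turns the two RST cases Laz describes above (no listener on the port) and the first of his three troubleshooting steps (verify the router is listening before moving on to AAA) into something you can run from the management host. It uses only the standard library. The router is a constructed stand-in: a local listener that answers with an SSH banner, plus a deliberately closed port to show the “Connection refused” case. The mapping from result to next step in diagnose() is the thread’s advice, not a Cisco diagnostic.

```python
import socket
import threading

# Constructed banner in the shape a NETCONF-over-SSH server (RFC 6242) sends first.
# A real IOS XE ncsshd banner differs, but it also begins with "SSH-2.0-".
FAKE_SSH_BANNER = b"SSH-2.0-fake-netconf-server\r\n"


def probe_port(host, port, timeout=3.0):
    """Connect to host:port and classify the outcome.

    Returns a dict with "state" in {"open", "refused", "timeout", "error"} and,
    when the connection opened, the first line the server sent ("banner").
    "refused" is what the kernel reports when the peer answers the SYN with
    RST, i.e. nothing is listening on that port (the Wireshark symptom above).
    """
    result = {"host": host, "port": port, "state": "error", "banner": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["state"] = "open"
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""
            first_line = data.split(b"\n", 1)[0].strip()
            result["banner"] = first_line.decode("ascii", "replace")
    except ConnectionRefusedError:
        result["state"] = "refused"
    except socket.timeout:
        result["state"] = "timeout"
    except OSError as exc:
        result["error"] = str(exc)
    return result


def diagnose(result):
    """Map a probe result to the next troubleshooting step suggested in the thread."""
    if result["state"] == "refused":
        return "RST received: no listener on the port; check that netconf-yang is applied and its daemons run"
    if result["state"] == "timeout":
        return "no answer: check reachability, ACLs, or a firewall dropping the port"
    if result["state"] == "open":
        if result["banner"].startswith("SSH-2.0"):
            return "SSH listener answered; next check AAA (debug aaa authentication / authorization)"
        return "port open but no SSH banner; verify which service is bound to this port"
    return "socket error: " + result.get("error", "unknown")


def start_fake_netconf_server():
    """Constructed stand-in for a router listening on 830: accepts one connection
    on 127.0.0.1, sends the SSH banner, and closes. Returns the chosen port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(FAKE_SSH_BANNER)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port():
    """Pick a local port nothing is listening on, to demonstrate the refused case."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    for p in (start_fake_netconf_server(), free_port()):
        r = probe_port("127.0.0.1", p)
        print(p, r["state"], repr(r["banner"]), "->", diagnose(r))
```

Against a real router you would call probe_port("172.17.1.2", 830) instead of the local stand-in; a "refused" result points at the router side (the service is not started), while "timeout" points at the path between the hosts.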

Hi Laz,
I was filling in gaps in Python and Linux, so I gave up on this issue for one month
But it is still not resolved!!
I tried the command below
image
and surprisingly, the daemons are not running??
I suppose some of these daemons should run: which? confd at least?
Why did they not start? Should the yang/netconf configuration start the daemons automatically?
I tried to start confd with server confd but without success
The Cisco docs do not help me at this time
Could you help me?
Regards

Hello @syncope988,

I took another look at my CSR1000v in VIRL. Its processes are running:

R1#show platform software yang-management process
confd            : Running
nesd             : Running
syncfd           : Running
ncsshd           : Running
dmiauthd         : Running
nginx            : Running
ndbmand          : Running
pubd             : Running

In your original configuration example:

Did you also run netconf-yang without any parameters? When I do this, that’s when the certificate is generated:

R1(config)#netconf-yang
CRYPTO_PKI: setting trustpoint policy TP-self-signed-560761829 to use keypair TP-self-signed-560761829% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)

R1(config)#
*Oct 26 12:54:59.501: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named TP-self-signed-560761829 has been generated or imported
*Oct 26 12:54:59.502: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Oct 26 12:54:59.551: %PKI-4-NOCONFIGAUTOSAVE: Configuration was modified.  Issue "write memory" to save new IOS PKI configuration
*Oct 26 12:54:59.551: yang-infra: Trustpoint created: TP-self-signed-560761829
*Oct 26 12:54:59.557: yang-infra: netconf-yang server has been notified to start
*Oct 26 12:54:59.806: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named TP-self-signed-560761829.server has been generated or imported
*Oct 26 12:55:04.377: %ONEP_BASE-6-SS_ENABLED: ONEP: Service set Vty was enabled by Platform
*Oct 26 12:55:04.780: %ONEP_BASE-6-CONNECT: [Element]: ONEP session Application:com.cisco.nesd Host:R1 ID:5461 User:NETCONF has connected.

Rene
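As an added example (not part of Rene’s post), the following Python snippet parses the output of show platform software yang-management process shown above and reports which daemons are down, so the check can sit in a lab automation script rather than be eyeballed. The sample output is constructed, with two daemons deliberately marked Not Running; the daemon roles in ROLE are an assumption based on the names and on the behaviour seen in this thread (ncsshd is the NETCONF SSH listener, nginx fronts RESTCONF over HTTPS), not Cisco documentation.

```python
import re

# Constructed sample in the format of 'show platform software yang-management process'.
# ncsshd and ndbmand are deliberately marked Not Running to exercise the checks.
SAMPLE_OUTPUT = """\
R1#show platform software yang-management process
confd            : Running
nesd             : Running
syncfd           : Running
ncsshd           : Not Running
dmiauthd         : Running
nginx            : Running
ndbmand          : Not Running
pubd             : Running
"""

# Assumed roles (not from Cisco documentation) for the daemons whose absence
# matches a concrete symptom reported in the thread.
ROLE = {
    "confd": "YANG datastore core; nothing else works without it",
    "ncsshd": "NETCONF-over-SSH listener on TCP 830; 'Connection refused' when down",
    "nginx": "HTTPS front end for RESTCONF on TCP 443",
}

LINE_RE = re.compile(r"^(\S+)\s*:\s*(Running|Not Running)\s*$")


def parse_yang_processes(text):
    """Return {daemon_name: True/False} from the show command output.
    Lines that do not match the 'name : state' shape (the prompt) are skipped."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            procs[m.group(1)] = (m.group(2) == "Running")
    return procs


def not_running(text):
    """Sorted names of daemons reported as Not Running."""
    return sorted(name for name, up in parse_yang_processes(text).items() if not up)


def netconf_ready(text):
    """True only when the datastore core and the SSH listener are both up."""
    procs = parse_yang_processes(text)
    return procs.get("confd", False) and procs.get("ncsshd", False)


def explain(text):
    """One short note per stopped daemon. An empty process list is treated
    like Dominique's case: the service has not been started at all."""
    procs = parse_yang_processes(text)
    if not procs:
        return {"(none reported)": "no yang-management processes; apply 'netconf-yang' in config mode"}
    return {name: ROLE.get(name, "yang-management helper process")
            for name in not_running(text)}


if __name__ == "__main__":
    print("ready:", netconf_ready(SAMPLE_OUTPUT))
    for name, note in explain(SAMPLE_OUTPUT).items():
        print(f"{name}: {note}")
```

With the sample above netconf_ready() is False and explain() names ncsshd and ndbmand; with Rene’s all-Running output it returns True and an empty dict.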

Thanks Rene,
that solves the issue
“netconf-yang ssh port 830” is just configuration: this command does not start the confd server on the router
To start the server you have to apply “netconf-yang” on top of the above command
So now it works fine, thanks Rene
Regards

Excellent :ok_hand: Sometimes it’s in the details.

Rene

Hi Rene and staff,

I am studying for the CCNA DevNet, so I take advantage of your lessons (thanks), but also of the Cisco resources like

I test the examples of these video series in my own labs, and here is something I don’t understand about RESTCONF

When you send a PUT to configure a network interface, you have to set

  • the URI
  • the body that holds the configuration you intend to give the device
    (headers, authorization, etc. are not relevant to my question)

First the URI
It is hierarchical: it depends on the model you want to use
Suppose you use the capability of the ietf-interfaces YANG model; the URI could be, for example:

https://{{host82}}:{{port82}}/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet2

OK, so now you have to set the body
Well, the natural way I would write the body is below


I follow the same hierarchy as in the URI
First: module:container (interface with “s”)
Then comes interface {} (interface without “s”)
(I do understand that ietf-ip:ipv4 is an augmentation of if:interfaces/if:interface)
Then the keys with their values: “description”, “enabled”, “address”, …
But sending this body gives a malformed message!

The right body I have to send is

So my question is quite simple:
where does “ietf-interfaces:interface”, with interface without “s”, come from?
This is not hierarchical, as interface without “s” is not a container of the module “ietf-interfaces”

Quite sure you could clarify
Best regards
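As an added example (not from the post, whose two bodies are not reproduced here), the Python below shows where the top-level name in the PUT body comes from. RFC 8040 section 4.5 says the body of a PUT carries the target resource, which is the resource named by the last segment of the URI (here the list entry interface=GigabitEthernet2, not its parent container interfaces), and RFC 7951 section 4 requires the top-level name in a JSON body to be module-qualified, hence "ietf-interfaces:interface". The same section also requires the key leaf in the body to match the key in the URI. The interface values are constructed, the {{host82}}/{{port82}} placeholders are the ones from the post, and the array form for the list entry follows the RFC 8040 examples.

```python
import json

# Constructed lab values; {{host82}} and {{port82}} are the Postman-style
# placeholders used in the post.
URI = ("https://{{host82}}:{{port82}}/restconf/data/"
       "ietf-interfaces:interfaces/interface=GigabitEthernet2")


def split_data_path(uri):
    """Path segments after /restconf/data/."""
    return uri.split("/restconf/data/", 1)[1].split("/")


def target_resource_key(uri):
    """Module-qualified name of the target resource, i.e. the last URI segment.

    The module prefix is inherited from the nearest earlier segment that has
    one, because RFC 7951 only qualifies a name when the module changes; at
    the top level of a body the name must always be qualified.
    """
    segments = split_data_path(uri)
    module = None
    for seg in segments:
        name = seg.split("=", 1)[0]
        if ":" in name:
            module = name.split(":", 1)[0]
    last = segments[-1].split("=", 1)[0]
    return last if ":" in last else f"{module}:{last}"


def target_key_value(uri):
    """Key value encoded in the last segment ('GigabitEthernet2' here), if any."""
    last = split_data_path(uri)[-1]
    return last.split("=", 1)[1] if "=" in last else None


def build_put_body(uri, entry):
    """Wrap one list entry in the envelope a PUT on that URI expects."""
    return {target_resource_key(uri): [entry]}


def body_matches_uri(uri, body, key_leaf="name"):
    """Pre-flight check mirroring what the server enforces: exactly one
    top-level name equal to the target resource, and the entry's key leaf
    equal to the key value in the URI (RFC 8040 section 4.5)."""
    if len(body) != 1:
        return False
    (top, value), = body.items()
    if top != target_resource_key(uri):
        return False
    entries = value if isinstance(value, list) else [value]
    expected = target_key_value(uri)
    return all(isinstance(e, dict) and e.get(key_leaf) == expected for e in entries)


# Constructed interface settings for the example (not the post's omitted body).
GE2 = {
    "name": "GigabitEthernet2",
    "description": "lab uplink",
    "type": "iana-if-type:ethernetCsmacd",
    "enabled": True,
    "ietf-ip:ipv4": {"address": [{"ip": "10.0.0.2", "netmask": "255.255.255.0"}]},
}

RIGHT_BODY = build_put_body(URI, GE2)

# The "natural" nesting from the post: module:container first, then the list.
# The top-level name is the parent, not the target resource, so the server
# rejects it as malformed.
WRONG_BODY = {"ietf-interfaces:interfaces": {"interface": [GE2]}}


if __name__ == "__main__":
    print(json.dumps(RIGHT_BODY, indent=2))
    print("right body matches URI:", body_matches_uri(URI, RIGHT_BODY))
    print("wrong body matches URI:", body_matches_uri(URI, WRONG_BODY))
```

The nested body is the right shape for a different request: a PUT (or PATCH) whose URI ends at ietf-interfaces:interfaces, where the container itself is the target resource. The body always starts at the resource the URI points to, so the URI and the body together express the hierarchy, rather than the body repeating the path.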