CiscoDevNet / yangsuite

Cisco YANG Suite provides a set of tools and plugins to learn, test, and adopt YANG programmable interfaces such as NETCONF, RESTCONF, gNMI and more.

Error connecting to switch #41

Closed it0it0 closed 2 years ago

it0it0 commented 2 years ago

I have configured netconf on a 9300 with IOS 16.12.05b and configured yang using the default SSH port.

switch#sh run | in netconf
netconf detailed-error
netconf ssh
netconf-yang

When testing connectivity with the device I receive the following error

Connectivity check results:
ping (ok)
NETCONF Error in executing NETCONF get-config: {'type': 'rpc', 'tag': 'missing-element', 'app_tag': None, 'severity': 'error', 'info': '<?xml version="1.0" encoding="UTF-8"?>filter', 'path': None, 'message': None}
SSH (ok)

I tested it on a 4507, 2960x switch as well on ios 15.x with the same result.

I have confirmed that netconf is working, see the following anonymised output when yangsuite connects.

switch# debug netconf all
All NETCONF debug flags are on

switch#debug netconf-yang
switch#term mon

The other thing that stands out to me is that only a few yang models are supported; examples always show a large set of yang models.

jeremycohoe commented 2 years ago

Hi @it0it0 - you only need the netconf-yang CLI and not the netconf CLIs, as that is the "legacy" non-YANG service that is enabled on the Catalyst 9300 16.x.

It won't work with the Cat4k or 2k's as those don't support these APIs, but from the Catalyst 9300 you should see it working.

it0it0 commented 2 years ago

Thanks @jeremycohoe

Removed the legacy netconf commands and now only have the following netconf-yang

But now I get authentication errors. I log on using tacacs with priv 15 set. This works for SSH, but no longer for netconf-yang on port 830. Any suggestions?

Feb 2 15:44:22: %DMI-5-AUTHENTICATION_FAILED: Switch 1 R0/0: dmiauthd: Authentication failure from x.x.x.x:46580 for netconf over ssh.
Feb 2 15:44:24: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: x] [Source: x.x.x.x] [localport: 22] at 15:44:24 CST Wed Feb 2 2022

jeremycohoe commented 2 years ago

Hi, I linked to the config guide and the CLIs needed. Tacacs is supported, and the example for local is below, where both authentication and authorization are set.

SUMMARY STEPS
enable
configure terminal
username name privilege level password password
aaa new-model
aaa authentication login default local
aaa authorization exec default local
end

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/177/b_177_programmability_cg/m_177_prog_yang_netconf.html

it0it0 commented 2 years ago

My tacacs config was not using the default keyword; it turned out the keyword default is key for netconf to use tacacs.

Thanks for all the help, it works now!
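
The two causes found in this thread (legacy `netconf` CLI left enabled, and TACACS configured only on a named AAA method list instead of `default`) can be checked in a saved running-config before testing port 830. The script below is an added example, not code from the thread, from YANG Suite or from Cisco; the function name, the list names `VTY_AUTH`/`VTY_AUTHZ` and both config excerpts are constructed for illustration.

```python
import re

# Constructed running-config excerpts (not taken from the thread).
NAMED_LIST_CONFIG = """\
aaa new-model
aaa authentication login VTY_AUTH group tacacs+ local
aaa authorization exec VTY_AUTHZ group tacacs+ local
netconf ssh
netconf-yang
line vty 0 4
 login authentication VTY_AUTH
"""

DEFAULT_LIST_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
netconf-yang
"""


def audit_netconf_yang_aaa(running_config):
    """Return a list of findings for the problems raised in this thread."""
    lines = [ln.strip() for ln in running_config.splitlines() if ln.strip()]
    findings = []

    if "netconf-yang" not in lines:
        findings.append("netconf-yang is not enabled")

    # "netconf ..." (with a space) is the legacy service; "netconf-yang" is not.
    legacy = [ln for ln in lines if ln.startswith("netconf ")]
    if legacy:
        findings.append("legacy netconf CLI present: " + ", ".join(legacy))

    if "aaa new-model" not in lines:
        findings.append("aaa new-model is missing")

    # The thread's fix: both method lists must exist under the name "default".
    for kind in ("authentication login", "authorization exec"):
        names = re.findall(rf"^\s*aaa {kind} (\S+)", running_config, re.M)
        if "default" not in names:
            detail = f"only named lists {names}" if names else "no method list"
            findings.append(f"aaa {kind}: {detail}, no 'default' list")

    return findings
```

An empty result means none of the thread's two causes is present; it does not prove the TACACS server itself authorizes the user.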