cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1717
Views
0
Helpful
2
Replies
ww9rivers
Beginner

[RESOLVED] Yet another 401 Error from Prime REST API

Hi, all,

I have a similar issue with Prime 2.2.3's REST API like these two cases:

https://communities.cisco.com/thread/63660

https://communities.cisco.com/thread/61982

However, the 401 (Not authorized) only occurs when I run my Python script, which uses Python's request module. My debug log shows the API it tried to access is:

https://<prime-server>/webacs/api/v1/data/Devices.json, params={'.full': 'true'}, verify=False

When I test the REST API point using Firefox's RESTClient, it worked fine:

Request:

URL: https://<prime-server>/webacs/api/v1/data/Devices.json?.full=true

Response headers:

  1. Status Code: 200 OK
  2. Cache-Control: private
  3. Content-Range: instances 0-99/1428
  4. Content-Type: application/json
  5. Date: Tue, 23 Feb 2016 18:43:23 GMT
  6. Expires: Wed, 31 Dec 1969 19:00:00 EST
  7. Server: Apache-Coyote/1.1
  8. Transfer-Encoding: chunked
  9. X-NBI-TIME: 89

My Python script has been run as a daily cron job, collecting information from two Prime servers. The script has worked fine on both Prime servers until 2/19, when one of the two server started to respond with 401.

Thanks in advance for any insights.

[Update] -- It seems that I cannot reply to this post in any way, so I'll try updating it.

It turned out that I had two issues: a 401 error, which was resolved by restarting the Prime service.

Then, there was a 503 error after 5 requests / responses, which led me back to look at post 63660 again: I thought my code was not sending "Connection: keep-alive", but a little more debugg log from Python's HTTP mode revealed that something did that on my behalf.

So I added a line in my code to explicitly send the "Connection: close" header as post 63660 suggested: That did the trick for me.

As for Prime itself: My networking guys told me that no change had been made. I suspect that some OS patching on the box may have changed the underlying Python library to add in that "Connection: keep-alive" header.

Message was edited by: ww9rivers

2 REPLIES 2
smp
Enthusiast
Enthusiast

That URL looks bad to me.

https://<prime-server>/webacs/api/v1/data/Devices.json, params={'.full': 'true'}, verify=False

Shouldn't the "verify=False" be part of the definition of the REST URL inside your Python script to prevent verifying the SSL certificate, and not part of the actual GET request? I would also look at the definition of the URL in your Python script to get rid of those braces - Prime might be enabling an attack-protection routine. And even if the braces weren't there, I'm not sure the parameter format is valid for a URL.

I think Prime should see the URL that it receives should be formatted like this:

/https://<prime-server>/webacs/api/v1/data/Devices.json?.full=true

Spencer Zier
Cisco Employee

Were no changes made to either the script or Prime?  If not, then please check to ensure your script is not using persistent connections.  If you're using non-local AAA (like TACACS), try increasing the retry count and timeout that you have configured in Prime.

Create
Recognize Your Peers
Content for Community-Ad