
REST API sometimes returns 401 Unauthorized

ed_rs
Beginner

We have Cisco Prime 3.0.  When my Java client code is making the following REST API calls it sometimes returns 401 from the http request.

Requesting Device data:

/webacs/api/v1/data/Devices?productFamily=notStartsWith%28%22Third+Party%22%29&.full=true&softwareType=%22ASA%22&.maxResults=1000&.firstResult=0

Requesting the unsanitized device config:

/webacs/api/v1/op/configArchiveService/extractUnsanitizedFile?fileId=223224

I have added the "Connection:close" to the HTTP request header as mentioned in the FAQ, but I am still getting the 401 error code.

https://developer.cisco.com/media/prime-infrastructure-api-reference-v3-0/192.168.115.187/webacs/api/v1/index4fcb.html?id=faq#persistent-connections

Is there another setting I can change?  I also have the following in my nbi.properties file on the Cisco Prime server:

nbi.rateLimit.totalRequestThreshold=20

nbi.rateLimit.perUserThreshold=-1

nbi.rateLimit.maxConcurrentQueries=20

nbi.rateLimit.maxAllUserConcurrentQueries=45

nbi.rateLimit.limitPageSize=1000

Thanks,

Eddy

5 Replies

Spencer Zier
Cisco Employee

So, there are three general reasons for 401 errors.

  1. The credentials are invalid.  This is probably not what you're running into, but I wanted to include it for the sake of completeness.
  2. The concurrent session limit is reached.  If you make five requests with persistent connections in a short period of time, the sixth and subsequent requests will yield 401 errors.  In Prime Infrastructure 3.1 and 3.2, we changed the way the session manager handles persistent connections for API requests; however, this limit can still be hit when more than five sessions are active at once for a given user.
  3. The external/third-party AAA server (i.e. TACACS) is not responding quickly enough.  As is noted in the FAQ page in 3.1+, increasing the timeout and retry count configured in Prime Infrastructure for the AAA provider will help.  I also spent some time optimizing the interfacing between Prime Infrastructure and TACACS to reduce these errors in 3.1, but a slow or unresponsive TACACS server will still cause us to throw back 401 responses.
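
The second cause above, as an added example (not from the original thread and not Cisco's code): a Java client caps its own in-flight requests at the five-session limit so it never opens a sixth. The class name `NbiSessionGate`, the `fakeServer` stand-in and the retry-with-backoff on 401 are assumptions of this example; a real client would pass a request that sends the GET with `Connection: close` and returns the HTTP status.

```java
import java.util.*;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.IntSupplier;

public class NbiSessionGate {
    static final int SESSION_LIMIT = 5; // per-user limit quoted in the reply above
    private final Semaphore slots;

    NbiSessionGate(int maxInFlight) { slots = new Semaphore(maxInFlight, true); }

    // request: performs one API call and returns its HTTP status code.
    // Retrying a 401 with backoff is an assumption of this example.
    int call(IntSupplier request, int maxAttempts) throws InterruptedException {
        int status = 0;
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            slots.acquire();                      // wait for a free session slot
            try { status = request.getAsInt(); }
            finally { slots.release(); }          // free the slot even on failure
            if (status != 401 || attempt == maxAttempts) return status;
            Thread.sleep(50L * attempt);          // linear backoff before retrying
        }
        return status;
    }

    // Constructed stand-in for the server: 401 when more than SESSION_LIMIT calls overlap.
    static final AtomicInteger active = new AtomicInteger();
    static int fakeServer() {
        int now = active.incrementAndGet();
        try {
            Thread.sleep(20);                     // simulated processing time
            return now > SESSION_LIMIT ? 401 : 200;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return 503;
        } finally { active.decrementAndGet(); }
    }

    // Fires `requests` calls at once through a gate of the given width; counts 401s.
    static long count401(int maxInFlight, int requests) throws Exception {
        NbiSessionGate gate = new NbiSessionGate(maxInFlight);
        ExecutorService pool = Executors.newFixedThreadPool(requests);
        Callable<Integer> task = () -> gate.call(NbiSessionGate::fakeServer, 1);
        List<Future<Integer>> results = pool.invokeAll(Collections.nCopies(requests, task));
        pool.shutdown();
        long denied = 0;
        for (Future<Integer> f : results) if (f.get() == 401) denied++;
        return denied;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("gate of 20 (no effective cap), 401s: " + count401(20, 20));
        System.out.println("gate of " + SESSION_LIMIT + ", 401s: " + count401(SESSION_LIMIT, 20));
    }
}
```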

Hi Spencer,

Regarding the concurrent session limit being reached: is it possible to increase the limit of 5 active sessions at once for a given user in Cisco 3.0 and 3.1?

I am doing a netstat -an | grep <java client ip address> on the Cisco Prime server to see all the TCP connection states for my Java client making HTTP REST API calls to the Cisco Prime server.  Is this a good way to determine how many concurrent sessions for a user are being used between my Java client and Cisco Prime?  In my tests with my Java client I am using the same user.

When making an HTTP REST API call in my Java client, is a new session created each time since I have to pass the username and password in the header of the HTTP GET request each time?  Or is the new session only created when adding the connection:close to the HTTP header?  If the connection:close is not issued then I would have to wait for the server to time out the connection, which could result in a large number of open sessions?  I am also using the HttpClient class to make my HTTP GET requests in my Java client.  Is my understanding correct?

I am not clear on the definition of a session.  Are sessions and the TCP connections viewed in the netstat -an command considered the same?

Thanks for all your help!!