cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
215
Views
0
Helpful
2
Replies

Cisco DNA unable to communicate with Nexus 9000 switch using NETCONF

DCampus
Level 1
Level 1

I am having an issue with adding a Cisco Nexus 9000 switch to the inventory in Cisco DNA Center.
I have enabled NETCONF on the switch using the "feature netconf" command.
I have also added the DNA Center IP address to the IP ACL associated with the SNMP user I created.

While DNA Center can communicate with the switch via CLI and SNMP (V3), it cannot communicate using NETCONF.
DNA Center is giving me an error that it cannot connect to the switch over NETCONF, despite NETCONF being enabled on the switch side.

I have provided DNA Center with the CLI credentials, SNMP settings, and specified the NETCONF port (830) when adding the switch to the inventory. However, the NETCONF connection still fails.

2 Replies 2

estetson
Cisco Employee
Cisco Employee

If you're able to, can you share the VTY and AAA configs? (You can mask anything that you don't want to disclose).

NETCONF uses the default method to login. If you have a custom method defined, NETCONF won't use that line.  Also, are you using local or AAA credentials for CLI credentials?

For example, lets say this is your AAA config:

aaa new-model
aaa authentication login custom_method group aaa-group local
aaa authorization exec custom_method group aaa-group local if-authenticated

 Above we're using a custom method. Since NETCONF uses the default method, you have to add two lines for it. This adds to and does not replace the above config:

aaa authentication login default group aaa-group local
aaa authorization exec default group aaa-group local if-authenticated

So your config becomes:

aaa new-model
aaa authentication login default group aaa-group local
aaa authentication login custom_method group aaa-group local
aaa authorization exec default group aaa-group local if-authenticated
aaa authorization exec custom_method group aaa-group local if-authenticated

You can also enable AAA debugs on the device, and 'validate credentials' from the Catalyst Center GUI to see what the issue may be:

# debug aaa authentication
# debug aaa authorization
# term mon

DCampus
Level 1
Level 1

Hi estetson,
thanks for your reply.
we are using AAA credentials. here are the config you have req;

DCampus_1-1718009925154.png

DCampus_0-1718009759837.png