REST API not working - 404 errors

klsetzer409
Level 1

I am attempting to enable the REST API on the Cisco CSR 1000V. I have followed the instructions in http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/configuration/csr1000Vswcfg.pdf (CH. 14). The API service is running; however, the API endpoint is not functional. See below for (1) API service status, and (2) errant behavior. See http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/restapi/restapi.pdf. If we can get this to work, we will use it to automate the deployment of the CSRs. The running config is pasted (3).

(1) API Service Status

ip-172-31-10-167#show virtual-service detail
Virtual service csr_mgmt detail
State : Activated
Package information
Name : csrmgmt.1_3_1.20140213_121708.ova
Path : bootflash:/csrmgmt.1_3_1.20140213_121708.ova
Application
Name : csr_mgmt
Installed version : 1.3.1
Description : CSR-MGMT
Signing
Key type : Cisco development key
Method : SHA-1
Licensing
Name : Not Available
Version : Not Available

Detailed guest status

----------------------------------------------------------------------
Process Status Uptime # of restarts
----------------------------------------------------------------------
nginx UP 0Y 0W 0D 0: 7:40 0
climgr UP 0Y 0W 0D 0: 7:40 0
restful_api UP 0Y 0W 0D 0: 7:40 0
fcgicpa Down
pnscag Down
pnscdme Down
----------------------------------------------------------------------
Feature Status Configuration
----------------------------------------------------------------------
Restful API Enabled, UP port: 443
auto-save-timer: 8 seconds
socket: unix:/usr/local/nginx/csrapi-fcgi.sock;

(2) Errant behavior of REST API endpoint

[ec2-user@ip-172-31-4-51 ~]$ curl -k -v https://172.31.10.167/api/v1/auth/token-services
* Hostname was NOT found in DNS cache
*   Trying 172.31.10.167...
* Connected to 172.31.10.167 (172.31.10.167) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_RSA_WITH_3DES_EDE_CBC_SHA
* Server certificate:
* subject: CN=IOS-Self-Signed-Certificate-1988170391
* start date: Jul 11 20:07:58 2014 GMT
* expire date: Jan 01 00:00:00 2020 GMT
* common name: IOS-Self-Signed-Certificate-1988170391
* issuer: CN=IOS-Self-Signed-Certificate-1988170391
> GET /api/v1/auth/token-services HTTP/1.1
> User-Agent: curl/7.36.0
> Host: 172.31.10.167
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< Date: Fri, 11 Jul 2014 20:18:09 GMT
* Server cisco-IOS is not blacklisted
< Server: cisco-IOS
< Connection: close
< Accept-Ranges: none
< 
404 Not Found
* Closing connection 0

(3) Running config

$ printf "term len 0\nsh run\n" | ssh -i .ssh/aptlivewest2.pem ec2-user@54.191.136.82
Pseudo-terminal will not be allocated because stdin is not a terminal.

ip-172-31-10-167#term len 0
ip-172-31-10-167#sh run
Building configuration...

Current configuration : 2704 bytes
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname ip-172-31-10-167
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!

!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-1988170391
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1988170391
 revocation-check none
 rsakeypair TP-self-signed-1988170391
!
!
crypto pki certificate chain TP-self-signed-1988170391
 certificate self-signed 01
  [SNIP!]
  quit
license udi pid CSR1000V sn 97FQ0HAJ0I0
!
username ec2-user privilege 15 secret 5 $1 [SNIP!]
!
redundancy
 mode none
!
!
!
!
!
!
ip ssh rsa keypair-name ssh-key
ip ssh version 2
ip ssh pubkey-chain
  username ec2-user
   key-hash ssh-rsa [SNIP!] aptlivewest2
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface VirtualPortGroup0
 ip unnumbered GigabitEthernet1
!
interface GigabitEthernet1
 ip address dhcp
 negotiation auto
!
!
virtual-service csr_mgmt
 vnic gateway VirtualPortGroup0
 activate
!
ip forward-protocol nd
!
no ip http server
ip http secure-server
ip route 172.31.4.51 255.255.255.255 VirtualPortGroup0
!
!
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login local
!
!
end

2 Replies

leogal777
Level 1

I didn't even get to this stage.

Trying to configure the management access between virtual-service and the router, but it doesn't work.

BUSEC-CSR1000v#sh virtual-service detail
Virtual service csr_mgmt detail
State : Activated
Owner : IOSd
Package information
Name : iosxe-remote-mgmt.03.16.04a.S.155-3.S4a-ext.ova
Path : bootflash:/iosxe-remote-mgmt.03.16.04a.S.155-3.S4a-ext.ova
Application
Name : csr_mgmt
Installed version : 03.16.03
Description : CSR-MGMT
Signing
Key type : Cisco development key
Method : SHA-1
Licensing
Name : Not Available
Version : Not Available

Detailed guest status
Information not available
Activated profile name: None
Resource reservation
Disk : 756 MB
Memory : 512 MB
CPU : 5% system CPU

Attached devices
Type Name Alias
---------------------------------------------
NIC ieobc_1 ieobc
NIC dp_1_0 net2
Disk _rootfs
Disk /opt/var
Disk /opt/var/c
Serial/shell serial0
Serial/aux serial1
Serial/Syslog serial2
Serial/Trace serial3
Watchdog watchdog-2

Network interfaces
MAC address Attached to interface
------------------------------------------------------
54:0E:00:0B:0C:02 ieobc_1
00:1E:7A:A5:41:BA VirtualPortGroup0

Guest interface
---
Information not available
---

Guest routes
---
Information not available
---

Resource admission (without profile) : passed
Disk space : 756MB
Memory : 512MB
CPU : 5% system CPU
VCPUs : Not specified


BUSEC-CSR1000v#

dflick
Level 1

Did you ever figure this one out? I know it is super old, but I am STILL not finding any guidance on using tokens on CSR or 4000 series.