08-04-2014 07:34 AM - edited 03-12-2019 07:19 AM
I am attempting to enable the REST API on the Cisco CSR 1000V. I have followed the instructions in http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/configuration/csr1000Vswcfg.pdf (Ch. 14). The API service is running; however, the API endpoint is not functional. See below for (1) API service status and (2) errant behavior. See http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/restapi/restapi.pdf. If we can get this to work, we will use it to automate the deployment of the CSRs. The running config is pasted (3).
(1) API Service Status
ip-172-31-10-167#show virtual-service detail
Virtual service csr_mgmt detail
State : Activated
Package information
Name : csrmgmt.1_3_1.20140213_121708.ova
Path : bootflash:/csrmgmt.1_3_1.20140213_121708.ova
Application
Name : csr_mgmt
Installed version : 1.3.1
Description : CSR-MGMT
Signing
Key type : Cisco development key
Method : SHA-1
Licensing
Name : Not Available
Version : Not Available
Detailed guest status
----------------------------------------------------------------------
Process               Status     Uptime              # of restarts
----------------------------------------------------------------------
nginx                 UP         0Y 0W 0D 0: 7:40    0
climgr                UP         0Y 0W 0D 0: 7:40    0
restful_api           UP         0Y 0W 0D 0: 7:40    0
fcgicpa               Down
pnscag                Down
pnscdme               Down
----------------------------------------------------------------------
Feature               Status                Configuration
----------------------------------------------------------------------
Restful API           Enabled, UP           port: 443
                                            auto-save-timer: 8 seconds
                                            socket: unix:/usr/local/nginx/csrapi-fcgi.sock;
(2) Errant behavior of REST API endpoint
[ec2-user@ip-172-31-4-51 ~]$ curl -k -v https://172.31.10.167/api/v1/auth/token-services
* Hostname was NOT found in DNS cache
* Trying 172.31.10.167...
* Connected to 172.31.10.167 (172.31.10.167) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_RSA_WITH_3DES_EDE_CBC_SHA
* Server certificate:
* subject: CN=IOS-Self-Signed-Certificate-1988170391
* start date: Jul 11 20:07:58 2014 GMT
* expire date: Jan 01 00:00:00 2020 GMT
* common name: IOS-Self-Signed-Certificate-1988170391
* issuer: CN=IOS-Self-Signed-Certificate-1988170391
> GET /api/v1/auth/token-services HTTP/1.1
> User-Agent: curl/7.36.0
> Host: 172.31.10.167
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Date: Fri, 11 Jul 2014 20:18:09 GMT
* Server cisco-IOS is not blacklisted
< Server: cisco-IOS
< Connection: close
< Accept-Ranges: none
<
404 Not Found
* Closing connection 0
(3) Running config
$ printf "term len 0\nsh run\n" | ssh -i .ssh/aptlivewest2.pem ec2-user@54.191.136.82
Pseudo-terminal will not be allocated because stdin is not a terminal.
ip-172-31-10-167#term len 0
ip-172-31-10-167#sh run
Building configuration...
Current configuration : 2704 bytes
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname ip-172-31-10-167
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-1988170391
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1988170391
revocation-check none
rsakeypair TP-self-signed-1988170391
!
!
crypto pki certificate chain TP-self-signed-1988170391
certificate self-signed 01
[SNIP!]
quit
license udi pid CSR1000V sn 97FQ0HAJ0I0
!
username ec2-user privilege 15 secret 5 $1 [SNIP!]
!
redundancy
mode none
!
!
!
!
!
!
ip ssh rsa keypair-name ssh-key
ip ssh version 2
ip ssh pubkey-chain
username ec2-user
key-hash ssh-rsa [SNIP!] aptlivewest2
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface VirtualPortGroup0
ip unnumbered GigabitEthernet1
!
interface GigabitEthernet1
ip address dhcp
negotiation auto
!
!
virtual-service csr_mgmt
vnic gateway VirtualPortGroup0
activate
!
ip forward-protocol nd
!
no ip http server
ip http secure-server
ip route 172.31.4.51 255.255.255.255 VirtualPortGroup0
!
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login local
!
!
end
06-15-2018 02:19 AM
I didn't even get to this stage.
Trying to configure the management access between virtual-service and the router, but it doesn't work.
BUSEC-CSR1000v#sh virtual-service detail
Virtual service csr_mgmt detail
State : Activated
Owner : IOSd
Package information
Name : iosxe-remote-mgmt.03.16.04a.S.155-3.S4a-ext.ova
Path : bootflash:/iosxe-remote-mgmt.03.16.04a.S.155-3.S4a-ext.ova
Application
Name : csr_mgmt
Installed version : 03.16.03
Description : CSR-MGMT
Signing
Key type : Cisco development key
Method : SHA-1
Licensing
Name : Not Available
Version : Not Available
Detailed guest status
Information not available
Activated profile name: None
Resource reservation
Disk : 756 MB
Memory : 512 MB
CPU : 5% system CPU
Attached devices
Type Name Alias
---------------------------------------------
NIC ieobc_1 ieobc
NIC dp_1_0 net2
Disk _rootfs
Disk /opt/var
Disk /opt/var/c
Serial/shell serial0
Serial/aux serial1
Serial/Syslog serial2
Serial/Trace serial3
Watchdog watchdog-2
Network interfaces
MAC address Attached to interface
------------------------------------------------------
54:0E:00:0B:0C:02 ieobc_1
00:1E:7A:A5:41:BA VirtualPortGroup0
Guest interface
---
Information not available
---
Guest routes
---
Information not available
---
Resource admission (without profile) : passed
Disk space : 756MB
Memory : 512MB
CPU : 5% system CPU
VCPUs : Not specified
BUSEC-CSR1000v#
01-27-2021 09:10 AM
Did you ever figure this one out? I know it is super old but I am STILL not finding any guidance on using tokens on CSR or 4000 series.