Solved: Adding netsim devices to system install : Access check failed

khgrant · ‎10-12-2016

Hi all;

Never seen this error before… anyone got any ideas?

#ncs-netsim cli-i asr9k_0
“Access check failed”

I trying to add a netsim device to an existing system install:

I have created a authgroup “netsim” like this, but I don’t think the problem is here:
devices authgroups group netsim

umap admin

remote-name admin

remote-password $8$8l6Hbgrl0MqyJvKLroZmtfQ4SvpjUhuyt0gyG/2vHt4=

remote-secondary-password $8$MuYyhbc3qqPZp9VCVQH6fvcEEnCXjzYSUcOAF27JbcE=

!

Have checked the logs: No log file is touched.

Best Regards
Paulo Oliveira

khgrant · ‎10-12-2016

Paulo,

Problem solved:

This configuration was present in ncs.conf
<ncs-ipc-access-check>

<filename>${NCS_DIR}/etc/ncs/ipc_access</filename>

</ncs-ipc-access-check>

After changing it to false and removing the environment variable NCS_IPC_ACCESS_FILE
… everything back to normal, netsim devices added and also reachable.

But you have also turned off IPC security, so don't do this in a production system.

Best Regards,

/jan

View solution in original post

khgrant · ‎10-12-2016

Can you turn on traces?

Roque

khgrant · ‎10-12-2016

Thanks Roque;

Enable trace to the device:
admin@ncs(config)# devices device asr9k_0 trace raw

Tried to connect:
admin@ncs# devices device asr9k_0 connect

result false

info Failed to connect to device asr9k_0: connection refused: ned_external_error ned_connect_cli: unknown device

A file was created: ned-cisco-ios-xr-asr9k_0.trace

File content is:

>> 6-Oct-2016::12:08:39.606 CLI CONNECT to asr9k_0-127.0.0.1:10022 as admin (Trace=true)

<< 6-Oct-2016::12:08:39.608 SET-TIMOUT

<< 6-Oct-2016::12:08:39.934 ERROR: Network Element Driver error econnrefused for device asr9k_0: ned_external_error ned_connect_cli: unknown device

khgrant · ‎10-12-2016

This configuration was present in ncs.conf
<ncs-ipc-access-check>

<filename>${NCS_DIR}/etc/ncs/ipc_access</filename>

</ncs-ipc-access-check>

After changing it to false and removing the environment variable NCS_IPC_ACCESS_FILE
… everything back to normal, netsim devices added and also reachable.

Best Regards
Paulo Oliveira

khgrant · ‎10-12-2016

Paulo,

Problem solved:

This configuration was present in ncs.conf
<ncs-ipc-access-check>

<filename>${NCS_DIR}/etc/ncs/ipc_access</filename>

</ncs-ipc-access-check>

After changing it to false and removing the environment variable NCS_IPC_ACCESS_FILE
… everything back to normal, netsim devices added and also reachable.

But you have also turned off IPC security, so don't do this in a production system.

Best Regards,

/jan

View solution in original post

khgrant · ‎10-12-2016

IMHO, the IPC access check should only be used during certain circumstances. In particular only when you have non trusted shell users on the NSO host.

If you don't - there is no need to use the IPC access ctl, it'll just add to the confusion if you do.

By shell users, I mean actual user logins to the NSO hosts, and you don't want those users to have access to NSO, or you want those users to have to abide by the NACM rules.

/klacke