cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
148
Views
0
Helpful
1
Replies
khgrant
Cisco Employee

Crypto keyring order issue -- ASR1k

Friends,

I”m facing some challenges with order of commands for a service on ASR1k.

The error I get is

<ERROR> 23-Sep-2015::02:19:01.844 NedWorker Ned-Worker-Thread-0: - NedWorker error for ned_prepare_cli
com.tailf.packages.ned.ios.IOSNedCli$ExtendedApplyException: keyring MPN991:
% No such keyring MPN991

at com.tailf.packages.ned.ios.IOSNedCli.print_line_wait(IOSNedCli.java:885)

at com.tailf.packages.ned.ios.IOSNedCli.applyConfig(IOSNedCli.java:1151)

at com.tailf.ned.NedCliBaseTemplate.prepare(NedCliBaseTemplate.java:476)

at com.tailf.ned.NedWorker.dorun(NedWorker.java:1381)

at com.tailf.ned.NedWorker.run(NedWorker.java:255)

My template does create the Crypto Keyring and then use it in the profile.

I tried dividing the creation and use of keyring in separate templates too, but, no luck.


I suspect that the second section (isakmp) is being added to the device before creation of keyring.
When I comment the keyring in isakmp profile, crypto keyring is created correctly.

Appreciate your help.

 

—————— Template ——————

 

<crypto xmlns="urn:ios">
<keyring>                         <———————— Creation of Keyring
<name>MPN{$CUST-ID}</name>
<vrf>MPN{$CUST-ID}</vrf>
<pre-shared-key>
<address>
<address>{$TUNNEL-DEST}</address>
<key>
<secret>{$PASSPHRASE}</secret>
</key>
</address>
</pre-shared-key>
</keyring>

<isakmp>
<profile>
<name>MPN{$CUST-ID}</name>
<vrf>MPN{$CUST-ID}</vrf>
<keyring>                     <————— use of keyring in profile
<name>MPN{$CUST-ID}</name>
</keyring>
<match>
<identity>
<address>
<ipv4>
<address>{$TUNNEL-DEST}</address>
<mask>255.255.255.255</mask>
<vrf>MPN{$CUST-ID}</vrf>
</ipv4>
</address>
</identity>
</match>
<local-address>
<interface>
<Loopback>6{$CUST-ID}</Loopback>
<!-- <Loopback>0</Loopback> -->
</interface>
</local-address>
<keepalive>
<seconds>10</seconds>
<retry>2</retry>
</keepalive>
</profile>
</isakmp>
</crypto>

 

1 ACCEPTED SOLUTION

Accepted Solutions
khgrant
Cisco Employee

 

Hi Sandeep,

If you look at the IOS ned yang. The dependancy is not there.

        // crypto isakmp profile * / keyring *

        list keyring {

          tailf:info "Specify keyring to use";

          tailf:cli-suppress-mode;

          tailf:cli-delete-when-empty;

          key name;

          leaf name {

            type union {

              type enumeration {

                enum "default" {

                  tailf:info "Use global keyring";

                }

              }

              type string { <== Suggested change to path

                tailf:info "WORD;;Name of the keyring to use”; <== Suggested change to the path of the keyring name

              }

            }

          }

        }

 

Please try the changes and see if it works. Compile and reload the packages after changes.

   

Thanks,

Kalyan

 

 

 

 

View solution in original post

1 REPLY 1
khgrant
Cisco Employee

 

Hi Sandeep,

If you look at the IOS ned yang. The dependancy is not there.

        // crypto isakmp profile * / keyring *

        list keyring {

          tailf:info "Specify keyring to use";

          tailf:cli-suppress-mode;

          tailf:cli-delete-when-empty;

          key name;

          leaf name {

            type union {

              type enumeration {

                enum "default" {

                  tailf:info "Use global keyring";

                }

              }

              type string { <== Suggested change to path

                tailf:info "WORD;;Name of the keyring to use”; <== Suggested change to the path of the keyring name

              }

            }

          }

        }

 

Please try the changes and see if it works. Compile and reload the packages after changes.

   

Thanks,

Kalyan

 

 

 

 

View solution in original post

Content for Community-Ad