
ISE 3.1 ERS DELETE ers/config/sgacl/ 500 Internal Server Error

Andreas Falk
Level 1
When updating pyise-ers to ISE 3.1 compatibility I found a regression in ers/config/sgacl/ ERSResponse

DELETE ers/config/sgacl/does_not_exist
Response:

 

{
  "ERSResponse": {
    "operation": "DELETE-delete-sgacl",
    "messages": [
      {
        "type": "ERROR",
        "code": "Conversion exception"
      }
    ],
    "link": {
      "rel": "related",
      "href": "https://ip:9060/ers/config/sgacl/not_found",
      "type": "application/xml"
    }
  }
}
Status: 500 Internal Server Error

 

Expected response:

 

{
  "ERSResponse": {
    "operation": "DELETE-delete-sgacl",
    "messages": [
      {
        "title": "The specified resource does not exist",
        "type": "ERROR",
        "code": "Resource not found exception"
      }
    ],
    "link": {
      "rel": "related",
      "href": "https://ip:9060/ers/config/sgacl/not_found",
      "type": "application/xml"
    }
  }
}
Status: 404 Not Found

 

ISE information:

 

Version: 3.1.0.518
Patch Information: 6

 

Any ideas, I think that it is a bug?

--
Kind Regards Falk


3 Replies

thomas
Cisco Employee

ISE APIs are documented @ https://cs.co/ise-api

"DELETE ers/config/sgacl/does_not_exist" is not a valid endpoint.

Specifically, the sgacl endpoint is documented @ https://developer.cisco.com/docs/identity-services-engine/latest/#!sgacl

You did not include your actual URL so it is impossible to know why you received a 500 or a 404. Always include your original request URL.

It works great for me on ISE 3.2 + Patch 1:

curl  --include  --insecure  --location \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD  \
  --request POST https://$ISE_HOSTNAME/ers/config/sgacl \
  --data '
{
    "Sgacl": {
        "name": "Falk",
        "description": "Falk",
        "ipVersion": "IPV4",
        "readOnly": false,
        "aclcontent": "Permit IP"
    }
}'

HTTP/1.1 201
Location: https://ise.securitydemo.net/ers/config/sgacl/39386e70-ecec-11ed-986a-0660a5c2db64


curl  --include  --insecure  --location \
  --header 'Accept: application/json' \
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  --request GET https://$ISE_HOSTNAME/ers/config/sgacl/39386e70-ecec-11ed-986a-0660a5c2db64

HTTP/1.1 200

{
  "Sgacl" : {
    "id" : "39386e70-ecec-11ed-986a-0660a5c2db64",
    "name" : "Falk",
    "description" : "Falk",
    "generationId" : "0",
    "ipVersion" : "IPV4",
    "aclcontent" : "Permit IP",
    "link" : {
      "rel" : "self",
      "href" : "https://ise.securitydemo.net/ers/config/sgacl/39386e70-ecec-11ed-986a-0660a5c2db64",
      "type" : "application/json"
    }
  }
}


curl  --include  --insecure  --location \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD  \
  --request DELETE https://$ISE_HOSTNAME/ers/config/sgacl/39386e70-ecec-11ed-986a-0660a5c2db64

HTTP/1.1 204

 

Hi,

Sorry, the error on my end is when doing a delete on an SGACL that does not exist.

curl  --include  --insecure  --location \
 --header 'Accept: application/json' \
 --header 'Content-Type: application/json' \
 --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
 --request DELETE https://$ISE_HOSTNAME/ers/config/sgacl/does_not_exist

HTTP/1.1 500 
{
  "ERSResponse" : {
    "operation" : "DELETE-delete-sgacl",
    "messages" : [ {
      "type" : "ERROR",
      "code" : "Conversion exception"
    } ],
    "link" : {
      "rel" : "related",
      "href" : "https://ip/ers/config/sgacl/does_not_exist",
      "type" : "application/xml"
    }
  }
}

It should be an HTTP/1.1 404 and the message should be:

    "messages" : [ {
      "title" : "The specified resource does not exist",
      "type" : "ERROR",
      "code" : "Resource not found exception"
    } ],

It looks like a regression from 3.0.x?

--
Kind Regards Falk

 

OK, it was not obvious that you were trying to delete a non-existent SGACL.

The string value "does_not_exist" is incorrect syntax. That value must be a UUID which has the format
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

When I try the DELETE with a non-existent SGACL using a proper UUID with ISE 3.2 Patch 1, I get the 500, too:

curl  --include  --insecure  --location \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD  \
  --request DELETE https://$ISE_HOSTNAME/ers/config/sgacl/39386e70-ecec-11ed-986a-0660a5c2db64

HTTP/1.1 500

{
  "ERSResponse" : {
    "operation" : "DELETE-delete-sgacl",
    "messages" : [ {
      "type" : "ERROR",
      "code" : "Conversion exception"
    } ],
    "link" : {
      "rel" : "related",
      "href" : "https://ise.securitydemo.net/ers/config/sgacl/39386e70-ecec-11ed-986a-0660a5c2db64",
      "type" : "application/xml"
    }
  }
}

You are welcome to submit a bug via TAC.
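
Added example (not part of the thread, and not pyise-ers or Cisco code): a client-side classifier for the SGACL DELETE responses quoted above, which checks the ID is a UUID before anything is sent and keeps the 500 "Conversion exception" case separate from a clean 404. The function names, result labels and sample bodies are assumptions made for this sketch.

```python
import json
import uuid

# Constructed sample bodies, shaped like the two ERSResponse payloads quoted in the thread.
def _body(message):
    return json.dumps({"ERSResponse": {"operation": "DELETE-delete-sgacl",
                                       "messages": [message]}})

BODY_500 = _body({"type": "ERROR", "code": "Conversion exception"})
BODY_404 = _body({"title": "The specified resource does not exist",
                  "type": "ERROR", "code": "Resource not found exception"})


def is_uuid(value):
    """True only for the canonical xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx form."""
    try:
        # uuid.UUID also accepts braces, 'urn:uuid:' and unhyphenated hex,
        # so compare against the canonical rendering to reject those.
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def error_codes(body):
    """Return messages[].code from an ERSResponse body, or [] if it cannot be parsed."""
    try:
        messages = json.loads(body)["ERSResponse"]["messages"]
        return [m.get("code", "") for m in messages]
    except (ValueError, KeyError, TypeError, AttributeError):
        return []


def classify_delete(sgacl_id, status, body=""):
    """Map one DELETE ers/config/sgacl/<id> outcome to a label (labels are hypothetical)."""
    if not is_uuid(sgacl_id):
        return "invalid_id"           # caught locally; the request should not be sent
    if status == 204:
        return "deleted"
    codes = error_codes(body)
    if status == 404 and "Resource not found exception" in codes:
        return "not_found"            # the response the original poster expected
    if status == 500 and codes == ["Conversion exception"]:
        return "probable_not_found"   # the behaviour reported in this thread
    return "error"                    # anything else is a real failure
```

A `probable_not_found` result is ambiguous by design; confirming with a GET on the same ID before automation treats the SGACL as absent is a suggestion of this example, not something the thread tested.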