08-12-2020 09:37 AM
Greetings,
I am using a Cisco ISR4321 running IOSXE 16.06.04
I am trying to get started with NETCONF, and according to every tutorial I've read, the command "netconf-yang" should be enough to start the NETCONF service and open port 830. However, trying to get the router's capabilities via
ssh -s <user>@192.168.88.211 -p 830 netconf
returns
ssh: connect to host 192.168.88.211 port 830: Connection refused
An NMAP scan also doesn't list Port 830 as open.
The service is definitely running though:
Router#show platform software yang-management process
confd : Running
nesd : Running
syncfd : Running
ncsshd : Running
dmiauthd : Running
vtyserverutild : Running
opdatamgrd : Running
nginx : Running
ndbmand : Running
I've been stuck on this for a while now and would greatly appreciate any hints as to what I'm missing here.
08-12-2020 09:54 AM
- Check if this guide can help you:
M.
08-12-2020 10:14 AM
Thank you, but that seems to be the exact guide I've been using.
As I understand it, it states that if AAA and Syslog/SNMP monitoring aren't required you only need the basic SSH configuration and the "netconf-yang" command for the aforementioned Capabilities check to work.
For troubleshooting it only states that if the test doesn't work, there may be a firewall blocking Port 830 but I've already tested the command while connected directly to the router.
06-09-2021 08:18 AM
Hello,
My answer comes late, but may help those who land on this page.
I recently got the very same behaviour after deleting some crypto keys (I know it is bad :))
To restore them, you can disable and re-enable netconf like this:
csr-hub(config)#no netconf-yang
csr-hub(config)#
*Jun 9 15:01:04.021: yang-infra: netconf-yang server has been notified to stop
csr-hub(config)#
csr-hub(config)#netconf-yang
The existing self-signed trustpoint cannot be used for NETCONF. Delete it and create a new one? [yes/no]: yes
CRYPTO_PKI: setting trustpoint policy TP-self-signed-3222202584 to use keypair TP-self-signed-3222202584
csr-hub(config)#
03-15-2023 10:56 AM
My reply may come late to this as well, but THIS finally pointed me in the right direction. After reenabling netconf-yang, a log message notified me that it was using an old trustpoint certificate. I disabled netconf-yang, deleted the cert, and reenabled netconf-yang. I then tested SSH over port 830 from Prime, and it finally let me accept the certificate in Prime.
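The symptom in this thread (every yang-management process "Running" while port 830 refuses connections) can be told apart from a firewall drop or a stopped process with a short check. The following is an added example, not part of any post above; the function names, the sample listing layout and the "Not Running" state string are assumptions, and the trustpoint hint reflects the fix reported in the replies.

```python
import re
import socket

# Constructed sample: the process listing from the first post, one entry per line.
SAMPLE_SHOW_OUTPUT = """\
confd : Running
nesd : Running
syncfd : Running
ncsshd : Running
dmiauthd : Running
vtyserverutild : Running
opdatamgrd : Running
nginx : Running
ndbmand : Running
"""

def parse_processes(show_output):
    """Map process name -> state; works on one-per-line or run-together output."""
    # Assumption: a stopped process reads "Not Running"; anything but "Running" counts as down.
    return dict(re.findall(r"(\w+)\s*:\s*((?:Not\s+)?\w+)", show_output))

def probe(host, port=830, timeout=3.0):
    """Classify the TCP port as 'refused', 'filtered', 'open-ssh' or 'open-other'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(64)  # an SSH server sends its version string first
            except OSError:
                banner = b""
            return "open-ssh" if banner.startswith(b"SSH-") else "open-other"
    except ConnectionRefusedError:
        return "refused"      # host answered with RST: nothing is listening
    except OSError:
        return "filtered"     # timeout or unreachable: ACL/firewall or routing

def diagnose(show_output, port_state):
    """Combine the process listing and the probe result into one finding."""
    down = sorted(p for p, st in parse_processes(show_output).items() if st != "Running")
    if down:
        return "processes not running: " + ", ".join(down)
    if port_state == "refused":
        return ("all processes running but port refused: check the self-signed "
                "trustpoint/keys, then disable and re-enable netconf-yang")
    if port_state == "filtered":
        return "no answer: check ACLs or a firewall in the path"
    if port_state == "open-ssh":
        return "SSH listener is answering on the NETCONF port"
    return "port open but no SSH banner"
```

Call `diagnose(pasted_show_output, probe("192.168.88.211"))` from a host directly connected to the router, as the original poster did, so that a "refused" result cannot be blamed on a device in the path.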