FMC 6.3 "unprocessable entity" error when trying to amend access rule

Sergey Lisitsin
VIP Alumni

Good afternoon everyone,

I'm trying to amend an existing access rule to enable logging on it. I read the policy and the rule fine. I get the rule output in a variable called data. Then I amend the 'logFiles' field from 'False' to 'True' and try to execute a PUT request with it as the data. Then I get an unprocessable entity error. Can anyone explain why that is?

The FMC version is 6.3, I am using Python 3.

Thanks,

Sergey.


eckdd
Cisco Employee
I believe "unprocessable entity" errors usually happen when an element in your JSON does contain a valid value, has a non-existent property, or is just improperly formatted. If you have a way to output the JSON you're sending, check for any empty or null values. I have also seen the API be case-sensitive, so play around with True/true/TRUE.

tyoung008
Level 1

https://www.keycdn.com/support/422-unprocessable-entity

The FMC understands the content type of the request entity and the syntax of the request entity is correct but was unable to process the contained instructions. It is not a 400 (Bad Request) which usually happens when a parameter is wrong or you try to post an entry that already exists. You are doing a put, which is correct. Conclusion: This is not an easy syntax fix. Try to manually make the change on the FMC, and see if you get an error.

tyoung008
Level 1

This is cool, although it counters the info I gave above which is RFC standard, https://tools.ietf.org/html/rfc4918#section-11.2. In my experience syntax errors return an HTTP 400.

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/api/REST/Firepower_Management_Center_REST_API_Quick_Start_Guide_623/Objects_in_the_REST_API.html

  • 422 Unprocessable Entity
    – The payload is too large. This will occur when you send a payload greater than 2048000 bytes.
    – The payload contains an unprocessable or unreadable entity such as an invalid attribute name or incorrect JSON syntax.


Michael Kozak
Level 1

Can you post the JSON that you're sending in the PUT request?  I've done this same process and from experience I can tell you that you can't just send back all the data that you got in the GET request.  Specifically you have to remove the metadata and links attributes from the get result otherwise you will get this message.  

For me, it was an ACP rule action set to BLOCK_WITH_RESET. I believe I copied that exactly from the API Explorer. I simply changed that to BLOCK and the error went away. I haven't re-tested it in a while.

Thank you so much - I kept getting a 422 response trying to modify variable sets on access rules and your response solved my problem (needed to remove the 'links' and both 'metadata' dictionaries). Been trying to figure this out for hours! Thanks again.

Oliver Kaiser
Level 7

Have you removed the metadata dictionary from the payload before executing the PUT operation? That is the most common issue related to "Unprocessable Entity". If that is not it, connect to FMC via SSH and execute the "pigtail" command to get more details about the error from the webserver logs.

Yes, I do not include the metadata dictionary when executing a put.

Thanks for the FMC info! I will check that out the next time I get the error.

tylerjshannon
Level 1

Other than the previously stated metadata and links keys, I have also run into issues with the urls key if you are using "urlCategoriesWithReputation" and also the users key if it references any AD realm.

I have this in all my scripts:

# Remove unprocessable entities (i being an element of "items" from GET operation on the ACL/AccessRules)
i.pop("metadata")
i.pop("links")

if 'users' in i:
    for j in i['users']['objects']:
        j.pop('realm')  # Need to remove the realm as it cannot be re-uploaded during PUT.

if 'urls' in i:  # Need to remove invalid urlCategoriesWithReputation entries (missing name)
    if 'urlCategoriesWithReputation' in i['urls']:
        # Rebuild the list instead of pop()-ing while enumerating, which skips the entry after each removal.
        i['urls']['urlCategoriesWithReputation'] = [
            j for j in i['urls']['urlCategoriesWithReputation']
            if 'name' in j['category']
        ]

Here is an example of the FMC injecting a bunk category into my URL filtering which prevented my PUTs from working.

"urls": {
    "urlCategoriesWithReputation": [
        {
            "category": {  # This is a broken category
                "id": "89a91712-fe55-11e4-a157-a9da511cbd1e",  # It is missing "name"
                "type": "URLCategory"
            },
            "type": "UrlCategoryAndReputation"
        },
        {
            "category": {
                "name": "Abortion",  # This is a valid category.
                "id": "a774acd8-8240-11e0-9682-6814b504fd68",
                "type": "URLCategory"
            },
            "type": "UrlCategoryAndReputation"
        }
    ]
}

John Groetzinger
Cisco Employee

This is incredibly misleading because the swagger spec (the API explorer) is actually wrong for the "Example Value" for the requests. This has always been a problem. I will try to get this resolved in future releases; I have opened bug CSCwb85010 to address this (should be publicly visible in a day or two).

The problem is that the Example Value for the POST/PUT is actually the example response. One thing that may help is if you just ignore that example value, and click the "Model" instead (next to "Example value") which will tell you the valid structure for the request.
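
An added example, not part of the thread and not Cisco's code: one way to turn a rule fetched with GET into a PUT body, combining the fixes the replies describe (drop metadata and links, drop realm from user objects, drop URL category entries without a name) with the 2048000-byte limit quoted above. It goes a little beyond the thread by stripping the two keys at every nesting level, which is an assumption; the function names are hypothetical and SAMPLE_RULE is constructed.

```python
import json

MAX_PAYLOAD_BYTES = 2048000              # 422 size limit quoted in the thread
READ_ONLY_KEYS = {"metadata", "links"}   # keys the replies say to drop before a PUT


def strip_read_only(node):
    """Copy node, dropping READ_ONLY_KEYS at every nesting level (assumption)."""
    if isinstance(node, dict):
        return {k: strip_read_only(v) for k, v in node.items()
                if k not in READ_ONLY_KEYS}
    if isinstance(node, list):
        return [strip_read_only(v) for v in node]
    return node


def prepare_rule_for_put(rule, changes):
    """Return (body_bytes, notes) for a PUT built from a GET result."""
    notes = []
    cleaned = strip_read_only(rule)      # new dicts/lists; the GET result is untouched
    for user in cleaned.get("users", {}).get("objects", []):
        if user.pop("realm", None) is not None:
            notes.append("removed realm from user %r" % user.get("name"))
    urls = cleaned.get("urls", {})
    entries = urls.get("urlCategoriesWithReputation")
    if entries is not None:
        kept = [e for e in entries if "name" in e.get("category", {})]
        if len(kept) != len(entries):
            notes.append("dropped %d URL category entries without a name"
                         % (len(entries) - len(kept)))
        urls["urlCategoriesWithReputation"] = kept
    cleaned.update(changes)
    body = json.dumps(cleaned).encode("utf-8")   # Python True is sent as JSON true
    if len(body) > MAX_PAYLOAD_BYTES:
        raise ValueError("payload is %d bytes, over the %d byte limit"
                         % (len(body), MAX_PAYLOAD_BYTES))
    return body, notes


# Constructed sample of a GET result; ids, names and URL are placeholders.
SAMPLE_RULE = {
    "id": "RULE-ID-PLACEHOLDER", "name": "allow-web", "type": "AccessRule",
    "action": "ALLOW", "logFiles": False,
    "links": {"self": "https://fmc.example.invalid/placeholder"},
    "metadata": {"timestamp": 0},
    "variableSet": {"name": "Default-Set", "metadata": {"timestamp": 0}},
    "users": {"objects": [{"name": "jdoe", "realm": {"name": "corp"}}]},
    "urls": {"urlCategoriesWithReputation": [
        {"category": {"id": "CAT-1", "type": "URLCategory"}},
        {"category": {"id": "CAT-2", "type": "URLCategory", "name": "News"}},
    ]},
}
```

Calling `prepare_rule_for_put(SAMPLE_RULE, {"logFiles": True})` returns the bytes to send as the PUT body plus a list of what was removed, which is worth logging next to any 422 that still comes back.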