06-26-2021 12:28 PM
I am trying to configure subinterfaces on a device located in a subdomain. I am unable to make this work. When I use the API Explorer I receive the error below. I have also tried using the Python code below.
Devices:
API-Explorer error
{
  "error": {
    "category": "FRAMEWORK",
    "messages": [
      {
        "description": "You do not have the required authorization to do this operation."
      }
    ],
    "severity": "ERROR"
  }
}
API-Explorer code
{
  "type": "SubInterface",
  "vlanId": 30,
  "subIntfId": 12345,
  "enabled": true,
  "MTU": 1500,
  "managementOnly": false,
  "enableAntiSpoofing": true,
  "enableSGTPropagate": true,
  "ifname": "Intf_name",
  "name": "GigabitEthernet0/1",
  "overrideDefaultFragmentSetting": {
    "size": 200,
    "chain": 24,
    "timeout": 5
  },
  "ipv4": {
    "static": {
      "address": "1.2.3.4",
      "netmask": "25"
    }
  }
}
Python Code error
Response test {"error":{"category":"FRAMEWORK","messages":[{"description":"Invalid Request"}],"severity":"ERROR"}}
Response
<Response [404]>
Python Code
def configure_subinterface(addr: str = None, token: str = None):
    print("*" * 80)
    print("Create subinterfaces")
    db_list0 = {}
    db_list1 = {}
    with os.scandir('./') as entries:
        for entry in entries:
            db_list0[entry.name] = entry.name
    print("*" * 80)
    ftdinterface = selectFromDict(db_list0, 'FTD interface backup to restore')
    with open(ftdinterface) as readfile:
        subinterface = json.load(readfile)
    with os.scandir('./') as entries:
        for entry in entries:
            db_list1[entry.name] = entry.name
    print("*" * 80)
    ftdrecord = selectFromDict(db_list1, 'FTD device to apply interface')
    print("*" * 80)
    with open(ftdrecord) as readfile:
        devicerecord = json.load(readfile)
    domainuuid = ("e276abec-e0f2-11e3-8169-6d9ed49b625f/ " + devicerecord['items'][0]['metadata']['domain']['id'])
    deviceuuid = devicerecord['items'][0]['id']
    payload = json.dumps([
        {
            "type": "SubInterface",
            "vlanId": 30,
            "subIntfId": 12345,
            "enabled": True,
            "MTU": 1500,
            "managementOnly": True,
            "enableAntiSpoofing": True,
            "enableSGTPropagate": True,
            "ifname": "Intf_name",
            "name": "GigabitEthernet0/1",
            "overrideDefaultFragmentSetting": {
                "size": 200,
                "chain": 24,
                "timeout": 5
            },
            "securityZone": {
                "id": "a5d02a5e-d1ce-11eb-9144-f657a2d3df95",
                "type": "SecurityZone"
            },
            "ipv4": {
                "static": {
                    "address": "1.2.3.4",
                    "netmask": "25"
                }
            }
        }
    ])
    api_uri = f"/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/ 7f180e2c-ce4a-489f-57df-000000000001/devices/devicerecords/{deviceuuid}/subinterfaces?bulk=true"
    url = "https://" + addr + api_uri
    headers = { "X-auth-access-token": token }
    response = requests.request("POST", url, headers=headers, data=json.dumps(payload), verify=False)
06-27-2021 12:08 PM
On mobile so haven't looked at this thoroughly; however, have you created the API key in the Global Domain and are then trying to POST data to the sub-domain? I can't remember whether that should actually work or not.
Try posting the data to the global domain but with the correct Device ID.
I'll take another look when I'm at my PC tomorrow for you. I have done this without issue previously on 6.3.
06-29-2021 06:20 AM
Yes, I have tried that method. See results below.
Device record for FMC
Response body
{
  "links": {
  },
  "items": [
    {
      "id": "16836780-d1ab-11eb-b26b-ec8dd1d64550",
      "type": "Device",
      "links": {
      },
      "name": "FTDv2"
    }
  ],
  "paging": {
    "offset": 0,
    "limit": 1,
    "count": 1,
    "pages": 1
  }
}
Python code for post interface
def configure_subinterface(addr: str = None, token: str = None):
    print("*" * 80)
    print("Create subinterfaces")
    db_list0 = {}
    db_list1 = {}
    with os.scandir('./') as entries:
        for entry in entries:
            db_list0[entry.name] = entry.name
    print("*" * 80)
    ftdinterface = selectFromDict(db_list0, 'FTD interface backup to restore')
    with open(ftdinterface) as readfile:
        subinterface = json.load(readfile)
    with os.scandir('./') as entries:
        for entry in entries:
            db_list1[entry.name] = entry.name
    print("*" * 80)
    ftdrecord = selectFromDict(db_list1, 'FTD device to apply interface')
    print("*" * 80)
    with open(ftdrecord) as readfile:
        devicerecord = json.load(readfile)
    deviceuuid = devicerecord['items'][0]['id']
    payload = json.dumps(
        {
            "type": "SubInterface",
            "vlanId": 30,
            "subIntfId": 12345,
            "enabled": True,
            "MTU": 1500,
            "managementOnly": True,
            "enableAntiSpoofing": True,
            "enableSGTPropagate": True,
            "ifname": "Intf_name",
            "name": "GigabitEthernet0/1",
            "overrideDefaultFragmentSetting": {
                "size": 200,
                "chain": 24,
                "timeout": 5
            },
            "securityZone": {
                "id": "a5d02a5e-d1ce-11eb-9144-f657a2d3df95",
                "type": "SecurityZone"
            },
            "ipv4": {
                "static": {
                    "address": "1.2.3.4",
                    "netmask": "25"
                }
            }
        }
    )
    api_uri = f"/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/devices/devicerecords/16836780-d1ab-11eb-b26b-ec8dd1d645508/subinterfaces"
    url = "https://" + addr + api_uri
    headers = { "X-auth-access-token": token }
    response = requests.request("POST", url, headers=headers, data=(payload), verify=False)
    print("Device uuid " + deviceuuid)
    print("Response test " + response.text)
    print(response)
    print("*" * 80)
    print("Payload")
    print(payload)
    print("*" * 80)
Response
Device uuid 16836780-d1ab-11eb-b26b-ec8dd1d64550
Response test {"error":{"category":"OTHER","messages":[{}],"severity":"ERROR"}}
<Response [500]>
********************************************************************************
Payload
{"type": "SubInterface", "vlanId": 30, "subIntfId": 12345, "enabled": true, "MTU": 1500, "managementOnly": true, "enableAntiSpoofing": true, "enableSGTPropagate": true, "ifname": "Intf_name", "name": "GigabitEthernet0/1", "overrideDefaultFragmentSetting": {"size": 200, "chain": 24, "timeout": 5}, "securityZone": {"id": "a5d02a5e-d1ce-11eb-9144-f657a2d3df95", "type": "SecurityZone"}, "ipv4": {"static": {"address": "1.2.3.4", "netmask": "25"}}}
Response on FMC
2021-06-29 08:32:08 api2 API POST https://172.16.40.2/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/devices/devicerecords/16836780-d1ab-11eb-b26b-ec8dd1d64550 Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fu(...)
07-14-2021 04:36 AM
Any updates?
07-14-2021 01:26 PM - edited 07-14-2021 01:27 PM
I believe your issue is with regard to the domain. If you look at the URL:
https://fmc.cisco.com/api/fmc_config/v1/domain/bad037b7-11fa-32d5-caf6-000000000000/devices/devicerecords/421e39c2-e4b8-11eb-9b7e-efd0ba43de90/subinterfaces
Pay special attention to the domain. What I did is the following:
1. Added a VFTD and put it in my new subdomain
2. I created a new admin role user that is a member of both global and my sub-domain
First I went into API explorer where the domain was selected as "global".
I received the same error you did when the domain was set as "global". When I swapped it to "Global/child_domain", I did not get an error and the subinterface was successfully created.
I believe this is just swapping the domain UUID in the URL to the child domain.
My JSON document looked like the following:
{
  "type": "SubInterface",
  "vlanId": 10,
  "subIntfId": 1,
  "MTU": 1500,
  "enabled": true,
  "managementOnly": false,
  "mode": "NONE",
  "enableSGTPropagate": true,
  "ipv4": {
    "static": {
      "address": "192.168.6.1",
      "netmask": "255.255.255.0"
    }
  },
  "ipv6": {
    "enableRA": true,
    "enableIPV6": false,
    "enforceEUI64": false,
    "enableAutoConfig": false,
    "enableDHCPAddrConfig": false,
    "enableDHCPNonAddrConfig": false,
    "dadAttempts": 1,
    "nsInterval": 1000,
    "reachableTime": 0,
    "raLifeTime": 1800,
    "raInterval": 200
  },
  "enableAntiSpoofing": false,
  "fragmentReassembly": false,
  "ifname": "sub2",
  "name": "GigabitEthernet0/2"
}
My suggestion is to make sure you have the URL with the correct subdomain and I suspect your issue will be resolved. The deceptive thing is that it looks like you can do a GET with the global URL but you can only do the POST with the child domain in the URL. I suspect the same is also true for PUT.
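The answer's point, that the domain UUID in the URL has to be the domain that owns the device, as an added example (not code from the thread or from Cisco): it reads both UUIDs from the saved device record instead of hard-coding them, and rejects malformed ids before any request is sent. It assumes the saved record carries `metadata.domain.id`, as the question's first script expects; `device_scope`, `subinterface_url`, `build_post` and `SAMPLE_RECORD` are hypothetical names.

```python
import json
import re

UUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)

# Constructed sample: the UUIDs are the ones in the answer's URL; the
# metadata.domain.id field is assumed to be present in the saved record.
SAMPLE_RECORD = {"items": [{
    "id": "421e39c2-e4b8-11eb-9b7e-efd0ba43de90",
    "type": "Device",
    "metadata": {"domain": {"id": "bad037b7-11fa-32d5-caf6-000000000000"}},
}]}


def device_scope(devicerecord):
    """Return (domain_uuid, device_uuid) read from the device record itself."""
    item = devicerecord["items"][0]
    try:
        domain_uuid = item["metadata"]["domain"]["id"]
    except KeyError:
        raise ValueError("device record has no metadata.domain.id; "
                         "cannot tell which domain owns the device") from None
    for label, value in (("domain", domain_uuid), ("device", item["id"])):
        # fullmatch rejects stray spaces, extra characters and path fragments
        if not UUID_RE.fullmatch(value):
            raise ValueError(f"{label} id is not a well-formed UUID: {value!r}")
    return domain_uuid, item["id"]


def subinterface_url(addr, devicerecord):
    """Build the subinterfaces URL under the domain that owns the device."""
    domain_uuid, device_uuid = device_scope(devicerecord)
    return (f"https://{addr}/api/fmc_config/v1/domain/{domain_uuid}"
            f"/devices/devicerecords/{device_uuid}/subinterfaces")


def build_post(addr, token, devicerecord, subinterface):
    """Return keyword arguments for requests.post(); the body is encoded once."""
    return {
        "url": subinterface_url(addr, devicerecord),
        "headers": {"X-auth-access-token": token,
                    "Content-Type": "application/json"},
        "data": json.dumps(subinterface),
    }
```

Pass the result to `requests.post(**kwargs)`, leaving certificate verification on or pointing `verify` at the FMC's CA bundle.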