Solved: ISR4K IOSXE with Netconf / YANG

rkuschel · ‎06-14-2017

Hi,

I did run a ISR4321 with the latest IOSXE 16.5.1b and did enable Netconf as it is described in the DMI guide.

ISR4321 shows up that Netconf is running:

ISR4321#sh platform software yang-management process
confd            : Running
nesd             : Running
syncfd           : Running
ncsshd           : Running
dmiauthd         : Running
vtyserverutild   : Running
opdatamgrd       : Running
nginx            : Running
ndbmand          : Running

When I ssh to port 830 on the ISR4321 it shows all the capabilities.

But when I try to connect via NSO I will get the following:

admin@ncs(config-device-ISR4321)# connect
result false
info Device ISR4321 does not advertise any known YANG modules
admin@ncs(config-device-ISR4321)#

admin@ncs(config-cmap)# commit
Aborted: RPC error towards ISR4321: unknown_namespace: /rpc/edit-config/config

I did run the Netconf/YANG packages found under github and aswell the pioneer package.

Any tip ?

Ralf

Jan Lindblad · ‎06-14-2017

The first problem is to enable the right NETCONF implementation. The XE has two(!) implementations, and only one, the newer one, is .. useful. The XE config required to enable it is this:

netconf-yang
netconf ssh

crypto key generate rsa modulus 2048

Then, on the NSO side, you'll need to install a NED, a Network Element Driver that corresponds to the device. For NETCONF devices, you'll generally have to build your own NED. To do that you can use the pioneer package. See the pioneer package instructions for details, or contact me.

When you're done, you should see a package that is 'up' for your NETCONF device in the package list:

show packages package oper-status

At this point, NSO sync-from should work fine. At least you should not be seeing that message that NSO does not know any of the YANG modules advertised by the device.

View solution in original post

Jan Lindblad · ‎06-14-2017

The first problem is to enable the right NETCONF implementation. The XE has two(!) implementations, and only one, the newer one, is .. useful. The XE config required to enable it is this:

netconf-yang
netconf ssh

crypto key generate rsa modulus 2048

Then, on the NSO side, you'll need to install a NED, a Network Element Driver that corresponds to the device. For NETCONF devices, you'll generally have to build your own NED. To do that you can use the pioneer package. See the pioneer package instructions for details, or contact me.

When you're done, you should see a package that is 'up' for your NETCONF device in the package list:

show packages package oper-status

At this point, NSO sync-from should work fine. At least you should not be seeing that message that NSO does not know any of the YANG modules advertised by the device.

rkuschel · ‎06-14-2017

Hi Jan,

thanks for the info. How can I see which NETCONF implementation I using ? I did configure as well netconf-yang, netconf ssh.

I did run the pioneer package and operation status is up. But I am still getting :

admin@ncs# devices device ISR4321 connect

result true

info (admin) Connected to ISR4321 - 10.49.232.180:830

admin@ncs# devices device ISR4321 connect

result false

info Device ISR4321 does not advertise any known YANG modules

admin@ncs# devices device ISR4321 connect

result true

info (admin) Connected to ISR4321 - 10.49.232.180:830

admin@ncs#

I did reload the router as well. Not sure what is wrong.

Ralf

Jan Lindblad · ‎06-14-2017

That pioneer is up is nice, but the real question is: is your ISR NED package up or not? It seems to me that you haven't followed the instructions in the pioneer README.md file yet. Did you? If so, did you get all the way through so that your package is now shown in the show packages package oper-status -list?

Pioneer is a *tool* that helps you build a NETCONF NED for your device. If you can't get it to work, please send me the output of the show packages package oper-status by mail.

jafrazie · ‎06-14-2017

please see here for how to enable NETCONF on XE with 16.x:

Cisco DevNet: Standard Device Interfaces & Models - Docs

Net-net, all you should need is 'netconf-yang'.

Turn off "netconf ssh" (which yes, is the pre-YANG version).

Jan Lindblad · ‎06-14-2017

Thanks! Excellent that you're here jafrazie, so we have some authoritative voices!

rkuschel · ‎06-15-2017

Hi,

I did some further stuff

1. I did fetch/download the current yang models from my ISR4321 running IOSXE1651b

2. I try to build the package with ncs-make-package --netconf-ned ./ directory

I got lots of errors like:

yang/CISCO-TC.yang:2082:23: warning: illegal character after \

yang/Cisco-IOS-XE-aaa.yang:1862:61: warning: illegal character after \

yang/confd_dyncfg.yang:3086:50: warning: illegal character after \

yang/Cisco-IOS-XE-bgp.yang:1189: warning: The 'must' expression should have a tailf:dependency. If is doesn't, it will be checked for every commit.

I could fix those "\" warnings, but not the other ones.

I could not fix the other ones, any idea how to fix it ?

Ralf

Jan Lindblad · ‎06-15-2017

I can help if you show the exact error messages you see. The ones you show above are only warnings, so it wasn't any of them that prevented the build from succeeding. But maybe we should take that by mail, I'm not sure everybody on the Hub will be interested in watching us discuss each of the error messages. Maybe you can post a summary for the community at the end instead.