
Issues using Proxy NED settings for Jump Host

jason.belk
Level 1

I have been trying to get a simple jump host NSO scenario working. I am following these helpful posts:
https://community.cisco.com/t5/nso-developer-hub-discussions/how-to-connect-to-device-that-requires-jump-host/td-p/3437827

https://community.cisco.com/t5/nso-developer-hub-blogs/ned-operation-over-a-terminal-server/ba-p/3662102

but my device is not connecting still. Using trace raw I have the following output:

*** output 20-Feb-2019::22:04:54.111 ***
-- NCS VERSION: 6070000
-- NED VERSION: cisco-ios 5.2.7 2017-06-08
-- connect-timeout 20000 read-timeout 20000 write-timeout 20000
-- NED-SETTINGS: (* = modified)
-- device-profile = cisco-ios
-- cisco-ios-log-verbose = false
-- cisco-ios-auto/interface-switchport-status = false
-- cisco-ios-inject-interface-config globstat-sp if "Ethernet|Port-channel" cfg "no switchport"
-- cisco-ios-auto/vrf-forwarding-restore = true
-- cisco-ios-auto/ip-vrf-rd-restore = true
-- cisco-ios-auto/ip-community-list-repopulate = false
-- cisco-ios-write-memory-method = write memory
-- cisco-ios-write-memory-setting = on-commit
-- cisco-ios-transaction-id-method = config-hash
-- cisco-ios-show-running-method = show running-config
-- cisco-ios-api/new-ip-access-list = false
-- cisco-ios-cached-show-enable/version = true
-- cisco-ios-cached-show-enable/inventory = false
-- cisco-ios-use-ip-mroute-cache-distributed = false
-- cisco-ios-police-format = auto
-- cisco-ios-proxy-settings/remote-connection = ssh*
-- cisco-ios-proxy-settings/proxy-prompt = .*$*
-- cisco-ios/connection-settings/prompt-timeout = 5*
-- cisco-ios/connection-settings/send-login-newline = false
-- cisco-ios/connection-settings/device-output-delay = 0
-- cisco-ios/behaviour/config-output-max-retries = 90
--
<< 20-Feb-2019::22:04:54.145 SET_TIMEOUT
-- SSH connecting to host: 54.200.0.15:22 --
-- SSH initializing session --
-- SSH logged in
-- PROXY connecting using: ssh
-- cisco-ios-proxy-settings/remote-name = USER*
-- cisco-ios-proxy-settings/remote-password = PASS*
-- cisco-ios-proxy-settings/remote-address = 34.214.231.109*
-- cisco-ios-proxy-settings/remote-port = 22*
-- Waiting for proxy prompt '.*$'

*** input 20-Feb-2019::22:04:56.027 ***


*** output 20-Feb-2019::22:04:56.027 ***
ssh -p 22 ntc@34.214.231.109
-- Waiting for input from device

*** input 20-Feb-2019::22:04:56.027 ***


*** output 20-Feb-2019::22:04:56.028 ***
-- Got proxy prompt ''
-- PROXY connected
terminal length 0

*** input 20-Feb-2019::22:04:56.113 ***
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-59-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

426 packages can be updated.
275 updates are security updates.

New release '18.04.2 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Thu Feb 21 01:01:10 2019 from 73.223.88.14

ssh -p 22 ntc@34.214.231.109
terminal length 0

ntc@ntc:~$ ssh -p 22 ntc@34.214.231.109
<< 20-Feb-2019::22:05:17.008 ERROR: Failed to connect to device proxy_csr1: connection refused: ned_external_error read timeout

I have the following running config for the test device:

admin@ncs# show running-config devices device proxy_csr1
devices device proxy_csr1
 address 54.200.0.15
 ssh host-key ssh-rsa
  key-data "ABC123"
 !
 authgroup ntc
 device-type cli ned-id cisco-ios
 device-type cli protocol ssh
 trace raw
 ned-settings cisco-ios connection-settings prompt-timeout 5
 ned-settings cisco-ios-proxy-settings remote-connection ssh
 ned-settings cisco-ios-proxy-settings remote-address 34.214.231.109
 ned-settings cisco-ios-proxy-settings remote-port 22
 ned-settings cisco-ios-proxy-settings proxy-prompt .*$
 ned-settings cisco-ios-proxy-settings remote-prompt .*#
 ned-settings cisco-ios-proxy-settings remote-name USER
 ned-settings cisco-ios-proxy-settings remote-password PASS
 ned-settings cisco-ios-proxy-settings remote-secondary-password PASS
 state admin-state unlocked


mawitmer
Cisco Employee

Thanks for this input. Just for the overall completeness of this topic, please find below my implementation for NED proxy settings using a Jump Host with SSH public key authentication:

Define authgroup for Jump Host

devices authgroups group jump umap admin public-key private-key file name <key file>
remote-name <Jump Host User>

Define authgroup for Device Host

devices authgroups group default umap admin remote-name <device user> remote-password <device password>

Device config

devices device <MY-ROUTER> address 10.92.183.104 port 22        <-- Proxy IP & Port
authgroup jump <-- Proxy Authgroup with SSH PubKey
device-type cli ned-id cisco-iosxr-cli-7.33 protocol ssh
connect-timeout 60 read-timeout 120 write-timeout 120
state admin-state unlocked
ned-settings cisco-iosxr proxy remote-connection ssh <-- Device protocol
ned-settings cisco-iosxr proxy proxy-prompt .$ <-- Device Prompt
ned-settings cisco-iosxr proxy remote-address 1.1.1.1 <-- Device IP
ned-settings cisco-iosxr proxy remote-port 22 <-- Device port
ned-settings cisco-iosxr proxy authgroup default <-- Device Authgroup
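
Added example (not from either post, and not NSO or NED code): a Python replay of the jump-host output in the trace, showing at which point each proxy-prompt pattern on this page first matches; the trace's `Got proxy prompt ''` line is consistent with `.*$` matching an empty buffer. The chunk boundaries, the search-style matching, Python's regex engine standing in for the NED's, and the stricter `STRICT_PROMPT` pattern are assumptions for illustration.

```python
import re

# Constructed replay of the jump-host session from the trace: each entry is
# what arrives between two polls of the receive buffer (boundaries assumed).
CHUNKS = [
    "",  # right after SSH login, nothing received yet
    "Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-59-generic x86_64)\n",
    "Last login: Thu Feb 21 01:01:10 2019 from 73.223.88.14\n",
    "ntc@ntc:~$ ",  # the shell prompt of the jump host
]

QUESTION_PROMPT = r".*$"  # proxy-prompt from the question
REPLY_PROMPT = r".$"      # proxy-prompt from the reply
# Hypothetical stricter pattern: user@host:path followed by "$ " or "# ".
STRICT_PROMPT = r"[\w.-]+@[\w.-]+:\S*[$#] $"


def first_match(pattern, chunks=CHUNKS):
    """Return (poll_index, matched_text) for the first poll at which the
    pattern is found in the accumulated buffer, or None if it never is.
    Assumption: the prompt is searched for in the buffer, not full-matched."""
    rx = re.compile(pattern)
    buf = ""
    for i, chunk in enumerate(chunks):
        buf += chunk
        m = rx.search(buf)
        if m:
            return i, m.group(0)
    return None


def audit_prompt(pattern, chunks=CHUNKS):
    """Classify a prompt regex by when it fires during the replay."""
    hit = first_match(pattern, chunks)
    if hit is None:
        return "never matches"
    if hit[0] == 0:
        return "matches before any output"
    if hit[0] < len(chunks) - 1:
        return "matches on banner text"
    return "waits for shell prompt"


if __name__ == "__main__":
    for name in ("QUESTION_PROMPT", "REPLY_PROMPT", "STRICT_PROMPT"):
        pat = globals()[name]
        print(f"{name:16} {pat!r:32} {audit_prompt(pat)} {first_match(pat)}")
```

A pattern that fires before the shell prompt arrives means the next command is written while the jump host is still printing its banner, which matches the order of lines in the trace.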