02-18-2024 10:56 AM
Hi,
I have a strange issue and I cannot figure out what was wrong.
I have a netconf device but when I do sync-from I got error:
admin@ncs> request devices device zrdm60gcsmf01 sync-from
result false
info Failed to connect to device zrdm60gcsmf01: Protocol error
[ok][2024-02-18 13:33:20]
admin@ncs> exit
and the trace log size is 0:
-rw-rw-r--. 1 sm000x sm000x 0 Feb 18 13:33 netconf-zrdm60gcsmf01.trace
However, I am able to use
ssh -s sm000x@zrdm60gcsmf01-ip-addess -p 22 netconf
to invoke the netconf (Although it takes longer than usual time)
The device type is netconf:
admin@ncs> show configuration devices device zrdm60gcsmf01
address x.x.x.x;
port 22;
authgroup SMF;
device-type {
netconf {
ned-id smf-nc-1.0;
}
}
state {
admin-state unlocked;
}
I am able to do sync-from to other device with the same authgroup and ned-id:
dmin@ncs> request devices device z68bcsmf01 sync-from
result true
[ok][2024-02-18 13:49:42]
admin@ncs> show configuration devices device z68bcsmf01
address x.x.x.x;
port 22;
authgroup SMF;
device-type {
netconf {
ned-id smf-nc-1.0;
}
}
state {
admin-state unlocked;
}
Does anyone have same expierence?
What does "Protocol error" mean?
THX
sm000x
02-19-2024 10:55 AM
One of the reasons could be that SSH RSA algorithm on the device is not included to the NSO global settings. Hence the communication with the device fails. You can check the algorithm used by your device in the ~/.ssh/known_hosts file. In NSO check the global setting like this:
admin@ncs> show configuration devices global-settings ssh-algorithms public-key
public-key [ ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 rsa-sha2-512 rsa-sha2-256 ssh-rsa ssh-dss ];
Make sure the algorithm is listed. If not, modify the global settings by adding the missing algorithm.
02-20-2024 05:38 AM
02-20-2024 07:42 AM
Hi,
One possible reason can be that the device SSH server has keyboard-interactive authentication enabled, tries keyboard-interactive authentication before trying public-key authentication, and behaves non-standard for the keyboard-interactive authentication.
The OpenSSH client may timeout the keyboard-interactive authentication and try the next authentication method, public-key authentication, while the NSO SSH client reports a protocol error.
If the keyboard-interactive authentication type is enabled for the device SSH server, try disabling it.
Also, try adding a "-v" or "-vv" when testing with the OpenSSH "ssh" client to debug why the device "takes longer than usual" to invoke NETCONF.
Regards
02-20-2024 08:59 AM - edited 02-20-2024 09:00 AM
It is great that 'ssh fetch-host-keys' worked! That shows SSH communication is working. Some netconf devices require to do 'connect' before the 'sync-from'. I have seen this behavior while working on device-onboarding package. Please try this before going into further investigations.
02-20-2024 09:29 AM
02-21-2024 12:41 AM
@ygorelik wrote:
It is great that 'ssh fetch-host-keys' worked! That shows SSH communication is working.
The SSH authentication is likely failing as I wrote above. @sm000x, have you ready my post?
02-21-2024 05:55 AM
02-21-2024 09:15 AM - edited 02-21-2024 09:25 AM
Hi @sm000x,
You cut out the interesting part. What comes after "debug1: Next authentication method: keyboard-interactive\n Password:" is likely what is breaking the standard (RFC 4256)
The OpenSSH client is an open-source project that tolerates non-compliant messages and waits until the expected message is eventually received. NSO expects a compliant message, and the protocol error occurs when a non-compliant message is received.
If the device is from vendor H, you can log in to the SSH server CLI and run the undo SSH server authentication-type keyboard-interactive enable command to disable "keyboard-interactive" authentication.
Since you do not use "publickey" authentication, you likely need to enable "password" authentication on the device.
02-21-2024 09:24 AM
02-21-2024 09:39 AM
Hi @sm000x,
@sm000x wrote:
Sorry that I cut out the important part, here is the post again.
[sm000x@mtnjdslncs06 ~]$ ssh -vv [email protected]
You are showing the debug info for when you are connecting to a CLI? You cannot connect to a CLI using a NETCONF NED.
I was expecting the OpenSSH client debug output when connecting to the NETCONF subsystem. Something like:
ssh -vv -s [email protected] netconf
02-21-2024 09:47 AM
02-21-2024 10:10 AM - edited 02-21-2024 10:12 AM
The "authgroup SMF" configuration in NSO, is that authgroup configured to use public-key authentication or password authentication?
In NSO:
admin@ncs> show configuration devices authgroups group SMF
02-21-2024 10:39 AM
02-21-2024 10:16 PM
It is likely the banner that follows the password that is the cause of the protocol error. It seems like OpenSSH ignores the non-standard messages until the expected packet/message is received, but NSO follows the standard strictly and does not expect it.
You are in Privilege Class (FULLACCESS)
Also, it does not make sense to have a banner for a machine-to-machine interface like NETCONF. For a human-to-machine CLI interface, yes.
If you set verbosity three, "ssh -vvv -s [email protected] -p 22 netconf", you will likely see something like:
Password:
debug3: send packet: type 61
debug3: receive packet: type 53
debug3: input_userauth_banner
You are in Privilege Class (FULLACCESS)
Where the NSO NETCONF over SSH client implementation does not expect a type 53 input_user_auth packet with a "You are in Privilege Class (FULLACCESS)" banner instead of a type 52 authentication succeeded.
I believe your options with this device are, for example:
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide