NSO connection error - ned_external_error ned_connect_cli

I'm using NSO version 5.3 and trying to connect to 4 XRs (R1-4) and 1 IOS-XE (R5) - I can't change the version of the IOS-XRs or NSO.

When I try to fetch the host keys it works:

 

 

admin@ncs# devices fetch-ssh-host-keys
fetch-result {
    device R1
    result unchanged
    fingerprint {
        algorithm ssh-rsa
        value 06:eb:5a:c0:3c:66:26:eb:db:83:dc:c4:7c:cf:12:99
    }
}
fetch-result {
    device R2
    result unchanged
    fingerprint {
        algorithm ssh-rsa
        value 1f:02:53:b7:e6:25:f4:56:d8:b8:31:b2:94:96:8a:17
    }
    fingerprint {
        algorithm ssh-dss
        value 87:0b:75:2c:01:97:af:b5:4d:3f:5b:62:64:f4:a6:c0
    }
}
fetch-result {
    device R3
    result unchanged
    fingerprint {
        algorithm ssh-rsa
        value 16:97:30:c9:e4:f1:04:71:3c:5e:55:9f:c9:f6:a4:ce
    }
}
fetch-result {
    device R4
    result unchanged
    fingerprint {
        algorithm ssh-rsa
        value 41:fc:cf:00:fd:fa:8a:d8:f3:3e:65:af:34:e5:cd:22
    }
}
fetch-result {
    device R5
    result unchanged
    fingerprint {
        algorithm ssh-rsa
        value 04:9f:2c:ea:25:a7:ab:c4:f2:ba:5a:9e:9b:f5:29:b0
    }
}
admin@ncs#

 

 

But when I try to sync I get this:

 

 

admin@ncs# devices sync-from
sync-result {
    device R1
    result false
    info Failed to connect to device R1: connection refused: ned_external_error ned_connect_cli: unknown device
}
sync-result {
    device R2
    result false
    info Failed to connect to device R2: connection refused: ned_external_error ned_connect_cli: unknown device
}
sync-result {
    device R3
    result false
    info Failed to connect to device R3: connection refused: ned_external_error ned_connect_cli: unknown device
}
sync-result {
    device R4
    result false
    info Failed to connect to device R4: connection refused: ned_external_error ned_connect_cli: unknown device
}
sync-result {
    device R5
    result true
}
admin@ncs#

 

 

The IOS-XE works. But on the XR devices I see the following:

 

 

RP/0/RP0/CPU0:Jun 24 17:15:30.508 UTC: SSHD_[67327]: %SECURITY-SSHD-3-ERR_GENERAL : Error in receiving key exchange packet
RP/0/RP0/CPU0:Jun 24 17:15:31.652 UTC: SSHD_[67338]: %SECURITY-SSHD-3-ERR_GENERAL : Error in receiving key exchange packet
RP/0/RP0/CPU0:Jun 24 17:15:32.750 UTC: SSHD_[67349]: %SECURITY-SSHD-3-ERR_GENERAL : Error in receiving key exchange packet

 

 

I believe it to be a problem with the RSA keys and this has led me to this link:
https://community.cisco.com/t5/nso-developer-hub-discussions/nso-5-6-3-failed-to-connect-authenticate-to-device/td-p/4522555

Which states that ssh-rsa was dropped as a default protocol in version 5.6. But I'm running 5.3. The suggested fix is to change the supported protocols. You can check the current versions using:

show running-config devices global-settings ssh-algorithms 

But my NSO doesn't have that option:

 

 

admin@ncs# show running-config devices global-settings ?
Description: Global settings for all managed devices.
Possible completions:
  commit-queue                 - Control settings for the commit queue
  commit-retries               - Retry commits on transient errors
  connect-retries              - Retry connect on transient errors
  connect-timeout              - Timeout in seconds for new connections
  ned-keep-alive               - Controls NED keep alive settings
  ned-settings                 - Control which device capabilities NCS uses
  no-lsa                       - Do not handle any of the LSA nodes as such.
  no-overwrite                 - Control settings for no-overwrite sync check
  no-wait-for-lock             - The action can't be performed while the device is being committed to (or waiting in the commit queue).
  out-of-sync-commit-behaviour - Specifies the behaviour of a commit operation involving a device that is out of sync with NCS.
  read-timeout                 - Timeout in seconds used when reading data
  report-multiple-errors       - By default, when the NCS device manager commits data southbound and when there are errors, we only report the first error to the operator, this flag makes NCS report all errors reported by managed devices
  session-pool                 - Control how sessions to related devices can be pooled.
  ssh-keep-alive               - Controls SSH keep alive settings
  trace                        - Trace the southbound communication to devices
  trace-dir                    - The directory where trace files are stored
  trace-output                 - Trace data output mode.
  use-lsa                      - Handle the LSA nodes as such.
  wait-for-lock                - The action can't be performed while the device is being committed to (or waiting in the commit queue).
  write-timeout                - Timeout in seconds used when writing data
  |                            - Output modifiers
  <cr>                         -
admin@ncs# show running-config devices global-settings

 

 

I can ssh to all my devices from the NSO server. Can anyone advise how to fix this?
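
The two outputs in the post can be compared mechanically. The following is an added example, not part of the original post and not NSO code: it parses the `fetch-result` and `sync-result` blocks and groups the stored host-key algorithms by sync outcome. The function names and the cut-down sample are assumptions made for illustration.

```python
# Constructed sample: the post's two outputs cut down to one failing XR (R1)
# and the working IOS-XE (R5); fingerprint values omitted.
SAMPLE = """\
fetch-result {
    device R1
    result unchanged
    fingerprint {
        algorithm ssh-rsa
    }
}
fetch-result {
    device R5
    result unchanged
    fingerprint {
        algorithm ssh-rsa
    }
}
sync-result {
    device R1
    result false
    info Failed to connect to device R1: connection refused: ned_external_error ned_connect_cli: unknown device
}
sync-result {
    device R5
    result true
}
"""

def parse_results(text):
    """Merge fetch-result and sync-result blocks into one record per device."""
    devices, block, cur = {}, None, None
    for raw in text.splitlines():
        key, _, val = raw.strip().partition(" ")
        if key in ("fetch-result", "sync-result"):
            block, cur = key, None          # new block: wait for its device line
        elif key == "device":
            cur = devices.setdefault(val, {"algorithms": []})
        elif cur is not None and key in ("result", "info"):
            cur[f"{block}:{key}"] = val     # e.g. "sync-result:result" -> "false"
        elif cur is not None and key == "algorithm":
            cur["algorithms"].append(val)
    return devices

def host_key_algos_by_outcome(devices):
    """Host-key algorithms seen on devices whose sync failed vs. succeeded."""
    out = {"false": set(), "true": set()}
    for rec in devices.values():
        out.get(rec.get("sync-result:result"), set()).update(rec["algorithms"])
    return out
```

On the sample, `ssh-rsa` appears under both outcomes, so the host-key type alone does not separate the failing XR device from the working IOS-XE device.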

 

1 Reply

florensk
Cisco Employee

Hi, 

Based on the input it's difficult to say if this is only related to SSH. I would recommend that you open a case with TAC to get support from our engineers. 

Kind regards
Frida