
NSO 4.4.1 Release Announcement


NSO 4.4.1 is now available.

Customers can download the new version from Download Software - Cisco Systems.

The release is available from the Software Jive Sub-space if you are an NSO ATP partner.

Customers are recommended to upgrade to the latest NSO release at least annually, in order to take advantage of the latest features, and to remain on a supported version, as well as benefiting from the latest security updates.

The End-of-Life (EOL) policy is available at Cisco NSO EOL notifications are at

This release includes the following changes:

NSO-4.4.1 [April 26, 2017]



   - Web UI: Deprecated the NSO status view

     (Issue tracker: #25907)

Non-backwards compatible enhancements:

   - ncs: Non-backwards compatible correction:

     Web Server: Cipher suites using RC4 are no longer supported for the

     SSL/TLS server, since this algorithm is not considered secure.


   - ncs: NSO is now integrated with Cisco Smart Licensing.

   - ncs: The Nano Services experimental feature has been introduced as a

     new way of executing/controlling Reactive FASTMAP services.

     See the Nano Services chapter in the Development Guide for more

     information on this.

   - ncs: The speed of the sync-from operation for CLI NEDs has been

     improved. Improvements are mainly for large configurations and have been

     measured to range from reducing the execution time by half to a fourth

     but the improvement varies greatly between different NEDs and


   - ncs: It is now possible to write directly into target transaction in

     CLI NED's show() callback in addition to returning the commands via

     worker.showCliResponse() call. The transaction ID can be accessed with


   - ncs: When committing through the commit-queue on the top-node in an LSA

     cluster, this will now propagate to commit-queue commits on the

     lsa-nodes as well. This implies that top-node commit-queue queue-item

     will not finish before all related lsa-node commit-queue items have also


   - ncs: A new device is now copied to the snapshot database when

     /ncs-config/cdb/snapshot/pre-populate = true.

   - ncs: Implemented 'partial-sync-from' action, which allows synchronizing

     parts of the device's configuration by pulling from the network.

     (Issue tracker: #27878)

   - CLI: The yang extension tailf:default-ref has been ported to NSO. It is

     currently limited to relative paths and absolute paths will be ignored.

   - CLI: The southbound interfaces of the CLI are now started already in

     phase1. The northbound interfaces start in phase2 as before.

     (Issue tracker: #26023)

   - CLI: Increased performance during user interaction with the CLI.

     (Issue tracker: #27069)

   - Python API: Removed the undocumented limitation of only supporting

     implementation of validation callbacks in one Daemon per Python VM

     (Issue tracker: #26451)

   - Smart Licensing: An internal notification kicker that keeps track of

     licensing entitlements sent from sub components, such as ESC, was

     added. NSO aggregates the licensing entitlements and reports to the

     Cisco smart licensing cloud.


   - ncs: Previously, set-hooks weren't invoked for uncommitted nodes if

     they were deleted as a result of parent node deletion. Deleting the

     node with the set-hook explicitly invoked the set-hook. The behaviour

     is now consistent; regardless of why the node is deleted, set-hooks are


     (Issue tracker: #25655, #26971)

   - ncs: Trying to create a mandatory empty leaf with

     tailf:cli-hide-in-submode would result in an error. This has been


     (Issue tracker: #25759, #681387776)

   - ncs: If a data model had a symlink to a node that was augmented by

     another model, the augmented nodes would in some cases not appear under

     the symlink.  This bug has been fixed.

     (Issue tracker: #26689)

   - ncs: An un-escaped caret (`^`) was incorrectly treated as negation in a

     regular expression "character group" also when it was not the first

     character in the group. This has been fixed.

     (Issue tracker: #26949)

   - ncs: Previously NSO would get an internal error when trying to display

     the /devices/device-module list without read access to do so.

     (Issue tracker: #27059)

   - ncs: If an rpc or action was implemented via tailf:exec, and the input

     had a leaf augmented from another module into a 'choice', followed by

     non-augmented nodes, the invocation of the executable would fail. This

     has been fixed.

     (Issue tracker: #27138)

   - ncs: When redeploying a package the Python code (if any) contained in

     that package was not updated. This has been fixed.

     (Issue tracker: #27144)

   - ncs: When applying a 'device template', i.e. the apply-template action

     on a device, from a service, the backpointers and ref-counters were not

     updated properly. This has been fixed.

   - ncs: Previously paths passed to the showPartial call in the CLI NED

     ignored leafs with hide-in-submode annotation. This has now been fixed.

   - ncs: If a YANG union (other than inet:ip-address) had both

     inet:ipv4-address and inet:ipv6-address member types, in that order,

     IPv6 addresses would be displayed with uppercase A-F instead of a-f.

     This has been fixed.

     (Issue tracker: #27718)

   - ncs: Previously commit queue blocked alarm was not cleared when a

     device reconnected or failed to reconnect. This has now been fixed.

     (Issue tracker: #27724)

   - ncs: Previously NSO could not read leaf-lists correctly in NETCONF

     notifications. This has now been fixed.

   - ncs: The YANG extension tailf:ned-ignore-compare-config excludes these

     model elements from comparison in e.g. /devices/device compare-config.

     This will also be excluded in device data comparison in a commit


   - ncs: out-of-sync-behaviour = accept did not always suppress

     get-trans-id on the NED. This has been fixed.

   - C-API: String <-> value conversion for the type inet:ipv6-prefix could

     fail incorrectly in the C and Python APIs if the prefix length was not

     a multiple of 4. This has been fixed.

     (Issue tracker: #27184)

   - CLI: There is inconsistent behavior when it comes to the tailf:info

     string with backslash. Display of '\\n' is rendered as '\n' or

     'n' in different possible completions in the CLI output. This has now

     been fixed by rendering them all to '\n'. So in order to display one

     backslash character in the tailf:info output, it needs to be defined as either

     '\\' (single quoted string) or "\\\\" (double quoted

     string) for the tailf:info in the yang file.

     (Issue tracker: #12142)

   - CLI: Creating a list instance containing a unique statement referring

     to one of the keys, would in some cases not be reflected when

     displaying the C-style configuration diff (i.e. 'commit dry-run

     outformat native'). This has been fixed.

     (Issue tracker: #24811)

   - CLI: Command "show running-config | extended" returns internal error.

     This has now been fixed.

     (Issue tracker: #26688)

   - CLI: When NSO sync-from a NED device which has unmodeled config that

     CLI fails to parse, the resulting syntax error entries are shown as

     info in the trace log.

   - CLI: Enforce "repeat" command to always suppress pagination.

     (Issue tracker: #27047)

   - CLI: Validation of leaf_list data nodes in the CLI has been added when

     processing parameters to actions.

     (Issue tracker: #27182)

   - CLI: Backslash character is always ignored in tailf:info output. This

     has now been fixed. So in order to display one backslash character in

     the tailf:info output, it needs to be defined as either '\\' (single

     quoted string) or "\\\\" (double quoted string) for the

     tailf:info in the yang file.

     (Issue tracker: #27301)

   - CLI: The combination of using the extensions

     tailf:cli-sequence-commands and tailf:cli-incomplete-no would break the

     functionality of tailf:cli-incomplete-no extension. This has now been


     (Issue tracker: #27311)

   - CLI: TAB completion on enum with tailf:info terminates CLI connection

     abnormally. This has now been fixed.

     (Issue tracker: #27725)

   - Documentation: Support for the following browsers is deprecated:

     Safari older than 10.0

     Internet Explorer older than 11

     Firefox older than 45

     Chrome 50 and older

   - JSON-RPC: The method 'get_schema' couldn't handle a node with multiple

     when statements (through tailf:annotate). This has been fixed.

     (Issue tracker: #27518)

   - NETCONF: A leaf of type empty augmented from another module into the

     'input' of an rpc caused a northbound NETCONF session to terminate, and

     the same for an action was delivered to the callback as an empty

     container (i.e. with begin/end tags). These bugs have been fixed.

     (Issue tracker: #27057, #27068)

   - NETCONF: Invocation of an rpc or action where 'input' had a 'choice'

     child, and the first 'case' of that 'choice' was another 'choice',

     caused a northbound NETCONF session to terminate. This has been fixed.

     (Issue tracker: #27058)

   - Python API: The implementation of events.NOTIF_COMMIT_DIFF was broken.

     It was impossible to use the contained tctx to attach to the current

     transaction. This has been fixed.

     (Issue tracker: #26992)

   - Python API: When an action- or service-callback timed out the

     connection to NSO was lost and the only way to restore the connection

     was to reload the affected package. This has been fixed, so now the

     Python-APIs data provider implementation automatically reconnects to


     (Issue tracker: #27012)

   - Python API: When enabling IPC access check in ncs.conf, packages written

     in Python didn't work. This has been fixed.

     (Issue tracker: #27279)

   - Python API: When a python service is changed or re-deployed the back

     pointer and reference counter were lost. This has now been corrected.

     To correct this for already instantiated python services do:

     request /path-to-python-service * re-deploy

     If the '*' is not accepted as input the service YANG file needs to be

     updated by importing the tailf-common module:

     import tailf-common {
       prefix tailf;
     }

     and add the tailf:cli-allow-range annotation to the key leaf node of

     the service.

   - Python API: Some of Maagic's components failed to check for an existing

     MAAPI backend when used as input and output parameters for an Action.

     In some cases this led to a raised Exception. This has been fixed.

   - Python API: Running NSO with a Python package using Python 3 failed

     with "AttributeError: module '_ncs' has no attribute

     'internal_connect'". This has been fixed.

   - REST API: REST Query API fetch-query-result calls no longer time out after

     five seconds; instead they adhere to the default timeout of 600

     seconds (10 minutes). Added timeout parameter to start-query and

     reset-query enabling a custom timeout.

     (Issue tracker: #26893)

   - REST API: An empty rollback file caused the REST(CONF) API to stop

     working. This has been fixed.

     (Issue tracker: #27520)

   - RESTCONF: If an action error response is customized by using

     confd_action_seterr_extended(), the error is now propagated by

     RESTCONF. Previously RESTCONF always responded with a HTTP 400 and

     error-tag "operation-failed".

     (Issue tracker: #27860, #27917)

   - RESTCONF: In some cases RESTCONF erroneously used the media types

     text/xml and text/json. They have been replaced with the correct

     application/yang-data+xml and application/yang-data+json respectively.

   - Smart Licensing: When a 'packages reload' was issued, smart licensing

     failed to report NED packages correctly. This has been fixed.

     (Issue tracker: #24559)

   - SNMP Agent: When compiling yang modules augmenting other yang modules,

     the effective snmp-mib-module-name of any augment node was

     unconditionally inherited from the augment target node. This led to

     MIB modules with no objects corresponding to the augment nodes, if the

     resulting fxs file was used with ncsc --emit-mib. This has been fixed,

     so that snmp-mib-module-name is only inherited if the current module

     doesn't have a snmp-mib-module-name statement.

     (Issue tracker: #25677)

   - Toolchain: When there was a chain of identities defined in a YANG

     module like a <- b <- c, the ncsc would sometimes not accept all

     derived identities in the "default" statement.  This bug has been


   - Web UI: The list of supported browsers now only exists in the installation


   - Web UI: Lists on root level now work correctly.

     (Issue tracker: #26063, #26546)

   - Web UI: Leafref widgets now filter items by regex.

     (Issue tracker: #26710)

   - Web UI: The leaf-list widget now handles special characters correctly.

     (Issue tracker: #27094)

NSO- [April 26, 2017]



   - cluster: When-expressions in remote devices have been incorrectly

     evaluated on service node in cluster. This has been fixed.

     (Issue tracker: #27947)

   - ncs: When using 'commit no-overwrite' to commit a transaction towards a

     NETCONF device (or an lsa node), and that transaction contained changes

     to multiple list instances - the filter used to fetch the modified list

     instances would not be correctly built - resulting in an RPC error when

     trying to commit. This has been fixed.

     (Issue tracker: #27881)

   - Smart licensing: The Smart licensing high availability adaption could

     cause node crashes due to out of memory when switching a node from slave

     to master. This has been fixed.

     (Issue tracker: #27799)

NSO- [April 25, 2017]



   - CLI: Un-deploying a service would in some cases cause the CLI to hang until

     the host ran out of memory. This has been fixed.

     (Issue tracker: #27711)

   - ncs: Previously un-deploy dry-run did not actually show what the un-deploy

     action would do but rather behaved like 'get-modifications reverse'. This has now

     been fixed.

     (Issue tracker: #27745)