03-04-2025 05:27 PM
All, I am running into a few problems with NETCONF on Cat9k platforms. I'm trying to add these into DNAC, but when I enable netconf-yang, I am seeing the following:
Mar 5 01:16:42.051: yang-infra: ERROR: Failed to create a trustpoint usable for NETCONF
I've seen this on a handful of Cat9ks running 17.12.4. What I do not know is whether these are reused from a closed site or not. But up until recently I have not had any problems with NETCONF or any trustpoint problems like the above.
I have tried searching for any info on this message and where it might lead, but I'm not finding anything. Has anyone seen this? Will a reboot remedy this? Is there anything I need to clean up as far as certs or trustpoints?
I have already zeroized and re-created the SSH key. I have also cleaned up some bad assurance config and the IWAN trustpoint. I suspect what people are doing is just an indiscriminate copy of an existing config and putting it into new switches.
Anyhow, if anyone has any advice on how to address this message and get NETCONF usable by DNAC, I sure would appreciate it.
03-04-2025 10:55 PM
Hello @cmarva
The error message you are encountering, yang-infra: ERROR: Failed to create a trustpoint usable for NETCONF, indicates an issue with the trustpoint configuration required for NETCONF to function properly on the Catalyst 9K platform. This is a common issue when configurations are copied indiscriminately between devices, especially if certificates or trustpoints are reused improperly.
Here are some steps to troubleshoot and resolve the issue:
The most likely cause of the issue is a misconfigured or invalid trustpoint. Cleaning up the trustpoints and certificates, recreating the trustpoint for NETCONF, and ensuring the configuration is correct should resolve the issue. If the problem persists, a reboot may help, but it is better to address the root cause first.
If you continue to encounter issues, consider opening a TAC case with Cisco for further assistance.
PS: Hope you know the commands to perform above checks. Let me know if you need specific commands to check.
Hope This Helps!!!
AshSe
03-05-2025 05:00 AM
AshSe,
Thanks for the advice. Actually, I stayed up way too late last night, but I think I got things figured out. Spot on about the trustpoints. I finally stumbled onto a config doc that mentioned this and how to update it. The two commands of relevance are:
crypto pki trustpool import clean
crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b
So after cleaning up some remnants from a bad initial config, I disabled netconf-yang, then issued these two commands. I had term mon enabled so I could see the output, and this looked good. After a wr mem, I restarted netconf-yang and everything seemed to be back to normal. I was able to have DNAC discovery be successful.
I was suspecting that it was something with the trustpoint, and once I found the magic commands it was smooth sailing. So I'm good with everything now, and this is filed in my notebook in case I see this condition again.
Thanks again for the advice. I had already been through a lot of your suggestions and just needed to dig a little more.
chris
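For anyone filing the same fix: the session below is an added, consolidated example of the procedure chris describes, with the before/after checks a practitioner would want around it. It is not text from either poster. Only the two trustpool commands come from the thread; the hostname SW1, the optional source-interface line, and the comments are assumptions, and the output is not shown because it differs per device.

```cisco
! Added example (not from the thread): rebuild the trustpool on a Cat9k
! running IOS-XE 17.12.x so netconf-yang can create its trustpoint.
! Hostname "SW1" is assumed.

! 1. Record the current state so you can tell what the import changed.
SW1# show crypto pki trustpool
SW1# show crypto pki trustpoints
SW1# show netconf-yang status

! 2. Stop NETCONF before touching PKI so yang-infra is not mid-setup.
SW1# configure terminal
SW1(config)# no netconf-yang
! Optional (assumption): if the switch reaches the internet only from a
! specific interface, point the HTTP client at it before the import.
! SW1(config)# ip http client source-interface Loopback0
SW1(config)# end

! 3. The two commands from the thread: wipe the trustpool, then reload
!    Cisco's core CA bundle. The fetch is plain HTTP, so the device needs
!    working DNS and outbound reachability to www.cisco.com.
SW1# crypto pki trustpool import clean
SW1# crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b

! 4. Confirm the CAs actually loaded before saving anything.
SW1# show crypto pki trustpool

! 5. Save, re-enable NETCONF, and verify no new yang-infra trustpoint error.
SW1# write memory
SW1# configure terminal
SW1(config)# netconf-yang
SW1(config)# end
SW1# show netconf-yang status
SW1# show logging | include yang-infra
```

Run step 1 with term mon enabled, as chris did, so the import's own messages are visible; if step 4 shows an empty trustpool, the download failed (usually DNS or a blocked outbound HTTP path) and re-enabling netconf-yang will just reproduce the error.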