Tags: openssl, cisco, ietf-restconf

How to connect to cisco CSR1000 restconf


I am learning RESTCONF on a Cisco CSR1000v router in the GNS3 emulator. I am trying to authenticate with the router using the command below:

curl -k https://192.168.1.102/restconf/ -u "admin:admin" -v

But the connection is being refused, giving the error below.

*   Trying 192.168.1.102...
* TCP_NODELAY set
* Connected to 192.168.1.102 (192.168.1.102) port 443 (#0)
* schannel: SSL/TLS connection with 192.168.1.102 port 443 (step 1/3)
* schannel: disabled server certificate revocation checks
* schannel: verifyhost setting prevents Schannel from comparing the supplied target name with the subject names in server certificates.
* schannel: using IP address, SNI is not supported by OS.
* schannel: sending initial handshake data: sending 153 bytes...
* schannel: sent initial handshake data: sent 153 bytes
* schannel: SSL/TLS connection with 192.168.1.102 port 443 (step 2/3)
* schannel: encrypted data got 7
* schannel: encrypted data buffer: offset 7 length 4096
* schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
* Closing connection 0
* schannel: shutting down SSL/TLS connection with 192.168.1.102 port 443
* schannel: clear security context handle
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.

I also tried to connect using Postman, but the same happens.


CISCO SWITCH CONFIG.

Current configuration : 1429 bytes
!
! Last configuration change at 13:25:36 UTC Sat Mar 20 2021
!
version 16.7
service config
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform console serial
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
license udi pid CSR1000V sn 9EU20Y6MD61
no license smart enable
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
restconf
!
username admin privilege 15 secret 5 $1$ZEPO$AMcwXSrAjBucZrOjRAenN1
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet1
 ip address 192.168.1.102 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet2
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet3
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet4
 negotiation auto
 no mop enabled
 no mop sysid
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet1
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
 stopbits 1
line vty 0 4
 login
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

NOTE: The router is pingable from the physical network.

Pinging 192.168.1.102 with 32 bytes of data:
Reply from 192.168.1.102: bytes=32 time=1ms TTL=255
Reply from 192.168.1.102: bytes=32 time=1ms TTL=255
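Reading the curl transcript above more precisely: the TCP connection to port 443 succeeded ("Connected to ..."), the ClientHello was sent, and the router answered with exactly 7 bytes before schannel failed. Seven bytes is the size of one TLS alert record (a 5-byte record header plus a 2-byte alert body), so the router accepted the connection but rejected the handshake. The Python below is an added example, not code from the question or the answer; it classifies a curl/schannel transcript by that pattern and decodes a constructed alert record (the sample log is trimmed from the question, and the alert bytes are made up for illustration).

```python
import re

# Constructed sample: the curl -v transcript from the question, trimmed to
# the lines the diagnosis needs.
SAMPLE_LOG = """\
* Connected to 192.168.1.102 (192.168.1.102) port 443 (#0)
* schannel: SSL/TLS connection with 192.168.1.102 port 443 (step 1/3)
* schannel: sending initial handshake data: sending 153 bytes...
* schannel: SSL/TLS connection with 192.168.1.102 port 443 (step 2/3)
* schannel: encrypted data got 7
* schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326)
"""

ALERT_RECORD_LEN = 7  # 5-byte record header + 2-byte alert body (level, description)
# Alert descriptions from RFC 5246 section 7.2 (subset).
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      40: "handshake_failure", 42: "bad_certificate",
                      47: "illegal_parameter", 48: "unknown_ca",
                      70: "protocol_version", 80: "internal_error"}


def diagnose_curl_log(log: str) -> dict:
    """Classify where a curl/schannel attempt stopped: TCP, TLS step, error."""
    connected = re.search(r"^\* Connected to \S+ .*port (\d+)", log, re.M)
    steps = [int(s) for s in re.findall(r"\(step (\d)/3\)", log)]
    got = re.search(r"encrypted data got (\d+)", log)
    err = re.search(r"failed: (SEC_E_\w+) \((0x[0-9A-Fa-f]+)\)", log)
    received = int(got.group(1)) if got else None
    return {
        "tcp_connected": connected is not None,
        "port": int(connected.group(1)) if connected else None,
        "tls_step_reached": max(steps) if steps else 0,
        "bytes_received": received,
        "error": err.group(1) if err else None,
        # Exactly 7 bytes back after the ClientHello is one TLS alert record:
        # the server accepted the TCP connection but rejected the handshake.
        "server_sent_alert": received == ALERT_RECORD_LEN,
    }


def parse_tls_alert(record: bytes) -> dict:
    """Decode one raw TLS alert record: type 21, version, length 2, body."""
    if len(record) != ALERT_RECORD_LEN or record[0] != 21:
        raise ValueError("not a single TLS alert record")
    if int.from_bytes(record[3:5], "big") != 2:
        raise ValueError("alert body must be 2 bytes")
    level, desc = record[5], record[6]
    return {"version": f"{record[1]}.{record[2]}",
            "level": {1: "warning", 2: "fatal"}.get(level, f"unknown({level})"),
            "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")}
```

A constructed record such as `bytes.fromhex("15030300020228")` decodes to a fatal handshake_failure on wire version 3.3 (TLS 1.2); the real alert the router sent is not in the transcript, so the actual reason stays unknown without a packet capture.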

Solution

  • It seems it is a bug in this router software release. I used the same configs with csr1000v-universalk9.16.12.03-serial.qcow2 and it worked OK. The previous release was csr1000v-universalk9.16.06.07-serial.qcow2.