snapshot task on Cisco APIC failing

Dears

NA 2022.11 
Cisco APIC 

Driver discovery for the Cisco APIC primary controller has completed; however, the snapshot task is failing.

Please note that we are connecting to APIC using an SSH user with the format below:

apic#TACACS\\sshusername

Does NA accept this format, and is this the reason the snapshot task is failing?

Is there any way we can specify SSH and SNMP credentials in APIC directly in Network Automation itself?

Can we specify a timeout parameter for the snapshot task?

  • 0  

    I don't want to say "no, that's not formatted" but I've not seen that myself.  

    What "isn't working"?

    You can either set up credentials for a single device (Edit device) or you can set up a Password Rule and then that rule can either be applied to all devices or a subset of devices.  

    Don't you have other APIC controllers working?  Do those use the same credentials?  Or same formatting?  

    If so, perfect - take two snapshots - one on the "problem" device and then one on the "good" device and let them run and when done, look at the logs to see what is | isn't working.  

    Let's try this:

    1) Do you see NA ssh to the device?

    2) Does NA send the credentials?

    3) Do the credentials get NA logged in?

    4) Once logged in, does NA issue any commands?

    5) What error(s) are you seeing in the task?  

    One thing that is easy to miss - for APIC controllers, you need to enable HTTP or HTTPS, NA needs this as ssh alone isn't enough.  (think this is mentioned in driver note)

    Timeout value - yes / no.  Not in task form but you can set up optional variables like ssh timeout and things like that - again, edit device or within password rule.  

    Good luck,

    Chris

  • 0 in reply to   

    Chris

    Thanks for your inputs.

    Where can I set up HTTP/HTTPS for APIC controllers? From the driver note, I am seeing the below, but I am not sure how I can configure it:

    This note applies only for drivers that use HTTP requests for driver functions. HTTP proxy operations are supported by setting the device access variable "http_proxy" to "ip:port", replacing with the IP and port values of the proxy server. SNI-requiring devices (e.g. CloudGenix & Cisco Meraki) can be supported by using the device access variable "alternate_host" to contain the DNS name of the host. The host name will be used rather than the normal management IP address for all HTTP requests, effectively supporting SNI.

    Also, from the driver notes, I am seeing the below:

    By default, this driver manages the parent APIC and child Nexus devices separately, including the configuration for each using separate virtual devices. Specifically, the APIC parent only contains the configuration for itself and none of the children. If the device access variable "get_all" is set to "true", the parent APIC will collect the configuration for all child nodes in with its own configuration. To disable the collection of controllers, leaf switches and spine switches, set access variable "disable_controllers" to "true". To disable the collection leaf switches and spine switches, set access variable "apic_disable_leaf" to "true".

    Please can you let me know how I can set the device access variable "get_all" to true?

  • Verified Answer

    +1   in reply to 

    Hi,

    So, each of your questions back to me have a few options, I'll try to cover each, but the question (back to you) is really about how your NA environment is set up....

    In general, password rules are easier / less administrative work than setting credentials and details for each individual device.  Some places have automation in place that does this manual setting of each device.  I'm unsure how you guys are, but....

    Where I can set up HTTP/HTTPS for APIC controllers

    Two options:

    Globally (as in you set this once and then every single device going forward will have this set unless you turn it off on the ones you don't want it):

    Admin / Administrative Settings -- Device Access

    and / or

    You can set it at the device level.

    For each device (or you can use batch edit - more later)

    Edit / Edit Device

    Under Connection Information

    Batch Edit:

    When you work with a list / group of devices that you want to edit

    You have your list shown in the Web UI

    Click Select / All

    Click Actions / Batch Edit

    You'll then see a similar form as you saw with Edit Device

    Check the box for "Set Connection Methods"

    Set whatever value you want for "Transfer Protocol" 

    Scroll down and Save when done

    Next question:

    how can I set device access variable "get_all" to true.

    At best three options...

    First and best case for making this change easily, you use password rules AND you have a rule specific to the APIC devices.

    Admin / Device Password Rules

    Edit your rule that you have in place for these devices

    Click on Show Device Access Settings

    You'll see the available boxes, pick the top empty one that does NOT have a selection value available.  (and don't focus on the number of boxes in this example when comparing to your env - it is a customization that we have done)

    In that name box, you'd enter: get_all

    In the Value box below it, you'd enter true

    Save your change

    I mentioned this works best if you have a rule specific for say the APICs, this isn't necessarily the case here, but something to always keep in mind.  If you set a value here and some other device happens to use this rule, then it will try to use that variable and value.  

    It may be a non-issue OR it may cause a problem, something for you to keep in mind.  

    Option 2 - Edit Device

    If you are assigning the credentials by editing the devices, then you can set up the variable there....But, as shown below, this only works IF you have selected device-specific passwords

    And then save your change.

    Lastly, you can usually do this by adding a line in your adjustable_options.rcx file where you will say that for the APIC driver, you want to make that variable / value setting.  I'm not going to show this as too many things could go wrong if you aren't careful.  This is a good option, but I'd suggest working with support on it to be safe.  

    I think I covered your questions, reply back if I missed anything.

    Good luck,

    Chris