1 of 4

System Management

Perform NSO system management and configuration.

NSO consists of a number of modules and executable components. These executable components will be referred to by their command-line name, e.g. ncs, ncs-netsim, ncs_cli, etc. ncs is used to refer to the executable, the running daemon.

Starting NSO

When NSO is started, it reads its configuration file and starts all subsystems configured to start (such as NETCONF, CLI, etc.).

By default, NSO starts in the background without an associated terminal. It is recommended to use a System Install when installing NSO for production deployment. This will create an init script that starts NSO when the system boots, and makes NSO start the service manager.

Licensing NSO

NSO is licensed using Cisco Smart Licensing. To register your NSO instance, you need to enter a token from your Cisco Smart Software Manager account. For more information on this topic, see Cisco Smart Licensing.

Configuring NSO

NSO is configured in the following two ways:

Through its configuration file, ncs.conf.
Through whatever data is configured at run-time over any northbound, for example, turning on trace using the CLI.

`ncs.conf` File

The configuration file ncs.conf is read at startup and can be reloaded. Below is an example of the most common settings. It is included here as an example and should be self-explanatory. See ncs.conf in Manual Pages for more information. Important configuration settings are:

load-path: where NSO should look for compiled YANG files, such as data models for NEDs or Services.
db-dir: the directory on disk that CDB uses for its storage and any temporary files being used. It is also the directory where CDB searches for initialization files. This should be a local disk and not NFS mounted for performance reasons.
Various log settings.
AAA configuration.
Rollback file directory and history length.
Enabling north-bound interfaces like REST, and WebUI.
Enabling of High-Availability mode.

The ncs.conf file is described in the NSO Manual Pages. There is a large number of configuration items in ncs.conf, most of them have sane default values. The ncs.conf file is an XML file that must adhere to the tailf-ncs-config.yang model. If we start the NSO daemon directly, we must provide the path to the NCS configuration file as in:

# ncs -c /etc/ncs/ncs.conf

However, in a System Install, the init script is typically used to start NSO, and it will pass the appropriate options to the ncs command. Thus NSO is started with the command:

# /etc/init.d/ncs start

It is possible to edit the ncs.conf file, and then tell NSO to reload the edited file without restarting the daemon as in:

# ncs --reload

This command also tells NSO to close and reopen all log files, which makes it suitable to use from a system like logrotate.

In this section, some of the important configuration settings will be described and discussed.

Exposed Interfaces

NSO allows access through a number of different interfaces, depending on the use case. In the default configuration, clients can access the system locally through an unauthenticated IPC socket (with the ncs* family of commands, port 4569) and plain (non-HTTPS) HTTP web server (port 8080). Additionally, the system enables remote access through SSH-secured NETCONF and CLI (ports 2022 and 2024).

We strongly encourage you to review and customize the exposed interfaces to your needs in the ncs.conf configuration file. In particular, set:

/ncs-config/webui/match-host-name to true.
/ncs-config/webui/server-name to the hostname of the server.

If you decide to allow remote access to the web server, also make sure you use TLS-secured HTTPS instead of HTTP. Not doing so exposes you to security risks.

Using /ncs-config/webui/match-host-name = true requires you to use the configured hostname when accessing the server. Web browsers do this automatically but you may need to set the Host header when performing requests programmatically using an IP address instead of the hostname.

To additionally secure IPC access, refer to Restricting Access to the IPC port.

For more details on individual interfaces and their use, see Northbound APIs.

Dynamic Configuration

Let's look at all the settings that can be manipulated through the NSO northbound interfaces. NSO itself has a number of built-in YANG modules. These YANG modules describe the structure that is stored in CDB. Whenever we change anything under, say /devices/device, it will change the CDB, but it will also change the configuration of NSO. We call this dynamic configuration since it can be changed at will through all northbound APIs.

We summarize the most relevant parts below:

ncs@ncs(config)#
Possible completions:
  aaa                        AAA management, users and groups
  cluster                    Cluster configuration
  devices                    Device communication settings
  java-vm                    Control of the NCS Java VM
  nacm                       Access control
  packages                   Installed packages
  python-vm                  Control of the NCS Python VM
  services                   Global settings for services, (the services themselves might be augmented somewhere else)
  session                    Global default CLI session parameters
  snmp                       Top-level container for SNMP related configuration and status objects.
  snmp-notification-receiver Configure reception of SNMP notifications
  software                   Software management
  ssh                        Global SSH connection configuration

`tailf-ncs.yang` Module

This is the most important YANG module that is used to control and configure NSO. The module can be found at: $NCS_DIR/src/ncs/yang/tailf-ncs.yang in the release. Everything in that module is available through the northbound APIs. The YANG module has descriptions for everything that can be configured.

tailf-common-monitoring2.yang and tailf-ncs-monitoring2.yang are two modules that are relevant to monitoring NSO.

Built-in or External SSH Server

NSO has a built-in SSH server which makes it possible to SSH directly into the NSO daemon. Both the NSO northbound NETCONF agent and the CLI need SSH. To configure the built-in SSH server we need a directory with server SSH keys - it is specified via /ncs-config/aaa/ssh-server-key-dir in ncs.conf. We also need to enable /ncs-config/netconf-north-bound/transport/ssh and /ncs-config/cli/ssh in ncs.conf. In a System Install, ncs.conf is installed in the "config directory", by default /etc/ncs, with the SSH server keys in /etc/ncs/ssh.

Run-time Configuration

There are also configuration parameters that are more related to how NSO behaves when talking to the devices. These reside in devices global-settings.

admin@ncs(config)# devices global-settings
Possible completions:
  backlog-auto-run               Auto-run the backlog at successful connection
  backlog-enabled                Backlog requests to non-responding devices
  commit-queue
  commit-retries                 Retry commits on transient errors
  connect-timeout                Timeout in seconds for new connections
  ned-settings                   Control which device capabilities NCS uses
  out-of-sync-commit-behaviour   Specifies the behaviour of a commit operation involving a device that is out of sync with NCS.
  read-timeout                   Timeout in seconds used when reading data
  report-multiple-errors         By default, when the NCS device manager commits data southbound and when there are errors, we only
                                 report the first error to the operator, this flag makes NCS report all errors reported by managed
                                 devices
  trace                          Trace the southbound communication to devices
  trace-dir                      The directory where trace files are stored
  write-timeout                  Timeout in seconds used when writing
  data

User Management

Users are configured at the path aaa authentication users.

admin@ncs(config)# show full-configuration aaa authentication users user
aaa authentication users user admin
 uid        1000
 gid        1000
 password   $1$GNwimSPV$E82za8AaDxukAi8Ya8eSR.
 ssh_keydir /var/ncs/homes/admin/.ssh
 homedir    /var/ncs/homes/admin
!
aaa authentication users user oper
 uid        1000
 gid        1000
 password   $1$yOstEhXy$nYKOQgslCPyv9metoQALA.
 ssh_keydir /var/ncs/homes/oper/.ssh
 homedir    /var/ncs/homes/oper
!...

Access control, including group memberships, is managed using the NACM model (RFC 6536).

admin@ncs(config)# show full-configuration nacm
nacm write-default permit
nacm groups group admin
 user-name [ admin private ]
!
nacm groups group oper
 user-name [ oper public ]
!
nacm rule-list admin
 group [ admin ]
 rule any-access
  action permit
 !
!
nacm rule-list any-group
 group [ * ]
 rule tailf-aaa-authentication
  module-name       tailf-aaa
  path              /aaa/authentication/users/user[name='$USER']
  access-operations read,update
  action            permit
 !

Adding a User

Adding a user includes the following steps:

Create the user: admin@ncs(config)# aaa authentication users user <user-name>.
Add the user to a NACM group: admin@ncs(config)# nacm groups <group-name> admin user-name <user-name>.
Verify/change access rules.

It is likely that the new user also needs access to work with device configuration. The mapping from NSO users and corresponding device authentication is configured in authgroups. So, the user needs to be added there as well.

admin@ncs(config)# show full-configuration devices authgroups
devices authgroups group default
 umap admin
  remote-name     admin
  remote-password $4$wIo7Yd068FRwhYYI0d4IDw==
 !
 umap oper
  remote-name     oper
  remote-password $4$zp4zerM68FRwhYYI0d4IDw==
 !
!

If the last step is forgotten, you will see the following error:

jim@ncs(config)# devices device c0 config ios:snmp-server community fee
jim@ncs(config-config)# commit
Aborted: Resource authgroup for jim doesn't exist

Monitoring NSO

This section describes how to monitor NSO. See also NSO Alarms.

Use the command ncs --status to get runtime information on NSO.

NSO Status

Checking the overall status of NSO can be done using the shell:

$ ncs --status

Or, in the CLI:

ncs# show ncs-state

For details on the output see $NCS_DIR/src/yang/tailf-common-monitoring2.yang.

Below is an overview of the output:

It is also important to look at the packages that are loaded. This can be done in the CLI with:

admin> show packages
packages package cisco-asa
 package-version 3.4.0
 description     "NED package for Cisco ASA"
 ncs-min-version [ 3.2.2 3.3 3.4 4.0 ]
 directory       ./state/packages-in-use/1/cisco-asa
 component upgrade-ned-id
  upgrade java-class-name com.tailf.packages.ned.asa.UpgradeNedId
 component ASADp
  callback java-class-name [ com.tailf.packages.ned.asa.ASADp ]
 component cisco-asa
  ned cli ned-id  cisco-asa
  ned cli java-class-name com.tailf.packages.ned.asa.ASANedCli
  ned device vendor Cisco

Monitoring the NSO Daemon

NSO runs the following processes:

The daemon: ncs.smp: this is the NCS process running in the Erlang VM.
Java VM: com.tailf.ncs.NcsJVMLauncher: service applications implemented in Java run in this VM. There are several options on how to start the Java VM, it can be monitored and started/restarted by NSO or by an external monitor. See the ncs.conf(5) Manual Page and the java-vm settings in the CLI.
Python VMs: NSO packages can be implemented in Python. The individual packages can be configured to run a VM each or share a Python VM. Use the show python-vm status current to see current threads and show python-vm status start to see which threads were started at startup time.

Logging

NSO has extensive logging functionality. Log settings are typically very different for a production system compared to a development system. Furthermore, the logging of the NSO daemon and the NSO Java VM/Python VM is controlled by different mechanisms. During development, we typically want to turn on the developer-log. The sample ncs.conf that comes with the NSO release has log settings suitable for development, while the ncs.conf created by a System Install are suitable for production deployment.

NSO logs in /logs in your running directory, (depends on your settings in ncs.conf). You might want the log files to be stored somewhere else. See man ncs.conf for details on how to configure the various logs. Below is a list of the most useful log files:

ncs.log : NCS daemon log. See Log Messages and Formats. Can be configured to Syslog.
ncserr.log.1, ncserr.log.idx, ncserr.log.siz: if the NSO daemon has a problem. this contains debug information relevant to support. The content can be displayed with ncs --printlog ncserr.log.
audit.log: central audit log covering all northbound interfaces. See Log Messages and Formats. Can be configured to Syslog.
localhost:8080.access: all HTTP requests to the daemon. This is an access log for the embedded Web server. This file adheres to the Common Log Format, as defined by Apache and others. This log is not enabled by default and is not rotated, i.e. use logrotate(8). Can be configured to Syslog.
devel.log: developer-log is a debug log for troubleshooting user-written code. This log is enabled by default and is not rotated, i.e. use logrotate(8). This log shall be used in combination with the java-vm or python-vm logs. The user code logs in the VM logs and the corresponding library logs in devel.log. Disable this log in production systems. Can be configured to Syslog. You can manage this log and set its logging level in ncs.conf.
```
    <developer-log>
      <enabled>true</enabled>
      <file>
        <name>${NCS_LOG_DIR}/devel.log</name>
        <enabled>false</enabled>
      </file>
      <syslog>
        <enabled>true</enabled>
      </syslog>
    </developer-log>
    <developer-log-level>trace</developer-log-level>
```
ncs-java-vm.log, ncs-python-vm.log: logger for code running in Java or Python VM, for example, service applications. Developers writing Java and Python code use this log (in combination with devel.log) for debugging. Both Java and Python log levels can be set from their respective VM settings in, for example, the CLI.
```
admin@ncs(config)# python-vm logging level level-info
admin@ncs(config)# java-vm java-logging logger com.tailf.maapi level level-info
```
netconf.log, snmp.log: Log for northbound agents. Can be configured to Syslog.
rollbackNNNNN: All NSO commits generate a corresponding rollback file. The maximum number of rollback files and file numbering can be configured in ncs.conf.
xpath.trace: XPATH is used in many places, for example, XML templates. This log file shows the evaluation of all XPATH expressions and can be enabled in the ncs.conf.
```
    <xpathTraceLog>
      <enabled>true</enabled>
      <filename>${NCS_LOG_DIR}/xpath.trace</filename>
    </xpathTraceLog>
```
To debug XPATH for a template, use the pipe target debug in the CLI instead.
```
admin@ncs(config)# commit | debug template
```
ned-cisco-ios-xr-pe1.trace (for example): if device trace is turned on a trace file will be created per device. The file location is not configured in ncs.conf but is configured when the device trace is turned on, for example in the CLI.
```
admin@ncs(config)# devices device r0 trace pretty
```
Progress trace log: When a transaction or action is applied, NSO emits specific progress events. These events can be displayed and recorded in a number of different ways, either in CLI with the pipe target details on a commit, or by writing it to a log file. You can read more about it in the Progress Trace.
Transaction error log: log for collecting information on failed transactions that lead to either a CDB boot error or a runtime transaction failure. The default is false (disabled). More information about the log is available in the Manual Pages under Configuration Parameters (see logs/transaction-error-log).
Upgrade log: log containing information about CDB upgrade. The log is enabled by default and not rotated (i.e., use logrotate). With the NSO example set, the following examples populate the log in the logs/upgrade.log file: examples.ncs/development-guide/ned-upgrade/yang-revision, examples.ncs/development-guide/high-availability/upgrade-basic, examples.ncs/development-guide/high-availability/upgrade-cluster, and examples.ncs/getting-started/developing-with-ncs/14-upgrade-service. More information about the log is available in the Manual Pages under Configuration Parameters (see logs/upgrade-log).

Syslog

NSO can syslog to a local Syslog. See man ncs.conf how to configure the Syslog settings. All Syslog messages are documented in Log Messages. The ncs.conf also lets you decide which of the logs should go into Syslog: ncs.log, devel.log, netconf.log, snmp.log, audit.log, WebUI access log. There is also a possibility to integrate with rsyslog to log the NCS, developer, audit, netconf, SNMP, and WebUI access logs to syslog with the facility set to daemon in ncs.conf. For reference, see the upgrade-l2 example, located in examples.ncs/development-guide/high-availability/hcc .

Below is an example of Syslog configuration:

    <syslog-config>
      <facility>daemon</facility>
    </syslog-config>

    <ncs-log>
      <enabled>true</enabled>
      <file>
        <name>./logs/ncs.log</name>
        <enabled>true</enabled>
      </file>
      <syslog>
        <enabled>true</enabled>
      </syslog>
    </ncs-log>

Log messages are described on the link below:

NSO Alarms

NSO generates alarms for serious problems that must be remedied. Alarms are available over all the northbound interfaces and exist at the path /alarms. NSO alarms are managed as any other alarms by the general NSO Alarm Manager, see the specific section on the alarm manager in order to understand the general alarm mechanisms.

The NSO alarm manager also presents a northbound SNMP view, alarms can be retrieved as an alarm table, and alarm state changes are reported as SNMP Notifications. See the "NSO Northbound" documentation on how to configure the SNMP Agent.

This is also documented in the example /examples.ncs/getting-started/using-ncs/5-snmp-alarm-northbound.

Alarms are described on the link below:

Trace ID

NSO can issue a unique Trace ID per northbound request, visible in logs and trace headers. This Trace ID can be used to follow the request from service invocation to configuration changes pushed to any device affected by the change. The Trace ID may either be passed in from an external client or generated by NSO.

Trace ID is enabled by default, and can be turned off by adding the following snippet to NSO.conf:

<trace-id>false</trace-id>

Trace ID is propagated downwards in LSA setups and is fully integrated with commit queues.

Trace ID can be passed to NSO over NETCONF, RESTCONF, JSON-RPC, or CLI as a commit parameter.

If Trace ID is not given as a commit parameter, NSO will generate one. The generated Trace ID is an array of 16 random bytes, encoded as a 32-character hexadecimal string, in accordance with Trace ID.

For RESTCONF requests, this generated Trace ID will be communicated back to the requesting client as an HTTP header called X-Cisco-NSO-Trace-ID. The trace-id query parameter can also be used with RPCs and actions to relay a trace-id from northbound requests.

For NETCONF, the Trace ID will be returned as an attribute called trace-id.

Trace ID will appear in relevant log entries and trace file headers on the form trace-id=....

Disaster Management

This section describes a number of disaster scenarios and recommends various actions to take in the different disaster variants.

NSO Fails to Start

CDB keeps its data in four files A.cdb, C.cdb, O.cdb and S.cdb. If NSO is stopped, these four files can be copied, and the copy is then a full backup of CDB.

Furthermore, if neither files exist in the configured CDB directory, CDB will attempt to initialize from all files in the CDB directory with the suffix .xml.

Thus, there exist two different ways to re-initiate CDB from a previously known good state, either from .xml files or from a CDB backup. The .xml files would typically be used to reinstall factory defaults whereas a CDB backup could be used in more complex scenarios.

If the S.cdb file has become inconsistent or has been removed, all commit queue items will be removed, and devices not yet processed out of sync. For such an event, appropriate alarms will be raised on the devices and any service instance that has unprocessed device changes will be set in the failed state.

When NSO starts and fails to initialize, the following exit codes can occur:

Exit codes 1 and 19 mean that an internal error has occurred. A text message should be in the logs, or if the error occurred at startup before logging had been activated, on standard error (standard output if NSO was started with --foreground --verbose). Generally, the message will only be meaningful to the NSO developers, and an internal error should always be reported to support.
Exit codes 2 and 3 are only used for the NCS control commands (see the section COMMUNICATING WITH NCS in the ncs(1) in Manual Pages manual page) and mean that the command failed due to timeout. Code 2 is used when the initial connect to NSO didn't succeed within 5 seconds (or the TryTime if given), while code 3 means that the NSO daemon did not complete the command within the time given by the --timeout option.
Exit code 10 means that one of the init files in the CDB directory was faulty in some way — further information in the log.
Exit code 11 means that the CDB configuration was changed in an unsupported way. This will only happen when an existing database is detected, which was created with another configuration than the current in ncs.conf.
Exit code 13 means that the schema change caused an upgrade, but for some reason, the upgrade failed. Details are in the log. The way to recover from this situation is either to correct the problem or to re-install the old schema (fxs) files.
Exit code 14 means that the schema change caused an upgrade, but for some reason the upgrade failed, corrupting the database in the process. This is rare and usually caused by a bug. To recover, either start from an empty database with the new schema, or re-install the old schema files and apply a backup.
Exit code 15 means that A.cdb or C.cdb is corrupt in a non-recoverable way. Remove the files and re-start using a backup or init files.
Exit code 16 means that CDB ran into an unrecoverable file error (such as running out of space on the device while performing journal compaction).
Exit code 20 means that NSO failed to bind a socket.
Exit code 21 means that some NSO configuration file is faulty. More information is in the logs.
Exit code 22 indicates an NSO installation-related problem, e.g., that the user does not have read access to some library files, or that some file is missing.

If the NSO daemon starts normally, the exit code is 0.

If the AAA database is broken, NSO will start but with no authorization rules loaded. This means that all write access to the configuration is denied. The NSO CLI can be started with a flag ncs_cli --noaaa that will allow full unauthorized access to the configuration.

NSO Failure After Startup

NSO attempts to handle all runtime problems without terminating, e.g., by restarting specific components. However, there are some cases where this is not possible, described below. When NSO is started the default way, i.e. as a daemon, the exit codes will of course not be available, but see the --foreground option in the ncs(1) Manual Page.

Out of memory: If NSO is unable to allocate memory, it will exit by calling abort(3). This will generate an exit code, as for reception of the SIGABRT signal - e.g. if NSO is started from a shell script, it will see 134, as the exit code (128 + the signal number).
Out of file descriptors for accept(2): If NSO fails to accept a TCP connection due to lack of file descriptors, it will log this and then exit with code 25. To avoid this problem, make sure that the process and system-wide file descriptor limits are set high enough, and if needed configure session limits in ncs.conf. The out-of-file descriptors issue may also manifest itself in that applications are no longer able to open new file descriptors. In many Linux systems, the default limit is 1024, but if we, for example, assume that there are four northbound interface ports, CLI, RESTCONF, SNMP, WebUI/JSON-RPC, or similar, plus a few hundred IPC ports, x 1024 == 5120. But one might as well use the next power of two, 8192, to be on the safe side.
Several application issues can contribute to consuming extra ports. In the scope of an NSO application that could, for example, be a script application that invokes CLI command or a callback daemon application that does not close the connection socket as it should.
A commonly used command for changing the maximum number of open file descriptors is ulimit -n [limit]. Commands such as netstat and lsof can be useful to debug file descriptor-related issues.

Transaction Commit Failure

When the system is updated, NSO executes a two-phase commit protocol towards the different participating databases including CDB. If a participant fails in the commit() phase although the participant succeeded in the preparation phase, the configuration is possibly in an inconsistent state.

When NSO considers the configuration to be in an inconsistent state, operations will continue. It is still possible to use NETCONF, the CLI, and all other northbound management agents. The CLI has a different prompt which reflects that the system is considered to be in an inconsistent state and also the Web UI shows this:

  -- WARNING ------------------------------------------------------
  Running db may be inconsistent. Enter private configuration mode and
  install a rollback configuration or load a saved configuration.
  ------------------------------------------------------------------

The MAAPI API has two interface functions that can be used to set and retrieve the consistency status, those are maapi_set_running_db_status() and maapi_get_running_db_status() corresponding. This API can thus be used to manually reset the consistency state. The only alternative to reset the state to a consistent state is by reloading the entire configuration.

Backup and Restore

All parts of the NSO installation can be backed up and restored with standard file system backup procedures.

The most convenient way to do backup and restore is to use the ncs-backup command. In that case, the following procedure is used.

Take a Backup

NSO Backup backs up the database (CDB) files, state files, config files, and rollback files from the installation directory. To take a complete backup (for disaster recovery), use:

# ncs-backup

The backup will be stored in the "run directory", by default /var/opt/ncs, as /var/opt/ncs/backups/ncs-VERSION@DATETIME.backup.

For more information on backup, refer to the ncs-backup(1) in Manual Pages.

Restore a Backup

NSO Restore is performed if you would like to switch back to a previous good state or restore a backup.

It is always advisable to stop NSO before performing a restore.

First stop NSO if NSO is not stopped yet.
```
/etc/init.d/ncs stop
```
Restore the backup.
```
ncs-backup --restore
```
Select the backup to be restored from the available list of backups. The configuration and database with run-time state files are restored in /etc/ncs and /var/opt/ncs.
Start NSO.
```
/etc/init.d/ncs start
```

Rollbacks

NSO supports creating rollback files during the commit of a transaction that allows for rolling back the introduced changes. Rollbacks do not come without a cost and should be disabled if the functionality is not going to be used. Enabling rollbacks impacts both the time it takes to commit a change and requires sufficient storage on disk.

Rollback files contain a set of headers and the data required to restore the changes that were made when the rollback was created. One of the header fields includes a unique rollback ID that can be used to address the rollback file independent of the rollback numbering format.

The use of rollbacks from the supported APIs and the CLI is documented in the documentation for the given API.

`ncs.conf` Config for Rollback

As described earlier, NSO is configured through the configuration file, ncs.conf. In that file, we have the following items related to rollbacks:

/ncs-config/rollback/enabled: If set to true, then a rollback file will be created whenever the running configuration is modified.
/ncs-config/rollback/directory: Location where rollback files will be created.
/ncs-config/rollback/history-size: The number of old rollback files to save.

Troubleshooting

New users can face problems when they start to use NSO. If you face an issue, reach out to our support team regardless if your problem is listed here or not.

A useful tool in this regard is the ncs-collect-tech-report tool, which is the Bash script that comes with the product. It collects all log files, CDB backup, and several debug dumps as a TAR file. Note that it works only with a System Install.

root@linux:/# ncs-collect-tech-report --full

Some noteworthy issues are covered here.

Installation Problems: Error Messages During Installation

Error

tar: Skipping to next header
gzip: stdin: invalid compressed data--format violated

Impact The resulting installation is incomplete.

Cause This happens if the installation program has been damaged, most likely because it has been downloaded in ASCII mode.

Resolution Remove the installation directory. Download a new copy of NSO from our servers. Make sure you use binary transfer mode every step of the way.

Problem Starting NSO: NSO Terminating with GLIBC Error

Error

Internal error: Open failed: /lib/tls/libc.so.6: version
`GLIBC_2.3.4' not found (required by
.../lib/ncs/priv/util/syst_drv.so)

Impact NSO terminates immediately with a message similar to the one above.

Cause This happens if you are running on a very old Linux version. The GNU libc (GLIBC) version is older than 2.3.4, which was released in 2004.

Resolution Use a newer Linux system, or upgrade the GLIBC installation.

Problem in Running Examples: The netconf-console Program Fails

Error You must install the Python SSH implementation Paramiko in order to use SSH.

Impact Sending NETCONF commands and queries with netconf-console fails, while it works using netconf-console-tcp.

Cause The netconf-console command is implemented using the Python programming language. It depends on the Python SSHv2 implementation Paramiko. Since you are seeing this message, your operating system doesn't have the Python module Paramiko installed.

Resolution Install Paramiko using the instructions from https://www.paramiko.org. When properly installed, you will be able to import the Paramiko module without error messages.
```
$ python
...
>>> import paramiko
>>>
```
Exit the Python interpreter with Ctrl+D.

Workaround A workaround is to use netconf-console-tcp. It uses TCP instead of SSH and doesn't require Paramiko. Note that TCP traffic is not encrypted.

Problems Using and Developing Services

If you encounter issues while loading service packages, creating service instances, or developing service models, templates, and code, you can consult the Troubleshooting section in Implementing Services.

General Troubleshooting Strategies

If you have trouble starting or running NSO, examples, or the clients you write, here are some troubleshooting tips.

Transcript

When contacting support, it often helps the support engineer to understand what you are trying to achieve if you copy-paste the commands, responses, and shell scripts that you used to trigger the problem, together with any CLI outputs and logs produced by NSO.

Source ENV Variables

If you have problems executing ncs commands, make sure you source the ncsrc script in your NSO directory (your path may be different than the one in the example if you are using a local install), which sets the required environmental variables.

$ source /etc/profile.d/ncs.sh

Log Files

To find out what NSO is/was doing, browsing NSO log files is often helpful. In the examples, they are called devel.log, ncs.log, audit.log. If you are working with your own system, make sure that the log files are enabled in ncs.conf. They are already enabled in all the examples. You can read more about how to enable and inspect various logs in the Logging section.

Verify HW Resources

Both high CPU utilization and a lack of memory can negatively affect the performance of NSO. You can use commands such as top to examine resource utilization, and free -mh to see the amount of free and consumed memory. A common symptom of a lack of memory is NSO or Java-VM restarting. A sufficient amount of disk space is also required for CDB persistence and logs, so you can also check disk space with df -h command. In case there is enough space on the disk and you still encounter ENOSPC errors, check the inode usage with df -i command.

Status

NSO will give you a comprehensive status of daemon status, YANG modules, loaded packages, MIBs, active user sessions, CDB locks, and more if you run:

$ ncs --status

NSO status information is also available as operational data under /ncs-state.

Check Data Provider

If you are implementing a data provider (for operational or configuration data), you can verify that it works for all possible data items using:

$ ncs --check-callbacks

Debug Dump

If you suspect you have experienced a bug in NSO, or NSO told you so, you can give Support a debug dump to help us diagnose the problem. It contains a lot of status information (including a full ncs --status report) and some internal state information. This information is only readable and comprehensible to the NSO development team, so send the dump to your support contact. A debug dump is created using:

$ ncs --debug-dump mydump1

Just as in CSI on TV, the information must be collected as soon as possible after the event. Many interesting traces will wash away with time, or stay undetected if there are lots of irrelevant facts in the dump.

If NSO gets stuck while terminating, it can optionally create a debug dump after being stuck for 60 seconds. To enable this mechanism, set the environment variable $NCS_DEBUG_DUMP_NAME to a filename of your choice.

Error Log

Another thing you can do in case you suspect that you have experienced a bug in NSO is to collect the error log. The logged information is only readable and comprehensible to the NSO development team, so send the log to your support contact. The log actually consists of a number of files called ncserr.log.* - make sure to provide them all.

System Dump

If NSO aborts due to failure to allocate memory (see Disaster Management), and you believe that this is due to a memory leak in NSO, creating one or more debug dumps as described above (before NSO aborts) will produce the most useful information for Support. If this is not possible, NSO will produce a system dump by default before aborting, unless DISABLE_NCS_DUMP is set.

The default system dump file name is ncs_crash.dump and it could be changed by setting the environment variable $NCS_DUMP before starting NSO. The dumped information is only comprehensible to the NSO development team, so send the dump to your support contact.

System Call Trace

To catch certain types of problems, especially relating to system start and configuration, the operating system's system call trace can be invaluable. This tool is called strace/ktrace/truss. Please send the result to your support contact for a diagnosis.

By running the instructions below.

Linux:

# strace -f -o mylog1.strace -s 1024 ncs ...

BSD:

# ktrace -ad -f mylog1.ktrace ncs ...
# kdump -f mylog1.ktrace > mylog1.kdump

Solaris:

# truss -f -o mylog1.truss ncs ...

Cisco Smart Licensing

Manage purchase and licensing of Cisco software.

Cisco Smart Licensing is a cloud-based approach to licensing and it simplifies the purchase, deployment, and management of Cisco software assets. Entitlements are purchased through a Cisco account via Cisco Commerce Workspace (CCW) and are immediately deposited into a Smart Account for usage. This eliminates the need to install license files on every device. Products that are smart-enabled communicate directly to Cisco to report consumption.

Cisco Smart Software Manager (CSSM) enables the management of software licenses and Smart Account from a single portal. The interface allows you to activate your product, manage entitlements, and renew and upgrade software.

A functioning Smart Account is required to complete the registration process. For detailed information about CSSM, see Cisco Smart Software Manager.

Smart Accounts and Virtual Accounts

A Virtual Account exists as a sub-account within the Smart Account. Virtual Accounts are a customer-defined structure based on organizational layout, business function, geography, or any defined hierarchy. They are created and maintained by the Smart Account administrator(s).

Visit Cisco Cisco Software Central to learn about how to create and manage Smart Accounts.

Request a Smart Account

The creation of a new Smart Account is a one-time event and subsequent management of users is a capability provided through the tool. To request a Smart Account, visit Cisco Cisco Software Central and take the following steps:

After logging in select Request a Smart Account in the Administration section.
Select the type of Smart Account to create. There are two options: (a) Individual Smart Account requiring agreement to represent your company. By creating this Smart Account you agree to authorization to create and manage product and service entitlements, users, and roles on behalf of your organization. (b) Create the account on behalf of someone else.
Provide the required domain identifier and the preferred account name.
The account request will be pending approval of the Account Domain Identifier. A subsequent email will be sent to the requester to complete the setup process.

Adding Users to a Smart Account

Smart Account user management is available in the Administration section of Cisco Cisco Software Central. Take the following steps to add a new user to a Smart Account:

After logging in Select Manage Smart Account in the Administration section.
Choose the Users tab.
Select New User and follow the instructions in the wizard to add a new user.

Create a License Registration Token

To create a new token, log into CSSM and select the appropriate Virtual Account.
Click on the Smart Licenses link to enter CSSM.
In CSSM click on New Token.
Follow the dialog to provide a description, expiration, and export compliance applicability before accepting the terms and responsibilities. Click on Create Token to continue.
Click on the new token.
Copy the token from the dialogue window into your clipboard.

Go to the NSO CLI and provide the token to the license smart register idtoken command:

admin@ncs# license smart register idtoken YzY2YjFlOTYtOWYzZi00MDg1...
Registration process in progress.
Use the 'show license status' command to check the progress and result.

Notes on Configuring Smart Licensing

If ncs.conf contains configuration for any of java-executable, java-options, override-url/url, or proxy/url under the configure path /ncs-config/smart-license/smart-agent/ any corresponding configuration done via the CLI is ignored.

The smart licensing component of NSO runs its own Java virtual machine. Usually, the default Java options are sufficient:

          leaf java-options {
          tailf:info "Smart licensing Java VM start options";
          type string;
          default "-Xmx64M -Xms16M
          -Djava.security.egd=file:/dev/./urandom";
          description
          "Options which NCS will use when starting
          the Java VM.";}

If you for some reason need to modify the Java options, remember to include the default values as found in the YANG model.

Validation and Troubleshooting

Available `show` and `debug` Commands

show license all: Displays all information.
show license status: Displays status information.
show license summary: Displays summary.
show license tech: Displays license tech support information.
show license usage: Displays usage information.
debug smart_lic all: All available Smart Licensing debug flags.

Alarm Types

alarm-type
    certificate-expiration
    ha-alarm
        ha-node-down-alarm
            ha-primary-down
            ha-secondary-down
    ncs-cluster-alarm
        cluster-subscriber-failure
    ncs-dev-manager-alarm
        abort-error
        bad-user-input
        commit-through-queue-blocked
        commit-through-queue-failed
        commit-through-queue-failed-transiently
        commit-through-queue-rollback-failed
        configuration-error
        connection-failure
        final-commit-error
        missing-transaction-id
        ned-live-tree-connection-failure
        out-of-sync
        revision-error
    ncs-package-alarm
        package-load-failure
        package-operation-failure
    ncs-service-manager-alarm
        service-activation-failure
    ncs-snmp-notification-receiver-alarm
        receiver-configuration-error
    time-violation-alarm
        transaction-lock-time-violation

Alarm Type Descriptions

abort-error

Initial Perceived Severity major
Description An error happened while aborting or reverting a transaction. Device's configuration is likely to be inconsistent with the NCS CDB.
Recommended Action Inspect the configuration difference with compare-config, resolve conflicts with sync-from or sync-to if any.
Clear Condition(s) If NCS achieves sync with the device, or receives a transaction id for a netconf session towards the device, the alarm is cleared.
Alarm Message(s)
- Device {dev} is locked
- Device {dev} is southbound locked
- abort error

alarm-type

Description Base identity for alarm types. A unique identification of the fault, not including the managed object. Alarm types are used to identify if alarms indicate the same problem or not, for lookup into external alarm documentation, etc. Different managed object types and instances can share alarm types. If the same managed object reports the same alarm type, it is to be considered to be the same alarm. The alarm type is a simplification of the different X.733 and 3GPP alarm IRP alarm correlation mechanisms and it allows for hierarchical extensions. A 'specific-problem' can be used in addition to the alarm type in order to have different alarm types based on information not known at design-time, such as values in textual SNMP Notification varbinds.

bad-user-input

Initial Perceived Severity critical
Description Invalid input from user. NCS cannot recognize parameters needed to connect to device.
Recommended Action Verify that the user supplied input are correct.
Clear Condition(s) This alarm is not cleared.
Alarm Message(s)
- Resource {resource} doesn't exist

certificate-expiration

Description The certificate is nearing its expiry or has already expired. The severity depends on the time left to expiry, it ranges from warning to critical.
Recommended Action Replace certificate.
Clear Condition(s) This alarm is cleared when the certificate is no longer loaded.
Alarm Message(s)
- Certificate expires in less than {days} day(s)/Certificate has expired.

cluster-subscriber-failure

Initial Perceived Severity critical
Description Failure to establish a notification subscription towards a remote node.
Recommended Action Verify IP connectivity between cluster nodes.
Clear Condition(s) This alarm is cleared if NCS succeeds to establish a subscription towards the remote node, or when the subscription is explicitly stopped.
Alarm Message(s)
- Failed to establish netconf notification subscription to node ~s, stream ~s
- Commit queue items with remote nodes will not receive required event notifications.

commit-through-queue-blocked

Initial Perceived Severity warning
Description A commit was queued behind a queue item waiting to be able to connect to one of its devices. This is potentially dangerous since one unreachable device can potentially fill up the commit queue indefinitely.
Clear Condition(s) An alarm raised due to a transient error will be cleared when NCS is able to reconnect to the device.
Alarm Message(s)
- Commit queue item ~p is blocked because item ~p cannot connect to ~s

commit-through-queue-failed

Initial Perceived Severity critical
Description A queued commit failed.
Recommended Action Resolve with rollback if possible.
Clear Condition(s) This alarm is not cleared.
Alarm Message(s)
- Failed to authenticate towards device {device}: {reason}
- Device {dev} is locked
- {Reason}
- Device {dev} is southbound locked
- Commit queue item {CqId} rollback invoked
- Commit queue item {CqId} has failed: Operation failed because: inconsistent database
- Remote commit queue item ~p cannot be unlocked: cluster node not configured correctly

commit-through-queue-failed-transiently

Initial Perceived Severity critical
Description A queued commit failed as it exhausted its retry attempts on transient errors.
Recommended Action Resolve with rollback if possible.
Clear Condition(s) This alarm is not cleared.
Alarm Message(s)
- Failed to connect to device {dev}: {reason}
- Connection to {dev} timed out
- Failed to authenticate towards device {device}: {reason}
- The configuration database is locked for device {dev}: {reason}
- the configuration database is locked by session {id} {identification}
- the configuration database is locked by session {id} {identification}
- {Dev}: Device is locked in a {Op} operation by session {session-id}
- resource denied
- Commit queue item {CqId} rollback invoked
- Commit queue item {CqId} has failed: Operation failed because: inconsistent database
- Remote commit queue item ~p cannot be unlocked: cluster node not configured correctly

commit-through-queue-rollback-failed

Initial Perceived Severity critical
Description Rollback of a commit-queue item failed.
Recommended Action Investigate the status of the device and resolve the situation by issuing the appropriate action, i.e., service redeploy or a sync operation.
Clear Condition(s) This alarm is not cleared.
Alarm Message(s)
- {Reason}

configuration-error

Initial Perceived Severity critical
Description Invalid configuration of NCS managed device, NCS cannot recognize parameters needed to connect to device.
Recommended Action Verify that the configuration parameters defined in tailf-ncs-devices.yang submodule are consistent for this device.
Clear Condition(s) The alarm is cleared when NCS reads the configuration parameters for the device, and is raised again if the parameters are invalid.
Alarm Message(s)
- Failed to resolve IP address for {dev}
- the configuration database is locked by session {id} {identification}
- {Reason}
- Resource {resource} doesn't exist

connection-failure

Initial Perceived Severity major
Description NCS failed to connect to a managed device before the timeout expired.
Recommended Action Verify address, port, authentication, check that the device is up and running. If the error occurs intermittently, increase connect-timeout.
Clear Condition(s) If NCS successfully reconnects to the device, the alarm is cleared.
Alarm Message(s)
- The connection to {dev} was closed
- Failed to connect to device {dev}: {reason}

final-commit-error

Initial Perceived Severity critical
Description A managed device validated a configuration change, but failed to commit. When this happens, NCS and the device are out of sync.
Recommended Action Reconcile by comparing and sync-from or sync-to.
Clear Condition(s) If NCS achieves sync with a device, the alarm is cleared.
Alarm Message(s)
- The connection to {dev} was closed
- External error in the NED implementation for device {dev}: {reason}
- Internal error in the NED NCS framework affecting device {dev}: {reason}

ha-alarm

Description Base type for all alarms related to high availablity. This is never reported, sub-identities for the specific high availability alarms are used in the alarms.

ha-node-down-alarm

Description Base type for all alarms related to nodes going down in high availablity. This is never reported, sub-identities for the specific node down alarms are used in the alarms.

ha-primary-down

Initial Perceived Severity critical
Description The node lost the connection to the primary node.
Recommended Action Make sure the HA cluster is operational, investigate why the primary went down and bring it up again.
Clear Condition(s) This alarm is never automatically cleared and has to be cleared manually when the HA cluster has been restored.
Alarm Message(s)
- Lost connection to primary due to: Primary closed connection
- Lost connection to primary due to: Tick timeout
- Lost connection to primary due to: code {Code}

ha-secondary-down

Initial Perceived Severity critical
Description The node lost the connection to a secondary node.
Recommended Action Investigate why the secondary node went down, fix the connectivity issue and reconnect the secondary to the HA cluster.
Clear Condition(s) This alarm is cleared when the secondary node is reconnected to the HA cluster.
Alarm Message(s)
- Lost connection to secondary

missing-transaction-id

Initial Perceived Severity warning
Description A device announced in its NETCONF hello message that it supports the transaction-id as defined in http://tail-f.com/yang/netconf-monitoring. However when NCS tries to read the transaction-id no data is returned. The NCS check-sync feature will not work. This is usually a case of misconfigured NACM rules on the managed device.
Recommended Action Verify NACM rules on the concerned device.
Clear Condition(s) If NCS successfully reads a transaction id for which it had previously failed to do so, the alarm is cleared.
Alarm Message(s)
- {Reason}

ncs-cluster-alarm

Description Base type for all alarms related to cluster. This is never reported, sub-identities for the specific cluster alarms are used in the alarms.

ncs-dev-manager-alarm

Description Base type for all alarms related to the device manager This is never reported, sub-identities for the specific device alarms are used in the alarms.

ncs-package-alarm

Description Base type for all alarms related to packages. This is never reported, sub-identities for the specific package alarms are used in the alarms.

ncs-service-manager-alarm

Description Base type for all alarms related to the service manager This is never reported, sub-identities for the specific service alarms are used in the alarms.

ncs-snmp-notification-receiver-alarm

Description Base type for SNMP notification receiver Alarms. This is never reported, sub-identities for specific SNMP notification receiver alarms are used in the alarms.

ned-live-tree-connection-failure

Initial Perceived Severity major
Description NCS failed to connect to a managed device using one of the optional live-status-protocol NEDs.
Recommended Action Verify the configuration of the optional NEDs. If the error occurs intermittently, increase connect-timeout.
Clear Condition(s) If NCS successfully reconnects to the managed device, the alarm is cleared.
Alarm Message(s)
- The connection to {dev} was closed
- Failed to connect to device {dev}: {reason}

out-of-sync

Initial Perceived Severity major
Description A managed device is out of sync with NCS. Usually it means that the device has been configured out of band from NCS point of view.
Recommended Action Inspect the difference with compare-config, reconcile by invoking sync-from or sync-to.
Clear Condition(s) If NCS achieves sync with a device, the alarm is cleared.
Alarm Message(s)
- Device {dev} is out of sync
- Out of sync due to no-networking or failed commit-queue commits.
- got: ~s expected: ~s.

package-load-failure

Initial Perceived Severity critical
Description NCS failed to load a package.
Recommended Action Check the package for the reason.
Clear Condition(s) If NCS successfully loads a package for which an alarm was previously raised, it will be cleared.
Alarm Message(s)
- failed to open file {file}: {str}
- Specific to the concerned package.

package-operation-failure

Initial Perceived Severity critical
Description A package has some problem with its operation.
Recommended Action Check the package for the reason.
Clear Condition(s) This alarm is not cleared.

receiver-configuration-error

Initial Perceived Severity major
Description The snmp-notification-receiver could not setup its configuration, either at startup or when reconfigured. SNMP notifications will now be missed.
Recommended Action Check the error-message and change the configuration.
Clear Condition(s) This alarm will be cleared when the NCS is configured to successfully receive SNMP notifications
Alarm Message(s)
- Configuration has errors.

revision-error

Initial Perceived Severity major
Description A managed device arrived with a known module, but too new revision.
Recommended Action Upgrade the Device NED using the new YANG revision in order to use the new features in the device.
Clear Condition(s) If all device yang modules are supported by NCS, the alarm is cleared.
Alarm Message(s)
- The device has YANG module revisions not supported by NCS. Use the /devices/device/check-yang-modules action to check which modules that are not compatible.

service-activation-failure

Initial Perceived Severity critical
Description A service failed during re-deploy.
Recommended Action Corrective action and another re-deploy is needed.
Clear Condition(s) If the service is successfully redeployed, the alarm is cleared.
Alarm Message(s)
- Multiple device errors: {str}

time-violation-alarm

Description Base type for all alarms related to time violations. This is never reported, sub-identities for the specific time violation alarms are used in the alarms.

transaction-lock-time-violation

Initial Perceived Severity warning
Description The transaction lock time exceeded its threshold and might be stuck in the critical section. This threshold is configured in /ncs-config/transaction-lock-time-violation-alarm/timeout.
Recommended Action Investigate if the transaction is stuck and possibly interrupt it by closing the user session which it is attached to.
Clear Condition(s) This alarm is cleared when the transaction has finished.
Alarm Message(s)
- Transaction lock time exceeded threshold.

Alarm Types

alarm-type
    certificate-expiration
    ha-alarm
        ha-node-down-alarm
            ha-primary-down
            ha-secondary-down
    ncs-cluster-alarm
        cluster-subscriber-failure
    ncs-dev-manager-alarm
        abort-error
        bad-user-input
        commit-through-queue-blocked
        commit-through-queue-failed
        commit-through-queue-failed-transiently
        commit-through-queue-rollback-failed
        configuration-error
        connection-failure
        final-commit-error
        missing-transaction-id
        ned-live-tree-connection-failure
        out-of-sync
        revision-error
    ncs-package-alarm
        package-load-failure
        package-operation-failure
    ncs-service-manager-alarm
        service-activation-failure
    ncs-snmp-notification-receiver-alarm
        receiver-configuration-error
    time-violation-alarm
        transaction-lock-time-violation

Alarm Type Descriptions

abort-error

Initial Perceived Severity major
Description An error happened while aborting or reverting a transaction. Device's configuration is likely to be inconsistent with the NCS CDB.
Recommended Action Inspect the configuration difference with compare-config, resolve conflicts with sync-from or sync-to if any.
Clear Condition(s) If NCS achieves sync with the device, or receives a transaction id for a netconf session towards the device, the alarm is cleared.
Alarm Message(s)
- Device {dev} is locked
- Device {dev} is southbound locked
- abort error

alarm-type

Description Base identity for alarm types. A unique identification of the fault, not including the managed object. Alarm types are used to identify if alarms indicate the same problem or not, for lookup into external alarm documentation, etc. Different managed object types and instances can share alarm types. If the same managed object reports the same alarm type, it is to be considered to be the same alarm. The alarm type is a simplification of the different X.733 and 3GPP alarm IRP alarm correlation mechanisms and it allows for hierarchical extensions. A 'specific-problem' can be used in addition to the alarm type in order to have different alarm types based on information not known at design-time, such as values in textual SNMP Notification varbinds.

bad-user-input

Initial Perceived Severity critical
Description Invalid input from user. NCS cannot recognize parameters needed to connect to device.
Recommended Action Verify that the user supplied input are correct.
Clear Condition(s) This alarm is not cleared.
Alarm Message(s)
- Resource {resource} doesn't exist

certificate-expiration

Description The certificate is nearing its expiry or has already expired. The severity depends on the time left to expiry, it ranges from warning to critical.
Recommended Action Replace certificate.
Clear Condition(s) This alarm is cleared when the certificate is no longer loaded.
Alarm Message(s)
- Certificate expires in less than {days} day(s)/Certificate has expired.

cluster-subscriber-failure

Initial Perceived Severity critical
Description Failure to establish a notification subscription towards a remote node.
Recommended Action Verify IP connectivity between cluster nodes.
Clear Condition(s) This alarm is cleared if NCS succeeds to establish a subscription towards the remote node, or when the subscription is explicitly stopped.
Alarm Message(s)
- Failed to establish netconf notification subscription to node ~s, stream ~s
- Commit queue items with remote nodes will not receive required event notifications.

commit-through-queue-blocked

Initial Perceived Severity warning
Description A commit was queued behind a queue item waiting to be able to connect to one of its devices. This is potentially dangerous since one unreachable device can potentially fill up the commit queue indefinitely.
Clear Condition(s) An alarm raised due to a transient error will be cleared when NCS is able to reconnect to the device.
Alarm Message(s)
- Commit queue item ~p is blocked because item ~p cannot connect to ~s

commit-through-queue-failed

Initial Perceived Severity critical
Description A queued commit failed.
Recommended Action Resolve with rollback if possible.
Clear Condition(s) This alarm is not cleared.
Alarm Message(s)
- Failed to authenticate towards device {device}: {reason}
- Device {dev} is locked
- {Reason}
- Device {dev} is southbound locked
- Commit queue item {CqId} rollback invoked
- Commit queue item {CqId} has failed: Operation failed because: inconsistent database
- Remote commit queue item ~p cannot be unlocked: cluster node not configured correctly

commit-through-queue-failed-transiently

Initial Perceived Severity critical
Description A queued commit failed as it exhausted its retry attempts on transient errors.
Recommended Action Resolve with rollback if possible.
Clear Condition(s) This alarm is not cleared.
Alarm Message(s)
- Failed to connect to device {dev}: {reason}
- Connection to {dev} timed out
- Failed to authenticate towards device {device}: {reason}
- The configuration database is locked for device {dev}: {reason}
- the configuration database is locked by session {id} {identification}
- the configuration database is locked by session {id} {identification}
- {Dev}: Device is locked in a {Op} operation by session {session-id}
- resource denied
- Commit queue item {CqId} rollback invoked
- Commit queue item {CqId} has failed: Operation failed because: inconsistent database
- Remote commit queue item ~p cannot be unlocked: cluster node not configured correctly

commit-through-queue-rollback-failed

Initial Perceived Severity critical
Description Rollback of a commit-queue item failed.
Recommended Action Investigate the status of the device and resolve the situation by issuing the appropriate action, i.e., service redeploy or a sync operation.
Clear Condition(s) This alarm is not cleared.
Alarm Message(s)
- {Reason}

configuration-error

Initial Perceived Severity critical
Description Invalid configuration of NCS managed device, NCS cannot recognize parameters needed to connect to device.
Recommended Action Verify that the configuration parameters defined in tailf-ncs-devices.yang submodule are consistent for this device.
Clear Condition(s) The alarm is cleared when NCS reads the configuration parameters for the device, and is raised again if the parameters are invalid.
Alarm Message(s)
- Failed to resolve IP address for {dev}
- the configuration database is locked by session {id} {identification}
- {Reason}
- Resource {resource} doesn't exist

connection-failure

Initial Perceived Severity major
Description NCS failed to connect to a managed device before the timeout expired.
Recommended Action Verify address, port, authentication, check that the device is up and running. If the error occurs intermittently, increase connect-timeout.
Clear Condition(s) If NCS successfully reconnects to the device, the alarm is cleared.
Alarm Message(s)
- The connection to {dev} was closed
- Failed to connect to device {dev}: {reason}

final-commit-error

Initial Perceived Severity critical
Description A managed device validated a configuration change, but failed to commit. When this happens, NCS and the device are out of sync.
Recommended Action Reconcile by comparing and sync-from or sync-to.
Clear Condition(s) If NCS achieves sync with a device, the alarm is cleared.
Alarm Message(s)
- The connection to {dev} was closed
- External error in the NED implementation for device {dev}: {reason}
- Internal error in the NED NCS framework affecting device {dev}: {reason}

ha-alarm

Description Base type for all alarms related to high availablity. This is never reported, sub-identities for the specific high availability alarms are used in the alarms.

ha-node-down-alarm

Description Base type for all alarms related to nodes going down in high availablity. This is never reported, sub-identities for the specific node down alarms are used in the alarms.

ha-primary-down

Initial Perceived Severity critical
Description The node lost the connection to the primary node.
Recommended Action Make sure the HA cluster is operational, investigate why the primary went down and bring it up again.
Clear Condition(s) This alarm is never automatically cleared and has to be cleared manually when the HA cluster has been restored.
Alarm Message(s)
- Lost connection to primary due to: Primary closed connection
- Lost connection to primary due to: Tick timeout
- Lost connection to primary due to: code {Code}

ha-secondary-down

Initial Perceived Severity critical
Description The node lost the connection to a secondary node.
Recommended Action Investigate why the secondary node went down, fix the connectivity issue and reconnect the secondary to the HA cluster.
Clear Condition(s) This alarm is cleared when the secondary node is reconnected to the HA cluster.
Alarm Message(s)
- Lost connection to secondary

missing-transaction-id

Initial Perceived Severity warning
Description A device announced in its NETCONF hello message that it supports the transaction-id as defined in http://tail-f.com/yang/netconf-monitoring. However when NCS tries to read the transaction-id no data is returned. The NCS check-sync feature will not work. This is usually a case of misconfigured NACM rules on the managed device.
Recommended Action Verify NACM rules on the concerned device.
Clear Condition(s) If NCS successfully reads a transaction id for which it had previously failed to do so, the alarm is cleared.
Alarm Message(s)
- {Reason}

ncs-cluster-alarm

Description Base type for all alarms related to cluster. This is never reported, sub-identities for the specific cluster alarms are used in the alarms.

ncs-dev-manager-alarm

Description Base type for all alarms related to the device manager This is never reported, sub-identities for the specific device alarms are used in the alarms.

ncs-package-alarm

Description Base type for all alarms related to packages. This is never reported, sub-identities for the specific package alarms are used in the alarms.

ncs-service-manager-alarm

Description Base type for all alarms related to the service manager This is never reported, sub-identities for the specific service alarms are used in the alarms.

ncs-snmp-notification-receiver-alarm

Description Base type for SNMP notification receiver Alarms. This is never reported, sub-identities for specific SNMP notification receiver alarms are used in the alarms.

ned-live-tree-connection-failure

Initial Perceived Severity major
Description NCS failed to connect to a managed device using one of the optional live-status-protocol NEDs.
Recommended Action Verify the configuration of the optional NEDs. If the error occurs intermittently, increase connect-timeout.
Clear Condition(s) If NCS successfully reconnects to the managed device, the alarm is cleared.
Alarm Message(s)
- The connection to {dev} was closed
- Failed to connect to device {dev}: {reason}

out-of-sync

Initial Perceived Severity major
Description A managed device is out of sync with NCS. Usually it means that the device has been configured out of band from NCS point of view.
Recommended Action Inspect the difference with compare-config, reconcile by invoking sync-from or sync-to.
Clear Condition(s) If NCS achieves sync with a device, the alarm is cleared.
Alarm Message(s)
- Device {dev} is out of sync
- Out of sync due to no-networking or failed commit-queue commits.
- got: ~s expected: ~s.

package-load-failure

Initial Perceived Severity critical
Description NCS failed to load a package.
Recommended Action Check the package for the reason.
Clear Condition(s) If NCS successfully loads a package for which an alarm was previously raised, it will be cleared.
Alarm Message(s)
- failed to open file {file}: {str}
- Specific to the concerned package.

package-operation-failure

Initial Perceived Severity critical
Description A package has some problem with its operation.
Recommended Action Check the package for the reason.
Clear Condition(s) This alarm is not cleared.

receiver-configuration-error

Initial Perceived Severity major
Description The snmp-notification-receiver could not setup its configuration, either at startup or when reconfigured. SNMP notifications will now be missed.
Recommended Action Check the error-message and change the configuration.
Clear Condition(s) This alarm will be cleared when the NCS is configured to successfully receive SNMP notifications
Alarm Message(s)
- Configuration has errors.

revision-error

Initial Perceived Severity major
Description A managed device arrived with a known module, but too new revision.
Recommended Action Upgrade the Device NED using the new YANG revision in order to use the new features in the device.
Clear Condition(s) If all device yang modules are supported by NCS, the alarm is cleared.
Alarm Message(s)
- The device has YANG module revisions not supported by NCS. Use the /devices/device/check-yang-modules action to check which modules that are not compatible.

service-activation-failure

Initial Perceived Severity critical
Description A service failed during re-deploy.
Recommended Action Corrective action and another re-deploy is needed.
Clear Condition(s) If the service is successfully redeployed, the alarm is cleared.
Alarm Message(s)
- Multiple device errors: {str}

time-violation-alarm

Description Base type for all alarms related to time violations. This is never reported, sub-identities for the specific time violation alarms are used in the alarms.

transaction-lock-time-violation

Initial Perceived Severity warning
Description The transaction lock time exceeded its threshold and might be stuck in the critical section. This threshold is configured in /ncs-config/transaction-lock-time-violation-alarm/timeout.
Recommended Action Investigate if the transaction is stuck and possibly interrupt it by closing the user session which it is attached to.
Clear Condition(s) This alarm is cleared when the transaction has finished.
Alarm Message(s)
- Transaction lock time exceeded threshold.

Log Messages and Formats

AAA_LOAD_FAIL

Severity CRIT
Description Failed to load the AAA data, it could be that an external db is misbehaving or AAA is mounted/populated badly
Format String "Failed to load AAA: ~s"

ABORT_CAND_COMMIT

Severity INFO
Description Aborting candidate commit, request from user, reverting configuration.
Format String "Aborting candidate commit, request from user, reverting configuration."

ABORT_CAND_COMMIT_REBOOT

Severity INFO
Description ConfD restarted while having a ongoing candidate commit timer, reverting configuration.
Format String "ConfD restarted while having a ongoing candidate commit timer, reverting configuration."

ABORT_CAND_COMMIT_TERM

Severity INFO
Description Candidate commit session terminated, reverting configuration.
Format String "Candidate commit session terminated, reverting configuration."

ABORT_CAND_COMMIT_TIMER

Severity INFO
Description Candidate commit timer expired, reverting configuration.
Format String "Candidate commit timer expired, reverting configuration."

ACCEPT_FATAL

Severity CRIT
Description ConfD encountered an OS-specific error indicating that networking support is unavailable.
Format String "Fatal error for accept() - ~s"

ACCEPT_FDLIMIT

Severity CRIT
Description ConfD failed to accept a connection due to reaching the process or system-wide file descriptor limit.
Format String "Out of file descriptors for accept() - ~s limit reached"

AUTH_LOGIN_FAIL

Severity INFO
Description A user failed to log in to ConfD.
Format String "login failed via ~s from ~s with ~s: ~s"

AUTH_LOGIN_SUCCESS

Severity INFO
Description A user logged into ConfD.
Format String "logged in via ~s from ~s with ~s using ~s authentication"

AUTH_LOGOUT

Severity INFO
Description A user was logged out from ConfD.
Format String "logged out <~s> user"

BADCONFIG

Severity CRIT
Description confd.conf contained bad data.
Format String "Bad configuration: ~s:~s: ~s"

BAD_DEPENDENCY

Severity ERR
Description A dependency was not found
Format String "The dependency node '~s' for node '~s' in module '~s' does not exist"

BAD_NS_HASH

Severity CRIT
Description Two namespaces have the same hash value. The namespace hashvalue MUST be unique. You can pass the flag --nshash to confdc when linking the .xso files to force another value for the namespace hash.
Format String "~s"

BIND_ERR

Severity CRIT
Description ConfD failed to bind to one of the internally used listen sockets.
Format String "~s"

BRIDGE_DIED

Severity ERR
Description ConfD is configured to start the confd_aaa_bridge and the C program died.
Format String "confd_aaa_bridge died - ~s"

CANDIDATE_BAD_FILE_FORMAT

Severity WARNING
Description The candidate database file has a bad format. The candidate database is reset to the empty database.
Format String "Bad format found in candidate db file ~s; resetting candidate"

CANDIDATE_CORRUPT_FILE

Severity WARNING
Description The candidate database file is corrupt and cannot be read. The candidate database is reset to the empty database.
Format String "Corrupt candidate db file ~s; resetting candidate"

CAND_COMMIT_ROLLBACK_DONE

Severity INFO
Description Candidate commit rollback done
Format String "Candidate commit rollback done"

CAND_COMMIT_ROLLBACK_FAILURE

Severity ERR
Description Failed to rollback candidate commit
Format String "Failed to rollback candidate commit due to: ~s"

CDB_BOOT_ERR

Severity CRIT
Description CDB failed to start. Some grave error in the cdb data files prevented CDB from starting - a recovery from backup is necessary.
Format String "CDB boot error: ~s"

CDB_CLIENT_TIMEOUT

Severity ERR
Description A CDB client failed to answer within the timeout period. The client will be disconnected.
Format String "CDB client (~s) timed out, waiting for ~s"

CDB_CONFIG_LOST

Severity INFO
Description CDB found it's data files but no schema file. CDB recovers by starting from an empty database.
Format String "CDB: lost config, deleting DB"

CDB_DB_LOST

Severity INFO
Description CDB found it's data schema file but not it's data file. CDB recovers by starting from an empty database.
Format String "CDB: lost DB, deleting old config"

CDB_FATAL_ERROR

Severity CRIT
Description CDB encounterad an unrecoverable error
Format String "fatal error in CDB: ~s"

CDB_INIT_LOAD

Severity INFO
Description CDB is processing an initialization file.
Format String "CDB load: processing file: ~s"

CDB_OP_INIT

Severity ERR
Description The operational DB was deleted and re-initialized (because of upgrade or corrupt file)
Format String "CDB: Operational DB re-initialized"

CDB_UPGRADE_FAILED

Severity ERR
Description Automatic CDB upgrade failed. This means that the data model has been changed in a non-supported way.
Format String "CDB: Upgrade failed: ~s"

CGI_REQUEST

Severity INFO
Description CGI script requested.
Format String "CGI: '~s' script with method ~s"

CLI_CMD

Severity INFO
Description User executed a CLI command.
Format String "CLI '~s'"

CLI_CMD_ABORTED

Severity INFO
Description CLI command aborted.
Format String "CLI aborted"

CLI_CMD_DONE

Severity INFO
Description CLI command finished successfully.
Format String "CLI done"

CLI_DENIED

Severity INFO
Description User was denied to execute a CLI command due to permissions.
Format String "CLI denied '~s'"

COMMIT_INFO

Severity INFO
Description Information about configuration changes committed to the running data store.
Format String "commit ~s"

COMMIT_QUEUE_CORRUPT

Severity ERR
Description Failed to load commit queue. ConfD recovers by starting from an empty commit queue.
Format String "Resetting commit queue due do inconsistent or corrupt data."

CONFIG_CHANGE

Severity INFO
Description A change to ConfD configuration has taken place, e.g., by a reload of the configuration file
Format String "ConfD configuration change: ~s"

CONFIG_TRANSACTION_LIMIT

Severity INFO
Description Configuration transaction limit reached, rejected new transaction request.
Format String "Configuration transaction limit of type '~s' reached, rejected new transaction request"

CONSULT_FILE

Severity INFO
Description ConfD is reading its configuration file.
Format String "Consulting daemon configuration file ~s"

DAEMON_DIED

Severity CRIT
Description An external database daemon closed its control socket.
Format String "Daemon ~s died"

DAEMON_TIMEOUT

Severity CRIT
Description An external database daemon did not respond to a query.
Format String "Daemon ~s timed out"

DEVEL_AAA

Severity INFO
Description Developer aaa log message
Format String "~s"

DEVEL_CAPI

Severity INFO
Description Developer C api log message
Format String "~s"

DEVEL_CDB

Severity INFO
Description Developer CDB log message
Format String "~s"

DEVEL_CONFD

Severity INFO
Description Developer ConfD log message
Format String "~s"

DEVEL_ECONFD

Severity INFO
Description Developer econfd api log message
Format String "~s"

DEVEL_SLS

Severity INFO
Description Developer smartlicensing api log message
Format String "~s"

DEVEL_SNMPA

Severity INFO
Description Developer snmp agent log message
Format String "~s"

DEVEL_SNMPGW

Severity INFO
Description Developer snmp GW log message
Format String "~s"

DEVEL_WEBUI

Severity INFO
Description Developer webui log message
Format String "~s"

DUPLICATE_NAMESPACE

Severity CRIT
Description Duplicate namespace found.
Format String "The namespace ~s is defined in both module ~s and ~s."

DUPLICATE_PREFIX

Severity CRIT
Description Duplicate prefix found.
Format String "The prefix ~s is defined in both ~s and ~s."

ERRLOG_SIZE_CHANGED

Severity INFO
Description Notify change of log size for error log
Format String "Changing size of error log (~s) to ~s (was ~s)"

EVENT_SOCKET_TIMEOUT

Severity CRIT
Description An event notification subscriber did not reply within the configured timeout period
Format String "Event notification subscriber with bitmask ~s timed out, waiting for ~s"

EVENT_SOCKET_WRITE_BLOCK

Severity CRIT
Description Write on an event socket blocked for too long time
Format String "~s"

EXEC_WHEN_CIRCULAR_DEPENDENCY

Severity WARNING
Description An error occurred while evaluating a when-expression.
Format String "When-expression evaluation error: circular dependency in ~s"

EXTAUTH_BAD_RET

Severity ERR
Description Authentication is external and the external program returned badly formatted data.
Format String "External auth program (user=~s) ret bad output: ~s"

EXT_AUTH_2FA

Severity INFO
Description External challenge sent to a user.
Format String "external challenge sent to ~s from ~s with ~s"

EXT_AUTH_2FA_FAIL

Severity INFO
Description External challenge authentication failed for a user.
Format String "external challenge authentication failed via ~s from ~s with ~s: ~s"

EXT_AUTH_2FA_SUCCESS

Severity INFO
Description An external challenge authenticated user logged in.
Format String "external challenge authentication succeeded via ~s from ~s with ~s, member of groups: ~s~s"

EXT_AUTH_FAIL

Severity INFO
Description External authentication failed for a user.
Format String "external authentication failed via ~s from ~s with ~s: ~s"

EXT_AUTH_SUCCESS

Severity INFO
Description An externally authenticated user logged in.
Format String "external authentication succeeded via ~s from ~s with ~s, member of groups: ~s~s"

EXT_AUTH_TOKEN_FAIL

Severity INFO
Description External token authentication failed for a user.
Format String "external token authentication failed via ~s from ~s with ~s: ~s"

EXT_AUTH_TOKEN_SUCCESS

Severity INFO
Description An externally token authenticated user logged in.
Format String "external token authentication succeeded via ~s from ~s with ~s, member of groups: ~s~s"

EXT_BIND_ERR

Severity CRIT
Description ConfD failed to bind to one of the externally visible listen sockets.
Format String "~s"

FILE_ERROR

Severity CRIT
Description File error
Format String "~s: ~s"

FILE_LOAD

Severity DEBUG
Description System loaded a file.
Format String "Loaded file ~s"

FILE_LOADING

Severity DEBUG
Description System starts to load a file.
Format String "Loading file ~s"

FILE_LOAD_ERR

Severity CRIT
Description System tried to load a file in its load path and failed.
Format String "Failed to load file ~s: ~s"

FXS_MISMATCH

Severity ERR
Description A secondary connected to a primary where the fxs files are different
Format String "Fxs mismatch, secondary is not allowed"

GROUP_ASSIGN

Severity INFO
Description A user was assigned to a set of groups.
Format String "assigned to groups: ~s"

GROUP_NO_ASSIGN

Severity INFO
Description A user was logged in but wasn't assigned to any groups at all.
Format String "Not assigned to any groups - all access is denied"

HA_BAD_VSN

Severity ERR
Description A secondary connected to a primary with an incompatible HA protocol version
Format String "Incompatible HA version (~s, expected ~s), secondary is not allowed"

HA_DUPLICATE_NODEID

Severity ERR
Description A secondary arrived with a node id which already exists
Format String "Nodeid ~s already exists"

HA_FAILED_CONNECT

Severity ERR
Description An attempted library become secondary call failed because the secondary couldn't connect to the primary
Format String "Failed to connect to primary: ~s"

HA_SECONDARY_KILLED

Severity ERR
Description A secondary node didn't produce its ticks
Format String "Secondary ~s killed due to no ticks"

INTERNAL_ERROR

Severity CRIT
Description A ConfD internal error - should be reported to support@tail-f.com.
Format String "Internal error: ~s"

JIT_ENABLED

Severity INFO
Description Show if JIT is enabled.
Format String "JIT ~s"

JSONRPC_LOG_MSG

Severity INFO
Description JSON-RPC traffic log message
Format String "JSON-RPC traffic log: ~s"

JSONRPC_REQUEST

Severity INFO
Description JSON-RPC method requested.
Format String "JSON-RPC: '~s' with JSON params ~s"

JSONRPC_REQUEST_ABSOLUTE_TIMEOUT

Severity INFO
Description JSON-RPC absolute timeout.
Format String "Stopping session due to absolute timeout: ~s"

JSONRPC_REQUEST_IDLE_TIMEOUT

Severity INFO
Description JSON-RPC idle timeout.
Format String "Stopping session due to idle timeout: ~s"

JSONRPC_WARN_MSG

Severity WARNING
Description JSON-RPC warning message
Format String "JSON-RPC warning: ~s"

KICKER_MISSING_SCHEMA

Severity INFO
Description Failed to load kicker schema
Format String "Failed to load kicker schema"

LIB_BAD_SIZES

Severity ERR
Description An application connecting to ConfD used a library version that can't handle the depth and number of keys used by the data model.
Format String "Got connect from library with insufficient keypath depth/keys support (~s/~s, needs ~s/~s)"

LIB_BAD_VSN

Severity ERR
Description An application connecting to ConfD used a library version that doesn't match the ConfD version (e.g. old version of the client library).
Format String "Got library connect from wrong version (~s, expected ~s)"

LIB_NO_ACCESS

Severity ERR
Description Access check failure occurred when an application connected to ConfD.
Format String "Got library connect with failed access check: ~s"

LISTENER_INFO

Severity INFO
Description ConfD starts or stops to listen for incoming connections.
Format String "~s to listen for ~s on ~s:~s"

LOCAL_AUTH_FAIL

Severity INFO
Description Authentication for a locally configured user failed.
Format String "local authentication failed via ~s from ~s with ~s: ~s"

LOCAL_AUTH_FAIL_BADPASS

Severity INFO
Description Authentication for a locally configured user failed due to providing bad password.
Format String "local authentication failed via ~s from ~s with ~s: ~s"

LOCAL_AUTH_FAIL_NOUSER

Severity INFO
Description Authentication for a locally configured user failed due to user not found.
Format String "local authentication failed via ~s from ~s with ~s: ~s"

LOCAL_AUTH_SUCCESS

Severity INFO
Description A locally authenticated user logged in.
Format String "local authentication succeeded via ~s from ~s with ~s, member of groups: ~s"

LOGGING_DEST_CHANGED

Severity INFO
Description The target logfile will change to another file
Format String "Changing destination of ~s log to ~s"

LOGGING_SHUTDOWN

Severity INFO
Description Logging subsystem terminating
Format String "Daemon logging terminating, reason: ~s"

LOGGING_STARTED

Severity INFO
Description Logging subsystem started
Format String "Daemon logging started"

LOGGING_STARTED_TO

Severity INFO
Description Write logs for a subsystem to a specific file
Format String "Writing ~s log to ~s"

LOGGING_STATUS_CHANGED

Severity INFO
Description Notify a change of logging status (enabled/disabled) for a subsystem
Format String "~s ~s log"

LOGIN_REJECTED

Severity INFO
Description Authentication for a user was rejected by application callback.
Format String "~s"

MAAPI_LOGOUT

Severity INFO
Description A maapi user was logged out.
Format String "Logged out from maapi ctx=~s (~s)"

MAAPI_WRITE_TO_SOCKET_FAIL

Severity INFO
Description maapi failed to write to a socket.
Format String "maapi server failed to write to a socket. Op: ~s Ecode: ~s Error: ~s~s"

MISSING_AES256CFB128_SETTINGS

Severity ERR
Description AES256CFB128 keys were not found in confd.conf
Format String "AES256CFB128 keys were not found in confd.conf"

MISSING_AESCFB128_SETTINGS

Severity ERR
Description AESCFB128 keys were not found in confd.conf
Format String "AESCFB128 keys were not found in confd.conf"

MISSING_DES3CBC_SETTINGS

Severity ERR
Description DES3CBC keys were not found in confd.conf
Format String "DES3CBC keys were not found in confd.conf"

MISSING_NS

Severity CRIT
Description While validating the consistency of the config - a required namespace was missing.
Format String "The namespace ~s could not be found in the loadPath."

MISSING_NS2

Severity CRIT
Description While validating the consistency of the config - a required namespace was missing.
Format String "The namespace ~s (referenced by ~s) could not be found in the loadPath."

MMAP_SCHEMA_FAIL

Severity ERR
Description Failed to setup the shared memory schema
Format String "Failed to setup the shared memory schema"

NETCONF

Severity INFO
Description NETCONF traffic log message
Format String "~s"

NETCONF_HDR_ERR

Severity ERR
Description The cleartext header indicating user and groups was badly formatted.
Format String "Got bad NETCONF TCP header"

NIF_LOG

Severity INFO
Description Log message from NIF code.
Format String "~s: ~s"

NOAAA_CLI_LOGIN

Severity INFO
Description A user used the --noaaa flag to confd_cli
Format String "logged in from the CLI with aaa disabled"

NOTIFICATION_REPLAY_STORE_FAILURE

Severity CRIT
Description A failure occurred in the builtin notification replay store
Format String "~s"

NO_CALLPOINT

Severity CRIT
Description ConfD tried to populate an XML tree but no code had registered under the relevant callpoint.
Format String "no registration found for callpoint ~s of type=~s"

NO_SUCH_IDENTITY

Severity CRIT
Description The fxs file with the base identity is not loaded
Format String "The identity ~s in namespace ~s refers to a non-existing base identity ~s in namespace ~s"

NO_SUCH_NS

Severity CRIT
Description A nonexistent namespace was referred to. Typically this means that a .fxs was missing from the loadPath.
Format String "No such namespace ~s, used by ~s"

NO_SUCH_TYPE

Severity CRIT
Description A nonexistent type was referred to from a ns. Typically this means that a bad version of an .fxs file was found in the loadPath.
Format String "No such simpleType '~s' in ~s, used by ~s"

NS_LOAD_ERR

Severity CRIT
Description System tried to process a loaded namespace and failed.
Format String "Failed to process namespace ~s: ~s"

NS_LOAD_ERR2

Severity CRIT
Description System tried to process a loaded namespace and failed.
Format String "Failed to process namespaces: ~s"

OPEN_LOGFILE

Severity INFO
Description Indicate target file for certain type of logging
Format String "Logging subsystem, opening log file '~s' for ~s"

PAM_AUTH_FAIL

Severity INFO
Description A user failed to authenticate through PAM.
Format String "PAM authentication failed via ~s from ~s with ~s: phase ~s, ~s"

PAM_AUTH_SUCCESS

Severity INFO
Description A PAM authenticated user logged in.
Format String "pam authentication succeeded via ~s from ~s with ~s"

PHASE0_STARTED

Severity INFO
Description ConfD has just started its start phase 0.
Format String "ConfD phase0 started"

PHASE1_STARTED

Severity INFO
Description ConfD has just started its start phase 1.
Format String "ConfD phase1 started"

READ_STATE_FILE_FAILED

Severity CRIT
Description Reading of a state file failed
Format String "Reading state file failed: ~s: ~s (~s)"

RELOAD

Severity INFO
Description Reload of daemon configuration has been initiated.
Format String "Reloading daemon configuration."

REOPEN_LOGS

Severity INFO
Description Logging subsystem, reopening log files
Format String "Logging subsystem, reopening log files"

RESTCONF_REQUEST

Severity INFO
Description RESTCONF request
Format String "RESTCONF: request with ~s: ~s"

RESTCONF_RESPONSE

Severity INFO
Description RESTCONF response
Format String "RESTCONF: response with ~s: ~s duration ~s us"

REST_AUTH_FAIL

Severity INFO
Description Rest authentication for a user failed.
Format String "rest authentication failed from ~s"

REST_AUTH_SUCCESS

Severity INFO
Description A rest authenticated user logged in.
Format String "rest authentication succeeded from ~s , member of groups: ~s"

REST_REQUEST

Severity INFO
Description REST request
Format String "REST: request with ~s: ~s"

REST_RESPONSE

Severity INFO
Description REST response
Format String "REST: response with ~s: ~s duration ~s ms"

ROLLBACK_FAIL_CREATE

Severity ERR
Description Error while creating rollback file.
Format String "Error while creating rollback file: ~s: ~s"

ROLLBACK_FAIL_DELETE

Severity ERR
Description Failed to delete rollback file.
Format String "Failed to delete rollback file ~s: ~s"

ROLLBACK_FAIL_RENAME

Severity ERR
Description Failed to rename rollback file.
Format String "Failed to rename rollback file ~s to ~s: ~s"

ROLLBACK_FAIL_REPAIR

Severity ERR
Description Failed to repair rollback files.
Format String "Failed to repair rollback files."

ROLLBACK_REMOVE

Severity INFO
Description Found half created rollback0 file - removing and creating new.
Format String "Found half created rollback0 file - removing and creating new"

ROLLBACK_REPAIR

Severity INFO
Description Found half created rollback0 file - repairing.
Format String "Found half created rollback0 file - repairing"

SESSION_CREATE

Severity INFO
Description A new user session was created
Format String "created new session via ~s from ~s with ~s"

SESSION_LIMIT

Severity INFO
Description Session limit reached, rejected new session request.
Format String "Session limit of type '~s' reached, rejected new session request"

SESSION_MAX_EXCEEDED

Severity INFO
Description A user failed to create a new user sessions due to exceeding sessions limits
Format String "could not create new session via ~s from ~s with ~s due to session limits"

SESSION_TERMINATION

Severity INFO
Description A user session was terminated due to specified reason
Format String "terminated session (reason: ~s)"

SKIP_FILE_LOADING

Severity DEBUG
Description System skips a file.
Format String "Skipping file ~s: ~s"

SNMP_AUTHENTICATION_FAILED

Severity INFO
Description An SNMP authentication failed.
Format String "SNMP authentication failed: ~s"

SNMP_CANT_LOAD_MIB

Severity CRIT
Description The SNMP Agent failed to load a MIB file
Format String "Can't load MIB file: ~s"

SNMP_MIB_LOADING

Severity DEBUG
Description SNMP Agent loading a MIB file
Format String "Loading MIB: ~s"

SNMP_NOT_A_TRAP

Severity INFO
Description An UDP package was received on the trap receiving port, but it's not an SNMP trap.
Format String "SNMP gateway: Non-trap received from ~s"

SNMP_READ_STATE_FILE_FAILED

Severity CRIT
Description Read SNMP agent state file failed
Format String "Read state file failed: ~s: ~s"

SNMP_REQUIRES_CDB

Severity WARNING
Description The SNMP agent requires CDB to be enabled in order to be started.
Format String "Can't start SNMP. CDB is not enabled"

SNMP_TRAP_NOT_FORWARDED

Severity INFO
Description An SNMP trap was to be forwarded, but couldn't be.
Format String "SNMP gateway: Can't forward trap from ~s; ~s"

SNMP_TRAP_NOT_RECOGNIZED

Severity INFO
Description An SNMP trap was received on the trap receiving port, but its definition is not known
Format String "SNMP gateway: Can't forward trap with OID ~s from ~s; There is no notification with this OID in the loaded models."

SNMP_TRAP_OPEN_PORT

Severity ERR
Description The port for listening to SNMP traps could not be opened.
Format String "SNMP gateway: Can't open trap listening port ~s: ~s"

SNMP_TRAP_UNKNOWN_SENDER

Severity INFO
Description An SNMP trap was to be forwarded, but the sender was not listed in confd.conf.
Format String "SNMP gateway: Not forwarding trap from ~s; the sender is not recognized"

SNMP_TRAP_V1

Severity INFO
Description An SNMP v1 trap was received on the trap receiving port, but forwarding v1 traps is not supported.
Format String "SNMP gateway: V1 trap received from ~s"

SNMP_WRITE_STATE_FILE_FAILED

Severity WARNING
Description Write SNMP agent state file failed
Format String "Write state file failed: ~s: ~s"

SSH_HOST_KEY_UNAVAILABLE

Severity ERR
Description No SSH host keys available.
Format String "No SSH host keys available"

SSH_SUBSYS_ERR

Severity INFO
Description Typically errors where the client doesn't properly send the "subsystem" command.
Format String "ssh protocol subsys - ~s"

STARTED

Severity INFO
Description ConfD has started.
Format String "ConfD started vsn: ~s"

STARTING

Severity INFO
Description ConfD is starting.
Format String "Starting ConfD vsn: ~s"

STOPPING

Severity INFO
Description ConfD is stopping (due to e.g. confd --stop).
Format String "ConfD stopping (~s)"

TOKEN_MISMATCH

Severity ERR
Description A secondary connected to a primary with a bad auth token
Format String "Token mismatch, secondary is not allowed"

UPGRADE_ABORTED

Severity INFO
Description In-service upgrade was aborted.
Format String "Upgrade aborted"

UPGRADE_COMMITTED

Severity INFO
Description In-service upgrade was committed.
Format String "Upgrade committed"

UPGRADE_INIT_STARTED

Severity INFO
Description In-service upgrade initialization has started.
Format String "Upgrade init started"

UPGRADE_INIT_SUCCEEDED

Severity INFO
Description In-service upgrade initialization succeeded.
Format String "Upgrade init succeeded"

UPGRADE_PERFORMED

Severity INFO
Description In-service upgrade has been performed (not committed yet).
Format String "Upgrade performed"

WEBUI_LOG_MSG

Severity INFO
Description WebUI access log message
Format String "WebUI access log: ~s"

WEB_ACTION

Severity INFO
Description User executed a Web UI action.
Format String "WebUI action '~s'"

WEB_CMD

Severity INFO
Description User executed a Web UI command.
Format String "WebUI cmd '~s'"

WEB_COMMIT

Severity INFO
Description User performed Web UI commit.
Format String "WebUI commit ~s"

WRITE_STATE_FILE_FAILED

Severity CRIT
Description Writing of a state file failed
Format String "Writing state file failed: ~s: ~s (~s)"

XPATH_EVAL_ERROR1

Severity WARNING
Description An error occurred while evaluating an XPath expression.
Format String "XPath evaluation error: ~s for ~s"

XPATH_EVAL_ERROR2

Severity WARNING
Description An error occurred while evaluating an XPath expression.
Format String "XPath evaluation error: '~s' resulted in ~s for ~s"

COMMIT_UN_SYNCED_DEV

Severity INFO
Description Data was committed toward a device with bad or unknown sync state
Format String "Committed data towards device ~s which is out of sync"

NCS_DEVICE_OUT_OF_SYNC

Severity INFO
Description A check-sync action reported out-of-sync for a device
Format String "NCS device-out-of-sync Device '~s' Info '~s'"

NCS_JAVA_VM_FAIL

Severity ERR
Description The NCS Java VM failure/timeout
Format String "The NCS Java VM ~s"

NCS_JAVA_VM_START

Severity INFO
Description Starting the NCS Java VM
Format String "Starting the NCS Java VM"

NCS_PACKAGE_AUTH_BAD_RET

Severity ERR
Description Package authentication program returned badly formatted data.
Format String "package authentication using ~s program ret bad output: ~s"

NCS_PACKAGE_AUTH_FAIL

Severity INFO
Description Package authentication failed.
Format String "package authentication using ~s failed via ~s from ~s with ~s: ~s"

NCS_PACKAGE_AUTH_SUCCESS

Severity INFO
Description A package authenticated user logged in.
Format String "package authentication using ~s succeeded via ~s from ~s with ~s, member of groups: ~s~s"

NCS_PACKAGE_BAD_DEPENDENCY

Severity CRIT
Description Bad NCS package dependency
Format String "Failed to load NCS package: ~s; required package ~s of version ~s is not present (found ~s)"

NCS_PACKAGE_BAD_NCS_VERSION

Severity CRIT
Description Bad NCS version for package
Format String "Failed to load NCS package: ~s; requires NCS version ~s"

NCS_PACKAGE_CHAL_2FA

Severity INFO
Description Package authentication challenge sent to a user.
Format String "package authentication challenge sent to ~s from ~s with ~s"

NCS_PACKAGE_CHAL_FAIL

Severity INFO
Description Package authentication challenge failed.
Format String "package authentication challenge using ~s failed via ~s from ~s with ~s: ~s"

NCS_PACKAGE_CIRCULAR_DEPENDENCY

Severity CRIT
Description Circular NCS package dependency
Format String "Failed to load NCS package: ~s; circular dependency found"

NCS_PACKAGE_COPYING

Severity DEBUG
Description A package is copied from the load path to private directory
Format String "Copying NCS package from ~s to ~s"

NCS_PACKAGE_DUPLICATE

Severity CRIT
Description Duplicate package found
Format String "Failed to load duplicate NCS package ~s: (~s)"

NCS_PACKAGE_SYNTAX_ERROR

Severity CRIT
Description Syntax error in package file
Format String "Failed to load NCS package: ~s; syntax error in package file"

NCS_PACKAGE_UPGRADE_ABORTED

Severity CRIT
Description The CDB upgrade was aborted implying that CDB is untouched. However the package state is changed
Format String "NCS package upgrade failed with reason '~s'"

NCS_PACKAGE_UPGRADE_UNSAFE

Severity CRIT
Description Package upgrade has been aborted due to warnings.
Format String "NCS package upgrade has been aborted due to warnings:\n~s"

NCS_PYTHON_VM_FAIL

Severity ERR
Description The NCS Python VM failure/timeout
Format String "The NCS Python VM ~s"

NCS_PYTHON_VM_START

Severity INFO
Description Starting the named NCS Python VM
Format String "Starting the NCS Python VM ~s"

NCS_PYTHON_VM_START_UPGRADE

Severity INFO
Description Starting a Python VM to run upgrade code
Format String "Starting upgrade of NCS Python package ~s"

NCS_SERVICE_OUT_OF_SYNC

Severity INFO
Description A check-sync action reported out-of-sync for a service
Format String "NCS service-out-of-sync Service '~s' Info '~s'"

NCS_SET_PLATFORM_DATA_ERROR

Severity ERR
Description The device failed to set the platform operational data at connect
Format String "NCS Device '~s' failed to set platform data Info '~s'"

NCS_SMART_LICENSING_ENTITLEMENT_NOTIFICATION

Severity INFO
Description Smart Licensing Entitlement Notification
Format String "Smart Licensing Entitlement Notification: ~s"

NCS_SMART_LICENSING_EVALUATION_COUNTDOWN

Severity INFO
Description Smart Licensing evaluation time remaining
Format String "Smart Licensing evaluation time remaining: ~s"

NCS_SMART_LICENSING_FAIL

Severity INFO
Description The NCS Smart Licensing Java VM failure/timeout
Format String "The NCS Smart Licensing Java VM ~s"

NCS_SMART_LICENSING_GLOBAL_NOTIFICATION

Severity INFO
Description Smart Licensing Global Notification
Format String "Smart Licensing Global Notification: ~s"

NCS_SMART_LICENSING_START

Severity INFO
Description Starting the NCS Smart Licensing Java VM
Format String "Starting the NCS Smart Licensing Java VM"

NCS_SNMPM_START

Severity INFO
Description Starting the NCS SNMP manager component
Format String "Starting the NCS SNMP manager component"

NCS_SNMPM_STOP

Severity INFO
Description The NCS SNMP manager component has been stopped
Format String "The NCS SNMP manager component has been stopped"

NCS_SNMP_INIT_ERR

Severity INFO
Description Failed to locate snmp_init.xml in loadpath
Format String "Failed to locate snmp_init.xml in loadpath ~s"

BAD_LOCAL_PASS

Severity INFO
Description A locally configured user provided a bad password.
Format String "Provided bad password"

EXT_LOGIN

Severity INFO
Description An externally authenticated user logged in.
Format String "Logged in over ~s using externalauth, member of groups: ~s~s"

EXT_NO_LOGIN

Severity INFO
Description External authentication failed for a user.
Format String "failed to login using externalauth: ~s"

NO_SUCH_LOCAL_USER

Severity INFO
Description A non existing local user tried to login.
Format String "no such local user"

PAM_LOGIN_FAILED

Severity INFO
Description A user failed to login through PAM.
Format String "pam phase ~s failed to login through PAM: ~s"

PAM_NO_LOGIN

Severity INFO
Description A user failed to login through PAM
Format String "failed to login through PAM: ~s"

SSH_LOGIN

Severity INFO
Description A user logged into ConfD's builtin ssh server.
Format String "logged in over ssh from ~s with authmeth:~s"

SSH_LOGOUT

Severity INFO
Description A user was logged out from ConfD's builtin ssh server.
Format String "Logged out ssh <~s> user"

SSH_NO_LOGIN

Severity INFO
Description A user failed to login to ConfD's builtin SSH server.
Format String "Failed to login over ssh: ~s"

WEB_LOGIN

Severity INFO
Description A user logged in through the WebUI.
Format String "logged in through Web UI from ~s"

WEB_LOGOUT

Severity INFO
Description A Web UI user logged out.
Format String "logged out from Web UI"

System Management

Perform NSO system management and configuration.

Starting NSO

When NSO is started, it reads its configuration file and starts all subsystems configured to start (such as NETCONF, CLI, etc.).

Licensing NSO

Configuring NSO

NSO is configured in the following two ways:

Through its configuration file, ncs.conf.
Through whatever data is configured at run-time over any northbound, for example, turning on trace using the CLI.

`ncs.conf` File

load-path: where NSO should look for compiled YANG files, such as data models for NEDs or Services.
db-dir: the directory on disk that CDB uses for its storage and any temporary files being used. It is also the directory where CDB searches for initialization files. This should be a local disk and not NFS mounted for performance reasons.
Various log settings.
AAA configuration.
Rollback file directory and history length.
Enabling north-bound interfaces like REST, and WebUI.
Enabling of High-Availability mode.

# ncs -c /etc/ncs/ncs.conf

However, in a System Install, the init script is typically used to start NSO, and it will pass the appropriate options to the ncs command. Thus NSO is started with the command:

# /etc/init.d/ncs start

It is possible to edit the ncs.conf file, and then tell NSO to reload the edited file without restarting the daemon as in:

# ncs --reload

This command also tells NSO to close and reopen all log files, which makes it suitable to use from a system like logrotate.

In this section, some of the important configuration settings will be described and discussed.

Exposed Interfaces

We strongly encourage you to review and customize the exposed interfaces to your needs in the ncs.conf configuration file. In particular, set:

/ncs-config/webui/match-host-name to true.
/ncs-config/webui/server-name to the hostname of the server.

If you decide to allow remote access to the web server, also make sure you use TLS-secured HTTPS instead of HTTP. Not doing so exposes you to security risks.

To additionally secure IPC access, refer to Restricting Access to the IPC port.

For more details on individual interfaces and their use, see Northbound APIs.

Dynamic Configuration

We summarize the most relevant parts below:

ncs@ncs(config)#
Possible completions:
  aaa                        AAA management, users and groups
  cluster                    Cluster configuration
  devices                    Device communication settings
  java-vm                    Control of the NCS Java VM
  nacm                       Access control
  packages                   Installed packages
  python-vm                  Control of the NCS Python VM
  services                   Global settings for services, (the services themselves might be augmented somewhere else)
  session                    Global default CLI session parameters
  snmp                       Top-level container for SNMP related configuration and status objects.
  snmp-notification-receiver Configure reception of SNMP notifications
  software                   Software management
  ssh                        Global SSH connection configuration

`tailf-ncs.yang` Module

tailf-common-monitoring2.yang and tailf-ncs-monitoring2.yang are two modules that are relevant to monitoring NSO.

Built-in or External SSH Server

Run-time Configuration

There are also configuration parameters that are more related to how NSO behaves when talking to the devices. These reside in devices global-settings.

admin@ncs(config)# devices global-settings
Possible completions:
  backlog-auto-run               Auto-run the backlog at successful connection
  backlog-enabled                Backlog requests to non-responding devices
  commit-queue
  commit-retries                 Retry commits on transient errors
  connect-timeout                Timeout in seconds for new connections
  ned-settings                   Control which device capabilities NCS uses
  out-of-sync-commit-behaviour   Specifies the behaviour of a commit operation involving a device that is out of sync with NCS.
  read-timeout                   Timeout in seconds used when reading data
  report-multiple-errors         By default, when the NCS device manager commits data southbound and when there are errors, we only
                                 report the first error to the operator, this flag makes NCS report all errors reported by managed
                                 devices
  trace                          Trace the southbound communication to devices
  trace-dir                      The directory where trace files are stored
  write-timeout                  Timeout in seconds used when writing
  data

User Management

Users are configured at the path aaa authentication users.

admin@ncs(config)# show full-configuration aaa authentication users user
aaa authentication users user admin
 uid        1000
 gid        1000
 password   $1$GNwimSPV$E82za8AaDxukAi8Ya8eSR.
 ssh_keydir /var/ncs/homes/admin/.ssh
 homedir    /var/ncs/homes/admin
!
aaa authentication users user oper
 uid        1000
 gid        1000
 password   $1$yOstEhXy$nYKOQgslCPyv9metoQALA.
 ssh_keydir /var/ncs/homes/oper/.ssh
 homedir    /var/ncs/homes/oper
!...

Access control, including group memberships, is managed using the NACM model (RFC 6536).

admin@ncs(config)# show full-configuration nacm
nacm write-default permit
nacm groups group admin
 user-name [ admin private ]
!
nacm groups group oper
 user-name [ oper public ]
!
nacm rule-list admin
 group [ admin ]
 rule any-access
  action permit
 !
!
nacm rule-list any-group
 group [ * ]
 rule tailf-aaa-authentication
  module-name       tailf-aaa
  path              /aaa/authentication/users/user[name='$USER']
  access-operations read,update
  action            permit
 !

Adding a User

Adding a user includes the following steps:

Create the user: admin@ncs(config)# aaa authentication users user <user-name>.
Add the user to a NACM group: admin@ncs(config)# nacm groups <group-name> admin user-name <user-name>.
Verify/change access rules.

admin@ncs(config)# show full-configuration devices authgroups
devices authgroups group default
 umap admin
  remote-name     admin
  remote-password $4$wIo7Yd068FRwhYYI0d4IDw==
 !
 umap oper
  remote-name     oper
  remote-password $4$zp4zerM68FRwhYYI0d4IDw==
 !
!

If the last step is forgotten, you will see the following error:

jim@ncs(config)# devices device c0 config ios:snmp-server community fee
jim@ncs(config-config)# commit
Aborted: Resource authgroup for jim doesn't exist

Monitoring NSO

This section describes how to monitor NSO. See also NSO Alarms.

Use the command ncs --status to get runtime information on NSO.

NSO Status

Checking the overall status of NSO can be done using the shell:

$ ncs --status

Or, in the CLI:

ncs# show ncs-state

For details on the output see $NCS_DIR/src/yang/tailf-common-monitoring2.yang.

Below is an overview of the output:

It is also important to look at the packages that are loaded. This can be done in the CLI with:

admin> show packages
packages package cisco-asa
 package-version 3.4.0
 description     "NED package for Cisco ASA"
 ncs-min-version [ 3.2.2 3.3 3.4 4.0 ]
 directory       ./state/packages-in-use/1/cisco-asa
 component upgrade-ned-id
  upgrade java-class-name com.tailf.packages.ned.asa.UpgradeNedId
 component ASADp
  callback java-class-name [ com.tailf.packages.ned.asa.ASADp ]
 component cisco-asa
  ned cli ned-id  cisco-asa
  ned cli java-class-name com.tailf.packages.ned.asa.ASANedCli
  ned device vendor Cisco

Monitoring the NSO Daemon

NSO runs the following processes:

The daemon: ncs.smp: this is the NCS process running in the Erlang VM.
Java VM: com.tailf.ncs.NcsJVMLauncher: service applications implemented in Java run in this VM. There are several options on how to start the Java VM, it can be monitored and started/restarted by NSO or by an external monitor. See the ncs.conf(5) Manual Page and the java-vm settings in the CLI.
Python VMs: NSO packages can be implemented in Python. The individual packages can be configured to run a VM each or share a Python VM. Use the show python-vm status current to see current threads and show python-vm status start to see which threads were started at startup time.

Logging

ncs.log : NCS daemon log. See Log Messages and Formats. Can be configured to Syslog.
ncserr.log.1, ncserr.log.idx, ncserr.log.siz: if the NSO daemon has a problem. this contains debug information relevant to support. The content can be displayed with ncs --printlog ncserr.log.
audit.log: central audit log covering all northbound interfaces. See Log Messages and Formats. Can be configured to Syslog.
localhost:8080.access: all HTTP requests to the daemon. This is an access log for the embedded Web server. This file adheres to the Common Log Format, as defined by Apache and others. This log is not enabled by default and is not rotated, i.e. use logrotate(8). Can be configured to Syslog.
devel.log: developer-log is a debug log for troubleshooting user-written code. This log is enabled by default and is not rotated, i.e. use logrotate(8). This log shall be used in combination with the java-vm or python-vm logs. The user code logs in the VM logs and the corresponding library logs in devel.log. Disable this log in production systems. Can be configured to Syslog. You can manage this log and set its logging level in ncs.conf.
```
    <developer-log>
      <enabled>true</enabled>
      <file>
        <name>${NCS_LOG_DIR}/devel.log</name>
        <enabled>false</enabled>
      </file>
      <syslog>
        <enabled>true</enabled>
      </syslog>
    </developer-log>
    <developer-log-level>trace</developer-log-level>
```
ncs-java-vm.log, ncs-python-vm.log: logger for code running in Java or Python VM, for example, service applications. Developers writing Java and Python code use this log (in combination with devel.log) for debugging. Both Java and Python log levels can be set from their respective VM settings in, for example, the CLI.
```
admin@ncs(config)# python-vm logging level level-info
admin@ncs(config)# java-vm java-logging logger com.tailf.maapi level level-info
```
netconf.log, snmp.log: Log for northbound agents. Can be configured to Syslog.
rollbackNNNNN: All NSO commits generate a corresponding rollback file. The maximum number of rollback files and file numbering can be configured in ncs.conf.
xpath.trace: XPATH is used in many places, for example, XML templates. This log file shows the evaluation of all XPATH expressions and can be enabled in the ncs.conf.
```
    <xpathTraceLog>
      <enabled>true</enabled>
      <filename>${NCS_LOG_DIR}/xpath.trace</filename>
    </xpathTraceLog>
```
To debug XPATH for a template, use the pipe target debug in the CLI instead.
```
admin@ncs(config)# commit | debug template
```
ned-cisco-ios-xr-pe1.trace (for example): if device trace is turned on a trace file will be created per device. The file location is not configured in ncs.conf but is configured when the device trace is turned on, for example in the CLI.
```
admin@ncs(config)# devices device r0 trace pretty
```
Progress trace log: When a transaction or action is applied, NSO emits specific progress events. These events can be displayed and recorded in a number of different ways, either in CLI with the pipe target details on a commit, or by writing it to a log file. You can read more about it in the Progress Trace.
Transaction error log: log for collecting information on failed transactions that lead to either a CDB boot error or a runtime transaction failure. The default is false (disabled). More information about the log is available in the Manual Pages under Configuration Parameters (see logs/transaction-error-log).
Upgrade log: log containing information about CDB upgrade. The log is enabled by default and not rotated (i.e., use logrotate). With the NSO example set, the following examples populate the log in the logs/upgrade.log file: examples.ncs/development-guide/ned-upgrade/yang-revision, examples.ncs/development-guide/high-availability/upgrade-basic, examples.ncs/development-guide/high-availability/upgrade-cluster, and examples.ncs/getting-started/developing-with-ncs/14-upgrade-service. More information about the log is available in the Manual Pages under Configuration Parameters (see logs/upgrade-log).

Syslog

Below is an example of Syslog configuration:

    <syslog-config>
      <facility>daemon</facility>
    </syslog-config>

    <ncs-log>
      <enabled>true</enabled>
      <file>
        <name>./logs/ncs.log</name>
        <enabled>true</enabled>
      </file>
      <syslog>
        <enabled>true</enabled>
      </syslog>
    </ncs-log>

Log messages are described on the link below:

Log Messages and Formats

NSO Alarms

This is also documented in the example /examples.ncs/getting-started/using-ncs/5-snmp-alarm-northbound.

Alarms are described on the link below:

Alarm Types

Trace ID

Trace ID is enabled by default, and can be turned off by adding the following snippet to NSO.conf:

<trace-id>false</trace-id>

Trace ID is propagated downwards in LSA setups and is fully integrated with commit queues.

Trace ID can be passed to NSO over NETCONF, RESTCONF, JSON-RPC, or CLI as a commit parameter.

For NETCONF, the Trace ID will be returned as an attribute called trace-id.

Trace ID will appear in relevant log entries and trace file headers on the form trace-id=....

Disaster Management

This section describes a number of disaster scenarios and recommends various actions to take in the different disaster variants.

NSO Fails to Start

CDB keeps its data in four files A.cdb, C.cdb, O.cdb and S.cdb. If NSO is stopped, these four files can be copied, and the copy is then a full backup of CDB.

Furthermore, if neither files exist in the configured CDB directory, CDB will attempt to initialize from all files in the CDB directory with the suffix .xml.

When NSO starts and fails to initialize, the following exit codes can occur:

Exit codes 1 and 19 mean that an internal error has occurred. A text message should be in the logs, or if the error occurred at startup before logging had been activated, on standard error (standard output if NSO was started with --foreground --verbose). Generally, the message will only be meaningful to the NSO developers, and an internal error should always be reported to support.
Exit codes 2 and 3 are only used for the NCS control commands (see the section COMMUNICATING WITH NCS in the ncs(1) in Manual Pages manual page) and mean that the command failed due to timeout. Code 2 is used when the initial connect to NSO didn't succeed within 5 seconds (or the TryTime if given), while code 3 means that the NSO daemon did not complete the command within the time given by the --timeout option.
Exit code 10 means that one of the init files in the CDB directory was faulty in some way — further information in the log.
Exit code 11 means that the CDB configuration was changed in an unsupported way. This will only happen when an existing database is detected, which was created with another configuration than the current in ncs.conf.
Exit code 13 means that the schema change caused an upgrade, but for some reason, the upgrade failed. Details are in the log. The way to recover from this situation is either to correct the problem or to re-install the old schema (fxs) files.
Exit code 14 means that the schema change caused an upgrade, but for some reason the upgrade failed, corrupting the database in the process. This is rare and usually caused by a bug. To recover, either start from an empty database with the new schema, or re-install the old schema files and apply a backup.
Exit code 15 means that A.cdb or C.cdb is corrupt in a non-recoverable way. Remove the files and re-start using a backup or init files.
Exit code 16 means that CDB ran into an unrecoverable file error (such as running out of space on the device while performing journal compaction).
Exit code 20 means that NSO failed to bind a socket.
Exit code 21 means that some NSO configuration file is faulty. More information is in the logs.
Exit code 22 indicates an NSO installation-related problem, e.g., that the user does not have read access to some library files, or that some file is missing.

If the NSO daemon starts normally, the exit code is 0.

NSO Failure After Startup

Out of memory: If NSO is unable to allocate memory, it will exit by calling abort(3). This will generate an exit code, as for reception of the SIGABRT signal - e.g. if NSO is started from a shell script, it will see 134, as the exit code (128 + the signal number).
Out of file descriptors for accept(2): If NSO fails to accept a TCP connection due to lack of file descriptors, it will log this and then exit with code 25. To avoid this problem, make sure that the process and system-wide file descriptor limits are set high enough, and if needed configure session limits in ncs.conf. The out-of-file descriptors issue may also manifest itself in that applications are no longer able to open new file descriptors. In many Linux systems, the default limit is 1024, but if we, for example, assume that there are four northbound interface ports, CLI, RESTCONF, SNMP, WebUI/JSON-RPC, or similar, plus a few hundred IPC ports, x 1024 == 5120. But one might as well use the next power of two, 8192, to be on the safe side.
Several application issues can contribute to consuming extra ports. In the scope of an NSO application that could, for example, be a script application that invokes CLI command or a callback daemon application that does not close the connection socket as it should.
A commonly used command for changing the maximum number of open file descriptors is ulimit -n [limit]. Commands such as netstat and lsof can be useful to debug file descriptor-related issues.

Transaction Commit Failure

  -- WARNING ------------------------------------------------------
  Running db may be inconsistent. Enter private configuration mode and
  install a rollback configuration or load a saved configuration.
  ------------------------------------------------------------------

Backup and Restore

All parts of the NSO installation can be backed up and restored with standard file system backup procedures.

The most convenient way to do backup and restore is to use the ncs-backup command. In that case, the following procedure is used.

Take a Backup

NSO Backup backs up the database (CDB) files, state files, config files, and rollback files from the installation directory. To take a complete backup (for disaster recovery), use:

# ncs-backup

The backup will be stored in the "run directory", by default /var/opt/ncs, as /var/opt/ncs/backups/ncs-VERSION@DATETIME.backup.

For more information on backup, refer to the ncs-backup(1) in Manual Pages.

Restore a Backup

NSO Restore is performed if you would like to switch back to a previous good state or restore a backup.

It is always advisable to stop NSO before performing a restore.

First stop NSO if NSO is not stopped yet.
```
/etc/init.d/ncs stop
```
Restore the backup.
```
ncs-backup --restore
```
Select the backup to be restored from the available list of backups. The configuration and database with run-time state files are restored in /etc/ncs and /var/opt/ncs.
Start NSO.
```
/etc/init.d/ncs start
```

Rollbacks

The use of rollbacks from the supported APIs and the CLI is documented in the documentation for the given API.

`ncs.conf` Config for Rollback

As described earlier, NSO is configured through the configuration file, ncs.conf. In that file, we have the following items related to rollbacks:

/ncs-config/rollback/enabled: If set to true, then a rollback file will be created whenever the running configuration is modified.
/ncs-config/rollback/directory: Location where rollback files will be created.
/ncs-config/rollback/history-size: The number of old rollback files to save.

Troubleshooting

New users can face problems when they start to use NSO. If you face an issue, reach out to our support team regardless if your problem is listed here or not.

root@linux:/# ncs-collect-tech-report --full

Some noteworthy issues are covered here.

Installation Problems: Error Messages During Installation

Error

tar: Skipping to next header
gzip: stdin: invalid compressed data--format violated

Impact The resulting installation is incomplete.

Cause This happens if the installation program has been damaged, most likely because it has been downloaded in ASCII mode.

Resolution Remove the installation directory. Download a new copy of NSO from our servers. Make sure you use binary transfer mode every step of the way.

Problem Starting NSO: NSO Terminating with GLIBC Error

Error

Internal error: Open failed: /lib/tls/libc.so.6: version
`GLIBC_2.3.4' not found (required by
.../lib/ncs/priv/util/syst_drv.so)

Impact NSO terminates immediately with a message similar to the one above.

Cause This happens if you are running on a very old Linux version. The GNU libc (GLIBC) version is older than 2.3.4, which was released in 2004.

Resolution Use a newer Linux system, or upgrade the GLIBC installation.

Problem in Running Examples: The netconf-console Program Fails

Error You must install the Python SSH implementation Paramiko in order to use SSH.

Impact Sending NETCONF commands and queries with netconf-console fails, while it works using netconf-console-tcp.

Cause The netconf-console command is implemented using the Python programming language. It depends on the Python SSHv2 implementation Paramiko. Since you are seeing this message, your operating system doesn't have the Python module Paramiko installed.

Resolution Install Paramiko using the instructions from https://www.paramiko.org. When properly installed, you will be able to import the Paramiko module without error messages.
```
$ python
...
>>> import paramiko
>>>
```
Exit the Python interpreter with Ctrl+D.

Workaround A workaround is to use netconf-console-tcp. It uses TCP instead of SSH and doesn't require Paramiko. Note that TCP traffic is not encrypted.

Problems Using and Developing Services

General Troubleshooting Strategies

If you have trouble starting or running NSO, examples, or the clients you write, here are some troubleshooting tips.

Transcript

Source ENV Variables

$ source /etc/profile.d/ncs.sh

Log Files

Verify HW Resources

Status

NSO will give you a comprehensive status of daemon status, YANG modules, loaded packages, MIBs, active user sessions, CDB locks, and more if you run:

$ ncs --status

NSO status information is also available as operational data under /ncs-state.

Check Data Provider

If you are implementing a data provider (for operational or configuration data), you can verify that it works for all possible data items using:

$ ncs --check-callbacks

Debug Dump

$ ncs --debug-dump mydump1

Error Log

System Dump

System Call Trace

By running the instructions below.

Linux:

# strace -f -o mylog1.strace -s 1024 ncs ...

BSD:

# ktrace -ad -f mylog1.ktrace ncs ...
# kdump -f mylog1.ktrace > mylog1.kdump

Solaris:

# truss -f -o mylog1.truss ncs ...

System Management

Starting NSO

Licensing NSO

Configuring NSO

ncs.conf File

Exposed Interfaces

Dynamic Configuration

tailf-ncs.yang Module

Built-in or External SSH Server

Run-time Configuration

User Management

Adding a User

Monitoring NSO

NSO Status

Monitoring the NSO Daemon

Logging

Syslog

NSO Alarms

Trace ID

Disaster Management

NSO Fails to Start

NSO Failure After Startup

Transaction Commit Failure

Backup and Restore

Take a Backup

Restore a Backup

Rollbacks

ncs.conf Config for Rollback

Troubleshooting

General Troubleshooting Strategies

Cisco Smart Licensing

Smart Accounts and Virtual Accounts

Request a Smart Account

Adding Users to a Smart Account

Create a License Registration Token

Notes on Configuring Smart Licensing

Validation and Troubleshooting

Available show and debug Commands

Alarm Types

Alarm Type Descriptions

Cisco Smart Licensing

Smart Accounts and Virtual Accounts

Request a Smart Account

Adding Users to a Smart Account

Create a License Registration Token

Notes on Configuring Smart Licensing

Validation and Troubleshooting

Available show and debug Commands

Alarm Types

Alarm Type Descriptions

Log Messages and Formats

System Management

Starting NSO

Licensing NSO

Configuring NSO

ncs.conf File

Exposed Interfaces

Dynamic Configuration

tailf-ncs.yang Module

Built-in or External SSH Server

Run-time Configuration

User Management

Adding a User

Monitoring NSO

NSO Status

Monitoring the NSO Daemon

Logging

Syslog

NSO Alarms

Trace ID

Disaster Management

NSO Fails to Start

NSO Failure After Startup

Transaction Commit Failure

Backup and Restore

Take a Backup

Restore a Backup

Rollbacks

ncs.conf Config for Rollback

Troubleshooting

`ncs.conf` File

`tailf-ncs.yang` Module

`ncs.conf` Config for Rollback

Available `show` and `debug` Commands

Available `show` and `debug` Commands

`ncs.conf` File

`tailf-ncs.yang` Module

`ncs.conf` Config for Rollback