...
Devices running an affected IOS-XE image and using an access-list (ACL) for NETCONF-YANG will experience NETCONF session timeouts after 255 connections to the device. The problem does not occur when no ACL is used for NETCONF.
The Cisco device must run an affected software version and use an ACL for NETCONF. Example:

netconf-yang
netconf-yang ssh ipv4 access-list name NETCONF_CLIENTS
ip access-list standard NETCONF_CLIENTS
 10 permit any

Device#sh netconf-yang statistics
netconf-start-time : 2021-02-10T09:04:12+02:00
in-rpcs : 510
in-bad-rpcs : 0
out-rpc-errors : 0
out-notifications : 0
in-sessions : 255 <<<
dropped-sessions : 0
in-bad-hellos : 0

Device#show netconf-yang statistics | in in-sessions|source
No time source, *09:05:12.340 UTC Wed Feb 10 2021
in-sessions : 255
Device#show netconf-yang statistics | in in-sessions|source
No time source, *09:05:19.127 UTC Wed Feb 10 2021
in-sessions : 255
Device#show netconf-yang statistics | in in-sessions|source
No time source, *09:05:20.278 UTC Wed Feb 10 2021
in-sessions : 255
Device#show netconf-yang statistics | in in-sessions|source
No time source, *09:05:52.752 UTC Wed Feb 10 2021
in-sessions : 255

From the CLI we can see logs similar to these:

Feb 10 09:05:12.340 MET: %DMI-5-AUTHENTICATION_FAILED: R0/0: dmiauthd: Authentication failure from : for netconf over ssh.
Feb 10 09:05:52.752 MET: %DMI-5-AUTHENTICATION_FAILED: R0/0: dmiauthd: Authentication failure from : for netconf over ssh.
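The following Python triage check is an added example, not Cisco code or part of the original bug note. It flags a device whose collected outputs match the condition above: an ACL bound to NETCONF over SSH, an in-sessions counter that stays at 255 across captures, and DMI authentication-failure logs. The function names are hypothetical and the sample inputs are constructed from the outputs shown above.

```python
import re

# Constructed sample inputs modelled on the outputs shown above.
RUNNING_CONFIG = """\
netconf-yang
netconf-yang ssh ipv4 access-list name NETCONF_CLIENTS
ip access-list standard NETCONF_CLIENTS
 10 permit any
"""
STATS_SAMPLES = [  # successive 'show netconf-yang statistics' captures
    "in-rpcs : 510\nin-sessions : 255\ndropped-sessions : 0\n",
    "in-rpcs : 510\nin-sessions : 255\ndropped-sessions : 0\n",
]
SYSLOG = """\
Feb 10 09:05:12.340 MET: %DMI-5-AUTHENTICATION_FAILED: R0/0: dmiauthd: Authentication failure from : for netconf over ssh.
Feb 10 09:05:52.752 MET: %DMI-5-AUTHENTICATION_FAILED: R0/0: dmiauthd: Authentication failure from : for netconf over ssh.
"""

SESSION_CEILING = 255  # in-sessions value at which the timeouts are reported

def netconf_acl(config):
    """Return the ACL name bound to NETCONF over SSH, or None if absent."""
    m = re.search(r"^netconf-yang ssh ipv4 access-list name (\S+)", config, re.M)
    return m.group(1) if m else None

def in_sessions(stats):
    """Extract the in-sessions counter from one statistics capture."""
    m = re.search(r"^\s*in-sessions\s*:\s*(\d+)", stats, re.M)
    if m is None:
        raise ValueError("in-sessions counter not found")
    return int(m.group(1))

def auth_failures(syslog):
    """Return the DMI authentication-failure lines for NETCONF over SSH."""
    return [line for line in syslog.splitlines()
            if "%DMI-5-AUTHENTICATION_FAILED" in line and "netconf over ssh" in line]

def triage(config, stats_samples, syslog):
    """Combine the three indicators; all must be present to match the symptom."""
    counts = [in_sessions(s) for s in stats_samples]
    # Require at least two captures so a single reading of 255 is not enough.
    stuck = len(counts) >= 2 and all(c == SESSION_CEILING for c in counts)
    acl = netconf_acl(config)
    failures = len(auth_failures(syslog))
    return {"acl": acl, "in_sessions": counts, "counter_stuck": stuck,
            "auth_failures": failures,
            "matches_symptom": acl is not None and stuck and failures > 0}

if __name__ == "__main__":
    print(triage(RUNNING_CONFIG, STATS_SAMPLES, SYSLOG))
```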
- Remove the ACL from the NETCONF configuration: no netconf-yang ssh ipv4 access-list name
- Regenerate the ssh-rsa key.
- Reconfigure netconf-yang, which restarts the process.
Based on further investigation, this particular problem is caused by a combination of two software defects, CSCvw30152 and CSCvw30128 (internally visible only). A software version must contain the fixes for both bugs to resolve the issue. The 16.12.5, 17.4.1 and 17.4.1a software versions contain the fix only for CSCvw30152, so the problem is not resolved in these images. The code fix for both software defects will be introduced in the 16.12.6, 17.3.3, 17.4.2 and 17.5.1 software releases, and in later releases.