Solved: Re: ANC Endpoint API gives a HTTP 404

Konrad Reszka · ‎03-23-2018

I'm trying to apply an ANC policy using the ERS API URI of "/ers/config/ancendpoint/apply" but ISE only returns an HTTP 404 error. Other ERS API calls work wonderfully so it's not header or authorization problem.

ISE is on 2.3

hslai · ‎03-30-2018

This is due to CSRF validation. Please read the section on this in ISE 2.3 Release Notes, API Documentation from the ERS Online SDK.

View solution in original post

hslai · ‎03-23-2018

Please turn DEBUG on ers and watch ise-psc.log, which should give you some clues what's missing.

If not, please post a complete request sample.

Below works for me:

curl -X PUT -k -H 'Content-Type:  application/json' -H 'Accept:  application/json' -i 'https://myAdminUser:myPassword@myISE:9060/ers/config/ancendpoint/apply' --data '{
"OperationAdditionalData" : {
    "additionalData" : [ 
    { "name" : "macAddress", "value" : "02:00:00:00:00:01" }, 
    { "name" : "policyName", "value" : "testANC-Q01"}
   ]
  }
}'

Konrad Reszka · ‎03-26-2018

Specifically, ISE is on version 2.3.0.298

It looks like the URI PATH is not being parsed, it's showing as null. Here's a snippet:

Working GET request:

cpm.ers.app.web.MaxThreadsLimiterFilter -::::- #### MaxThreadsFilter.doFilter --> getPathInfo=/ancendpoint/

cpm.ers.app.web.MaxThreadsLimiterFilter -::::- #### MaxThreadsFilter.doFilter --> getMethod=GET

cpm.ers.app.web.MaxThreadsLimiterFilter -::::- #### MaxThreadsFilter.doFilter --> getRequestURL=https://10.101.0.10:9060/ers/config/ancendpoint/

cpm.ers.app.web.MaxThreadsLimiterFilter -::::- #### MaxThreadsFilter.doFilter --> getRemoteHost=192.168.255.10

cpm.ers.app.web.MaxThreadsLimiterFilter -::::- ## RateLimitFilter Servlet => Continue with the ERS Request, The current bucket count is: 49

cpm.ers.app.web.PICFilter -::::- #### PICFilter.doFilter --> getPathInfo=/ancendpoint/

cpm.ers.app.web.PICFilter -::::- #### PICFilter.doFilter --> getMethod=GET

cpm.ers.app.web.PICFilter -::::- #### PICFilter.doFilter --> getRequestURL=https://10.101.0.10:9060/ers/config/ancendpoint/

cpm.ers.app.web.PICFilter -::::- #### PICFilter.doFilter --> getRemoteHost=192.168.255.10

cpm.ers.app.web.PAPFilter -::::- #### PAPFilter.doFilter --> getPathInfo=/ancendpoint/

cpm.ers.app.web.PAPFilter -::::- #### PAPFilter.doFilter --> getMethod=GET

cpm.ers.app.web.PAPFilter -::::- #### PAPFilter.doFilter --> getRequestURL=https://10.101.0.10:9060/ers/config/ancendpoint/

cpm.ers.app.web.PAPFilter -::::- #### PAPFilter.doFilter --> getRemoteHost=192.168.255.10

cpm.ers.app.web.PAPFilter -::::- #### PAPFilter.doFilter --> passing the filter!

cpm.ers.app.web.AtnAtzFilter -::::- #### AtnAtzFilter.doFilter --> getPathInfo=/ancendpoint/

cpm.ers.app.web.AtnAtzFilter -::::- #### AtnAtzFilter.doFilter --> getMethod=GET

cpm.ers.app.web.AtnAtzFilter -::::- #### AtnAtzFilter.doFilter --> getRequestURL=https://10.101.0.10:9060/ers/config/ancendpoint/

cpm.ers.app.web.AtnAtzFilter -::::- #### AtnAtzFilter.doFilter --> getRemoteHost=192.168.255.10

Failing PUT request:

cpm.ers.app.impl.ERSConfigurationListener -::::- Registering ERS Configuration Listener

cpm.ers.app.web.MaxThreadsLimiterFilter -::::- #### MaxThreadsFilter.doFilter --> getPathInfo=null

cpm.ers.app.web.MaxThreadsLimiterFilter -::::- #### MaxThreadsFilter.doFilter --> getMethod=PUT

cpm.ers.app.web.MaxThreadsLimiterFilter -::::- #### MaxThreadsFilter.doFilter --> getRequestURL=https://10.101.0.10:9060/ers/custom_error_page.jsp

cpm.ers.app.web.MaxThreadsLimiterFilter -::::- #### MaxThreadsFilter.doFilter --> getRemoteHost=192.168.255.10

cpm.ers.app.web.MaxThreadsLimiterFilter -::::- ## RateLimitFilter Servlet => Continue with the ERS Request, The current bucket count is: 49

cpm.ers.app.web.SponsorSessionAttributesFilter -::::- #### SponsorSessionAttributesFilter.doFilter --> getPathInfo=null

cpm.ers.app.web.SponsorSessionAttributesFilter -::::- #### SponsorSessionAttributesFilter.doFilter --> getMethod=PUT

cpm.ers.app.web.SponsorSessionAttributesFilter -::::- #### SponsorSessionAttributesFilter.doFilter --> getRequestURL=https://10.101.0.10:9060/ers/custom_error_page.jsp

cpm.ers.app.web.SponsorSessionAttributesFilter -::::- #### SponsorSessionAttributesFilter.doFilter --> getRemoteHost=192.168.255.10

cpm.ers.app.web.SponsorSessionAttributesFilter -::::- #### SponsorSessionAttributesFilter.doFilter, it is not a sponosr , it will not perform in SponsorSessionAttributeFilter !

cpm.ers.app.web.MaxThreadsLimiterFilter -::::- ## RateLimitFilter Servlet => Continue with the ERS Response, The current bucket count is: 49

api.services.persistance.dao.DistributionDAO -::::- In DAO getRepository method for HostConfig Type: MNT

Postman screenshot of request with your test data

hslai · ‎03-26-2018

I am unable to reproduce your errors in my setups of ISE 2.3 Patch 2 and ISE 2.3 FCS so it seems something odd in yours. I am guessing either the ISE services not properly initialized or the like.

If the setup does not have 16-GB RAM or more, please try allocating more memory.

jeppich · ‎03-26-2018

Hey Konrad,

Unicast me in what you are trying to accomplish, is it simply applying the endpoint to the ANC policy and the failure occurs, i see a custom page error message.

Thanks,

John

jeppich@cisco.com

hslai · ‎03-30-2018

This is due to CSRF validation. Please read the section on this in ISE 2.3 Release Notes, API Documentation from the ERS Online SDK.

Konrad Reszka · ‎04-02-2018

That was it! Thanks!