Courseiva
AutomationCCNA 200-301

NETCONF Over SSH Not Working

Presenting Symptom

A network engineer cannot establish a NETCONF session over SSH to a Cisco IOS XE device, receiving 'Connection refused' or timeout errors.

Network Context

The network is a small branch office with a Cisco Catalyst 9300 switch running IOS XE 16.12. The switch is configured for SSH access and is reachable via ping. The engineer is using a management workstation running Python with the ncclient library to connect via NETCONF over port 830.

Diagnostic Steps

1

Verify SSH connectivity to the device

ssh -p 830 admin@192.168.1.1
Connection refused or timeout

If SSH on port 830 fails, NETCONF is not listening. Normal output would be an SSH banner or password prompt.

2

Check NETCONF configuration on the device

show running-config | include netconf
No output or incomplete configuration

If no lines appear, NETCONF is not configured. Expected: 'netconf-yang' and 'netconf ssh' lines.

3

Verify NETCONF is enabled globally

show netconf-yang status
netconf-yang: disabled

If disabled, NETCONF is not operational. Normal: 'netconf-yang: enabled'.

4

Check SSH server configuration and port

show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs
Authentication retries: 3
Port 22

If port 830 is not listed, NETCONF SSH port is not configured. Normal output for NETCONF would show port 830.

Root Cause

NETCONF over SSH is not enabled on the device. The 'netconf-yang' feature is not configured, and the SSH server is not listening on port 830.

Resolution

Enable NETCONF and configure SSH for NETCONF: 1. Enter global configuration mode: configure terminal 2. Enable NETCONF: netconf-yang 3. Set SSH port for NETCONF: netconf ssh port 830 4. Exit and save: end, write memory

Verification

1. show netconf-yang status → should show 'netconf-yang: enabled' 2. show ip ssh → should show 'Port 830' in addition to port 22 3. ssh -p 830 admin@192.168.1.1 → should prompt for password

Prevention

1. Include NETCONF configuration in device provisioning templates. 2. Use automation tools to verify NETCONF status after deployment. 3. Document required ports and services in network design.

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario tests understanding of NETCONF and RESTCONF as YANG-based network management protocols. Questions may ask which port NETCONF uses (830) or how to enable it. Expect multiple-choice or drag-and-drop questions about configuration steps.

Exam Tips

1.

Memorize that NETCONF uses TCP port 830 and SSH for transport.

2.

Know that 'netconf-yang' is the global command to enable NETCONF on IOS XE.

3.

Remember that NETCONF is a northbound API, not a routing protocol.

Commands Used in This Scenario

netconf-yang

Enables NETCONF-YANG on the device, allowing programmatic configuration and state retrieval using YANG data models over SSH.

show ip ssh

Displays the status and configuration of SSH server on the Cisco IOS device, used to verify SSH is enabled and check connection details.

Test Your CCNA Knowledge

Practice with scenario-based questions to prepare for the CCNA 200-301 exam.

Practice CCNA Questions