Device queries from Netbox GUI via Napalm fail after upgrade from 3.1.2 to 3.1.5 #5932

New Issue

Closed

opened 2025-12-29 19:34:26 +01:00 by adam · 5 comments

adam commented 2025-12-29 19:34:26 +01:00

Owner

Copy Link

Originally created by @Eschin on GitHub (Jan 12, 2022).

NetBox version

v3.1.5

Python version

3.8

Steps to Reproduce

1. Connecting to device to pull Status, LLDP Neighbors, or Configuration from Netbox GUI results in ConnectAuthError (picture attached) on Juniper SRX devices, but not Juniper MX devices.

Expected Behavior

Should connect via SSH and pull device configuration, lldp neighbors, or status and display on Netbox GUI.

Observed Behavior

When attempting to connect to devices via GUI, the following error displays.

SSH host/server/device shows this error for failed inbound connections in the logs; userauth_pubkey: unsupported public key algorithm: rsa-sha2-512 [preauth].

Manual SSH via backend CLI OpenSSH_8.2p1 using the same key pair(that fails in Netbox GUI) works fine.

Attempting to switch to different key type(ed25519) unsuccessful.

Really odd, as we're only seeing this behavior on Juniper SRX devices, but Juniper MX devices working normally.

Originally created by @Eschin on GitHub (Jan 12, 2022). ### NetBox version v3.1.5 ### Python version 3.8 ### Steps to Reproduce 1. Connecting to device to pull Status, LLDP Neighbors, or Configuration from Netbox GUI results in `ConnectAuthError` (picture attached) on Juniper SRX devices, but not Juniper MX devices. ### Expected Behavior Should connect via SSH and pull device configuration, lldp neighbors, or status and display on Netbox GUI. ### Observed Behavior When attempting to connect to devices via GUI, the following error displays.  SSH host/server/device shows this error for failed inbound connections in the logs; `userauth_pubkey: unsupported public key algorithm: rsa-sha2-512 [preauth]`. Manual SSH via backend CLI OpenSSH_8.2p1 using the same key pair(that fails in Netbox GUI) works fine. Attempting to switch to different key type(ed25519) unsuccessful. Really odd, as we're only seeing this behavior on Juniper SRX devices, but Juniper MX devices working normally.

adam closed this issue 2025-12-29 19:34:27 +01:00

adam commented 2025-12-29 19:34:27 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Jan 12, 2022):

Was the NAPALM driver upgraded when you upgraded NetBox? That's the only thing I can think of, assuming the configuration has not been modified. NetBox has no control over the actual NAPALM connection.

@jeremystretch commented on GitHub (Jan 12, 2022): Was the NAPALM driver upgraded when you upgraded NetBox? That's the only thing I can think of, assuming the configuration has not been modified. NetBox has no control over the actual NAPALM connection.

adam commented 2025-12-29 19:34:28 +01:00

Author

Owner

Copy Link

@Eschin commented on GitHub (Jan 12, 2022):

Napalm was not recently upgraded. We're currently running on Napalm 3.3.1, which was released Jun 16, 2021 (I believe?). We stay current with all system packages and Python packages on our Netbox servers, so we've been running on Napalm 3.3.1 since middle of last year roughly(We update once or twice monthly). I will look through our Ansible upgrade logs to pinpoint exactly when we upgraded to 3.3.1.

We have 3 systems running Netbox, all kept on identical versions. We were able to confirm this issue only appeared after upgrading from 3.1.2 to 3.1.5 on the third(final) system we upgraded.

One of these systems is a "dog food/testing" system, so I can easily roll it back to last week and scope out the state the system was in pre-upgrade.

Our configuration.py has remained unchanged for years. We've always kept the NAPALM_USERNAME and NAPALM_PASSWORD blank, so it defaults to the netbox system user the software stack runs under, and authenticates via the netbox user's ssh-key pair.

I was already suspicious of the Napalm package being the culprit as mentioned, but when I saw "#7246 - Don't attempt to URL-decode NAPALM response payloads" on the 3.1.3 release notes, I got suspicious these two issues may be connected somehow... But looking over that issue, I see no immediate way they could be.... Maybe a coincidence?

@Eschin commented on GitHub (Jan 12, 2022): Napalm was not recently upgraded. We're currently running on Napalm 3.3.1, which was released Jun 16, 2021 (I believe?). We stay current with all system packages and Python packages on our Netbox servers, so we've been running on Napalm 3.3.1 since middle of last year roughly(We update once or twice monthly). I will look through our Ansible upgrade logs to pinpoint exactly when we upgraded to 3.3.1. We have 3 systems running Netbox, all kept on identical versions. We were able to confirm this issue only appeared after upgrading from 3.1.2 to 3.1.5 on the third(final) system we upgraded. One of these systems is a "dog food/testing" system, so I can easily roll it back to last week and scope out the state the system was in pre-upgrade. Our configuration.py has remained unchanged for years. We've always kept the NAPALM_USERNAME and NAPALM_PASSWORD blank, so it defaults to the `netbox` system user the software stack runs under, and authenticates via the `netbox` user's ssh-key pair. I was already suspicious of the Napalm package being the culprit as mentioned, but when I saw "#7246 - Don't attempt to URL-decode NAPALM response payloads" on the 3.1.3 release notes, I got suspicious these two issues may be connected somehow... But looking over that issue, I see no immediate way they could be.... Maybe a coincidence?

adam commented 2025-12-29 19:34:28 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Jan 12, 2022):

I don't believe #7246 is related as it deals solely with the processing of a response after a connection has been established and a request has been sent.

The error message certainly seems to suggest an issue with an underlying library. Can you connect to one of these devices using napalm directly (within a Python shell) and the same credentials?

@jeremystretch commented on GitHub (Jan 12, 2022): I don't believe #7246 is related as it deals solely with the processing of a response after a connection has been established and a request has been sent. The error message certainly seems to suggest an issue with an underlying library. Can you connect to one of these devices using napalm directly (within a Python shell) and the same credentials?

adam commented 2025-12-29 19:34:28 +01:00

Author

Owner

Copy Link

@Eschin commented on GitHub (Jan 12, 2022):

Hey Jeremy,

I agree, starting to think the issue is an underlying library.

Napalm direct connections from Netbox's Python environment to SRX devices also fail.

I did not notice this before, but there was a minor release upgrade to the SSH client during our last upgrade. We were on OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f 31 Mar 2020, and after the upgrade, ssh client was upgraded to OpenSSH_8.2p1 Ubuntu-4ubuntu0.4, OpenSSL 1.1.1f 31 Mar 2020. Ubuntu-4ubuntu0.3 changed to Ubuntu-4ubuntu0.4. Napalm was still on 3.3.1 pre/post upgrade.

So yeah, starting to think the issue is in the (Ubuntu) SSH package itself.

Appreciate your time, apologies for the false alarm. Going to close this out now :)

@Eschin commented on GitHub (Jan 12, 2022): Hey Jeremy, I agree, starting to think the issue is an underlying library. Napalm direct connections from Netbox's Python environment to SRX devices also fail. I did not notice this before, but there was a minor release upgrade to the SSH client during our last upgrade. We were on `OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f 31 Mar 2020`, and after the upgrade, ssh client was upgraded to `OpenSSH_8.2p1 Ubuntu-4ubuntu0.4, OpenSSL 1.1.1f 31 Mar 2020`. `Ubuntu-4ubuntu0.3` changed to `Ubuntu-4ubuntu0.4`. Napalm was still on 3.3.1 pre/post upgrade. So yeah, starting to think the issue is in the (Ubuntu) SSH package itself. Appreciate your time, apologies for the false alarm. Going to close this out now :)

adam commented 2025-12-29 19:34:28 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Jan 12, 2022):

No worries. Thanks for following up! I suspect you just need to restrict the set of algorithms offered by the SSH client somehow.

@jeremystretch commented on GitHub (Jan 12, 2022): No worries. Thanks for following up! I suspect you just need to restrict the set of algorithms offered by the SSH client somehow.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update-changelog-comments-docs

feature-removal-issue-type

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

v4.5.0

v4.4.10

v4.4.9

v4.5.0-beta1

v4.4.8

v4.4.7

v4.4.6

v4.4.5

v4.4.4

v4.4.3

v4.4.2

v4.4.1

v4.4.0

v4.3.7

v4.4.0-beta1

v4.3.6

v4.3.5

v4.3.4

v4.3.3

v4.3.2

v4.3.1

v4.3.0

v4.2.9

v4.3.0-beta2

v4.2.8

v4.3.0-beta1

v4.2.7

v4.2.6

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.1.11

v4.1.10

v4.1.9

v4.1.8

v4.2-beta1

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

v4.1.1

v4.1.0

v4.0.11

v4.0.10

v4.0.9

v4.1-beta1

v4.0.8

v4.0.7

v4.0.6

v4.0.5

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.7.8

v3.7.7

v4.0-beta2

v3.7.6

v3.7.5

v4.0-beta1

v3.7.4

v3.7.3

v3.7.2

v3.7.1

v3.7.0

v3.6.9

v3.6.8

v3.6.7

v3.7-beta1

v3.6.6

v3.6.5

v3.6.4

v3.6.3

v3.6.2

v3.6.1

v3.6.0

v3.5.9

v3.6-beta2

v3.5.8

v3.6-beta1

v3.5.7

v3.5.6

v3.5.5

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.10

v3.4.9

v3.5-beta2

v3.4.8

v3.5-beta1

v3.4.7

v3.4.6

v3.4.5

v3.4.4

v3.4.3

v3.4.2

v3.4.1

v3.4.0

v3.3.10

v3.3.9

v3.4-beta1

v3.3.8

v3.3.7

v3.3.6

v3.3.5

v3.3.4

v3.3.3

v3.3.2

v3.3.1

v3.3.0

v3.2.9

v3.2.8

v3.3-beta2

v3.2.7

v3.3-beta1

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.11

v3.1.10

v3.2-beta2

v3.1.9

v3.2-beta1

v3.1.8

v3.1.7

v3.1.6

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.12

v3.0.11

v3.0.10

v3.1-beta1

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.11.12

v3.0-beta2

v2.11.11

v2.11.10

v3.0-beta1

v2.11.9

v2.11.8

v2.11.7

v2.11.6

v2.11.5

v2.11.4

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.10

v2.10.9

v2.11-beta1

v2.10.8

v2.10.7

v2.10.6

v2.10.5

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.11

v2.10-beta2

v2.9.10

v2.10-beta1

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.9-beta2

v2.8.9

v2.9-beta1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.12

v2.6.11

v2.6.10

v2.6.9

v2.7-beta1

Solcon-2020-01-06

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.13

v2.5.12

v2.6-beta1

v2.5.11

v2.5.10

v2.5.9

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.9

v2.5-beta2

v2.4.8

v2.5-beta1

v2.4.7

v2.4.6

v2.4.5

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.7

v2.4-beta1

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.10

v2.3-beta2

v2.2.9

v2.3-beta1

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.6

v2.2-beta2

v2.1.5

v2.2-beta1

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.10

v2.1-beta1

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v2.0-beta3

v1.9.6

v1.9.5

v2.0-beta2

v1.9.4-r1

v1.9.3

v2.0-beta1

v1.9.2

v1.9.1

v1.9.0-r1

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.3

v1.7.2-r1

v1.7.1

v1.7.0

v1.6.3

v1.6.2-r1

v1.6.1-r1

1.6.1

v1.6.0

v1.5.2

v1.5.1

v1.5.0

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.1

v1.3.0

v1.2.2

v1.2.1

v1.2.0

v1.1.0

v1.0.7-r1

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3-r1

v1.0.3

1.0.0

Labels

Clear labels

beta

breaking change

complexity: high

complexity: low

complexity: medium

needs milestone

netbox

pending closure

plugin candidate

pull-request

Mirrored from GitHub Pull Request

severity: high

severity: low

severity: medium

status: accepted

status: backlog

status: blocked

status: duplicate

status: needs owner

status: needs triage

status: revisions needed

status: under review

topic: GraphQL

topic: Internationalization

topic: OpenAPI

topic: UI/UX

topic: cabling

topic: event rules

topic: htmx navigation

topic: industrialization

topic: migrations

topic: plugins

topic: scripts

topic: templating

topic: testing

type: bug

type: deprecation

type: documentation

type: feature

type: housekeeping

type: translation

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#5932