heasley | 4 Jan 2013 22:06

Re: [rancid] Extra spaces being randomly added - and seen as config changes

Fri, Jan 04, 2013 at 02:30:43AM -0800, Aaron Wasserott:
> RANCID is running from crontab, not from a terminal, and the user on the network devices has root-level permissions. All RANCID scripts are at 2.3.8. I am having the same issue discussed here:
> 
> http://www.gossamer-threads.com/lists/rancid/users/5887
> 
> Where it's just the email output showing a false difference, not the saved config in CVS.
> 
> I am pretty sure it's not the device either as I just got it on a ScreenOS firewall and there is no option to set terminal width, just paging (length) which is currently off. Here is an example from a ScreenOS device:
> 
> set ike gateway "xcolo" address 123.45.67.89 Main outgoing-interface "bgroup0" preshare "wLE/x18INtTxJ6sT42CM5FxvOphJ/3%YZg==" sec-level standard
> + #set ike gateway "xcolo" address 123.45.67.89 Main outgoing-interface 
> + "bgroup0" preshare <removed> sec-level standard

would you try this change?  i'm uncertain that this will have any effect,
it's just a hunch.

Index: bin/nrancid.in
===================================================================
--- bin/nrancid.in	(revision 2658)
+++ bin/nrancid.in	(working copy)
 <at>  <at>  -217,7 +217,7  <at>  <at> 
 	next if /^Total Config.+$/i;
 	last if(/$prompt/);
 	# throw away the pager prompts
-	s/^--- more ---[\s\b]*//g;
+	s/^--- more ---[ \b]*//g;
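
Review bot: On the changed `s/^--- more ---.../` line, replacing `\s` with a literal space means a carriage return or tab left behind by the pager is no longer removed, only spaces and backspaces (inside a character class `\b` is a backspace). If the intent is only to stop the substitution from eating a newline, `[ \t\r\b]*` does that while still clearing the other residue; the `/g` flag is also redundant on a pattern anchored with `^`.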


Gerhard Mourani | 4 Jan 2013 21:37

[rancid] Cisco 3524 PWRXL - Login without username

Hello List,

I’m having a problem with Rancid 2.3.8 on Linux and an old Cisco IOS 12.0 3524 PWRXL on which no username is defined. Therefore, to log in to the switch I just telnet to the IP and enter the password. For this, here is my configuration inside the .cloginrc file:

add password   1.2.3.4  passwd  enablepasswd
add method     1.2.3.4  telnet

bash-4.2$ clogin -f /usr/share/rancid/.cloginrc 1.2.3.4
1.2.3.4
spawn telnet 1.2.3.4
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.
******************************************************************
******************************************************************
Private Equipement
Acces denied without permission
******************************************************************
******************************************************************

User Access Verification

Password:
Error: Check your passwd for 1.2.3.4

The above fails because Rancid expects a username before continuing. How can I make my configuration work without having to define a username (add user …..)?

Gerhard,

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss@shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
Terry Kennedy | 4 Jan 2013 16:47

[rancid] Updated module for APC network management cards

  7+ years ago, I released a first cut of a RANCID module for pulling
configs from APC network management cards. As part of migrating my
monitoring systems from RANCID 2.3.1 (heavily modified) to 2.3.8, I've
completely re-done the APC modules. Some of the changes are:

  o Based on 2.3.8 clogin / rancid code base - easier to see what I 
    changed if you want to audit the code
  o Now reports the exact APC model number in the "Chassis Type"
    comment line
  o Supports 2nd-generation APC management cards such as the
    AP9630/AP9631
  o Supports a wider variety of FTP clients (different prompts)
  o Better handling of configuration errors (such as specifying a
    non-standard port number)
  o Better handling of errors from the FTP client - errors are now
    detected and reported rather than relying on the timeout mechanism
  o RANCID-CONTENT-TYPE header changed to "apc" from "apc-netmgmt"
  o Greatly expanded the amount of info in the 0-README file

  You can download this version from:
http://www.tmk.com/transient/rancid-apc.tar.gz

  If you want the 2005 version for some reason, it is available as:
http://www.tmk.com/transient/rancid-apc-old.tar.gz

        Terry Kennedy             http://www.tmk.com
        terry@tmk.com               New York, NY USA

David Byers | 4 Jan 2013 16:57

[rancid] Patch for hlogin

I found that rancid failed to log in to some HP switches that were using
radius and had old enough firmware that autoenable wouldn't work. Rancid
didn't recognize the second username prompt, and stopped.

The following patch fixed the problem:

--- hlogin.in.orig      2013-01-04 16:55:08.703640021 +0100
+++ hlogin.in   2013-01-04 16:55:52.824326718 +0100
 <at>  <at>  -696,7 +696,7  <at>  <at> 
     # Figure out prompts
     set u_prompt [find userprompt $router]
     if { "$u_prompt" == "" } {
-       set u_prompt "(Username|login|user name):"
+       set u_prompt "(Username|login|user name|Login Name):"
     } else {
        set u_prompt [join [lindex $u_prompt 0] ""]
     }
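
Review bot: The new `Login Name` alternative on the `set u_prompt` line widens an unanchored default pattern, so banner or MOTD text containing `Login Name:` would now be answered with the username; a comment naming the HP firmware and RADIUS setup that print this second prompt would document why it is there. Because the line above already honours `find userprompt $router`, the same result is available per device through a `userprompt` setting, which is worth stating in the change description for sites that prefer not to patch.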

--

-- 
David Byers
Linköping university

Arthur Chilipweli | 2 Jan 2013 20:41

[rancid] Palo Alto

All, I hope someone can help me out. I have followed up on the configuration of RANCID to pull configs from Palo Alto devices, based on this discussion string found here:

http://www.gossamer-threads.com/lists/rancid/users/6483?page=unread#unread

The login script seems to be working; however, I am unable to pull the configs using the scripts. Can someone please point me in the right direction:

[mdrancid@mdrancid ~]$ panlogin 3040-palo-altofw01
3040-palo-altofw01
spawn ssh -c 3des -x -l admin 3040-palo-altofw01
Password:
Last login: Wed Jan  2 13:22:13 2013 from 10.1.5.14
admin@palo-altofw01 (active)>
admin@palo-altofw01 (active)> exit

But running a test script to pull configs seems not to be working:

[mdrancid@mdrancid ~]$ panlogin -t 120 -c "show config running" 3040-palo-altofw01
3040-palo-altofw01
spawn ssh -c 3des -x -l admin 3040-palo-altofw01
Password:
Last login: Wed Jan  2 13:27:43 2013 from 10.1.5.14
admin@palo-altofw01 (active)>
admin@palo-altofw01 (active)> set cli pager off
admin@palo-altofw01 (active)>
Error: TIMEOUT reached

--Arthur

Aaron Wasserott | 1 Jan 2013 23:29

[rancid] Extra spaces being randomly added - and seen as config changes

I am running RANCID 2.3.8 on Ubuntu 12.04.1 LTS, Precise Pangolin, kernel 3.2.0-35-generic x86_64.

I am seeing some odd behavior when running rancid against Cisco and Mikrotik devices. The output will sometimes have extra spaces – or line breaks maybe? – that are then seen as a config change when it’s not. Two examples below. The first is from a Mikrotik router and the second from a Cisco router.

In the first example an extra space was seen after “sensitive source=" . In the second example the ports listed in the VLAN output break across two lines, but sometimes only one. In this second example, I have noticed it will go back and forth. Sometimes the ports are listed all on one line, sometimes two. I have many Mikrotiks with many lines of configs, so I haven’t checked to see if there is a recurring issue with the same line or not.


-----------------

 

- add name=startup-tone policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source=":for t1 from=1 to=10 step=1 do={\r\n   :for t2 from=300 to=1800 step=40 do={\r \n     :beep frequency=\$t2 length=11ms;\r \n     :delay 11ms;\r \n   }\r \n }\r \n"

+ add name=startup-tone policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source=": for t1 from=1 to=10 step=1 do={\r \n   :for t2 from=300 to=1800 step=40 do={\r \n     :beep frequency=\$t2 length=11ms;\r \n     :delay 11ms;\r \n   }\r \n }\r \n"

 

- !VLAN: 1    default                          active    Fa2, Fa3, Fa4, Fa5, Fa6, Fa7

- !VLAN:                                                 Fa8, Fa9

+ !VLAN: 1    default                          active    Fa2, Fa3, Fa4, Fa5, Fa6, Fa7, Fa8, Fa9

 

-----------------

 

Anyone know how to fix this?

Thanks,

-Aaron


James Bensley | 19 Dec 2012 18:01

Re: [rancid] PfSense Package [semi-solved!]

Hi Danilo

Thanks for that link to the pfSense package. Finding a pfSense plugin
was on my to do list, I just hadn't gotten that far yet. I have this
working now although I had a few issues.

To use this, unpack the three files into your RANCID bin directory.
This is likely something like /usr/lib/rancid/bin/ or
/usr/local/rancid/bin/. In there you will find an existing file
"rancid-fe"; replace or merge it with the new one to update your device
definitions. Now you can add pfSense firewalls to your devices.db file
with the type of "m0n0", which is what you will use for pfSense. Even
though it says m0n0, as pfSense is a fork of m0n0wall, m0n0walls don't
support SSH and this script tries telnet/ssh/rsh so it won't work on them.

Also, note that you must enable SSH on your pfSense box if it isn't
already. I then added a user which only has the right to SSH in.

These scripts are a bit broken though and my scripting skills aren't
the best; so I am in fact stuck. I have hacked them about a bit and
now get the following output in my hourly rancid emails (which you can
trigger manually with rancid-run -r my-pfsense-device.fqdn.com)

Index: configs/my-pfsense-device.fqdn.com
===================================================================
retrieving revision 1.2
diff -U 4 -r1.2 my-pfsense-device.fqdn.com
 <at>  <at>  -1 +1,1769  <at>  <at> 
- exec m0n0login  -t 120 -c "uname -a;cat /cf/conf/config.xml"
my-pfsense-device.fqdn.com
+ my-pfsense-device.fqdn.com
+ spawn ssh -2 -x -l rancid my-pfsense-device.fqdn.com
+ Password:
+ Last login: Wed Dec 19 10:28:47 2012 from 89.21.224.35
+ Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
+ 	The Regents of the University of California.  All rights reserved.
+
+
+  [0;1;33m[ [0;1;37m2.0.1-RELEASE [0;1;33m] [0;1;33m[ [0;1;37mrancid
[0;1;31m <at>  [0;1;37mmy-pfsense-device.fqdn.com [0;1;33m]
[0;1;32m/home/rancid [0;1;33m( [0;1;37m1 [0;1;33m) [0;1;36m [0;1;31m:
[0;40;37m
uname -a
+ FreeBSD my-pfsense-device.fqdn.com 8.1-RELEASE-p6 FreeBSD
8.1-RELEASE-p6 #0: Mon Dec 12 18:59:41 EST 2011
root <at> FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org:/usr/obj./usr/pfSensesrc/src/sys/pfSense_wrap.8.i386
 i386
+  [0;1;33m[ [0;1;37m2.0.1-RELEASE [0;1;33m] [0;1;33m[ [0;1;37mrancid
[0;1;31m <at>  [0;1;37mmy-pfsense-device.fqdn.com [0;1;33m]
[0;1;32m/home/rancid [0;1;33m( [0;1;37m2 [0;1;33m) [0;1;36m [0;1;31m:
[0;40;37m
cat /cf/conf/config.xml
+ <?xml version="1.0"?>
+ <pfsense>

As you can see from this opening snippet there are two problems;
Firstly, the expect script m0n0login is including the SSH MOTD/Banner
stuff (I said my scripting wasn't great, although this doesn't really
matter). Secondly, an issue which does actually matter, when you SSH
to a pfSense box they have coloured terminal output and SSH is
spitting this out (the colouring info) into the expect script, so the
prompt on my test pfSense box which usually looks like this;

[2.0.1-RELEASE][username@my-pfsense-device.fqdn.com]/home/username(1):

Now looks like this;

 [0;1;33m[ [0;1;37m2.0.1-RELEASE [0;1;33m] [0;1;33m[ [0;1;37mrancid
[0;1;31m <at>  [0;1;37mmy-pfsense-device.fqdn.com [0;1;33m]
[0;1;32m/home/rancid [0;1;33m( [0;1;37m1 [0;1;33m) [0;1;36m [0;1;31m:
[0;40;37m

I will continue to try and fix this by either of the below and post
back the fix here once it is solved, but I have no idea how long that
will take;
1 - Someone wiser than me here can tell me how to stop SSH from either
accepting the colouring info from the pfSense box or not display it on
stdout
2 - I find help elsewhere

In the meantime, for you and anyone else that NEEDs to be backing up
pfSense boxes right now I have modified a m0n0wall bash script
which makes commits to the rancid CVS for me and it works just fine
(in a different "branch" though). Similar to the SSH method, add a
rancid user and allow them just access to the diagnostic backup page.
This works with curl over HTTPS:

I hope that helps someone, and I hope someone can help me,
Cheers,
James.

#!/bin/bash
# Backs up a pfSense config and puts it into CVS
# depends on: bash, curl, cvs, date, mktemp, rm

CVSROOT=/var/lib/cvs
export CVSROOT
CVSPROJ=pfsense

## HTTPS firewalls on port 8080...

DEVICES="my-pfsense-device.fqdn.com \
another-pfsense-device.fqdn.com \
3rd-pfsense-device.fqdn.com"

PROTO=https
PORT=8080
USER=rancid
PASS=rancidpassword

for DEVICE in $DEVICES; do
  # Private, unpredictable work directory instead of /tmp/$$
  WORKDIR=$(mktemp -d /tmp/pfsense-backup.XXXXXX) || exit 1
  # Session cookie jar lives outside the CVS checkout so "cvs import"
  # never stores it alongside the configs
  CJAR="$WORKDIR/cjar"
  cd "$WORKDIR" || exit 1
  cvs -Q co "$CVSPROJ"
  cd "$CVSPROJ" || exit 1
  # Login
  # Note: -k turns off TLS certificate verification (--cacert with the
  # firewall's certificate avoids that), and the password is visible in
  # the process list while curl runs.
  curl -k -o /dev/null --cookie "$CJAR" --cookie-jar "$CJAR" \
    --data "login=Login" --data "usernamefld=$USER" --data "passwordfld=$PASS" \
    --location "$PROTO://$DEVICE:$PORT/index.php"
  # Download config file
  curl -k -o "config-$DEVICE.xml" --cookie "$CJAR" --cookie-jar "$CJAR" \
    --data "Submit=download" --data "donotbackuprrd=yes" \
    --location "$PROTO://$DEVICE:$PORT/diag_backup.php"
  # Log out
  curl -k -o /dev/null --cookie "$CJAR" --cookie-jar "$CJAR" \
    --location "$PROTO://$DEVICE:$PORT/index.php?logout"
  echo "config-$DEVICE.xml"
  NOW=$(date +%Y-%m-%d@%H:%M:%S)
  cvs -Q commit -m "backup of $DEVICE config.xml [$NOW]"
  cvs -Q import -m "backup of $DEVICE config.xml [$NOW]" voswall configs release
  cd /tmp
  rm -rf "$WORKDIR"
done
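
The colour-code and banner problems described in the message above can also be handled on the collecting side. As an added example (not part of the original post or of RANCID), the shell functions below strip ANSI CSI sequences, which generalises beyond the colour codes shown, and cut a captured session down to the config.xml document; `strip_ansi`, `extract_config` and `sample_capture` are hypothetical names and the sample session is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# strip_ansi: delete CSI escape sequences (ESC [ parameters letter), which
# include the colour codes in the pfSense prompt, and trailing carriage returns.
strip_ansi() {
  esc=$(printf '\033')
  cr=$(printf '\r')
  LC_ALL=C sed -e "s|${esc}\[[0-9;?]*[A-Za-z]||g" -e "s|${cr}\$||"
}

# extract_config: keep only the XML document from a captured session, dropping
# the login banner, prompts and echoed commands. The exit status is non-zero
# when the closing </pfsense> tag never arrives, so a truncated capture is not
# stored as if it were a complete backup.
extract_config() {
  strip_ansi | awk '
    !on && /<\?xml/      { sub(/^.*<\?xml/, "<?xml"); on = 1 }
    on                   { print }
    on && /<\/pfsense>/  { done = 1; exit }
    END                  { exit !done }
  '
}

# sample_capture: constructed session output with colour codes and CRLF endings.
sample_capture() {
  e='\033'
  p="${e}[0;1;33m[${e}[0;1;37m2.0.1-RELEASE${e}[0;1;33m]${e}[0;40;37m"
  printf 'Last login: Wed Dec 19 10:28:47 2012\r\n'
  printf "${p} cat /cf/conf/config.xml\r\n"
  printf '<?xml version="1.0"?>\r\n<pfsense>\r\n'
  printf '  <hostname>fw-example</hostname>\r\n</pfsense>\r\n'
  printf "${p} exit\r\n"
}

# Demo: prints the four-line XML document from the constructed capture.
sample_capture | extract_config
```

Checking the exit status of `extract_config` before committing keeps a half-received config from being recorded as a valid revision.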

heasley | 18 Dec 2012 22:10

Re: [rancid] Netscreen jlogin

Tue, Dec 18, 2012 at 12:47:03PM -0800, Raymond Eustaquio:
> I am attempting to run this command.
> 
> /home/rancid/bin/flogin -x /usr/bin/isis_foundry_sfo device1  >>
> /var/tmp/sw/device1
> 
> The script never exits because the Netscreen awaits a reply for the
> following question:
> 
> FW1.SVX:FW1a.SVX(M)-> exit
> 
> Configuration modified, save? [y]/n 
> 
> How can I send a reply of 'n' or skip the question altogether?

ah, new reasons to hate foundry.  try the following flogin patch and lmk
if it works.

Index: flogin.in
===================================================================
--- flogin.in	(revision 2654)
+++ flogin.in	(working copy)
 <at>  <at>  -513,7 +513,7  <at>  <at> 

 # Run commands given on the command line.
 proc run_commands { prompt command } {
-    global in_proc
+    global do_saveconfig in_proc
     set in_proc 1

     send -h "skip-page-display\r"
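
Review bot: `do_saveconfig` is added to the `global` line of `run_commands`, but nothing in this hunk shows where it is initialised; if it is unset when the save prompt arrives, reading `$do_saveconfig` raises a Tcl error inside the expect block. Confirm it is set to a default of 0 at top level before `run_commands` is called, or guard the read with `info exists`.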
 <at>  <at>  -543,6 +543,14  <at>  <at> 
 						  return 0
 						}
 	eof					{ return 0 }
+	-re "Configuration modified, save\? \[\r\n]*" {
+						  if {$do_saveconfig} {
+						    catch {send "y\r"}
+						  } else {
+						    catch {send "n\r"}
+						  }
+						  exp_continue
+						}
     }
     set in_proc 0
 }
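
Review bot: In the added `-re "Configuration modified, save\? ..."` pattern, the double quotes let Tcl reduce `\?` to a bare `?` before the regexp engine sees it, so the pattern means an optional `e` followed by a space and cannot match the literal `save? ` that the device prints. Write it as `save\\? ` or put the pattern in braces. The `\[\r\n]*` tail likewise becomes a CR/LF character class that matches nothing before `[y]/n` and can be dropped. Since answering `y` writes the device's configuration during a collection run, a comment stating that `n` is the default would help.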

Raymond Eustaquio | 18 Dec 2012 21:47

[rancid] Netscreen jlogin

I am attempting to run this command.

/home/rancid/bin/flogin -x /usr/bin/isis_foundry_sfo device1  >> /var/tmp/sw/device1

The script never exits because the Netscreen awaits a reply for the following question:

FW1.SVX:FW1a.SVX(M)-> exit
Configuration modified, save? [y]/n

How can I send a reply of ‘n’ or skip the question altogether?

Ray

Nicolai Langfeldt | 18 Dec 2012 15:09

[rancid] new x460 switch and xrancid

Hi,

Got two new extreme x460 switches which xrancid was unhappy with.  Turns 
out that they don't have the VRRP module which xrancid uses as a "ended 
well" marker.

What they do have at the end is this:

   # Module vsm configuration.

So:

--- xrancid.orig        2012-06-12 12:11:00.941479040 +0200
+++ xrancid     2012-12-18 15:00:18.116929275 +0100
 <at>  <at>  -434,7 +434,7  <at>  <at> 
         # catch anything that wasnt match above.
         ProcessHistory("COMMENTS","keysort","H0","$_");
         # VT: end of config-XOS hack, use Module VRRP to flag end, very 
dirty!!!
-       if (/^# End of configuration file|# Module VRRP/i) {
+       if (/^# End of configuration file|# Module VRRP|# Module vsm/i) {
             printf STDERR "    End WriteTerm: $_" if ($debug);
             $found_end = 1;
             return(0);
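
Review bot: In the changed `if (/^# End of configuration file|# Module VRRP|# Module vsm/i)` test the `^` binds only to the first alternative, so `# Module vsm` (like `# Module VRRP`) matches anywhere in a line and sets `$found_end = 1` as soon as that module header is seen. On a switch where other modules follow vsm, the rest of the configuration would be cut off yet recorded as a complete collection. Grouping the alternatives, for example `^\s*# (End of configuration file|Module (VRRP|vsm))`, and noting which models end with vsm would make the end marker less fragile.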

Nicolai

Tyler Bushman | 12 Dec 2012 20:26

[rancid] How to upgrade to 2.3.8

I realize this may be a stupid question, but how do I upgrade from RANCID version 2.3.4 to 2.3.8?

I've found that some of the issues I've been seeing with RANCID and my ProCurve switches have been fixed in the newer version.