Discussion:
[rancid] Fortigate problem
Charles van der Spuy
2013-05-20 10:24:19 UTC
I hope someone can assist me.

I have recently upgraded to rancid 2.3.8 and this seems to have broken
the Fortigate module.
Cisco devices still work and I am able to manually login to Fortigate
devices using clogin.

When I run the full rancid-run I get the following in the logfile:

Trying to get all of the configs.
ftg1-universal fnlogin error: Error: Couldn't login: ftg1-universal
ftg1-universal: missed cmd(s): show full-configuration,get system status
0: found end
ftg1-universal: End of run not found
etc.....

I'm getting to the end of my tether on this one and don't want to have
to degrade to an earlier version.
Has anybody been experiencing the same?

Charles van der Spuy.
bob watson
2013-05-20 11:37:29 UTC
Charles,

Key to debugging login errors is to ensure that your environment since
upgrade has stayed the same for authentication.

I have no knowledge specific to Fortigate, but make sure you make use of
the debugging switches to see what is happening with the device login.

Expect has wonderful debugging switches on its own, and all output can be
logged.

Unfortunately you don't list what you have tried, so it makes it hard for
us to give anything but general advice. Granted, there may be
something peculiar to the device, but this can generally be captured by
using the Expect exp_internal switches.

Cheers,




Bob Watson
BAppSci, MACS, CP

Dean Searle
2013-05-20 13:48:39 UTC
I agree with Bob, more information would be helpful to assist with your problem. What version of software is your Fortigate running? What have you tried to resolve your problem so far? Don't want to send you the same steps that you might have already done.

I have both Fortigate 300C and 100D in house. I had version 2.3.8 running prior to the Fortigates being installed though. We have FortiGate 5.0.1 (build 147) on the 300C and 5.0.2 (build 179) on our 100D.


Charles van der Spuy
2013-05-20 14:43:30 UTC
Gentlemen,

Thanks for all the input to my problem.
Gareth, you get the prize. As a quick fix I've changed ssh to ssh:22 in
.cloginrc and the sun suddenly rose in the east!
Thanks to Bob and Dean I'd already started the debug process and picked
up some kind of problem with the port number but I was still a way away
from fixing it.

Clearly the problem is in fnlogin (not fnrancid Gareth :-) and I feel
this should be changed in the package so that others don't have the same
problem.
Any help on what I can do to get this changed in the original package?
I guess a note to Shrubbery would be a good start.

Again, thanks all and greetings from a sunny Durban, South Africa.

Charles.
heasley
2013-05-20 15:24:59 UTC
Post by Charles van der Spuy
Gentlemen,
Thanks for all the input to my problem.
Gareth, you get the prize. As a quickfix I've changed ssh to ssh:22 in
.cloginrc and the sun suddenly rose in the east !!
Thanks to Bob and Dean I'd already started the debug process and picked
up some kind of problem with the port number but I was still a way away
from fixing it.
Clearly the problem is in fnlogin (not fnrancid Gareth :-) and I feel
this should be changed in the package so that others don't have the same
problem.
Any help on what I can do to get this changed in the original package ?
I guess a note to Shrubbery would be a good start.
I do not see the problem with executing ssh. fnlogin does not set a port
or do anything unusual. you will have to be more specific.
Skoog, Robert
2013-05-20 15:41:13 UTC
Actually you put up a patch to the mailing list previously which resolves this issue:

http://www.gossamer-threads.com/lists/rancid/users/6488

I can't seem to find the post on the shrubbery archives though. I know the patch resolved my issues when using SSH to connect to fortinets. I also put up a patch a while ago dealing with devices with and without vdoms. Devices without vdoms seem not to like having configuration commands sent after the config global command is sent.

http://www.shrubbery.net/pipermail/rancid-discuss/2013-March/006715.html

heasley
2013-05-20 16:06:28 UTC
Post by Skoog, Robert
http://www.gossamer-threads.com/lists/rancid/users/6488
thanks; that had been committed. I missed the difference when I looked at
2.3.8.
Post by Skoog, Robert
I can't seem to find the post on the shrubbery archives though. I know the patch resolved my issues when using SSH to connect to fortinets. I also put up a patch a while ago dealing with devices with and without vdoms. Devices without vdoms seem not to like having configuration commands sent after the config global command is sent.
http://www.shrubbery.net/pipermail/rancid-discuss/2013-March/006715.html
what effect does that have when vdoms are not in use?

what is being matched here:
+ expect {
+ -re "tion: ena" { expect -re $prompt; send "config global\r"}
+ -re "tion: dis" {}
+ }
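Review bot: the quoted `expect` block has no `timeout` or `default` arm, so on a device whose `get system status` output has no "Virtual domain configuration:" line, or one that stops responding, neither `-re "tion: ena"` nor `-re "tion: dis"` fires and the login script sits there until the expect timeout with no error reported; add a `timeout { ... }` arm that fails the login explicitly. Both patterns are also eight-character fragments that can match anywhere in the accumulated buffer, so anchor on the full key (e.g. `-re "Virtual domain configuration: enable"`) so that an unrelated line cannot trigger `send "config global\r"`.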
Skoog, Robert
2013-05-20 16:43:58 UTC
The command before it gives this output:

Somefortinethost # get system status
Version: FortiWiFi-80CM v4.0,build0637,120817 (MR3 Patch 9)
Virus-DB: 17.00657(2013-05-19 11:39)
Extended DB: 14.00000(2011-08-24 17:09)
IPS-DB: 4.00343(2013-05-16 00:16)
FortiClient application signature package: 4.343(2013-05-20 01:43)
Serial-Number: FW80CM111111111111
BIOS version: 04000004
Log hard disk: Not available
Internal Switch mode: switch
Hostname: SomeHostName
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 2 in NAT mode, 0 in TP mode
Virtual domain configuration: enable
FIPS-CC mode: disable
Current HA mode: standalone
Wifi Chipset: Ralink RT2860
WiFi firmware version: 2.1.3.0
Distribution: International
Branch point: 637
Release Version Information: MR3 Patch 9
System time: Mon May 20 12:36:30 2013

SomeHostname #

That Regex matches for this line:
Virtual domain configuration: enable

I tried some longer regexes, but had problems with the output being chunked or something. If vdoms are enabled the "config global" command is sent; if they aren't, it just picks up at the next prompt. While the commands currently used by fnrancid work fine without the patch, we noticed issues when we tried to also the configuration of a device using a list of commands if the config global was sent by rancid and the device didn't use vdoms.

heasley
2013-05-20 17:43:23 UTC
Post by Skoog, Robert
Virtual domain configuration: enable
I tried some longer regexes, but had problems with the output being chunked or something. If vdoms are enabled the "config global" command is sent if they aren't it just picks up at the next prompt. While the command currently used by fnrancid work fine without the patch we noticed issues when we tried to also the configuration of a device using a list of commands if the config global was sent by rancid and the device didn't use vdoms.
Your match is just as likely to be missed. What happens is that the data
does not necessarily arrive all at once or even be read from the socket all
at once. You can't rely on having a complete line unless you force the
behavior by using line mode if the device supports it or
expect {
    something
    else
    the other
    -re "^\[^\n\r]*\[\r\n]" { # stuff we don't care about
        exp_continue
    }
}

anyway, I expect that removing that stuff from fnlogin and handling the
paging without making config changes would be a better path.
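To make the chunked-input problem discussed above concrete (Robert's longer regexes failing, and heasley's point that a pattern is tested against the expect buffer before the whole line has arrived), here is an added Python simulation of expect's matching loop. It is not code from rancid or from anyone in this thread; the device output, the read boundary and the `expect_sim` helper are constructed for the demonstration, and it goes one step beyond the thread by showing the line-anchored capture beside the naive one.

```python
import re

# Constructed slice of "get system status" output, modelled on the sample
# posted in this thread (hostname and values are made up).
OUTPUT = (
    "Current virtual domain: root\r\n"
    "Max number of virtual domains: 10\r\n"
    "Virtual domain configuration: enable\r\n"
    "FIPS-CC mode: disable\r\n"
    "SomeHostname # "
)
PROMPT = r"SomeHostname # $"


def split_at(text, marker):
    """Split text into two chunks just after marker (a simulated read boundary)."""
    i = text.index(marker) + len(marker)
    return [text[:i], text[i:]]


# The socket hands the interesting line over in two reads, boundary mid-word.
CHUNKS = split_at(OUTPUT, "configuration: en")


def expect_sim(arms, chunks):
    """Simplified model of expect: after every chunk, try the arms in order
    against the whole accumulated buffer. On a match the buffer is consumed
    up to the end of the match and the action runs; an action returning
    None behaves like exp_continue, anything else ends the expect."""
    buf = ""
    for chunk in chunks:
        buf += chunk
        while True:
            for rx, action in arms:
                m = rx.search(buf)
                if m:
                    buf = buf[m.end():]
                    result = action(m)
                    if result is not None:
                        return result, buf
                    break          # exp_continue: rescan from the first arm
            else:
                break              # no arm matched; wait for more data
    return None, buf


def naive_capture():
    """A value capture with no line anchor fires on the partial line."""
    arms = [
        (re.compile(r"Virtual domain configuration: (\S+)"), lambda m: m.group(1)),
        (re.compile(PROMPT), lambda m: "prompt"),
    ]
    return expect_sim(arms, CHUNKS)[0]      # -> "en", not "enable"


def anchored_capture():
    """Anchor the capture on the line terminator and discard complete lines
    we do not care about (heasley's exp_continue arm), so the value is only
    read once the whole line is in the buffer."""
    arms = [
        (re.compile(r"Virtual domain configuration: (\S+)\r?\n"), lambda m: m.group(1)),
        (re.compile(r"^[^\r\n]*\r?\n"), lambda m: None),   # a full line we don't want
        (re.compile(PROMPT), lambda m: "prompt"),
    ]
    return expect_sim(arms, CHUNKS)[0]      # -> "enable"
```

Real expect also discards the front of the buffer once it exceeds match_max, so the anchored pattern should additionally be paired with a timeout arm rather than waiting indefinitely.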
Skoog, Robert
2013-05-20 19:23:17 UTC
heasley
2013-05-20 22:48:14 UTC
Post by Skoog, Robert
Yes, just handling the paging would be a better option. Unfortunately I don't think anyone has gotten it working without disabling paging. I tried for a bit, but then gave up and implemented that hack to determine if vdoms were enabled or not just to get it working for us.
Well, I do not have access to one of these. It shouldn't be hard to add;
there are a few devices with rancid scripts whose pager can not be
disabled, the PIX for example. You could look at clogin for pager handling
clues.
Gareth Hopkins
2013-05-20 14:02:59 UTC
Hi Charles,

I had the same issue as per http://www.shrubbery.net/pipermail/rancid-discuss/2012-May/006382.html

The following change in fnrancid should work

Replace

} elseif [string match "ssh*" $prog] {
    regexp {ssh(:([^[:space:]]+))*} $prog methcmd suffix port
    set cmd $sshcmd
    if {"$port" == ""} { #BAD!!
        set cmd "$cmd -p $port"
    }

with

} elseif [string match "ssh*" $prog] {
    regexp {ssh(:([^[:space:]]+))*} $prog methcmd suffix port
    set cmd $sshcmd
    if {"$port" != ""} {
        set cmd "$cmd -p $port"
    }

Regards,
Gareth