Nice summary. thanks!
I finally got it working for ASA post-8.3. I thought I'd share my
findings.

For refresher, I historically had an ASA-specific .cloginrc that
overrode the "method" field and then called the primary .cloginrc.
This was for rancid-1.x - we started with rancid sometime around 2001
or 2002 - where I just copied clogin and rancid as clogin-asa and
rancid-asa and changed the one line from "rancid" to "rancid -f
cloginrc-asa" (a few other small tweaks, but you get the point). When
the 15yr-old-server finally died, we moved to a VM running
rancid-v3.x; rather than try to figure out how to make it work, I just
set about trying to figure out how to make ASAs work the way they're
supposed to.

The kicker? I need telnet as the first method to support my bulk
deployment of really old Cisco Catalysts that don't support SSH and
cause rancid to time out on that, but that was causing timeout errors
for ASAs. Yes, I could have fixed the SSH problem instead, or even
raised RANCiD's timeout, but I'm trying to avoid server-side
customizations - since I head a network shop that only uses servers
where I need to, Cisco configs are easier to manage policy and
compliance rules than server configs.

1. Apply the global config "service resetoutside"
This tells the ASA to send a TCP RST packet if a connection request is
denied, but only when the IP destination is the ASA itself. By
default, the ASA silently discards the TCP SYN when the connection is
denied. Without the RST, telnet times out before returning control
back to the shell. Unfortunately, the telnet timeout was longer than
rancid's timeout.

2. Do not apply the global configs "service resetinbound" or "service
resetoutbound"
I never figured out why this was necessary, but under some conditions
the three commands together weren't playing nice with each
other. Feel free to play with this if you need it.

3. Do not allow telnet to the least-secure interface from anywhere.
If telnet is allowed to the least-secure interface, AKA the interface
with the lowest security-level (check with packet-tracer, you'll see
it at the end despite all the "ALLOW" results), and if your telnet
connection attempt is trying to connect to that interface, the ASA
silently drops the connection request despite the resetoutside
command. Personally I think it's a bug to override the "resetoutside"
command, though I never confirmed it. I also didn't experiment with
any interface except the least-secure interface.

weylin

*Date: *Thursday, September 14, 2017 at 07:53
*Subject: *Re: [rancid] ASA Config for Rancid

Hmm...
https://www.zenoss.com/product/zenpacks/rancid-integration-community

We are in fact using ZenOSS for monitoring/alerting (free version, we
can't afford the licensed version). Now THAT is something interesting
to evaluate. I'll ask someone on my team to evaluate that. Allowing
telnet <shudder> is another possibility. We had also considered
shifting everything into PRIME Infrastructure (which we will anyway
for other reasons than config backups - we did get enough licensing
for that at least), but RANCiD has some capabilities that I like that
PRIME doesn't do so well - consider all the hijinks you can do in
Linux, like aggregating certain parameters across a subset of
devices by doing something like... I don't know if I have the syntax
right, this is just quickly off the top of my head "echo $[`for $(find
-name <pattern> -exec egrep -L <chassis_model> \{} \; ) do grep
<another_regex> | awk '{print $3}' ; done | tr '\n' '+' |
sed 's/+$//'`]" . We haven't yet found a good way to do that in PRIME.

Thanks everyone for the help!

weylin
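
Added example, written for this thread rather than taken from any of the posts or from rancid itself: a small POSIX shell script that works over the per-device config files rancid saves. It does the two things discussed above: the "aggregate a parameter across a subset of devices" idea from the one-liner sketched in this message (select config files whose chassis line matches a model, then sum a field of every line matching a second regex, with a single awk pass instead of the grep/tr/sed chain), and the three-step ASA checklist from the earlier message, applied to the saved ASA configs (report ASAs lacking `service resetoutside`, ASAs carrying `service resetinbound`/`resetoutbound`, and ASAs with a `telnet 0.0.0.0 0.0.0.0 <interface>` line on the interface you name). All device configs are constructed samples written to a temp directory; the `!Chassis type:` line follows rancid's comment style, but the models, hostnames, interface names and the `!Constructed-metric:` line are assumptions, not real device data.

```shell
#!/bin/sh
# Added example, not code from the thread or from rancid: checks across the
# per-device config files rancid saves (<group>/configs/<hostname>). The device
# configs below are constructed samples written to a temp directory; models,
# hostnames, interface names and the "!Constructed-metric:" line are assumptions.

RANCID_CONFIGS=$(mktemp -d)
trap 'rm -rf "$RANCID_CONFIGS"' EXIT

mkconfig() {  # mkconfig <hostname> <config text>
    printf '%s\n' "$2" > "$RANCID_CONFIGS/$1"
}

# Two ASAs set up per the checklist (one with an extra reset service and telnet
# open on "outside"), one ASA that is not, and a Catalyst for contrast.
mkconfig asa-edge-1 '!Chassis type: ASA5525
!Constructed-metric: vpn-peers 42
hostname asa-edge-1
service resetoutside
telnet 10.1.1.0 255.255.255.0 inside'
mkconfig asa-edge-2 '!Chassis type: ASA5525
!Constructed-metric: vpn-peers 8
hostname asa-edge-2
service resetoutside
service resetinbound
telnet 0.0.0.0 0.0.0.0 outside'
mkconfig asa-lab-1 '!Chassis type: ASA5506
hostname asa-lab-1
telnet 10.9.9.0 255.255.255.0 inside'
mkconfig cat-access-7 '!Chassis type: WS-C3560
hostname cat-access-7'

# Select the subset: config files whose chassis line matches a model regex.
# Selecting on the saved config means the naming standard need not encode the model.
files_by_model() {  # files_by_model <model_regex>
    grep -l -E "^!Chassis type: .*$1" "$RANCID_CONFIGS"/*
}
count_by_model() {  # count_by_model <model_regex>
    files_by_model "$1" | awk 'END { print NR }'
}

# Aggregate one parameter across the subset: sum field N of every line matching
# a regex (the grep | awk | tr | sed chain from the thread, in one awk pass).
sum_field() {  # sum_field <line_regex> <field_number> <files...>
    regex=$1; field=$2; shift 2
    awk -v re="$regex" -v f="$field" '$0 ~ re { total += $f } END { print total + 0 }' "$@"
}

# Hostnames of the given files that contain / lack a line matching a regex.
report_matching() {  # report_matching <line_regex> <files...>
    regex=$1; shift
    for f in "$@"; do
        if grep -q -E "$regex" "$f"; then basename "$f"; fi
    done
}
report_lacking() {  # report_lacking <line_regex> <files...>
    regex=$1; shift
    for f in "$@"; do
        if ! grep -q -E "$regex" "$f"; then basename "$f"; fi
    done
}

# The three checklist items from the thread, applied to the saved ASA configs.
asa_missing_resetoutside() { report_lacking '^service resetoutside$' $(files_by_model ASA); }
asa_with_extra_reset()     { report_matching '^service reset(inbound|outbound)$' $(files_by_model ASA); }
asa_telnet_from_anywhere() {  # asa_telnet_from_anywhere <least_secure_interface_name>
    report_matching "^telnet 0\.0\.0\.0 0\.0\.0\.0 $1\$" $(files_by_model ASA)
}

printf 'ASAs in the config tree: %s\n' "$(count_by_model ASA)"
printf 'vpn-peers summed across ASAs: %s\n' "$(sum_field '^!Constructed-metric: vpn-peers' 3 $(files_by_model ASA))"
printf 'ASAs lacking service resetoutside: %s\n' "$(asa_missing_resetoutside)"
printf 'ASAs with resetinbound/resetoutbound: %s\n' "$(asa_with_extra_reset)"
printf 'ASAs allowing telnet from anywhere on outside: %s\n' "$(asa_telnet_from_anywhere outside)"
```

Point `RANCID_CONFIGS` at a real `<group>/configs` directory and drop the `mkconfig` calls to run it against a rancid tree. Because the subset is chosen from the `!Chassis type:` comment in the saved config rather than from the hostname, the same checks work under a function-based naming standard that cannot encode the model.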

*Date: *Tuesday, September 12, 2017 at 17:23
*Subject: *Re: [rancid] ASA Config for Rancid

Zenoss is a tool that has RANCiD integration/plugin connectivity.

*Chris Gauthier*
Senior Network Engineer | comScore, Inc.
o +1 *503-331-2704* <tel:503-331-2704>
317 SW Alder St, Suite 500 | Portland | OR 97204

On 9/12/17, 1:42 PM, "Rancid-discuss on behalf of Ryan West"
Thanks Ryan. We used to do exactly that, but it got to the point
that ASAs
VPN: ... well ok these are just ASAs
Firewall: PIX, ASA, PaloAlto 3k, PaloAlto 7k, PaloAlto 500, and I think there's a
CheckPoint somewhere we haven't yet replaced
NAT: ASA, ASR1k, Catalyst6k, 7301, 3825
Routing: Oh let me count the ways....
BGP Service Advertisement: Nexus7k, ASR9k, ASR1k, 7301, ASA
Since the devices performing a function are so varied, the naming
standard cannot take model into account, merely function. It got to the
point where I was essentially starting to list every ASA by specific
name; after a few of these it became clear this approach wouldn't scale.
And to answer the other question - somewhere around 20,000 devices;
11,000+ VoIP handsets, 6,000-7,000 access points, and 3,000+ of
everything else (though largely only that last are needed in rancid).
Sounds like a fun problem to have. There are some open source NMS
products out there that integrate with RANCID and can probably write
out the file for you, otherwise you would need to modify how RANCID
works and have it switch to the type of device after login with a show
ver command or something similar. Let us know if you come up with
anything though, I like the idea of having the device login decide the
type, or at least a discovery mechanism for RANCID that would write
out the proper lines to .cloginrc.
-ryan
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo/rancid-discuss