Discussion:
[rancid] issue with bigip rancid diff
Shaun Krok
2012-11-29 09:20:53 UTC
Hi there

Please could I ask if someone has some input as to how to fix/stop the following issue.
Rancid and BIGIP boxes using tmsh F5 rancid script are working 100%

But the problem is that the cron which runs every hour is generating an email that shows the following:
The same is generated for every F5 device that is being monitored by Rancid.
It would seem the issue is that the F5 seems to be changing or re-hashing the SNMP password or something like this.

Any help would be much appreciated.


// snip of email diff *****************************************************************************************

iENM_F5_SNMP_1 {

- auth-password-encrypted ";ZdCaD>7S2YO,J6I\\C<dSO;HMSK<,4uDl4AHPXXhcb8Ta>p"

+ auth-password-encrypted "KAaTUL;ZRHjJDPG,SLGKlXZ3JlReGCL;mORiEcKek_cUS9a"

auth-protocol sha

oid-subset .1

- privacy-password-encrypted @fG9HR]i^K4YOVM<g:jTAKFBWN1b,7_RA*mFq_5lg\\P2Z9h

+ privacy-password-encrypted "P;`P9[6`e1iD\\[>UbCakLYcSLm<\?\?=dWCEdcbSXoe[Q;U7o"

privacy-protocol des

security-level auth-privacy

username ENM_F5_SNMP


Shaun Krok
IBM Networking and Security Department

13 Ha'amal St., P.O.Box 11793
Afek Industrial Park, Rosh-Ha'ayin 48092 Israel
Office +972-73-790-2791
Mobile +972-54-2030399
heasley
2012-11-29 22:20:29 UTC
Post by Shaun Krok
Hi there
Please could I ask if someone has some input as to how fix/stop the following issue.
Rancid and BIGIP boxes using tmsh F5 rancid script are working 100%
The same is generated for every F5 device in that is being monitored by Rancid.
It would seem the issue is that the F5 seems to be changing or re-hashing the SNMP password or something like this.
Any help would be much appreciated ???
you would need to add a filter to the script. i'm fairly ignorant of the
F5; in the output of which command does this appear?
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
Shaun Krok
2012-11-30 09:38:33 UTC
Hi there

Thanks for your reply.

The command on the F5 using tmsh is :

I am guessing and have not confirmed but I should just hash this command out of the F5rancid script ?

Thanks

Shaun


(tmos)# list sys snmp users
sys snmp {
users {
iENM_F5_SNMP_1 {
auth-password-encrypted "***@K@kT::OA3<[Eik_\?_OIYSb=N7:_<c\\]2R4[\?Ck_A:m"
auth-protocol sha
oid-subset .1
privacy-password-encrypted "EX\\AHd:HY_QV/H2]a_Y,HS\\RH:=2g5A<TbP<>VGd>16^V9F"
privacy-protocol des
security-level auth-privacy
username ENM_F5_SNMP

heasley
2012-12-01 17:34:11 UTC
Post by Shaun Krok
Hi there
Thanks for your reply.
I am guessing and have not confirmed but I should just hash this command out of the F5rancid script ?
Thanks
Shaun
(tmos)# list sys snmp users
sys snmp {
users {
iENM_F5_SNMP_1 {
auth-protocol sha
oid-subset .1
privacy-password-encrypted "EX\\AHd:HY_QV/H2]a_Y,HS\\RH:=2g5A<TbP<>VGd>16^V9F"
privacy-protocol des
security-level auth-privacy
username ENM_F5_SNMP
it does not use that command; it uses these:

{'bigpipe version' => 'ShowVersion'},
{'bigpipe platform' => 'ShowPlatform'},
{'cat /config/bigip.license' => 'ShowLicense'},
{'bigpipe monitor list all' => 'ShowMonitor'},
{'bigpipe profile list' => 'ShowProfile'},
{'bigpipe base list' => 'ShowBaseRun'},
{'bigpipe db show' => 'ShowDb'},
{'bigpipe route static show' => 'ShowRouteStatic'},
{'ls --full-time --color=never /config/ssl/ssl.crt' => 'ShowSslCrt'},
{'ls --full-time --color=never /config/ssl/ssl.key' => 'ShowSslKey'},
{'bigpipe list' => 'WriteTerm'}
Shaun Krok
2012-12-02 07:44:14 UTC
Thanks - okay, so the command used is: bigpipe base list
If I grep for the SNMP user I see it, but now how do I filter this command to not show the usmuser?

Thank you for your help thus far

Shaun


usmuser iENM_F5_SNMP_1 {
access ro
auth password crypt "*VQ3\\1fLG;JlcWfvB?M>=RsRL[1T]*92A+0hr`T@\\QT\\P9:"
auth protocol SHA
oid ".1"
privacy password crypt "c)Yi:O-4o=X<Km1SV`=V:[]JZ2bFoA;dpYh<L[0fc7OT7:V"
privacy protocol DES
security level authPriv
username "ENM_F5_SNMP"

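The kind of filter discussed above, as a stand-alone Perl sketch: this is an added example, not code from rancid or from any poster, and the helper names `mask_snmp_secret` and `normalize` and the sample blocks are constructed for illustration. It goes beyond the single case in the thread by masking both the auth and the privacy values, in both the tmsh and the bigpipe syntax quoted here.

```perl
#!/usr/bin/perl
# Added example, not rancid code: mask SNMPv3 secrets that the BIG-IP
# re-encrypts on every listing, so repeated polls compare equal.
use strict;
use warnings;

# Keywords preceding a secret in the two syntaxes quoted in the thread:
#   tmsh:    auth-password-encrypted / privacy-password-encrypted
#   bigpipe: auth password crypt     / privacy password crypt
my $KEY = qr/(?:auth|privacy)(?:-password-encrypted| password crypt)/;

# Value: a double-quoted string (a backslash escapes the next character,
# so an escaped quote does not end it early) or a bare token.
my $VALUE = qr/"(?:[^"\\]|\\.)*"|\S+/;

# Hypothetical helper: return one line with any secret value replaced.
sub mask_snmp_secret {
    my ($line) = @_;
    $line =~ s/^(\s*$KEY)\s+$VALUE/$1 <removed>/;
    return $line;
}

# Apply the mask to a whole command output, keeping line endings.
sub normalize {
    my ($text) = @_;
    return join '', map { mask_snmp_secret($_) } split /^/m, $text;
}

# Constructed sample (not real device output): one user in each syntax.
my $poll1 = <<'EOT';
usmuser example_user {
   access ro
   auth password crypt "AAAA\\constructed\"one"
   auth protocol SHA
   privacy password crypt "BBBB;constructed<one"
   privacy protocol DES
}
example_user {
    auth-password-encrypted "CCCC,constructed>one"
    auth-protocol sha
    privacy-password-encrypted DDDD^constructed@one
    privacy-protocol des
}
EOT

# Second poll: same configuration, different ciphertext for every secret.
(my $poll2 = $poll1) =~ s/one/two/g;

printf "raw polls differ:        %s\n", $poll1 ne $poll2 ? 'yes' : 'no';
printf "normalized polls differ: %s\n",
    normalize($poll1) ne normalize($poll2) ? 'yes' : 'no';
print normalize($poll1);
```

Masking the value rather than dropping the line keeps the presence of the SNMPv3 user under change control while keeping the ciphertext out of the repository and the diff mails.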
Chris Moody
2012-12-05 22:25:32 UTC
So this actually raises a somewhat related point.

We actually just got some new F5 gear in recently and bigpipe is no
longer a supported command.

I wanted to check in to see if any development efforts were underway on
a 'tmsh' version of the F5 backup routine.

=====
[***@qdc-sl01-lb1:/S1-green-P:Active] config # bigpipe
/bin/bigpipe: bigpipe is no longer supported; please use tmsh.
-----
***@qdc-sl01-lb1(/S1-green-P:Active)(/Common)(tmos.sys.version)# show

Sys::Version
Main Package
Product BIG-IP
Version 11.1.0
Build 2027.0
Edition Hotfix HF2
Date Mon Feb 20 22:39:59 PST 2012
=====

Cheers,
-Chris
Darius Seroka
2012-12-06 09:26:39 UTC
Same problem here, a couple of devices with 11.x software. In the meantime
I am using the devcentral backup scripts which work well but have not got
rancid commands onto tmsh yet. There are a couple of example patches that
have changed things to tmsh but these were likely never submitted to
shrubbery.

Darius
Adam Korab
2012-12-06 16:42:10 UTC
I'll see what I can do regarding mapping the bigpipe commands in cmdtable
over to their tmsh equivalents.

Here's the deal - tmos (the underlying OS for all BIG-IP modules like LTM,
GTM, APM etc) used bigpipe (b) through version 9 and it coexists with tmsh
in v10. In v11.0 and up, it's tmsh exclusively.

--Adam
--
Adam Korab

Ian Stong
2012-12-06 22:36:26 UTC
There is a script for rancid for v10 and v11 for F5's available via google. Have you already tried that version?

Ian

Mick O'Rourke
2012-12-06 21:18:48 UTC
There is a working tmsh version in the rancid git repo.

The only thing that doesn't work when adjusting the script to list all
partition co config is a tmsh -q -c "cd /; list recursive" - it errors out
due to extra double quotes required by the -c option.
Darius Seroka
2012-12-07 10:32:29 UTC
Mick,

Cheers for your reply, never knew about the git repository with these
updates. Only ever looked at shrubbery.net's pages. Will give this a go.

Regards,
Darius
heasley
2012-12-05 01:24:20 UTC
Post by Shaun Krok
Post by Shaun Krok
Hi there
Please could I ask if someone has some input as to how fix/stop the following issue.
Rancid and BIGIP boxes using tmsh F5 rancid script are working 100%
The same is generated for every F5 device in that is being monitored by Rancid.
It would seem the issue is that the F5 seems to be changing or re-hashing the SNMP password or something like this.
Any help would be much appreciated ???
you would need to add a filter to the script. i'm fairly ignorant of the F5; in the output of which command does this appear?
Post by Shaun Krok
// snip of email diff
**********************************************************************
*******************
iENM_F5_SNMP_1 {
- auth-password-encrypted ";ZdCaD>7S2YO,J6I\\C<dSO;HMSK<,4uDl4AHPXXhcb8Ta>p"
+ auth-password-encrypted "KAaTUL;ZRHjJDPG,SLGKlXZ3JlReGCL;mORiEcKek_cUS9a"
auth-protocol sha
oid-subset .1
+ privacy-password-encrypted "P;`P9[6`e1iD\\[>UbCakLYcSLm<\?\?=dWCEdcbSXoe[Q;U7o"
privacy-protocol des
security-level auth-privacy
username ENM_F5_SNMP
as follows:

Index: bin/f5rancid.in
===================================================================
--- bin/f5rancid.in (revision 2654)
+++ bin/f5rancid.in (working copy)
@@ -184,6 +184,8 @@
if (!$line++) {
ProcessHistory("SHOWBASE","","","#\n#base:\n");
}
+ if (/(auth-password-encrypted )\S+/) &&
+ ProcessHistory("SHOWBASE","","","# $1 <removed>") && next;
ProcessHistory("SHOWBASE","","","# $_") && next;
}
return(0);
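Review bot: The added statement "if (/(auth-password-encrypted )\S+/) &&" is not valid Perl, because an if (...) condition cannot be continued with "&&"; drop the "if" and the outer parentheses so the line has the same "match && ProcessHistory(...) && next;" shape as the existing line below it. The replacement string "# $1 <removed>" also ends without "\n", while the header call two lines up writes its newlines explicitly, so the masked line would run into the next one unless "\n" is appended. Finally, the pattern covers only auth-password-encrypted, but the diff reported in this thread shows privacy-password-encrypted changing on every run as well, so the match needs to cover both, for example "(?:auth|privacy)-password-encrypted", or the hourly mail will continue.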