Discussion:
[rancid] Problems with getting configuration from a PIX 501.
Steve Ousley
2008-07-15 11:19:57 UTC
I have had rancid installed a little while now, and am noticing problems
with rancid on one pix (not sure if it's on more or not, but this is the
only one I can confirm without going through manually checking all of them).



The problem is that it doesn't seem to be updating the CVS repo with the
latest configurations.



I do know that we occasionally get problems like this with pix's where the
ssh connection doesn't work (usually tell this by running clogin to the pix)
however this manages to ssh in no problems, and gets the enable prompt, see
below:



[CODE]
nagios-1:/usr/local/rancid/var/asa# clogin <firewall>
<firewall>
spawn ssh -c 3des -x -l <rancid-user> <firewall>
<rancid-user>@<firewall>'s password:
Type help or '?' for a list of available commands.
<firewall>>
<firewall>> enable
Password: *
<firewall>#
[/CODE]



As you can see, this is logging into the pix no problems (I have changed any
instance of the hostname to <firewall> and the rancid user, and no, the
password isn't 1 character long).



Using clogin to log into the firewall, I can also run various commands
successfully (sh run, sh ver etc). However the firewall still will not
update.



Does anyone have any ideas?



I have also set the pix to "down" and back to "up" and ran rancid again, to
no avail. This is really confusing me! Since all our other pix's seem to be
working no problems,



Steve Ousley - SO620-RIPE
Nuco Technologies Ltd
***@host-it.co.uk
www.nucotechnologies.com
Tel. 0870 165 1300

Nuco Technologies Ltd is a company registered in England and Wales
with company number 04470751

Steve Ousley
2008-07-15 11:28:52 UTC
Sorry for the fast follow on to this.



I have now found out that it is actually like this on ALL pix's that we
have. Any ASA that we have is working fine, however no pix is updating.



I have tried running rancid -r <pix> and that runs, for about 1 second, then
finishes, where running this on an ASA takes approximately 10 seconds.
There is however no error on the command line when I run "rancid -r <pix>".
This is now confusing me even more! As far as I can tell, rancid is trying
to get the pix configurations, but failing somewhere that I cannot tell. Is
there a way to manually run the process that rancid-run would do in order to
try and see if there's a problem somewhere?



Thanks



Steve Ousley
2008-07-15 12:00:13 UTC
Problem solved



I had a stunning idea to check the logs for the pix on rancid... lord only
knows why I didn't think to do this sooner, but in there it stated that
/tmp/.pix.run.lock existed. Knowing that rancid was not running, I removed
this file, and ran rancid, and now we have updates on all the pix firewalls.
:)



The stupid thing is that I had run ls /tmp numerous times, and not seen
anything there, so assumed that the lock file wasn't there. Stupid me
forgot to run -a with ls so I see hidden files!! I might change rancid's
scripts to not make the lock file a hidden file so ls will see it by default
hehe



Anyway, thanks for the help on this one!! More often than not explaining
your actions to someone gives you a clue.



Note to self... check logs for problems first!



Steve Ousley
2008-07-15 15:56:30 UTC
Oh, ok, I hadn't checked if it was still running, but I do remember running
killall -9 rancid-run before I had done that anyway. So I guess
inadvertently I had made sure it wasn't running, but not really consciously.
=/



-----Original Message-----
From: john heasley [mailto:***@shrubbery.net]
Sent: 15 July 2008 16:54
To: Steve Ousley
Subject: Re: [rancid] Re: Problems with getting configuration from a PIX
501.
Post by Steve Ousley
> Problem solved
> I had a stunning idea to check the logs for the pix on rancid... lord only
> knows why I didn't think to do this sooner, but in there it stated that
> /tmp/.pix.run.lock existed. Knowing that rancid was not running, I removed
> this file, and ran rancid, and now we have updates on all the pix firewalls.
> :)

you should actually check that it's really not running before removing that.
it could have been stuck or it could be a left-over from a system crash.

Steve Ousley
2008-07-16 08:36:35 UTC
Hi Ingabire

I have had a look, and when rancid runs, I also see a fair few instances of
expect running. However looking at the times on these (840 hours for one),
that looks like a bit of a problem, it may just be that it has locked up,
and crashed. Also stuff in [] I think is usually defunct stuff that has
died, but not properly.

I would suggest to ensure that rancid is not running, and then killing these
processes manually. Ensure that no processes exist, and that the lock files
(usually in /tmp) are not there, and then try rancid again.

This is all I can really offer from my limited experience.

Regards



-----Original Message-----
From: Ingabire Grace [mailto:***@rwandatel.rw]
Sent: 15 July 2008 17:26
To: 'Steve Ousley'
Subject: RE: [rancid] Re: Problems with getting configuration from a PIX
501.

Hi Steve,

Congrats as your rancid is now working.
When trying to run rancid, I'm seeing a lot of processes: is this normal? I
think no. I could not see what I made wrong...

rancid 74842 24.1 0.2 2756 2464 ?? R 11:30AM 135:08.47 [expect]
rancid 74924 24.1 0.2 2756 2464 ?? R 11:31AM 133:50.24 [expect]
rancid 76016 24.0 0.2 2756 2464 ?? R 6:01PM 4:40.78 [expect]
rancid 69761 23.9 0.2 2756 2464 ?? R Mon11AM 840:14.06 [expect]
rancid 74837 0.0 0.1 1728 1236 ?? I 11:30AM 0:00.00 [sh]
rancid 75976 0.0 0.2 2856 2436 ?? I 6:01PM 0:00.02 /usr/bin/perl5 /usr/local/libexec/rancid//par -q -n 5 -c rancid-fe \\{} /usr/local/var/rancid
rancid 76000 0.0 0.1 1724 1228 ?? I 6:01PM 0:00.00 sh -c (rancid-fe \\196.xx.xx.xx:cisco)
rancid 76002 0.0 0.3 3596 3124 ?? I 6:01PM 0:00.04 /usr/bin/perl5 /usr/local/libexec/rancid//rancid 196.xx.xx.xx (perl5.8.8)
rancid 76012 0.0 0.1 1728 1236 ?? I 6:01PM 0:00.00 [sh]
rancid 69610 0.0 0.1 1732 1372 p0- I Mon11AM 0:00.00 /bin/sh /usr/local/libexec/rancid/rancid-run
rancid 69613 0.0 0.1 1740 1380 p0- I Mon11AM 0:00.04 /bin/sh /usr/local/libexec/rancid//control_rancid all

Can you please share your knowledge as you make yours working.

Thanks.


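One way to script the check john heasley asks for before removing /tmp/.pix.run.lock, as an added example that is not part of the thread or of rancid itself: it reads a `ps aux` listing and reports each hidden `.<group>.run.lock` as in-use or stale. The function names, the `RANCID_USER` variable and the process-name patterns (taken from the ps output quoted above) are assumptions.

```sh
#!/bin/sh
# Added example (not rancid's own code): classify rancid lock files as
# in-use or stale from a `ps aux` listing before anyone removes them.
# RANCID_USER and the name patterns are assumptions taken from the ps
# output quoted in this thread.

# Filter a `ps aux` listing on stdin down to the rancid user's collector processes.
rancid_procs() {
    awk -v u="${RANCID_USER:-rancid}" \
        '$1 == u && /rancid-run|control_rancid|rancid-fe|libexec\/rancid|clogin|expect/'
}

# lock_status LOCKFILE   (listing on stdin)
# Prints absent, in-use or stale; returns 0 only when the lock is stale.
# Any live rancid process counts as in-use, because the listing does not
# say which group a process is working on.
lock_status() {
    lock=$1
    procs=$(rancid_procs)   # always drain stdin
    if [ ! -e "$lock" ]; then echo absent; return 1; fi
    if [ -n "$procs" ]; then echo in-use; return 2; fi
    echo stale
}

# report_locks DIR LISTING: one "path status" line per hidden .<group>.run.lock
report_locks() {
    dir=$1
    listing=$2
    for lock in "$dir"/.*.run.lock; do
        [ -e "$lock" ] || continue
        printf '%s %s\n' "$lock" "$(printf '%s\n' "$listing" | lock_status "$lock")"
    done
}

# Real use: sh thisfile --check   (reports only, never deletes)
if [ "${1:-}" = "--check" ]; then
    report_locks /tmp "$(ps aux)"
fi
```

A lock reported as in-use with hours-old expect processes behind it is the hung-run case described in the thread; those processes have to be dealt with before the lock is removed.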