EatCommand just takes care of registering and aligning for the next command since that command doesnât produce any ouput, but you still need to do something with what echoes back to expect.
Your below panlogin to firewallv5 worked perfectly.
You can see it repeating each word and building until cli scripting-mode is on, and then everything after that works ok.
Yet it didnât work for firewallv6. This seems like a bug. Iâd open a case with support.paloaltonetworks.com to see whatâs going on. Something weird is causing the cli scripting-mode on to fail.
From: Chip Pleasants [mailto:***@gmail.com]
Sent: Wednesday, June 18, 2014 12:12 PM
To: Hughes, Doug
Cc: rancid-***@shrubbery.net
Subject: Re: [rancid] Panrancid with PAN 6.0
I think I see what you are talking about now. Here are the two examples. One from a version 6 and one from a version 5. Now the odd part is when I perform this test manually turning on 'set cli scripting-mode on' it doesn't auto-complete on versions 6.0.2 or 5.0.11. Would there be a difference with the EatCommand portion of the script? Thanks for taking the time to work with me Doug.
[***@cmh1vlobs01 rancid]$ /usr/libexec/rancid/panrancid -d FIREWALLV5.domain.com<http://FIREWALLV5.domain.com>
executing panlogin -t 90 -c"set cli scripting-mode on;set cli pager off;show system info;show config running" FIREWALLV5.domain.com<http://FIREWALLV5.domain.com>
line: FIREWALLV5.domain.com<http://FIREWALLV5.domain.com>
line: ***@FIREWALLV5(active)>
line: ***@FIREWALLV5(active)> set ***@FIREWALLV5(active)> set cli ***@FIREWALLV5(active)> set cli scripting-mode ***@FIREWALLV5(active)> set cli scripting-mode on
PROMPT MATCH: ***@FIREWALLV5\(active\)[#>]
HIT COMMAND:***@FIREWALLV5(active)> set ***@FIREWALLV5(active)> set cli ***@FIREWALLV5(active)> set cli scripting-mode ***@FIREWALLV5(active)> set cli scripting-mode on
COMMAND is: set cli scripting-mode on|EatCommand
HIT COMMAND:***@FIREWALLV5(active)> set cli pager off
COMMAND is: set cli pager off|EatCommand
HIT COMMAND:***@FIREWALLV5(active)> show system info
COMMAND is: show system info|ShowInfo
In ShowInfo:: ***@FIREWALLV5(active)> show system info
HIT COMMAND:***@FIREWALLV5(active)> show config running
COMMAND is: show config running|ShowConfig
In ShowConfig: ***@FIREWALLV5(active)> show config running
line:
exiting
[***@cmh1vlobs01 rancid]$
[***@cmh1vlobs01 rancid]$ /usr/libexec/rancid/panrancid -d FIREWALLV6.domain.com<http://FIREWALLV6.domain.com>
executing panlogin -t 90 -c"set cli scripting-mode on;set cli pager off;show system info;show config running" FIREWALLV6.domain.com<http://FIREWALLV6.domain.com>
line: FIREWALLV6.domain.com<http://FIREWALLV6.domain.com>
line: ***@FIREWALLV6(active)>
line: ***@FIREWALLV6(active)> set ***@FIREWALLV6(active)> set cli ***@FIREWALLV6(active)> set cli scripting-mode ***@FIREWALLV6(active)> set cli scripting-mode on
PROMPT MATCH: ***@FIREWALLV6\(active\)[#>]
HIT COMMAND:***@FIREWALLV6(active)> set ***@FIREWALLV6(active)> set cli ***@FIREWALLV6(active)> set cli scripting-mode ***@FIREWALLV6(active)> set cli scripting-mode on
COMMAND is: set cli scripting-mode on|EatCommand
HIT COMMAND:***@FIREWALLV6(active)> set ***@FIREWALLV6(active)> set cli ***@FIREWALLV6(active)> set cli pager ***@FIREWALLV6(active)> set cli pager off
COMMAND is: set cli pager off|EatCommand
HIT COMMAND:***@FIREWALLV6(active)> show ***@FIREWALLV6(active)> show system ***@FIREWALLV6(active)> show system info
COMMAND is: show system info|ShowInfo
In ShowInfo:: ***@FIREWALLV6(active)> show ***@FIREWALLV6(active)> show system ***@FIREWALLV6(active)> show system info
FIREWALLV6.domain.com<http://FIREWALLV6.domain.com>: missed cmd(s): show config running
FIREWALLV6.domain.com<http://FIREWALLV6.domain.com>: missed cmd(s): show config running
FIREWALLV6.domain.com<http://FIREWALLV6.domain.com>: End of run not found
FIREWALLV6.domain.com<http://FIREWALLV6.domain.com>: End of run not found
#
[***@cmh1vlobs01 rancid]$ !
-Chip
On Wed, Jun 18, 2014 at 11:35 AM, Hughes, Doug <***@deshawresearch.com<mailto:***@deshawresearch.com>> wrote:
It doesnât look like it is from your very first debugging output:
COMMAND is: show system info|ShowInfo
In ShowInfo:: ***@FIREWALL(active)> show ***@FIREWALL(active)> show system ***@FIREWALL(active)> show system info
if scripting-mode was on, we wouldnât see the stuff in red. (html mode on to read). The fact that the extra prompts show up indicates that it is intercepting the spaces and attempting to do âhelpful command completionâ.
From: Chip Pleasants [mailto:***@gmail.com<mailto:***@gmail.com>]
Sent: Wednesday, June 18, 2014 8:52 AM
To: Hughes, Doug
Cc: rancid-***@shrubbery.net<mailto:rancid-***@shrubbery.net>
Subject: Re: [rancid] Panrancid with PAN 6.0
It doesn't appear to be a bug, because I think its operating as you describe. When I turn on 'set cli scripting-mode on' it doesn't autocomplete on versions 6.0.2 or 5.0.11. Any other thoughts what could be going on?
Thanks,
Chip
On Tue, Jun 17, 2014 at 3:34 PM, Hughes, Doug <***@deshawresearch.com<mailto:***@deshawresearch.com>> wrote:
Hrm. Yes, I had it correct the first time. (oof, busy day)
âonâ is needed to prevent this âfeatureâ:
line: ***@FIREWALL(active)> set ***@FIREWALL(active)> set cli ***@FIREWALL(active)> set cli pager ***@FIREWALL(active)> set cli pager off
After each space, it does essentially a rewrite of the line as it tried to âauto-correctâ you from typing the wrong thing. This gets in the way of parsing with expect quite heavily, so I attempt to disable it as soon as possible. If set cli scripting-mode on does not cause this to stop (and it looks like it doesnât), then that appears to be a bug. You can also see this by using type script:
Hereâs how it looks at the command line:
Drdgpfs0002:/tmp$ script
drdgpfs0002:/tmp$ ssh -l admin paloalto.en
***@paloalto.en's<mailto:***@paloalto.en's> password:
Last login: Tue Jun 17 15:05:06 2014 from drdbcntl.en.desres.deshaw.com<http://drdbcntl.en.desres.deshaw.com>
Welcome admin.
***@paloalto.en<mailto:***@paloalto.en>> set cli scripting-mode on
***@paloalto.en<mailto:***@paloalto.en>> set cli ? <ENTER here>
Invalid syntax.
***@paloalto.en<mailto:***@paloalto.en>> exit
Here's how it looks in the corresponding typescript file:
i Script started on Tue 17 Jun 2014 03:25:13 PM EDT
drdgpfs0002:/tmp$ ssh -l admin paloalto
***@paloalto.en's<mailto:***@paloalto.en's> password: ^M
Last login: Tue Jun 17 15:05:06 2014 from drdbcntl.en.desres.deshaw.com<http://drdbcntl.en.desres.deshaw.com>^M^M
Welcome admin.^M
***@paloalto.en<mailto:***@paloalto.en>> set ^M^[[***@paloalto.en> set cli ^M^[[***@paloalto.en>
set cli scripting-mode ^M^[[***@paloalto.en> set cli scripting-mode on^M
***@paloalto.en<mailto:***@paloalto.en>> set cli ?^M
^M
Invalid syntax.^M
***@paloalto.en<mailto:***@paloalto.en>> exit^M
Connection to paloalto.en closed.^M^M
drdgpfs0002:/tmp$ exit^M^M
exit^M
Script done on Tue 17 Jun 2014 03:25:34 PM EDT
If 'set cli scripting-mode on' doesn't disable the 'space' feature, then the rest of the expect is very iffy at best and difficult to manage
Here's another way to confirm the behavior
Type config <space>
If it autocompletes to 'configure', then cli scripting-mode is not on and results *will* vary.
Disabling the pager is also important since it disables the --more-- when show config is running.
I am running 6.0.2 but no HA on PA-3020 and PA-2050
From: Chip Pleasants [mailto:***@gmail.com<mailto:***@gmail.com>]
Sent: Tuesday, June 17, 2014 3:21 PM
To: Hughes, Doug
Cc: rancid-***@shrubbery.net<mailto:rancid-***@shrubbery.net>
Subject: Re: [rancid] Panrancid with PAN 6.0
Tried it on both versions. Seems like they both yield the same result. Doesn't the script turn cli scripting-mode on? Or do we don't really care that's its on or off?
***@FIREWALLV6(active)> set cli scripting-mode off
***@FIREWALLV6(active)> set cli scripting-mode
off off
on on
***@FIREWALLV6(active)> set cli scripting-mode
***@FIREWALLV5(active)> set cli scripting-mode off
***@FIREWALLV5(active)> set cli scripting-mode
off off
on on
***@FIREWALLV5(active)> set cli scripting-mode
-Chip
On Tue, Jun 17, 2014 at 3:10 PM, Hughes, Doug <***@deshawresearch.com<mailto:***@deshawresearch.com>> wrote:
Sorry, I meant âoffâ, you need to set it to off and then try the ? test.
From: Chip Pleasants [mailto:***@gmail.com<mailto:***@gmail.com>]
Sent: Tuesday, June 17, 2014 2:48 PM
To: Hughes, Doug
Cc: rancid-***@shrubbery.net<mailto:rancid-***@shrubbery.net>
Subject: Re: [rancid] Panrancid with PAN 6.0
Here's what I get. I get the same result from a version 5.x PA. I removed the "set cli scripting-mode on" from the script to test. Version 5.x PA works and version 6.x PA end up with the same result.
***@FIREWALL(active)> set cli scripting-mode on
***@FIREWALL(active)> set cli scripting-mode ?
? is not one of <on|off>
Invalid syntax.
***@FIREWALL(active)>
line: ***@FIREWALL(active)> set ***@FIREWALL(active)> set cli ***@FIREWALL(active)> set cli pager ***@FIREWALL(active)> set cli pager off
PROMPT MATCH: ***@FIREWALL\(active\)[#>]
HIT COMMAND:***@FIREWALL(active)> set ***@FIREWALL(active)> set cli ***@FIREWALL(active)> set cli pager ***@FIREWALL(active)> set cli pager off
COMMAND is: set cli pager off|EatCommand
HIT COMMAND:***@FIREWALL(active)> show ***@FIREWALL(active)> show system ***@FIREWALL(active)> show system info
COMMAND is: show system info|ShowInfo
In ShowInfo:: ***@FIREWALL(active)> show ***@FIREWALL(active)> show system ***@FIREWALL(active)> show system info
FIREWALL.dswinc.net<http://FIREWALL.dswinc.net>: missed cmd(s): show config running
FIREWALL.dswinc.net<http://FIREWALL.dswinc.net>: missed cmd(s): show config running
FIREWALL.dswinc.net<http://FIREWALL.dswinc.net>: End of run not found
FIREWALL.dswinc.net<http://FIREWALL.dswinc.net>: End of run not found
#
[***@server rancid]$
On Tue, Jun 17, 2014 at 2:28 PM, Hughes, Doug <***@deshawresearch.com<mailto:***@deshawresearch.com>> wrote:
Ah, you are running in HA mode I see. That could be throwing things off, but I think I fixed that in 2013 sometime.
(I donât run any in HA)
It looks to me like âset cli scripting-mode onâ is failing
To confirm this, login to the PA at command line, then type set cli scripting-mode on
Now type âset cli scripting-mode ?â
If you get any sort of command completion, the cli scripting mode setting is not working and needs to be turned into a PA bug report. That is what it looks like it is happening by looking at the command staggering for subsequent lines.
From: Chip Pleasants [mailto:***@gmail.com<mailto:***@gmail.com>]
Sent: Tuesday, June 17, 2014 1:39 PM
To: Hughes, Doug
Cc: rancid-***@shrubbery.net<mailto:rancid-***@shrubbery.net>
Subject: Re: [rancid] Panrancid with PAN 6.0
Thanks Doug. I am running the most recent version, but for grins I replaced them anyway. Still seeing the issue on two sets. The others seem to work fine. Anything I provide that help find the trouble?
-Chip
On Mon, Jun 16, 2014 at 4:37 PM, Hughes, Doug <***@deshawresearch.com<mailto:***@deshawresearch.com>> wrote:
Yes, itâs working for me. Are you using the latest? (attached)
From: Rancid-discuss [mailto:rancid-discuss-***@shrubbery.net<mailto:rancid-discuss-***@shrubbery.net>] On Behalf Of Chip Pleasants
Sent: Monday, June 16, 2014 2:01 PM
To: rancid-***@shrubbery.net<mailto:rancid-***@shrubbery.net>
Subject: [rancid] Panrancid with PAN 6.0
Does anyone have Panrancid working with PAN version 6.0.2? I have four sets running PAN version 5.0.11 without an issues. Once I upgraded one set the script times out. Below is a debug. Let me know if you have any questions.
Cheers,
Chip
[***@cmh1vlobs01 rancid]$ /usr/libexec/rancid/panrancid -d cmh1-z4-f01.domain.com<http://cmh1-z4-f01.domain.com>
executing panlogin -t 90 -c"set cli scripting-mode on;set cli pager off;show system info;show config running" cmh1-z4-f01.domain.com<http://cmh1-z4-f01.domain.com>
line: cmh1-z4-f01.domain.com<http://cmh1-z4-f01.domain.com>
line: spawn ssh -c 3des -x -l rancid cmh1-z4-f01.domain.com<http://cmh1-z4-f01.domain.com>
line: NOTICE TO USERS
line: This is an official computer system and is the property of POOP Incorporated.
line: It is for authorized users only. Unauthorized users are prohibited.
line: Users (authorized or unauthorized) have no explicit or implicit expectation of
line: privacy. Any or all uses of this system may be subject to one or more of the
line: following actions: interception, monitoring, recording, auditing, inspection and
line: disclosing to security personnel and law enforcement personnel, as well as
line: authorized officials of other agencies, both domestic and foreign. By using this
line: system, the user consents to these actions. Unauthorized or improper use of
line: this system may result in administrative disciplinary action and civil and criminal
line: penalties. By accessing this system you indicate your awareness of and
line: consent to these terms and conditions of use. Discontinue access immediately
line: if you do not agree to the conditions stated in this notice.
line:
line: Password:
line: Last login: Mon Jun 16 08:00:00 2014 from cmh1vlobs01.domain.com<http://cmh1vlobs01.domain.com>
line: Welcome rancid.
line:
line: ***@CMH1-Z4-F01(active)>
line: ***@CMH1-Z4-F01(active)>
line: ***@CMH1-Z4-F01(active)> set ***@CMH1-Z4-F01(active)> set cli ***@CMH1-Z4-F01(active)> set cli scripting-mode ***@CMH1-Z4-F01(active)> set cli scripting-mode on
PROMPT MATCH: ***@CMH1-Z4-F01\(active\)[#>]
HIT COMMAND:***@CMH1-Z4-F01(active)> set ***@CMH1-Z4-F01(active)> set cli ***@CMH1-Z4-F01(active)> set cli scripting-mode ***@CMH1-Z4-F01(active)> set cli scripting-mode on
COMMAND is: set cli scripting-mode on|EatCommand
HIT COMMAND:***@CMH1-Z4-F01(active)> set ***@CMH1-Z4-F01(active)> set cli ***@CMH1-Z4-F01(active)> set cli pager ***@CMH1-Z4-F01(active)> set cli pager off
COMMAND is: set cli pager off|EatCommand
HIT COMMAND:***@CMH1-Z4-F01(active)> show ***@CMH1-Z4-F01(active)> show system ***@CMH1-Z4-F01(active)> show system info
COMMAND is: show system info|ShowInfo
In ShowInfo:: ***@CMH1-Z4-F01(active)> show ***@CMH1-Z4-F01(active)> show system ***@CMH1-Z4-F01(active)> show system info
cmh1-z4-f01.domain.com<http://cmh1-z4-f01.domain.com> : missed cmd(s): show config running
cmh1-z4-f01.domain.com<http://cmh1-z4-f01.domain.com> : missed cmd(s): show config running
cmh1-z4-f01.domain.com<http://cmh1-z4-f01.domain.com> : End of run not found
cmh1-z4-f01.domain.com<http://cmh1-z4-f01.domain.com> : End of run not found