Discussion:
[rancid] Oddities with Cisco ASA
Jethro R Binks
2008-01-16 00:17:30 UTC
Despite reports on the list of people having no problems with Cisco ASAs,
I am having some problems. This is with code 7.1(2). Two problems are
described here, forgive the length of this.

My main issue at the moment is that rancid (2.3.1), does not check in the
new config into CVS because it does not believe that a clean run has
happened. I have run in debugging mode, and I can see the expected
content for both "show running-config" and "write term" in the .raw file.

I think my concern is with this line:

while (/#\s*($cmds_regexp)\s*$/) {

in the main part of the 'rancid' code (line 1625 for rancid.in 1.174)
which tries to match an executed command after the prompt symbol.
Unfortunately, for my ASA, in the raw output from clogin, I see the
following:

...
privilege clear level 3 mode configure command aaa-server
Cryptochecksum:14ed48d4686a8722efaf076dcd4d820c
: end
asa5500-cu#term
: Saved
:
ASA Version 7.1(2)
...

This is the end of "show running-config", and the start of "write term".
But see that only "term" is at the prompt, the rest has been swallowed
somewhere; rancid does not find a match for the command, and so it decides
that this is not a clean run.

Anyone else seen this behaviour?


Here is a related query. A little further on in 'rancid', there is this
code:

...
$rval = &{$commands{$cmd}};
delete($commands{$cmd});
if ($rval == -1) {
$clean_run = 0;
last TOP;
...

Should that really be 'last'? I am finding on my ASA that for some of the
subroutines executed for commands that are not appropriate for this
platform (many of the "dir" commands, "show env all", and so on) return
-1, and it bails out at this point and does not process output from later
commands.

When I change 'last' to 'next', it carries on processing output from
subsequent commands. Is the retval of -1 supposed to be a fatal 'cannot
continue' indicator? In which case, I have a problem with the frequent
occurrences of:

return(-1) if (/command authorization failed/i);

as the ASA seems to say this anyway even for subcommands that it doesn't
understand (see below for notes on privilege level of the user):

asa5500-cu# show rubbish
^
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed

I may of course be completely misunderstanding what is supposed to be
happening here, but this is the nearest explanation I have got after
several evenings of squinting - however I find it odd that no-one else has
noticed this.


Other information:

FreeBSD 6.1, SMP kernel, expect-5.44.1.4 from lang/expect-devel, I have
read http://www.freebsd.org/cgi/query-pr.cgi?pr=118452

Cisco Adaptive Security Appliance Software Version 7.1(2)
Device Manager Version 5.1(2)
Hardware: ASA5550, 3968 MB RAM, CPU Pentium 4 3000 MHz

The user on the ASA is privilege level 7, and I have set the following:

privilege cmd level 7 mode exec command dir
privilege cmd level 7 mode exec command write
privilege cmd level 7 mode exec command terminal
privilege show level 7 mode exec command running-config
privilege show level 7 mode exec command version
privilege show level 7 mode exec command bootvar
privilege show level 7 mode exec command vlan
privilege show level 7 mode exec command module

which seem to be sufficient. I don't get different results with a user of
priv level 15, for what it is worth.

Thanks for any comments,

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK
Lance
2008-01-16 01:53:32 UTC
Jethro,

I was running rancid on 7.1(2) at a previous job if I am not mistaken.
Nonetheless I have yet to find any issues with running rancid on the
ASAs. The extra commands can be run and a message is displayed but that
should not stop rancid from continuing.

You might want to check the most recent alpha to see if it includes the
same versions that you have and the same lines. Other than that it
sounds like you have a fix for your issue.

-lance
Jethro R Binks
2008-03-02 21:14:32 UTC
Post by Jethro R Binks
Despite reports on the list of people having no problems with Cisco ASAs,
I am having some problems. This with code 7.1(2). Two problems are
described here, forgive the length of this.
You may recall my message a while ago to this effect. I have recently
made another observation, for which I have no explanation, but offer it
merely as an additional data point.

I have been running rancid persistently against this particular ASA ever
since the above, and it persistently fails in the same way. However I
lately upgraded the 7.1(2) to 7.2(3), and immediately afterwards rancid
was able to connect for the first time since whenever and retrieve the
config. Hurrah! I thought, problem fixed. Unfortunately, it started to
fail again about 12 hours later, and that is the way it has remained since
:(.

FWIW, I am now running rancid.in 1.234 and clogin 1.79.

Jethro.


. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK
Jethro R Binks
2008-03-06 10:36:40 UTC
Post by Jethro R Binks
Post by Jethro R Binks
Despite reports on the list of people having no problems with Cisco ASAs,
I am having some problems. This with code 7.1(2). Two problems are
described here, forgive the length of this.
You may recall my message a while ago to this effect. I have recently
made another observation, for which I have no explanation, but offer it as
merely as an additional data point.
I have been running rancid persistently against this particular ASA ever
since the above, and it persistently fails in the same way. However I
lately upgraded the 7.1(2) to 7.2(3), and immediately afterwards rancid
was able to connect for the first time since whenever and retrieve the
config. Hurrah! I thought, problem fixed. Unfortunately, it started
to fail again about 12 hours later, and that is the way it has remained
since :(.
I have made a little more progress. Ultimately, the reason for the
failure now is because it thinks there are still commands to run.

rancid tries to run these two commands, treated as equivalent:

{'show running-config' => 'WriteTerm'},
{'write term' => 'WriteTerm'},

For some reason, at least with my ASA (see previous messages for detail),
rancid isn't able to pick out the output of the second command, but it can
process the output from the first, so it's not a problem; it sets
$found_end and the command is deleted from the commands list:

delete($commands{$cmd});

Then it tries to call WriteTerm for the second time, and it exits earlier
because $found_end is already set:

return(0) if ($found_end); # Only do this routine once

I think what is happening is that this time:

while (/#\s*($cmds_regexp)\s*$/) {

doesn't match, because it couldn't parse the output for the second
command, and so:

delete($commands{$cmd});

is never called, the command gets left in the command list, and rancid
exits with failure:

missed cmd(s): write term

I suppose the solution is that if WriteTerm has been called once
successfully, it removes all the commands that process that sub from the
command list. However I do not know if for some Cisco kit "show
running-config" and "write term" are intrinsically different in some way.

As a short term fix, I have commented out "write term" from the list of
commands to run, and rancid now works against my ASA.

Grateful for any thoughts on this interpretation.

Jethro.

rancid isn't able to see the output

In the case of the ASA, "show running-config" doesn't work (as a
not-level-15 priv user

In my case, it seems both work, but when the output
from the first is found, it notes that "show running-config" was
successful, and doesn't run the second:

Unfortunately, the command is still in the command list, and at the end of
the loop it assumes a command failed because it wasn't removed from the
command list.

I'm puzzled why others do not see this behaviour though ... I checked to
see if I'd made other modifications but other than debugging statements,
no.

I tried with rancid.in,v 1.174 2004/05/27, unmodified, and that did
exactly the same.

J.
Post by Jethro R Binks
FWIW, I am now running rancid.in 1.234 and clogin 1.79.
Jethro.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK
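The failure mode described in the first message (the prompt line reads `asa5500-cu#term` instead of `asa5500-cu#write term`, so the `#\s*($cmds_regexp)\s*$` match fails) and the explanation in the message above (WriteTerm runs once, the second command is never deleted, rancid reports `missed cmd(s): write term`) can be reproduced with a small model of rancid's main loop. The block below is an added example written for this thread; it is Python rather than rancid's own Perl, it is not rancid's code, and the session transcript in it is constructed from the excerpts quoted in the thread rather than captured from a device. The handler functions and the `on_error` switch (`last` versus `next`) are assumptions made to illustrate the two questions raised: what the swallowed command echo does to the command list, and what changing `last TOP` to `next` does when a sub returns -1.

```python
import re

# Constructed sample modelled on the excerpts in the thread (not a real capture):
# the device echoes only "term" after the prompt for "write term", and a command
# the user is not authorised for fails with "Command authorization failed".
RAW_SWALLOWED = """\
asa5500-cu#dir /all
ERROR: Command authorization failed
asa5500-cu#show running-config
: Saved
:
ASA Version 7.1(2)
privilege clear level 3 mode configure command aaa-server
Cryptochecksum:14ed48d4686a8722efaf076dcd4d820c
: end
asa5500-cu#term
: Saved
:
ASA Version 7.1(2)
: end
asa5500-cu#exit
"""

# The same session with the full command echoed, which is what the regex expects.
RAW_ECHOED = RAW_SWALLOWED.replace("asa5500-cu#term\n", "asa5500-cu#write term\n")

# A line that starts with "hostname#" begins the next command's output.
PROMPT_RE = re.compile(r"^[\w.-]+#")


def write_term(body, state):
    """Stand-in for rancid's WriteTerm (assumed behaviour, not rancid's code):
    runs only once, returns -1 on an authorization failure."""
    if state.get("found_end"):
        return 0                       # Only do this routine once
    if re.search(r"command authorization failed", body, re.I):
        return -1
    if ": end" in body.splitlines():   # end of the configuration reached
        state["found_end"] = True
    return 0


def generic(body, state):
    """Stand-in for the other per-command subs (dir, show env all, ...)."""
    return -1 if re.search(r"command authorization failed", body, re.I) else 0


HANDLERS = {
    "show running-config": write_term,   # both commands map to the same sub
    "write term": write_term,
    "dir /all": generic,
}


def run(raw, commands, on_error="last"):
    """Model of rancid's main loop. `commands` is the ordered list sent to the
    device; a line matching prompt + known command dispatches that command's
    sub on the output up to the next prompt. Returns (clean_run, missed,
    processed). on_error="last" stops at the first -1 like `last TOP`;
    on_error="next" keeps going like `next`."""
    pending = list(commands)
    cmds_regexp = "|".join(re.escape(c) for c in commands)
    cmd_re = re.compile(r"#\s*(" + cmds_regexp + r")\s*$")
    lines = raw.splitlines()
    state, processed, clean_run = {}, [], True
    i = 0
    while i < len(lines):
        m = cmd_re.search(lines[i])
        if not m:                      # e.g. "asa5500-cu#term": no match, skipped
            i += 1
            continue
        cmd = m.group(1)
        j = i + 1
        while j < len(lines) and not PROMPT_RE.match(lines[j]):
            j += 1
        body = "\n".join(lines[i + 1:j])
        i = j
        if cmd not in pending:         # simplification: ignore repeated echoes
            continue
        rval = HANDLERS[cmd](body, state)
        pending.remove(cmd)            # delete($commands{$cmd})
        processed.append(cmd)
        if rval == -1:
            clean_run = False
            if on_error == "last":     # last TOP: no further output is processed
                break
    if pending:                        # "missed cmd(s): ..." at the end of the run
        clean_run = False
    return clean_run, pending, processed


if __name__ == "__main__":
    print(run(RAW_SWALLOWED, ["show running-config", "write term"]))
    print(run(RAW_ECHOED, ["show running-config", "write term"]))
    print(run(RAW_SWALLOWED, ["show running-config"]))
    print(run(RAW_SWALLOWED, ["dir /all", "show running-config", "write term"], "last"))
    print(run(RAW_SWALLOWED, ["dir /all", "show running-config", "write term"], "next"))
```

With the swallowed echo, the run ends with `write term` still pending even though the configuration itself was captured in full; with the full echo, the second call to the sub returns 0 immediately and the command is removed, so the run is clean. Dropping `write term` from the command list (the short-term fix above) also gives a clean run. The last two calls show the `last`/`next` difference: with an unauthorised command first in the list, `last` leaves every later command unprocessed and therefore "missed", while `next` still collects the configuration but the run stays unclean because a sub returned -1.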
Jethro R Binks
2008-03-06 10:50:13 UTC
Post by Jethro R Binks
Grateful for any thoughts on this interpretation.
Jethro.
Excuse the babble after my message, it was from an earlier draft :)
Post by Jethro R Binks
rancid isn't able to see the output
...


. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK