Discussion:
[rancid] Cisco ASA 5505 configs
Gene Lim
2013-07-12 04:15:04 UTC
Hi All



Would appreciate some advice on how I can troubleshoot this issue regarding
enable for a Cisco ASA 5505 device. Logs and configuration provided below.
Please advise.



==Version 1 without enable password==

/router.db

192.168.1.84:cisco:up



/.cloginrc

add method 192.168.1.84 ssh

add user 192.168.1.84 admin

add userpassword 192.168.1.84 {adminpwd}



$ bin/clogin 192.168.1.84

192.168.1.84

spawn ssh -c 3des -x -l admin 192.168.1.84

***@192.168.1.84's password:

Type help or '?' for a list of available commands.

CISCOASA5505> enable

Password: ********

Invalid password

Password: ********

Invalid password

Password: ********

Invalid password

Access denied.

Error: Check your Enable passwd

CISCOASA5505>

CISCOASA5505> exit

Logoff



/logs

Trying to get all of the configs.

192.168.1.84 clogin error: Error: Check your Enable passwd

192.168.1.84: missed cmd(s): dir /all slavedisk2:,show rsp chassis-info,show
capture,dir /all sec-slot2:,show diag,dir /all disk1:,show gsr chassis,dir
/all sec-nvram:,show diag chassis-info,dir /all disk2:,show running-config
view full,dir /all sec-bootflash:,show spe version,dir /all slaveslot2:,dir
/all disk0:,show install active,show bootvar,dir /all slaveslot0:,dir /all
sec-slot1:,dir /all harddiska:,dir /all slavenvram:,show flash,dir /all
sec-disk2:,dir /all slavesup-bootflash:,dir /all sec-disk0:,dir /all
harddiskb:,show variables boot,show boot,show inventory raw,dir /all
slavedisk1:,show env all,show module,show shun,show controllers,show
diagbus,more system:running-config,dir /all slavedisk0:,show debug,show
idprom backplane,dir /all bootflash:,dir /all sup-bootdisk:,dir /all
sec-slot0:,dir /all sec-disk1:,write term,show vtp status,dir /all
sup-bootflash:,dir /all slot2:,dir /all harddisk:,dir /all slot0:,dir /all
sup-microcode:,show vlan,dir /all slavebootflash:,show controllers cbus,dir
/all slaveslot1:,dir /all nvram:,show version,show vlan-switch,show
redundancy secondary,show running-config,show c7200,dir /all slot1:

192.168.1.84: End of run not found

!



==Version 2 with enable password==

/router.db

192.168.1.84:cisco:up



/.cloginrc

add method 192.168.1.84 ssh

add user 192.168.1.84 admin

add password 192.168.1.84 {adminpwd} {***@pwd}



$ bin/clogin 192.168.1.84

192.168.1.84

spawn ssh -c 3des -x -l admin 192.168.1.84

***@192.168.1.84 's password:

Permission denied, please try again.

***@192.168.1.84 's password:

Error: Check your passwd for 192.168.1.84



/logs

192.168.1.84 clogin error: Error: Check your passwd for 192.168.1.84

192.168.1.84: missed cmd(s): dir /all slavedisk2:,show rsp chassis-info,show
capture,dir /all sec-slot2:,show diag,dir /all disk1:,show gsr chassis,dir
/all sec-nvram:,show diag chassis-info,dir /all disk2:,show running-config
view full,dir /all sec-bootflash:,show spe version,dir /all slaveslot2:,dir
/all disk0:,show install active,show bootvar,dir /all slaveslot0:,dir /all
sec-slot1:,dir /all harddiska:,dir /all slavenvram:,show flash,dir /all
sec-disk2:,dir /all slavesup-bootflash:,dir /all sec-disk0:,dir /all
harddiskb:,show variables boot,show boot,show inventory raw,dir /all
slavedisk1:,show env all,show module,show shun,show controllers,show
diagbus,more system:running-config,dir /all slavedisk0:,show debug,show
idprom backplane,dir /all bootflash:,dir /all sup-bootdisk:,dir /all
sec-slot0:,dir /all sec-disk1:,write term,show vtp status,dir /all
sup-bootflash:,dir /all slot2:,dir /all harddisk:,dir /all slot0:,dir /all
sup-microcode:,show vlan,dir /all slavebootflash:,show controllers cbus,dir
/all slaveslot1:,dir /all nvram:,show version,show vlan-switch,show
redundancy secondary,show running-config,show c7200,dir /all slot1:

192.168.1.84: End of run not found

!



Thank You



Warmest Regards,

Gene Lim
Chris Moody
2013-07-12 17:54:43 UTC
Gene,

perhaps I'm reading too much into your post as most people obfuscate
their actual passwords when posting to a mailing-list, but I have to ask.

Your enable password, does it actually have an '@' in it? Reason I ask
is that "special characters" such as this need escaped when software
reads these kinds of values.

Please set your enable pass to something without an '@' or other
punctuation in it and see if you're able to get RANCID working. Once you
can confirm RANCID is operating ok, then we can go about setting your
credentials to more complex values and escaping any strange characters
appropriately.

Cheers,
-Chris
Post by Gene Lim
Hi All
Would appreciate some advice on how I can troubleshoot this issue
regarding enable for a Cisco ASA 5505 device. Logs and configuration
provided below. Please advise.
==Version 1 without enable password==
/router.db
192.168.1.84:cisco:up
/.cloginrc
add method 192.168.1.84 ssh
add user 192.168.1.84 admin
add userpassword 192.168.1.84 {adminpwd}
$ bin/clogin 192.168.1.84
192.168.1.84
spawn ssh -c 3des -x -l admin 192.168.1.84
Type help or '?' for a list of available commands.
CISCOASA5505> enable
Password: ********
Invalid password
Password: ********
Invalid password
Password: ********
Invalid password
Access denied.
Error: Check your Enable passwd
CISCOASA5505>
CISCOASA5505> exit
Logoff
/logs
Trying to get all of the configs.
192.168.1.84 clogin error: Error: Check your Enable passwd
192.168.1.84: missed cmd(s): dir /all slavedisk2:,show rsp
chassis-info,show capture,dir /all sec-slot2:,show diag,dir /all
disk1:,show gsr chassis,dir /all sec-nvram:,show diag chassis-info,dir
/all disk2:,show running-config view full,dir /all sec-bootflash:,show
spe version,dir /all slaveslot2:,dir /all disk0:,show install
active,show bootvar,dir /all slaveslot0:,dir /all sec-slot1:,dir /all
harddiska:,dir /all slavenvram:,show flash,dir /all sec-disk2:,dir
/all slavesup-bootflash:,dir /all sec-disk0:,dir /all harddiskb:,show
variables boot,show boot,show inventory raw,dir /all slavedisk1:,show
env all,show module,show shun,show controllers,show diagbus,more
system:running-config,dir /all slavedisk0:,show debug,show idprom
backplane,dir /all bootflash:,dir /all sup-bootdisk:,dir /all
sec-slot0:,dir /all sec-disk1:,write term,show vtp status,dir /all
sup-bootflash:,dir /all slot2:,dir /all harddisk:,dir /all slot0:,dir
/all sup-microcode:,show vlan,dir /all slavebootflash:,show
controllers cbus,dir /all slaveslot1:,dir /all nvram:,show
version,show vlan-switch,show redundancy secondary,show
192.168.1.84: End of run not found
!
==Version 2 with enable password==
/router.db
192.168.1.84:cisco:up
/.cloginrc
add method 192.168.1.84 ssh
add user 192.168.1.84 admin
$ bin/clogin 192.168.1.84
192.168.1.84
spawn ssh -c 3des -x -l admin 192.168.1.84
Permission denied, please try again.
Error: Check your passwd for 192.168.1.84
/logs
192.168.1.84 clogin error: Error: Check your passwd for 192.168.1.84
192.168.1.84: missed cmd(s): dir /all slavedisk2:,show rsp
chassis-info,show capture,dir /all sec-slot2:,show diag,dir /all
disk1:,show gsr chassis,dir /all sec-nvram:,show diag chassis-info,dir
/all disk2:,show running-config view full,dir /all sec-bootflash:,show
spe version,dir /all slaveslot2:,dir /all disk0:,show install
active,show bootvar,dir /all slaveslot0:,dir /all sec-slot1:,dir /all
harddiska:,dir /all slavenvram:,show flash,dir /all sec-disk2:,dir
/all slavesup-bootflash:,dir /all sec-disk0:,dir /all harddiskb:,show
variables boot,show boot,show inventory raw,dir /all slavedisk1:,show
env all,show module,show shun,show controllers,show diagbus,more
system:running-config,dir /all slavedisk0:,show debug,show idprom
backplane,dir /all bootflash:,dir /all sup-bootdisk:,dir /all
sec-slot0:,dir /all sec-disk1:,write term,show vtp status,dir /all
sup-bootflash:,dir /all slot2:,dir /all harddisk:,dir /all slot0:,dir
/all sup-microcode:,show vlan,dir /all slavebootflash:,show
controllers cbus,dir /all slaveslot1:,dir /all nvram:,show
version,show vlan-switch,show redundancy secondary,show
192.168.1.84: End of run not found
!
Thank You
Warmest Regards,
Gene Lim
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
Gene Lim
2013-07-15 10:15:26 UTC
Dear Chris



Thank you for the information. Yes, you are right, my enable password has the
special character @ in it. However, from further testing using changed
credentials below, I am still receiving the same login issue. Please advise.



==Version 2 with enable password==

/router.db

192.168.1.84:cisco:up



/.cloginrc

add method 192.168.1.84 ssh

add user 192.168.1.84 admin

add password 192.168.1.84 {adminpwd} {enablepwd}



$ bin/clogin 192.168.1.84

192.168.1.84

spawn ssh -c 3des -x -l admin 192.168.1.84

***@192.168.1.84 's password:

Permission denied, please try again.

***@192.168.1.84 's password:

Error: Check your passwd for 192.168.1.84



Thank You

Warmest Regards,

Gene Lim
Gene Lim
2013-07-18 07:48:52 UTC
Dear Heasley

Thank you for advising. Tried using the -d option with below logs. Could you
advise further on how I may troubleshoot this? Please assist.

/.cloginrc
add method 192.168.1.84 ssh
add user 192.168.1.84 admin
add password 192.168.1.84 {adminpwd} {enablepwd}

bin/clogin -d 192.168.1.84
192.168.1.84
spawn ssh -c 3des -x -l admin 192.168.1.84
parent: waiting for sync byte
parent: telling child to go ahead
parent: now unsynchronized from child
spawn: returns {3229}
Gate keeper glob pattern for '^<-+ More -+>[^
]*' is '<* More *>*'. Activating booster.
Gate keeper glob pattern for '(Connection refused|Secure connection [^
]+ refused)' is ''. Not usable, disabling the performance booster.
Gate keeper glob pattern for '(Connection closed by|Connection to [^
]+ closed)' is ''. Not usable, disabling the performance booster.
Gate keeper glob pattern for '(Host key not found |The authenticity of host
.* be established).* \(yes/no\)\?' is ''. Not usable, disabling the
performance booster.
Gate keeper glob pattern for 'HOST IDENTIFICATION HAS CHANGED.*
\(yes/no\)\?' is 'HOST IDENTIFICATION HAS CHANGED* (yes/no)\?'. Activating
booster.
Gate keeper glob pattern for 'HOST IDENTIFICATION HAS CHANGED[^
]+' is 'HOST IDENTIFICATION HAS CHANGED*'. Activating booster.
Gate keeper glob pattern for 'Offending key for .* \(yes/no\)\?' is
'Offending key for * (yes/no)\?'. Activating booster.
Gate keeper glob pattern for '(denied|Sorry)' is ''. Not usable, disabling
the performance booster.
Gate keeper glob pattern for '% (Bad passwords|Authentication failed)' is
''. Not usable, disabling the performance booster.
Gate keeper glob pattern for 'Enter Selection: ' is 'Enter Selection: '.
Activating booster.
Gate keeper glob pattern for 'Last login:' is 'Last login:'. Activating
booster.
Gate keeper glob pattern for '@[^
]+ ([Pp]assword|passwd|Enter password for [^ :]+):' is ''. Not usable,
disabling the performance booster.
Gate keeper glob pattern for 'Enter passphrase.*: ' is 'Enter passphrase*:
'. Activating booster.
Gate keeper glob pattern for '(Username|Login|login|user name|User):' is ''.
Not usable, disabling the performance booster.
Gate keeper glob pattern for '([Pp]assword|passwd|Enter password for [^
:]+):' is ''. Not usable, disabling the performance booster.
Gate keeper glob pattern for '(>|#| \(enable\))' is ''. Not usable,
disabling the performance booster.

expect: does "" (spawn_id exp4) match regular expression "^<-+ More
-+>[^\n\r]*"? Gate "<* More *>*"? gate=no
"(Connection refused|Secure connection [^\n\r]+ refused)"? (No Gate, RE
only) gate=yes re=no
"(Connection closed by|Connection to [^\n\r]+ closed)"? (No Gate, RE only)
gate=yes re=no

expect: does "" (spawn_id exp4) match glob pattern "unknown host\r"? no

expect: does "" (spawn_id exp4) match glob pattern "Host is unreachable"? no
"No address associated with name"? no
"(Host key not found |The authenticity of host .* be established).*
\(yes/no\)\?"? (No Gate, RE only) gate=yes re=no
"HOST IDENTIFICATION HAS CHANGED.* \(yes/no\)\?"? Gate "HOST IDENTIFICATION
HAS CHANGED* (yes/no)\?"? gate=no
"HOST IDENTIFICATION HAS CHANGED[^\n\r]+"? Gate "HOST IDENTIFICATION HAS
CHANGED*"? gate=no
"Offending key for .* \(yes/no\)\?"? Gate "Offending key for * (yes/no)\?"?
gate=no
"(denied|Sorry)"? (No Gate, RE only) gate=yes re=no
"Login failed"? no
"% (Bad passwords|Authentication failed)"? (No Gate, RE only) gate=yes re=no
"Press any key to continue"? no
"Enter Selection: "? Gate "Enter Selection: "? gate=no
"Last login:"? Gate "Last login:"? gate=no
"@[^\r\n]+ ([Pp]assword|passwd|Enter password for [^ :]+):"? (No Gate, RE
only) gate=yes re=no
"Enter passphrase.*: "? Gate "Enter passphrase*: "? gate=no
"(Username|Login|login|user name|User):"? (No Gate, RE only) gate=yes re=no
"([Pp]assword|passwd|Enter password for [^ :]+):"? (No Gate, RE only)
gate=yes re=no
"(>|#| \(enable\))"? (No Gate, RE only) gate=yes re=no
"Login invalid"? no
***@192.168.1.84's password:
expect: does "***@192.168.1.84's password: " (spawn_id exp4) match regular
expression "^<-+ More -+>[^\n\r]*"? Gate "<* More *>*"? gate=no
"(Connection refused|Secure connection [^\n\r]+ refused)"? (No Gate, RE
only) gate=yes re=no
"(Connection closed by|Connection to [^\n\r]+ closed)"? (No Gate, RE only)
gate=yes re=no

expect: does "***@192.168.1.84's password: " (spawn_id exp4) match glob
pattern "unknown host\r"? no

expect: does "***@192.168.1.84's password: " (spawn_id exp4) match glob
pattern "Host is unreachable"? no
"No address associated with name"? no
"(Host key not found |The authenticity of host .* be established).*
\(yes/no\)\?"? (No Gate, RE only) gate=yes re=no
"HOST IDENTIFICATION HAS CHANGED.* \(yes/no\)\?"? Gate "HOST IDENTIFICATION
HAS CHANGED* (yes/no)\?"? gate=no
"HOST IDENTIFICATION HAS CHANGED[^\n\r]+"? Gate "HOST IDENTIFICATION HAS
CHANGED*"? gate=no
"Offending key for .* \(yes/no\)\?"? Gate "Offending key for * (yes/no)\?"?
gate=no
"(denied|Sorry)"? (No Gate, RE only) gate=yes re=no
"Login failed"? no
"% (Bad passwords|Authentication failed)"? (No Gate, RE only) gate=yes re=no
"Press any key to continue"? no
"Enter Selection: "? Gate "Enter Selection: "? gate=no
"Last login:"? Gate "Last login:"? gate=no
"@[^\r\n]+ ([Pp]assword|passwd|Enter password for [^ :]+):"? (No Gate, RE
only) gate=yes re=yes
expect: set expect_out(0,string) "@192.168.1.84's password:"
expect: set expect_out(1,string) "password"
expect: set expect_out(spawn_id) "exp4"
expect: set expect_out(buffer) "***@192.168.1.84's password:"
send: sending "clearance\r" to { exp4 }
expect: continuing expect

expect: does " " (spawn_id exp4) match regular expression "^<-+ More
-+>[^\n\r]*"? Gate "<* More *>*"? gate=no
"(Connection refused|Secure connection [^\n\r]+ refused)"? (No Gate, RE
only) gate=yes re=no
"(Connection closed by|Connection to [^\n\r]+ closed)"? (No Gate, RE only)
gate=yes re=no

expect: does " " (spawn_id exp4) match glob pattern "unknown host\r"? no

expect: does " " (spawn_id exp4) match glob pattern "Host is unreachable"?
no
"No address associated with name"? no
"(Host key not found |The authenticity of host .* be established).*
\(yes/no\)\?"? (No Gate, RE only) gate=yes re=no
"HOST IDENTIFICATION HAS CHANGED.* \(yes/no\)\?"? Gate "HOST IDENTIFICATION
HAS CHANGED* (yes/no)\?"? gate=no
"HOST IDENTIFICATION HAS CHANGED[^\n\r]+"? Gate "HOST IDENTIFICATION HAS
CHANGED*"? gate=no
"Offending key for .* \(yes/no\)\?"? Gate "Offending key for * (yes/no)\?"?
gate=no
"(denied|Sorry)"? (No Gate, RE only) gate=yes re=no
"Login failed"? no
"% (Bad passwords|Authentication failed)"? (No Gate, RE only) gate=yes re=no
"Press any key to continue"? no
"Enter Selection: "? Gate "Enter Selection: "? gate=no
"Last login:"? Gate "Last login:"? gate=no
"@[^\r\n]+ ([Pp]assword|passwd|Enter password for [^ :]+):"? (No Gate, RE
only) gate=yes re=no
"Enter passphrase.*: "? Gate "Enter passphrase*: "? gate=no
"(Username|Login|login|user name|User):"? (No Gate, RE only) gate=yes re=no
"([Pp]assword|passwd|Enter password for [^ :]+):"? (No Gate, RE only)
gate=yes re=no
"(>|#| \(enable\))"? (No Gate, RE only) gate=yes re=no
"Login invalid"? no


expect: does " \r\n" (spawn_id exp4) match regular expression "^<-+ More
-+>[^\n\r]*"? Gate "<* More *>*"? gate=no
"(Connection refused|Secure connection [^\n\r]+ refused)"? (No Gate, RE
only) gate=yes re=no
"(Connection closed by|Connection to [^\n\r]+ closed)"? (No Gate, RE only)
gate=yes re=no

expect: does " \r\n" (spawn_id exp4) match glob pattern "unknown host\r"? no

expect: does " \r\n" (spawn_id exp4) match glob pattern "Host is
unreachable"? no
"No address associated with name"? no
"(Host key not found |The authenticity of host .* be established).*
\(yes/no\)\?"? (No Gate, RE only) gate=yes re=no
"HOST IDENTIFICATION HAS CHANGED.* \(yes/no\)\?"? Gate "HOST IDENTIFICATION
HAS CHANGED* (yes/no)\?"? gate=no
"HOST IDENTIFICATION HAS CHANGED[^\n\r]+"? Gate "HOST IDENTIFICATION HAS
CHANGED*"? gate=no
"Offending key for .* \(yes/no\)\?"? Gate "Offending key for * (yes/no)\?"?
gate=no
"(denied|Sorry)"? (No Gate, RE only) gate=yes re=no
"Login failed"? no
"% (Bad passwords|Authentication failed)"? (No Gate, RE only) gate=yes re=no
"Press any key to continue"? no
"Enter Selection: "? Gate "Enter Selection: "? gate=no
"Last login:"? Gate "Last login:"? gate=no
"@[^\r\n]+ ([Pp]assword|passwd|Enter password for [^ :]+):"? (No Gate, RE
only) gate=yes re=no
"Enter passphrase.*: "? Gate "Enter passphrase*: "? gate=no
"(Username|Login|login|user name|User):"? (No Gate, RE only) gate=yes re=no
"([Pp]assword|passwd|Enter password for [^ :]+):"? (No Gate, RE only)
gate=yes re=no
"(>|#| \(enable\))"? (No Gate, RE only) gate=yes re=no
"Login invalid"? no
Permission denied, please try again.
***@192.168.1.84's password:
expect: does " \r\nPermission denied, please try
again.\r\r\***@192.168.1.84's password: " (spawn_id exp4) match regular
expression "^<-+ More -+>[^\n\r]*"? Gate "<* More *>*"? gate=no
"(Connection refused|Secure connection [^\n\r]+ refused)"? (No Gate, RE
only) gate=yes re=no
"(Connection closed by|Connection to [^\n\r]+ closed)"? (No Gate, RE only)
gate=yes re=no

expect: does " \r\nPermission denied, please try
again.\r\r\***@192.168.1.84's password: " (spawn_id exp4) match glob
pattern "unknown host\r"? no

expect: does " \r\nPermission denied, please try
again.\r\r\***@192.168.1.84's password: " (spawn_id exp4) match glob
pattern "Host is unreachable"? no
"No address associated with name"? no
"(Host key not found |The authenticity of host .* be established).*
\(yes/no\)\?"? (No Gate, RE only) gate=yes re=no
"HOST IDENTIFICATION HAS CHANGED.* \(yes/no\)\?"? Gate "HOST IDENTIFICATION
HAS CHANGED* (yes/no)\?"? gate=no
"HOST IDENTIFICATION HAS CHANGED[^\n\r]+"? Gate "HOST IDENTIFICATION HAS
CHANGED*"? gate=no
"Offending key for .* \(yes/no\)\?"? Gate "Offending key for * (yes/no)\?"?
gate=no
"(denied|Sorry)"? (No Gate, RE only) gate=yes re=yes
expect: set expect_out(0,string) "denied"
expect: set expect_out(1,string) "denied"
expect: set expect_out(spawn_id) "exp4"
expect: set expect_out(buffer) " \r\nPermission denied"

Error: Check your passwd for 192.168.1.84




Thank You

Warmest Regards,
Gene Lim

-----Original Message-----
From: heasley
Sent: Tuesday, 16 July, 2013 3:46 AM
To: Gene Lim
Subject: Re: [rancid] Cisco ASA 5505 configs
Post by Gene Lim
Dear Chris
Thank you for the information. Yes you are right my enable password
changed credentials below I am still receiving the same login issue.
Please advise.

well, it would appear that adminpwd is now not being interpreted correctly.
clogin -d will show you the transcript with the password that's being sent.
Post by Gene Lim
==Version 2 with enable password==
/router.db
192.168.1.84:cisco:up
/.cloginrc
add method 192.168.1.84 ssh
add user 192.168.1.84 admin
add password 192.168.1.84 {adminpwd} {enablepwd}
$ bin/clogin 192.168.1.84
192.168.1.84
spawn ssh -c 3des -x -l admin 192.168.1.84
Permission denied, please try again.
Error: Check your passwd for 192.168.1.84
Thank You
Warmest Regards,
Gene Lim
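An added example, not part of the thread and not RANCID code: `clogin -d` prints the literal password it sends, so a transcript should be masked before it is shared. This sketch masks each `send: sending "..."` payload and reports which prompt triggered it and what expect matched next. The sample transcript, its address and its password are constructed.

```python
import re

# Constructed sample in the format of the `clogin -d` output quoted in this thread.
SAMPLE = r'''expect: set expect_out(0,string) "@192.0.2.10's password:"
expect: set expect_out(1,string) "password"
expect: set expect_out(spawn_id) "exp4"
send: sending "s3cr3t-example\r" to { exp4 }
expect: continuing expect
expect: set expect_out(0,string) "denied"
expect: set expect_out(buffer) " \r\nPermission denied"
Error: Check your passwd for 192.0.2.10
'''

# Lines expect prints when a pattern matches, and when clogin sends text.
MATCH_RE = re.compile(r'^expect: set expect_out\(0,string\) "(.*)"\s*$')
SEND_RE = re.compile(r'^(send: sending ")(.*)(" to \{ \S+ \})\s*$')
# Splits a payload into its body and the trailing \r / \n escapes.
PAYLOAD_RE = re.compile(r'^(.*?)((?:\\[rn])*)$')


def analyse(transcript):
    """Return (redacted_text, events) for a clogin -d transcript.

    events holds one dict per send: the prompt that triggered it, the
    number of characters sent, and the next pattern expect matched.
    """
    out, events, last_match = [], [], None
    for line in transcript.splitlines():
        matched = MATCH_RE.match(line)
        if matched:
            # The first match after a send is the device's reaction to it.
            if events and events[-1]["next_match"] is None:
                events[-1]["next_match"] = matched.group(1)
            last_match = matched.group(1)
        sent = SEND_RE.match(line)
        if sent:
            body, eol = PAYLOAD_RE.match(sent.group(2)).groups()
            events.append({"prompt": last_match,
                           "sent_len": len(body),
                           "next_match": None})
            # Keep the length and line ending, drop the secret itself.
            masked = "<redacted:%d chars>%s" % (len(body), eol)
            line = sent.group(1) + masked + sent.group(3)
        out.append(line)
    return "\n".join(out) + "\n", events


if __name__ == "__main__":
    redacted, events = analyse(SAMPLE)
    print(redacted)
    for e in events:
        print(e)
```

Comparing `sent_len` with the length of the password configured in `.cloginrc` shows whether the value was altered on the way out, without exposing it.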