Discussion:
[rancid] rancid with Cisco ASA 5520 in Multiple Context Mode
Carlo Finotti
2009-04-21 01:37:22 UTC
So I have been trying to use rancid with "clogin" to simply backups up
my firewall running in multiple context mode. When I run the command
below from a ubuntu command line it works with no issues but if I add
it to a bash script it breaks, any suggestions?

sudo /usr/lib/rancid/bin/clogin -f /home/user/.cloginrc-firewall -c
'terminal pager 0; changeto context test; sh run; changeto context
test1; changeto context test2; sh run; changeto context test3; exit'
10.2.2.1 > /home/user/backups/firewall-test.cfg

If anyone has any suggestions on creating a bash script with "clogin"
I would appreciate the feedback because I have been racking my brain
:-\ And I am by no means a linux guru so that is why I am struggling.
My goal is to back up (4) separate firewalls, (3) core switches and
(6) routers while making it as simple as possible.

Thanks,
Carlo
john heasley
2009-04-21 03:52:49 UTC
this is probably one of those boxes that gets confused by terminal types.
set TERM to something like vt100.
Carlo Finotti
2009-04-21 20:48:51 UTC
But is your ASA running in multiple context mode?  How do you get
around running sudo every time?
This is what ends up in my firewall.cfg file.  The clogin application
can ssh to the firewall but then it does not run any of the
pre-defined Cisco commands. ex (terminal pager 0; changeto context
firewall1; sh run; exit)
spawn ssh -c 3des -x -l rancid 10.2.2.1
Type help or '?' for a list of available commands.
firewall/admin> enable
Password: **********
firewall/admin#
is it possible your sudo is asking for a password? It'll save it the
first time you manually do it, but when ran from a script, it might
not.
#!/bin/sh
NOW=`date +%d%b%Y-%H%M`
~rancid/bin/clogin -f /var/lib/rancid/.cloginrc -c 'ping web 192.168.122.12 ; show int web ; show cpu usage ; show processes cpu-hog' 192.168.121.11 > /home/bwindle/jax-asa-failover/$NOW
--
deny ip any any (4393649193 matches)
Carlo
2009-04-23 00:29:23 UTC
I have no issues backing up our external perimeter firewalls. When you
log in to an ASA running in multiple context mode you log in to the
"admin" context; this context does not include the other context
configurations. So once you are logged into the "admin" context you run the
"change" or "changeto" commands to switch between the "virtual" firewalls.
Each firewall is separated and there is no global way of backing them up
without running the commands listed above.

The sad thing is I was able to back up everything with kiwi cat:\

log in with ssh

changeto firewall1
terminal pager 0
sh run

changeto firewall2
terminal pager 0
sh run

changeto firewall3
terminal pager 0
sh run
exit

-lo

-----Original Message-----
From: Peter Serwe [mailto:***@gmail.com]
Sent: Wednesday, April 22, 2009 1:38 PM
To: Carlo Finotti
Subject: Re: [rancid] Re: rancid with Cisco ASA 5520 in Multiple Context Mode
That sounds great! I will follow those steps listed below.
But I'm still having issues backing up my ASA running in multiple context
mode:\
-lo
There isn't a good answer to that. I don't use my ASAs that way.
What version of ASA software?

Do you attempt to log into each context automatically, or how do you
switch? Because the way I understand it, every context has a different
configuration, but there is a master context from which you can back up
the entire configuration. Is this incorrect?

Peter
--
ピーター
Bob Brunette
2009-04-23 13:32:24 UTC
I think the problem is that when you change to a different context the system prompt string changes. rancid depends on seeing the prompt string to know when it can send the next command. The solution is to log in to each context individually and back it up.

Sadly, there is no way to log in to the system execution space, and that's where the "master" config is that defines all of the contexts--you must get to it by issuing a "changeto system" command from the admin context. Of course this changes the system prompt string, so you have the same problem as trying to back up multiple contexts.

Bob

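Bob's point is that clogin waits for a prompt string, and "changeto" changes it mid-session. The following script is an added example, not code from the thread or from rancid: it applies the advice given above (one clogin session per context, TERM set to vt100, no sudo in the script) and, for each capture, checks that the running config actually arrived rather than just the enable prompt Carlo saw. Context names, management addresses, file paths and the .cloginrc entries are placeholders assumed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Each ASA context is backed up in
# its own clogin session (Bob's advice), so the prompt never changes while
# clogin is waiting for it. Addresses, context names, paths and the .cloginrc
# entries below are placeholders (assumptions), not values from the thread.
set -u
export TERM=vt100                       # john's suggestion: a terminal type the ASA handles
CLOGIN=/usr/lib/rancid/bin/clogin       # run as the rancid user, not under sudo, so no
CLOGINRC=/home/user/.cloginrc-firewall  # password prompt can hang the script (keep it 0600)
DEST=/home/user/backups
# One context per line: <name> <management address of that context> (placeholders)
CONTEXTS='admin 10.2.2.1
test  10.2.2.2
test1 10.2.2.3'

# A capture is good only if "show running-config" really ran: the ASA ends the
# config with a Cryptochecksum line followed by ": end". A file that stops at
# the enable prompt (the symptom Carlo posted) fails this check.
verify_capture() {                      # verify_capture <file> -> 0 good, 1 bad
    grep -q '^Cryptochecksum:' "$1" && grep -q '^: end' "$1"
}

# Log in to one context and keep the capture only if it verifies; a bad
# capture is renamed so a broken backup is noticed rather than mistaken for
# a good one.
backup_one() {                          # backup_one <name> <address>
    out="$DEST/$1-$(date +%d%b%Y-%H%M).cfg"
    "$CLOGIN" -f "$CLOGINRC" -c 'terminal pager 0; show running-config' "$2" > "$out" 2>&1
    if verify_capture "$out"; then
        echo "ok   $1 -> $out"
    else
        mv "$out" "$out.FAILED"
        echo "FAIL $1 -> $out.FAILED (no complete config captured)" >&2
        return 1
    fi
}

main() {                                # returns 1 if any context failed
    rc=0
    mkdir -p "$DEST"
    while read -r name addr; do
        [ -n "$name" ] && { backup_one "$name" "$addr" || rc=1; }
    done <<EOF
$CONTEXTS
EOF
    return $rc
}

# Touch the firewalls only when run as "sh backup.sh --run"; sourcing just defines the functions.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it from cron as the rancid user so the .cloginrc it reads is the one that user owns; a context that cannot be reached directly (no management address of its own) still needs a separate approach.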
Sam Stickland
2009-04-23 13:54:54 UTC
Post by Bob Brunette
Sadly, there is no way to log in to the system execution space, and that's where the "master" config is that defines all of the contexts--you must get to it by issuing a "changeto system" command from the admin context
Really? My system context just shows the context allocations, but not
the context config. Is there a magic command I'm missing?

Sam
Bob Brunette
2009-04-23 14:01:37 UTC
Sam, you're not missing any magic command.

The system context contains the physical interface configurations as well as the context configurations, which include the interface and resource allocations for each context. All of this is critical information if you need to rebuild a multi-context ASA configuration from scratch after a hardware failure, say.

Bob

Danielson, Graeme
2009-04-23 23:32:23 UTC
I think the context configs are stored in the flash: of system and from
memory are displayable with more(?). Remember though that they are the
startup configs not the running configs.
So if you are confident that all your contexts are saved then
potentially all necessary config info is available from system?

-- Graeme Danielson

Gary T. Giesen
2009-07-21 21:01:50 UTC
This might be a good application for the usercmd patch. If you search
through the archives you'll find it. Then treat each context as a
separate device, and use the admin context as the passthrough device.

GG