From Tony.Russell at wcg.com Fri Nov 8 20:26:29 2002
From: Tony.Russell at wcg.com (Russell, Tony)
Date: Fri, 8 Nov 2002 14:26:29 -0600
Subject: Firewall lock file
Message-ID: <4B22DB69FF9C6740816631DE6E85DF09FB3E82@EXCHANGE02.ad.wcg.com>

I am constantly receiving the following in e-mail from rancid.

Old lockfile still exists:
-rw-r----- 1 rancid rancid 0 Nov 8 10:01 /tmp/.firewalls.run.lock

I can go in and delete the file but it eventually comes back within a few hours. Can anyone tell me what is going on here so that I can fix it.

Tony Russell

From heas at shrubbery.net Fri Nov 8 20:45:53 2002
From: heas at shrubbery.net (john heasley)
Date: Fri, 8 Nov 2002 12:45:53 -0800
Subject: Firewall lock file
In-Reply-To: <4B22DB69FF9C6740816631DE6E85DF09FB3E82@EXCHANGE02.ad.wcg.com>; from Tony.Russell@wcg.com on Fri, Nov 08, 2002 at 02:26:29PM -0600
References: <4B22DB69FF9C6740816631DE6E85DF09FB3E82@EXCHANGE02.ad.wcg.com>
Message-ID: <20021108124553.I11423@shrubbery.net>

Fri, Nov 08, 2002 at 02:26:29PM -0600, Russell, Tony:
> I am constantly receiving the following in e-mail from rancid.
>
> Old lockfile still exists:
> -rw-r----- 1 rancid rancid 0 Nov 8 10:01 /tmp/.firewalls.run.lock
>
> I can go in and delete the file but it eventually comes back within a few hours. Can anyone tell me what is going on here so that I can fix it.
>
> Tony Russell

if the file is there, i expect that something is stuck. please look for
stuck rancid processes (eg: telnet, ssh, expect).

From rbrewer at lava.net Wed Nov 13 19:23:35 2002
From: rbrewer at lava.net (Robert Brewer)
Date: Wed, 13 Nov 2002 09:23:35 -1000
Subject: RANCID indiscretion
Message-ID: <4997596.1037179415@habanero.lava.net>

I've noticed that for our Juniper M5s, RANCID insists on including
encrypted passwords in email diffs. I know that for some config fields on
some devices, RANCID knows to censor the email, but that doesn't seem to
happen for JUNOS:

retrieving revision 1.186 diff -u -4 -r1.186 foo.lava.net
@@ -216,9 +216,9 @@ full-name Joey; uid 150; class wheel; authentication { - encrypted-password "$1$ebscb3$snwiqn32HF3k8ncZpqlAknY."; + encrypted-password "$1$9skeNalaQpd3$nbs$kyegnSnaRGnzl/"; } } user jim { full-name "Jim Stevens";

Is this something that can be easily fixed? Mahalo.

From afort at choqolat.org Wed Nov 13 21:10:56 2002
From: afort at choqolat.org (Andrew Fort)
Date: Thu, 14 Nov 2002 08:10:56 +1100
Subject: RANCID indiscretion
In-Reply-To: <4997596.1037179415@habanero.lava.net>
Message-ID: <000101c28b59$2c11a7e0$6401a8c0@milk>

Robert Brewer wrote,
> I've noticed that for our Juniper M5s, RANCID insists on including
> encrypted passwords in email diffs. I know that for some
> config fields on
> some devices, RANCID knows to censor the email, but that
> doesn't seem to
> happen for JUNOS:
>
> Is this something that can be easily fixed? Mahalo.
>

Setting FILTER_PWDS to "ALL" in ./bin/env will do this.

-afort

From heas at shrubbery.net Wed Nov 13 23:47:47 2002
From: heas at shrubbery.net (john heasley)
Date: Wed, 13 Nov 2002 23:47:47 +0000
Subject: RANCID indiscretion
In-Reply-To: <000101c28b59$2c11a7e0$6401a8c0@milk>; from afort@choqolat.org on Thu, Nov 14, 2002 at 08:10:56AM +1100
References: <4997596.1037179415@habanero.lava.net> <000101c28b59$2c11a7e0$6401a8c0@milk>
Message-ID: <20021113234747.D7797@shrubbery.net>

Thu, Nov 14, 2002 at 08:10:56AM +1100, Andrew Fort:
> Robert Brewer wrote,
>
> > I've noticed that for our Juniper M5s, RANCID insists on including
> > encrypted passwords in email diffs. I know that for some
> > config fields on
> > some devices, RANCID knows to censor the email, but that
> > doesn't seem to
> > happen for JUNOS:
> >
> > Is this something that can be easily fixed? Mahalo.
> >
>
> Setting FILTER_PWDS to "ALL" in ./bin/env will do this.
>
> -afort

true. the passwords that were in the original email were md5; not very
easily reversible and hence included.

From jlewis at lewis.org Thu Nov 14 05:44:49 2002
From: jlewis at lewis.org (jlewis at lewis.org)
Date: Thu, 14 Nov 2002 00:44:49 -0500 (EST)
Subject: parts of config missing, then back
Message-ID:

I've noticed an occasional bug, where for some reason rancid will lose
large parts of a config (seems to only happen on Cisco AS5200's so far).
Eventually, the missing config (or parts of it) comes back. i.e.

In the past couple of runs for one particular 5248, first 70 lines of
config vanish (everything in interface Ethernet0 other than the interface
name, most of interface Virtual-Template1, and the entire sections for
interfaces serial0, serial1, serial0:23, and serial1:23). Some number of
runs later, the serial interfaces return, but the missing config data from
Ethernet0 and Virtual-Template1 are still gone. I'm running do-diffs
hourly, so somehow the same incomplete config is downloaded multiple times
before returning to normal.

Anyone seen this before?

Revision 1.4 / (download) - annotate - [select for diffs], Thu Nov 14
05:15:36 2002 UTC (16 minutes, 31 seconds ago) by rancid
Branch: MAIN
CVS Tags: HEAD
Changes since 1.3: +42 -0 lines
Diff to previous 1.3 (colored)

Revision 1.3 / (download) - annotate - [select for diffs], Thu Nov 14
02:16:12 2002 UTC (3 hours, 15 minutes ago) by rancid
Branch: MAIN
Changes since 1.2: +0 -70 lines
Diff to previous 1.2 (colored)

----------------------------------------------------------------------
 Jon Lewis *jlewis at lewis.org*| I route
 System Administrator | therefore you are
 Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From heas at shrubbery.net Thu Nov 14 05:53:42 2002
From: heas at shrubbery.net (john heasley)
Date: Thu, 14 Nov 2002 05:53:42 +0000
Subject: parts of config missing, then back
In-Reply-To: ; from jlewis@lewis.org on Thu, Nov 14, 2002 at 12:44:49AM -0500
References:
Message-ID: <20021114055342.B9736@shrubbery.net>

i've seen boxes that omit their configs at random. usually related
to memory shortage.

if you can't get it to do it manually, i'd suggest setting NOPIPE=YES in
bin/env and add a cronjob that copies the 5200_hostname.raw file to a
separate_dir/5200_hostname.raw.time. so you can verify that it's not (or
is) rancid or the box. and you can prove it to cisco :)

Thu, Nov 14, 2002 at 12:44:49AM -0500, jlewis at lewis.org:
> I've noticed an occasional bug, where for some reason rancid will lose
> large parts of a config (seems to only happen on Cisco AS5200's so far).
> Eventually, the missing config (or parts of it) comes back. i.e.
>
> In the past couple of runs for one particular 5248, first 70 lines of
> config vanish (everything in interface Ethernet0 other than the interface
> name, most of interface Virtual-Template1, and the entire sections for
> interfaces serial0, serial1, serial0:23, and serial1:23). Some number of
> runs later, the serial interfaces return, but the missing config data from
> Ethernet0 and Virtual-Template1 are still gone. I'm running do-diffs
> hourly, so somehow the same incomplete config is downloaded multiple times
> before returning to normal.
>
> Anyone seen this before?
>
> Revision 1.4 / (download) - annotate - [select for diffs], Thu Nov 14
> 05:15:36 2002 UTC (16 minutes, 31 seconds ago) by rancid
> Branch: MAIN
> CVS Tags: HEAD
> Changes since 1.3: +42 -0 lines
> Diff to previous 1.3 (colored)
>
> Revision 1.3 / (download) - annotate - [select for diffs], Thu Nov 14
> 02:16:12 2002 UTC (3 hours, 15 minutes ago) by rancid
> Branch: MAIN
> Changes since 1.2: +0 -70 lines
> Diff to previous 1.2 (colored)
>
>
> ----------------------------------------------------------------------
> Jon Lewis *jlewis at lewis.org*| I route
> System Administrator | therefore you are
> Atlantic Net |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From jlewis at lewis.org Thu Nov 14 14:53:24 2002
From: jlewis at lewis.org (jlewis at lewis.org)
Date: Thu, 14 Nov 2002 09:53:24 -0500 (EST)
Subject: parts of config missing, then back
In-Reply-To: <20021114055342.B9736@shrubbery.net>
Message-ID:

On Thu, 14 Nov 2002, john heasley wrote:

> i've seen boxes that omit their configs at random. usually related
> to memory shortage.

That would be it. Good old MS IOS leaking memory.

tampflxa-as-6>show mem
               Head   Total(b)    Used(b)    Free(b)  Lowest(b) Largest(b)
Processor     99B04    7759100    7759060         40          0         40
      I/O  20000000    4194304    3716388     477916     466180     128844

----------------------------------------------------------------------
 Jon Lewis *jlewis at lewis.org*| I route
 System Administrator | therefore you are
 Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From mohacsi at niif.hu Thu Nov 14 08:07:29 2002
From: mohacsi at niif.hu (Janos Mohacsi)
Date: Thu, 14 Nov 2002 09:07:29 +0100 (CET)
Subject: RANCID indiscretion
In-Reply-To: <4997596.1037179415@habanero.lava.net>
Message-ID: <20021114090537.F5664-100000@evil.ki.iif.hu>

On Wed, 13 Nov 2002, Robert Brewer wrote:

> I've noticed that for our Juniper M5s, RANCID insists on including
> encrypted passwords in email diffs. I know that for some config fields on
> some devices, RANCID knows to censor the email, but that doesn't seem to
> happen for JUNOS:

Not the e-mail censored, but the config file can be stored in secured way:
Set up
FILTER_PWDS=ALL; export FILTER_PWDS

in your rancid env file. By default passwords are not filtered.
Janos Mohacsi

From browan at houston.rr.com Thu Nov 14 14:24:49 2002
From: browan at houston.rr.com (Bill Rowan)
Date: Thu, 14 Nov 2002 08:24:49 -0600
Subject: Daily Flash problems
Message-ID: <019901c28be9$971790a0$06711b18@usd25445>

I have a fairly large deployment of Cisco routers that I use RANCID to track daily diffs. The problem I have is that RANCID will tell me random routers have no flash one day and then the next day all the flash contents will be back again. I am running RANCID on 71 ubr7246's and 17 120xx GSRs. I am not sure if the problem is happening on the GSRs. I have looked through about a month's worth of data and all I see is the problem occurring on the uBRs. Here is a sample of what I am talking about:

- !Flash: No files on device + !Flash: -#- ED --type-- --crc--- -seek-- nlen -length- -----date/time------ name + !Flash: 1 .. image CCD17FFF 66F690 29 6616592 Mar 06 2001 21:14:54 ubr7200-k1ps-mz.120-14.SC.bin + !Flash: 2 .. image C233DAB0 F752A8 30 9460632 Dec 08 2001 17:21:45 ubr7200-ik1s-mz.121-9.5.EC.bin + !Flash: 3 .. config EF397E63 F791AC 14 16003 May 20 2002 01:14:11 running-config

This is from last night's diffs and obviously the files have been there all along by the time stamp shown. To verify this, I look at the previous day's diff and see where this router shows:

- !Flash: -#- ED --type-- --crc--- -seek-- nlen -length- -----date/time------ name - !Flash: 1 .. image CCD17FFF 66F690 29 6616592 Mar 06 2001 21:14:54 ubr7200-k1ps-mz.120-14.SC.bin - !Flash: 2 .. image C233DAB0 F752A8 30 9460632 Dec 08 2001 17:21:45 ubr7200-ik1s-mz.121-9.5.EC.bin - !Flash: 3 .. config EF397E63 F791AC 14 16003 May 20 2002 01:14:11 running-config + !Flash: No files on device

Like I said, there is no regular pattern to which routers get affected and it doesn't happen to all of them at once. Some nights 10 to 15 routers will show this and others only 3 or 4. Ever since I have run RANCID, I have seen this. Only now have I decided to complain.
:-)

Ultimately, I guess I could take out the flash check in RANCID, but I really like it because it helps me catch core dumps and line card crash files. However, if nothing can be done to fix this, I would like to know how to take that out of my diffs.

From heas at shrubbery.net Thu Nov 14 21:03:10 2002
From: heas at shrubbery.net (john heasley)
Date: Thu, 14 Nov 2002 21:03:10 +0000
Subject: RANCID indiscretion
In-Reply-To: <20021114090537.F5664-100000@evil.ki.iif.hu>; from mohacsi@niif.hu on Thu, Nov 14, 2002 at 09:07:29AM +0100
References: <4997596.1037179415@habanero.lava.net> <20021114090537.F5664-100000@evil.ki.iif.hu>
Message-ID: <20021114210309.N15432@shrubbery.net>

Thu, Nov 14, 2002 at 09:07:29AM +0100, Janos Mohacsi:
>
>
> On Wed, 13 Nov 2002, Robert Brewer wrote:
>
> > I've noticed that for our Juniper M5s, RANCID insists on including
> > encrypted passwords in email diffs. I know that for some config fields on
> > some devices, RANCID knows to censor the email, but that doesn't seem to
> > happen for JUNOS:
>
> Not the e-mail censored, but the config file can be stored in secured way:
> Set up
> FILTER_PWDS=ALL; export FILTER_PWDS
>
> in your rancid env file. By default passwords are not filtered.
> Janos Mohacsi
>

by default, only easily reversible passwords are filtered. also see the
NOCOMMSTR variable in env(5).

From asp at partan.com Thu Nov 14 21:42:00 2002
From: asp at partan.com (Andrew Partan)
Date: Thu, 14 Nov 2002 16:42:00 -0500
Subject: Daily Flash problems
In-Reply-To: <019901c28be9$971790a0$06711b18@usd25445>
References: <019901c28be9$971790a0$06711b18@usd25445>
Message-ID: <20021114214200.GB25771@partan.com>

On Thu, Nov 14, 2002 at 08:24:49AM -0600, Bill Rowan wrote:
> Like I said, there is no regular pattern to which routers get
> affected and it doesn't happen to all of them at once. Some nights
> 10 to 15 routers will show this and others only 3 or 4. Ever since
> I have run RANCID, I have seen this. Only now have I decided to
> complain. :-)

Looks like a cisco bug to me. Rancid just happens to catch it since
it is watching more closely :-)

--asp

From Anshuman at expertcity.com Thu Nov 14 21:59:44 2002
From: Anshuman at expertcity.com (Anshuman Kanwar)
Date: Thu, 14 Nov 2002 13:59:44 -0800
Subject: netscaler 9000
Message-ID:

Hi all,

I needed rancid to capture configs from netscaler load balancers.
(http://www.netscaler.com/product/9000_datasheet.html)

To this end I hacked rancid, and added 'nlogin' and 'nrancid' scripts. I
would be happy to make them available if there is any interest in the
matter.

Thanks,
-ansh

From asp at partan.com Fri Nov 15 03:29:43 2002
From: asp at partan.com (Andrew Partan)
Date: Thu, 14 Nov 2002 22:29:43 -0500
Subject: netscaler 9000
In-Reply-To:
References:
Message-ID: <20021115032943.GD46762@partan.com>

On Thu, Nov 14, 2002 at 01:59:44PM -0800, Anshuman Kanwar wrote:
> I needed rancid to capture configs from netscaler load balancers.
> (http://www.netscaler.com/product/9000_datasheet.html)
>
> To this end I hacked rancid, and added 'nlogin' and 'nrancid' scripts. I
> would be happy to make them available if there is any interest in the
> matter.

I have never heard of a netscaler, but we would be happy to take
your patches & try to incorporate them into the rancid base.

Note that we usually try to make minor patches to clogin to make
it work with a new router instead of spawning yet another login
script.

Send them to rancid at shrubbery.net

--asp

From heas at shrubbery.net Sun Nov 24 23:23:13 2002
From: heas at shrubbery.net (john heasley)
Date: Sun, 24 Nov 2002 15:23:13 -0800
Subject: Daily Flash problems
In-Reply-To: <019901c28be9$971790a0$06711b18@usd25445>; from browan@houston.rr.com on Thu, Nov 14, 2002 at 08:24:49AM -0600
References: <019901c28be9$971790a0$06711b18@usd25445>
Message-ID: <20021124152312.H4097@shrubbery.net>

Thu, Nov 14, 2002 at 08:24:49AM -0600, Bill Rowan:
> I have a fairly large deployment of Cisco routers that I use RANCID to track daily diffs. The problem I have is that RANCID will tell me random routers have no flash one day and then the next day all the flash contents will be back again. I am running RANCID on 71 ubr7246's and 17 120xx GSRs. I am not sure if the problem is happening on the GSRs. I have looked through about a month's worth of data and all I see is the problem occurring on the uBRs. Here is a sample of what I am talking about:
>
> - !Flash: No files on device > + !Flash: -#- ED --type-- --crc--- -seek-- nlen -length- -----date/time------ name > + !Flash: 1 .. image CCD17FFF 66F690 29 6616592 Mar 06 2001 21:14:54 ubr7200-k1ps-mz.120-14.SC.bin > + !Flash: 2 .. image C233DAB0 F752A8 30 9460632 Dec 08 2001 17:21:45 ubr7200-ik1s-mz.121-9.5.EC.bin > + !Flash: 3 .. config EF397E63 F791AC 14 16003 May 20 2002 01:14:11 running-config
>
>
> This is from last night's diffs and obviously the files have been there all along by the time stamp shown. To verify this, I look at the previous day's diff and see where this router shows:
>
> - !Flash: -#- ED --type-- --crc--- -seek-- nlen -length- -----date/time------ name > - !Flash: 1 .. image CCD17FFF 66F690 29 6616592 Mar 06 2001 21:14:54 ubr7200-k1ps-mz.120-14.SC.bin > - !Flash: 2 .. image C233DAB0 F752A8 30 9460632 Dec 08 2001 17:21:45 ubr7200-ik1s-mz.121-9.5.EC.bin > - !Flash: 3 ..
config EF397E63 F791AC 14 16003 May 20 2002 01:14:11 running-config > + !Flash: No files on device
>
> Like I said, there is no regular pattern to which routers get affected and it doesn't happen to all of them at once. Some nights 10 to 15 routers will show this and others only 3 or 4. Ever since I have run RANCID, I have seen this. Only now have I decided to complain. :-)
>
> Ultimately, I guess I could take out the flash check in RANCID, but I really like it because it helps me catch core dumps and line card crash files. However, if nothing can be done to fix this, I would like to know how to take that out of my diffs.

i agree with andrew; ios bug.

if you wanted to have rancid re-collect when the flash has zero files,
return 1 from DirSlot/ShowFlash when it sees "No files on device". it
should give up and try again.
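
For the "RANCID indiscretion" thread above, an added example (not part of any message in this archive, and not RANCID's own code) of a post-filter that masks JUNOS secrets in a unified diff before it is mailed, with a "reversible" mode and an "all" mode modelled on the distinction drawn in the thread. The keyword list, function names, `<removed>` marker and sample diff are assumptions constructed for illustration; `$9$` is treated as reversible obfuscation and `$1$`/`$5$`/`$6$` as crypt hashes.

```python
import re

# JUNOS statements carrying a quoted secret (keyword list is this example's
# assumption, not RANCID's).
KEYWORDS = ("encrypted-password", "authentication-key", "secret")
SECRET_RE = re.compile(
    r'^(?P<head>[+\- ]?\s*(?:%s)\s+)"(?P<val>[^"]*)"(?P<tail>.*)$'
    % "|".join(KEYWORDS)
)
CRYPT = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}


def classify(value):
    """Return (scheme, reversible) judged from the stored value's prefix."""
    if value.startswith("$9$"):
        return "junos-$9$", True          # obfuscation, not a hash
    m = re.match(r"\$([156])\$", value)
    if m:
        return CRYPT[m.group(1)], False   # salted one-way hash
    return "unknown", True                # fail closed: may be plaintext


def redact_diff(diff_text, mode="all"):
    """Mask secrets in a unified diff.

    mode="reversible" masks only reversible values; mode="all" masks every
    match. Returns (text, findings), findings = (line_no, scheme, masked).
    """
    if mode not in ("reversible", "all"):
        raise ValueError("mode must be 'reversible' or 'all'")
    out, findings = [], []
    for no, line in enumerate(diff_text.splitlines(), 1):
        m = SECRET_RE.match(line)
        if m:
            scheme, reversible = classify(m.group("val"))
            masked = mode == "all" or reversible
            findings.append((no, scheme, masked))
            if masked:  # keep the +/- marker so the change itself stays visible
                line = '%s"<removed>"%s' % (m.group("head"), m.group("tail"))
        out.append(line)
    return "\n".join(out) + "\n", findings


# Constructed sample diff; every secret value below is made up.
SAMPLE_DIFF = """\
@@ -1,7 +1,7 @@
     authentication {
-        encrypted-password "$1$CONSTRUCT$oldoldoldoldoldoldoldol";
+        encrypted-password "$1$CONSTRUCT$newnewnewnewnewnewnewne";
     }
 radius-server {
     192.0.2.1 {
-        secret "$9$CONSTRUCTEDold";
+        secret "$9$CONSTRUCTEDnew";
     }
"""

if __name__ == "__main__":
    text, hits = redact_diff(SAMPLE_DIFF, mode="all")
    print(text, end="")
    for no, scheme, masked in hits:
        print("line %d: %s masked=%s" % (no, scheme, masked))
```

Masked lines keep their `+`/`-` markers, so the mailed diff still shows that a credential changed without carrying the value.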