From colin.whittaker at heanet.ie Mon Aug 16 09:15:01 2004
From: colin.whittaker at heanet.ie (Colin Whittaker)
Date: Mon, 16 Aug 2004 10:15:01 +0100
Subject: Router vs TFTP configs
Message-ID: <20040816091501.GD22111@grainne.heanet.ie>

Hi all,

I am currently looking for a way to check our tftp configs, which we use for configuring our routers, against what is actually on the routers.

I figured someone must have come up with a way to deal with the idiosyncrasies of the show run output of various ciscos.

Colin

-- 
Colin Whittaker          colin.whittaker at heanet.ie
Tel: +353 1 6609040
HEAnet NOC               noc at heanet.ie
iNOC-DBA: 1213*752

From heas at shrubbery.net Mon Aug 16 15:53:02 2004
From: heas at shrubbery.net (john heasley)
Date: Mon, 16 Aug 2004 15:53:02 +0000
Subject: Router vs TFTP configs
In-Reply-To: <20040816091501.GD22111@grainne.heanet.ie>
References: <20040816091501.GD22111@grainne.heanet.ie>
Message-ID: <20040816155302.GC1263@shrubbery.net>

Mon, Aug 16, 2004 at 10:15:01AM +0100, Colin Whittaker:
> 
> Hi all,
> 
> I am currently looking for a way to check our tftp configs, which we
> use for configuring our routers, against what is actually on the routers.
> 
> I figured someone must have come up with a way to deal with the
> idiosyncrasies of the show run output of various ciscos.

ISC folks have some consistency checking scripts. not this precisely, but might give you some ideas. see last entry of the FAQ.

From Brian.Wilson at sas.com Thu Aug 19 17:59:38 2004
From: Brian.Wilson at sas.com (Brian Wilson)
Date: Thu, 19 Aug 2004 13:59:38 -0400
Subject: A few questions with 2.3.1
Message-ID:

First off, coming from someone who has written their own config downloader/revision control program, rancid is very straightforward and easy to get going. I thank the author for all the time he has put in to make it a valuable network tool.

I've gotten things set up fairly well for our environment less a few issues:

First, many of our devices resolve in DNS to multiple IP addresses (internal & external firewall addresses), thus this tends to cause problems with rancid and ssh. For instance:

    $ ssh -1 firewall -x -l user -c des
    ssh: connect to address 192.x.x.x port 22: Connection refused
    Warning: use of DES is strongly discouraged due to cryptographic weaknesses
    user at firewall's password:

The regex in clogin is actually catching the first "Connection refused", and thus stops processing the device and never gets to the password prompt. The device is failing with this error, "clogin error: Error: Connection Refused (ssh)", as expected. This can be worked around by commenting out the section below in clogin, but I was wondering if there was another way (besides putting all the correct addresses in /etc/hosts) to accomplish this. What I have done in the past (with the current scripts that download all the configurations) is to wait for the password prompt for ssh connections; if passwd is never found then expect will eventually time out on the device. I'm assuming that commenting this section out in clogin will accomplish the same thing:

    #-re "(Connection refused|Secure connection \[^\n\r]+ refused)" {
    #    catch {close}; wait
    #    if !$progs {
    #        send_user "\nError: Connection Refused ($prog): $router\n"
    #        return 1
    #    }
    #}

Anyone else have any suggestions?

The second issue I ran across is that passwords containing either "{" or "}" need to be escaped (since they are the dividers for passwords). I worked around this by modifying my code that generates my .cloginrc and regex'ing all passwords ($pw =~ s/([{}])/\\$1/g;).

The last question is: has anyone developed a method for encrypting .cloginrc?

Thanks in advance,
Brian

-- 
Brian Wilson                          Network Engineer
Systems and Information Security, ISD W: 919.531.0575
SAS Institute, Inc.                   http://www.sas.com

From heas at shrubbery.net Thu Aug 19 19:52:44 2004
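An added example, not code from rancid or from anyone in this thread: a small Python model of how Tcl splits a .cloginrc "add" line into words, which shows why a password containing an unbalanced "{" breaks the line and why Brian's s/([{}])/\\$1/g workaround repairs it. The sample passwords are constructed; only bare and {...}-quoted words are modelled, not "..." quoting or [...] substitution.

```python
import re

# Added example (not rancid's code): a minimal Tcl word splitter that
# honours brace quoting, enough to exercise .cloginrc "add password" lines.
# Real Tcl also handles "..." quoting, [...] substitution and comments.


def split_tcl_words(line):
    """Split one Tcl command line into words, honouring {...} quoting."""
    words, i, n = [], 0, len(line)
    while i < n:
        if line[i] in " \t":
            i += 1
            continue
        if line[i] == "{":
            depth, j = 1, i + 1
            while j < n and depth:
                c = line[j]
                if c == "\\" and j + 1 < n:
                    j += 2                 # \{ and \} do not count toward nesting
                    continue
                if c == "{":
                    depth += 1
                elif c == "}":
                    depth -= 1
                j += 1
            if depth:
                raise ValueError("missing close-brace")          # Tcl's own wording
            if j < n and line[j] not in " \t":
                raise ValueError("extra characters after close-brace")
            words.append(line[i + 1:j - 1])   # braces stripped, contents verbatim
            i = j
        else:
            j = i
            while j < n and line[j] not in " \t":
                j += 1
            words.append(line[i:j])
            i = j
    return words


def parses(line):
    """True if the line splits cleanly, False where Tcl would raise an error."""
    try:
        split_tcl_words(line)
        return True
    except ValueError:
        return False


def escape_for_cloginrc(secret):
    """Brian's Perl workaround, $pw =~ s/([{}])/\\$1/g, written in Python."""
    return re.sub(r"([{}])", r"\\\1", secret)


def password_line(pattern, passwd, enable_passwd):
    """Build an 'add password' line whose two secrets survive brace quoting."""
    return "add password %s {%s} {%s}" % (
        pattern, escape_for_cloginrc(passwd), escape_for_cloginrc(enable_passwd))


if __name__ == "__main__":
    # constructed sample: the login password contains a lone "{"
    raw = "add password * {ab{cd} {en}"
    print("unescaped parses:", parses(raw))            # False: missing close-brace
    fixed = password_line("*", "ab{cd", "en")
    print(fixed, "->", split_tcl_words(fixed))         # ['add', 'password', '*', 'ab\\{cd', 'en']
```

The escaped word keeps its backslash in the value Tcl produces, which is how brace quoting is defined; what clogin does with that value afterwards is not shown in this thread.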
From: heas at shrubbery.net (john heasley)
Date: Thu, 19 Aug 2004 12:52:44 -0700
Subject: A few questions with 2.3.1
In-Reply-To:
References:
Message-ID: <20040819195244.GC7191@shrubbery.net>

Thu, Aug 19, 2004 at 01:59:38PM -0400, Brian Wilson:
> 
> First off, coming from someone who has written their own config
> downloader/revision control program, rancid is very straightforward and
> easy to get going. I thank the author for all the time he has put in to
> make it a valuable network tool.
> 
> I've gotten things set up fairly well for our environment less a few issues:
> 
> First, many of our devices resolve in DNS to multiple IP addresses
> (internal & external firewall addresses), thus this tends to cause
> problems with rancid and ssh. For instance:
> 
> $ ssh -1 firewall -x -l user -c des
> ssh: connect to address 192.x.x.x port 22: Connection refused
> Warning: use of DES is strongly discouraged due to cryptographic weaknesses
> user at firewall's password:
> 
> The regex in clogin is actually catching the first "Connection refused",
> and thus stops processing the device and never gets to the password
> prompt. The device is failing with this error, "clogin error: Error:
> Connection Refused (ssh)", as expected. This can be worked around by
> commenting out the section below in clogin, but I was wondering if there
> was another way (besides putting all the correct addresses in /etc/hosts)
> to accomplish this. What I have done in the past (with the current scripts
> that download all the configurations) is to wait for the password prompt
> for ssh connections; if passwd is never found then expect will eventually
> time out on the device. I'm assuming that commenting this section out in
> clogin will accomplish the same thing:
> 
> #-re "(Connection refused|Secure connection \[^\n\r]+ refused)" {
> #    catch {close}; wait
> #    if !$progs {
> #        send_user "\nError: Connection Refused ($prog): $router\n"
> #        return 1
> #    }
> #}
> 
> Anyone else have any suggestions?

one solution would be to check if the pipe is still open for reading (or writing). if so, the child process has not exited and is presumably trying more addresses so it should exp_continue. maybe something like catch { send null }?

> The second issue I ran across is that passwords containing either "{" or
> "}" need to be escaped (since they are the dividers for passwords). I
> worked around this by modifying my code that generates my .cloginrc and
> regex'ing all passwords ($pw =~ s/([{}])/\\$1/g;).
> 
> The last question is: has anyone developed a method for encrypting .cloginrc?
> 
> Thanks in advance,
> Brian
> 
> -- 
> Brian Wilson                          Network Engineer
> Systems and Information Security, ISD W: 919.531.0575
> SAS Institute, Inc.                   http://www.sas.com

From jejs+rancid at sahala.org Thu Aug 19 19:55:33 2004
From: jejs+rancid at sahala.org (joshua sahala)
Date: Thu, 19 Aug 2004 15:55:33 -0400
Subject: A few questions with 2.3.1
In-Reply-To:
References:
Message-ID: <20040819195533.GA16698@aurvandil.sahala.org>

On (19/08/04 13:59), Brian Wilson wrote:
[cut]
> 
> First, many of our devices resolve in DNS to multiple IP addresses
> (internal & external firewall addresses), thus, this tends to cause
> problems with rancid and ssh. For instance:
> 
[cut]
> 
> Anyone else have any suggestions?
> 

i personally would have a management name in dns (or /etc/hosts) for each device, then you would only have one address to resolve

  ex: mgmt-myrouter.mydomain

or create a subdomain for your management addresses

  ex: myrouter.mgmt.mydomain

as to your other questions, i haven't encountered a need to do either. my passwords are complex and ugly, but stay with a few 'standard' special characters. the only user(s) that have access to the rancid account/directories are the admins who have enable rights, and the rancid host is secured and monitored (like the rest of the servers)

/joshua

-- 
A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools.
- Douglas Adams -

From bjohnson at drtel.com Mon Aug 23 16:58:48 2004
From: bjohnson at drtel.com (bjohnson at drtel.com)
Date: Mon, 23 Aug 2004 11:58:48 -0500
Subject: Cisco switch config issues
Message-ID:

I have been running rancid for a little more than a year now and have been enduring the one little nagging problem I have... until today. :)

I have a cisco 3750 switch with vlans configured on it that keeps sending me diffs for a non-change event. Here it is:

Index: configs/
===================================================================
retrieving revision 1.17
diff -U4 -r1.17
@@ -59,19 +59,11 @@
 !VTP: Local updater ID is on interface Vl2 (lowest numbered VLAN interface found)
 !
 !VLAN: VLAN Name Status Ports
 !VLAN: ---- -------------------------------- --------- -------------------------------
- !VLAN: 1 default active Gi1/0/9, Gi1/0/10, Gi1/0/11
- !VLAN: Gi1/0/12, Gi1/0/13, Gi1/0/14
- !VLAN: Gi1/0/15, Gi1/0/16, Gi1/0/17
- !VLAN: Gi1/0/18, Gi1/0/19, Gi1/0/20
- !VLAN: Gi1/0/21, Gi1/0/22, Gi1/0/23
- !VLAN: Gi1/0/26
- !VLAN: 2 VLAN0002 active Gi1/0/1, Gi1/0/2, Gi1/0/3
- !VLAN: Gi1/0/4, Gi1/0/5, Gi1/0/6
- !VLAN: Gi1/0/7, Gi1/0/8
- !VLAN: 10 VLAN0010 active Gi1/0/24, Gi1/0/25, Gi1/0/27
- !VLAN: Gi1/0/28
+ !VLAN: 1 default active Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12, Gi1/0/13, Gi1/0/14, Gi1/0/15, Gi1/0/16, Gi1/0/17, Gi1/0/18, Gi1/0/19, Gi1/0/20, Gi1/0/21, Gi1/0/22, Gi1/0/23, Gi1/0/26
+ !VLAN: 2 VLAN0002 active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4, Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8
+ !VLAN: 10 VLAN0010 active Gi1/0/24, Gi1/0/25, Gi1/0/27, Gi1/0/28
 !VLAN: 1002 fddi-default act/unsup
 !VLAN: 1003 token-ring-default act/unsup
 !VLAN: 1004 fddinet-default act/unsup
 !VLAN: 1005 trnet-default act/unsup

The information is just a slightly different format of the version from before. Is there an easy way to "fix" this?

- Brian J.

From terry at tmk.com Mon Aug 23 16:59:51 2004
From: terry at tmk.com (Terry Kennedy)
Date: Mon, 23 Aug 2004 12:59:51 -0400 (EDT)
Subject: Cisco switch config issues
In-Reply-To: "Your message dated Mon, 23 Aug 2004 11:58:48 -0500"
Message-ID: <01LE06IMFW22002M8X@tmk.com>

> I have been running rancid for a little more than a year now and have been
> enduring the one little nagging problem I have... until today. :)
> 
> I have a cisco 3750 switch with vlans configured on it that keeps sending
> me diffs for a non-change event. Here it is:

[snip]

> The information is just a slightly different format of the version from
> before. Is there an easy way to "fix" this?

This comes up a bit. Here's what I posted the last time:

--------
From: IN%"terry at tmk.com" 6-APR-2004 10:18:34.47
To: IN%"dcorbe at resultstel.com"
CC: IN%"rancid-discuss at shrubbery.net"
Subj: Re: [Fwd: [netops] switches router config diffs]

> I'm getting a lot of these on my Cisco Catalyst 2950 during every single
> rancid-run update. These are worthless diffs as there aren't any
> changes in configuration but changes in port status.

I know this one 8-) I bet you have people accessing the switches with different terminal width settings in their terminal programs. The VTY picks this up as part of telnet option negotiations. Since RANCID is a non-interactive session to the switch, it doesn't negotiate width. Try this patch for clogin (you'll probably need to apply it manually):

*** clogin_orig Fri Aug 9 16:54:10 2002
--- clogin Sun Apr 6 19:20:42 2003
***************
*** 455,460 ****
--- 455,462 ----
          send "set length 0\r"
      } else {
          send "term length 0\r"
+         expect -re $prompt {}
+         send "term width 80\r"
      }
      regsub -all "\[)(]" $prompt {\\&} reprompt
      # match cisco config mode prompts too, but not for catalyst ie: (enable)
***************
*** 699,704 ****
--- 701,708 ----
          send "set logging session disable\r"
      } else {
          send "term length 0\r"
+         expect -re $prompt {}
+         send "term width 80\r"
      }
      expect -re $prompt {}
      source $sfile

Terry Kennedy                    http://www.tmk.com
terry at tmk.com                    New York, NY USA

--------

From afort at choqolat.org Mon Aug 23 22:55:46 2004
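Review bot: both hunks add `expect -re $prompt {}` and `send "term width 80\r"` only on the `else` (IOS) side of the branch, so a CatOS box that takes the `set length 0` / `set logging session disable` path still runs with whatever width the VTY negotiated and keeps producing the wrap-only diffs this patch is meant to stop; either add the CatOS equivalent in that branch or say in a comment that the change is deliberately IOS-only. The inserted `expect -re $prompt {}` also has no timeout arm, which matches the existing expect a few lines below, but it means a device that does not echo a prompt after `term length 0` now stalls there rather than later, so that behaviour deserves a one-line comment.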
From: afort at choqolat.org (Andrew Fort)
Date: Tue, 24 Aug 2004 08:55:46 +1000
Subject: Do you need 'sh vlan' output on your switch?
In-Reply-To: <01LE06IMFW22002M8X@tmk.com>
References: <01LE06IMFW22002M8X@tmk.com>
Message-ID: <412A75F2.1040706@choqolat.org>

Terry Kennedy provided a patch for issues from rancid's choice of 'terminal'...

>>I have been running rancid for a little more than a year now and have been
>>enduring the one little nagging problem I have... until today. :)
>>
>>I have a cisco 3750 switch with vlans configured on it that keeps sending
>>me diffs for a non-change event. Here it is:
> 
> [snip]
> 
>>The information is just a slightly different format of the version from
>>before. Is there an easy way to "fix" this?

In addition to the patch Terry suggested, it'd be interesting to know if people need the "show vlan" output from their switches anymore? Do the non-malibu switches (i.e., does the 2950) store its VLAN table in the main configuration, or only in vlan.dat? If the former, well, we can tell rancid not to include the "show vlan" output for that model of switch (however, both modes are available, so a default option means some people won't get their VLAN table stored).

As you may be aware, "show vlan" parsing to RANCID was added for the 2924/3500 series (malibu) switch because cisco (due to possible autonomous updates from VTP) put the VLAN config in a separate mode ("vlan database"). Parsing "show vlan" was a bit of a hack to get around not separately backing up the vlan.dat file from the switch.

Newer boxes when running extended VLAN IDs (required for Multi-instance STP config, for example) force the switch into VTP transparent mode, and then VLANs are configured inside the main config (phew!).

Looking for the command and then optionally running the 'sh vlan' parser requires some big changes to the code...

-andrew

From terry at tmk.com Tue Aug 24 04:11:35 2004
From: terry at tmk.com (Terry Kennedy)
Date: Tue, 24 Aug 2004 00:11:35 -0400 (EDT)
Subject: Do you need 'sh vlan' output on your switch?
In-Reply-To: "Your message dated Tue, 24 Aug 2004 08:55:46 +1000" <412A75F2.1040706@choqolat.org>
References: <01LE06IMFW22002M8X@tmk.com>
Message-ID: <01LE0U2QYG8A001YLT@tmk.com>

> In addition to the patch Terry suggested, it'd be interesting to know if
> people need the "show vlan" output from their switches anymore?

Yup 8-)

> As you may be aware, "show vlan" parsing to RANCID was added for the
> 2924/3500 series (malibu) switch because cisco (due to possible
> autonomous updates from VTP) put the VLAN config in a separate mode
> ("vlan database"). Parsing "show vlan" was a bit of a hack to get
> around not separately backing up the vlan.dat file from the switch.

I added "show vlan" to RANCID. I'm not sure if the current implementation is from me, or if it was done by somebody else (I added a lot of stuff in the 1.5/1.6 timeframe).

At the time, I only had C55xx's and C2900XL's to work with. Since then, I have added 650x's and various C2550 / C3500XL / C3550 boxes. My techs find the "show vlan" output useful as it is saved by RANCID on all platforms in a consistent manner. It also means that changes that ripple through the network (for example, a learned VLAN via an update from another switch) show up. I don't think that happens when parsing "show run", though I could be mistaken.

Terry Kennedy                    http://www.tmk.com
terry at tmk.com                    New York, NY USA

From afort at choqolat.org Tue Aug 24 04:25:19 2004
From: afort at choqolat.org (Andrew Fort)
Date: Tue, 24 Aug 2004 14:25:19 +1000
Subject: Do you need 'sh vlan' output on your switch?
In-Reply-To: <01LE0U2QYG8A001YLT@tmk.com>
References: <01LE06IMFW22002M8X@tmk.com> <01LE0U2QYG8A001YLT@tmk.com>
Message-ID: <412AC32F.2060902@choqolat.org>

Terry Kennedy wrote:
> At the time, I only had C55xx's and C2900XL's to work with. Since then, I
> have added 650x's and various C2550 / C3500XL / C3550 boxes. My techs find
> the "show vlan" output useful as it is saved by RANCID on all platforms in
> a consistent manner. It also means that changes that ripple through the
> network (for example, a learned VLAN via an update from another switch) show
> up. I don't think that happens when parsing "show run", though I could be
> mistaken.

Right; this is the 'problem'. VTP managed switches require this command's output, non-VTP managed switches, well, don't (perhaps). (And if you want to use VLAN IDs >1005 you'll be setting vtp mode transparent).

Commands in write term/show run output are purely static definitions (since that only happens when vtp is set transparent and 'extended' (full) VLAN range is configured) (at least on IOS switches).

Cheers,
Andrew

From shekhar at mos.com.np Tue Aug 24 06:59:29 2004
From: shekhar at mos.com.np (Shekhar Basnet)
Date: Tue, 24 Aug 2004 12:44:29 +0545 (NPT)
Subject: keep on receiving routers down messages
Message-ID:

I have just installed rancid version 2.3. Everything seems to work fine. But I keep on receiving messages informing about routers changes in the group every hour that rancid-run is run. My inbox is overwhelmed with these messages. I have included the message below for reference. I was previously running rancid 2.2.2 smoothly without any problems. Cvs status shows up-to-date. Has anyone else encountered this kind of prob? I am running rancid 2.3 under Fedora Core release 1.

tia
shekhar.

---------- Forwarded message ----------
Date: Tue, 24 Aug 2004 06:01:27 +0545
To: rancid-durbarmarg at chulu.mos.com.np
Subject: changes in durbarmarg routers

Routers changed to down:

From heas at shrubbery.net Tue Aug 24 16:42:06 2004
From: heas at shrubbery.net (john heasley)
Date: Tue, 24 Aug 2004 09:42:06 -0700
Subject: keep on receiving routers down messages
In-Reply-To:
References:
Message-ID: <20040824164206.GF28021@shrubbery.net>

Tue, Aug 24, 2004 at 12:44:29PM +0545, Shekhar Basnet:
> I have just installed rancid version 2.3. Everything seems to work fine.
> But I keep on receiving messages informing about routers changes in the
> group every hour that rancid-run is run. My inbox is overwhelmed with
> these messages. I have included the message below for reference. I was
> previously running rancid 2.2.2 smoothly without any problems. Cvs status
> shows up-to-date. Has anyone else encountered this kind of prob? I am
> running rancid 2.3 under Fedora Core release 1.

it's due to the diff(1) that is being picked up via the PATH in rancid.conf or the options that are being passed to it, both chosen by the configure script. most likely it is that gnu diff started refusing the -4 (number of context lines) option at some point. see the diff commands in control_rancid and try them, eg

    diff -u -4 /dev/null /dev/null

should produce the exit code 0.

if you use 2.3.1, this should be dealt with acceptably for linux, but still doesn't work quite right for solaris. and, we're trying to come up with a better configure test for diff.

> tia
> shekhar.
> 
> 
> ---------- Forwarded message ----------
> Date: Tue, 24 Aug 2004 06:01:27 +0545
> To: rancid-durbarmarg at chulu.mos.com.np
> Subject: changes in durbarmarg routers
> 
> Routers changed to down:

From heas at shrubbery.net Thu Aug 26 14:58:13 2004
From: heas at shrubbery.net (john heasley)
Date: Thu, 26 Aug 2004 07:58:13 -0700
Subject: Problem with rancid & rsh
In-Reply-To: <20040825171840.36207.qmail@web51404.mail.yahoo.com>
References: <20040825171840.36207.qmail@web51404.mail.yahoo.com>
Message-ID: <20040826145813.GD20681@shrubbery.net>

sorry, rsh does not work well at the moment. clogin (et al) need some rework to handle rsh properly.

Wed, Aug 25, 2004 at 10:18:40AM -0700, Chris Garcia:
> Hi,
> I'm trying to use rancid, with rsh. My .cloginrc
> contains the following:
> 
> add method * {rsh}
> add user * privuser
> add password * test test
> add autoenable * 1
> 
> When trying to do a clogin, I get
> $ ./clogin 172.15.254.31
> 172.15.254.31
> spawn /usr/bin/rsh -l privuser 172.15.254.31
> ::ffff:172.15.254.31: Connection refused
> 
> Error: Connection Refused (rsh)
> 
> But, when just running
> $/usr/bin/rsh -l privuser 172.15.254.31 sh ver
> I do get back what I should...
> 
> Cisco Internetwork Operating System Software
> IOS (tm) C3750 Software (C3750-I5-M), ...
> 
> If I run $/usr/bin/rsh -l lprivuser 172.15.254.31,
> without the sh ver, I reproduce the Connection
> Refused message.
> 
> I get similar behavior when running do-diffs.
> 
> $ more pod-c.20040825.114819
> starting: Wed Aug 25 11:48:19 CDT 2004
> 
> cvs status: failed to create lock directory for
> `/opt/rancid/CVS/pod-c/configs'
> (/opt/rancid/CVS/pod-c/configs/#cvs.lock): Permission denied
> cvs status: failed to obtain dir lock in repository
> `/opt/rancid/CVS/pod-c/configs'
> cvs [status aborted]: read lock failed - giving up
> 
> Trying to get all of the configs.
> 172.15.254.31 clogin error: Error: Connection Refused (rsh)
> 172.15.254.31: missed cmd(s): show env all,show module,show controllers,show diagbus,show diag,dir /all disk1:,show gsr chassis,dir /all bootflash:,write term,dir /all disk2:,show vtp status,dir /all sup-bootflash:,dir /all slot2:,dir /all slot0:,dir /all sup-microcode:,dir /all disk0:,show install active,show bootvar,show vlan,show controllers cbus,dir /all nvram:,show flash,show version,show variables boot,show c7200,show boot,dir /all slot1:
> 172.15.254.31: End of run not found
> !
> =====================================
> 
> It's like the commands are never sent to the device.
> I think rsh is being handled the same as telnet/ssh,
> where expect is expecting something back, but it isn't
> getting anything, so it never sends commands to the
> router, and just times out the rsh connection.
> Or am I doing something wrong?
> Any help you can provide would be appreciated.
> Thanks,
> Chris Garcia

From lists at lowside.org Fri Aug 27 03:46:50 2004
From: lists at lowside.org (Len)
Date: Thu, 26 Aug 2004 20:46:50 -0700
Subject: rancid 2.2.2 Problem
Message-ID: <412EAEAA.9030609@lowside.org>

Howdy all, new to the list but I'm wondering if you guys can help me out. I'm using clogin to log into a group of cisco access points to enable mac authentication on a given ssid on the dot11radio0 interface.

Like I said I'm using 2.2.2 on FreeBSD 4.10-Release.

I'm using a command file, of which I can literally copy and paste when logging into the router manually, but when I try to process the command file it hangs when adding the following command - aaa group server radius rad_mac . When running the command through truss to watch the system calls I see a signal 28 which is new screen, obviously can't be right. My hypothesis looking through the clogin.in is that there isn't a proper regular expression for the prompt which you're presented after entering that command (it drops to a sub menu a la sub interface). That prompt looks like this WM036-1230-(config-sg-radius)# ... I would think it'd be okay since it should probably just match text before a # (showing enabled) but what the hell do I know.

Any help afforded by you guys would be great

TIA

Len

From heas at shrubbery.net Fri Aug 27 04:49:56 2004
From: heas at shrubbery.net (john heasley)
Date: Fri, 27 Aug 2004 04:49:56 +0000
Subject: rancid 2.2.2 Problem
In-Reply-To: <412EAEAA.9030609@lowside.org>
References: <412EAEAA.9030609@lowside.org>
Message-ID: <20040827044956.GA4502@shrubbery.net>

Thu, Aug 26, 2004 at 08:46:50PM -0700, Len:
> Howdy all, new to the list but I'm wondering if you guys can help me
> out. I'm using clogin to log into a group of cisco access points to
> enable mac authentication on a given ssid on the dot11radio0 interface.
> 
> Like I said I'm using 2.2.2 on FreeBSD 4.10-Release.
> 
> I'm using a command file, of which I can literally copy and paste when
> logging into the router manually, but when I try to process the command
> file it hangs when adding the following command -
> aaa group server radius rad_mac . When running the command through truss
> to watch the system calls I see a signal 28 which is new screen,
> obviously can't be right. My hypothesis looking through the clogin.in
> is that there isn't a proper regular expression for the prompt which
> you're presented after entering that command (it drops to a sub menu a la
> sub interface). That prompt looks like this
> WM036-1230-(config-sg-radius)# ... I would think it'd be okay since it

that looks like your prompt got truncated. that was fixed in 2.3, please try 2.3.1 with expect 5.40 or greater. i believe that'll do it for you; iirc, it truncates the prompt to no more than 14 chars, but what you have above is only 11.

    508 # match cisco config mode prompts too, such as router(config-if)#,
    509 # but catalyst does not change in this fashion.
    510 regsub -all {^(.{1,14}).*([#>])$} $reprompt {\1([^#>\r\n]+)?[#>](\\([^)\\r\\n]+\\))?} reprompt
    511 expect {

i guess that'll have to be reduced to 10 or so. please try that out and let me know.

again, note the expect version, prior versions bugger the regex.

> should probably just match text before a # (showing enabled) but what
> the hell do I know.
> 
> Any help afforded by you guys would be great
> 
> 
> TIA
> 
> 
> Len

From lists at lowside.org Fri Aug 27 05:18:42 2004
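An added example, not rancid's code and not from anyone in this thread: a Python rendering of the prompt regsub heas quotes above, with the 14 made a parameter, so a candidate bound can be tested offline against the submode prompt Len reported. The exec-mode hostname `WM036-1230-AP1` is constructed (Len's real hostname is not in the thread); the example assumes the device shortens the hostname to the 11 characters Len sees in its submode prompt, which is why a 14-character prefix taken from the exec prompt never matches.

```python
import re

# Added example: a Python model of clogin's prompt regsub
#   regsub -all {^(.{1,14}).*([#>])$} $reprompt {\1([^#>\r\n]+)?[#>](\\([^)\\r\\n]+\\))?} reprompt
# with the 14 (the prefix bound) made a parameter.

CONFIG_SUFFIX = r"([^#>\r\n]+)?[#>](\([^)\r\n]+\))?"   # the regsub replacement minus \1


def escape_prompt(prompt):
    r"""clogin escapes parentheses first: regsub -all "\[)(]" $prompt {\\&} reprompt."""
    return re.sub(r"[)(]", lambda m: "\\" + m.group(0), prompt)


def config_mode_pattern(reprompt, bound=14):
    """Keep at most `bound` leading characters of the escaped exec prompt and
    allow any config (sub)mode text before the closing '#' or '>'."""
    m = re.match(r"^(.{1,%d}).*([#>])$" % bound, reprompt)
    if m is None:
        return reprompt                 # regsub leaves a non-matching prompt untouched
    return m.group(1) + CONFIG_SUFFIX


def prompt_seen(pattern, output):
    """expect -re scans the whole buffer, so search rather than anchor."""
    return re.search(pattern, output) is not None


def check_bounds(exec_prompt, seen_prompt, bounds=(14, 10)):
    """For each bound, does the generated pattern match what the device shows?"""
    reprompt = escape_prompt(exec_prompt)
    return {b: prompt_seen(config_mode_pattern(reprompt, b), seen_prompt)
            for b in bounds}


if __name__ == "__main__":
    exec_prompt = "WM036-1230-AP1#"                 # constructed: 14-char hostname + '#'
    submode = "WM036-1230-(config-sg-radius)#"     # the prompt Len reported
    print(check_bounds(exec_prompt, submode))                    # {14: False, 10: True}
    print(check_bounds(exec_prompt, "WM036-1230-AP1(config)#"))  # {14: True, 10: True}
```

A shorter bound is also a looser match, so it will match more of the device's output; 10 keeps the whole hostname here but should be checked against the other prompts in the group before it goes into clogin.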
From: lists at lowside.org (Len)
Date: Thu, 26 Aug 2004 22:18:42 -0700
Subject: rancid 2.2.2 Problem
In-Reply-To: <20040827044956.GA4502@shrubbery.net>
References: <412EAEAA.9030609@lowside.org> <20040827044956.GA4502@shrubbery.net>
Message-ID: <412EC432.70701@lowside.org>

No go.. I've upgraded to rancid 2.3.1 (Tcl 8.4.7 + expect 5.4.2) and it now seems like my prompt is not cut off, but the hang still occurs. Is there a max number of characters behind the # or some combo of that and the quantity between the ( )s ?

-lenny

john heasley wrote:
> Thu, Aug 26, 2004 at 08:46:50PM -0700, Len:
> 
>>Howdy all, new to the list but I'm wondering if you guys can help me
>>out. I'm using clogin to log into a group of cisco access points to
>>enable mac authentication on a given ssid on the dot11radio0 interface.
>>
>> Like I said I'm using 2.2.2 on FreeBSD 4.10-Release.
>>
>>I'm using a command file, of which I can literally copy and paste when
>>logging into the router manually, but when I try to process the command
>>file it hangs when adding the following command -
>>aaa group server radius rad_mac . When running the command through truss
>>to watch the system calls I see a signal 28 which is new screen,
>>obviously can't be right. My hypothesis looking through the clogin.in
>>is that there isn't a proper regular expression for the prompt which
>>you're presented after entering that command (it drops to a sub menu a la
>>sub interface). That prompt looks like this
>>WM036-1230-(config-sg-radius)# ... I would think it'd be okay since it
> 
> 
> that looks like your prompt got truncated. that was fixed in 2.3, please
> try 2.3.1 with expect 5.40 or greater. i believe that'll do it for you;
> iirc, it truncates the prompt to no more than 14 chars, but what you have
> above is only 11.
> 
> 508 # match cisco config mode prompts too, such as router(config-if)#,
> 509 # but catalyst does not change in this fashion.
> 510 regsub -all {^(.{1,14}).*([#>])$} $reprompt {\1([^#>\r\n]+)?[#>](\\([^)\\r\\n]+\\))?} reprompt
> 511 expect {
> 
> i guess that'll have to be reduced to 10 or so. please try that out and
> let me know.
> 
> again, note the expect version, prior versions bugger the regex.
> 
> 
>>should probably just match text before a # (showing enabled) but what
>>the hell do I know. Any help afforded by you guys would be great
>>
>>
>>TIA
>>
>>
>>Len
> 
> 

From asp at partan.com Fri Aug 27 15:15:09 2004
From: asp at partan.com (Andrew Partan)
Date: Fri, 27 Aug 2004 11:15:09 -0400
Subject: rancid 2.2.2 Problem
In-Reply-To: <412EC432.70701@lowside.org>
References: <412EAEAA.9030609@lowside.org> <20040827044956.GA4502@shrubbery.net> <412EC432.70701@lowside.org>
Message-ID: <20040827151509.GA4570@partan.com>

On Thu, Aug 26, 2004 at 10:18:42PM -0700, Len wrote:
> >>I'm using a command file, of which I can literally copy and paste when
> >>logging into the router manually, but when I try to process the command
> >>file it doesn't hangs when adding the following command -

You seem to be running into problems with the prompt changing (enable prompt, config prompt, config submode prompt, ...). rancid doesn't handle this very well.

Have you looked at the example expect script cisco-load.exp? Doing something like that where you are matching your own prompts might be the way to go.

Or try something like:

    clogin -c 'conf t\rint lo0\rip addr 10.0.0.0/32\rend;cop run star'

i.e.: embed the newlines in the 'command' & rancid will send the entire multiline command at once & only wait for the enable prompt at the end.

--asp

From heas at shrubbery.net Fri Aug 27 15:16:50 2004
From: heas at shrubbery.net (john heasley)
Date: Fri, 27 Aug 2004 08:16:50 -0700
Subject: rancid 2.2.2 Problem
In-Reply-To: <412EC432.70701@lowside.org>
References: <412EAEAA.9030609@lowside.org> <20040827044956.GA4502@shrubbery.net> <412EC432.70701@lowside.org>
Message-ID: <20040827151650.GA16606@shrubbery.net>

Thu, Aug 26, 2004 at 10:18:42PM -0700, Len:
> No go.. I've upgraded to rancid 2.3.1 (Tcl 8.4.7 + expect 5.4.2) and it
> now seems like my prompt is not cut off, but the hang still occurs. Is
> there a max number of characters behind the # or some combo of that and
> the quantity between the ( )s ?

what value did you use for the bound that I mentioned?

> >iirc, it truncates the prompt to no more than 14 chars, but what you have
> >above is only 11.
> >
> > 508 # match cisco config mode prompts too, such as router(config-if)#,
> > 509 # but catalyst does not change in this fashion.
> > 510 regsub -all {^(.{1,14}).*([#>])$} $reprompt {\1([^#>\r\n]+)?[#>](\\([^)\\r\\n]+\\))?} reprompt
> > 511 expect {
> >
> >i guess that'll have to be reduced to 10 or so. please try that out and
> >let me know.

From jejs+rancid at sahala.org Mon Aug 30 16:36:34 2004
From: jejs+rancid at sahala.org (joshua sahala)
Date: Mon, 30 Aug 2004 12:36:34 -0400
Subject: Fwd: rancid.diff
Message-ID: <20040830163634.GA12043@aurvandil.sahala.org>

i upgraded to 2.3.1 the other day and started getting warnings that rancid could not contact my netscreens...looking at the previous nlogin versus the newer nlogin, i saw that the enable variable had been changed to avenable, but that it hadn't been changed in the enable loop

--- nlogin-2.3.1.bak	2004-08-30 12:23:48.000000000 -0400
+++ /usr/local/rancid/bin/nlogin	2004-08-30 12:24:31.000000000 -0400
@@ -485,7 +485,7 @@
     if {[login $firewall $ruser $userpswd $passwd $enapasswd $prompt $cmethod $cyphertype]} {
         continue
     }
-    if { $enable } {
+    if { $avenable } {
         if {[do_enable $enauser $enapasswd]} {
             if { $do_command || $do_script } {
                 close; wait

cheers

/joshua

-- 
A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools.
- Douglas Adams -
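Review bot: the rename is applied at only this one `if { $enable }` test; since the switch to `avenable` evidently missed this site, grep the rest of nlogin for any remaining `$enable` references before treating the one-line change as complete, and confirm that `avenable` is the variable actually populated from the autoenable setting in .cloginrc. The `do_enable $enauser $enapasswd` call and the `$do_command || $do_script` test in the context lines are untouched, so nothing else in the enable path moves with this change.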