From arnold at nipper.de Wed Jun 2 23:23:09 2004
From: arnold at nipper.de (Arnold Nipper)
Date: Thu, 03 Jun 2004 01:23:09 +0200
Subject: rancid router hung on loghost?
Message-ID: <40BE615D.7090802@nipper.de>

Since a couple of hours I get:

rancid router hung on loghost? Old lockfile still exists:
-rw-r----- 1 rancid rancid 0 Jun 2 20:13 /tmp/.router.run.lock

As usual I didn't change anything (TM) :-)

I see some rancid processes

(loghost:nipper 2 ) ps -alef -opid,user,stime,args | grep rancid
17398 rancid 00:30:49 /usr/bin/perl /usr/local/bin/rancid gw.de-cix.net
17397 rancid 00:30:49 sh -c (rancid-fe \gw.de-cix.net:cisco)
4090 rancid 20:13:01 /bin/sh /usr/local/bin/control_rancid router
4083 rancid 20:13:01 sh -c /usr/local/bin/do-diffs
17411 rancid 00:30:49 /usr/local/bin/expect -- /usr/local/bin/clogin -t 90 -c show version;show insta
17419 rancid 00:30:49 ssh -c 3des -x -l rancid gw.de-cix.net
4086 rancid 20:13:01 /bin/sh /usr/local/bin/do-diffs
17399 rancid 00:30:49 sh -c clogin -t 90 -c "show version;show install active;show env all;show gsr c
4084 rancid 20:13:01 /bin/sh /usr/local/bin/do-diffs
17396 rancid 00:30:49 /usr/bin/perl /usr/local/bin/par -q -n 5 -c rancid-fe \{} /var/rancid/router/ro

but have no idea why they got stuck. Looks like processes from 20:13 are still active though all other processes started at 21:13, 22:13, ... went thru. Removing /tmp/.router.run.lock does not really help as the same problem reappears some hours later.

Any ideas? Thanks for your help!

Arnold

From heas at shrubbery.net Thu Jun 3 07:57:34 2004
From: heas at shrubbery.net (john heasley)
Date: Thu, 3 Jun 2004 07:57:34 +0000
Subject: rancid router hung on loghost?
In-Reply-To: <40BE615D.7090802@nipper.de>
References: <40BE615D.7090802@nipper.de>
Message-ID: <20040603075734.GC231@shrubbery.net>

Thu, Jun 03, 2004 at 01:23:09AM +0200, Arnold Nipper:
> Since a couple of hours I get:
>
> rancid router hung on loghost? Old lockfile still exists:
> -rw-r----- 1 rancid rancid 0 Jun 2 20:13 /tmp/.router.run.lock
>
> As usual I didn't change anything (TM) :-)
>
> I see some rancid processes
>
> (loghost:nipper 2 ) ps -alef -opid,user,stime,args | grep rancid
> 17398 rancid 00:30:49 /usr/bin/perl /usr/local/bin/rancid gw.de-cix.net
> 17397 rancid 00:30:49 sh -c (rancid-fe \gw.de-cix.net:cisco)
> 4090 rancid 20:13:01 /bin/sh /usr/local/bin/control_rancid router
> 4083 rancid 20:13:01 sh -c /usr/local/bin/do-diffs
> 17411 rancid 00:30:49 /usr/local/bin/expect -- /usr/local/bin/clogin
> -t 90 -c show version;show insta
> 17419 rancid 00:30:49 ssh -c 3des -x -l rancid gw.de-cix.net
> 4086 rancid 20:13:01 /bin/sh /usr/local/bin/do-diffs
> 17399 rancid 00:30:49 sh -c clogin -t 90 -c "show version;show install
> active;show env all;show gsr c
> 4084 rancid 20:13:01 /bin/sh /usr/local/bin/do-diffs
> 17396 rancid 00:30:49 /usr/bin/perl /usr/local/bin/par -q -n 5 -c
> rancid-fe \{} /var/rancid/router/ro
>
> but have no idea why they got stuck. Looks like processes from 20:13 are
> still active though all other processes started at 21:13, 22:13, ...
> went thru. Removing /tmp/.router.run.lock does not really help as the
> same problem reappears some hours later.
>
> Any ideas? Thanks for your help!

dollars to donuts you're using a linux or solaris box and it's nothing you've done, your timing is just lucky. you need the expect patch on www.shrubbery.net/rancid.

we've discovered that solaris 2.8 (possibly others) appears to have a bug whereby that patch will affect the streams device (tty driver) and thus leaves your terminal (or stdin) in non-blocking mode...which happens to really irritate older versions of bash. i haven't worked out a better patch yet.

From arnold at nipper.de Thu Jun 3 08:16:17 2004
From: arnold at nipper.de (Arnold Nipper)
Date: Thu, 03 Jun 2004 10:16:17 +0200
Subject: rancid router hung on loghost?
In-Reply-To: <20040603075734.GC231@shrubbery.net>
References: <40BE615D.7090802@nipper.de> <20040603075734.GC231@shrubbery.net>
Message-ID: <40BEDE51.7040907@nipper.de>

On 03.06.2004 09:57 john heasley wrote:

> dollars to donuts you're using a linux or solaris box and it's nothing you've
> done, your timing is just lucky. you need the expect patch on
> www.shrubbery.net/rancid.
>

(loghost:nipper 1 ) uname -a
SunOS loghost 5.9 Generic_112233-04 sun4u sparc SUNW,UltraAX-i2

:-)

Thanks for the hint. I will apply the patch.

Arnold

From scotty at coretel.net Mon Jun 14 19:13:51 2004
From: scotty at coretel.net (Scott B. Lowe)
Date: Mon, 14 Jun 2004 15:13:51 -0400
Subject: Riverstone Login problem
Message-ID: <40CDF8EF.9070001@coretel.net>

I am using RANCID 2.3 with great success on Cisco gear but I am having an issue with Riverstone 3000's.

When you login to one of these, either by telnet or ssh, you must hit return before a login prompt appears. Therefore when I use clogin to try to connect it just sits at the login screen for the Riverstone, not getting to the prompt. Is there a way I can force RANCID to hit a carriage return before looking for the login prompt?

From msiy at condor.depaul.edu Mon Jun 14 20:36:08 2004
From: msiy at condor.depaul.edu (Michael C Siy)
Date: Mon, 14 Jun 2004 15:36:08 -0500 (CDT)
Subject: Riverstone Login problem
In-Reply-To: <40CDF8EF.9070001@coretel.net>
Message-ID:

Scott,

\n will force a carriage return for clogin. For example,

clogin -c '\n; show version' switch

will do a return on a Cisco gear before doing the show version command. Try that.

Mikee Siy
Networks and Telecom
DePaul University

On Mon, 14 Jun 2004, Scott B. Lowe wrote:

> I am using RANCID 2.3 with great success on Cisco gear but I am having an
> issue with Riverstone 3000's.
>
> When you login to one of these, either by telnet or ssh, you must hit
> return before a login prompt appears. Therefore when I use clogin to
> try to connect it just sits at the login screen for the Riverstone, not
> getting to the prompt. Is there a way I can force RANCID to hit a
> carriage return before looking for the login prompt?
>

From scotty at coretel.net Tue Jun 15 15:37:21 2004
From: scotty at coretel.net (Scott B. Lowe)
Date: Tue, 15 Jun 2004 11:37:21 -0400
Subject: rivlogin problem
Message-ID: <40CF17B1.7080008@coretel.net>

I am having another issue with Riverstone gear.

I use tacacs+ to login to my Riverstone gear. To login I enter the tac_username then the tac_password. The enable password and vty password are the same on the Riverstone. According to the documentation, I set up .cloginrc to look like this

add password my.river.stone {enable&vtypass} {enable&vtypass}
add user my.river.stone {tacuser}
add userpassword my.river.stone {tacuserpass}

When I run the rivlogin for the router it logs in fine using the tacacs username and password but gives a bad-password error when it tries the enable command. If I disable tacacs and set up .cloginrc to just use the last-resort/enable password for a login it goes all the way through to enable mode just fine. This leads me to believe that rivlogin is trying to use the {tacuserpass} for enable instead of {enable&vtypass}. Perhaps I have missed something in the config? Any help would be greatly appreciated.

Thank you

From afort at choqolat.org Wed Jun 16 03:45:35 2004
From: afort at choqolat.org (Andrew Fort)
Date: Wed, 16 Jun 2004 13:45:35 +1000
Subject: rivlogin problem
In-Reply-To: <40CF17B1.7080008@coretel.net>
References: <40CF17B1.7080008@coretel.net>
Message-ID: <40CFC25F.1020204@choqolat.org>

Scott B. Lowe wrote:

> I am having another issue with Riverstone gear.

Hi, Scott

> I use tacacs+ to login to my Riverstone gear. To login I enter the
> tac_username then the tac_password. The enable password and vty
> password are the same on the Riverstone. According to the
> documentation, I set up .cloginrc to look like this
>
> add password my.river.stone {enable&vtypass} {enable&vtypass}
> add user my.river.stone {tacuser}
> add userpassword my.river.stone {tacuserpass}

We're using RADIUS here, but it should be the same. The 'add password' line handling changed for rivlogin around about rancid 2.2bsomething - if the following suggestion doesn't work, try going to rancid 2.3. Also, non TAC+ logins were broken.

In the newer version...

For your add password line, the first password on the line should be the password you enter immediately after "Press RETURN to activate console...".

The second password is the last resort password (i.e., when you've logged in using that first password, you go to enable, and your TACACS+ credentials cannot be checked because the AAA server is 'unreachable' (buggy network code on the Enterasys shows this up regularly)).

The userpassword is your tac+ user password, and the user is your tac+ user. (This handling hasn't changed).

> When I run the rivlogin for the router it logs in fine using the tacacs
> username and password but gives a bad-password error when it tries the
> enable command. If I disable tacacs and set up .cloginrc to just use
> the last-resort/enable password for a login it goes all the way through
> to enable mode just fine. This leads me to believe that rivlogin is
> trying to use the {tacuserpass} for enable instead of
> {enable&vtypass}. Perhaps I have missed something in the config? Any
> help would be greatly appreciated.

Yes, it would appear you've run across a bug I introduced to rivlogin. (oops)

Please try the newest available version on the ftp.shrubbery.net server, and if you like mail me off-list if you're still having trouble.

-Andrew

From sem at mbrd.ru Wed Jun 16 13:38:36 2004
From: sem at mbrd.ru (Sergey Matveychuk)
Date: Wed, 16 Jun 2004 17:38:36 +0400
Subject: shorten rules
Message-ID: <005901c453a7$398fdd70$090410ac@mbrd.ru>

Hello!

I'm a newcomer to rancid. My proposal is here.
It looks like I can't set in .cloginrc something like:
add autoenable * 1
add autoenable some-ip 0

My .cloginrc grows to tens of lines w/o this feature. It will be great to implement it.

And a question. If I need to use other commands to get configuration from my CISCO systems, what is the best way to do so? I think to clone rancid and modify the copy and rancid-fe script. Is it right?

---
Sem.

From arnold at nipper.de Wed Jun 16 13:55:07 2004
From: arnold at nipper.de (Arnold Nipper)
Date: Wed, 16 Jun 2004 15:55:07 +0200
Subject: shorten rules
In-Reply-To: <005901c453a7$398fdd70$090410ac@mbrd.ru>
References: <005901c453a7$398fdd70$090410ac@mbrd.ru>
Message-ID: <40D0513B.2020608@nipper.de>

On 16.06.2004 15:38 Sergey Matveychuk wrote:

> Hello!
>
> I'm a newcomer to rancid. My proposal is here.
> It looks like I can't set in .cloginrc something like:
> add autoenable * 1
> add autoenable some-ip 0
>
> My .cloginrc grows to tens of lines w/o this feature. It will be great to
> implement it.
>

But you may do it the other way round :-)

add autoenable some-ip 0
add autoenable * 1

The second will not overwrite the first

Arnold

From scotty at coretel.net Wed Jun 16 16:07:32 2004
From: scotty at coretel.net (Scott B. Lowe)
Date: Wed, 16 Jun 2004 12:07:32 -0400
Subject: rivlogin problem
In-Reply-To: <40CFC25F.1020204@choqolat.org>
References: <40CF17B1.7080008@coretel.net> <40CFC25F.1020204@choqolat.org>
Message-ID: <40D07044.7060800@coretel.net>

Thanks for the input Andrew,

I am using version 2.3 now with no luck. Let me explain a little more of what I have. My Riverstones only have one password for last-resort/enable/vty. They are all the same. I only use tac+ for the initial login after the "Press return to activate...".

I set up the .cloginrc file as you explained and it still gave me a bad password error when it went to enable. I was convinced that rivlogin was ignoring the password line and just using the tac+ password for enable so I tested it. I created a tac+ user with a password that is the same as the enable password on the Riverstone. You can guess what happened.....that worked fine. In fact I can remove the password line altogether and it will still go all the way through enable. This must be a bug in the rivlogin script as it only pays attention to the first password on the line. I can't leave the tac+ password the same as the enable password so if you have any more suggestions I would be grateful.

Andrew Fort wrote:

> Scott B. Lowe wrote:
>
>> I am having another issue with Riverstone gear.
>
>
> Hi, Scott
>
>> I use tacacs+ to login to my Riverstone gear. To login I enter the
>> tac_username then the tac_password. The enable password and vty
>> password are the same on the Riverstone. According to the
>> documentation, I set up .cloginrc to look like this
>>
>> add password my.river.stone {enable&vtypass}
>> {enable&vtypass}
>> add user my.river.stone {tacuser}
>> add userpassword my.river.stone {tacuserpass}
>
>
> We're using RADIUS here, but it should be the same. The 'add
> password' line handling changed for rivlogin around about rancid
> 2.2bsomething - if the following suggestion doesn't work, try going to
> rancid 2.3. Also, non TAC+ logins were broken.
>
> In the newer version...
>
> For your add password line, the first password on the line should be
> the password you enter immediately after "Press RETURN to activate
> console...".
>
> The second password is the last resort password (i.e., when you've
> logged in using that first password, you go to enable, and your
> TACACS+ credentials cannot be checked because the AAA server is
> 'unreachable' (buggy network code on the Enterasys shows this up
> regularly)).
>
> The userpassword is your tac+ user password, and the user is your tac+
> user. (This handling hasn't changed).
>
>> When I run the rivlogin for the router it logs in fine using the
>> tacacs username and password but gives a bad-password error when it
>> tries the enable command. If I disable tacacs and set up .cloginrc to
>> just use the last-resort/enable password for a login it goes all the
>> way through to enable mode just fine. This leads me to believe that
>> rivlogin is trying to use the {tacuserpass} for enable instead of
>> {enable&vtypass}. Perhaps I have missed something in the config?
>> Any help would be greatly appreciated.
>
>
> Yes, it would appear you've run across a bug I introduced to rivlogin.
> (oops)
>
> Please try the newest available version on the ftp.shrubbery.net
> server, and if you like mail me off-list if you're still having trouble.
>
> -Andrew

From heas at shrubbery.net Wed Jun 16 17:06:46 2004
From: heas at shrubbery.net (john heasley)
Date: Wed, 16 Jun 2004 17:06:46 +0000
Subject: shorten rules
In-Reply-To: <40D0513B.2020608@nipper.de>
References: <005901c453a7$398fdd70$090410ac@mbrd.ru> <40D0513B.2020608@nipper.de>
Message-ID: <20040616170646.GD9834@shrubbery.net>

Wed, Jun 16, 2004 at 03:55:07PM +0200, Arnold Nipper:
> On 16.06.2004 15:38 Sergey Matveychuk wrote:
>
> > Hello!
> >
> > I'm a newcomer to rancid. My proposal is here.
> > It looks like I can't set in .cloginrc something like:
> > add autoenable * 1
> > add autoenable some-ip 0
> >
> > My .cloginrc grows to tens of lines w/o this feature. It will be great to
> > implement it.
> >
>
> But you may do it the other way round :-)
>
> add autoenable some-ip 0
> add autoenable * 1
>
> The second will not overwrite the first

Or more to the point, "the first match wins". note that in order for this to match, you would have to type
	clogin some-ip
clogin does not attempt to resolve a name (or vice versa) for the purpose of scanning .cloginrc.

From heas at shrubbery.net Wed Jun 16 17:07:26 2004
From: heas at shrubbery.net (john heasley)
Date: Wed, 16 Jun 2004 17:07:26 +0000
Subject: shorten rules
In-Reply-To: <005901c453a7$398fdd70$090410ac@mbrd.ru>
References: <005901c453a7$398fdd70$090410ac@mbrd.ru>
Message-ID: <20040616170726.GE9834@shrubbery.net>

Wed, Jun 16, 2004 at 05:38:36PM +0400, Sergey Matveychuk:
>
> And a question. If I need to use other commands to get configuration from my
> CISCO systems, what is the best way to do so? I think to clone rancid and
> modify the copy and rancid-fe script. Is it right?

For now, yes.
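
The "first match wins" lookup from the "shorten rules" thread, as an added example that is not part of the original messages and is not RANCID's own code: a Python model that reads `add` lines, returns the first matching entry for a name exactly as typed (no name resolution), and lists literal-host lines that an earlier wildcard makes unreachable, which is how a device ends up being sent the wrong credentials. Assumptions: `parse_cloginrc`, `lookup` and `shadowed` are hypothetical names, Python's `fnmatch` stands in for clogin's pattern matching, brace groups are not nested, and the sample hosts and values are constructed.

```python
import fnmatch
import re

# Constructed sample in .cloginrc syntax; hosts and values are made up.
SAMPLE = """\
add autoenable 192.0.2.10 0
add autoenable * 1
# wrong order on purpose: the wildcard comes before the specific host
add user *.example.net {tacuser}
add user core1.example.net {localadmin}
"""

TOKEN = re.compile(r"\{([^{}]*)\}|(\S+)")  # {braced group} or bare word

def parse_cloginrc(text):
    """Return [(directive, host_pattern, values)] in file order."""
    entries = []
    for line in text.splitlines():
        words = [b or w for b, w in TOKEN.findall(line.strip())]
        if len(words) >= 3 and words[0] == "add":
            entries.append((words[1], words[2], words[3:]))
    return entries

def lookup(entries, directive, name):
    """First matching line wins; the name is matched exactly as typed."""
    for d, pattern, values in entries:
        if d == directive and fnmatch.fnmatchcase(name, pattern):
            return values
    return None

def shadowed(entries):
    """Literal-host lines that can never win because an earlier pattern
    for the same directive already matches them."""
    dead = []
    for i, (d, pattern, _) in enumerate(entries):
        if any(c in pattern for c in "*?["):
            continue  # only literal host names are checked
        for d0, p0, _ in entries[:i]:
            if d0 == d and fnmatch.fnmatchcase(pattern, p0):
                dead.append((d, pattern, p0))
                break
    return dead

if __name__ == "__main__":
    rules = parse_cloginrc(SAMPLE)
    print(lookup(rules, "autoenable", "192.0.2.10"))
    print(lookup(rules, "user", "core1.example.net"))
    print(shadowed(rules))
```

Running `shadowed()` over a credentials file before deploying it shows which specific entries need to move above a wildcard.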