From WilliamD at ps-rec.com Thu Mar 1 16:55:35 2007
From: WilliamD at ps-rec.com (William Dyer)
Date: Thu, 1 Mar 2007 16:55:35 -0000
Subject: [rancid] Juniper ERX Professionals Required!
Message-ID: <4244D7CB5BFAF74DB37A2FEC199BC50A033DA12E@MAILSERVER>

Would you like to work on-site for 6 months+ for some of the largest organisations in the World?

My client are in the fastest 300 growing technology companies, so have very quickly become hugely successful and are making themselves well known on a global scale. They mainly supply high level Juniper network solutions to blue-chip companies Worldwide.

Due to their rapid growth they are seeking full-time Juniper E-Series / ERX professionals to join their team!

Your main focus over the last 3 years should have been the Juniper E-Series platform. To be considered for this position, at the very least you need to have worked on the E-Series "a lot" in the last 3 years.

Bonus: Italian language is currently highly desirable

Wherever you live in the World, if you feel you have strong enough Juniper E-Series skills for this role or a similar sounding role, please send me your CV as soon as you can.

If you have no Juniper E-Series experience and think of someone that could be good for this position, please forward this e-mail over to him/her as we have a £250 referral bonus in place for you if we successfully make a placement as a result of your referral.

Kind regards,

William Dyer - Senior Consultant
IT Support, Networking & Security Specialist
"Contract & Permanent Support Division"
mailto:william.d at ps-rec.com
+44 (0) 870 013 6380
PSR Recruitment
3rd Floor Connect Building, 30 St Georges Road
London. SW19 4BD

From randy at psg.com Fri Mar 2 15:57:27 2007
From: randy at psg.com (Randy Bush)
Date: Fri, 02 Mar 2007 23:57:27 +0800
Subject: [rancid] Re: Juniper ERX Professionals Required!
In-Reply-To: <4244D7CB5BFAF74DB37A2FEC199BC50A033DA12E@MAILSERVER>
References: <4244D7CB5BFAF74DB37A2FEC199BC50A033DA12E@MAILSERVER>
Message-ID: <45E84967.9040609@psg.com>

William Dyer wrote:
> Would you like to work on-site for 6 months+ for some of the largest
> organisations in the World?

not when associated with an asshole slimeball spammer. who would even talk to someone so unethical. bound to get screwed by low-life like you.

what part of FOAD don't you understand?

From aanand at uebiz.net Fri Mar 2 16:05:28 2007
From: aanand at uebiz.net (Aditya Anand)
Date: Fri, 2 Mar 2007 11:05:28 -0500
Subject: [rancid] Re: accessing routers from another router
In-Reply-To:
Message-ID:

Hi All,

I am having problems setting up rancid. I am doing it for the first time, so not much experience with it. Please help. I can login to the device from rancid, however cannot pull the configs. It gives error if I see the logs......

PLEASE HELP IF SOMEBODY CAN..................

Trying to get all of the configs.

10.10.100.1 clogin error: Error: Check your passwd for 10.10.100.1
10.10.100.1: missed cmd(s): admin show diag,dir /all slavedisk2:,show rsp chassis-info,dir /all sec-slot2:,show diag,dir /all disk1:,show gsr chassis,dir /all sec-nvram:,show diag chassis-info,dir /all disk2:,dir /all sec-bootflash:,show spe version,dir /all slaveslot2:,dir /all disk0:,show install active,show bootvar,dir /all slaveslot0:,dir /all sec-slot1:,dir /all harddiska:,dir /all slavenvram:,show flash,dir /all sec-disk2:,dir /all slavesup-bootflash:,dir /all sec-disk0:,dir /all harddiskb:,show variables boot,show boot,show inventory raw,dir /all slavedisk1:,show env all,show module,admin show env all,show controllers,admin show version,show diagbus,dir /all slavedisk0:,show debug,show idprom backplane,dir /all bootflash:,dir /all sec-slot0:,dir /all sec-disk1:,write term,show vtp status,dir /all sup-bootflash:,dir /all slot2:,dir /all harddisk:,dir /all slot0:,dir /all sup-microcode:,show vlan,dir /all slavebootflash:,show controllers cbus,dir /all slaveslot1:,dir /all nvram:,show version,show vlan-switch,admin show variables boot,show redundancy secondary,show running-config,show c7200,dir /all slot1:
10.10.100.1: End of run not found
!
10.10.1.11 clogin error: Error: Check your passwd for 10.10.1.11
10.10.1.11: missed cmd(s): admin show diag,dir /all slavedisk2:,show rsp chassis-info,dir /all sec-slot2:,show diag,dir /all disk1:,show gsr chassis,dir /all sec-nvram:,show diag chassis-info,dir /all disk2:,dir /all sec-bootflash:,show spe version,dir /all slaveslot2:,dir /all disk0:,show install active,show bootvar,dir /all slaveslot0:,dir /all sec-slot1:,dir /all harddiska:,dir /all slavenvram:,show flash,dir /all sec-disk2:,dir /all slavesup-bootflash:,dir /all sec-disk0:,dir /all harddiskb:,show variables boot,show boot,show inventory raw,dir /all slavedisk1:,show env all,show module,admin show env all,show controllers,admin show version,show diagbus,dir /all slavedisk0:,show debug,show idprom backplane,dir /all bootflash:,dir /all sec-slot0:,dir /all sec-disk1:,write term,show vtp status,dir /all sup-bootflash:,dir /all slot2:,dir /all harddisk:,dir /all slot0:,dir /all sup-microcode:,show vlan,dir /all slavebootflash:,show controllers cbus,dir /all slaveslot1:,dir /all nvram:,show version,show vlan-switch,admin show variables boot,show redundancy secondary,show running-config,show c7200,dir /all slot1:
10.10.1.11: End of run not found
!
10.10.64.175 nlogin error: Error: Check your passwd for 10.10.64.175
10.10.64.175: missed cmd(s): get system,get conf
10.10.64.175: End of run not found
#
10.10.1.152 nlogin error: Error: TIMEOUT reached
10.10.1.152: missed cmd(s): get system,get conf
10.10.1.152: End of run not found
10.10.64.146 nlogin error: Error: TIMEOUT reached
10.10.64.146: missed cmd(s): get system,get conf
10.10.64.146: End of run not found
#
#
10.10.1.183 nlogin error: Error: TIMEOUT reached
10.10.1.183: missed cmd(s): get system,get conf
10.10.1.183: End of run not found
#
10.100.16.140 clogin error: Error: Couldn't login: 10.100.16.140
10.100.16.140: missed cmd(s): admin show diag,dir /all slavedisk2:,show rsp chassis-info,dir /all sec-slot2:,show diag,dir /all disk1:,show gsr chassis,dir /all sec-nvram:,show diag chassis-info,dir /all disk2:,dir /all sec-bootflash:,show spe version,dir /all slaveslot2:,dir /all disk0:,show install active,show bootvar,dir /all slaveslot0:,dir /all sec-slot1:,dir /all harddiska:,dir /all slavenvram:,show flash,dir /all sec-disk2:,dir /all slavesup-bootflash:,dir /all sec-disk0:,dir /all harddiskb:,show variables boot,show boot,show inventory raw,dir /all slavedisk1:,show env all,show module,admin show env all,show controllers,admin show version,show diagbus,dir /all slavedisk0:,show debug,show idprom backplane,dir /all bootflash:,dir /all sec-slot0:,dir /all sec-disk1:,write term,show vtp status,dir /all sup-bootflash:,dir /all slot2:,dir /all harddisk:,dir /all slot0:,dir /all sup-microcode:,show vlan,dir /all slavebootflash:,show controllers cbus,dir /all slaveslot1:,dir /all nvram:,show version,show vlan-switch,admin show variables boot,show redundancy secondary,show running-config,show c7200,dir /all slot1:

________________________________

From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Boštjan Fele
Sent: Tuesday, February 27, 2007 11:21 PM
To: rancid-discuss at shrubbery.net
Subject: [rancid] accessing routers from another router

Hi everyone,

I need to collect the config from routers that are not directly reachable by the host that rancid runs on. I can ssh to the first router, then telnet to the ones that I need the config from.

Was searching mailing list and found two threads but none of them works for me.

http://www.shrubbery.net/pipermail/rancid-discuss/2004-November/000905.html
http://www.shrubbery.net/pipermail/rancid-discuss/2006-May/001490.html

Has anybody implemented hop-by-hop accessing to the routers?

Bostjan

From aanand at uebiz.net Fri Mar 2 16:54:13 2007
From: aanand at uebiz.net (Aditya Anand)
Date: Fri, 2 Mar 2007 11:54:13 -0500
Subject: [rancid] Re: accessing routers from another router
In-Reply-To: <45E84D89.3000000@hcis.net>
Message-ID:

See the output of login to a device from the rancid box...

[rancid at netscreen1 ~]$ /usr/local/rancid/bin/clogin -f /usr/local/rancid/.cloginrc -u rancid 10.100.3.3
10.100.3.3
spawn telnet 10.100.3.3
Trying 10.100.3.3...
Connected to 10.100.3.3 (10.100.3.3).
Escape character is '^]'.

User Access Verification

Username: rancid
Password:
SACNCD02# sh run
Error: TIMEOUT reached
[rancid at netscreen1 ~]$
[rancid at netscreen1 ~]$
[rancid at netscreen1 ~]$
[rancid at netscreen1 ~]$
[rancid at netscreen1 ~]$ sh run
sh: run: No such file or directory

Does not go any further.....DOES NOT RUN ANYTHING.........Please advise......

-----Original Message-----
From: Gary Roberts [mailto:groberts at hcis.net]
Sent: Friday, March 02, 2007 11:15 AM
To: Aditya Anand
Subject: Re: [rancid] Re: accessing routers from another router

Trying to get all of the configs.
10.10.100.1 clogin error: Error: Check your passwd for 10.10.100.1

It appears, judging by the second line in the log, that you have an incorrect password in your /rancid/.cloginrc file

From mashcraft at omniture.com Fri Mar 2 17:06:00 2007
From: mashcraft at omniture.com (Mike Ashcraft)
Date: Fri, 2 Mar 2007 10:06:00 -0700
Subject: [rancid] Re: accessing routers from another router
In-Reply-To:
References: <45E84D89.3000000@hcis.net>
Message-ID: <2036820397BC8048A6A6A17F421DBC87039E2F89@EXCHANGE.orm.omniture.com>

You need to set autoenable to 1 in /usr/local/rancid/.cloginrc. For example:

add autoenable 10.* 1

What you are seeing is that clogin is waiting for a user level prompt in order to request enable mode until it times out.
Mike

From aanand at uebiz.net Fri Mar 2 17:16:07 2007
From: aanand at uebiz.net (Aditya Anand)
Date: Fri, 2 Mar 2007 12:16:07 -0500
Subject: [rancid] Re: accessing routers from another router
In-Reply-To: <2036820397BC8048A6A6A17F421DBC87039E2F89@EXCHANGE.orm.omniture.com>
Message-ID:

I did that and I could go further and run the command on the router but it's still not pulling the configs....here is the logfile....would really appreciate any help....thanks a zillion times in advance.....

Trying to get all of the configs.

10.100.16.140 clogin error: Error: Couldn't login: 10.100.16.140
10.100.16.140: missed cmd(s): admin show diag,dir /all slavedisk2:,show rsp chassis-info,dir /all sec-slot2:,show diag,dir /all disk1:,show gsr chassis,dir /all sec-nvram:,show diag chassis-info,dir /all disk2:,dir /all sec-bootflash:,show spe version,dir /all slaveslot2:,dir /all disk0:,show install active,show bootvar,dir /all slaveslot0:,dir /all sec-slot1:,dir /all harddiska:,dir /all slavenvram:,show flash,dir /all sec-disk2:,dir /all slavesup-bootflash:,dir /all sec-disk0:,dir /all harddiskb:,show variables boot,show boot,show inventory raw,dir /all slavedisk1:,show env all,show module,admin show env all,show controllers,admin show version,show diagbus,dir /all slavedisk0:,show debug,show idprom backplane,dir /all bootflash:,dir /all sec-slot0:,dir /all sec-disk1:,write term,show vtp status,dir /all sup-bootflash:,dir /all slot2:,dir /all harddisk:,dir /all slot0:,dir /all sup-microcode:,show vlan,dir /all slavebootflash:,show controllers cbus,dir /all slaveslot1:,dir /all nvram:,show version,show vlan-switch,admin show variables boot,show redundancy secondary,show running-config,show c7200,dir /all slot1:
10.100.16.140: End of run not found
10.100.16.141 clogin error: Error: Couldn't login: 10.100.16.141
10.100.16.141: missed cmd(s): admin show diag,dir /all slavedisk2:,show rsp chassis-info,dir /all sec-slot2:,show diag,dir /all disk1:,show gsr chassis,dir /all sec-nvram:,show diag chassis-info,dir /all disk2:,dir /all sec-bootflash:,show spe version,dir /all slaveslot2:,dir /all disk0:,show install active,show bootvar,dir /all slaveslot0:,dir /all sec-slot1:,dir /all harddiska:,dir /all slavenvram:,show flash,dir /all sec-disk2:,dir /all slavesup-bootflash:,dir /all sec-disk0:,dir /all harddiskb:,show variables boot,show boot,show inventory raw,dir /all slavedisk1:,show env all,show module,admin show env all,show controllers,admin show version,show diagbus,dir /all slavedisk0:,show debug,show idprom backplane,dir /all bootflash:,dir /all sec-slot0:,dir /all sec-disk1:,write term,show vtp status,dir /all sup-bootflash:,dir /all slot2:,dir /all harddisk:,dir /all slot0:,dir /all sup-microcode:,show vlan,dir /all slavebootflash:,show controllers cbus,dir /all slaveslot1:,dir /all nvram:,show version,show vlan-switch,admin show variables boot,show redundancy secondary,show running-config,show c7200,dir /all slot1:
10.100.16.141: End of run not found
!
10.100.16.3 nlogin error: Error: TIMEOUT reached
10.100.16.3: missed cmd(s): get system,get conf
10.100.16.3: End of run not found
#
10.100.16.2 nlogin error: Error: TIMEOUT reached
10.100.16.2: missed cmd(s): get system,get conf
10.100.16.2: End of run not found
#
10.100.3.201 jlogin error: Error: TIMEOUT reached
10.100.3.201: missed cmd(s): show chassis alarms,show chassis hardware detail,show system license,show chassis scb,show chassis feb,show chassis routing-engine,show chassis firmware,show version detail,show chassis feb detail,show configuration,show system boot-messages,show chassis cfeb,show chassis clocks,show chassis sfm detail,show chassis ssb,show chassis fpc detail,show chassis environment,show system core-dumps
10.100.3.201: End of run not found
#
10.100.3.202 jlogin error: Error: TIMEOUT reached
10.100.3.202: missed cmd(s): show chassis alarms,show chassis hardware detail,show system license,show chassis scb,show chassis feb,show chassis routing-engine,show chassis firmware,show version detail,show chassis feb detail,show configuration,show system boot-messages,show chassis cfeb,show chassis clocks,show chassis sfm detail,show chassis ssb,show chassis fpc detail,show chassis environment,show system core-dumps
10.100.3.202: End of run not found
#
10.100.3.204 jlogin error: Error: TIMEOUT reached
10.100.3.204: missed cmd(s): show chassis alarms,show chassis hardware detail,show system license,show chassis scb,show chassis feb,show chassis routing-engine,show chassis firmware,show version detail,show chassis feb detail,show configuration,show system boot-messages,show chassis cfeb,show chassis clocks,show chassis sfm detail,show chassis ssb,show chassis fpc detail,show chassis environment,show system core-dumps
10.100.3.204: End of run not found
:
shrubbery.net
> [mailto:rancid-discuss-bounces at shrubbery.net] *On Behalf Of *Boštjan Fele
> *Sent:* Tuesday, February 27, 2007 11:21 PM
> *To:* rancid-discuss at shrubbery.net
> *Subject:* [rancid] accessing routers from another router
>
> Hi everyone,
>
> I need to collect the config from routers that are not directly
> reachable by the host that rancid runs on. I can ssh to the first
> router, then telnet to the ones that I need the config from.
>
> Was searching mailing list and found two threads but none of them
> works for me.
>
> http://www.shrubbery.net/pipermail/rancid-discuss/2004-November/000905.html
>
> http://www.shrubbery.net/pipermail/rancid-discuss/2006-May/001490.html
>
> Does anybody have implemented hop-by-hop accessing to the routers?
>
> Bostjan
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss

From mashcraft at omniture.com Fri Mar 2 17:35:36 2007
From: mashcraft at omniture.com (Mike Ashcraft)
Date: Fri, 2 Mar 2007 10:35:36 -0700
Subject: [rancid] Re: accessing routers from another router
In-Reply-To:
References: <2036820397BC8048A6A6A17F421DBC87039E2F89@EXCHANGE.orm.omniture.com>
Message-ID: <2036820397BC8048A6A6A17F421DBC87039E2FAC@EXCHANGE.orm.omniture.com>

It looks like you still have problems in your .cloginrc file. Make sure that you can login using clogin/nlogin/jlogin as appropriate to every device with only the hostname as an option. Work through each device, one at a time. You may need to set username, password, autoenable, method and other options (all documented in the .cloginrc file) specifically for each device instead of using wildcards.

For example as the rancid user, the following command should log you in and allow you to run commands on the device:

$ clogin 10.100.16.140

Once this is done for all devices, and they have the right device type in router.db so that they use the right script, you should be set.

Mike

________________________________
From: Aditya Anand [mailto:aanand at uebiz.net]
Sent: Friday, March 02, 2007 10:16 AM
To: Mike Ashcraft
Cc: rancid-discuss at shrubbery.net
Subject: RE: [rancid] Re: accessing routers from another router

I did that and I could go further and run the command on the router but it's still not pulling the configs....here is the logfile....would really appreciate any help....thanks a zillion times in advance.....

Trying to get all of the configs.
10.100.16.140 clogin error: Error: Couldn't login: 10.100.16.140
10.100.16.140: missed cmd(s): admin show diag,dir /all slavedisk2:,show rsp chassis-info,dir /all sec-slot2:,show diag,dir /all disk1:,show gsr chassis,dir /all sec-nvram:,show
diag chassis-info,dir /all disk2:,dir /all sec-bootflash:,show spe version,dir /all slaveslot2:,dir /all disk0:,show install active,show bootvar,dir /all slaveslot0:,dir /all se
c-slot1:,dir /all harddiska:,dir /all slavenvram:,show flash,dir /all sec-disk2:,dir /all slavesup-bootflash:,dir /all sec-disk0:,dir /all harddiskb:,show variables boot,show bo
ot,show inventory raw,dir /all slavedisk1:,show env all,show module,admin show env all,show controllers,admin show version,show diagbus,dir /all slavedisk0:,show debug,show idpr
om backplane,dir /all bootflash:,dir /all sec-slot0:,dir /all sec-disk1:,write term,show vtp status,dir /all sup-bootflash:,dir /all slot2:,dir /all harddisk:,dir /all slot0:,di
r /all sup-microcode:,show vlan,dir /all slavebootflash:,show controllers cbus,dir /all slaveslot1:,dir /all nvram:,show version,show vlan-switch,admin show variables boot,show
redundancy secondary,show running-config,show c7200,dir /all slot1:
10.100.16.140: End of run not found
10.100.16.141 clogin error: Error: Couldn't login: 10.100.16.141 10.100.16.141: missed cmd(s): admin show diag,dir /all slavedisk2:,show rsp chassis-info,dir /all sec-slot2:,show diag,dir /all disk1:,show gsr chassis,dir /all sec-nvram:,show diag chassis-info,dir /all disk2:,dir /all sec-bootflash:,show spe version,dir /all slaveslot2:,dir /all disk0:,show install active,show bootvar,dir /all slaveslot0:,dir /all se c-slot1:,dir /all harddiska:,dir /all slavenvram:,show flash,dir /all sec-disk2:,dir /all slavesup-bootflash:,dir /all sec-disk0:,dir /all harddiskb:,show variables boot,show bo ot,show inventory raw,dir /all slavedisk1:,show env all,show module,admin show env all,show controllers,admin show version,show diagbus,dir /all slavedisk0:,show debug,show idpr om backplane,dir /all bootflash:,dir /all sec-slot0:,dir /all sec-disk1:,write term,show vtp status,dir /all sup-bootflash:,dir /all slot2:,dir /all harddisk:,dir /all slot0:,di r /all sup-microcode:,show vlan,dir /all slavebootflash:,show controllers cbus,dir /all slaveslot1:,dir /all nvram:,show version,show vlan-switch,admin show variables boot,show redundancy secondary,show running-config,show c7200,dir /all slot1: 10.100.16.141: End of run not found ! 
10.100.16.3 nlogin error: Error: TIMEOUT reached
10.100.16.3: missed cmd(s): get system,get conf
10.100.16.3: End of run not found
#
10.100.16.2 nlogin error: Error: TIMEOUT reached
10.100.16.2: missed cmd(s): get system,get conf
10.100.16.2: End of run not found
#
10.100.3.201 jlogin error: Error: TIMEOUT reached
10.100.3.201: missed cmd(s): show chassis alarms,show chassis hardware detail,show system license,show chassis scb,show chassis feb,show chassis routing-engine,show chassis firm
ware,show version detail,show chassis feb detail,show configuration,show system boot-messages,show chassis cfeb,show chassis clocks,show chassis sfm detail,show chassis ssb,show chassis fpc detail,show chassis environment,show system core-dumps
10.100.3.201: End of run not found
#
10.100.3.202 jlogin error: Error: TIMEOUT reached
10.100.3.202: missed cmd(s): show chassis alarms,show chassis hardware detail,show system license,show chassis scb,show chassis feb,show chassis routing-engine,show chassis firm
ware,show version detail,show chassis feb detail,show configuration,show system boot-messages,show chassis cfeb,show chassis clocks,show chassis sfm detail,show chassis ssb,show chassis fpc detail,show chassis environment,show system core-dumps
10.100.3.202: End of run not found
#
10.100.3.204 jlogin error: Error: TIMEOUT reached
10.100.3.204: missed cmd(s): show chassis alarms,show chassis hardware detail,show system license,show chassis scb,show chassis feb,show chassis routing-engine,show chassis firm
ware,show version detail,show chassis feb detail,show configuration,show system boot-messages,show chassis cfeb,show chassis clocks,show chassis sfm detail,show chassis ssb,show chassis fpc detail,show chassis environment,show system core-dumps
10.100.3.204: End of run not found
:

From Shain.Singh at aapt.com.au Sat Mar 3 08:27:08 2007
From: Shain.Singh at aapt.com.au (Shain Singh)
Date: Sat, 3 Mar 2007 19:27:08 +1100
Subject: [rancid] Re: Juniper ERX Professionals Required!
References: <4244D7CB5BFAF74DB37A2FEC199BC50A033DA12E@MAILSERVER> <45E84967.9040609@psg.com>
Message-ID: <9E46C1E4D380954DB952EB3E3FCB86CA123D7B@SYEXBE01.au.tcnz.net>

Randy Bush wrote:
> William Dyer wrote:
>> Would you like to work on-site for 6 months+ for some of the largest
>> organisations in the World?
>not when associated with an asshole slimeball spammer. who would even
>talk to someone so unethical. bound to get screwed by low-live like you.
>what part of FOAD don't you understand?
Presumably it's hard to understand FOAD when manual directed spam can't even be "placed" in the more applicable lists out there. However I daresay he would be given the same response on those as well..

IANAL but it's illegal to spam here in Australia.

--
Shaineel Singh
MakePeace Media LTD
http://mpm.org.au/shsingh
pgp id: 0xA9D8D351
fp: 38 0D A8 C8 74 A2 33 5E CE 0E 5A FA D5 A0 04 7C
This message was written entirely with recycled electrons.

From yuvalba at netvision.net.il Mon Mar 5 12:43:43 2007
From: yuvalba at netvision.net.il (Yuval Ben-Ari)
Date: Mon, 5 Mar 2007 14:43:43 +0200
Subject: [rancid] admin mail
Message-ID: <58D14E53A4F69C4EAF4D29171C447CC49200C5@NTX-CL.forest.netvision.net.il>

Hi,

For some reason I started getting all the mail including the admin mail to the mailrcpt address.
I might have messed something somewhere but can't figure where.

The control_rancid scripts read this:

# the receipient(s) of diffs
mailrcpt=${mailrcpt:-"@MAILPLUS@${GROUP}${MAILDOMAIN}"}; export mailrcpt
adminmailrcpt=${mailrcpt:-"@ADMINMAILPLUS@${GROUP}${MAILDOMAIN}"}; export adminmailrcpt

Doesn't it mean that as long as there is mailrcpt it will be used?

10x
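The defaulting behaviour asked about above, as an added example (not code from RANCID or from the poster): it runs the two assignments as posted beside the same pair with the tested variable changed to adminmailrcpt, and flags assignments whose default is keyed on a different variable. GROUP, MAILDOMAIN, the two prefixes, the addresses and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: models the recipient defaulting quoted from control_rancid.
# GROUP, MAILDOMAIN and the two prefixes are constructed stand-ins for the
# values that replace @MAILPLUS@ / @ADMINMAILPLUS@ at install time.
GROUP="core"
MAILDOMAIN="@example.net"
MAILPLUS="rancid-"
ADMINMAILPLUS="rancid-admin-"

# As posted: the second default tests $mailrcpt. The line before it has just
# made $mailrcpt non-empty, so the admin default can never be selected and
# any preset adminmailrcpt is overwritten with the diff recipient.
resolve_as_posted() (
    mailrcpt=$1; adminmailrcpt=$2
    mailrcpt=${mailrcpt:-"${MAILPLUS}${GROUP}${MAILDOMAIN}"}
    adminmailrcpt=${mailrcpt:-"${ADMINMAILPLUS}${GROUP}${MAILDOMAIN}"}
    printf '%s|%s\n' "$mailrcpt" "$adminmailrcpt"
)

# Same pair with the admin default keyed on adminmailrcpt itself.
resolve_corrected() (
    mailrcpt=$1; adminmailrcpt=$2
    mailrcpt=${mailrcpt:-"${MAILPLUS}${GROUP}${MAILDOMAIN}"}
    adminmailrcpt=${adminmailrcpt:-"${ADMINMAILPLUS}${GROUP}${MAILDOMAIN}"}
    printf '%s|%s\n' "$mailrcpt" "$adminmailrcpt"
)

# The two lines from the post, embedded as sample input for the check below.
POSTED_LINES='mailrcpt=${mailrcpt:-"@MAILPLUS@${GROUP}${MAILDOMAIN}"}; export mailrcpt
adminmailrcpt=${mailrcpt:-"@ADMINMAILPLUS@${GROUP}${MAILDOMAIN}"}; export adminmailrcpt'

# Read shell source on stdin and report every  name=${other:-...}  assignment
# whose tested variable differs from the one being assigned. This is a
# heuristic: such a line can be intentional, so review each hit by hand.
find_mismatched_defaults() {
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=[$]{\([A-Za-z_][A-Za-z0-9_]*\):-.*/\1 \2/p' |
    while read -r assigned tested; do
        [ "$assigned" = "$tested" ] ||
            printf '%s defaults from %s\n' "$assigned" "$tested"
    done
}

# Output format of the resolve_* functions: <diff recipient>|<admin recipient>
echo "as posted, nothing preset: $(resolve_as_posted '' '')"
echo "as posted, admin preset:   $(resolve_as_posted '' 'noc@example.net')"
echo "corrected, nothing preset: $(resolve_corrected '' '')"
echo "corrected, admin preset:   $(resolve_corrected '' 'noc@example.net')"
printf '%s\n' "$POSTED_LINES" | find_mismatched_defaults
```
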
From heas at shrubbery.net Mon Mar 5 19:38:22 2007
From: heas at shrubbery.net (john heasley)
Date: Mon, 5 Mar 2007 11:38:22 -0800
Subject: [rancid] Re: admin mail
In-Reply-To: <58D14E53A4F69C4EAF4D29171C447CC49200C5@NTX-CL.forest.netvision.net.il>
References: <58D14E53A4F69C4EAF4D29171C447CC49200C5@NTX-CL.forest.netvision.net.il>
Message-ID: <20070305193822.GK26313@shrubbery.net>

Mon, Mar 05, 2007 at 02:43:43PM +0200, Yuval Ben-Ari:
> Hi,
>
> For some reason I started getting all the mail including the admin mail
> to the mailrcpt address.
> I might have messed something somewhere but can't figure where.
>
> the control_rancid scripts read this:
>
> # the receipient(s) of diffs
> mailrcpt=${mailrcpt:-"@MAILPLUS@${GROUP}${MAILDOMAIN}"}; export mailrcpt
> adminmailrcpt=${mailrcpt:-"@ADMINMAILPLUS@${GROUP}${MAILDOMAIN}"};
> export adminmailrcpt
>
>
> doesn't it mean that as long as there is mailrcpt it will be used ?
>

yes, that was a pasto bug. that line should be:

adminmailrcpt=${adminmailrcpt:-"@ADMINMAILPLUS@${GROUP}${MAILDOMAIN}"};

From aanand at uebiz.net Mon Mar 5 20:10:13 2007
From: aanand at uebiz.net (Aditya Anand)
Date: Mon, 5 Mar 2007 15:10:13 -0500
Subject: [rancid] Re: accessing routers from another router
References: <45E84D89.3000000@hcis.net> <2036820397BC8048A6A6A17F421DBC87039E2F89@EXCHANGE.orm.omniture.com>
Message-ID:

Mike,

One more thing, I can get the cisco configs however still having issues with the netscreen devices. It says to check password in the log files, whereas I can login to those devices using the same username and password as it's in rancid.
Thanks,
Adi

From aanand at uebiz.net Mon Mar 5 20:15:32 2007
From: aanand at uebiz.net (Aditya Anand)
Date: Mon, 5 Mar 2007 15:15:32 -0500
Subject: [rancid] Re: accessing routers from another router
In-Reply-To:
References: <45E84D89.3000000@hcis.net><2036820397BC8048A6A6A17F421DBC87039E2F89@EXCHANGE.orm.omniture.com>
Message-ID:

Well thanks, and sorry for trouble...I gottit. It was the encryption type. Netscreen was expecting 3des and I had configured the other.
Thanks all,
Adi

________________________________
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Aditya Anand
Sent: Monday, March 05, 2007 3:10 PM
To: Mike Ashcraft
Cc: rancid-discuss at shrubbery.net
Subject: [rancid] Re: accessing routers from another router

Mike,

One more thing, I can get the cisco configs however still having issues with the netscreen devices. It says to check password in the log files, whereas I can login to those devices using the same username and password as it's in rancid.

Thanks,
Adi

________________________________
From: Mike Ashcraft [mailto:mashcraft at omniture.com]
Sent: Friday, March 02, 2007 12:06 PM
To: Aditya Anand
Cc: rancid-discuss at shrubbery.net
Subject: RE: [rancid] Re: accessing routers from another router

You need to set autoenable to 1 in /usr/local/rancid/.cloginrc. For example:

add autoenable 10.* 1

What you are seeing is that clogin is waiting for a user level prompt in order to request enable mode until it times out.

Mike

________________________________
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Aditya Anand
Sent: Friday, March 02, 2007 9:54 AM
To: groberts at hcis.net
Cc: rancid-discuss at shrubbery.net
Subject: [rancid] Re: accessing routers from another router

See the output of login to a device from the rancid box...

[rancid at netscreen1 ~]$ /usr/local/rancid/bin/clogin -f /usr/local/rancid/.cloginrc -u rancid 10.100.3.3
10.100.3.3
spawn telnet 10.100.3.3
Trying 10.100.3.3...
Connected to 10.100.3.3 (10.100.3.3).
Escape character is '^]'.
User Access Verification
Username: rancid
Password:
SACNCD02# sh run
Error: TIMEOUT reached
[rancid at netscreen1 ~]$
[rancid at netscreen1 ~]$
[rancid at netscreen1 ~]$
[rancid at netscreen1 ~]$
[rancid at netscreen1 ~]$ sh run
sh: run: No such file or directory

Does not any further.....DOES NOT RUN ANYTHING.........Please advise......
-----Original Message----- From: Gary Roberts [mailto:groberts at hcis.net] Sent: Friday, March 02, 2007 11:15 AM To: Aditya Anand Subject: Re: [rancid] Re: accessing routers from another router Trying to get all of the configs. 10.10.100.1 clogin error: Error: Check your passwd for 10.10.100.1 It appears, judging by the second line in the log, that you have an incorrect password in your /rancid/.cloginrc file Aditya Anand wrote: > > Hi All, > > I am having problems setting up rancid. I am doing it for the first > time , so not much experience with it. Please help. I can login to the > device from rancid, however cannot pull the configs. It gives error if > I see the logs...... > > *PLEASE HELP IF SOMEBODY CAN..................* > > Trying to get all of the configs. > > 10.10.100.1 clogin error: Error: Check your passwd for 10.10.100.1 > > 10.10.100.1: missed cmd(s): admin show diag,dir /all slavedisk2:,show > rsp chassis-info,dir /all sec-slot2:,show diag,dir /all disk1:,show > gsr chassis,dir /all sec-nvram:,show di > > ag chassis-info,dir /all disk2:,dir /all sec-bootflash:,show spe > version,dir /all slaveslot2:,dir /all disk0:,show install active,show > bootvar,dir /all slaveslot0:,dir /all sec- > > slot1:,dir /all harddiska:,dir /all slavenvram:,show flash,dir /all > sec-disk2:,dir /all slavesup-bootflash:,dir /all sec-disk0:,dir /all > harddiskb:,show variables boot,show boot > > ,show inventory raw,dir /all slavedisk1:,show env all,show > module,admin show env all,show controllers,admin show version,show > diagbus,dir /all slavedisk0:,show debug,show idprom > > backplane,dir /all bootflash:,dir /all sec-slot0:,dir /all > sec-disk1:,write term,show vtp status,dir /all sup-bootflash:,dir /all > slot2:,dir /all harddisk:,dir /all slot0:,dir > > /all sup-microcode:,show vlan,dir /all slavebootflash:,show > controllers cbus,dir /all slaveslot1:,dir /all nvram:,show > version,show vlan-switch,admin show variables boot,show re > > dundancy secondary,show 
running-config,show c7200,dir /all slot1: > > 10.10.100.1: End of run not found > > ! > > 10.10.1.11 clogin error: Error: Check your passwd for 10.10.1.11 > > 10.10.1.11: missed cmd(s): admin show diag,dir /all slavedisk2:,show > rsp chassis-info,dir /all sec-slot2:,show diag,dir /all disk1:,show > gsr chassis,dir /all sec-nvram:,show dia > > g chassis-info,dir /all disk2:,dir /all sec-bootflash:,show spe > version,dir /all slaveslot2:,dir /all disk0:,show install active,show > bootvar,dir /all slaveslot0:,dir /all sec-s > > lot1:,dir /all harddiska:,dir /all slavenvram:,show flash,dir /all > sec-disk2:,dir /all slavesup-bootflash:,dir /all sec-disk0:,dir /all > harddiskb:,show variables boot,show boot, > > show inventory raw,dir /all slavedisk1:,show env all,show module,admin > show env all,show controllers,admin show version,show diagbus,dir /all > slavedisk0:,show debug,show idprom > > backplane,dir /all bootflash:,dir /all sec-slot0:,dir /all > sec-disk1:,write term,show vtp status,dir /all sup-bootflash:,dir /all > slot2:,dir /all harddisk:,dir /all slot0:,dir / > > all sup-microcode:,show vlan,dir /all slavebootflash:,show controllers > cbus,dir /all slaveslot1:,dir /all nvram:,show version,show > vlan-switch,admin show variables boot,show red > > undancy secondary,show running-config,show c7200,dir /all slot1: > > 10.10.1.11: End of run not found > > ! 
> > 10.10.64.175 nlogin error: Error: Check your passwd for 10.10.64.175 > > 10.10.64.175: missed cmd(s): get system,get conf > > 10.10.64.175: End of run not found > > # > > 10.10.1.152 nlogin error: Error: TIMEOUT reached > > 10.10.1.152: missed cmd(s): get system,get conf > > 10.10.1.152: End of run not found > > 10.10.64.146 nlogin error: Error: TIMEOUT reached > > 10.10.64.146: missed cmd(s): get system,get conf > > 10.10.64.146: End of run not found > > # > > # > > 10.10.1.183 nlogin error: Error: TIMEOUT reached > > 10.10.1.183: missed cmd(s): get system,get conf > > 10.10.1.183: End of run not found > > # > > 10.100.16.140 clogin error: Error: Couldn't login: 10.100.16.140 > > 10.100.16.140: missed cmd(s): admin show diag,dir /all > slavedisk2:,show rsp chassis-info,dir /all sec-slot2:,show diag,dir > /all disk1:,show gsr chassis,dir /all sec-nvram:,show > > diag chassis-info,dir /all disk2:,dir /all sec-bootflash:,show spe > version,dir /all slaveslot2:,dir /all disk0:,show install active,show > bootvar,dir /all slaveslot0:,dir /all se > > c-slot1:,dir /all harddiska:,dir /all slavenvram:,show flash,dir /all > sec-disk2:,dir /all slavesup-bootflash:,dir /all sec-disk0:,dir /all > harddiskb:,show variables boot,show bo > > ot,show inventory raw,dir /all slavedisk1:,show env all,show > module,admin show env all,show controllers,admin show version,show > diagbus,dir /all slavedisk0:,show debug,show idpr > > om backplane,dir /all bootflash:,dir /all sec-slot0:,dir /all > sec-disk1:,write term,show vtp status,dir /all sup-bootflash:,dir /all > slot2:,dir /all harddisk:,dir /all slot0:,di > > r /all sup-microcode:,show vlan,dir /all slavebootflash:,show > controllers cbus,dir /all slaveslot1:,dir /all nvram:,show > version,show vlan-switch,admin show variables boot,show > > redundancy secondary,show running-config,show c7200,dir /all slot1: > > ------------------------------------------------------------------------ > > *From:* rancid-discuss-bounces at 
shrubbery.net
> [mailto:rancid-discuss-bounces at shrubbery.net] *On Behalf Of *Boštjan Fele
> *Sent:* Tuesday, February 27, 2007 11:21 PM
> *To:* rancid-discuss at shrubbery.net
> *Subject:* [rancid] accessing routers from another router
>
> Hi everyone,
>
> I need to collect the config from routers that are not directly
> reachable by the host that rancid runs on. I can ssh to the first
> router, then telnet to the ones that I need the config from.
>
> Was searching mailing list and found two threads but none of them
> works for me.
>
> http://www.shrubbery.net/pipermail/rancid-discuss/2004-November/000905.html
>
> http://www.shrubbery.net/pipermail/rancid-discuss/2006-May/001490.html
>
> Does anybody have implemented hop-by-hop accessing to the routers?
>
> Bostjan
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20070305/b0ac7a9f/attachment.html

From aanand at uebiz.net Tue Mar 6 16:42:38 2007
From: aanand at uebiz.net (Aditya Anand)
Date: Tue, 6 Mar 2007 11:42:38 -0500
Subject: [rancid] Re: admin mail
In-Reply-To: <58D14E53A4F69C4EAF4D29171C447CC49200C5@NTX-CL.forest.netvision.net.il>
References: <58D14E53A4F69C4EAF4D29171C447CC49200C5@NTX-CL.forest.netvision.net.il>
Message-ID:

Just wondering if rancid has any GUI....or if we can integrate something to have one.
Thanks,
Adi

________________________________
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Yuval Ben-Ari
Sent: Monday, March 05, 2007 7:44 AM
To: Rancid-discuss at shrubbery.net
Subject: [rancid] admin mail

Hi,

For some reason I started getting all the mail including the admin mail to the mailrcpt address.
I might have messed something somewhere but can't figure where.

the control_rancid scripts read this:

# the receipient(s) of diffs
mailrcpt=${mailrcpt:-"@MAILPLUS@${GROUP}${MAILDOMAIN}"}; export mailrcpt
adminmailrcpt=${mailrcpt:-"@ADMINMAILPLUS@${GROUP}${MAILDOMAIN}"}; export adminmailrcpt

doesn't it mean that as long as there is mailrcpt it will be used ?

10x
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20070306/d613f5d1/attachment.html

From randy at psg.com Wed Mar 7 02:16:26 2007
From: randy at psg.com (Randy Bush)
Date: Wed, 7 Mar 2007 11:16:26 +0900
Subject: [rancid] Re: admin mail
References: <58D14E53A4F69C4EAF4D29171C447CC49200C5@NTX-CL.forest.netvision.net.il>
Message-ID: <17902.8314.68747.281243@roam.psg.com>

> Just wondering if rancid has any GUI.

cvsweb

From rmordasiewicz at samuelmanutech.com Wed Mar 7 03:32:19 2007
From: rmordasiewicz at samuelmanutech.com (Robin Mordasiewicz)
Date: Tue, 6 Mar 2007 22:32:19 -0500 (EST)
Subject: [rancid] Re: admin mail
In-Reply-To: <17902.8314.68747.281243@roam.psg.com>
References: <58D14E53A4F69C4EAF4D29171C447CC49200C5@NTX-CL.forest.netvision.net.il> <17902.8314.68747.281243@roam.psg.com>
Message-ID:

On Wed, 7 Mar 2007, Randy Bush wrote:

>> Just wondering if rancid has any GUI.
>
> cvsweb

I prefer trac for a front end to the repository.
There is no gui for install/configuring rancid.
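
The two control_rancid assignments quoted earlier in this "admin mail" thread can be run in isolation to see where admin mail ends up. This is an added example, not part of any post or of RANCID itself: the MAILPLUS/ADMINMAILPLUS values, group name and addresses are constructed stand-ins for what configure substitutes, and as_corrected is a hypothetical variant that tests adminmailrcpt itself.

```shell
#!/bin/sh
# Constructed stand-ins (assumptions) for the configure-time substitutions
# @MAILPLUS@ / @ADMINMAILPLUS@ and for one group; not values from the thread.
MAILPLUS="rancid-"
ADMINMAILPLUS="rancid-admin-"
GROUP="core"
MAILDOMAIN="@example.net"

# The two assignments as quoted in the post. $1 and $2 are the values that
# mailrcpt and adminmailrcpt had beforehand (for instance from the
# environment); pass "" for "not set". Prints "<mailrcpt> <adminmailrcpt>".
as_posted() (
    mailrcpt=$1
    adminmailrcpt=$2
    mailrcpt=${mailrcpt:-"${MAILPLUS}${GROUP}${MAILDOMAIN}"}
    # This expansion tests $mailrcpt, which the line above has just made
    # non-empty, so the admin default on the right can never be chosen and
    # any preset adminmailrcpt is overwritten.
    adminmailrcpt=${mailrcpt:-"${ADMINMAILPLUS}${GROUP}${MAILDOMAIN}"}
    printf '%s %s\n' "$mailrcpt" "$adminmailrcpt"
)

# Hypothetical variant (assumption about the intent): the second expansion
# tests adminmailrcpt itself, so a preset value or the admin default is used.
as_corrected() (
    mailrcpt=$1
    adminmailrcpt=$2
    mailrcpt=${mailrcpt:-"${MAILPLUS}${GROUP}${MAILDOMAIN}"}
    adminmailrcpt=${adminmailrcpt:-"${ADMINMAILPLUS}${GROUP}${MAILDOMAIN}"}
    printf '%s %s\n' "$mailrcpt" "$adminmailrcpt"
)

# Returns 0 when diffs and admin notices would go to different addresses.
# $1 is the single output line of one of the functions above.
admin_mail_is_separate() {
    set -- $1            # split "<mailrcpt> <adminmailrcpt>" into $1 and $2
    [ "$1" != "$2" ]
}

# Show both forms side by side for three starting states.
for impl in as_posted as_corrected; do
    echo "$impl, nothing preset:       $($impl '' '')"
    echo "$impl, mailrcpt preset:      $($impl 'ops@example.net' '')"
    echo "$impl, adminmailrcpt preset: $($impl '' 'noc@example.net')"
done
```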
From rancid at gheek.net Wed Mar 7 16:19:43 2007 From: rancid at gheek.net (Lance) Date: Wed, 07 Mar 2007 09:19:43 -0700 Subject: [rancid] Re: admin mail Message-ID: <20070307091943.8e114e4890519e5179c192e02d6bca26.70bddd0090.wbe@email.secureserver.net> Where is a working version of trac running CVS on the web? I have always ran viewvc/cvsweb/etc. > -------- Original Message -------- > Subject: [rancid] Re: admin mail > From: Robin Mordasiewicz > Date: Tue, March 06, 2007 8:32 pm > To: Randy Bush > Cc: Rancid-discuss at shrubbery.net > > On Wed, 7 Mar 2007, Randy Bush wrote: > > >> Just wondering if rancid has any GUI. > > > > cvsweb > > I prefer trac for a front end to the repository. > There is no gui for install/configuring rancid. > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From rmordasiewicz at samuelmanutech.com Wed Mar 7 16:25:53 2007 From: rmordasiewicz at samuelmanutech.com (Robin Mordasiewicz) Date: Wed, 7 Mar 2007 11:25:53 -0500 (EST) Subject: [rancid] Re: admin mail In-Reply-To: <20070307091943.8e114e4890519e5179c192e02d6bca26.70bddd0090.wbe@email.secureserver.net> References: <20070307091943.8e114e4890519e5179c192e02d6bca26.70bddd0090.wbe@email.secureserver.net> Message-ID: On Wed, 7 Mar 2007, Lance wrote: > Where is a working version of trac running CVS on the web? I have always > ran viewvc/cvsweb/etc. I did a quick search and found this site using trac. http://www.pumacode.org/projects/svndotnet/browser Trac is a free product by edgewall http://trac.edgewall.org/ From babydr at baby-dragons.com Wed Mar 7 20:17:24 2007 From: babydr at baby-dragons.com (Mr. James W. 
Laferriere) Date: Wed, 7 Mar 2007 12:17:24 -0800 (PST) Subject: [rancid] Re: admin mail In-Reply-To: <20070307091943.8e114e4890519e5179c192e02d6bca26.70bddd0090.wbe@email.secureserver.net> References: <20070307091943.8e114e4890519e5179c192e02d6bca26.70bddd0090.wbe@email.secureserver.net> Message-ID: Hello Lance , On Wed, 7 Mar 2007, Lance wrote: > Where is a working version of trac running CVS on the web? I have always > ran viewvc/cvsweb/etc. Would you be intrested/willing to share your desensitized config with us ? Especially if the configuration is used for rancid viewing . Tia , JimL >> -------- Original Message -------- >> Subject: [rancid] Re: admin mail >> From: Robin Mordasiewicz >> Date: Tue, March 06, 2007 8:32 pm >> To: Randy Bush >> Cc: Rancid-discuss at shrubbery.net >> >> On Wed, 7 Mar 2007, Randy Bush wrote: >> >>>> Just wondering if rancid has any GUI. >>> >>> cvsweb >> >> I prefer trac for a front end to the repository. >> There is no gui for install/configuring rancid. >> _______________________________________________ >> Rancid-discuss mailing list >> Rancid-discuss at shrubbery.net >> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > -- +-----------------------------------------------------------------+ | James W. Laferriere | System Techniques | Give me VMS | | Network Engineer | 663 Beaumont Blvd | Give me Linux | | babydr at baby-dragons.com | Pacifica, CA. 
94044 | only on AXP | +-----------------------------------------------------------------+ From Todd at equivoice.com Wed Mar 7 20:31:52 2007 From: Todd at equivoice.com (Todd Heide) Date: Wed, 7 Mar 2007 14:31:52 -0600 Subject: [rancid] Using Rancid to pus DST changes Message-ID: <082FEA82DC985B4F8A6B412D5AC4E2205B6BB9@exchange.Equivoice.local> How can I use (if I can) rancid to push a configuration change for the DST to all the routers? Basically it is one line, clock summer-time CST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 Thanks CCNA CWLSS CS-CISecS ? Nothing ever goes as planned, Its a hell of a notion, Even pharaohs turn to sand, Like a drop in the ocean From rmordasiewicz at samuelmanutech.com Wed Mar 7 20:43:23 2007 From: rmordasiewicz at samuelmanutech.com (Robin Mordasiewicz) Date: Wed, 7 Mar 2007 15:43:23 -0500 (EST) Subject: [rancid] Re: Using Rancid to pus DST changes In-Reply-To: <082FEA82DC985B4F8A6B412D5AC4E2205B6BB9@exchange.Equivoice.local> References: <082FEA82DC985B4F8A6B412D5AC4E2205B6BB9@exchange.Equivoice.local> Message-ID: On Wed, 7 Mar 2007, Todd Heide wrote: > How can I use (if I can) rancid to push a configuration change for the DST to all the routers? Basically it is one line, > clock summer-time CST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 One thing you can use is expect. 
Here is a simple example expect script which you can run on each router while looping through your router.db file

[ myusername at localhost ]$ expect -f summertime_DST.exp myrouter.mydomain.com

< summertime_DST.exp >
#!/usr/bin/expect -f
#
set force_conservative 0  ;# set to 1 to force conservative mode even if
                          ;# script wasn't run conservatively originally
if {$force_conservative} {
        set send_slow {1 .1}
        proc send {ignore arg} {
                sleep .1
                exp_send -s -- $arg
        }
}

set timeout -1
# placeholder credentials; telnet sends them in clear text
set userid "myusername"
set vtypasswd "mypassword"
# timezone name used in the clock command (CST, as in the question)
set DST_timezone "CST"
# router name is the first command-line argument
set rtr [lindex $argv 0]

spawn telnet $rtr
match_max 100000

# answer whichever login prompt the router presents
expect {
        {Username} { send "$userid\r"
                expect {
                        {*Password*} { send "$vtypasswd\r" }
                }
        }
        {telnet>} { send_user "$rtr - telnet failed\n"
                exit
        }
        {Password} { send "$vtypasswd\r" }
}

# make the change, leave config mode, then save (wr mem is an exec-mode command)
send -- "conf t\r"
send -- "clock summer-time $DST_timezone recurring 2 Sun Mar 2:00 1 Sun Nov 2:00\r"
send -- "end\r"
send -- "wr mem\r"
send -- "exit\r"

expect eof

< /summertime_DST.exp >

From shawn at smorris.com Wed Mar 7 20:44:58 2007
From: shawn at smorris.com (Shawn Morris)
Date: Wed, 7 Mar 2007 14:44:58 -0600
Subject: [rancid] Re: Using Rancid to pus DST changes
In-Reply-To: <082FEA82DC985B4F8A6B412D5AC4E2205B6BB9@exchange.Equivoice.local>
References: <082FEA82DC985B4F8A6B412D5AC4E2205B6BB9@exchange.Equivoice.local>
Message-ID:

put the following in a text file

configure terminal
clock summer-time CST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
end
write mem (optional)

then run

clogin -x yourfile.txt router1 router2....

On 3/7/07, Todd Heide wrote:
> How can I use (if I can) rancid to push a configuration change for the DST to all the routers?
Basically it is one line, > > clock summer-time CST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 > > > > > Thanks > > CCNA CWLSS CS-CISecS > > Nothing ever goes as planned, Its a hell of a notion, > Even pharaohs turn to sand, Like a drop in the ocean > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > -- Shawn Morris IP Development - NTT America shawn at smorris.com/shawn at ntt.net/shawn at us.ntt.net v: +1 214 413 1115x1006 f: +1 815 327 3016 From Todd at equivoice.com Wed Mar 7 20:53:13 2007 From: Todd at equivoice.com (Todd Heide) Date: Wed, 7 Mar 2007 14:53:13 -0600 Subject: [rancid] Re: Using Rancid to pus DST changes In-Reply-To: Message-ID: <082FEA82DC985B4F8A6B412D5AC4E2205B6BC2@exchange.Equivoice.local> OK, I will give this a try. There are over 100 devices that need to be updated, and if this works it will make life so much easier. :) Thanks Todd Heide Equivoice Inc. CCNA CWLSS CS-CISecS 847-235-3308 Nothing ever goes as planned, Its a hell of a notion, Even pharaohs turn to sand, Like a drop in the ocean -----Original Message----- From: Robin Mordasiewicz [mailto:rmordasiewicz at samuelmanutech.com] Sent: Wednesday, March 07, 2007 2:43 PM To: Todd Heide Cc: rancid-discuss at shrubbery.net Subject: Re: [rancid] Using Rancid to pus DST changes On Wed, 7 Mar 2007, Todd Heide wrote: > How can I use (if I can) rancid to push a configuration change for the DST to all the routers? Basically it is one line, > clock summer-time CST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 One thing you can use is expect. 
Here is a simple example expect script which you can run on each router while looping through your router.db file

[ myusername at localhost ]$ expect -f summertime_DST.exp myrouter.mydomain.com

< summertime_DST.exp >
#!/usr/bin/expect -f
#
set force_conservative 0  ;# set to 1 to force conservative mode even if
                          ;# script wasn't run conservatively originally
if {$force_conservative} {
        set send_slow {1 .1}
        proc send {ignore arg} {
                sleep .1
                exp_send -s -- $arg
        }
}

set timeout -1
# placeholder credentials; telnet sends them in clear text
set userid "myusername"
set vtypasswd "mypassword"
# timezone name used in the clock command (CST, as in the question)
set DST_timezone "CST"
# router name is the first command-line argument
set rtr [lindex $argv 0]

spawn telnet $rtr
match_max 100000

# answer whichever login prompt the router presents
expect {
        {Username} { send "$userid\r"
                expect {
                        {*Password*} { send "$vtypasswd\r" }
                }
        }
        {telnet>} { send_user "$rtr - telnet failed\n"
                exit
        }
        {Password} { send "$vtypasswd\r" }
}

# make the change, leave config mode, then save (wr mem is an exec-mode command)
send -- "conf t\r"
send -- "clock summer-time $DST_timezone recurring 2 Sun Mar 2:00 1 Sun Nov 2:00\r"
send -- "end\r"
send -- "wr mem\r"
send -- "exit\r"

expect eof

< /summertime_DST.exp >

From rancid at gheek.net Wed Mar 7 20:54:03 2007
From: rancid at gheek.net (Lance)
Date: Wed, 07 Mar 2007 13:54:03 -0700
Subject: [rancid] Re: Using Rancid to pus DST changes
Message-ID: <20070307135403.8e114e4890519e5179c192e02d6bca26.1ec576d725.wbe@email.secureserver.net>

I would think it would be much easier than that. Use clogin and do it like so.

# every router.db entry of type cisco that is marked up; keep only the name
for i in `cat /usr/local/rancid/var/BWI/router.db | egrep "cisco:up$" | sed 's/:.*$//g'`
do
clogin -t 90 -c "conf t;clock summer-time CST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00;exit;wr mem;exit" "$i"
done

I wouldn't use end if you have a big mix of IOS versions. Some will not support the word end to return to the cli. Just change out egrep "up$" with egrep "cat5:up$" to get the catos devices. Make sure to change the clogin statement to match as well.
-Lance > -------- Original Message -------- > Subject: [rancid] Re: Using Rancid to pus DST changes > From: Robin Mordasiewicz > Date: Wed, March 07, 2007 1:43 pm > To: Todd Heide > Cc: rancid-discuss at shrubbery.net > > On Wed, 7 Mar 2007, Todd Heide wrote: > > > How can I use (if I can) rancid to push a configuration change for the DST to all the routers? Basically it is one line, > > clock summer-time CST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 > > One thing you can use is expect. Here is a simple example expect script > which you can run on each router which looping through your router.db file > > [ myusername at localhost ]$ expect -f summertime_DST.exp myrouter.mydomain.com > > < summertime_DST.exp > > #!/usr/bin/expect -f > # > set force_conservative 0 ;# set to 1 to force conservative mode even if > ;# script wasn't run conservatively originally > if {$force_conservative} { > set send_slow {1 .1} > proc send {ignore arg} { > sleep .1 > exp_send -s -- $arg > } > } > > set timeout -1 > set userid "myusername" > set vtypasswd "mypassword" > set rtr [lindex $argv 0] > > spawn telnet $rtr > match_max 100000 > > expect { > {Username} { send "$userid\r" > expect { > {*Password*} { send "$vtypasswd\r" } > } > } > {telnet>} { send_user "$rtr - telnet failed\n" > exit > } > {Password} { send "$vtypasswd\r" } > } > > > > send -- "conf t\r" > send -- "clock summer-time $DST_timezone recurring 2 Sun Mar 2:00 1 Sun Nov 2:00\r" > send -- "wr mem\r" > send -- "end\r" > send -- "exit\r" > > expect eof > > < /summertime_DST.exp > > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From cmoody at qualcomm.com Wed Mar 7 20:56:35 2007 From: cmoody at qualcomm.com (Chris Moody) Date: Wed, 07 Mar 2007 12:56:35 -0800 Subject: [rancid] Re: Using Rancid to pus DST changes In-Reply-To: References: 
<082FEA82DC985B4F8A6B412D5AC4E2205B6BB9@exchange.Equivoice.local>
Message-ID: <45EF2703.10101@qualcomm.com>

Or, even easier.

Write the line(s) of config you want to issue on every device into a file....I'll call it `dst-config`.

Then, issue the following:
------
./clogin -f .cloginrc -x dst-config

I personally create a shell for loop:
------
ex>
for i in `cat .cloginrc | grep user | cut -f 2 `; do ./clogin -f .cloginrc -x dst-config $i ; done

Basically, you just need to feed the first command a device name...and clogin will handle issuing the correct command(s) for you.

Easy.

I did the same operation to some systems under my control for DST. I had my firewalls and network gear all updated in a matter of a few minutes.

Please feel free to contact me offline if you need more help. This type of operation is VERY easy to accomplish and really shows how much rancid shines.

Cheers,
-Chris

Robin Mordasiewicz wrote:
> On Wed, 7 Mar 2007, Todd Heide wrote:
>
>> How can I use (if I can) rancid to push a configuration change for the DST to all the routers? Basically it is one line,
>> clock summer-time CST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
>
> One thing you can use is expect.
Here is a simple example expect script > which you can run on each router which looping through your router.db file > > [ myusername at localhost ]$ expect -f summertime_DST.exp myrouter.mydomain.com > > < summertime_DST.exp > > #!/usr/bin/expect -f > # > set force_conservative 0 ;# set to 1 to force conservative mode even if > ;# script wasn't run conservatively originally > if {$force_conservative} { > set send_slow {1 .1} > proc send {ignore arg} { > sleep .1 > exp_send -s -- $arg > } > } > > set timeout -1 > set userid "myusername" > set vtypasswd "mypassword" > set rtr [lindex $argv 0] > > spawn telnet $rtr > match_max 100000 > > expect { > {Username} { send "$userid\r" > expect { > {*Password*} { send "$vtypasswd\r" } > } > } > {telnet>} { send_user "$rtr - telnet failed\n" > exit > } > {Password} { send "$vtypasswd\r" } > } > > > > send -- "conf t\r" > send -- "clock summer-time $DST_timezone recurring 2 Sun Mar 2:00 1 Sun Nov 2:00\r" > send -- "wr mem\r" > send -- "end\r" > send -- "exit\r" > > expect eof > > < /summertime_DST.exp > > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > From rancid at gheek.net Wed Mar 7 20:59:57 2007 From: rancid at gheek.net (Lance) Date: Wed, 07 Mar 2007 13:59:57 -0700 Subject: [rancid] Re: admin mail Message-ID: <20070307135957.8e114e4890519e5179c192e02d6bca26.a4ecbac2ab.wbe@email.secureserver.net> Robin, James, Here is my "viewvc.conf". Keep in mind that I don't use standard prefix or CVS group name. So you will need to adjust for that. I have also enabled searching in my viewvc. The file is attached. I also listed below my ViewVC which that config is for. Let me know if you need some help. Powered by ViewVC 1.0.1 > -------- Original Message -------- > Subject: Re: [rancid] Re: admin mail > From: "Mr. James W. 
Laferriere" > Date: Wed, March 07, 2007 1:17 pm > To: Lance > Cc: Robin Mordasiewicz , > Rancid-discuss at shrubbery.net > > Hello Lance , > > On Wed, 7 Mar 2007, Lance wrote: > > Where is a working version of trac running CVS on the web? I have always > > ran viewvc/cvsweb/etc. > Would you be intrested/willing to share your desensitized config with us > ? Especially if the configuration is used for rancid viewing . > Tia , JimL > > >> -------- Original Message -------- > >> Subject: [rancid] Re: admin mail > >> From: Robin Mordasiewicz > >> Date: Tue, March 06, 2007 8:32 pm > >> To: Randy Bush > >> Cc: Rancid-discuss at shrubbery.net > >> > >> On Wed, 7 Mar 2007, Randy Bush wrote: > >> > >>>> Just wondering if rancid has any GUI. > >>> > >>> cvsweb > >> > >> I prefer trac for a front end to the repository. > >> There is no gui for install/configuring rancid. > >> _______________________________________________ > >> Rancid-discuss mailing list > >> Rancid-discuss at shrubbery.net > >> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > > > _______________________________________________ > > Rancid-discuss mailing list > > Rancid-discuss at shrubbery.net > > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > > > -- > +-----------------------------------------------------------------+ > | James W. Laferriere | System Techniques | Give me VMS | > | Network Engineer | 663 Beaumont Blvd | Give me Linux | > | babydr at baby-dragons.com | Pacifica, CA. 94044 | only on AXP | > +-----------------------------------------------------------------+ -------------- next part -------------- A non-text attachment was scrubbed... 
Name: viewvc-config.txt Type: text/plain,english Size: 20849 bytes Desc: not available Url : http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20070307/839c8ab6/attachment.bin From Todd at equivoice.com Wed Mar 7 21:04:00 2007 From: Todd at equivoice.com (Todd Heide) Date: Wed, 7 Mar 2007 15:04:00 -0600 Subject: [rancid] Re: admin mail In-Reply-To: <20070307135957.8e114e4890519e5179c192e02d6bca26.a4ecbac2ab.wbe@email.secureserver.net> Message-ID: <082FEA82DC985B4F8A6B412D5AC4E2205B6BC9@exchange.Equivoice.local> I have used what Lance has created, with some modifications to use PHP and mysql for a nice front end for Rancid. I used Dreamweaver to put it all together so we can manage everything except the .clogin script since we use Tacacs and it isn't needed unless we change the rancid login in Tacacs. His CGI script works well for adding and removing devices from the router.db files. Thanks Todd Heide Equivoice Inc. CCNA CWLSS CS-CISecS 847-235-3308 Nothing ever goes as planned, Its a hell of a notion, Even pharaohs turn to sand, Like a drop in the ocean -----Original Message----- From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Lance Sent: Wednesday, March 07, 2007 3:00 PM To: Mr. James W. Laferriere Cc: Rancid-discuss at shrubbery.net Subject: [rancid] Re: admin mail Robin, James, Here is my "viewvc.conf". Keep in mind that I don't use standard prefix or CVS group name. So you will need to adjust for that. I have also enabled searching in my viewvc. The file is attached. I also listed below my ViewVC which that config is for. Let me know if you need some help. Powered by ViewVC 1.0.1 > -------- Original Message -------- > Subject: Re: [rancid] Re: admin mail > From: "Mr. James W. 
Laferriere" > Date: Wed, March 07, 2007 1:17 pm > To: Lance > Cc: Robin Mordasiewicz , > Rancid-discuss at shrubbery.net > > Hello Lance , > > On Wed, 7 Mar 2007, Lance wrote: > > Where is a working version of trac running CVS on the web? I have always > > ran viewvc/cvsweb/etc. > Would you be intrested/willing to share your desensitized config with us > ? Especially if the configuration is used for rancid viewing . > Tia , JimL > > >> -------- Original Message -------- > >> Subject: [rancid] Re: admin mail > >> From: Robin Mordasiewicz > >> Date: Tue, March 06, 2007 8:32 pm > >> To: Randy Bush > >> Cc: Rancid-discuss at shrubbery.net > >> > >> On Wed, 7 Mar 2007, Randy Bush wrote: > >> > >>>> Just wondering if rancid has any GUI. > >>> > >>> cvsweb > >> > >> I prefer trac for a front end to the repository. > >> There is no gui for install/configuring rancid. > >> _______________________________________________ > >> Rancid-discuss mailing list > >> Rancid-discuss at shrubbery.net > >> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > > > _______________________________________________ > > Rancid-discuss mailing list > > Rancid-discuss at shrubbery.net > > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > > > -- > +-----------------------------------------------------------------+ > | James W. Laferriere | System Techniques | Give me VMS | > | Network Engineer | 663 Beaumont Blvd | Give me Linux | > | babydr at baby-dragons.com | Pacifica, CA. 94044 | only on AXP | > +-----------------------------------------------------------------+ From rancid at gheek.net Thu Mar 8 00:04:49 2007 From: rancid at gheek.net (Lance) Date: Wed, 07 Mar 2007 17:04:49 -0700 Subject: [rancid] Re: admin mail Message-ID: <20070307170449.8e114e4890519e5179c192e02d6bca26.dea93d28f3.wbe@email.secureserver.net> What Todd is talking about I think is a WebFE I quickly created to edit RANCIDs router.db file. I have attached that. 
It is very basic but handy for those people that don't understand configs. -Lance > -------- Original Message -------- > Subject: RE: [rancid] Re: admin mail > From: "Todd Heide" > Date: Wed, March 07, 2007 2:04 pm > To: "Lance" , "Mr. James W. Laferriere" > > Cc: > > I have used what Lance has created, with some modifications to use PHP > and mysql for a nice front end for Rancid. I used Dreamweaver to put it > all together so we can manage everything except the .clogin script since > we use Tacacs and it isn't needed unless we change the rancid login in > Tacacs. His CGI script works well for adding and removing devices from > the router.db files. > > Thanks > Todd Heide > Equivoice Inc. > > CCNA CWLSS CS-CISecS > 847-235-3308 > > Nothing ever goes as planned, Its a hell of a notion, > Even pharaohs turn to sand, Like a drop in the ocean > > -----Original Message----- > From: rancid-discuss-bounces at shrubbery.net > [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Lance > Sent: Wednesday, March 07, 2007 3:00 PM > To: Mr. James W. Laferriere > Cc: Rancid-discuss at shrubbery.net > Subject: [rancid] Re: admin mail > > Robin, > > James, > > Here is my "viewvc.conf". Keep in mind that I don't use standard prefix > or CVS group name. So you will need to adjust for that. I have also > enabled searching in my viewvc. The file is attached. I also listed > below my ViewVC which that config is for. Let me know if you need some > help. > > Powered by ViewVC 1.0.1 > > > -------- Original Message -------- > > Subject: Re: [rancid] Re: admin mail > > From: "Mr. James W. Laferriere" > > Date: Wed, March 07, 2007 1:17 pm > > To: Lance > > Cc: Robin Mordasiewicz , > > Rancid-discuss at shrubbery.net > > > > Hello Lance , > > > > On Wed, 7 Mar 2007, Lance wrote: > > > Where is a working version of trac running CVS on the web? I have > always > > > ran viewvc/cvsweb/etc. > > Would you be intrested/willing to share your desensitized config > with us > > ? 
Especially if the configuration is used for rancid viewing . > > Tia , JimL > > > > >> -------- Original Message -------- > > >> Subject: [rancid] Re: admin mail > > >> From: Robin Mordasiewicz > > >> Date: Tue, March 06, 2007 8:32 pm > > >> To: Randy Bush > > >> Cc: Rancid-discuss at shrubbery.net > > >> > > >> On Wed, 7 Mar 2007, Randy Bush wrote: > > >> > > >>>> Just wondering if rancid has any GUI. > > >>> > > >>> cvsweb > > >> > > >> I prefer trac for a front end to the repository. > > >> There is no gui for install/configuring rancid. > > >> _______________________________________________ > > >> Rancid-discuss mailing list > > >> Rancid-discuss at shrubbery.net > > >> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > > > > > _______________________________________________ > > > Rancid-discuss mailing list > > > Rancid-discuss at shrubbery.net > > > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > > > > > > -- > > +-----------------------------------------------------------------+ > > | James W. Laferriere | System Techniques | Give me VMS | > > | Network Engineer | 663 Beaumont Blvd | Give me Linux | > > | babydr at baby-dragons.com | Pacifica, CA. 94044 | only on AXP | > > +-----------------------------------------------------------------+ -------------- next part -------------- A non-text attachment was scrubbed... 
Name: rancidmod.zip
Type: application/x-zip
Size: 4246 bytes
Desc: not available
Url : http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20070307/d9a8a23c/attachment.bin

From justin at justinshore.com Thu Mar 8 17:34:35 2007
From: justin at justinshore.com (Justin Shore)
Date: Thu, 08 Mar 2007 11:34:35 -0600
Subject: [rancid] Re: Using Rancid to pus DST changes
In-Reply-To: <45EF2703.10101@qualcomm.com>
References: <082FEA82DC985B4F8A6B412D5AC4E2205B6BB9@exchange.Equivoice.local> <45EF2703.10101@qualcomm.com>
Message-ID: <45F0492B.6080408@justinshore.com>

I basically do the same thing only I pull the device names out of the
router.db files just in case I have some configured devices that are
configured as being down. If I really wanted to be thorough I would
read routers.down as input and exclude those hosts from the $LIST (or
just read in routers.up).

LIST=$(cat var/gro/router.db | egrep -v "down|FW|fw|4006|gro-2621" | awk -F ":" '{print $1}'); echo $LIST

I pick out all the devices that either can use the commands or I don't
want the commands executed on, plus all the devices that are configured
as down.

for i in $LIST; do clogin -x commands.run $i; done

With a little more effort I could output a list of devices that I could
successfully apply the commands and those that I couldn't but I haven't.
I watch the output anyhow.

Justin

Chris Moody wrote:
> Or, even easier.
>
> Write the line(s) of config you want to issue on every device into a
> file....I'll call it `dst-config`.
>
> Then, issue the following:
> ------
> ./clogin -f .cloginrc -x dst-config
>
>
>
> I personally create a shell for loop:
> ------
> ex>
> for i in `cat .cloginrc | grep user | cut -f 2 `; do ./clogin -f .cloginrc -x dst-config $i ; done
>
>
> Basically, you just need to feed the first command a device name...and
> clogin will handle issuing the correct command(s) for you.
>
> Easy.
>
> I did the same operation to some systems under my control for DST. I
> had my firewalls and network gear all updated in a matter of a few minutes.
>
> Please feel free to contact me offline if you need more help. This type
> of operation is VERY easy to accomplish and really shows how much rancid
> shines.
>
> Cheers,
> -Chris
>
>
> Robin Mordasiewicz wrote:
>> On Wed, 7 Mar 2007, Todd Heide wrote:
>>
>>> How can I use (if I can) rancid to push a configuration change for the DST to all the routers? Basically it is one line,
>>> clock summer-time CST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
>> One thing you can use is expect. Here is a simple example expect script
>> which you can run on each router which looping through your router.db file
>>
>> [ myusername at localhost ]$ expect -f summertime_DST.exp myrouter.mydomain.com
>>
>> < summertime_DST.exp >
>> #!/usr/bin/expect -f
>> #
>> set force_conservative 0 ;# set to 1 to force conservative mode even if
>>                          ;# script wasn't run conservatively originally
>> if {$force_conservative} {
>>     set send_slow {1 .1}
>>     proc send {ignore arg} {
>>         sleep .1
>>         exp_send -s -- $arg
>>     }
>> }
>>
>> set timeout -1
>> set userid "myusername"
>> set vtypasswd "mypassword"
>> set rtr [lindex $argv 0]
>>
>> spawn telnet $rtr
>> match_max 100000
>>
>> expect {
>>     {Username} { send "$userid\r"
>>         expect {
>>             {*Password*} { send "$vtypasswd\r" }
>>         }
>>     }
>>     {telnet>} { send_user "$rtr - telnet failed\n"
>>         exit
>>     }
>>     {Password} { send "$vtypasswd\r" }
>> }
>>
>>
>>
>> send -- "conf t\r"
>> send -- "clock summer-time $DST_timezone recurring 2 Sun Mar 2:00 1 Sun Nov 2:00\r"
>> send -- "wr mem\r"
>> send -- "end\r"
>> send -- "exit\r"
>>
>> expect eof
>>
>> < /summertime_DST.exp >
>>
>> _______________________________________________
>> Rancid-discuss mailing list
>> Rancid-discuss at shrubbery.net
>> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
>>
>>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
>
>

From yuvalba at netvision.net.il Thu Mar 8 22:32:41 2007
From: yuvalba at netvision.net.il (Yuval Ben-Ari)
Date: Fri, 9 Mar 2007 00:32:41 +0200
Subject: [rancid] Re: admin mail
References: <58D14E53A4F69C4EAF4D29171C447CC49200C5@NTX-CL.forest.netvision.net.il> <20070305193822.GK26313@shrubbery.net>
Message-ID: <58D14E53A4F69C4EAF4D29171C447CC49200E9@NTX-CL.forest.netvision.net.il>

thanks, it seems to work now :)

> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net]
> Sent: Monday, March 05, 2007 9:38 PM
> To: Yuval Ben-Ari
> Cc: Rancid-discuss at shrubbery.net
> Subject: Re: [rancid] admin mail
>
> Mon, Mar 05, 2007 at 02:43:43PM +0200, Yuval Ben-Ari:
> > Hi,
> >
> > For some reason I started getting all the mail including the admin mail
> > to the mailrcpt address.
> > I might have messed something somewhere but can't figure where.
> >
> > the control_rancid scripts read this:
> >
> > # the receipient(s) of diffs
> > mailrcpt=${mailrcpt:-"@MAILPLUS@${GROUP}${MAILDOMAIN}"}; export mailrcpt
> > adminmailrcpt=${mailrcpt:-"@ADMINMAILPLUS@${GROUP}${MAILDOMAIN}"};
> > export adminmailrcpt
> >
> >
> > doesn't it mean that as long as there is mailrcp it will be used ?
>
>
> yes, that was a pasto bug. that line should be:
>
> adminmailrcpt=${adminmailrcpt:-"@ADMINMAILPLUS@${GROUP}${MAILDOMAIN}"};
>
>

From Todd at equivoice.com Fri Mar 9 14:49:12 2007
From: Todd at equivoice.com (Todd Heide)
Date: Fri, 9 Mar 2007 08:49:12 -0600
Subject: [rancid] PIX authentication
Message-ID: <082FEA82DC985B4F8A6B412D5AC4E2205B6CF6@exchange.Equivoice.local>

I have been wondering why I never get an update when trying to get
rancid to pull a config from a PIX and discovered that when Rancid logs
in, it doesn't put in enable and password, so the device times out.
Where can I fix that?

Thanks
Todd

CCNA CWLSS CS-CISecS

Nothing ever goes as planned, Its a hell of a notion,
Even pharaohs turn to sand, Like a drop in the ocean

From Todd at equivoice.com Fri Mar 9 14:51:28 2007
From: Todd at equivoice.com (Todd Heide)
Date: Fri, 9 Mar 2007 08:51:28 -0600
Subject: [rancid] Re: PIX authentication
In-Reply-To: <082FEA82DC985B4F8A6B412D5AC4E2205B6CF6@exchange.Equivoice.local>
Message-ID: <082FEA82DC985B4F8A6B412D5AC4E2205B6CF8@exchange.Equivoice.local>

I found a second issue, another pix I log into, if I type enable it hangs!

Thanks
Todd Heide
Equivoice Inc.

CCNA CWLSS CS-CISecS
847-235-3308

Nothing ever goes as planned, Its a hell of a notion,
Even pharaohs turn to sand, Like a drop in the ocean

-----Original Message-----
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Todd Heide
Sent: Friday, March 09, 2007 8:49 AM
To: Rancid-discuss at shrubbery.net
Subject: [rancid] PIX authentication

I have been wondering why I never get an update when trying to get
rancid to pull a config from a PIX and discovered that when Rancid logs
in, it doesn't put in enable and password, so the device times out.
Where can I fix that?

Thanks
Todd

CCNA CWLSS CS-CISecS

Nothing ever goes as planned, Its a hell of a notion,
Even pharaohs turn to sand, Like a drop in the ocean

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss

From sawall at gmail.com Fri Mar 9 15:00:59 2007
From: sawall at gmail.com (sawall)
Date: Fri, 9 Mar 2007 09:00:59 -0600
Subject: [rancid] Re: PIX authentication
In-Reply-To: <082FEA82DC985B4F8A6B412D5AC4E2205B6CF8@exchange.Equivoice.local>
References: <082FEA82DC985B4F8A6B412D5AC4E2205B6CF6@exchange.Equivoice.local> <082FEA82DC985B4F8A6B412D5AC4E2205B6CF8@exchange.Equivoice.local>
Message-ID: <870bf9090703090700k4ffb7bfas372f1d4244bc78a5@mail.gmail.com>

are you using the default clogin files? i am backing up 60+ pix
firewalls. 515s and 525s. version 6.3 - 7.2. i'm not having any problems
at all.

have you run clogin manually to see how it's connecting to the pix and
to see if that works.

chris

On 3/9/07, Todd Heide wrote:
>
> I found a second issue, another pix I log into, if I type enable it hangs!
>
> Thanks
> Todd Heide
> Equivoice Inc.
>
> CCNA CWLSS CS-CISecS
> 847-235-3308
>
> Nothing ever goes as planned, Its a hell of a notion,
> Even pharaohs turn to sand, Like a drop in the ocean
> -----Original Message-----
> From: rancid-discuss-bounces at shrubbery.net [mailto:
> rancid-discuss-bounces at shrubbery.net] On Behalf Of Todd Heide
> Sent: Friday, March 09, 2007 8:49 AM
> To: Rancid-discuss at shrubbery.net
> Subject: [rancid] PIX authentication
>
> I have been wondering why I never get an update when trying to get rancid
> to pull a config from a PIX and discovered that when Rancid logs in, it
> doesn't put in enable and password, so the device times out. Where can I fix
> that?
>
> Thanks
> Todd
>
>
> CCNA CWLSS CS-CISecS
>
>
> Nothing ever goes as planned, Its a hell of a notion,
> Even pharaohs turn to sand, Like a drop in the ocean
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20070309/8cb18c04/attachment.html

From Todd at equivoice.com Fri Mar 9 16:45:32 2007
From: Todd at equivoice.com (Todd Heide)
Date: Fri, 9 Mar 2007 10:45:32 -0600
Subject: [rancid] Re: PIX authentication
In-Reply-To: <870bf9090703090824xa70a38dt975214ac8be2ee07@mail.gmail.com>
Message-ID: <082FEA82DC985B4F8A6B412D5AC4E2205B6D0B@exchange.Equivoice.local>

Yep, the logs indicate basically the same thing that running clogin
does, error: TIMEOUT reached. It is hanging when trying to get to
privileged exec mode on the PIX. All the routers work fine with ssh, so
I am not sure what the problem is, and why it hangs, but I can ssh to
the pix from the command prompt and get all the way in.

Nothing ever goes as planned, Its a hell of a notion,
Even pharaohs turn to sand, Like a drop in the ocean

________________________________

From: sawall [mailto:sawall at gmail.com]
Sent: Friday, March 09, 2007 10:25 AM
To: Todd Heide
Subject: Re: [rancid] Re: PIX authentication

sorry. i'm not the greatest rancid guy. i modified my bin/rancid and
bin/clogin files slightly. and i'm not having any issues.

what if you run "bin/rancid -d {fw ip addr}"

should show some debug.

On 3/9/07, Todd Heide wrote:

add user 67.1x.x.x rancid
add password 67.1x.x.x {********} {*********}
add method 67.1x.x.x ssh

This login setup works fine on a router, all our routers use Tacacs+ as
well.

________________________________________

From: sawall [mailto:sawall at gmail.com]
Sent: Friday, March 09, 2007 10:10 AM
To: Todd Heide
Subject: Re: [rancid] Re: PIX authentication

what does your cloginrc file look like?

On 3/9/07, Todd Heide wrote:

I get the same issue whether it is a pix or an ASA, version 6.3 or 7.x

________________________________________

From: sawall [mailto:sawall at gmail.com]
Sent: Friday, March 09, 2007 9:50 AM
To: Todd Heide
Subject: Re: [rancid] Re: PIX authentication

what version of pix? does the user "rancid" have rights to call enable?

just trying to figure out your issue....

On 3/9/07, Todd Heide < Todd at equivoice.com > wrote:

[rancid at server ~]$ bin/clogin 67.1x.x.x
67.1x.x.x
spawn ssh -c 3des -x -l rancid 67.1x.x.x
rancid at 67.1x.x.x 's password:
Type help or '?' for a list of available commands.
pixfirewall>
pixfirewall> en

Error: TIMEOUT reached
[rancid at server ~]$ en

Thanks
Toddc.

CCNA CWLSS CS-CISecS

Nothing ever goes as planned, Its a hell of a notion,
Even pharaohs turn to sand, Like a drop in the ocean

________________________________________

From: sawall [mailto:sawall at gmail.com ]
Sent: Friday, March 09, 2007 9:39 AM
To: Todd Heide
Subject: Re: [rancid] Re: PIX authentication

what does the output look like when you try it manually. below is what i
have for version 6.3 and 7.2. (i changed the enable to enable 5 so i
could limit the commands that could run for this user).

# su - rancid

> clogin pixver63
pixver63
spawn ssh -c 3des -x -l pixbkup pixver63
pixbkup at pixver63's password:
Type help or '?' for a list of available commands.
pixver63>
pixver63> enable 5
Password: *******
pixver63#
pixver63# exit

Logoff

Connection to pixver63 closed.

> clogin pixver72
pixver72
spawn ssh -c 3des -x -l pixbkup pixver72
pixbkup at pixver72 's password:
Type help or '?' for a list of available commands.
pixcof01p> enable 5
Password: *******
pixcof01p#
pixcof01p# exit

Logoff

Connection to pixver72 closed.

On 3/9/07, Todd Heide < Todd at equivoice.com> wrote:

Running it manually is when I found the problem. It hangs when I enter
enable, then times out.

Thanks
Todd Heide
Equivoice Inc.

CCNA CWLSS CS-CISecS
847-235-3308

Nothing ever goes as planned, Its a hell of a notion,
Even pharaohs turn to sand, Like a drop in the ocean

________________________________________

From: sawall [mailto: sawall at gmail.com]
Sent: Friday, March 09, 2007 9:01 AM
To: Todd Heide
Cc: Rancid-discuss at shrubbery.net
Subject: Re: [rancid] Re: PIX authentication

are you using the default clogin files? i am backing up 60+ pix
firewalls. 515s and 525s. version 6.3 - 7.2. i'm not having any problems
at all.

have you run clogin manually to see how it's connecting to the pix and
to see if that works.

chris

On 3/9/07, Todd Heide < Todd at equivoice.com> wrote:

I found a second issue, another pix I log into, if I type enable it
hangs!

Thanks
Todd Heide
Equivoice Inc.

CCNA CWLSS CS-CISecS
847-235-3308

Nothing ever goes as planned, Its a hell of a notion,
Even pharaohs turn to sand, Like a drop in the ocean

-----Original Message-----
From: rancid-discuss-bounces at shrubbery.net [mailto: rancid-discuss-bounces at shrubbery.net] On Behalf Of Todd Heide
Sent: Friday, March 09, 2007 8:49 AM
To: Rancid-discuss at shrubbery.net
Subject: [rancid] PIX authentication

I have been wondering why I never get an update when trying to get
rancid to pull a config from a PIX and discovered that when Rancid logs
in, it doesn't put in enable and password, so the device times out.
Where can I fix that?

Thanks
Todd

CCNA CWLSS CS-CISecS

Nothing ever goes as planned, Its a hell of a notion,
Even pharaohs turn to sand, Like a drop in the ocean

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20070309/4545622b/attachment.html

From Todd at equivoice.com Fri Mar 9 17:33:12 2007
From: Todd at equivoice.com (Todd Heide)
Date: Fri, 9 Mar 2007 11:33:12 -0600
Subject: [rancid] Re: PIX authentication
In-Reply-To: <714E7478-3B7D-4161-BF6C-C9FF0C17D0B8@amnetcorp.com>
Message-ID: <082FEA82DC985B4F8A6B412D5AC4E2205B6D1B@exchange.Equivoice.local>

OK, I didn't have the autoenable in there, I will see if that helps, but
I am still puzzled as to why it is hanging when I try clogin IPADDRESS
to the pix'

Thanks
Todd Heide
Equivoice Inc.

CCNA CWLSS CS-CISecS
847-235-3308

Nothing ever goes as planned, Its a hell of a notion,
Even pharaohs turn to sand, Like a drop in the ocean

-----Original Message-----
From: Manuel Noriega [mailto:mnoriega at amnetcorp.com]
Sent: Friday, March 09, 2007 11:19 AM
To: Todd Heide
Cc: sawall; Rancid-discuss at shrubbery.net
Subject: Re: [rancid] Re: PIX authentication

Are you using autoenable? I had trouble at the beginning. This is what I
have in my .clogonrc file.

add autoenable pix* 0
add method pixsps ssh
add cyphertype pixsps des
add user pixsps pix
add password pixsps vtypassword enablepassword

Regards,

Manuel

From mashcraft at omniture.com Fri Mar 9 18:49:10 2007
From: mashcraft at omniture.com (Mike Ashcraft)
Date: Fri, 9 Mar 2007 11:49:10 -0700
Subject: [rancid] Re: PIX authentication
In-Reply-To: <082FEA82DC985B4F8A6B412D5AC4E2205B6D1B@exchange.Equivoice.local>
References: <714E7478-3B7D-4161-BF6C-C9FF0C17D0B8@amnetcorp.com> <082FEA82DC985B4F8A6B412D5AC4E2205B6D1B@exchange.Equivoice.local>
Message-ID: <2036820397BC8048A6A6A17F421DBC8703CD30CF@EXCHANGE.orm.omniture.com>

Todd,

clogin IPADDRESS is 'hanging' because it is waiting for the pix to
return an enabled prompt.
While you can type at the user prompt, the clogin program is still in
control and will not pass your keystrokes on to the PIX. Notice that
after the timeout, your 'en' is entered at the shell prompt. Setting
autoenable to 0 will tell clogin that it will have to use the enable
command to get the enabled prompt. Unlike other Cisco devices, the PIX
will not allow a tacacs+ authenticated user to go straight to enable
mode.

Mike

From Todd at equivoice.com Fri Mar 9 18:55:22 2007
From: Todd at equivoice.com (Todd Heide)
Date: Fri, 9 Mar 2007 12:55:22 -0600
Subject: [rancid] Re: PIX authentication
In-Reply-To: <2036820397BC8048A6A6A17F421DBC8703CD30CF@EXCHANGE.orm.omniture.com>
Message-ID: <082FEA82DC985B4F8A6B412D5AC4E2205B6D29@exchange.Equivoice.local>

DOH

Helps to read the instructions. I added autoenable, but didn't put the
ip of the device in. It is working from bin.clogin now. Let's see if it
pulls the config this time. Thanks for everyone who helped!

Thanks
Todd Heide
Equivoice Inc.

CCNA CWLSS CS-CISecS
847-235-3308

Nothing ever goes as planned, Its a hell of a notion,
Even pharaohs turn to sand, Like a drop in the ocean

> -----Original Message-----
> From: rancid-discuss-bounces at shrubbery.net [mailto:
> rancid-discuss-bounces at shrubbery.net] On Behalf Of Todd Heide
> Sent: Friday, March 09, 2007 8:49 AM
> To: Rancid-discuss at shrubbery.net
> Subject: [rancid] PIX authentication
>
> I have been wondering why I never get an update when trying to get
> rancid to pull a config from a PIX and discovered that when Rancid
> logs in, it doesn't put in enable and password, so the device times
> out.
> Where can I fix that?
> > Thanks > Todd > > > CCNA CWLSS CS-CISecS > > > Nothing ever goes as planned, Its a hell of a notion, Even pharaohs > turn to sand, Like a drop in the ocean _______________________________________________ Rancid-discuss mailing list Rancid-discuss at shrubbery.net http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From sawall at gmail.com Fri Mar 9 20:50:50 2007 From: sawall at gmail.com (sawall) Date: Fri, 9 Mar 2007 14:50:50 -0600 Subject: [rancid] Re: PIX authentication In-Reply-To: <082FEA82DC985B4F8A6B412D5AC4E2205B6D29@exchange.Equivoice.local> References: <2036820397BC8048A6A6A17F421DBC8703CD30CF@EXCHANGE.orm.omniture.com> <082FEA82DC985B4F8A6B412D5AC4E2205B6D29@exchange.Equivoice.local> Message-ID: <870bf9090703091250r3e6e49a0x558eeacae70616b2@mail.gmail.com> The weird thing, I think, is that I don't have autoenable set in my cloginrc file and it's working great with all of my firewalls. not that todd shouldn't try it. i'm just confused.... chris On 3/9/07, Todd Heide wrote: > > DOH Helps to read the instructions. I added autoenable, but didn't put > the ip of the device in. It is working from bin.clogin now. Let's see if > it pulls the config this time. Thanks for everyone who helped! > > Thanks > Todd Heide > Equivoice Inc.
> > > > Thanks > > Todd > > > > > > CCNA CWLSS CS-CISecS > > > > > > Nothing ever goes as planned, Its a hell of a notion, Even pharaohs > > turn to sand, Like a drop in the ocean > > > > _______________________________________________ > > Rancid-discuss mailing list > > Rancid-discuss at shrubbery.net > > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > _______________________________________________ > > Rancid-discuss mailing list > > Rancid-discuss at shrubbery.net > > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > > > > > > > > > _______________________________________________ > > Rancid-discuss mailing list > > Rancid-discuss at shrubbery.net > > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20070309/c0ff2553/attachment.html From mashcraft at omniture.com Fri Mar 9 21:06:53 2007 From: mashcraft at omniture.com (Mike Ashcraft) Date: Fri, 9 Mar 2007 14:06:53 -0700 Subject: [rancid] Re: PIX authentication In-Reply-To: <870bf9090703091250r3e6e49a0x558eeacae70616b2@mail.gmail.com> References: <2036820397BC8048A6A6A17F421DBC8703CD30CF@EXCHANGE.orm.omniture.com> <082FEA82DC985B4F8A6B412D5AC4E2205B6D29@exchange.Equivoice.local> <870bf9090703091250r3e6e49a0x558eeacae70616b2@mail.gmail.com> Message-ID: <2036820397BC8048A6A6A17F421DBC8703CD312E@EXCHANGE.orm.omniture.com> Chris, Because Todd is using tacacs+ for authentication, he set autoenable to 1 to get all the cisco routers/switches working. 
The hostname glob he used for this setting also matched his PIX causing this problem. As autoenable needs to be 0 [the default] for a PIX to work, you don't need to set it. Mike ________________________________ From: sawall [mailto:sawall at gmail.com] Sent: Friday, March 09, 2007 1:51 PM To: Todd Heide Cc: Mike Ashcraft; Rancid-discuss at shrubbery.net Subject: Re: [rancid] Re: PIX authentication The weird thing, I think, is that I don't have autoenable set in my cloginrc file and it's working great with all of my firewalls. not that todd shouldn't try it. i'm just confused.... chris On 3/9/07, Todd Heide wrote: DOH Helps to read the instructions. I added autoenable, but didn't put the ip of the device in. It is working from bin.clogin now. Let's see if it pulls the config this time. Thanks for everyone who helped! Thanks Todd Heide Equivoice Inc. CCNA CWLSS CS-CISecS 847-235-3308 Nothing ever goes as planned, Its a hell of a notion, Even pharaohs turn to sand, Like a drop in the ocean -----Original Message----- From: Mike Ashcraft [mailto:mashcraft at omniture.com] Sent: Friday, March 09, 2007 12:49 PM To: Todd Heide Cc: Rancid-discuss at shrubbery.net Subject: RE: [rancid] Re: PIX authentication Todd, clogin IPADDRESS is 'hanging' because it is waiting for the pix to return an enabled prompt. While you can type at the user prompt, the clogin program is still in control and will not pass your keystrokes on to the PIX. Notice that after the timeout, your 'en' is entered at the shell prompt. Setting autoenable to 0 will tell clogin that it will have to use the enable command to get the enabled prompt. Unlike other Cisco devices, the PIX will not allow a tacacs+ authenticated user to go straight to enable mode.
> > CCNA CWLSS CS-CISecS > 847-235-3308 > > Nothing ever goes as planned, Its a hell of a notion, Even pharaohs > turn to sand, Like a drop in the ocean -----Original Message----- > From: rancid-discuss-bounces at shrubbery.net [mailto: > rancid-discuss-bounces at shrubbery.net] On Behalf Of Todd Heide > Sent: Friday, March 09, 2007 8:49 AM > To: Rancid-discuss at shrubbery.net > Subject: [rancid] PIX authentication > > I have been wondering why I never get an update when trying to get > rancid to pull a config from a PIX and discovered that when Rancid > logs in, it doesn't put in enable and password, so the device times > out. > Where can I fix that? > > Thanks > Todd > > > CCNA CWLSS CS-CISecS > > > Nothing ever goes as planned, Its a hell of a notion, Even pharaohs > turn to sand, Like a drop in the ocean > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > > > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss _______________________________________________ Rancid-discuss mailing list Rancid-discuss at shrubbery.net http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss _______________________________________________ Rancid-discuss mailing list Rancid-discuss at shrubbery.net http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss -------------- next part -------------- An HTML attachment was scrubbed... 
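Added example (not from the thread or from the RANCID project) of the failure Mike Ashcraft describes above: a broad hostname glob carrying `autoenable 1` also matches a PIX. It assumes .cloginrc entries are tried in file order with the first matching glob winning, and uses Python's fnmatch as a stand-in for clogin's own glob matching; the config text and the placeholder passwords are constructed, and `pixfirewall` is the prompt name shown in the thread.

```python
"""Find which .cloginrc 'add autoenable' entry would apply to a host.

Added example, not RANCID code. Assumptions: entries are matched in file
order and the first matching hostname glob wins; fnmatch approximates the
glob matching clogin performs.
"""
import fnmatch

DEFAULT_AUTOENABLE = "0"  # the thread gives 0 as the default


def tokenize(line):
    """Split on whitespace, treating a {braced value} as one token."""
    tokens, i = [], 0
    while i < len(line):
        if line[i].isspace():
            i += 1
        elif line[i] == "{":
            end = line.find("}", i)
            if end == -1:
                raise ValueError("unbalanced brace: " + line)
            tokens.append(line[i + 1:end])
            i = end + 1
        else:
            j = i
            while j < len(line) and not line[j].isspace():
                j += 1
            tokens.append(line[i:j])
            i = j
    return tokens


def parse_cloginrc(text):
    """Return (directive, glob, values) tuples in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = tokenize(line)
        if len(tokens) >= 3 and tokens[0] == "add":
            entries.append((tokens[1], tokens[2], tokens[3:]))
    return entries


def effective(entries, directive, host, default=None):
    """Return (value, glob) of the first entry whose glob matches host."""
    for name, glob, values in entries:
        if name == directive and fnmatch.fnmatchcase(host, glob):
            return (values[0] if values else default), glob
    return default, None


def audit(text, enable_required_hosts):
    """Map each host that must type 'enable' but resolves to
    autoenable 1 onto the glob responsible."""
    entries = parse_cloginrc(text)
    findings = {}
    for host in enable_required_hosts:
        value, glob = effective(entries, "autoenable", host,
                                DEFAULT_AUTOENABLE)
        if value == "1":
            findings[host] = glob
    return findings


# Constructed sample configs (placeholder credentials, not real ones).
BROAD_GLOB = """
add autoenable * 1
add user * rancid
add password * {vty-placeholder} {enable-placeholder}
add method * ssh
"""
# Appending the PIX entry after the broad glob does not help under
# first-match ordering; it has to come first.
WRONG_ORDER = BROAD_GLOB + "add autoenable pix* 0\n"
FIXED = "add autoenable pix* 0\n" + BROAD_GLOB

if __name__ == "__main__":
    for label, cfg in (("broad glob", BROAD_GLOB),
                       ("wrong order", WRONG_ORDER),
                       ("fixed", FIXED)):
        print(label, audit(cfg, ["pixfirewall"]))
```

A firewall that is addressed by IP rather than by a `pix*` name needs its own `add autoenable` line above the broad entry, which is the step Todd reports having missed.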
URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20070309/5f39ab09/attachment.html From Todd at equivoice.com Sat Mar 10 01:13:24 2007 From: Todd at equivoice.com (Todd Heide) Date: Fri, 9 Mar 2007 19:13:24 -0600 Subject: [rancid] Re: PIX authentication In-Reply-To: <2036820397BC8048A6A6A17F421DBC8703CD312E@EXCHANGE.orm.omniture.com> Message-ID: <082FEA82DC985B4F8A6B412D5AC4E2205B6D65@exchange.Equivoice.local> Yes it is working finally, both of the Pix' I have in there are now drawing the configuration down, I finally have backups of them. Thanks Todd Heide Equivoice Inc. CCNA CWLSS CS-CISecS 847-235-3308 Nothing ever goes as planned, Its a hell of a notion, Even pharaohs turn to sand, Like a drop in the ocean ________________________________ From: Mike Ashcraft [mailto:mashcraft at omniture.com] Sent: Friday, March 09, 2007 3:07 PM To: sawall; Todd Heide Cc: Rancid-discuss at shrubbery.net Subject: RE: [rancid] Re: PIX authentication Chris, Because Todd is using tacacs+ for authentication, he set autoenable to 1 to get all the cisco routers/switches working. The hostname glob he used for this setting also matched his PIX causing this problem. As autoenable needs to be 0 [the default] for a PIX to work, you don't need to set it. Mike ________________________________ From: sawall [mailto:sawall at gmail.com] Sent: Friday, March 09, 2007 1:51 PM To: Todd Heide Cc: Mike Ashcraft; Rancid-discuss at shrubbery.net Subject: Re: [rancid] Re: PIX authentication The weird thing, I think, is that I don't have autoenable set in my cloginrc file and it's working great with all of my firewalls. not that todd shouldn't try it. i'm just confused.... chris On 3/9/07, Todd Heide wrote: DOH Helps to read the instructions. I added autoenable, but didn't put the ip of the device in. It is working from bin.clogin now. Let's see if it pulls the config this time. Thanks for everyone who helped! Thanks Todd Heide Equivoice Inc.
> > Thanks > Todd > > > CCNA CWLSS CS-CISecS > > > Nothing ever goes as planned, Its a hell of a notion, Even pharaohs > turn to sand, Like a drop in the ocean > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20070309/430ccabc/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/jpeg Size: 1450 bytes Desc: image001.jpg Url : http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20070309/430ccabc/attachment.jpe -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: image/gif Size: 3203 bytes Desc: image002.gif Url : http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20070309/430ccabc/attachment.gif From lists.fcu at no-way.org Fri Mar 16 15:28:57 2007 From: lists.fcu at no-way.org (Flavio Curti) Date: Fri, 16 Mar 2007 16:28:57 +0100 Subject: [rancid] Backing up Routers behind Cisco Router in VRF instance Message-ID: <20070316152857.GL5414@no-way.org> Hello I'm trying to backup cisco-routers behind another cisco router. This should work using the usercmd patch. However I have two problems: - The routers are in vrf instances on the router, so i have to login like this: telnet routerip /vrf vrfinstance - the routers have the same internal ip-addresses, so i can have a router on 192.168.0.1 in vrf "one" and vrf "two" Can I do this using the usercmd command? Do I have to make a public dns entry for every router I have? Thank you for your help and kind regards Flavio Curti -- http://no-way.org/~fcu/ From mstefani at redhat.com Fri Mar 16 16:14:45 2007 From: mstefani at redhat.com (Michael Stefaniuc) Date: Fri, 16 Mar 2007 17:14:45 +0100 Subject: [rancid] Re: Backing up Routers behind Cisco Router in VRF instance In-Reply-To: <20070316152857.GL5414@no-way.org> References: <20070316152857.GL5414@no-way.org> Message-ID: <45FAC275.5040407@redhat.com> Flavio Curti wrote: > Hello > > I'm trying to backup cisco-routers behind another cisco router. This > should work using the usercmd patch. However I have two problems: > > - The routers are in vrf instances on the router, so i have to login > like this: telnet routerip /vrf vrfinstance > > - the routers have the same internal ip-addresses, so i can have a > router on 192.168.0.1 in vrf "one" and vrf "two" > > Can I do this using the usercmd command? Do I have to make a public dns Yes; put that in the usercmd_chat command. 
Something like the below should do:
add usercmd_chat 192.168.0.1 {>} {telnet 192.168.0.1 /vrf one\r} {User Access Verification\r} {}
> entry for every router I have? Doesn't need to be a public IP, but you need to be able to unambiguously identify your devices. You could do that by virtually assigning other IP addresses to the devices in the vrfinstance "two". E.g.: 192.168.255.1 for 192.168.0.1.
add usercmd_chat 192.168.255.1 {>} {telnet 192.168.0.1 /vrf two\r} {User Access Verification\r} {}
bye michael -- Michael Stefaniuc Tel.: +49-711-96437-199 Sr. Network Engineer Fax.: +49-711-96437-111 Red Hat GmbH Email: mstefani at redhat.com Hauptstaetterstr. 58 http://www.redhat.de/ D-70178 Stuttgart From jluintel at gmail.com Fri Mar 16 16:19:28 2007 From: jluintel at gmail.com (Jayendra Luintel) Date: Fri, 16 Mar 2007 12:19:28 -0400 Subject: [rancid] limiting diff email's content Message-ID: <122e2f740703160919w7d37464cp35ae0563af9e7d0e@mail.gmail.com> Currently I am running rancid-2.3.1_1 on freebsd 6.1. It is a great tool and I am loving it. With current setup rancid tells what configuration changes have been made over the emails. Would it be possible to limit rancid's email to just tell me where the configuration changes have occurred. I do not want to know the details of changes in email. Just want to know where the changes have occurred will suffice for my purpose. I noticed there is some patch written about it here: http://www.shrubbery.net/pipermail/rancid-discuss/2005-April/000975.html But I am having difficulty using this patch. Basically I want to make rancid less smart so that I do not get details of change over email. I just want to get in what routers/switches changes have occurred. Any direction or help will be appreciated. Thanks, Jayendra -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20070316/c8c58365/attachment.html From nduda at VistaPrint.com Tue Mar 20 19:13:02 2007 From: nduda at VistaPrint.com (Nick Duda) Date: Tue, 20 Mar 2007 15:13:02 -0400 Subject: [rancid] Rancid and Last Config changes in Cisco gear Message-ID: Is there any way to add the "Last configuration change" section to rancid for Cisco gear? We run rancid, but also have to run a custom script (which pretty much does the exact same thing as rancid) side by side. All it does is give us the following line: ! ! Last configuration change at 14:58:54 EST Mon Mar 19 2007 by UserX ! ! NVRAM config last updated at 14:59:03 EST Mon Mar 19 2007 by UserX If we could have rancid get this data also (and email it with the alerts) things would be great. Regards, Nick From mashcraft at omniture.com Tue Mar 20 20:20:31 2007 From: mashcraft at omniture.com (Mike Ashcraft) Date: Tue, 20 Mar 2007 14:20:31 -0600 Subject: [rancid] Re: Rancid and Last Config changes in Cisco gear In-Reply-To: References: Message-ID: <2036820397BC8048A6A6A17F421DBC8703CD3D7F@EXCHANGE.orm.omniture.com> Nick, In bin/rancid, the following code segment handles this:
# This routine processes a "write term"
sub WriteTerm {
    print STDERR " In WriteTerm: $_" if ($debug);
    my($lineauto,$comment,$linecnt) = (0,0,0);
    while (<INPUT>) {
        tr/\015//d;
        last if(/^$prompt/);
        return(1) if /Line has invalid autocommand /;
        return(1) if /(Invalid input detected|Type help or )/;
        return(-1) if (/command authorization failed/i);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;
        /Non-Volatile memory is in use/ && return(-1); # NvRAM is locked
        return(0) if ($found_end); # Only do this routine once
        $linecnt++;
        $lineauto = 0 if (/^[^ ]/);
        # skip the crap
        if (/^(##+$|(Building|Current) configuration)/i) {
            while (<INPUT>) {
                next if (/^Current configuration\s*:/i);
                next if (/^:/);
                next if (/^([%!].*|\s*)$/);
The last line listed above strips out comments and blank lines at 
the top of the 'show running configuration' output. Modify or remove it to retain your desired information. You will have to repeat this if you upgrade rancid. Mike -----Original Message----- From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Nick Duda Sent: Tuesday, March 20, 2007 1:13 PM To: rancid-discuss at shrubbery.net Subject: [rancid] Rancid and Last Config changes in Cisco gear Is there any way to add the "Last configuration change" section to rancid for Cisco gear? We run rancid, but also have to run a custom script (which pretty much does the exact same thing as rancid) side by side. All it does is give us the following line: ! ! Last configuration change at 14:58:54 EST Mon Mar 19 2007 by UserX ! ! NVRAM config last updated at 14:59:03 EST Mon Mar 19 2007 by UserX If we could have rancid get this data also (and email it with the alerts) things would be great. Regards, Nick _______________________________________________ Rancid-discuss mailing list Rancid-discuss at shrubbery.net http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From nduda at VistaPrint.com Wed Mar 21 12:36:48 2007 From: nduda at VistaPrint.com (Nick Duda) Date: Wed, 21 Mar 2007 08:36:48 -0400 Subject: [rancid] Re: Rancid and Last Config changes in Cisco gear In-Reply-To: <2036820397BC8048A6A6A17F421DBC8703CD3D7F@EXCHANGE.orm.omniture.com> References: <2036820397BC8048A6A6A17F421DBC8703CD3D7F@EXCHANGE.orm.omniture.com> Message-ID: I commented out that line and still don't get the last configured by in the rancid alerts..etc. 
- Nick -----Original Message----- From: Mike Ashcraft [mailto:mashcraft at omniture.com] Sent: Tuesday, March 20, 2007 4:21 PM To: Nick Duda; rancid-discuss at shrubbery.net Subject: RE: [rancid] Rancid and Last Config changes in Cisco gear Nick, In bin/rancid, the following code segment handles this:
# This routine processes a "write term"
sub WriteTerm {
    print STDERR " In WriteTerm: $_" if ($debug);
    my($lineauto,$comment,$linecnt) = (0,0,0);
    while (<INPUT>) {
        tr/\015//d;
        last if(/^$prompt/);
        return(1) if /Line has invalid autocommand /;
        return(1) if /(Invalid input detected|Type help or )/;
        return(-1) if (/command authorization failed/i);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;
        /Non-Volatile memory is in use/ && return(-1); # NvRAM is locked
        return(0) if ($found_end); # Only do this routine once
        $linecnt++;
        $lineauto = 0 if (/^[^ ]/);
        # skip the crap
        if (/^(##+$|(Building|Current) configuration)/i) {
            while (<INPUT>) {
                next if (/^Current configuration\s*:/i);
                next if (/^:/);
                next if (/^([%!].*|\s*)$/);
The last line listed above strips out comments and blank lines at the top of the 'show running configuration' output. Modify or remove it to retain your desired information. You will have to repeat this if you upgrade rancid. Mike -----Original Message----- From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Nick Duda Sent: Tuesday, March 20, 2007 1:13 PM To: rancid-discuss at shrubbery.net Subject: [rancid] Rancid and Last Config changes in Cisco gear Is there any way to add the "Last configuration change" section to rancid for Cisco gear? We run rancid, but also have to run a custom script (which pretty much does the exact same thing as rancid) side by side. All it does is give us the following line: ! ! Last configuration change at 14:58:54 EST Mon Mar 19 2007 by UserX ! ! 
NVRAM config last updated at 14:59:03 EST Mon Mar 19 2007 by UserX If we could have rancid get this data also (and email it with the alerts) things would be great. Regards, Nick _______________________________________________ Rancid-discuss mailing list Rancid-discuss at shrubbery.net http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From nduda at VistaPrint.com Wed Mar 21 12:43:01 2007 From: nduda at VistaPrint.com (Nick Duda) Date: Wed, 21 Mar 2007 08:43:01 -0400 Subject: [rancid] Re: Rancid and Last Config changes in Cisco gear In-Reply-To: References: <2036820397BC8048A6A6A17F421DBC8703CD3D7F@EXCHANGE.orm.omniture.com> Message-ID: FYI, so this is what my rancid file looks like:
# This routine processes a "write term"
sub WriteTerm {
    print STDERR " In WriteTerm: $_" if ($debug);
    my($lineauto,$comment,$linecnt) = (0,0,0);
    while (<INPUT>) {
        tr/\015//d;
        last if(/^$prompt/);
        return(-1) if (/command authorization failed/i);
        return(1) if /(Invalid input detected|Type help or )/;
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;
        /Non-Volatile memory is in use/ && return(-1); # NvRAM is locked
        return(0) if ($found_end); # Only do this routine once
        $linecnt++;
        $lineauto = 0 if (/^[^ ]/);
        # skip the crap
        if (/^(##+$|(Building|Current) configuration)/i) {
            while (<INPUT>) {
                next if (/^Current configuration\s*:/i);
                next if (/^:/);
                # next if (/^([%!].*|\s*)$/);
                next if (/^ip add.*ipv4:/); # band-aid for 3620 12.0S
                last;
            }
-----Original Message----- From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Nick Duda Sent: Wednesday, March 21, 2007 8:37 AM To: Mike Ashcraft; rancid-discuss at shrubbery.net Subject: [rancid] Re: Rancid and Last Config changes in Cisco gear I commented out that line and still don't get the last configured by in the rancid alerts..etc. 
- Nick -----Original Message----- From: Mike Ashcraft [mailto:mashcraft at omniture.com] Sent: Tuesday, March 20, 2007 4:21 PM To: Nick Duda; rancid-discuss at shrubbery.net Subject: RE: [rancid] Rancid and Last Config changes in Cisco gear Nick, In bin/rancid, the following code segment handles this:
# This routine processes a "write term"
sub WriteTerm {
    print STDERR " In WriteTerm: $_" if ($debug);
    my($lineauto,$comment,$linecnt) = (0,0,0);
    while (<INPUT>) {
        tr/\015//d;
        last if(/^$prompt/);
        return(1) if /Line has invalid autocommand /;
        return(1) if /(Invalid input detected|Type help or )/;
        return(-1) if (/command authorization failed/i);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;
        /Non-Volatile memory is in use/ && return(-1); # NvRAM is locked
        return(0) if ($found_end); # Only do this routine once
        $linecnt++;
        $lineauto = 0 if (/^[^ ]/);
        # skip the crap
        if (/^(##+$|(Building|Current) configuration)/i) {
            while (<INPUT>) {
                next if (/^Current configuration\s*:/i);
                next if (/^:/);
                next if (/^([%!].*|\s*)$/);
The last line listed above strips out comments and blank lines at the top of the 'show running configuration' output. Modify or remove it to retain your desired information. You will have to repeat this if you upgrade rancid. Mike -----Original Message----- From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Nick Duda Sent: Tuesday, March 20, 2007 1:13 PM To: rancid-discuss at shrubbery.net Subject: [rancid] Rancid and Last Config changes in Cisco gear Is there any way to add the "Last configuration change" section to rancid for Cisco gear? We run rancid, but also have to run a custom script (which pretty much does the exact same thing as rancid) side by side. All it does is give us the following line: ! ! Last configuration change at 14:58:54 EST Mon Mar 19 2007 by UserX ! ! 
NVRAM config last updated at 14:59:03 EST Mon Mar 19 2007 by UserX If we could have rancid get this data also (and email it with the alerts) things would be great. Regards, Nick _______________________________________________ Rancid-discuss mailing list Rancid-discuss at shrubbery.net http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss _______________________________________________ Rancid-discuss mailing list Rancid-discuss at shrubbery.net http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From wmuriithi at iwayafrica.com Wed Mar 21 14:21:30 2007 From: wmuriithi at iwayafrica.com (kihara Muriithi) Date: Wed, 21 Mar 2007 17:21:30 +0300 Subject: [rancid] Packeteer's packetshaper configuration Message-ID: <1174486890.2986.18.camel@test4.afsat.com> Hi all, I have a working installation of rancid backing up cisco equipment configurations. I am trying to configure rancid to back up packetshapers configuration. Packetshaper is running version 7 software. Though I have seen articles of people mentioning that they have managed this feat, I can't find anything on packeteer's packetshaper configuration. Does anybody have a pointer on where I can get this information? Has anybody here managed to do it? I would be very grateful for any assistance Thanks William From lists.fcu at no-way.org Thu Mar 22 00:15:13 2007 From: lists.fcu at no-way.org (Flavio Curti) Date: Thu, 22 Mar 2007 01:15:13 +0100 Subject: [rancid] passwords on cisco router keep changing Message-ID: <20070322001513.GM5414@no-way.org> Hello I understand this is not a rancid question, but maybe someone made the same observation and has a hint: I have several Cisco routers I backup including passwords. So far so good. Now some routers have l2tp-classes using a cisco "7" password defined. The "encrypted" values of those passwords change on every "show run" which spams me with changed emails. All other cisco "7" passwords do not show that behaviour only the l2tp-class passwords... 
l2tp-class TESTCLASS authentication password 7 SOMETHING next rancid run: l2tp-class TESTCLASS authentication password 7 DIFFERENT-SOMETHING I'd like to disable that feature as the cisco "7" passwords are not really hard to decrypt anyway, so I doubt this brings anything rg. security. Thank you for your help and kind regards Flavio Curti -- http://no-way.org/~fcu/ From fcu at no-way.org Fri Mar 16 15:28:31 2007 From: fcu at no-way.org (Flavio Curti) Date: Fri, 16 Mar 2007 16:28:31 +0100 Subject: [rancid] Backing up Routers behind Cisco Router in VRF instance Message-ID: <20070316152831.GK5414@no-way.org> Hello I'm trying to backup cisco-routers behind another cisco router. This should work using the usercmd patch. However I have two problems: - The routers are in vrf instances on the router, so i have to login like this: telnet routerip /vrf vrfinstance - the routers have the same internal ip-addresses, so i can have a router on 192.168.0.1 in vrf "one" and vrf "two" Can I do this using the usercmd command? Do I have to make a public dns entry for every router I have? Thank you for your help and kind regards Flavio Curti -- http://no-way.org/~fcu/ From eravin at panix.com Thu Mar 22 15:27:55 2007 From: eravin at panix.com (Ed Ravin) Date: Thu, 22 Mar 2007 11:27:55 -0400 Subject: [rancid] Re: Backing up Routers behind Cisco Router in VRF instance In-Reply-To: <20070316152831.GK5414@no-way.org> References: <20070316152831.GK5414@no-way.org> Message-ID: <20070322152755.GC16112@panix.com> On Fri, Mar 16, 2007 at 04:28:31PM +0100, Flavio Curti wrote: > I'm trying to backup cisco-routers behind another cisco router. This > should work using the usercmd patch. However I have two problems: > > - The routers are in vrf instances on the router, so i have to login > like this: telnet routerip /vrf vrfinstance That's easy, just put the /vrf option in the usercmd_chat variable for the instance. 
> - the routers have the same internal ip-addresses, so i can have a > router on 192.168.0.1 in vrf "one" and vrf "two" Ouch. This is such a bad idea, for this and many other reasons. But if you insist on having duplicate IP in your network, it can be supported with the usercmd patches. You need to use names for the routers in cloginrc rather than IP addresses, and "translate" the names in the usercmd_chat entries. For example: add method vrf_NYC_192.168.0.1 usercmd add usercmd vrf_NYC_192.168.0.1 {clogin} {GATEWAY-ROUTER} add usercmd_chat vrf_NYC_192.168.0.1 {>} {telnet 192.168.0.1 /vrf VRF-INSTANCE\r} {User Access Verification\r} {} And then add an entry for another city: add method vrf_Chicago_192.168.0.1 usercmd add usercmd vrf_Chicago_192.168.0.1 {clogin} {GATEWAY-ROUTER} add usercmd_chat vrf_Chicago_192.168.0.1 {>} {telnet 192.168.0.1 /vrf VRF-INSTANCE\r} {User Access Verification\r} {} Naturally, you'll need the right values for "GATEWAY-ROUTER" and "VRF-INSTANCE" for your environment. My examples above also assume that you've already got clogin working for "GATEWAY-ROUTER". This will be a bit tricky to set up. Suggest you think long and hard about how to name everything so you will be able to maintain your settings as you add new routers to this scheme. And think of whoever takes over your job several years from now - they're probably already tossing in their sleep muttering nasty things about the network numbering scheme they're going to inherit. > Do I have to make a public dns > entry for every router I have? I don't think you have to if you don't want to. My examples above do not depend on DNS - the "vrf_CITY_IP-address" names never get resolved. There's not much point to using DNS when you have duplicate IP addresses, since the context, not the DNS name, controls which host you see. 
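An added example, not part of Ed Ravin's message or of the usercmd patch: a generator that emits the three cloginrc lines per device in the form shown in the message above, and refuses an inventory in which two routers would be indistinguishable. The inventory, the gateway hostnames and the character allow-list are constructed assumptions; the directive syntax is copied from the message and is only as valid as the patched clogin that reads it.

```python
import ipaddress
import re
from collections import namedtuple

# One router that is reachable only by typing "telnet <ip> /vrf <vrf>" on a gateway.
Device = namedtuple("Device", "site ip vrf gateway")

# Constructed sample inventory: the same inside address exists in two VRFs.
INVENTORY = [
    Device("NYC", "192.168.0.1", "one", "gw-nyc.example.net"),
    Device("Chicago", "192.168.0.1", "two", "gw-chi.example.net"),
]

# Values are pasted into brace-quoted cloginrc fields, so accept only characters
# that cannot close a brace group, start a substitution or add a second word
# (assumption: a conservative allow-list, not a rule taken from rancid).
SAFE_TOKEN = re.compile(r"[A-Za-z0-9_.-]+")


def device_name(dev):
    """cloginrc name in the vrf_SITE_IP style of the message; it is never resolved."""
    return "vrf_{}_{}".format(dev.site, dev.ip)


def validate(inventory):
    """Raise ValueError for unsafe values or for two entries that cannot be told apart."""
    names, paths = {}, {}
    for dev in inventory:
        for field, value in dev._asdict().items():
            if not SAFE_TOKEN.fullmatch(value):
                raise ValueError("unsafe characters in {} {!r}".format(field, value))
        ipaddress.IPv4Address(dev.ip)  # ValueError on a malformed address
        name = device_name(dev)
        if name in names:
            # Same site label and same address: the name alone no longer picks one box.
            raise ValueError("name {} is used twice".format(name))
        names[name] = dev
        path = (dev.gateway, dev.vrf, dev.ip)
        if path in paths:
            # Same gateway, VRF and address: two names would log in to one router.
            raise ValueError("{} and {} reach the same router".format(
                device_name(paths[path]), name))
        paths[path] = dev


def render(inventory):
    """Return cloginrc text with one method/usercmd/usercmd_chat triple per device."""
    validate(inventory)
    lines = []
    for dev in inventory:
        name = device_name(dev)
        lines.append("add method {} usercmd".format(name))
        lines.append("add usercmd {} {{clogin}} {{{}}}".format(name, dev.gateway))
        lines.append(
            "add usercmd_chat {} {{>}} {{telnet {} /vrf {}\\r}} "
            "{{User Access Verification\\r}} {{}}".format(name, dev.ip, dev.vrf)
        )
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render(INVENTORY), end="")
```

The duplicate checks cover both ways the naming scheme can go wrong: two devices collapsing onto one name, and two names pointing at one gateway/VRF/address path.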
From Regis.Calmejane at insa-toulouse.fr Fri Mar 23 09:14:45 2007 From: Regis.Calmejane at insa-toulouse.fr (=?ISO-8859-1?Q?R=E9gis_Calm=E9jane?=) Date: Fri, 23 Mar 2007 10:14:45 +0100 Subject: [rancid] help with mktop Message-ID: <46039A85.7070503@insa-toulouse.fr> I want to put on mktop a detection for hp switch (like mktop does for Cisco and Juniper) but I'm not a programmer at all. Please help ! thanks From yuvalba at netvision.net.il Sat Mar 24 23:22:23 2007 From: yuvalba at netvision.net.il (Yuval Ben-Ari) Date: Sun, 25 Mar 2007 01:22:23 +0200 Subject: [rancid] Re: limiting diff email's content References: <122e2f740703160919w7d37464cp35ae0563af9e7d0e@mail.gmail.com> Message-ID: <58D14E53A4F69C4EAF4D29171C447CC401968322@NTX-CL.forest.netvision.net.il> it sounds to me that you don't really need rancid for that how about simply monitoring logs for %SYS-5-CONFIG_I event and send an alert ? can be done in various ways ... ________________________________ From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Jayendra Luintel Sent: Friday, March 16, 2007 6:19 PM To: rancid-discuss at shrubbery.net Subject: [rancid] limiting diff email's content Currently I am running rancid-2.3.1_1 on freebsd 6.1. It is great tools and I am loving it. With current setup rancid tells what configuration changes have been made over the emails. Would it be possible to limit rancid's email to just tell me where the configuration changes has occured. I do not want to know the details of changes in email. Just want to know where the changes have occured will suffice for my purpose. I noticed there is some patch written about it here: http://www.shrubbery.net/pipermail/rancid-discuss/2005-April/000975.html But I am having difficulty using this patch. Basically I want to make rancid less smart so that I do not get details of change over email. I just want to get in what routers/switches changes have occured. 
Any direction or help will be appreciated. Thanks, Jayendra -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20070325/6d990778/attachment.html From jeff at ocjtech.us Sun Mar 25 23:48:55 2007 From: jeff at ocjtech.us (Jeffrey C. Ollie) Date: Sun, 25 Mar 2007 18:48:55 -0500 Subject: [rancid] Public CVS/SVN for RANCID Source Code? Message-ID: <1174866535.21755.174.camel@lt21223.campus.dmacc.edu> Is there a public CVS or SVN repository for the RANCID source code? Jeff -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20070325/225ffd52/attachment.bin From rancid at gheek.net Mon Mar 26 05:30:37 2007 From: rancid at gheek.net (Lance) Date: Sun, 25 Mar 2007 22:30:37 -0700 Subject: [rancid] Re: Public CVS/SVN for RANCID Source Code? Message-ID: <20070325223037.8e114e4890519e5179c192e02d6bca26.cbfe98ca6b.wbe@email.secureserver.net> Jeff, viewvc cvsweb > -------- Original Message -------- > Subject: [rancid] Public CVS/SVN for RANCID Source Code? > From: "Jeffrey C. Ollie" > Date: Sun, March 25, 2007 4:48 pm > To: rancid-discuss at shrubbery.net > > Is there a public CVS or SVN repository for the RANCID source code? > > Jeff
_______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net From saku+rancid at ytti.fi Mon Mar 26 05:35:49 2007 From: saku+rancid at ytti.fi (Saku Ytti) Date: Mon, 26 Mar 2007 08:35:49 +0300 Subject: [rancid] Re: Public CVS/SVN for RANCID Source Code? In-Reply-To: <20070325223037.8e114e4890519e5179c192e02d6bca26.cbfe98ca6b.wbe@email.secureserver.net> References: <20070325223037.8e114e4890519e5179c192e02d6bca26.cbfe98ca6b.wbe@email.secureserver.net> Message-ID: <20070326053549.GA20658@mx.ytti.net> On (2007-03-25 22:30 -0700), Lance wrote: > Jeff, > > viewvc cvsweb I think what Jeffrey wanted was read access to RCS where rancid is being developed. But sorry, I have no idea of such RCS. > > -------- Original Message -------- > > Subject: [rancid] Public CVS/SVN for RANCID Source Code? > > From: "Jeffrey C. Ollie" > > Date: Sun, March 25, 2007 4:48 pm > > To: rancid-discuss at shrubbery.net > > > > Is there a public CVS or SVN repository for the RANCID source code? > > > > Jeff
_______________________________________________ > > Rancid-discuss mailing list > > Rancid-discuss at shrubbery.net > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss -- ++ytti From wmuriithi at afsat-af.com Mon Mar 26 13:58:24 2007 From: wmuriithi at afsat-af.com (kihara Muriithi) Date: Mon, 26 Mar 2007 16:58:24 +0300 Subject: [rancid] Config backup clarification Message-ID: <1174917504.3130.34.camel@test4.afsat.com> Hi all, I am not sure I have grasped how rancid saves the configuration. From the information I have gathered on line, it looks like the configuration is saved in /usr/local/rancid/var/networking/configs/ directory. There, I can find two copies of the config, for example 10.0.0.2 and 10.0.0.2.new. There is also CVS directory, but it has nothing. Now our plan is to keep the configuration for at least 12 months. After a week of running rancid, I can't seem to find any configuration backup more than 2 days old. Have I mis-configured something or where specifically should I be looking? The log file don't have an error message by the way I will be grateful for any assistance. Thanks William From justin at justinshore.com Mon Mar 26 15:02:36 2007 
From: justin at justinshore.com (Justin Shore) Date: Mon, 26 Mar 2007 10:02:36 -0500 Subject: [rancid] Pulling down context configs from a Cisco FWSM Message-ID: <4607E08C.3060808@justinshore.com> Does anyone have any tricks for using RANCID to pull down Cisco firewall (Pix/ASA or FWSM) contexts to stuff them into CVS? I don't know when a contexts has been added so I would expect the script would have to connect to the admin context, changeto the system context and then run "show contexts" and parse the output of the first column to find out what contexts are available. It would then have to changeto each context, pull down the data and move on to the next context. For that matter I'd like to get the content of the system context as well. Does anyone have any tricks for working with firewalls that have more than one context? I'm guessing that I'm not the only person with such a beast. :-) Thanks Justin From rancid at gheek.net Mon Mar 26 15:49:26 2007 From: rancid at gheek.net (Lance) Date: Mon, 26 Mar 2007 08:49:26 -0700 Subject: [rancid] Re: Config backup clarification Message-ID: <20070326084925.8e114e4890519e5179c192e02d6bca26.fd3645081d.wbe@email.secureserver.net> William, Everything is kept in a CVS/SVN repository. So changes can go back years. Just put a nice frontend (viewvc,cvsweb,etc) on it if you are not familiar with CVS/SVN. -Lance > -------- Original Message -------- > Subject: [rancid] Config backup clarification 
> From: kihara Muriithi > Date: Mon, March 26, 2007 6:58 am > To: rancid-discuss at shrubbery.net > > Hi all, > I am not sure I have grasped how rancid saves the configuration. From > the information I have gathered on line, it looks like the configuration > is saved in /usr/local/rancid/var/networking/configs/ directory. There, > I can find two copies of the config, for example 10.0.0.2 and > 10.0.0.2.new. There is also CVS directory, but it has nothing. > Now our plan is to keep the configuration for at least 12 months. > After a week of running rancid, I can't seem to find any configuration > backup more than 2 days old. Have I mis-configured something or where > specifically should I be looking? The log file don't have an error > message by the way > I will be grateful for any assistance. > > Thanks > William > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From rancid at gheek.net Mon Mar 26 15:54:48 2007 From: rancid at gheek.net (Lance) Date: Mon, 26 Mar 2007 08:54:48 -0700 Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM Message-ID: <20070326085447.8e114e4890519e5179c192e02d6bca26.41364e6c96.wbe@email.secureserver.net> Justin, Great idea. To add to it, you don't want to include the admin context. Any others including system which does not show up in a "show contexts". I am not sure how the config looks for the admin view with multiple contexts, but we have only the admin and system contexts and the configs are the same that I can tell. act/hq-pix-1/admin# show context Context Name Class Interfaces URL *admin default GigabitEthernet0/0, disk0:/admin.cfg GigabitEthernet0/1, GigabitEthernet0/2, GigabitEthernet1/0, GigabitEthernet1/1, Management0/0 > -------- Original Message -------- > Subject: [rancid] Pulling down context configs from a Cisco FWSM 
> From: Justin Shore > Date: Mon, March 26, 2007 8:02 am > To: rancid-discuss at shrubbery.net > > Does anyone have any tricks for using RANCID to pull down Cisco firewall > (Pix/ASA or FWSM) contexts to stuff them into CVS? I don't know when a > contexts has been added so I would expect the script would have to > connect to the admin context, changeto the system context and then run > "show contexts" and parse the output of the first column to find out > what contexts are available. It would then have to changeto each > context, pull down the data and move on to the next context. For that > matter I'd like to get the content of the system context as well. > > Does anyone have any tricks for working with firewalls that have more > than one context? I'm guessing that I'm not the only person with such a > beast. :-) > > Thanks > Justin > > > > > > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From lance at gheek.net Mon Mar 26 15:53:13 2007 From: lance at gheek.net (Lance Vermilion) Date: Mon, 26 Mar 2007 08:53:13 -0700 Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM Message-ID: <20070326085313.8e114e4890519e5179c192e02d6bca26.d4c36c87c3.wbe@email.secureserver.net> Justin, Great idea. To add to it, you don't want to include the admin context. Any others including system which does not show up in a "show contexts". I am not sure how the config looks for the admin view with multiple contexts, but we have only the admin and system contexts and the configs are the same that I can tell. act/hq-pix-1/admin# show context Context Name Class Interfaces URL *admin default GigabitEthernet0/0, disk0:/admin.cfg GigabitEthernet0/1, GigabitEthernet0/2, GigabitEthernet1/0, GigabitEthernet1/1, Management0/0 > -------- Original Message -------- > Subject: [rancid] Pulling down context configs from a Cisco FWSM 
> From: Justin Shore > Date: Mon, March 26, 2007 8:02 am > To: rancid-discuss at shrubbery.net > > Does anyone have any tricks for using RANCID to pull down Cisco firewall > (Pix/ASA or FWSM) contexts to stuff them into CVS? I don't know when a > contexts has been added so I would expect the script would have to > connect to the admin context, changeto the system context and then run > "show contexts" and parse the output of the first column to find out > what contexts are available. It would then have to changeto each > context, pull down the data and move on to the next context. For that > matter I'd like to get the content of the system context as well. > > Does anyone have any tricks for working with firewalls that have more > than one context? I'm guessing that I'm not the only person with such a > beast. :-) > > Thanks > Justin > > > > > > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From rancid at veggiechinese.net Mon Mar 26 19:14:07 2007 From: rancid at veggiechinese.net (William Yardley) Date: Mon, 26 Mar 2007 12:14:07 -0700 Subject: [rancid] flip-flopping device diff Message-ID: <20070326191407.GA19386@mitch.veggiechinese.net> I have a device which is flip-flopping every time rancid runs... to me, the two versions look exactly the same. To the best of my knowledge, nothing has changed in our setup. It's been going back and forth for 24 hours at least. $ cvs diff -r 1.47 -u devicename Index: devicename =================================================================== RCS file: /cvs/cvsroot/rancid/configs/devicename,v retrieving revision 1.47 retrieving revision 1.48 diff -u -r1.47 -r1.48 --- devicename 26 Mar 2007 11:05:22 -0000 1.47 +++ devicename 26 Mar 2007 19:05:18 -0000 1.48 
@@ -55,8 +55,6 @@ ! !Slot 1: type 100BaseTX-ISL, 1 ports !Slot 1: hvers 1.4 rev B0 -!Slot 1: hvers 1.4 rev B0 -!Slot 1: part 73-1688-05, serial 17841895 !Slot 1: part 73-1688-05, serial 17841895 ! !Slot 3: type T3 PA, 1 ports I used "cat -v" and "od -c" to try and see if there were any obvious $ cvs diff -r 1.47 -u devicename | cat -v -e Index: devicename$ ===================================================================$ RCS file: /cvs/cvsroot/rancid/configs/devicename,v$ retrieving revision 1.47$ retrieving revision 1.48$ diff -u -r1.47 -r1.48$ --- devicename 26 Mar 2007 11:05:22 -0000 1.47$ +++ devicename 26 Mar 2007 19:05:18 -0000 1.48$ @@ -55,8 +55,6 @@$ !$ !Slot 1: type 100BaseTX-ISL, 1 ports$ !Slot 1: hvers 1.4 rev B0$ -!Slot 1: hvers 1.4 rev B0$ -!Slot 1: part 73-1688-05, serial 17841895$ !Slot 1: part 73-1688-05, serial 17841895$ !$ !Slot 3: type T3 PA, 1 ports$ $ cat /tmp/diff !Slot 1: hvers 1.4 rev B0 !Slot 1: hvers 1.4 rev B0 $ od -c /tmp/diff 0000000 ! S l o t 1 : h v e r s 1 0000020 . 4 r e v B 0 \n ! S l o t 0000040 1 : h v e r s 1 . 4 r e v 0000060 B 0 \n 0000064 From jeff at ocjtech.us Tue Mar 27 03:54:19 2007
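Review bot: in the @@ -55,8 +55,6 @@ hunk the two removed lines are character-for-character the same as the unchanged lines beside them ("!Slot 1: hvers 1.4 rev B0" and "!Slot 1: part 73-1688-05, serial 17841895"), so revision 1.47 holds each of those Slot 1 lines twice and 1.48 holds them once. The revisions differ in how many copies of the lines were collected, not in whitespace or hidden characters, which is why the cat -v -e and od -c output shows nothing unusual. Suggest saving the raw command output from two consecutive runs and comparing the Slot 1 block, to see whether the device prints it twice on alternate runs or the duplication arises during collection.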
From: jeff at ocjtech.us (Jeffrey C. Ollie) Date: Mon, 26 Mar 2007 22:54:19 -0500 Subject: [rancid] Re: Public CVS/SVN for RANCID Source Code? In-Reply-To: <1174866535.21755.174.camel@lt21223.campus.dmacc.edu> References: <1174866535.21755.174.camel@lt21223.campus.dmacc.edu> Message-ID: <1174967659.3742.9.camel@lt21223.campus.dmacc.edu> On Sun, 2007-03-25 at 18:48 -0500, Jeffrey C. Ollie wrote: > Is there a public CVS or SVN repository for the RANCID source code? Since there doesn't seem to be one, I've synthesized a Git repository using all of the tarballs from the FTP server. You can see the results here: http://git.ocjtech.us/rancid Happy hacking! Jeff From rob at techniumcast.com Tue Mar 27 10:24:29 2007
From: rob at techniumcast.com (Rob Shepherd)
Date: Tue, 27 Mar 2007 11:24:29 +0100
Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM
In-Reply-To: <20070326085313.8e114e4890519e5179c192e02d6bca26.d4c36c87c3.wbe@email.secureserver.net>
References: <20070326085313.8e114e4890519e5179c192e02d6bca26.d4c36c87c3.wbe@email.secureserver.net>
Message-ID: <4608F0DD.6050003@techniumcast.com>

Lance Vermilion wrote:
> Justin,
>
> Great idea. [...] I am not sure how the config looks for the admin view with
> multiple contexts, but we have only the admin and system contexts and
> the configs are the same that I can tell.
>

Here is the output from my system with multiple contexts.

> cast-tec-mr2-c5-fsm1/cast# changeto system
> cast-tec-mr2-c5-fsm1# show context
> Context Name            Class      Interfaces                  URL
> *cast                   cast       vlan3,164,501,511           disk:/cast.cfg
>  university             university vlan216,316,416,501,511     disk:/university.cfg
>  inspired-broadcast     inspired-b vlan217,317,417,501,511     disk:/inspired-broadcast.cfg
>  bdex                   default    vlan218,318,418,501,511     disk:/bdex.cfg
>  cast-shared-servers    cast       vlan102,511                 disk:/cast-shared-servers.cfg
>  alcatel-ipt            alcatel-ip vlan511,601,616-626,632     disk:/alcatel-ipt.cfg
>  netability             netability vlan219,319,419,501,511     disk:/netability.cfg
>  etl                    etl        vlan223,323,423,501,511     disk:/etl.cfg
>  celeritas              celeritas  vlan220,320,420,501,511     disk:/celeritas.cfg
>  brandsauce             brandsauce vlan221,321,421,501,511     disk:/brandsauce.cfg
>  eon                    eon        vlan222,322,422,501,511     disk:/eon.cfg
>  neat3d                 neat3d     vlan224,324,424,501,511     disk:/neat3d.cfg
>  lightwave-technologies lightwave- vlan225,325,425,501,511     disk:/lightwave-technologies.cfg
>  guest-networks         guest-netw vlan426,501,504-505,508,511 disk:/guest-networks.cfg
>  event-networks         event-netw vlan501,506-507,511         disk:/event-networks.cfg
>  wag                    wag        vlan226,326,501,511         disk:/wag.cfg
>
> Total active Security Contexts: 16
> cast-tec-mr2-c5-fsm1#

So, in through system context (*).....

login
enable
changeto system
show context | awk '{print $1}' | sed -e 's/\*//g' | while read CTXT
do
    changeto context $CTXT
    // normal RANCID operations
    changeto system
done

I would be very interested in having this functionality.

I would also be interested in helping to code up the changes necessary. However I've never coded in perl, so I can't understand most of rancid.

Does somebody who knows the architecture have the time to block diagram the required changes? And mock up the process by which multiple context outputs can go to different files in the repository, just like separate hosts.

I'm eager to get a reliable backup system for my multi context FWSMs.

I've also got Standby-Failover FWSMs, but that's a headache for another day.....

Cheers

Rob

--
Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd
Technium CAST | LL57 4HJ | http://www.techniumcast.com
rob at techniumcast.com | 01248 675024 | 077988 72480

From rancid at gheek.net Tue Mar 27 14:55:40 2007
From: rancid at gheek.net (Lance)
Date: Tue, 27 Mar 2007 07:55:40 -0700
Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM
Message-ID: <20070327075540.8e114e4890519e5179c192e02d6bca26.ec785cf5b2.wbe@email.secureserver.net>

In my opinion it shouldn't be too hard. The hardest part would be looking at the output from "show contexts" and substringing or delimiting the line via expect and then dynamically changing to each one and doing the commands needed. The perl part I would like to think would be the easy part. With some work I am sure I could come up with something. I am just wrapped up in another project with IP Plan. Once I finish that I would love to attempt this.

Ed Ravin should be able to code something pretty quick. He has solid coding skills and should be able to do this in a matter of a few hours max I would think. That is up to him though.

Other options are Austin Schutz and John Heasley. I know their work is solid as well.

-Lance

> -------- Original Message --------
> Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM
> From: Rob Shepherd > Date: Tue, March 27, 2007 3:24 am > To: rancid-discuss at shrubbery.net > > Lance Vermilion wrote: > > Justin, > > > > Great idea. [...] I am not sure how the config looks for the admin view with > > multiple contexts, but we have only the admin and system contexts and > > the configs are the same that I can tell. > > > > Here is the output from my system with multiple contexts. > > > cast-tec-mr2-c5-fsm1/cast# changeto system > > cast-tec-mr2-c5-fsm1# show context > > Context Name Class Interfaces URL > > *cast cast vlan3,164,501,511 disk:/cast.cfg > > university university vlan216,316,416,501,511 disk:/university.cfg > > inspired-broadcast inspired-b vlan217,317,417,501,511 disk:/inspired-broadcast.cfg > > bdex default vlan218,318,418,501,511 disk:/bdex.cfg > > cast-shared-servers cast vlan102,511 disk:/cast-shared-servers.cfg > > alcatel-ipt alcatel-ip vlan511,601,616-626,632 disk:/alcatel-ipt.cfg > > netability netability vlan219,319,419,501,511 disk:/netability.cfg > > etl etl vlan223,323,423,501,511 disk:/etl.cfg > > celeritas celeritas vlan220,320,420,501,511 disk:/celeritas.cfg > > brandsauce brandsauce vlan221,321,421,501,511 disk:/brandsauce.cfg > > eon eon vlan222,322,422,501,511 disk:/eon.cfg > > neat3d neat3d vlan224,324,424,501,511 disk:/neat3d.cfg > > lightwave-technologies lightwave- vlan225,325,425,501,511 disk:/lightwave-technologies.cfg > > guest-networks guest-netw vlan426,501,504-505,508,511 disk:/guest-networks.cfg > > event-networks event-netw vlan501,506-507,511 disk:/event-networks.cfg > > wag wag vlan226,326,501,511 disk:/wag.cfg > > > > Total active Security Contexts: 16 > > cast-tec-mr2-c5-fsm1# > > So, in through system context (*)..... > > login > enable > changeto system > show context | awk '{print $1}' | sed -e 's/\*//g' | while read CTXT > do > changeto context $CTXT > // normal RANCID operations > changeto system > done > > I would be very interested in having this functionality. 
> I would also be interested in helping to code up the changes necessary. However I've never coded in perl, so I can't understand most of rancid. > > Does somebody who knows the architecture have the time to block diagram the required changes? And mock up the process by which multiple context > outputs can go to different files in the repository, just like separate hosts. > > I'm eager to get a reliable backup system for my multi context FWSMs. > > I've also got Standby-Failover FWSMs, but that a headache for another day..... > > Cheers > > Rob > > > -- > Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd > Technium CAST | LL57 4HJ | http://www.techniumcast.com > rob at techniumcast.com | 01248 675024 | 077988 72480 > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From eravin at panix.com Tue Mar 27 15:45:12 2007 
From: eravin at panix.com (Ed Ravin) Date: Tue, 27 Mar 2007 11:45:12 -0400 Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM In-Reply-To: <20070327075540.8e114e4890519e5179c192e02d6bca26.ec785cf5b2.wbe@email.secureserver.net> References: <20070327075540.8e114e4890519e5179c192e02d6bca26.ec785cf5b2.wbe@email.secureserver.net> Message-ID: <20070327154512.GD472@panix.com> On Tue, Mar 27, 2007 at 07:55:40AM -0700, Lance wrote: > In my opinion it shouldn't be too hard. The hardest part would be > looking at the output from "show contexts" and substringing or > delimiting the line via expect and then dynamically changing to each > one and doing the commands needed needed. The problem is that we're asking the *login scripts to do something that is outside their model - normally the *rancid scripts send the list of exact commands to run, the *login scripts run them and put the output in a file, and then the *rancid scripts parse the output. There's just no hook for dynamic / interactive commands, or returning multiple files. You've got the ability to "plugin" an external script, maybe that would be the place to start, to write a TCL script that can be called with the "-s" option to clogin, that would deliver the individual files for each context. But then we have to get the files into the *rancid program. It would be nice to do this without some ugly hack, like the ones I usually code to get around RANCID's limitations. > Ed Ravin should be able to code something pretty quick. He has solid > coding skills and should be able to do this in a matter of a few hours > max I would think. That is up to him though. Thanks for the flowers, but you are being awfully generous with my time! I have a suspicion that Austin and John are also otherwise engaged. From rancid at gheek.net Tue Mar 27 17:09:00 2007 
From: rancid at gheek.net (Lance)
Date: Tue, 27 Mar 2007 10:09:00 -0700
Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM
Message-ID: <20070327100900.8e114e4890519e5179c192e02d6bca26.7e2f3c6bb8.wbe@email.secureserver.net>

Ed,

I am sure you are busy like everyone else. I know you have a very solid grasp on rancid's files and might be able to offer some insight.

Maybe a "hack" method might be to have clogin do its normal collection but add "show context" to the commands and then after it evaluates the output it will login and gather additional information. The additional information could then be added to the same file that was originally created.

An Expect approach would be to read a line at a time from "show context" and do a substring or split on that line and create another array of the show context commands.

I was thinking something like this to capture the contexts. I basically just created an array out of the lines that were posted.

set source(0) "cast cast vlan3,164,501,511 disk:/cast.cfg"
set source(1) "university university vlan216,316,416,501,511 disk:/university.cfg"
set source(2) "inspired-broadcast inspired-b vlan217,317,417,501,511 disk:/inspired-broadcast.cfg"
set source(3) "bdex default vlan218,318,418,501,511 disk:/bdex.cfg"
set source(4) "cast-shared-servers cast vlan102,511 disk:/cast-shared-servers.cfg"
set source(5) "alcatel-ipt alcatel-ip vlan511,601,616-626,632 disk:/alcatel-ipt.cfg"
set source(6) "netability netability vlan219,319,419,501,511 disk:/netability.cfg"
set source(7) "etl etl vlan223,323,423,501,511 disk:/etl.cfg"
set source(8) "celeritas celeritas vlan220,320,420,501,511 disk:/celeritas.cfg"
set source(9) "brandsauce brandsauce vlan221,321,421,501,511 disk:/brandsauce.cfg"
set source(10) "eon eon vlan222,322,422,501,511 disk:/eon.cfg"
set source(11) "heat3d neat3d vlan224,324,424,501,511 disk:/neat3d.cfg"
set source(12) "lightwave-technologies lightwave- vlan225,325,425,501,511 disk:/lightwave-technologies.cfg"
set source(13) "guest-networks guest-netw vlan426,501,504-505,508,511 disk:/guest-networks.cfg"
set source(14) "event-networks event-netw vlan501,506-507,511 disk:/event-networks.cfg"
set source(15) "wag wag vlan226,326,501,511 disk:/wag.cfg"

# Walk the array in numeric index order; "array get" returns the
# elements in no guaranteed order.
foreach key [lsort -integer [array names source]] {
    # The context name is the first field of each line.
    set line [split $source($key)]
    set context [lindex $line 0]
    puts $context
}

Output:

$/usr/local/bin/expect split.exp
cast
university
inspired-broadcast
bdex
cast-shared-servers
alcatel-ipt
netability
etl
celeritas
brandsauce
eon
heat3d
lightwave-technologies
guest-networks
event-networks
wag

-lance

> -------- Original Message --------
> Subject: Re: [rancid] Re: Pulling down context configs from a Cisco
> FWSM
> From: Ed Ravin > Date: Tue, March 27, 2007 8:45 am > To: Lance > Cc: Rob Shepherd , rancid-discuss at shrubbery.net > > On Tue, Mar 27, 2007 at 07:55:40AM -0700, Lance wrote: > > In my opinion it shouldn't be too hard. The hardest part would be > > looking at the output from "show contexts" and substringing or > > delimiting the line via expect and then dynamically changing to each > > one and doing the commands needed needed. > > The problem is that we're asking the *login scripts to do something > that is outside their model - normally the *rancid scripts send the > list of exact commands to run, the *login scripts run them and put the > output in a file, and then the *rancid scripts parse the output. > > There's just no hook for dynamic / interactive commands, or returning > multiple files. You've got the ability to "plugin" an external script, > maybe that would be the place to start, to write a TCL script that can > be called with the "-s" option to clogin, that would deliver the > individual files for each context. > > But then we have to get the files into the *rancid program. It > would be nice to do this without some ugly hack, like the ones I > usually code to get around RANCID's limitations. > > > Ed Ravin should be able to code something pretty quick. He has solid > > coding skills and should be able to do this in a matter of a few hours > > max I would think. That is up to him though. > > Thanks for the flowers, but you are being awfully generous with my time! > I have a suspicion that Austin and John are also otherwise engaged. From justin at justinshore.com Wed Mar 28 03:06:43 2007 
From: justin at justinshore.com (Justin Shore) Date: Tue, 27 Mar 2007 22:06:43 -0500 Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM In-Reply-To: <20070327075540.8e114e4890519e5179c192e02d6bca26.ec785cf5b2.wbe@email.secureserver.net> References: <20070327075540.8e114e4890519e5179c192e02d6bca26.ec785cf5b2.wbe@email.secureserver.net> Message-ID: <4609DBC3.9040408@justinshore.com> Lance wrote: > In my opinion it shouldn't be too hard. The hardest part would be > looking at the output from "show contexts" and substringing or > delimiting the line via expect and then dynamically changing to each > one and doing the commands needed needed. The perl part I would like to > think would be the easy part. With some work I am sure I could come up > with something. I am just wrapped up in another project with IP Plan. > Once I finish that I would love to attempt this. > > Ed Ravin should be able to code something pretty quick. He has solid > coding skills and should be able to do this in a matter of a few hours > max I would think. That is up to him though. > > > Other options are Austin Schutz and John Heasley. I know their work is > solid as well. I would volunteer but my coding skills are lacking as well. When I get tired of repeatedly doing something day in and day out I'll spend a weekend writing a shell script to do it for me. The next weekend I'll rewrite it in Perl. I'll spend the following week debugging that script only to get it just right, discover it's now 10x slower and ultimately revert back to my Bash script. I've done this more times than I care to admit. :-) I should have paid more attention back in my college CS courses. I can however test scripts on my FWSMs. I have 2 in separate chassis in a A/S configuration. This code should also work or go a long ways towards being able to do the same thing on Pixs/ASAs. I can also provide moral support to the person that takes this task on. 
:-) Justin From rob at techniumcast.com Wed Mar 28 10:16:52 2007 
From: rob at techniumcast.com (Rob Shepherd)
Date: Wed, 28 Mar 2007 11:16:52 +0100
Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM
In-Reply-To: <20070327154512.GD472@panix.com>
References: <20070327075540.8e114e4890519e5179c192e02d6bca26.ec785cf5b2.wbe@email.secureserver.net> <20070327154512.GD472@panix.com>
Message-ID: <460A4094.9090601@techniumcast.com>

Ed Ravin wrote:
> On Tue, Mar 27, 2007 at 07:55:40AM -0700, Lance wrote:
>> In my opinion it shouldn't be too hard. The hardest part would be
>> looking at the output from "show contexts" and substringing or
>> delimiting the line via expect and then dynamically changing to each
>> one and doing the commands needed needed.
>
> The problem is that we're asking the *login scripts to do something
> that is outside their model - normally the *rancid scripts send the
> list of exact commands to run, the *login scripts run them and put the
> output in a file, and then the *rancid scripts parse the output.
>
> There's just no hook for dynamic / interactive commands, or returning
> multiple files. You've got the ability to "plugin" an external script,
> maybe that would be the place to start, to write a TCL script that can
> be called with the "-s" option to clogin, that would deliver the
> individual files for each context.
>
> But then we have to get the files into the *rancid program. It
> would be nice to do this without some ugly hack, like the ones I
> usually code to get around RANCID's limitations.
>
>> Ed Ravin should be able to code something pretty quick. He has solid
>> coding skills and should be able to do this in a matter of a few hours
>> max I would think. That is up to him though.
>
> Thanks for the flowers, but you are being awfully generous with my time!
> I have a suspicion that Austin and John are also otherwise engaged.

1) An option would be to have a separate component for discovering the contexts and laying them out in a file like hosts are at present.

I'd be happy to do this manually as I only add contexts every 3-4 months anyway.

2) An additional command, after "enable" select the correct context.

...would this be a variation of clogin?

I guess clogin can perform the enable command... and enter the password. Does it detect the change in prompt? to decide if it's in enable mode?

The prompt changes also when in context mode....

Here's the output of a login session. it goes straight to the admin context, then I switch to the system context, then to another context.

> rob at penguin:/tmp >ssh 172.16.3.254
> rob at 172.16.3.254's password:
> Type help or '?' for a list of available commands.
> cast-tec-mr2-c5-fsm1/cast>
> cast-tec-mr2-c5-fsm1/cast> enable
> Password: ****
> cast-tec-mr2-c5-fsm1/cast# changeto system
> cast-tec-mr2-c5-fsm1# changeto context etl
> cast-tec-mr2-c5-fsm1/etl#

Would this be a case of extending clogin to perform a context switch?

Cheers

Rob

--
Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd
Technium CAST | LL57 4HJ | http://www.techniumcast.com
rob at techniumcast.com | 01248 675024 | 077988 72480

From rancid at gheek.net Wed Mar 28 14:19:19 2007
From: rancid at gheek.net (Lance)
Date: Wed, 28 Mar 2007 07:19:19 -0700
Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM
Message-ID: <20070328071919.8e114e4890519e5179c192e02d6bca26.762d7b1375.wbe@email.secureserver.net>

Rob,

When you do a "show run" after changing contexts does it give you a slightly different config or an entirely different config.

Unfortunately at my place of business we only have a need to run 2 basic contexts, the default admin and system. So I don't work with them.

I don't intend on this being a context session 101, but why do you create contexts for each customer you have (as it appears to me)? You might enlighten me and I might switch to such a model. :-D

-Lance

> -------- Original Message --------
> Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM
> From: Rob Shepherd > Date: Wed, March 28, 2007 3:16 am > To: rancid-discuss at shrubbery.net > > Ed Ravin wrote: > > On Tue, Mar 27, 2007 at 07:55:40AM -0700, Lance wrote: > >> In my opinion it shouldn't be too hard. The hardest part would be > >> looking at the output from "show contexts" and substringing or > >> delimiting the line via expect and then dynamically changing to each > >> one and doing the commands needed needed. > > > > The problem is that we're asking the *login scripts to do something > > that is outside their model - normally the *rancid scripts send the > > list of exact commands to run, the *login scripts run them and put the > > output in a file, and then the *rancid scripts parse the output. > > > > There's just no hook for dynamic / interactive commands, or returning > > multiple files. You've got the ability to "plugin" an external script, > > maybe that would be the place to start, to write a TCL script that can > > be called with the "-s" option to clogin, that would deliver the > > individual files for each context. > > > > But then we have to get the files into the *rancid program. It > > would be nice to do this without some ugly hack, like the ones I > > usually code to get around RANCID's limitations. > > > >> Ed Ravin should be able to code something pretty quick. He has solid > >> coding skills and should be able to do this in a matter of a few hours > >> max I would think. That is up to him though. > > > > Thanks for the flowers, but you are being awfully generous with my time! > > I have a suspicion that Austin and John are also otherwise engaged. > > 1) An option would be to have a seperate component for discovering the contexts and laying them out in a file like hosts are at present. > > I'd be happy to do this manually as I only add contexts every 3-4 months anyway. > > 2) An additional command, after "enable" select the correct context. > > ...would this be a variation of clogin? 
> > I guess clogin can perform the enable command... and enter the password. Does it detect the change in prompt? to decide if it's in enable mode? > > The prompt changes also when in context mode.... > > Here's the output of a login session. it goes straight to the admin context, then I switch to the system context, then to another context. > > > rob at penguin:/tmp >ssh 172.16.3.254 > > rob at 172.16.3.254's password: > > Type help or '?' for a list of available commands. > > cast-tec-mr2-c5-fsm1/cast> > > cast-tec-mr2-c5-fsm1/cast> enable > > Password: **** > > cast-tec-mr2-c5-fsm1/cast# changeto system > > cast-tec-mr2-c5-fsm1# changeto context etl > > cast-tec-mr2-c5-fsm1/etl# > > Would this be a case of entending clogin to perform a context switch? > > Cheers > > Rob > > > -- > Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd > Technium CAST | LL57 4HJ | http://www.techniumcast.com > rob at techniumcast.com | 01248 675024 | 077988 72480 > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From rob at techniumcast.com Wed Mar 28 14:30:46 2007 
From: rob at techniumcast.com (Rob Shepherd)
Date: Wed, 28 Mar 2007 15:30:46 +0100
Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM
In-Reply-To: <20070328071919.8e114e4890519e5179c192e02d6bca26.762d7b1375.wbe@email.secureserver.net>
References: <20070328071919.8e114e4890519e5179c192e02d6bca26.762d7b1375.wbe@email.secureserver.net>
Message-ID: <460A7C16.10700@techniumcast.com>

Lance wrote:
> Rob,
>
> When you do a "show run" after changing contexts does it give you a
> slightly different config or an entirely different config.

It's an entirely different config. Each context is like a virtual PIX. (until you get down to feature completeness and command compatibility that is :) )

> Unfortunately at my place of business we only have a need to run 2
> basic contexts, the default admin and system. So I don't work with
> them.
>
> I don't intend on this being a context session 101, but why do you
> create contexts for each customer you have (as it appears to me)? You
> might enlighten me and I might switch to such a model. :-D
>

I do this because it permits me to hand off control of a context to a particular customer, if they want to do the config themselves.

They can then SSH or PDM independently.

Also there are some limitations with things like DNS/DHCP. I haven't found a way to have different DNS server options outputted by the dhcpd service on different interfaces. Same for extra options, like vendor specific 43, which is different for each customer, for Alcatel AVA.

I'm really eager to get the contexts + system backed up automatically by rancid. I do it manually at present. :(

If there's anything I can do to progress the development of such a feature, somebody please enlighten me. I'm not a perl devel though, but there's one sat next to me, who isn't a network engineer however. If I know what to code I can help get it done..... But I need the input from somebody who knows the architecture of rancid....

Cheers

Rob

--
Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd
Technium CAST | LL57 4HJ | http://www.techniumcast.com
rob at techniumcast.com | 01248 675024 | 077988 72480

From rancid at gheek.net Wed Mar 28 17:38:42 2007
From: rancid at gheek.net (Lance)
Date: Wed, 28 Mar 2007 10:38:42 -0700
Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM
Message-ID: <20070328103842.8e114e4890519e5179c192e02d6bca26.845637013a.wbe@email.secureserver.net>

Rob,

I am not sure the best method would be to make a config that large as it would be hard to report on the changes and know where the changes were other than on that asa/pix.

The way I would think about doing it would be to create a config for the pix/asa using system/admin then create a series of config files for each context but name it something like this "ops-pix-01-context-timewarner.conf". This would allow you to be notified of each one being updated etc and keep the config file from getting huge.

The way I would go about doing this would be to use the addon that Ed Ravin published a while back. I would specify a custom portion in bin/rancid-fe for ASA/Pixes (that use contexts) and then collect the config like normal but also collect information on "show context" so that I can parse it after the config is collected. Then log into the device via and issue a change to each context and log each output to a new file. Another file would need to be updated as well, this being bin/clogin. The file would need to be updated to know it has to modify the file it creates to reflect the context name.

It is possible to do it another way such as creating host entries in your /etc/host file for each context on each firewall, but that would be a great idea as it wouldn't scale well and wouldn't be completely dynamic as we like to have things these days.

I will see if I can take a stab at it this weekend. No promises.

-lance

> -------- Original Message --------
> Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM
> From: Rob Shepherd > Date: Wed, March 28, 2007 7:30 am > To: rancid-discuss at shrubbery.net > > Lance wrote: > > Rob, > > > > When you do a "show run" after changing contexts does it give you a > > slightly different config or an entirely different config. > > It's an entirely different config. Each context is like a virtual PIX. > (until you get down to feature completeness and command compatability > that is :) ) > > > Unfortunately at my place of business we only have a need to run 2 > > basic contexts, the default admin and system. So I don't work with > > them. > > > > I don't intend on this being a context session 101, but why do you > > create contexts for each customer you have (as it appears to me)? You > > might enlighten me and I might switch to such a model. :-D > > > > I do this because it permits me to hand off control of a context to a > particular customer, if they want to do the config themselves. > > They can then SSH or PDM independently. > > Also there is some limitations with things like DNS/DHCP. I havn't found > a way to have different DNS server options outputted by the dhcpd > service on different interfaces. Same for extra options, like vendor > specific 43, which different for each customer, for Alcatel AVA. > > I'm really eager to get the context's + system backed up automatically > by rancid. I do it manually at present. :( > > If there's anything I can do to progress the development of such a > feature, somebody please enlighten me. I'm not a perl devel though, but > there's one sat next to me, who isn't a network engineer however. If I > know what to code I can help get it done..... > But i need the input from somebody who knows the architecture of rancid.... 
> > Cheers > > Rob > > > > > > > > -- > Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd > Technium CAST | LL57 4HJ | http://www.techniumcast.com > rob at techniumcast.com | 01248 675024 | 077988 72480 > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From eravin at panix.com Wed Mar 28 19:18:16 2007 
From: eravin at panix.com (Ed Ravin) Date: Wed, 28 Mar 2007 15:18:16 -0400 Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM In-Reply-To: <20070328103842.8e114e4890519e5179c192e02d6bca26.845637013a.wbe@email.secureserver.net> References: <20070328103842.8e114e4890519e5179c192e02d6bca26.845637013a.wbe@email.secureserver.net> Message-ID: <20070328191816.GB10356@panix.com> On Wed, Mar 28, 2007 at 10:38:42AM -0700, Lance wrote: > It is possible to do it another way such as creating host entries in > your /etc/host file for each context on each firewall, but that would > be a great idea as it wouldn't scale well and wouldn't be completely > dynamic as we like to have things these days. How about creating a whole new RANCID group for the contexts of a particular firewall? Then your scripts could manage the router.db for that group, adding entries when new contexts are discovered, and create the appropriate config files for each context so that RANCID's version control scripts think each context is a separate router config, and do all the diffs and archiving the usual way. You'd need new "contextrancid" and "contextlogin" scripts. You'd also need a parent script that would run "contextlogin" to get a list of contexts on the router, then manage routers.db as needed. Maybe that script could be built into "contextrancid", and it would just have to keep a statefile somewhere so it could figure out that it's being invoked multiple times for the same router. Oh yeah, and you'd need to use either my rancid-fe patches for configurable device types (see the list archives for my hp4000m or ciscorsh scripts), or hard-code a new device type in rancid-fe. From justin at justinshore.com Thu Mar 29 02:47:38 2007 
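Added example, not part of any message in this thread and not RANCID code: a shell sketch of the context-discovery step discussed above (Rob's awk/sed pipeline, Lance's per-context file naming, Ed's per-context router.db entries). It assumes the URL column sits on the same line as the context name and that router.db uses the colon-separated name:type:state form; the device name fw1, the type fwsm-context and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: discover security contexts from captured "show context"
# output and emit one router.db-style entry per context.

# Constructed sample, modelled on the two listings posted in the thread:
# a prompt line, the header, a row with a wrapped interface list (ASA
# style), a blank line and the "Total active" footer.
sample_show_context() {
cat <<'EOF'
fw1# show context
Context Name      Class      Interfaces           URL
*admin            default    GigabitEthernet0/0,  disk0:/admin.cfg
                             GigabitEthernet0/1,
                             Management0/0
 cust-a           gold       vlan216,316,501      disk:/cust-a.cfg
 cust-b           default    vlan217,317,501      disk:/cust-b.cfg
 bad/name         default    vlan218              disk:/bad.cfg

Total active Security Contexts: 4
fw1#
EOF
}

# The pipeline as posted in the thread. It takes the first field of every
# line, so the prompt, the header ("Context"), the footer ("Total"), the
# blank line and wrapped interface names all come out as "contexts".
naive_contexts() {
    awk '{print $1}' | sed -e 's/\*//g'
}

# Stricter parse: a context row is a line whose last field looks like a
# config URL (contains ":/"). The leading "*" marking the admin context is
# stripped. Names are checked against a conservative character set
# (an assumption, not Cisco's documented rule) because they end up in
# file names and in commands sent back to the device.
list_contexts() {
    awk '
        NF >= 3 && $NF ~ /:\// {
            name = $1
            sub(/^\*/, "", name)
            if (name ~ /^[A-Za-z0-9][A-Za-z0-9._-]*$/)
                print name
            else
                print "rejected context name: " name > "/dev/stderr"
        }
    ' | sort -u    # stable order keeps the generated file from churning
}

# Emit "<device>-context-<name>:<type>:up" lines, following the naming
# scheme suggested in the thread. The type is whatever the caller passes;
# no such device type ships with RANCID.
context_entries() {
    device=$1
    devtype=$2
    list_contexts | while read -r ctx; do
        printf '%s-context-%s:%s:up\n' "$device" "$ctx" "$devtype"
    done
}

# Demo run on the constructed sample.
sample_show_context | context_entries fw1 fwsm-context
```

The system context never appears in "show context", as noted earlier in the thread, so it still needs its own entry.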
From: justin at justinshore.com (Justin Shore) Date: Wed, 28 Mar 2007 21:47:38 -0500 Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM In-Reply-To: <460A7C16.10700@techniumcast.com> References: <20070328071919.8e114e4890519e5179c192e02d6bca26.762d7b1375.wbe@email.secureserver.net> <460A7C16.10700@techniumcast.com> Message-ID: <460B28CA.5040106@justinshore.com> Rob Shepherd wrote: > Lance wrote: >> I don't intend on this being a context session 101, but why do you >> create contexts for each customer you have (as it appears to me)? You >> might enlighten me and I might switch to such a model. :-D >> > > I do this because it permits me to hand off control of a context to a > particular customer, if they want to do the config themselves. > > They can then SSH or PDM independently. > > Also there are some limitations with things like DNS/DHCP. I haven't found > a way to have different DNS server options outputted by the dhcpd > service on different interfaces. Same for extra options, like vendor > specific 43, which is different for each customer, for Alcatel AVA. That's one of the main reasons for us. We fully expect some customers to want to control their own context. This way we can just hand it off to them. It also gives us the option of putting these customers in VRFs which afford a better layer of security between customers than simple VLANs. Customers that tunnel to us can have their own IGP in their VRF, can have IP subnets that would otherwise conflict with another customer's, etc. MPLS VRF affords hide the underlying network components from the VRF itself. It's really quite slick and very complex (I don't pretend to fully understand it but I'm getting better). Justin From kadamski at akn.ca Wed Mar 28 14:51:14 2007
From: kadamski at akn.ca (Krzysztof Adamski) Date: Wed, 28 Mar 2007 10:51:14 -0400 (EDT) Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM In-Reply-To: <460A7C16.10700@techniumcast.com> Message-ID: I should start this email by saying I have not ever used context on the ASA. Now saying this, if you are allowing users to SSH into individual context, maybe you can back up the context separately by having each context listed in the rancid database as separate PIXes. You will need to have a username for rancid in each context, this may be a show stopper. K On Wed, 28 Mar 2007, Rob Shepherd wrote: > Lance wrote: > > Rob, > > > > When you do a "show run" after changing contexts does it give you a > > slightly different config or an entirely different config. > > It's an entirely different config. Each context is like a virtual PIX. > (until you get down to feature completeness and command compatibility > that is :) ) > > > Unfortunately at my place of business we only have a need to run 2 > > basic contexts, the default admin and system. So I don't work with > > them. > > > > I don't intend on this being a context session 101, but why do you > > create contexts for each customer you have (as it appears to me)? You > > might enlighten me and I might switch to such a model. :-D > > > > I do this because it permits me to hand off control of a context to a > particular customer, if they want to do the config themselves. > > They can then SSH or PDM independently. > > Also there are some limitations with things like DNS/DHCP. I haven't found > a way to have different DNS server options outputted by the dhcpd > service on different interfaces. Same for extra options, like vendor > specific 43, which is different for each customer, for Alcatel AVA. > > I'm really eager to get the contexts + system backed up automatically > by rancid. I do it manually at present.
:( > > If there's anything I can do to progress the development of such a > feature, somebody please enlighten me. I'm not a perl devel though, but > there's one sat next to me, who isn't a network engineer however. If I > know what to code I can help get it done..... > But i need the input from somebody who knows the architecture of rancid.... > > Cheers > > Rob > > > > > > > > -- > Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd > Technium CAST | LL57 4HJ | http://www.techniumcast.com > rob at techniumcast.com | 01248 675024 | 077988 72480 From rancid at gheek.net Thu Mar 29 20:55:54 2007 From: rancid at gheek.net (Lance) Date: Thu, 29 Mar 2007 13:55:54 -0700 Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM Message-ID: <20070329135554.8e114e4890519e5179c192e02d6bca26.346a452e17.wbe@email.secureserver.net> I guess if you can actually do as you think they can, then that is a much better approach. > -------- Original Message -------- > Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM
> From: Krzysztof Adamski > Date: Wed, March 28, 2007 7:51 am > To: Rob Shepherd > Cc: rancid-discuss at shrubbery.net > > I should start this email by saying I have not ever used context on the ASA. > > Now saying this, if you are allowing users to SSH into individual context, maybe > you can backup the context separately by having each context listed in the rancid > database as separate PIXes. You will need to have a username for rancid in each > context, this may be a show stopper. > > K From justin at justinshore.com Thu Mar 29 22:17:52 2007
From: justin at justinshore.com (Justin Shore) Date: Thu, 29 Mar 2007 17:17:52 -0500 Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM In-Reply-To: References: Message-ID: <460C3B10.2000109@justinshore.com> That's always a possibility though it would require a userid like you mentioned as well as allowing SSH into the context from the outside. This would likely freak out some security-paranoid customers, even though you really aren't compromising security if the ACL is set up in a sane manner. It's a thought but it could present additional problems. Our SME last week did mention something about a way to have a common DMZ in each context, though he said it was extremely difficult and would of course compromise security if that machine was ever rooted. Justin Krzysztof Adamski wrote: > I should start this email by saying I have not ever used context on the ASA. > > Now saying this, if you are allowing users to SSH into individual context, maybe > you can backup the context separately by having each context listed in the rancid > database as separate PIXes. You will need to have a username for rancid in each > context, this may be a show stopper. > > K From rancid at gheek.net Thu Mar 29 22:24:26 2007
From: rancid at gheek.net (Lance) Date: Thu, 29 Mar 2007 15:24:26 -0700 Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM Message-ID: <20070329152426.8e114e4890519e5179c192e02d6bca26.cdeecfcbbc.wbe@email.secureserver.net> True, True. BTW, how would you access each context? By way of ssh to each IP? -lance > -------- Original Message -------- > Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM 
> From: Justin Shore > Date: Thu, March 29, 2007 3:17 pm > To: Krzysztof Adamski > Cc: rancid-discuss at shrubbery.net > > That's always a possibility though it would require a userid like you > mentioned as well as allowing SSH into the context from the outside. > This would likely freak out some security-paranoid customers, even > though you really aren't compromising security if the ACL is set up in a > sane manner. It's a thought but it could present additional problems. > > Our SME last week did mention something about a way to have a common DMZ > in each context, though he said it was extremely difficult and would of > course compromise security if that machine was ever rooted. > > Justin From jeff at ocjtech.us Fri Mar 30 11:53:38 2007
From: jeff at ocjtech.us (Jeffrey C. Ollie) Date: Fri, 30 Mar 2007 06:53:38 -0500 Subject: [rancid] [PATCH] Use Git to store configs Message-ID: <1175255618.5608.29.camel@lt21223.campus.dmacc.edu> Here's a patch that I've been working on that allows you to store your configs in a Git[1] repository. Adding a third RCS system necessitated a little bit of code reorganization, so I may have inadvertently broken something (I haven't tested CVS or Subversion repositories with the patch applied). The other big differences are: 1) When using CVS and Subversion, RANCID is working on local checkouts (located in $BASEDIR) of a repository that is located elsewhere on disk ($CVSROOT). Git works differently, so $BASEDIR is the complete repository and $CVSROOT isn't really necessary. 2) Since there could be multiple processes acting simultaneously on the same repository (with CVS and Subversion RANCID had a separate checkout for each group) I guard all operations on the repository using flock(1). flock(1) does not operate over NFS. I've attached the patch, or you can follow progress on my web site[2]. Jeff [1] http://www.kernel.org/pub/software/scm/git/docs/git.html [2] http://git.ocjtech.us/rancid.git -------------- next part -------------- A non-text attachment was scrubbed... Name: rancid-2.3.2a7-git-2.patch Type: text/x-patch Size: 11318 bytes Desc: not available Url : http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20070330/d16292cf/attachment.bin From tex at off.org Fri Mar 30 21:19:12 2007
From: tex at off.org (Austin Schutz) Date: Fri, 30 Mar 2007 14:19:12 -0700 Subject: [rancid] Re: [PATCH] Use Git to store configs In-Reply-To: <1175255618.5608.29.camel@lt21223.campus.dmacc.edu> References: <1175255618.5608.29.camel@lt21223.campus.dmacc.edu> Message-ID: <20070330211912.GH30664@gblx.net> On Fri, Mar 30, 2007 at 06:53:38AM -0500, Jeffrey C. Ollie wrote: > Here's a patch that I've been working on that allows you to store your > configs in a Git[1] repository. > I like the change to case() where the syntax differs. Comments inline. > Adding a third RCS system necessitated a little bit of code > reorganization, so I may have inadvertently broken something (I haven't > tested CVS or Subversion repositories with the patch applied). The > other big differences are: > > 1) When using CVS and Subversion, RANCID is working on local checkouts > (located in $BASEDIR) of a repository that is located elsewhere on disk > ($CVSROOT). Git works differently, so $BASEDIR is the complete > repository and $CVSROOT isn't really necessary. $BASEDIR is the dir into which all groups go. If you put a generic lockfile here you will make it so multiple groups can't be polled at one time. Typically a temp dir is used where the file includes the group name so there is no stepping on of toes, and stale lockfiles aren't left in unexpected places. > > 2) Since there could be multiple processes acting simultaneously on the > same repository (with CVS and Subversion RANCID had a separate checkout > for each group) I guard all operations on the repository using flock(1). > flock(1) does not operate over NFS. > IMO that's a problem: flock isn't available on all platforms, and dealing with nfs support could be annoying. I have a perl based lock script which uses fcntl (works w/ nfs) and should be reasonably cross platform, if that's useful (no other dependencies). Rancid's existing lockfile support is fairly dumb (simple).
I get stale hangs sometimes after a reboot, myself- though it generally doesn't have to be that smart because it doesn't run that often. > I've attached the patch, or you can follow progress on my web site[2]. > ... > fi > @@ -138,6 +138,7 @@ then > rm -f .cvsignore > cat >.cvsignore < .cvsignore > +.gitignore ^^^^^^^^^^^ this seems a little funky to me. Seems like there should be an if/then or switch/case for git here and in the surrounding code. > @@ -265,21 +280,27 @@ then > cd $DIR/configs > > # Add new routers to the CVS structure. > - for router in `comm -13 $DIR/routers.up $DIR/routers.up.new` > + for router in `comm -13 $DIR/routers.up $DIR/routers.up.new | cut -d: -f1` If there are other bugs you might want to submit them independent of the git changes. > + case $RCSSYS in > + cvs ) > + cvs status $router | grep -i 'status: unknown' > /dev/null 2>&1 > + if [ $? -eq 0 ]; then > + touch $router > + cvs add -ko $router > + echo "$RCSSYS added missing router $router" ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This doesn't need to be repeated for each case statement. > + fi > + ;; > + svn ) > + svn status $router | grep '^?' > /dev/null 2>&1 > + if [ $? -eq 0 ]; then > + touch $router > + svn add $router > + echo "$RCSSYS added missing router $router" > + fi > + ;; > + git ) > + git ls-files $router > /dev/null 2>&1 > + if [ $? -eq 1 ]; then > + touch $router > + ( > + flock -x 200 > + git add $router > + git commit -m "added missing router $router" > + ) 200>$BASEDIR/.lockfile > + echo "$RCSSYS added missing router $router" > + fi > + ;; > + esac > done > echo Otherwise looks like a nice bit of code. Austin From jeff at ocjtech.us Sat Mar 31 02:17:02 2007 
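Review bot: the `+.gitignore` line in the hunk at -138,6 is appended to the list written into `.cvsignore`, and as far as the visible context shows that happens whatever $RCSSYS is set to. It only makes CVS ignore a file called .gitignore; nothing in this hunk creates an ignore file for a Git repository. Suggest moving the ignore-file creation under the same `case $RCSSYS in` used in the later hunk, so each system gets its own ignore file, or none.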
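Review bot: in the `git )` branch of the hunk at -265,21, the test `git ls-files $router > /dev/null 2>&1` followed by `if [ $? -eq 1 ]` does not detect an untracked file, because `git ls-files <path>` exits 0 and simply prints nothing when the path is not in the index, so the add/commit block is never reached. Use `git ls-files --error-unmatch $router`, which returns non-zero for a path that is not tracked, or test for empty output instead. Two smaller points on the same branch: `git commit -m "added missing router $router"` without a path commits everything currently staged in the shared repository, so `git commit -m "..." -- "$router"` would keep the commit to the one file, and the lock file `$BASEDIR/.lockfile` sits inside the repository itself, where it needs to be ignored or moved to a temp directory.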
From: jeff at ocjtech.us (Jeffrey C. Ollie) Date: Fri, 30 Mar 2007 21:17:02 -0500 Subject: [rancid] Re: [PATCH] Use Git to store configs In-Reply-To: <20070330211912.GH30664@gblx.net> References: <1175255618.5608.29.camel@lt21223.campus.dmacc.edu> <20070330211912.GH30664@gblx.net> Message-ID: <1175307422.3810.17.camel@lt21223.campus.dmacc.edu> On Fri, 2007-03-30 at 14:19 -0700, Austin Schutz wrote: > On Fri, Mar 30, 2007 at 06:53:38AM -0500, Jeffrey C. Ollie wrote: > > Here's a patch that I've been working on that allows you to store your > > configs in a Git[1] repository. > > I like the change to case() where the syntax differs. Yeah, switching to case will make it much easier to add other revision control systems in the future. > > Adding a third RCS system necessitated a little bit of code > > reorganization, so I may have inadvertently broken something (I haven't > > tested CVS or Subversion repositories with the patch applied). The > > other big differences are: > > > > 1) When using CVS and Subversion, RANCID is working on local checkouts > > (located in $BASEDIR) of a repository that is located elsewhere on disk > > ($CVSROOT). Git works differently, so $BASEDIR is the complete > > repository and $CVSROOT isn't really necessary. > > $BASEDIR is the dir into which all groups go. If you put a generic > lockfile here you will make it so multiple groups can't be polled at one > time. Typically a temp dir is used where the file includes the group name > so there is no stepping on of toes, and stale lockfiles aren't left in > unexpected places. The locks shouldn't slow down polling; the lock is only held when making commits to the Git repository which shouldn't happen during polling (unless I'm misunderstanding something about the code). I needed the locks because I need to run a series of git commands atomically or changes from other groups might become part of the wrong commit.
> > 2) Since there could be multiple processes acting simultaneously on the > > same repository (with CVS and Subversion RANCID had a separate checkout > > for each group) I guard all operations on the repository using flock(1). > > flock(1) does not operate over NFS. > > > IMO that's a problem: flock isn't available on all platforms, and > dealing with nfs support could be annoying. I have a perl based lock > script which uses fcntl (works w/ nfs) and should be reasonably cross > platform, if that's useful (no other dependencies). Rancid's existing lockfile > support is fairly dumb (simple). I get stale hangs sometimes after a reboot, > myself- though it generally doesn't have to be that smart because it doesn't > run that often. Yeah, that's too bad that flock isn't widely available, since it works perfectly for what I needed. Does your script work in a similar method? > > fi > > @@ -138,6 +138,7 @@ then > > rm -f .cvsignore > > cat >.cvsignore < > .cvsignore > > +.gitignore > ^^^^^^^^^^^ this seems a little funky to me. Seems like there should be > an if/then or switch/case for git here and in the surrounding code. Yeah, the .cvsignore should probably be special-cased as well, and for Subversion there probably shouldn't be a file at all. I think I have something in mind, I'll see if I can get around to coding it up.
> > @@ -265,21 +280,27 @@ then > > cd $DIR/configs > > > > # Add new routers to the CVS structure. > > - for router in `comm -13 $DIR/routers.up $DIR/routers.up.new` > > + for router in `comm -13 $DIR/routers.up $DIR/routers.up.new | cut -d: -f1` > > If there are other bugs you might want to submit them independent of > the git changes. > > > + case $RCSSYS in > > + cvs ) > > + cvs status $router | grep -i 'status: unknown' > /dev/null 2>&1 > > + if [ $? -eq 0 ]; then > > + touch $router > > + cvs add -ko $router > > + echo "$RCSSYS added missing router $router" > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > This doesn't need to be repeated for each case statement. I'll look into refactoring that. Jeff From wmuriithi at afsat-af.com Sat Mar 31 10:01:54 2007
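The locking points raised in the Git patch thread above (lock file kept out of $BASEDIR, lock held only around the add and commit, no stale lock after a reboot), as an added example that is not part of the patch or of RANCID. It assumes flock(1) is installed and that LOCKDIR is on a local filesystem; `with_repo_lock`, `commit_router`, `lock_path`, `LOCKDIR` and `LOCK_WAIT` are hypothetical names.

```shell
#!/bin/sh
# Added example, not part of the patch or of RANCID. with_repo_lock,
# commit_router, lock_path, LOCKDIR and LOCK_WAIT are hypothetical names.

LOCKDIR=${LOCKDIR:-${TMPDIR:-/tmp}}   # local disk: flock(1) does not work over NFS
LOCK_WAIT=${LOCK_WAIT:-30}            # seconds to keep retrying a busy lock

# lock_path REPO: print the lock file name for one repository.
# The name is derived from the repository path, so two repositories never
# contend for the same lock and nothing is left inside the repository.
lock_path() {
    _id=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    printf '%s/rancid-repo-%s.lock\n' "$LOCKDIR" "$_id"
}

# with_repo_lock REPO COMMAND [ARGS...]
# Run COMMAND inside REPO while holding that repository's exclusive lock.
# Returns COMMAND's status, or 75 if the lock stayed busy for LOCK_WAIT seconds.
with_repo_lock() {
    _repo=$1; shift
    _lock=$(lock_path "$_repo")
    (
        # The lock belongs to fd 9. The kernel releases it when this
        # subshell exits, so a crash or reboot leaves no stale lock.
        _tries=0
        until flock -x -n 9; do
            _tries=$((_tries + 1))
            [ "$_tries" -gt "$LOCK_WAIT" ] && exit 75
            sleep 1
        done
        cd "$_repo" && "$@"
    ) 9>"$_lock"
}

# Critical section: stage one file and commit only that file. The "-- FILE"
# on the commit keeps files staged by another group out of this commit.
_add_and_commit() {
    git add -- "$1" && git commit -q -m "$2" -- "$1"
}

# commit_router REPO FILE MESSAGE
commit_router() {
    with_repo_lock "$1" _add_and_commit "$2" "$3"
}

# Usage (constructed values):
#   commit_router /usr/local/rancid/var router1.example "added missing router router1.example"
```

The lock is taken only for the duration of the wrapped command, so polling of different groups is not serialized; only their commits to the shared repository are.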
From: wmuriithi at afsat-af.com (kihara Muriithi) Date: Sat, 31 Mar 2007 13:01:54 +0300 Subject: [rancid] CVS and rancid content or should I say configuration issues Message-ID: <1175335314.31815.70.camel@test4.afsat.com> Hi all, I have been running rancid for several weeks, but not sure if I haven't set up rancid properly or it's just that I don't know how to use CVS to retrieve the configuration. What I can currently find is the most recent cisco configurations under the directory /usr/local/rancid/var/cisco/configs/ I do believe we have cvs for saving multiple versions of these configurations. However when I try to check out the cvs contents, I don't see anything resembling these configurations. This is how I am doing it cvs -d /usr/local/rancid/var/CVS checkout XXX This works, but there is nothing important. There are only three folders under that directory, namely CVROOT, Entries.Log and cisco. cisco is a directory and under it I have cisco -> configs/ CVS/ router.db routers.all routers.down routers.failed routers.up How can one conclusively tell rancid is feeding cvs any data and how does one retrieve it from CVS? Any advice is highly appreciated. Thanks in advance William