From Mark.Duling at biola.edu Thu Jul 3 03:12:18 2003
From: Mark.Duling at biola.edu (Mark Duling)
Date: Wed, 02 Jul 2003 20:12:18 -0700
Subject: RANCID on OS X (Darwin)
Message-ID:

Hello All,

It turns out that RANCID runs on Mac OS X with no modifications. I did something wrong the first time and I'm not sure what, but I didn't know what I was doing at first so who knows. The install and configuration went without a hitch the second time around. I have an unfinished howto that gives the pre-requisites for non-Unix savvy people like myself. Tcl/tk and expect are installed together as a binary. And I included "cheat" instructions for those who don't want to deal with sendmail. The rest is as described in the instructions or Chris Boyd's howto for BSD. In case it helps another Mac user I am pasting the first 4 steps of my howto for OS X.

Mark

--------------------------------------------------------------------

1) Install the Developer Tools - You can use the CD that came with OS X if you have it or download it from Apple's developer web site. This is required to compile and run open source software.

2) Configure OS X to send email from the command line - You may configure sendmail but it is challenging to configure. Most UNIX commercial email software supports sendmail emulation, such as Communigate Pro from Stalker Software or Post.Office from Tenon Systems. Both are simpler to get up and running than sendmail and they have free unlicensed demo versions that will support a few users or aliases, which is all RANCID needs. The install program for each sets up sendmail emulation automatically.

To check this, after the install type:

    ls -l /usr/sbin/sendmail

and observe if sendmail has the correct symbolic link (output abbreviated):

    lrwxr-xr-x /usr/sbin/sendmail -> /usr/sbin/CommuniGatePro/sendmail      (for CGPro)
    lrwxr-xr-x /usr/sbin/sendmail -> /usr/local/post.office/bin/sendmail    (for Post.Office)

Test the email server by sending a test message from the command line:

    mail joe at exp.com

(enter a subject, some body text, terminate message with Control-D)

3) Install tcl/tk and expect - RANCID requires a program called expect which in turn requires the scripting language tcl/tk. The tcl/tkAqua "Batteries Included" OS X package includes both of these two items. Download and install the package. It can be found at SourceForge.net or Apple's site. Here is the link on Apple's site:

    http://www.apple.com/downloads/macosx/unix_open_source/tcltkaqua.html

Install RANCID

4) Add /usr/local/bin to the path (so RANCID can find expect during install). Type the following command:

    PATH=$PATH:/usr/local/bin; export PATH

From Mark.Duling at biola.edu Wed Jul 9 03:02:03 2003
From: Mark.Duling at biola.edu (Mark Duling)
Date: Tue, 08 Jul 2003 20:02:03 -0700
Subject: Cisco Catalyst 6000, 4000, 1900
Message-ID:

Hello All,

I cannot get RANCID to get configs on some of our Cisco Catalyst switches.

1) Is there any way to get RANCID to get a config on a 1900? They have the menu driven interface and I can't find a way to turn it off. One can exit to the command line but I presume RANCID cannot do that.

2) Also, RANCID cannot get configs for our 6000 and 4000 series Catalysts either. It can login. The error message is at the bottom of this message. I read what the FAQ says about 6500's and I tried running the cat5rancid file script but it doesn't seem to be getting it still, but maybe I'm not using it right. The same for the 4000's. They both have enable prompts like this:

    prompt> (enable)

Any help is greatly appreciated.

Mark

--------------------------------------------------

I didn't think I was running CatOS but here is the version info for the 6000:

    WS-C6006 Software, Version NmpSW: 7.2(2)
    Copyright (c) 1995-2002 by Cisco Systems
    NMP S/W compiled on Apr 25 2002, 12:37:52

And the RANCID log info:

    10.10.10.4: missed cmd(s): show bootvar,dir /all sup-microcode:,show boot,show vlan,dir /all slot0:,show c7200,show module,dir /all slot1:,write term,dir /all sup-bootflash:,dir /all nvram:,dir /all slot2:,show diag,show version,show controllers cbus,show env all,dir /all disk0:,dir /all disk1:,show vtp status,dir /all disk2:,show gsr chassis,show variables boot,show controllers,dir /all bootflash:,show diagbus,show flash,show install active
    10.10.10.4: End of run not found
    !

From afort at choqolat.org Wed Jul 9 07:23:18 2003
From: afort at choqolat.org (Andrew Fort)
Date: Wed, 09 Jul 2003 17:23:18 +1000
Subject: Riverstone Router (and Enterasys 8600s, anyone?)
In-Reply-To:
References:
Message-ID: <3F0BC2E6.6060003@choqolat.org>

listuser at numbnuts.net wrote:

> Their router OS's CLI would be quite familiar to anyone familiar with
> Cisco's IOS. The verb and noun have been switched to stave off Cisco
> lawsuit threats for using something similar to their CLI. Other than that
> it's quite close to the feel of IOS. You won't get anything out of their
> switches though. They are all menu driven. I never have been able to
> work out an expect script to manipulate it.
>
>

yeah.. we have a number of 8600s, and mostly 2200s and VHs that need collection.

you could capture all the output of a script fumbling through the menus, then strip all the evil escape chars, and place the information into the repository.. not great, but better than nothing, perhaps. we have a script to gather the information, just not parse it into something suitable for the repository at this stage.

Are folks out there using the rivlogin (from 2.3-eft) successfully with version 8 software on SSR8600s?

-afort

From KevinC at Kgex.com.tw Wed Jul 9 09:23:08 2003
From: KevinC at Kgex.com.tw (KEVINC)
Date: Wed, 9 Jul 2003 17:23:08 +0800
Subject: Riverstone Router (and Enterasys 8600s, anyone?)
Message-ID:

I have some experience on Enterasys 8600 with Rancid 2.3; some tips I can share with you!

1. use short router name
2. use "system set terminal rows 0" command

Yikuo Chan.

From afort at choqolat.org Wed Jul 9 09:50:56 2003
From: afort at choqolat.org (Andrew Fort)
Date: Wed, 09 Jul 2003 19:50:56 +1000
Subject: Riverstone Router (and Enterasys 8600s, anyone?)
In-Reply-To:
References:
Message-ID: <3F0BE580.3030807@choqolat.org>

KEVINC wrote:

> I have some experience on Enterasys 8600 with Rancid 2.3
> some tip I can share with you !
>
> 1.use short router name
> 2.use "system set terminal rows 0 " command
>
>

Thanks for your notes Kevin,

I've patched the provided rivlogin to perform "cli set terminal rows 0" initially. Is this the same as "system set terminal rows 0", or different? Either way, 'cli set term row 0' seems to work OK in that regard (it's per session, not a configuration setting, which is the same as clogin using "term length 0" on IOS).

The problem we're having is due to the annoying escaping the OS does when completion occurs. Disabling completion doesn't appear to stop the box from spitting out control characters, though. The regexps in the rivlogin code to take care of this situation (ignore the line, print the contents of the command back to the system so that rivrancid notices this rather than a munged set of escape characters) don't work for us, but I haven't quite worked out why yet.

Why did you need to shorten the router name?

-afort

From fjordan at hcs.net Wed Jul 9 14:36:42 2003
From: fjordan at hcs.net (Fred Jordan)
Date: Wed, 09 Jul 2003 10:36:42 -0400
Subject: Problems getting config when not enable mode
Message-ID: <3F0C287A.1070609@hcs.net>

We are collecting cisco router config files from some of our customers. Problem is we do not have enable mode access to the routers. What we have is the ability to do "show config" at the default privilege level that we log in with.

I have tried multiple permutations of autoenable/noenable and still cannot get clogin to run the commands to collect the configs.

Here are examples of telneting into the router as well as running clogin as user rancid with various .cloginrc permutations.

Any help is greatly appreciated.

Thanks Much,
Fred

==============================================================
= First try
= .cloginrc parameters
=add user 1.2.3.4 ranuser
=add password 1.2.3.4 {ranpass} {ranpass}
=add noenable 1.2.3.4
=add autoenable 1.2.3.4 0
= Note: this fails to run the commands passed to clogin
=
$ clogin -c 'show version; show diag' 1.2.3.4
1.2.3.4
spawn telnet 1.2.3.4
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.

User Access Verification

Username: Kerberos: No default realm defined for Kerberos!
ranuser
Password:
router>enable
Password:
% Access denied
router>
Error: Check your Enable passwd
$
==============================================================
= Second try
= .cloginrc parameters
=add user 1.2.3.4 ranuser
=add password 1.2.3.4 {ranpass} {ranpass}
=add noenable 1.2.3.4
=add autoenable 1.2.3.4 1
= Note: this fails to run the commands and times out
=
$ clogin -c 'show version; show diag' 1.2.3.4
1.2.3.4
spawn telnet 1.2.3.4
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.

User Access Verification

Username: Kerberos: No default realm defined for Kerberos!
ranuser
Password:
router>
Error: TIMEOUT reached
$
==============================================================
= Third try
= .cloginrc parameters
=add user 1.2.3.4 ranuser
=add password 1.2.3.4 {ranpass} {ranpass}
=add noenable 1.2.3.4
$ clogin -c 'show version; show diag' 1.2.3.4
1.2.3.4
spawn telnet 1.2.3.4
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.

User Access Verification

Username: Kerberos: No default realm defined for Kerberos!
ranuser
Password:
router>enable
Password:
% Access denied
router>
Error: Check your Enable passwd
$
==============================================================
= Fourth try
= .cloginrc parameters
=add user 1.2.3.4 ranuser
=add password 1.2.3.4 {ranpass}
=add noenable 1.2.3.4
$ clogin -c 'show version; show diag' 1.2.3.4
1.2.3.4
Error: no enable password for 1.2.3.4 in /usr/local/rancid/.cloginrc.
$

From heas at shrubbery.net Wed Jul 9 16:46:39 2003
From: heas at shrubbery.net (john heasley)
Date: Wed, 9 Jul 2003 09:46:39 -0700
Subject: Problems getting config when not enable mode
In-Reply-To: <3F0C287A.1070609@hcs.net>
References: <3F0C287A.1070609@hcs.net>
Message-ID: <20030709164639.GZ10819@shrubbery.net>

Wed, Jul 09, 2003 at 10:36:42AM -0400, Fred Jordan:
> We are collecting cisco router config files from some of our customers.
> Problems is we do not have enable mode access to the routers.
> What we have is the ability to do "show config" at the default
> privledge level that we log in with.
>
> I have tried multiple permutations of autoenable/noenable and still
> cannot get clogin to run the commands to collect the configs.
>
> Here are examples of telneting into the router as well as running
> clogin as user rancid with various .cloginrc permutations.
> Any help is greatly appreciated.

w/o creative AAA, you have to have enable to get the config, so rancid expects that, ie: a prompt ending in #. That will be one problem, that will need to be (for the moment) hacked in rancid.

there may be other cmds run by rancid that also require privs.

> ==============================================================
> = First try
> = .cloginrc parameters
> =add user 1.2.3.4 ranuser
> =add password 1.2.3.4 {ranpass} {ranpass}
> =add noenable 1.2.3.4
                       ^ you need a value here for the config parser, 1.
                         sorry, the manpage is wrong and the code doesn't
                         handle this well --- added to the todo list.

From fjordan at hcs.net Wed Jul 9 17:13:19 2003
From: fjordan at hcs.net (Fred Jordan)
Date: Wed, 09 Jul 2003 13:13:19 -0400
Subject: Problems getting config when not enable mode
References: <3F0C287A.1070609@hcs.net> <20030709164639.GZ10819@shrubbery.net>
Message-ID: <3F0C4D2F.6060601@hcs.net>

John,

Thanks for the reply. We do have creative AAA statements that do allow us to type "show config" and we can see the startup-config file. Really this is where I am headed. At the privilege level we log in, which is less than 15, we can do almost all of the show commands. With that, I was hoping we would be able to either get the default clogin to work by creating the proper entry in the .cloginrc file for these hosts; OR would I need to hack a xlogin and/or xrancid to get this to work. From your email, sounds like I will have to have a modified xlogin and/or xrancid and I don't know if I need the first, the second or both.

Again, any help is greatly appreciated.

Thanks Much,
Fred

john heasley wrote:

> Wed, Jul 09, 2003 at 10:36:42AM -0400, Fred Jordan:
>
>> We are collecting cisco router config files from some of our customers.
>> Problems is we do not have enable mode access to the routers.
>> What we have is the ability to do "show config" at the default
>> privledge level that we log in with.
>>
>> I have tried multiple permutations of autoenable/noenable and still
>> cannot get clogin to run the commands to collect the configs.
>>
>> Here are examples of telneting into the router as well as running
>> clogin as user rancid with various .cloginrc permutations.
>> Any help is greatly appreciated.
>>
>
> w/o creative AAA, you have to have enable to get the config, so
> rancid expects that, ie: a prompt ending in #. That will be one
> problem, that will need to be (for the moment) hacked in rancid.
>
> there may other cmds run by rancid that also require privs.
>
>> ==============================================================
>> = First try
>> = .cloginrc parameters
>> =add user 1.2.3.4 ranuser
>> =add password 1.2.3.4 {ranpass} {ranpass}
>> =add noenable 1.2.3.4
>>
>
>                        ^ you need a value here for the config parser, 1.
>                          sorry, the manpage is wrong and the code doesnt
>                          handle this well --- added to the todo list.
>

From heas at shrubbery.net Wed Jul 9 17:24:06 2003
From: heas at shrubbery.net (john heasley)
Date: Wed, 9 Jul 2003 10:24:06 -0700
Subject: Problems getting config when not enable mode
In-Reply-To: <3F0C4D2F.6060601@hcs.net>
References: <3F0C287A.1070609@hcs.net> <20030709164639.GZ10819@shrubbery.net> <3F0C4D2F.6060601@hcs.net>
Message-ID: <20030709172406.GA20112@shrubbery.net>

Wed, Jul 09, 2003 at 01:13:19PM -0400, Fred Jordan:
> John,
> Thanks for the reply. We do have creative AAA statements that
> do allow us to type "show config" and we can see the
> startup-config file. Really this is where I am headed. At the
> privilege level we log in , which is less than 15; we can do almost
> all of the show commands. With that, I was hoping we would be able to
> either get the default clogin to work by creating the proper entry in the
> .cloginrc file for these hosts;

This is something we're aiming to do (more configurable), but it will be after 2.3 which I hope to push out next week sometime.

> OR would I need to hack a xlogin
> and/or xrancid to get this to work. From your email, sounds like
> I will have to have a modified xlogin and/or xrancid and I don't know
> if I need the first, the second or both.

xlogin/xrancid are not for the cisco.

From Mark.Duling at biola.edu Wed Jul 9 19:47:31 2003
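The exchange above turns on two details of the .cloginrc file: john heasley's point that `add noenable <host>` needs an explicit value (`1`) before the parser honours it, and the "no enable password" error that Fred's fourth try produced when only one password was listed while clogin still intended to enable. The following is an added example, not rancid code, that lints a .cloginrc for exactly those two conditions; the entries it checks are Fred's from the thread. Its syntax assumptions (one `add <directive> <host> <value>...` per line, values optionally in braces, `#` comments) go beyond what the mails show. Note that a clean lint only means the file is consistent: as john says, rancid 2.2.2 itself still expects a prompt ending in `#`.

```python
import re

# Added example, not rancid code: a lint pass over .cloginrc text for the two
# problems discussed in the thread.  Syntax assumed (beyond what the mails show):
# "add <directive> <host> <value>...", values optionally wrapped in {braces},
# "#" starts a comment.  The sample entries are Fred's, reproduced from the thread.

TOKEN = re.compile(r"\{[^}]*\}|\S+")


def parse_cloginrc(text):
    """Return [(directive, host, [values])]; malformed lines come back as ("?", None, tokens)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = [t.strip("{}") for t in TOKEN.findall(line)]
        if len(tokens) < 3 or tokens[0] != "add":
            entries.append(("?", None, tokens))
            continue
        entries.append((tokens[1], tokens[2], tokens[3:]))
    return entries


def _flag_set(values_list):
    """True when the last 'add noenable/autoenable' seen for a host carries the value 1.
    A bare 'add noenable host' has no value and so does not count (john's point)."""
    if not values_list:
        return False
    last = values_list[-1]
    return bool(last) and last[0] == "1"


def lint_cloginrc(text, mode=None):
    """Return a list of findings; an empty list means nothing to complain about.
    mode, if given, is the file's permission bits (os.stat(path).st_mode & 0o777)."""
    findings = []
    per_host = {}
    for directive, host, values in parse_cloginrc(text):
        if directive == "?":
            findings.append("malformed line: %s" % " ".join(values))
            continue
        per_host.setdefault(host, {}).setdefault(directive, []).append(values)
        if directive in ("noenable", "autoenable") and not values:
            findings.append("%s: 'add %s %s' needs an explicit value, e.g. 'add %s %s 1'"
                            % (host, directive, host, directive, host))
    for host, directives in per_host.items():
        skips_enable = (_flag_set(directives.get("noenable"))
                        or _flag_set(directives.get("autoenable")))
        for values in directives.get("password", []):
            if not skips_enable and len(values) < 2:
                findings.append("%s: one password only, but clogin will try to enable "
                                "('no enable password' error); add the enable password "
                                "or set noenable/autoenable to 1" % host)
    # The file holds plaintext passwords, so group/other readability is a finding too.
    if mode is not None and mode & 0o077:
        findings.append(".cloginrc is readable by group/other (mode %o); chmod 600" % mode)
    return findings


# Fred's fourth try, as posted: no value after noenable, a single password.
FOURTH_TRY = """\
add user      1.2.3.4 ranuser
add password  1.2.3.4 {ranpass}
add noenable  1.2.3.4
"""

# The form john's reply asks for.  It satisfies the parser; it does not by itself
# give rancid the "#" enable prompt it expects.
WITH_VALUE = """\
add user      1.2.3.4 ranuser
add password  1.2.3.4 {ranpass}
add noenable  1.2.3.4 1
"""

if __name__ == "__main__":
    for name, text in (("fourth try", FOURTH_TRY), ("with value", WITH_VALUE)):
        print(name, "->", lint_cloginrc(text) or ["ok"])
```

Run it against a real file with `lint_cloginrc(open(path).read(), os.stat(path).st_mode & 0o777)`; the permission check matters because every entry in the file is a plaintext device credential.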
From: Mark.Duling at biola.edu (Mark Duling)
Date: Wed, 09 Jul 2003 12:47:31 -0700
Subject: Catalyst 1900
Message-ID:

I resolved the problem with the 6000's and 4000's. Cat5 instead of Cisco was the correct type to use in the router.db.

Is there any way to get RANCID working with a Catalyst 1900? Is it possible to hack a "recorded" expect session with a 1900 that gets me to the command line into a RANCID script so that it can work?

Mark

From andre at is.co.za Thu Jul 10 10:46:20 2003
From: andre at is.co.za (Andre van der Merwe)
Date: Thu, 10 Jul 2003 12:46:20 +0200
Subject: Catalyst 1900
In-Reply-To: ; from Mark.Duling@biola.edu on Wed, Jul 09, 2003 at 12:47:31PM -0700
References:
Message-ID: <20030710124620.B2507@is.co.za>

Hi

Running TACACS+ makes things easier... All you then have to do is insert the 'K' before username and password at the "Enter Selection:" prompt. Hacking the clogin to do this is quite straightforward..

    admin 16% /usr/local/rancid/bin/clogin grumpy
    ...
    Catalyst 1900 Management Console
    Copyright (c) Cisco Systems, Inc. 1993-1998
    All rights reserved.
    Enterprise Edition Software
    ...
    -------------------------------------------------
    2 user(s) now active on Management Console.

            User Interface Menu

         [M] Menus
         [K] Command Line

    Enter Selection: K

    Authentication using TACACS+ is in progress.

    User Access Verification

    Username: rancid
    Password: **********

    CLI session with the switch is open.
    To end the CLI session, enter [Exit].

    grumpy>enable
    Enter password: ********
    grumpy#

Hope this helps.

-André

On Wed, Jul 09, 2003 at 12:47:31PM -0700, Mark Duling wrote:
> I resolved the problem with the 6000's and 4000's. Cat5 instead of Cisco
> was the correct type to use in the router.db.
>
> Is there any way to get RANCID working with a Catalyst 1900? Is it
> possible to hack a "recorded" expect session with a 1900 that gets me to
> the command line into a RANCID script so that it can work?
>
> Mark

From KevinC at Kgex.com.tw Fri Jul 11 04:52:33 2003
From: KevinC at Kgex.com.tw (KEVINC)
Date: Fri, 11 Jul 2003 12:52:33 +0800
Subject: Riverstone Router (and Enterasys 8600s, anyone?)
Message-ID:

hi afort:

yes it's very strange, why I need shorten router name!
this is a result when we use longer router name, but shorter name is ok....

retrieving revision 1.1
diff -u -4 -r1.1 10.1.1.7
@@ -0,0 +1,5 @@
+ !RANCID-CONTENT-TYPE: riverstone
+ !
+ !
+ !
+ !

by the way, "system set terminal rows 0" command can let router don't display "--- More: m, --- Quit: q --- One line: ---" at end of each page.. before I use this command, the configure that rancid fetch is very strange, like this:

    + 19 : acl rfc1918 deny ip 192.168.0.0/16 any any any

Kevin Chan

From klaus.hoedl at degussa.com Fri Jul 11 11:20:51 2003
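Review bot: revision 1.1 of 10.1.1.7 in the hunk above holds only the `!RANCID-CONTENT-TYPE: riverstone` header and four empty `!` comment lines, so with the longer router name the run stored no configuration body at all rather than a truncated or garbled one. Before settling on shortening the name, keep the raw rivlogin output for that host alongside this file and check whether the longer name changes the prompt so that rivlogin no longer matches it, since the five lines shown are what rancid writes before any device output is parsed.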
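Andrew Fort's message earlier in this thread proposes capturing the whole menu session, stripping the escape characters and storing the result, and Kevin's message above quotes both the pager line ("--- More: m, --- Quit: q --- One line: ---") and the header rancid writes into the repository. The block below is an added example, not rancid or rivlogin code, that does that normalisation in Python: it removes ANSI escape sequences, resolves backspace-corrected completion echoes, treats a bare carriage return as the terminal overwrite the pager uses to erase itself, drops any pager line that survives, and prefixes the `!RANCID-CONTENT-TYPE:` header. The sample capture is constructed for the example; only the `acl rfc1918` line and the pager text come from the thread, and the terminal init sequences and overwrite pattern are assumptions about what the device emits.

```python
import re

# Added example, not rancid code: normalise a raw Riverstone/Enterasys capture before
# it is stored, following Andrew Fort's suggestion (capture, strip escapes, store) and
# using the pager text and repository header quoted by Kevin Chan.  The sample capture
# is constructed; its ANSI sequences and CR-overwrite pattern are assumptions.

ANSI_CSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")   # ESC [ params intermediates final
ANSI_TWO_BYTE = re.compile(r"\x1b[@-Z\\-_]")         # remaining two-byte ESC sequences
PAGER_LINE = re.compile(r"^--- More: m, --- Quit: q --- One line: ---\s*$")


def undo_backspaces(line):
    """Apply backspace characters as a terminal would: each deletes the char before it,
    so a corrected completion echo like 'an\\b\\bany' collapses to what was displayed."""
    out = []
    for ch in line:
        if ch == "\b":
            if out:
                out.pop()
        else:
            out.append(ch)
    return "".join(out)


def clean_capture(raw):
    """Return the capture as plain text: no escape sequences, no pager prompts, LF line ends."""
    text = ANSI_TWO_BYTE.sub("", ANSI_CSI.sub("", raw))
    text = text.replace("\r\n", "\n")
    lines = []
    for line in text.split("\n"):
        if "\r" in line:
            # a bare CR means the device overwrote the line (how the pager prompt is
            # erased); what follows the last CR is what was left on screen
            line = line.rsplit("\r", 1)[-1]
        line = undo_backspaces(line).rstrip()
        if PAGER_LINE.match(line):
            continue
        lines.append(line)
    while lines and not lines[0]:
        lines.pop(0)
    while lines and not lines[-1]:
        lines.pop()
    return "\n".join(lines) + "\n"


def repository_text(raw, content_type="riverstone"):
    """Prefix the cleaned capture with the header rancid writes into the repository
    (the first line of Kevin's diff: '!RANCID-CONTENT-TYPE: riverstone')."""
    return "!RANCID-CONTENT-TYPE: %s\n!\n%s" % (content_type, clean_capture(raw))


# Constructed sample: terminal init sequences, a paged listing whose pager prompt is
# erased with CR + spaces + CR, and a line whose completion echo was backspaced over.
SAMPLE_CAPTURE = (
    "\x1b[?7h\x1b[0m! constructed sample, not a real Riverstone capture\r\n"
    + "acl rfc1918 deny ip 192.168.0.0/16 any any any\r\n"
    + "--- More: m, --- Quit: q --- One line: ---\r" + " " * 44 + "\r"
    + "acl rfc1918 deny ip 10.0.0.0/8 any any any\r\n"
    + "acl rfc1918 deny ip 172.16.0.0/12 any any an\b\bany\r\n"
)

if __name__ == "__main__":
    print(repository_text(SAMPLE_CAPTURE), end="")
```

Feed it the bytes captured from the menu-driven session (decoded as text) and commit the returned string as the device's file; `system set terminal rows 0`, as Kevin notes, removes the pager prompt at the source, and the CR handling here is only the fallback for captures taken without it.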
From: klaus.hoedl at degussa.com (klaus.hoedl at degussa.com)
Date: Fri, 11 Jul 2003 13:20:51 +0200
Subject: Rancid 2.2.2 Problem with CatOS Switches
Message-ID:

Hi all,

that's the first time I write to a mailing-list, I hope that will work and everything is correct...

With rancid on native IOS routers and switches, everything works perfectly!

I have problems running rancid 2.2.2 with Cisco CatOS Switches.

Rancid does not recognize the prompt correctly, even though there are some lines in the perl code which try to handle the native IOS and CatOS differences. The script seems to send a "set term length 0" command, even though this is a native IOS command which does not work on CatOS. Autoenable is set, because I have a priv 15 user.

With the inf0201> (enable) prompt, nothing happens. No command is sent from the rancid clogin script.
When I change the prompt to inf0201# (enable), the clogin script tries to send native IOS commands like "set term length 0". That command is not supported, and the script times out?

Since my knowledge of the rancid scripts is not very good, it would be great if there is a workaround..

Thanks for your support
Klaus

The original Switch-Prompt looks like this:

    Cisco Systems, Inc. Console

    ******************************************************
    *               inf0201                              *
    *     c a t a l y s t   4 0 0 6                      *
    *     F r a n k f u r t   D C   R a u m   3 2        *
    ******************************************************

    Username: hoedl
    Password:
    inf0201> (enable)

From arnold at nipper.de Fri Jul 11 12:12:34 2003
From: arnold at nipper.de (Nipper, Arnold)
Date: Fri, 11 Jul 2003 14:12:34 +0200
Subject: Fw: Rancid 2.2.2 Problem with CatOS Switches
Message-ID: <028401c347a5$b61d5f20$6790a8c0@nipper.de>

How does your entry in router.db look like? Should be something like

    your_catos_switch:cat5:up

That does at least work fine for me on cat 6509. The only problem I have is that I can't always get the config. But I couldn't yet figure out where the problem is. Maybe it's related to ssh, which takes a catos switch a long time to reply to,

Arnold

On Friday, July 11, 2003 1:20 PM, klaus.hoedl at degussa.com wrote:
> Hi all,
> that's the first time i write to a mailing-list, i hope that will work and
> everything is correct...
>
> With rancid on native IOS routers and switches, everything works perfect!
>
> I have problems running rancid 2.2.2 with Cisco CatOS Switches.
>
> Rancid does not recognize the prompt correctly, even there are some lines
> in the perl code which try to handle the native IOS and CatOS differences.
> The script seems to send a "set term length 0" command, even this is a
> nativeIOS command which does not work on CatOS.
> Autoenable is set, because i have a priv 15 user.
>
> With the inf0201> (enable) prompt, nothing happens. No command is send from
> the rancid clogin script.
> When i change the prompt to inf0201# (enable) , the clogin script tries to
> send native IOS commands like "set term length 0".
> That command is not supported, and the script times out ?
>
> Since my knowledge with the rancid scripts is not very good, it would be
> great if there is a workaround..
>
> Thanks for your support
> Klaus
>
> The original Switch-Prompt looks like this:
>
> Cisco Systems, Inc. Console
>
> ******************************************************
> *               inf0201                              *
> *     c a t a l y s t   4 0 0 6                      *
> *     F r a n k f u r t   D C   R a u m   3 2        *
> ******************************************************
>
> Username: hoedl
>
> Password:
> inf0201> (enable)

From heas at shrubbery.net Mon Jul 14 22:47:09 2003
From: heas at shrubbery.net (john heasley)
Date: Mon, 14 Jul 2003 22:47:09 +0000
Subject: Catalyst 1900
In-Reply-To: <20030710124620.B2507@is.co.za>
References: <20030710124620.B2507@is.co.za>
Message-ID: <20030714224709.GI25282@shrubbery.net>

Thu, Jul 10, 2003 at 12:46:20PM +0200, Andre van der Merwe:
>
> Hi
>
> Running TACACS+ makes things easier...
> All you then have to do is insert the 'K' before
> username and password at the "Enter Selection:" prompt.
> Hacking the clogin to do this is quite straight forward..
>

I do not have a 1900, but someone mentioned to me that with an enterprise s/w release, you could get the cli w/o any goofy menu system. that would be the optimal solution.

From klaus.hoedl at degussa.com Tue Jul 15 14:16:41 2003
From: klaus.hoedl at degussa.com (klaus.hoedl at degussa.com)
Date: Tue, 15 Jul 2003 16:16:41 +0200
Subject: Major faults in Rancid 2.2.2 during login to cisco CatOS Switches
Message-ID:

----- Forwarded by Klaus Hoedl/Degussa AG/DE on 15.07.2003 16:16 -----
From: Klaus Hoedl, 15.07.2003 16:10
To: rancid at shrubbery.net
Cc: majordomo at shrubbery.net
Subject: Major faults in Rancid 2.2.2 during login to cisco CatOS Switches

Hello together,

after several days of troubleshooting and reading the code, let me explain why rancid 2.2.2 simply CANNOT successfully login into a Cisco cat-os Switch in a specific environment:

Here is my environment:

Catalyst 4000, Cat-OS
Users are authenticated via TACACS,
the user "test" has privilege 15 rights and enters the enable mode automatically
autoenable in rancid is set to 1 (YES)
The enable prompt on the Cisco Cat4k is: switchname> (enable)

"Screenshot":

    Trying 10.1.1.1...
    Connected to switchname.
    Escape character is '^]'.

    Cisco Systems, Inc. Console

    ******************************************************
    *               switchname                           *
    *     c a t a l y s t   4 0 0 6                      *
    *                                                    *
    ******************************************************

    Username: test
    Password:
    switchname> (enable)

SIMPLE ERROR DESCRIPTION: When autoenabled = 1 on a CatOS Switch, rancid automatically internally sets the prompt to "#". It now expects a "#" on the commandline which is not the default enable prompt on a catalyst switch.
Even when you manually set the prompt to "switchname# (enable)" on the switch, rancid is not able to determine the correct OS type, is not able to see the "(enable)" string as an identification to be a catOS switch. Rancid then sends the wrong "term length" command (native IOS) and times out.

DETAIL:

rancid 2.2.2, clogin line 567:

    # in the Main-Loop:

    # Figure out prompt.
    # Since autoenable is off by default, if we have it defined, it
    # was done on the command line. If it is not specifically set on the
    # command line, check the password file.
    if $autoenable {
        set prompt "#"
    } else {
        set ae [find autoenable $router]
        if { "$ae" == "1" } {
            set autoenable 1
            set enable 0
            set prompt "#"
        } else {
            set autoenable 0
            set prompt ">"

>>>> Rancid sets the enable prompt to "#" each time autoenable is 1. It cannot handle the ">" enable prompt on CatOS Switch. No option for catOS here!!

clogin, line 673:

    # we are logged in, now figure out the full prompt
    send "\r"
    expect {
        -re "\[\r\n]+"            { exp_continue; }
        -re "^(.+:)1 $prompt"     { # stoopid extreme cmd-line numbers and
                                    # prompt based on state of config changes
                                    set junk $expect_out(1,string)
                                    regsub -all "^\\\* " $expect_out(1,string) {} junk
                                    set prompt ".? ?$junk\[0-9]+ $prompt";
                                    set platform "extreme"
                                  }
        -re "^.+$prompt"          { set junk $expect_out(0,string);
                                    regsub -all "\[\]\[]" $junk {\\&} prompt;
                                  }
        -re "^.+> \\\(enable\\\)" { set junk $expect_out(0,string);
                                    regsub -all "\[\]\[]" $junk {\\&} prompt; }
    }

>>>> There is definitely a bug in the matter the prompt is checked:
>>>> Rancid is now not able to determine the correct enable prompt, because the third expression ALWAYS matches in my environment!! >> -re "^.+$prompt" <<<
>>>> The 4th expression >> -re "^.+> \\\(enable\\\)" <<< which may be able to find out the correct prompt is never executed in my CatOS environment!!!!!

I think this is the same situation in the procedure "proc run_commands".

So the cisco login is successful, but rancid waits for the correct prompt to appear, hangs and times out.

I tried to manually change the prompt on my catalyst switch to "inf0201# (enable)". This has the following effect: The login procedure works now (because $prompt is now "#"), but again rancid is not able to find out the correct OS type, because the ">" sign is hardcoded in the regular expression:

    # If the prompt is (enable), then we are on a switch and the
    # command is "set length 0"; otherwise its "term length 0".
    if [ regexp -- ".*> .*enable" "$prompt" ] {
        send "set length 0\r"
        send "set logging session disable\r"
    } else {
        send "term length 0\r"
    }
    expect -re $prompt {}
    source $sfile

So the nativeIOS command "set term length 0" is executed on a catOS switch, and that fails.

So the combination: autoenabled=yes, OS is catOS, and the enable prompt is "switchname> (enable)" CANNOT work here.

What runs without trouble is the following combination:

The user does not get privilege 15 rights during logon
autoenable is set to 0 (off)
rancid logs into the Switch and enables with the enable password given in .cloginrc
(Good to have tacacs+ with a single, central enable password for all switches, otherwise that would create a very very large .cloginrc.....)

Would be great if that could be fixed and the catOS support could be enhanced..
For further questions and support you with some tests, you can contact me via mail.

Best regards,
Klaus

From eric at atlantech.net Tue Jul 15 14:47:45 2003
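Klaus's analysis above quotes three clogin 2.2.2 fragments: the hard-coded `#` prompt whenever autoenable is on, the "figure out the full prompt" expect block in which the generic `^.+$prompt` branch is tried before the `> (enable)` branch, and the `regexp ".*> .*enable"` test that chooses between `set length 0` and `term length 0`. The block below is an added example, not rancid code, that re-implements that autoenable path in Python on a single prompt line so the two symptoms he reports (timeout on `switchname> (enable)`, wrong pager command on `inf0201# (enable)`) can be reproduced, and shows a corrected ordering beside it. It models only the autoenable=1 path; with autoenable off clogin goes through its enable step, which Klaus reports as working and which is not quoted in the mail. Treating the prompt as one string rather than an expect buffer that also holds banner text is a simplification of the example.

```python
import re

# Added example, not rancid code: a model of the autoenable=1 path of clogin 2.2.2 as
# quoted in the mail above, and a corrected variant.  Treats the prompt line the switch
# returns after "\r" as a plain string (a real expect buffer also holds the banner).

EXTREME = re.compile(r"^(.+:)1 #")             # -re "^(.+:)1 $prompt", $prompt == "#"
GENERIC = re.compile(r"^.+#")                  # -re "^.+$prompt", tried before the CatOS branch
CATOS = re.compile(r"^.+> \(enable\)")         # -re "^.+> \\\(enable\\\)"
IS_CATOS_PROMPT = re.compile(r".*> .*enable")  # regexp that selects "set length 0"


def clogin_222_autoenable(line):
    """What clogin 2.2.2 does with autoenable=1 once the password is accepted.
    Returns result ("OK"/"TIMEOUT"), the prompt it settles on, and the pager command sent."""
    if "#" not in line:
        # login waits for a prompt ending in "#"; a CatOS "> (enable)" prompt never shows one
        return {"result": "TIMEOUT", "prompt": None, "paging": None}
    m = EXTREME.match(line)
    if m:
        prompt = re.sub(r"^\* ", "", m.group(1)) + r"[0-9]+ #"
    else:
        m = GENERIC.match(line)                  # generic branch first ...
        if m:
            prompt = m.group(0)                  # ... so "inf0201#" wins and "(enable)" is lost
        else:
            m = CATOS.match(line)
            prompt = m.group(0) if m else None
    if prompt is None:
        return {"result": "TIMEOUT", "prompt": None, "paging": None}
    paging = "set length 0" if IS_CATOS_PROMPT.search(prompt) else "term length 0"
    return {"result": "OK", "prompt": prompt, "paging": paging}


# Corrected variant (example only): a CatOS enable prompt may end in ">" or "#" before
# " (enable)", and it must be recognised before the generic "#" branch gets a chance.
CATOS_FIXED = re.compile(r"^.+[>#] \(enable\)")


def fixed_autoenable(line):
    """Check for a CatOS enable prompt first and accept it as the enable prompt even
    though it does not end in "#"; fall back to the IOS "#" prompt otherwise."""
    m = CATOS_FIXED.match(line)
    if m:
        return {"result": "OK", "prompt": m.group(0), "paging": "set length 0"}
    m = GENERIC.match(line)
    if m:
        return {"result": "OK", "prompt": m.group(0), "paging": "term length 0"}
    return {"result": "TIMEOUT", "prompt": None, "paging": None}


if __name__ == "__main__":
    for sample in ("switchname> (enable) ", "inf0201# (enable) ", "router#"):
        print(repr(sample))
        print("  2.2.2:", clogin_222_autoenable(sample))
        print("  fixed:", fixed_autoenable(sample))
```

The three samples are Klaus's unmodified CatOS prompt, his manually changed prompt, and a plain IOS enable prompt; the model reproduces the timeout for the first, the `term length 0` sent to CatOS for the second, and unchanged IOS behaviour for the third, while the corrected ordering sends `set length 0` to both CatOS forms.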
From: eric at atlantech.net (Eric Van Tol)
Date: Tue, 15 Jul 2003 10:47:45 -0400
Subject: CatOS Problem
Message-ID: <4CBD2D346320D541AB8BF4C0140EF7CD40D830@staq7.hq.atlantech.net>

Hi all,

I recently installed Rancid 2.2 on a FreeBSD 4.8 server and am having troubles getting it to work with CatOS. I have two 6509 switches running CatOS that Rancid will not work with. I have the following specified in my router.db:

    catswitch01:cat5:up
    catswitch02:cat5:up

When I run the 'do-diffs', the following is what I receive:

    starting: Mon Jul 14 21:45:07 EDT 2003

    Trying to get all of the configs.
    !
    catswitch01 clogin error: Error: TIMEOUT reached
    catswitch01: missed cmd(s): dir sup-bootflash:,write term,dir sup-microcode:,
    dir slot0:,dir bootflash:,dir slot1:,show port ifindex,show boot,show module,show flash,show version
    catswitch01: End of run not found
    !
    catswitch02 clogin error: Error: TIMEOUT reached
    catswitch02: missed cmd(s): dir sup-bootflash:,write term,dir sup-microcode:,
    dir slot0:,dir bootflash:,dir slot1:,show port ifindex,show boot,show module,show flash,show version
    catswitch02: End of run not found

I have tried using both the 'clogin' and 'cat5rancid' scripts to run commands in the switches, but nothing happens when it logs in. It gets to the 'catswitch01> (enable)' prompt and just times out. I am running CatOS 6.3.1 on both switches and using telnet to access them.

I tried searching through the archives and found several users with somewhat similar problems, but most of their issues were resolved by using 'cat5' in the router.db file. Any ideas?

thanks,
eric

From heas at shrubbery.net Tue Jul 15 19:22:10 2003
From: heas at shrubbery.net (john heasley) Date: Tue, 15 Jul 2003 12:22:10 -0700 Subject: Major faults in Rancid 2.2.2 during login to cisco CatOS Switches In-Reply-To: References: Message-ID: <20030715192210.GO28080@shrubbery.net> this is a known issue and is one of two issues to resolve before 2.3, but I have only a partial fix for it at the moment. Tue, Jul 15, 2003 at 04:16:41PM +0200, klaus.hoedl at degussa.com: > Hello together, > after several days of troubleshooting and reading the code, let me explain > why rancid 2.2.2 simply CANNOT successfully login into a Cisco cat-os > Switch in a specific environment: > > Here is my environment: > > Catalyst 4000, Cat-OS > Users are authenticated via TACACS, > the user "test" has priviledge 15 rights and enters the enable mode > automatically > autoenable in rancid is set to 1 (YES) > The enable prompt on the Cisco Cat4k is : switchname> (enable) > > "Screenshot": > > Trying 10.1.1.1... > Connected to switchname. > Escape character is '^]'. > > > Cisco Systems, Inc. Console > > > > ****************************************************** > * switchname * > * c a t a l y s t 4 0 0 6 * > * * > ****************************************************** > > > > Username: test > > Password: > switchname> (enable) > > > SIMPLE ERROR DESCRIPTION: When autoenabled = 1 on a CatOS Switch, rancid > automatically internally sets the prompt to "#". It now expects an "#" on > the commandline which is not the default enable prompt on a catalyst > switch. > Even when you manually set the prompt to "switchname# (enable)" on the > switch, rancid is not able to determine the correct OS type, is not able > to see the "(enable)" string an identification to be a catOS switch. Rancid > then send the wrong "term length" command (native IOS) and times out. > > DETAIL: > > rancid 2.2.2, clogin line 567: > > # in the Main-Loop: > > # Figure out prompt. 
> # Since autoenable is off by default, if we have it defined, it > # was done on the command line. If it is not specifically set on the > # command line, check the password file. > if $autoenable { > set prompt "#" > } else { > set ae [find autoenable $router] > if { "$ae" == "1" } { > set autoenable 1 > set enable 0 > set prompt "#" > } else { > set autoenable 0 > set prompt ">" > > >>>> Rancid sets the enable prompt to "#" each time autoenable is 1. It > cannot handle the ">" enable prompt on CatOS Switch. No option for catOS > here !! > > > clogin, line 673: > > # we are logged in, now figure out the full prompt > send "\r" > expect { > -re "\[\r\n]+" { exp_continue; } > -re "^(.+:)1 $prompt" { # stoopid extreme cmd-line numbers and > # prompt based on state of config changes > set junk $expect_out(1,string) > regsub -all "^\\\* " > $expect_out(1,string) {} junk > set prompt ".? ?$junk\[0-9]+ $prompt"; > set platform "extreme" > } > -re "^.+$prompt" { set junk $expect_out(0,string); > regsub -all "\[\]\[]" $junk {\\&} prompt; > } > -re "^.+> \\\(enable\\\)" { set junk $expect_out(0,string); > regsub -all "\[\]\[]" $junk {\\&} > prompt; } > > >>>> There is definetely a bug in the matter, the prompt is checked: > >>>> Rancid is now not able to determine the correct enable prompt, because > the third expression ALWAYS matches in my environment !! >> -re "^. > +$prompt" <<< > >>>> The 4th expression >> -re "^.+> \\\(enable\\\)" <<< which may be > able to find out the correct prompt is never executed in my CatOS > environment !!!!! > > I think this is the same situation in the procedure "proc run_commands". > > So the cisco login is successful, but rancid waits for the correct prompt > to appear, hangs and times out. > > I tried to manually change the prompt on my catalyst switch to "inf0201# > (enable)". 
> (enable)". This has the following effect: The login procedure works now
> (because $prompt is now "#"), but again rancid is not able to find out the
> correct OS type, because the ">" sign is hardcoded in the regular
> expression :
>
> # If the prompt is (enable), then we are on a switch and the
> # command is "set length 0"; otherwise its "term length 0".
> if [ regexp -- ".*> .*enable" "$prompt" ] {
>     send "set length 0\r"
>     send "set logging session disable\r"
> } else {
>     send "term length 0\r"
> }
> expect -re $prompt {}
> source $sfile
>
>
> So the nativeIOS command "set term length 0" is executed on a catOS switch,
> and that fails.
>
> So the combination: autoenabled=yes, OS is catOS, and the enable prompt is
> "switchname> (enable)" CANNOT work here.
>
> What runs without trouble is the following combination:
>
> The user does not get privilege 15 rights during logon
> autoenable is set to 0 (off)
> rancid logs into the Switch and enables with the enable password given in
> .cloginrc
> (Good to have tacacs+ with a single, central enable password for all
> switches, otherwise that would create a very very large .cloginrc..... )
>
>
> Would be great if that could be fixed and the catOS support could be
> enhanced..
> For further questions and support you with some tests, you can contact me
> via mail.
>
> Best regards,
> Klaus
>

From eric at atlantech.net Tue Jul 15 19:29:35 2003
From: eric at atlantech.net (Eric Van Tol)
Date: Tue, 15 Jul 2003 15:29:35 -0400
Subject: Major faults in Rancid 2.2.2 during login to cisco CatOS Switches
Message-ID: <4CBD2D346320D541AB8BF4C0140EF7CD4C06BD@staq7.hq.atlantech.net>

Yes, another user pointed it out to me. His explanation was a bit clearer
than the one on the archives. By removing 'autoenable' from these switches
and making a small modification to 'cat5rancid', I was able to get it
working.

Thanks,
eric

From imac at netstatz.com Thu Jul 17 01:45:51 2003
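Klaus's analysis above chains three facts from the quoted clogin 2.2.2 code: autoenable forces $prompt to "#", the default CatOS enable prompt contains no "#", and the platform check hardcodes ">" before "enable". The following is an added illustration (not RANCID's code) that reproduces those checks in Python on constructed prompt strings; the `is_catos_loosened` variant is a hypothetical alternative check, not a RANCID fix.

```python
import re

# Added illustration of the prompt handling Klaus quotes from clogin 2.2.2.
# Prompt strings used with these functions are constructed to match the
# shapes in his message ("switchname> (enable)", "switchname# (enable)").


def expected_prompt_char(autoenable):
    """clogin sets $prompt to "#" whenever autoenable is 1, otherwise ">"."""
    return "#" if autoenable else ">"


def prompt_found(line, prompt_char):
    """The quoted clause  -re "^.+$prompt" : the line must contain $prompt.

    With autoenable the default CatOS prompt "switchname> (enable)" has no
    "#", so clogin keeps waiting for a prompt that never appears.
    """
    return re.search(r"^.+" + re.escape(prompt_char), line) is not None


def is_catos_clogin(full_prompt):
    """clogin's check:  if [ regexp -- ".*> .*enable" "$prompt" ]

    The ">" is hardcoded, so a prompt changed to "switchname# (enable)"
    is not recognised as CatOS.
    """
    return re.search(r".*> .*enable", full_prompt) is not None


def is_catos_loosened(full_prompt):
    """Hypothetical variant (not RANCID's code): accept either ">" or "#"
    before "(enable)", so both CatOS prompt forms count as CatOS."""
    return re.search(r"[>#] \(enable\)", full_prompt) is not None


def pager_command(full_prompt, catos_check=is_catos_clogin):
    """Paging command clogin sends: CatOS needs "set length 0", IOS
    "term length 0"; on CatOS the wrong one fails and the session times out."""
    return "set length 0" if catos_check(full_prompt) else "term length 0"
```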
From: imac at netstatz.com (Ian B. MacDonald)
Date: 16 Jul 2003 21:45:51 -0400
Subject: AS5300's and VoIP Dial Peers
Message-ID: <1058406351.1628.117.camel@IBM-MAIN>

Hey guys,

I have just joined the list, having reviewed some of the rancid-discuss
archives and read thru the FAQ.gz and README.

I am looking at using this tool to do-diffs and do-globalconfigchanges on a
group of Cisco devices. Within that group are about 30 Cisco AS5300 routers
performing VoIP operations. A normal 'sh run' will give you the config,
however there are several hundred/thousand dial peers.

These are big configs, as I recall some will only 'wr mem' with compression
on.

Does anyone know what I can expect with RANCID and these huge configs? I am
assuming one of a few things might happen,

1) Rancid works with 5300s, time-to-diff is related to the number of peers.
2) Rancid only reads what it understands, skips the Voip Peers and sticks to
   the core Cisco goods.
3) Rancid would work, however the router times out the sh run command, sort
   of like what I encountered with SNMP+OpenNMS before applying proper
   snmp-views to the giant interface table.
4) Some modification to the script would allow Rancid to skip the Voip
   stuff.. break out of the sh run after main config and operate like 1)

cheers,
imac.

From heas at shrubbery.net Thu Jul 17 16:47:00 2003
From: heas at shrubbery.net (john heasley)
Date: Thu, 17 Jul 2003 09:47:00 -0700
Subject: AS5300's and VoIP Dial Peers
In-Reply-To: <1058406351.1628.117.camel@IBM-MAIN>
References: <1058406351.1628.117.camel@IBM-MAIN>
Message-ID: <20030717164700.GJ13521@shrubbery.net>

Wed, Jul 16, 2003 at 09:45:51PM -0400, Ian B. MacDonald:
> Hey guys,
>
> I have just joined the list, having reviewed some of the rancid-discuss
> archives and read thru the FAQ.gz and README.
>
> I am looking at using this tool to do-diffs and do-globalconfigchanges
> on a group of Cisco devices. Within that group are about 30 Cisco AS5300
> routers performing VoIP operations. A normal 'sh run' will give you the
> config, however there are several hundred/thousand dial peers.
>
> These are big configs, as I recall some will only 'wr mem' with
> compression on.

this issue is likely that the (saved) config will not fit in nvram w/o
compression, not that it will not be displayed (which is always
uncompressed).

> Does anyone know what I can expect with RANCID and these huge configs? I
> am assuming one of a few things might happen,

assuming there are no special commands to display voip stuffs, it should
work. i expect there are likely things that ought to be filtered for
security or reduce diffs from config goop that changes automatically (such
as ntp drift or uptime). Those would be welcome patches.

> 1) Rancid works with 5300s, time-to-diff is related to the number of
> peers.
> 2) Rancid only reads what it understands, skips the Voip Peers and
> sticks to the core Cisco goods.
> 3) Rancid would work, however the router timesout the sh run command,
> sort of like what I encountered with SNMP+OpenNMS before applying proper
> snmp-views to the giant interface table.
> 4) Some modification to the script would allow Rancid to skip the Voip
> stuff.. break out of the sh run after main config and operate like 1)
>
> cheers,
> imac.
>

From asp at partan.com Thu Jul 17 18:03:28 2003
From: asp at partan.com (Andrew Partan)
Date: Thu, 17 Jul 2003 14:03:28 -0400
Subject: AS5300's and VoIP Dial Peers
In-Reply-To: <20030717164700.GJ13521@shrubbery.net>
References: <1058406351.1628.117.camel@IBM-MAIN> <20030717164700.GJ13521@shrubbery.net>
Message-ID: <20030717180327.GC40674@partan.com>

On Thu, Jul 17, 2003 at 09:47:00AM -0700, john heasley wrote:
> > 3) Rancid would work, however the router timesout the sh run command,

You might hit this; default timeout is 90 seconds, but give it a shot & let
us know.
	--asp

From saro at arizona.edu Tue Jul 22 06:31:20 2003
From: saro at arizona.edu (Saro Hayan)
Date: Mon, 21 Jul 2003 23:31:20 -0700
Subject: Problem with CatOS 7.6.2
Message-ID:

Hello,

Ever since a recent upgrade to CatOS 7.6.2 on some of our Cat switches, it
seems I can no longer get clogin to log into these switches. Clogin attempts
to enable as opposed to sending the user/pass identified in the .cloginrc
file. This seems to work fine for any switch running 7.2.2 and below. Anyone
else run into this?

Saro

From afort at choqolat.org Wed Jul 23 11:32:32 2003
From: afort at choqolat.org (Andrew Fort)
Date: Wed, 23 Jul 2003 21:32:32 +1000
Subject: expect question
Message-ID: <3F1E7250.8020302@choqolat.org>

A question for the expect clueful lurking..

Can one perform a regsub on the data returning from the telnet/ssh/etc
session?
I'd like to escape out an RE of terminal control characters that are
intermingled in the stream before being passed to the expect clause.

From heas at shrubbery.net Wed Jul 23 18:51:46 2003
From: heas at shrubbery.net (john heasley)
Date: Wed, 23 Jul 2003 11:51:46 -0700
Subject: expect question
In-Reply-To: <3F1E7250.8020302@choqolat.org>
References: <3F1E7250.8020302@choqolat.org>
Message-ID: <20030723185146.GN1334@shrubbery.net>

Wed, Jul 23, 2003 at 09:32:32PM +1000, Andrew Fort:
> A question for the expect clueful lurking..
>
> Can one perform a regsub on the data returning from the telnet/ssh/etc
> session?
> I'd like to escape out an RE of terminal control characters that are
> intermingled in the stream before being passed to the expect clause.
>

i do not know of any way to do this. ultimately,

	expect_before {
		"esc-match" { rewrite_w/o
			      push back
			      exp_continue
			    }
	}

afaik, your only option is to match the curses junk, strip it, and continue.

when working on hrancid, i could not get this to work properly. i bagged
it and hence hpfilter.

From richardt at midgard.net Wed Jul 23 18:59:24 2003
From: richardt at midgard.net (Richard Threadgill)
Date: Wed, 23 Jul 2003 11:59:24 -0700
Subject: expect question
In-Reply-To: <20030723185146.GN1334@shrubbery.net>
References: <3F1E7250.8020302@choqolat.org>
Message-ID: <21542.1058986764@wonderlan.midgard.net>

In message <20030723185146.GN1334 at shrubbery.net>john heasley writes
>Wed, Jul 23, 2003 at 09:32:32PM +1000, Andrew Fort:
>> A question for the expect clueful lurking..
>>
>> Can one perform a regsub on the data returning from the telnet/ssh/etc
>> session?
>> I'd like to escape out an RE of terminal control characters that are
>> intermingled in the stream before being passed to the expect clause.
>>
>
>i do not know of any way to do this. ultimately,
>
>	expect_before {
>		"esc-match" { rewrite_w/o
>			      push back
>			      exp_continue
>			    }
>	}
>
>afaik, your only option is to match the curses junk, strip it, and continue.
>
>when working on hrancid, i could not get this to work properly. i bagged
>it and hence hpfilter.

Yeah, that's what's supposed to work. I've used it once or twice in some
extreme cases with some other tcl apps, but it's tricky. The O'Reilly tcl
book actually gives an example of doing basically this, but I haven't had a
chance to look at the rancid code at where it would need to be shoe-horned
in.

John - was there any chance that the reason things weren't working were that
you weren't in the line mode you thought you were in? Or that you were
trying to trap control chars when you needed to be trying to trap telnet
glyphs?

One of the nasty things we encountered while working with delivery drivers
for Ponte was that we needed more of telnet in the driver than we expected,
to deal with session backup, and disconnect, etc - basically, we
(programmers) always were thinking about the session as being in line mode
when in fact it's in character mode. This normally doesn't matter, but when
you're trying to strip out terminal control noise it becomes really
important.
Also, keep in mind that in many circumstances the human is thinking 'and now
the terminal is sending a when what's actually happening is that the far end
is sending a telnet protocol-glyph for and the expect session is receiving
that glyph instead of .

RichardT

From heas at shrubbery.net Wed Jul 23 19:15:42 2003
From: heas at shrubbery.net (john heasley)
Date: Wed, 23 Jul 2003 12:15:42 -0700
Subject: expect question
In-Reply-To: <21542.1058986764@wonderlan.midgard.net>
References: <3F1E7250.8020302@choqolat.org> <21542.1058986764@wonderlan.midgard.net>
Message-ID: <20030723191542.GR1334@shrubbery.net>

Wed, Jul 23, 2003 at 11:59:24AM -0700, Richard Threadgill:
> In message <20030723185146.GN1334 at shrubbery.net>john heasley writes
> >Wed, Jul 23, 2003 at 09:32:32PM +1000, Andrew Fort:
> >> A question for the expect clueful lurking..
> >>
> >> Can one perform a regsub on the data returning from the telnet/ssh/etc
> >> session?
> >> I'd like to escape out an RE of terminal control characters that are
> >> intermingled in the stream before being passed to the expect clause.
> >>
> >
> >i do not know of any way to do this. ultimately,
> >
> >	expect_before {
> >		"esc-match" { rewrite_w/o
> >			      push back
> >			      exp_continue
> >			    }
> >	}
> >
> >afaik, your only option is to match the curses junk, strip it, and continue.
> >
> >when working on hrancid, i could not get this to work properly. i bagged
> >it and hence hpfilter.
>
> Yeah, that's what's supposed to work. I've used it once or twice in
> some extreme cases with some other tcl apps, but it's tricky. The
> O'Reilly tcl book actually gives an example of doing basically
> this, but I haven't had a chance to look at the rancid code at
> where it would need to be shoe-horned in.

page? what's the variable you modify to get it to consider it as part of
the next expect (i forget)?

> John - was there any chance that the reason things weren't
> working were that you weren't in the line mode you thought you
> were in? Or that you were trying to trap control chars when you
> needed to be trying to trap telnet glyphs?

shouldn't matter. i was just looking for escape and/or escape sequences
(curses crap). expect should read in chars and try to match, or repeat
until match. \e would never match.
while hpfilter basically does the same thing, but works.

> One of the nasty things we encountered while working
> with delivery drivers for Ponte was that we needed more of telnet
> in the driver than we expected, to deal with session backup, and
> disconnect, etc - basically, we (programmers) always were
> thinking about the session as being in line mode when in fact it's
> in character mode. This normally doesn't matter, but when you're
> trying to strip out terminal control noise it becomes really
> important. Also, keep in mind that in many circumstances the
> human is thinking 'and now the terminal is sending a
> when what's actually happening is that the far end is sending a
> telnet protocol-glyph for and the expect session
> is receiving that glyph instead of .

well, rusty on telnet protocol, but is that not dependent upon 7/8 bit
and/or options? of course, hpfilter only tries to deal with curses stuff.
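The approach john heasley and Richard Threadgill discuss above (match the curses escape sequences, strip them, and only then match the prompt) runs into the character-mode problem they mention: a sequence can arrive split across two reads, so a pattern anchored on ESC never sees a complete sequence. The following is an added example, not code from rancid or hpfilter, of a stream filter that holds back an incomplete trailing escape until the next chunk; the escape-sequence patterns cover common CSI and two-byte ESC codes, and the session chunks are constructed.

```python
import re

# Constructed patterns: CSI sequences (ESC [ params intermediates final) and
# two-byte ESC sequences (ESC followed by one byte in 0x30-0x3E or 0x40-0x5F).
CSI_RE = re.compile(rb"\x1b\[[0-?]*[ -/]*[@-~]")
ESC2_RE = re.compile(rb"\x1b[0-9=>@-Z\\-_]")
# Prompt shape of the session below: "hostname# " at the end of the cleaned data.
PROMPT_RE = re.compile(rb"[\w-]+# $")

# Constructed session output, deliberately splitting escape sequences across
# reads and ending the prompt with an "erase to end of line" sequence.
SAMPLE_CHUNKS = [
    b"\x1b[H\x1b[2Jhp-switch login\r\n",
    b"Password: \x1b[",
    b"0m\r\nHP ProCurve\x1b[1;",
    b"24r\r\nhp-switch# \x1b[K",
]


class EscapeStripper:
    """Strip terminal control sequences from a byte stream fed in arbitrary
    chunks. A trailing ESC that does not yet form a complete sequence is kept
    back and prepended to the next chunk instead of leaking into the output."""

    def __init__(self):
        self.pending = b""

    def feed(self, chunk):
        data = self.pending + chunk
        last = data.rfind(b"\x1b")
        if last != -1 and not (CSI_RE.match(data, last) or ESC2_RE.match(data, last)):
            self.pending, data = data[last:], data[:last]   # incomplete tail
        else:
            self.pending = b""
        return ESC2_RE.sub(b"", CSI_RE.sub(b"", data))


def read_until_prompt(chunks, prompt_re):
    """Feed chunks through the stripper and match the prompt on cleaned data.
    Returns (cleaned_output, matched_prompt_or_None)."""
    stripper, buf = EscapeStripper(), b""
    for chunk in chunks:
        buf += stripper.feed(chunk)
        m = prompt_re.search(buf)
        if m:
            return buf, m.group(0)
    return buf, None
```

Matching the same prompt pattern against the raw, unstripped bytes fails here because the trailing erase sequence follows the prompt, which is the situation the stripping step exists for.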