From bryce at gis2.com Tue Dec 7 19:45:36 2004
From: bryce at gis2.com (Bryce Edwards)
Date: Tue, 7 Dec 2004 13:45:36 -0600
Subject: Alteon SSL and Dell PowerConnect
Message-ID: <01f701c4dc95$5296f840$c8320a0a@gis2.com>

I was hoping you could point me in the right direction for using RANCID
on a couple of devices it doesn't seem to currently support. I'd like to
customize it to be able to get configs for Alteon iSD SSL device as well
as Dell PowerConnect switches.

Please point me in the right direction of how I should do that. I assume
I need to copy a script and edit the Expect to use the correct dialog for
those devices, which would be very similar to the existing Alteon and
Cisco scripts.

I would be happy to provide session logs if that helps get support for
these devices into the official version.

Thanks!

--
Bryce

From faron.hopper at capgemini.com Wed Dec 8 17:27:44 2004
From: faron.hopper at capgemini.com (Hopper, Faron W.)
Date: Wed, 8 Dec 2004 12:27:44 -0500
Subject: add method * {telnet} {ssh} not working
Message-ID: <0D9EF3454D8EFC4B8BFFD2B8629416815625E7@caonmastxm03.na.capgemini.com>

Hello,

I have configured RANCID (v2.3) on a FreeBSD box. It seems to be working
for some devices. When I look at the log file I see that it is trying ssh
to devices even though I have added a method stating that I want telnet
first. I have 2 devices in my router.db file that accept ssh, and they
are the only 2 that are working. I am using a TACACS+ username to login
to all Cisco devices. Any ideas what the problem might be?

Thanks
Faron

.cloginrc
=====================================
add autoenable * {1}
add enauser * {net\-cfg\-bak}
add password * {password}
add method * {telnet} {ssh}

log file:
=====================================
Getting missed routers: round 4.
10.153.207.197 clogin error: Error: Connection Refused (ssh): 10.153.207.197
10.153.207.197: missed cmd(s): show bootvar,show redundancy secondary,dir /all sup-microcode:,show boot,dir /all slaveslot1:,show vlan,dir /all harddiskb:,dir /all slot1:,show rsp chassis-info,show diag,dir /all slavedisk1:,dir /all sec-slot1:,dir /all disk1:,show vtp status,show controllers,dir /all bootflash:,dir /all sec-disk1:,show diagbus,show flash,dir /all slaveslot0:,dir /all slavenvram:,dir /all harddiska:,dir /all slaveslot2:,dir /all slot0:,show c7200,show module,write term,dir /all nvram:,dir /all sup-bootflash:,dir /all slot2:,dir /all slavedisk0:,dir /all sec-slot0:,show version,show controllers cbus,dir /all harddisk:,dir /all sec-nvram:,dir /all slavedisk2:,dir /all sec-slot2:,show env all,dir /all disk0:,dir /all disk2:,show variables boot,show gsr chassis,dir /all sec-disk0:,show idprom backplane,show spe version,dir /all slavesup-bootflash:,dir /all sec-disk2:,dir /all slavebootflash:,dir /all sec-bootflash:,show running-config,show install active
10.153.207.197: End of run not found
!
10.153.207.200 clogin error: Error: Connection Refused (ssh): 10.153.207.200
10.153.207.200: missed cmd(s): show bootvar,show redundancy secondary,dir /all sup-microcode:,show boot,dir /all slaveslot1:,show vlan,dir /all harddiskb:,dir /all slot1:,show rsp chassis-info,show diag,dir /all slavedisk1:,dir /all sec-slot1:,dir /all disk1:,show vtp status,show controllers,dir /all bootflash:,dir /all sec-disk1:,show diagbus,show flash,dir /all slaveslot0:,dir /all slavenvram:,dir /all harddiska:,dir /all slaveslot2:,dir /all slot0:,show c7200,show module,write term,dir /all nvram:,dir /all sup-bootflash:,dir /all slot2:,dir /all slavedisk0:,dir /all sec-slot0:,show version,show controllers cbus,dir /all harddisk:,dir /all sec-nvram:,dir /all slavedisk2:,dir /all sec-slot2:,show env all,dir /all disk0:,dir /all disk2:,show variables boot,show gsr chassis,dir /all sec-disk0:,show idprom backplane,show spe version,dir /all slavesup-bootflash:,dir /all sec-disk2:,dir /all slavebootflash:,dir /all sec-bootflash:,show running-config,show install active
10.153.207.200: End of run not found

From asp at partan.com Wed Dec 8 20:46:20 2004
From: asp at partan.com (Andrew Partan)
Date: Wed, 8 Dec 2004 15:46:20 -0500
Subject: add method * {telnet} {ssh} not working
In-Reply-To: <0D9EF3454D8EFC4B8BFFD2B8629416815625E7@caonmastxm03.na.capgemini.com>
References: <0D9EF3454D8EFC4B8BFFD2B8629416815625E7@caonmastxm03.na.capgemini.com>
Message-ID: <20041208204620.GA68626@partan.com>

On Wed, Dec 08, 2004 at 12:27:44PM -0500, Hopper, Faron W. wrote:
> I have configured RANCID (v2.3) on a FreeBSD box. It seems to be
> working for some devices. When I look at the log file I see that
> it is trying ssh to devices even though I have added a method stating
> that I want telnet first. I have 2 devices in my router.db file
> that accept ssh, and they are the only 2 that are working. I am
> using a TACACS+ username to login to all Cisco devices. Any ideas
> what the problem might be?

It could be that both telnet and ssh are failing. clogin typically
only logs the final error when it can't reach some device.

	--asp

From dpfleger at pfleger.org Wed Dec 8 22:42:08 2004
From: dpfleger at pfleger.org (Dan Pfleger)
Date: Wed, 08 Dec 2004 14:42:08 -0800
Subject: Alteon SSL and Dell PowerConnect
In-Reply-To: <01f701c4dc95$5296f840$c8320a0a@gis2.com>
Message-ID: <5.1.1.5.2.20041208142943.02fab4d8@mail.pfleger.org>

> Dell PowerConnect switches
<...>
> assume I need to copy a script and edit the Expect to use
> the correct dialog for those devices, which would be very
> similar to the existing Alteon and Cisco scripts.

Hi Bryce,

I had made dlogin/drancid stuff from the default Cisco scripts for the
Power Connects when they came out about 18 months back (original
3000/3200/5000 series). It was a pretty quick change in the original
files, but sadly within 6 weeks/months Dell changed the firmware;
commands and prompts changed drastically. When I asked the sales rep, he
said that was "part of the strategy because they out-sourced various
platforms to different OEM manufacturers to get me the lowest price."

Also, the terminal emulation was not 100% consistent and would hang about
once every couple of weeks, so be forgiving in your pattern-matching.

I lost interest in continuing to maintain them for even personal use
because it was a real pain keeping up with their changing syntax per
platform/version/HW-revision/hangs.

Shouldn't be too tough to get something that will be functional, but
making something for the main distribution would be a headache to test
and maintain.

Best of luck,
Dan

From faron.hopper at capgemini.com Thu Dec 16 21:32:14 2004
From: faron.hopper at capgemini.com (Hopper, Faron W.)
Date: Thu, 16 Dec 2004 16:32:14 -0500
Subject: question about lgform.cgi
Message-ID: <0D9EF3454D8EFC4B8BFFD2B862941681576A89@caonmastxm03.na.capgemini.com>

I have installed rancid on FreeBSD. I also installed the looking glass
software. When I bring up the webpage http://server/cgi-bin/lgform.cgi,
it loads the front end, but it is not populating the routers on the page.
When I looked at the code, it appeared to me that it is supposed to pull
its info from the rancid cvs file router.db. Do I have to configure
lgform.cgi to know where these files are? It wasn't very clear in the
file what needs to be done.

Thanks,

Faron Hopper
Capgemini
Network Engineering
Kansas City, MO 64116
816.459.5139

From asp at partan.com Thu Dec 16 23:12:09 2004
From: asp at partan.com (Andrew Partan)
Date: Thu, 16 Dec 2004 18:12:09 -0500
Subject: question about lgform.cgi
In-Reply-To: <0D9EF3454D8EFC4B8BFFD2B862941681576A89@caonmastxm03.na.capgemini.com>
References: <0D9EF3454D8EFC4B8BFFD2B862941681576A89@caonmastxm03.na.capgemini.com>
Message-ID: <20041216231209.GB19295@partan.com>

On Thu, Dec 16, 2004 at 04:32:14PM -0500, Hopper, Faron W. wrote:
> I have installed rancid on FreeBSD. I also installed the looking
> glass software. When I bring up the webpage
> http://server/cgi-bin/lgform.cgi, it loads the front end, but it
> is not populating the routers on the page. When I looked at the
> code, it appeared to me that it is supposed to pull its info from
> the rancid cvs file router.db. Do I have to configure lgform.cgi
> to know where these files are? It wasn't very clear in the file
> what needs to be done.

Yes, in lg.conf, set LG_ROUTERDB to the location of router.db.
See the comments in etc/lg.conf.sample.

	--asp

From faron.hopper at capgemini.com Fri Dec 17 15:53:20 2004
From: faron.hopper at capgemini.com (Hopper, Faron W.)
Date: Fri, 17 Dec 2004 10:53:20 -0500
Subject: question about lgform.cgi
Message-ID: <0D9EF3454D8EFC4B8BFFD2B862941681576A8C@caonmastxm03.na.capgemini.com>

Andrew,

You are right, I see the wisdom of it now. It would help if I were to
look at that file, instead of directly at the cgi script. Thank you for
pointing that out.

I have another question. If I set the LG_ROUTERDB var to the following,

#$LG_ROUTERDB="/usr/local/etc/rancid//router.db";
$LG_ROUTERDB="/usr/local/var/rancid//router.db";

I don't see any of my group configured routers. If I change the // to a
group name it works fine, but only for that group. For example,

$LG_ROUTERDB="/usr/local/var/rancid/cg/router.db";

works fine.

The help for that variable states

# LG_ROUTERDB is the router.db in rancid's router.db format, listing
# the routers and their platform that should be available to
# the looking glass. if defined, the LG will use this variable
# to find the router.db. if not defined, it will look for it
# at //router.db. if it does not exist, it
# will build the list from /*/router.db (i.e.: the
# router.db's from all your groups). note that if you choose
# this last option; the group directories and router.db files'
# modes may have to be changed, depending upon the UID/GID of
# the user your server (httpd) runs under, since rancid's default
# mask is 007 (see etc/rancid.conf). routers not marked 'up' are
# skipped.
#

This variable was not defined before I started to mess with lg.conf, so I
don't think that it is looking in the /usr/local/var/rancid directory for
this information. How do I get it to use 1) a prefix that is
/usr/local/var/rancid, or 2) configure the variable to use the group
subdir's under /usr/local/var/rancid?

For example,

/usr/local/var/rancid/group1
/usr/local/var/rancid/group2
/usr/local/var/rancid/group3
/usr/local/var/rancid/group4
.
.
.
etc

Thank you in advance for helping a very slow learner.

Faron Hopper
Capgemini
Network Engineering
Kansas City, MO 64116
816.459.5139

-----Original Message-----
From: Andrew Partan [mailto:asp at partan.com]
Sent: Thursday, December 16, 2004 5:12 PM
To: Hopper, Faron W.
Cc: rancid-discuss at shrubbery.net
Subject: Re: question about lgform.cgi

On Thu, Dec 16, 2004 at 04:32:14PM -0500, Hopper, Faron W. wrote:
> I have installed rancid on FreeBSD. I also installed the looking
> glass software. When I bring up the webpage
> http://server/cgi-bin/lgform.cgi, it loads the front end, but it is
> not populating the routers on the page. When I looked at the code, it
> appeared to me that it is supposed to pull its info from the rancid
> cvs file router.db. Do I have to configure lgform.cgi to know where
> these files are? It wasn't very clear in the file what needs to be
> done.

Yes, in lg.conf, set LG_ROUTERDB to the location of router.db.
See the comments in etc/lg.conf.sample.

	--asp

From heas at shrubbery.net Fri Dec 17 16:46:02 2004
From: heas at shrubbery.net (john heasley) Date: Fri, 17 Dec 2004 08:46:02 -0800 Subject: question about lgform.cgi In-Reply-To: <0D9EF3454D8EFC4B8BFFD2B862941681576A8C@caonmastxm03.na.capgemini.com> References: <0D9EF3454D8EFC4B8BFFD2B862941681576A8C@caonmastxm03.na.capgemini.com> Message-ID: <20041217164602.GD8746@shrubbery.net> Fri, Dec 17, 2004 at 10:53:20AM -0500, Hopper, Faron W.: > > Andrew, > You are right, I see the wisdom of it now. It would help if I were to look at that file, instead of directly at the cgi script. Thank you for pointing that out. > > I have another question. If I set the LG_ROUTERDB var to the following, > > #$LG_ROUTERDB="/usr/local/etc/rancid//router.db"; > $LG_ROUTERDB="/usr/local/var/rancid//router.db"; /usr/local/etc/rancid is an odd directory as far as rancid's autoconf is concerned. Assuming a --prefix of /usr/local, I'd expect that path to be /usr/local/etc/router.db. lg.conf does not provide a way to reconfigure the LOCALSTATEDIR, which is used as the directory which it searches for the list of routers. Its value is determined by autoconf. If LG_ROUTERDB is specified, it's value is treated solely as a file, a router.db file. No reason that could not be treated as a directory when it is one. Try this patch. Index: lg.cgi.in =================================================================== RCS file: /home/rancid/.CVS/rancid/bin/lg.cgi.in,v retrieving revision 1.51 diff -d -u -r1.51 lg.cgi.in --- lg.cgi.in 19 May 2004 22:59:18 -0000 1.51 +++ lg.cgi.in 17 Dec 2004 16:42:08 -0000 
@@ -125,7 +125,13 @@ local(*RTR); if (defined($LG_ROUTERDB)) { - $rtrdb = $LG_ROUTERDB; + # if LG_ROUTERDB is a directory, replace LOCALSTATEDIR with its value + # and search it for router.dbs. + if (-d "$LG_ROUTERDB") { + $LOCALSTATEDIR = $LG_ROUTERDB; + } else { + $rtrdb = $LG_ROUTERDB; + } } else { $rtrdb = "$SYSCONFDIR/router.db"; } Index: lgform.cgi.in =================================================================== RCS file: /home/rancid/.CVS/rancid/bin/lgform.cgi.in,v retrieving revision 1.29 diff -d -u -r1.29 lgform.cgi.in --- lgform.cgi.in 3 Sep 2004 18:41:25 -0000 1.29 +++ lgform.cgi.in 17 Dec 2004 16:42:53 -0000 
@@ -116,7 +116,13 @@ local(*RTR); if (defined($LG_ROUTERDB)) { - $rtrdb = $LG_ROUTERDB; + # if LG_ROUTERDB is a directory, replace LOCALSTATEDIR with its value + # and search it for router.dbs. + if (-d "$LG_ROUTERDB") { + $LOCALSTATEDIR = $LG_ROUTERDB; + } else { + $rtrdb = $LG_ROUTERDB; + } } else { $rtrdb = "$SYSCONFDIR/router.db"; } > I don't see any of my group configured routers. If I change the // to a group name it works fine, but And, you probably have error messages in your log about the file not existing. > only for that group. For example, > > $LG_ROUTERDB="/usr/local/var/rancid/cg/router.db"; > > works fine. > > The help for that variable states > > # LG_ROUTERDB is the router.db in rancid's router.db format, listing > # the routers and their platform that should be available to > # the looking glass. if defined, the LG will use this variable > # to find the router.db. if not defined, it will look for it > # at //router.db. if it does not exist, it > # will build the list from /*/router.db (i.e.: the > # router.db's from all your groups). note that if you choose > # this last option; the group directories and router.db files' > # modes may have to be changed, depending upon the UID/GID of > # the user your server (httpd) runs under, since rancid's default > # mask is 007 (see etc/rancid.conf). routers not marked 'up' are > # skipped. > # > > This varilable was not defined before started to mess lg.conf, so I don't think that it is looking in the > /usr/local/var/rancid directory for this information. How do I get it to use 1) a prefix that is /usr/local/var/rancid, or 2) configure the variable to use the group subdir's under /usr/local/var/rancid? > > For example, > > /usr/local/var/rancid/group1 > /usr/local/var/rancid/group2 > /usr/local/var/rancid/group3 > /usr/local/var/rancid/group4 > . > . > . > etc > > Thank you in advance for helping a very slow learner. 
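Review bot: in the lg.cgi.in hunk (@@ -125,7 +125,13 @@), the new -d branch assigns $LOCALSTATEDIR but leaves $rtrdb unset, so the directory case only works if the code that follows this block treats an undefined $rtrdb like a missing file and falls back to the per-group search; that code is outside the hunk. Either set $rtrdb explicitly in the directory branch or extend the comment to say the fallback is relied on. The LG_ROUTERDB description in etc/lg.conf.sample should also state that a directory is now accepted.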
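Review bot: in the lgform.cgi.in hunk (@@ -116,7 +116,13 @@), the else branch still accepts any value that is not a directory without checking that it exists, so a setting such as /usr/local/var/rancid//router.db becomes $rtrdb silently and the user only sees an empty router list. Logging the rejected path at this point would make the misconfiguration visible. The added block is also a verbatim copy of the one in lg.cgi.in; a routine shared by both scripts would keep the two from drifting apart.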
> Faron Hopper
> Capgemini
> Network Engineering
> Kansas City, MO 64116
> 816.459.5139
>
>
> -----Original Message-----
> From: Andrew Partan [mailto:asp at partan.com]
> Sent: Thursday, December 16, 2004 5:12 PM
> To: Hopper, Faron W.
> Cc: rancid-discuss at shrubbery.net
> Subject: Re: question about lgform.cgi
>
>
> On Thu, Dec 16, 2004 at 04:32:14PM -0500, Hopper, Faron W. wrote:
> > I have installed rancid on FreeBSD. I also installed the looking
> > glass software. When I bring up the webpage
> > http://server/cgi-bin/lgform.cgi, it loads the front end, but it is
> > not populating the routers on the page. When I looked at the code, it
> > appeared to me that it is supposed to pull its info from the rancid
> > cvs file router.db. Do I have to configure lgform.cgi to know where
> > these files are? It wasn't very clear in the file what needs to be
> > done.
>
> Yes, in lg.conf, set LG_ROUTERDB to the location of router.db. See the comments in etc/lg.conf.sample.
> 	--asp
>

From faron.hopper at capgemini.com Fri Dec 17 17:37:52 2004
From: faron.hopper at capgemini.com (Hopper, Faron W.)
Date: Fri, 17 Dec 2004 12:37:52 -0500
Subject: question about lgform.cgi
Message-ID: <0D9EF3454D8EFC4B8BFFD2B862941681576A8F@caonmastxm03.na.capgemini.com>

John,

Thanks for the patch. I have applied it and it said that the patch was
successful. When I access lgform.cgi, it still doesn't give me any of
the routers out of the group subdir's.

I did notice an error message (in /var/log/http-error.log) that states,

Undefined subroutine &main::strftime called at /usr/local/www/cgi-bin/lgform.cgi line 67.

It was occurring before the patch, so I don't think that has anything to
do with it, though.

In your email you mentioned an assumption of --prefix=/usr/local. All I
did was download the Software and extract it. I didn't have to do a
../configure, make, etc--just move it to /usr/local

Just to make sure, I have set LG_ROUTERDB to

$LG_ROUTERDB="/usr/local/var/rancid//router.db";

Is this the correct way to do this after the patch?

Thanks,

Faron Hopper
Capgemini
Network Engineering
Kansas City, MO 64116
816.459.5139

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net] Sent: Friday, December 17, 2004 10:46 AM To: Hopper, Faron W. Cc: Andrew Partan; rancid-discuss at shrubbery.net Subject: Re: question about lgform.cgi Fri, Dec 17, 2004 at 10:53:20AM -0500, Hopper, Faron W.: > > Andrew, > You are right, I see the wisdom of it now. It would help if I were > to look at that file, instead of directly at the cgi script. Thank > you for pointing that out. > > I have another question. If I set the LG_ROUTERDB var to the > following, > > #$LG_ROUTERDB="/usr/local/etc/rancid//router.db"; > $LG_ROUTERDB="/usr/local/var/rancid//router.db"; /usr/local/etc/rancid is an odd directory as far as rancid's autoconf is concerned. Assuming a --prefix of /usr/local, I'd expect that path to be /usr/local/etc/router.db. lg.conf does not provide a way to reconfigure the LOCALSTATEDIR, which is used as the directory which it searches for the list of routers. Its value is determined by autoconf. If LG_ROUTERDB is specified, it's value is treated solely as a file, a router.db file. No reason that could not be treated as a directory when it is one. Try this patch. Index: lg.cgi.in =================================================================== RCS file: /home/rancid/.CVS/rancid/bin/lg.cgi.in,v retrieving revision 1.51 diff -d -u -r1.51 lg.cgi.in --- lg.cgi.in 19 May 2004 22:59:18 -0000 1.51 +++ lg.cgi.in 17 Dec 2004 16:42:08 -0000 
@@ -125,7 +125,13 @@ local(*RTR); if (defined($LG_ROUTERDB)) { - $rtrdb = $LG_ROUTERDB; + # if LG_ROUTERDB is a directory, replace LOCALSTATEDIR with its value + # and search it for router.dbs. + if (-d "$LG_ROUTERDB") { + $LOCALSTATEDIR = $LG_ROUTERDB; + } else { + $rtrdb = $LG_ROUTERDB; + } } else { $rtrdb = "$SYSCONFDIR/router.db"; } Index: lgform.cgi.in =================================================================== RCS file: /home/rancid/.CVS/rancid/bin/lgform.cgi.in,v retrieving revision 1.29 diff -d -u -r1.29 lgform.cgi.in --- lgform.cgi.in 3 Sep 2004 18:41:25 -0000 1.29 +++ lgform.cgi.in 17 Dec 2004 16:42:53 -0000 
@@ -116,7 +116,13 @@ local(*RTR); if (defined($LG_ROUTERDB)) { - $rtrdb = $LG_ROUTERDB; + # if LG_ROUTERDB is a directory, replace LOCALSTATEDIR with its value + # and search it for router.dbs. + if (-d "$LG_ROUTERDB") { + $LOCALSTATEDIR = $LG_ROUTERDB; + } else { + $rtrdb = $LG_ROUTERDB; + } } else { $rtrdb = "$SYSCONFDIR/router.db"; } > I don't see any of my group configured routers. If I change the // to > a group name it works fine, but And, you probably have error messages in your log about the file not existing. > only for that group. For example, > > $LG_ROUTERDB="/usr/local/var/rancid/cg/router.db"; > > works fine. > > The help for that variable states > > # LG_ROUTERDB is the router.db in rancid's router.db format, listing > # the routers and their platform that should be available to > # the looking glass. if defined, the LG will use this variable > # to find the router.db. if not defined, it will look for it > # at //router.db. if it does not exist, it > # will build the list from /*/router.db (i.e.: the > # router.db's from all your groups). note that if you choose > # this last option; the group directories and router.db files' > # modes may have to be changed, depending upon the UID/GID of > # the user your server (httpd) runs under, since rancid's default > # mask is 007 (see etc/rancid.conf). routers not marked 'up' are > # skipped. > # > > This varilable was not defined before started to mess lg.conf, so I > don't think that it is looking in the /usr/local/var/rancid directory > for this information. How do I get it to use 1) a prefix that is > /usr/local/var/rancid, or 2) configure the variable to use the group > subdir's under /usr/local/var/rancid? > > For example, > > /usr/local/var/rancid/group1 > /usr/local/var/rancid/group2 > /usr/local/var/rancid/group3 > /usr/local/var/rancid/group4 > . > . > . > etc > > Thank you in advance for helping a very slow learner. 
> Faron Hopper
> Capgemini
> Network Engineering
> Kansas City, MO 64116
> 816.459.5139
>
>
> -----Original Message-----
> From: Andrew Partan [mailto:asp at partan.com]
> Sent: Thursday, December 16, 2004 5:12 PM
> To: Hopper, Faron W.
> Cc: rancid-discuss at shrubbery.net
> Subject: Re: question about lgform.cgi
>
>
> On Thu, Dec 16, 2004 at 04:32:14PM -0500, Hopper, Faron W. wrote:
> > I have installed rancid on FreeBSD. I also installed the looking
> > glass software. When I bring up the webpage
> > http://server/cgi-bin/lgform.cgi, it loads the front end, but it is
> > not populating the routers on the page. When I looked at the code,
> > it appeared to me that it is supposed to pull its info from the
> > rancid cvs file router.db. Do I have to configure lgform.cgi to
> > know where these files are? It wasn't very clear in the file what
> > needs to be done.
>
> Yes, in lg.conf, set LG_ROUTERDB to the location of router.db. See the comments in etc/lg.conf.sample.
> 	--asp
>

From heas at shrubbery.net Fri Dec 17 17:38:46 2004
From: heas at shrubbery.net (john heasley)
Date: Fri, 17 Dec 2004 09:38:46 -0800
Subject: question about lgform.cgi
In-Reply-To: <0D9EF3454D8EFC4B8BFFD2B862941681576A8F@caonmastxm03.na.capgemini.com>
References: <0D9EF3454D8EFC4B8BFFD2B862941681576A8F@caonmastxm03.na.capgemini.com>
Message-ID: <20041217173846.GM8746@shrubbery.net>

Fri, Dec 17, 2004 at 12:37:52PM -0500, Hopper, Faron W.:
>
> John,
> Thanks for the patch. I have applied it and it said that the patch was successful. When I access lgform.cgi, It still doesn't give me any of routers out of the group subdir's.
>
>
> I did notice an error message (in /var/log/http-error.log) that states,
>
> Undefined subroutine &main::strftime called at /usr/local/www/cgi-bin/lgform.cgi line 67.
>
> It was occurring before the patch, so I don't think that has anything to do with it, though.
>
> In your email you mentioned an assumption of --prefix=/usr/local. All I did was download the Software and extract it. I didn't have to do a ../configure, make, etc--just move it to /usr/local
>
> Just to make sure, I have set LG_ROUTERDB to
>
> $LG_ROUTERDB="/usr/local/var/rancid//router.db";
>
> Is this the correct way to do this after the patch?

make it

$LG_ROUTERDB="/usr/local/var/rancid";

From faron.hopper at capgemini.com Fri Dec 17 19:51:44 2004
From: faron.hopper at capgemini.com (Hopper, Faron W.)
Date: Fri, 17 Dec 2004 14:51:44 -0500
Subject: question about lgform.cgi
Message-ID: <0D9EF3454D8EFC4B8BFFD2B862941681576A91@caonmastxm03.na.capgemini.com>

John,

That change, setting the LG_ROUTERDB var, gives me the same result, a
blank field for routers. When I change LG_ROUTERDB to point to a
particular group directory, that still works....

Any other ideas?

Is there a way to view the script's debugging output to help me pinpoint
what it is looking for?

Thanks

Faron Hopper
Capgemini
Network Engineering
Kansas City, MO 64116
816.459.5139

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Friday, December 17, 2004 11:39 AM
To: Hopper, Faron W.
Cc: john heasley; rancid-discuss at shrubbery.net
Subject: Re: question about lgform.cgi

Fri, Dec 17, 2004 at 12:37:52PM -0500, Hopper, Faron W.:
>
> John,
> Thanks for the patch. I have applied it and it said that the
> patch was successful. When I access lgform.cgi, It still doesn't give
> me any of routers out of the group subdir's.
>
>
> I did notice an error message (in /var/log/http-error.log) that
> states,
>
> Undefined subroutine &main::strftime called at
> /usr/local/www/cgi-bin/lgform.cgi line 67.
>
> It was occurring before the patch, so I don't think that has anything
> to do with it, though.
>
> In your email you mentioned an assumption of --prefix=/usr/local. All
> I did was download the Software and extract it. I didn't have to do a
> ../configure, make, etc--just move it to /usr/local
>
> Just to make sure, I have set LG_ROUTERDB to
>
> $LG_ROUTERDB="/usr/local/var/rancid//router.db";
>
> Is this the correct way to do this after the patch?

make it

$LG_ROUTERDB="/usr/local/var/rancid";

From faron.hopper at capgemini.com Fri Dec 17 21:46:04 2004
From: faron.hopper at capgemini.com (Hopper, Faron W.)
Date: Fri, 17 Dec 2004 16:46:04 -0500
Subject: question about lgform.cgi
Message-ID: <0D9EF3454D8EFC4B8BFFD2B862941681576A93@caonmastxm03.na.capgemini.com>

John,

I have made a discovery. I was not setting the $LG_CACHE_DIR var, thus
taking the default. As soon as I removed the #, and hit the web
interface, voila, up popped all of my routers. Thank you so much! It
must not have been able to create the tmp file due to a permission
problem in the /usr/local/www/data/lg dir....

Thank you again,

Faron Hopper
Capgemini
Network Engineering
Kansas City, MO 64116
816.459.5139

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Friday, December 17, 2004 1:55 PM
To: Hopper, Faron W.
Subject: Re: question about lgform.cgi

Fri, Dec 17, 2004 at 02:51:44PM -0500, Hopper, Faron W.:
>
> John,
> That change, setting the LG_ROUTERDB var, gives me the same
> result, a blank field for routers. When I change LG_ROUTERDB to point
> to a particular group directory, that still works....
>
>
> Any other ideas?

the log is in the cache dir. see LG_CACHE_DIR config variable.

> Is there a way to view the script's debugging output to help me
> pinpoint what it is looking for?

> > Undefined subroutine &main::strftime called at
> > /usr/local/www/cgi-bin/lgform.cgi line 67.

you need to run h2ph.

From cstave at gmail.com Fri Dec 17 22:23:24 2004
From: cstave at gmail.com (Chris Stave)
Date: Fri, 17 Dec 2004 17:23:24 -0500
Subject: Support for clusters
Message-ID: <5471c93d0412171423223907c1@mail.gmail.com>

I recently got rancid set up and running, and after a few hurdles it
seems to generally be working fine.

Issues I'm experiencing/have experienced/lessons learned/things I've
noticed:

**clogin is great for adding commands to every switch. Our network has
the switches set up between 10.0.0.1 and 10.0.0.80, so a script with a
simple loop (10.0.0.i for 1 to 80) and reference to a command list
textfile makes it easy to apply commands globally, such as changing from
uptime to datetime for logging, or for issuing a show interface and then
writing the results to a file that can then be examined (for a port
description, to check if a VLAN is in use, or other uses)

**we are logging messages locally, so the flash directory was always
changing... so I changed rancid to skip the flash directory (by
uncommenting the code to return(1) if $type matched the things it was
supposed to skip and put in 35 so it would skip the 3500s and 3550s that
it was having problems with

**one thing I noticed while running a show interface on all of the
switches was that there was no way to do anything with cluster members
-- sending an "rcommand 1" does not wait for the new prompt to come up,
does anyone know of a way to use clogin while addressing cluster
members, or indeed to add support for rancid's hourly run? my initial
thought on this would be to add another piece of information to the
router.db signifying how many cluster members there are and then running
through the rancid script once for each one

Overall, Rancid has shown itself to be very nice, and being able to send
commands to all the switches automatically is a big bonus!

Chris Stave
Computing and Network Services
Drew University

From heas at shrubbery.net Fri Dec 17 23:41:21 2004
From: heas at shrubbery.net (john heasley)
Date: Fri, 17 Dec 2004 15:41:21 -0800
Subject: Support for clusters
In-Reply-To: <5471c93d0412171423223907c1@mail.gmail.com>
References: <5471c93d0412171423223907c1@mail.gmail.com>
Message-ID: <20041217234121.GV8746@shrubbery.net>

Fri, Dec 17, 2004 at 05:23:24PM -0500, Chris Stave:
> **one thing I noticed while running a show interface on all of the
> switches was that there was no way to do anything with cluster members
> -- sending an "rcommand 1" does not wait for the new prompt to come
> up, does anyone know of a way to use clogin while addressing cluster
> members, or indeed to add support for rancid's hourly run? my initial
> thought on this would be to add another piece of information to the
> router.db signifying how many cluster members there are and then
> running through the rancid script once for each one

i am not familiar with clusters. if you wanted that stuff in the rancid
collection, support would have to be added to both rancid and clogin.
i'd lean toward clogin and just adding a second (third, etc) router.db
entry for cluster members....but, i don't know what the interface looks
like. you'd have to provide examples.

From justin at grote.name Fri Dec 17 23:55:50 2004
From: justin at grote.name (Justin Grote)
Date: Fri, 17 Dec 2004 16:55:50 -0700
Subject: Support for clusters
Message-ID: <315220020.20041217165550@grote.name>

>>Overall, Rancid has shown itself to be very nice, and being able to
>>send commands to all the switches automatically is a big bonus!

Glad you like it. I'm not part of the dev team but it's great to hear
others finding use out of it :)

In regards to clusters (I assume the Catalyst kind), this is something I
have considered looking into but it was never high on my priority list.
I'll give it a shot and let you know what I come up with

I have a subversion patch floating around that lets Rancid use
Subversion as a backend instead of CVS, which is useful if you want to
have multiple rancid agents at different sites that commit to a
centralized repository, want to move/rename a switch and preserve its
history, etc.

_______________
Justin Grote

From jmccarty at scoe.org Tue Dec 21 01:53:39 2004
From: jmccarty at scoe.org (Joe McCarty)
Date: Mon, 20 Dec 2004 17:53:39 -0800
Subject: No subject
Message-ID:

I have installed RANCID on a Fedora Core 2 box. RANCID can log into my
devices, get the configs, increment versions, and email diffs.

CVSWeb, however, reports while trying to load the
/home/rancid/var/rancid/CVS repository, "Error: No valid CVS roots
found!." log/httpd/error_log states, "Root '/home/rancid/var/rancid/CVS'
defined in @CVSrepositories is not a directory."

I tried "cvs status -d /home/rancid/var/rancid/CVS group/device_name,"
and I'm informed that the device isn't defined.

The CVS directories have been set up by rancid-cvs exclusively, per FAQ
and INSTALL instructions.

Ideas appreciated.

Notice to Recipient:
Information contained in this message may be privileged, confidential and
protected from disclosure. If you are not an intended recipient, it is
strictly prohibited to use, disseminate or copy this communication. If you
have received this in error, please reply to the sender and then delete the
message.
Thank you.

From heas at shrubbery.net Tue Dec 21 06:44:25 2004
From: heas at shrubbery.net (john heasley)
Date: Mon, 20 Dec 2004 22:44:25 -0800
Subject: your mail
In-Reply-To:
References:
Message-ID: <20041221064425.GG7200@shrubbery.net>

Mon, Dec 20, 2004 at 05:53:39PM -0800, Joe McCarty:
> I have installed RANCID on a Fedora Core 2 box. RANCID can log into my
> devices, get the configs, increment versions, and email diffs.

if it emails diffs, then cvs is fine.

> CVSWeb, however, reports while trying to load the
> /home/rancid/var/rancid/CVS repository, "Error: No valid CVS roots
> found!." log/httpd/error_log states, "Root '/home/rancid/var/rancid/CVS'
> defined in @CVSrepositories is not a directory."
>
> I tried "cvs status -d /home/rancid/var/rancid/CVS group/device_name," and
> I'm informed that the device isn't defined.
>
> The CVS directories have been set up by rancid-cvs exclusively, per FAQ
> and INSTALL instructions.
>
> Ideas appreciated.

WAG, your httpd can't read some part of the path, likely due to permissions
but could be related to chroot(2).

From cstave at gmail.com Tue Dec 21 15:28:14 2004
From: cstave at gmail.com (Chris Stave)
Date: Tue, 21 Dec 2004 10:28:14 -0500
Subject: your mail
In-Reply-To:
References:
Message-ID: <5471c93d0412210728440878e3@mail.gmail.com>

I'm not sure if you've got the same directory structure as I do, but
I'd agree with the last respondent and say that you should check your
directory structure. I know my setup is at /home/rancid/var/CVS
(rather than /home/rancid/var/rancid/cvs) ... so check out what's
around and look for cvs directories.

Chris

On Mon, 20 Dec 2004 17:53:39 -0800, Joe McCarty wrote:
> I have installed RANCID on a Fedora Core 2 box. RANCID can log into my
> devices, get the configs, increment versions, and email diffs.
>
> CVSWeb, however, reports while trying to load the
> /home/rancid/var/rancid/CVS repository, "Error: No valid CVS roots
> found!." log/httpd/error_log states, "Root '/home/rancid/var/rancid/CVS'
> defined in @CVSrepositories is not a directory."
>
> I tried "cvs status -d /home/rancid/var/rancid/CVS group/device_name," and
> I'm informed that the device isn't defined.
>
> The CVS directories have been set up by rancid-cvs exclusively, per FAQ
> and INSTALL instructions.
>
> Ideas appreciated.

From dpz at berkeley.edu Thu Dec 23 22:48:59 2004
From: dpz at berkeley.edu (David Paul Zimmerman)
Date: Thu, 23 Dec 2004 14:48:59 -0800
Subject: Looking for field experience with platform choice
Message-ID:

Hi, all. New rancid maintainer here. I've been told to go spec a
platform to migrate our rancid installation to, and the choices I've
come to are the Sun Fire V210 w/Solaris 9 and the Dell 2650 w/FreeBSD
5.3. Is there any common wisdom on which of the two would be a happier
home for rancid and its various dependencies?

dp

From heas at shrubbery.net Thu Dec 23 22:57:07 2004
From: heas at shrubbery.net (john heasley)
Date: Thu, 23 Dec 2004 14:57:07 -0800
Subject: Looking for field experience with platform choice
In-Reply-To:
References:
Message-ID: <20041223225707.GY25029@shrubbery.net>

Thu, Dec 23, 2004 at 02:48:59PM -0800, David Paul Zimmerman:
> Hi, all. New rancid maintainer here. I've been told to go spec a
> platform to migrate our rancid installation to, and the choices I've
> come to are the Sun Fire V210 w/Solaris 9 and the Dell 2650 w/FreeBSD
> 5.3. Is there any common wisdom on which of the two would be a happier
> home for rancid and its various dependencies?
>
> dp

no M$. otherwise, smoke whatever you want. free memory is useful for those
fat perl/expect processes.

my cvs repository is ~300m at the moment; that's roughly 700 devices over ~3
years w/ sporadic polling (avg 1/week).

From dpz at berkeley.edu Thu Dec 23 23:50:53 2004
From: dpz at berkeley.edu (David Paul Zimmerman)
Date: Thu, 23 Dec 2004 15:50:53 -0800
Subject: Looking for field experience with platform choice
In-Reply-To: <20041223225707.GY25029@shrubbery.net>
References: <20041223225707.GY25029@shrubbery.net>
Message-ID: <7B7A80F6-553D-11D9-B9CD-000D93CA194C@berkeley.edu>

Thanks for the thoughts; I had no intention of smoking anything from
Redmond :-) I'm going for a 1GB unit, whichever one I end up with. I
presume that'll be fine, if not terribly extravagant these days. On the
storage side, since I'm inheriting an existing installation, that should
be pretty easy to determine.

dp

On Dec 23, 2004, at 2:57 PM, john heasley wrote:

> Thu, Dec 23, 2004 at 02:48:59PM -0800, David Paul Zimmerman:
>> Hi, all. New rancid maintainer here. I've been told to go spec a
>> platform to migrate our rancid installation to, and the choices I've
>> come to are the Sun Fire V210 w/Solaris 9 and the Dell 2650 w/FreeBSD
>> 5.3. Is there any common wisdom on which of the two would be a happier
>> home for rancid and its various dependencies?
>>
>> dp
>
> no M$. otherwise, smoke whatever you want. free memory is useful for
> those fat perl/expect processes.
>
> my cvs repository is ~300m at the moment; thats roughly 700 devices
> over ~3 years w/ sporadic polling (avg 1/week).

From faron.hopper at capgemini.com Tue Dec 28 17:19:19 2004
From: faron.hopper at capgemini.com (Hopper, Faron W.)
Date: Tue, 28 Dec 2004 12:19:19 -0500
Subject: Does RANCID handle Cisco PIX devices?
Message-ID: <0D9EF3454D8EFC4B8BFFD2B86294168160EE59@caonmastxm03.na.capgemini.com>

Hello all,

I am still exploring RANCID's capabilities. Does it have the ability to
back up Cisco PIX configs? I have added one of our PIX's names to the
router.db file and set the type to

pixhq:cat5:up
pixhq2:cat5:up

thinking that it would be closer to the catOS command line. This is not
successful. I am using TACACS+ on the PIX, and here is an example of what
I get if I manually ssh into it.

$ ssh -l net\-cfg\-bak 10.1.1.1
net-cfg-bak at 10.1.1.1's password:
Type help or '?' for a list of available commands.
PIXHQ>
PIXHQ> en
Password: ********
PIXHQ#

In my dead.letter file this is the message I get for the 2 PIXes configured:

From: Network Config Backup
Message-Id: <200412282250.iBSMoOnX027862 at netdisco.capgemini.com>
To: rancid-fi
Subject: config fetcher problems - fi
Precedence: bulk

The following routers have not been successfully contacted for more than 4 hours.
-rw-r----- 1 net-cfg-bak wheel 0 Dec 13 16:23 pixhq
-rw-r----- 1 net-cfg-bak wheel 0 Dec 13 16:23 pixhq2

If I use the clogin program, I can get the level 1 login prompt, but it is
not executing my show version. This makes me think that it is waiting on
some type of prompt character that is not defined (just guessing).

$ /usr/local/libexec/rancid/clogin -c "show version" -f /home/net-cfg-bak/.cloginrc 10.1.1.1
10.1.1.1
spawn telnet 10.1.1.1
Trying 10.1.1.1...
telnet: connect to address 10.1.1.1: Connection refused
telnet: Unable to connect to remote host
spawn ssh -c 3des -x -l net-cfg-bak 10.1.1.1
net-cfg-bak at 10.1.1.1's password:
Type help or '?' for a list of available commands.
PIXHQ>
PIXHQ>
Error: TIMEOUT reached

My .cloginrc file is as follows:

add method * {telnet} {ssh}
add autoenable * {1}
add enauser * {net\-cfg\-bak}
add user * {net-cfg-bak}
add password * {pass}
# set ssh encryption type, dflt: 3des
add cyphertype * {3des}

My goal is to back up my PIX configs, does anyone have any ideas? Can
RANCID do it?

Thanks,

Faron Hopper
Capgemini
Network Engineering
3315 North Oak Trafficway
Kansas City, MO 64116
816.459.5139

From jejs+rancid at sahala.org Tue Dec 28 17:34:35 2004
From: jejs+rancid at sahala.org (joshua sahala)
Date: Tue, 28 Dec 2004 12:34:35 -0500
Subject: Does RANCID handle Cisco PIX devices?
In-Reply-To: <0D9EF3454D8EFC4B8BFFD2B86294168160EE59@caonmastxm03.na.capgemini.com>
References: <0D9EF3454D8EFC4B8BFFD2B86294168160EE59@caonmastxm03.na.capgemini.com>
Message-ID: <20041228173435.GB9193@aurvandil.sahala.org>

On (28/12/04 12:19), Hopper, Faron W. wrote:
>
> Hello all, I am still exploring RANCID's capabilities. Does it have
> the ability to back up Cisco PIX configs? I have added one of our
> PIX's names to the router.db file and set the type to
>
> pixhq:cat5:up
> pixhq2:cat5:up
>

use cisco...pix runs ios not catos

i've used rancid with various models of pix and they all work fine,
with or without tac+ for aaa.

/joshua
--
What difference does it make to the dead, the orphans, and the
homeless, whether the mad destruction is wrought under the name of
totalitarianism or the holy name of liberty and democracy?
- Mohandas Karamchand (Mahatma) Gandhi -

From faron.hopper at capgemini.com Tue Dec 28 20:13:30 2004
From: faron.hopper at capgemini.com (Hopper, Faron W.)
Date: Tue, 28 Dec 2004 15:13:30 -0500
Subject: Does RANCID handle Cisco PIX devices?
Message-ID: <0D9EF3454D8EFC4B8BFFD2B86294168160EE97@caonmastxm03.na.capgemini.com>

I have tried setting these devices to cisco from cat5. There is no change.
Rancid is not able to log into my PIXes. The PIXes don't have telnet
enabled, but this shouldn't be a big deal for RANCID. Could the problem be
in how I have set up the .cloginrc file?

My .cloginrc file is as follows:

add method * {telnet} {ssh}
add autoenable * {1}
add enauser * {net\-cfg\-bak}
add user * {net-cfg-bak}
add password * {pass}
# set ssh encryption type, dflt: 3des
add cyphertype * {3des}

The other thought that I had is that something might be configured
differently (misconfigured?) on TACACS.

My TACACS+ username is net-cfg-bak

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host 10.2.1.61 key timeout 15
aaa-server TACACS+ (outside) host 10.2.1.62 key timeout 15
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol tacacs+
aaa-server local protocol tacacs+
aaa authentication ssh console TACACS+
aaa authentication telnet console TACACS+
aaa authentication enable console TACACS+

Any thoughts?

Thanks,
Faron

From faron.hopper at capgemini.com Wed Dec 29 21:25:23 2004
From: faron.hopper at capgemini.com (Hopper, Faron W.)
Date: Wed, 29 Dec 2004 16:25:23 -0500
Subject: Does RANCID handle Cisco PIX devices?
Message-ID: <0D9EF3454D8EFC4B8BFFD2B86294168160EFBB@caonmastxm03.na.capgemini.com>

Aaron,

If I remove the autoenable line, I can use clogin to log into the PIX
(see below). However, my rancid-run process now takes forever to complete
(it is taking hours instead of minutes; it used to run about 20
minutes....) This is probably due to my lack of understanding in how to
set up the .cloginrc file ..... anyway, when that rancid-run process
finishes, I do not have any updates in the cvs database. (cvsweb.cgi lists
the rev as 1.1) I have run the rancid-run process 2-3 times since removing
the autoenable and the dead.letter file now has many devices that it can't
contact....more stuff to work on. Anyway, is there any reason why it would
not update the pixhq device? (it is not listed in the dead.letter
file....)?

Thanks,
Faron

$ /usr/local/libexec/rancid/clogin -c "show version" -f .cloginrc pixhq
pixhq
spawn telnet pixhq
Trying 10.1.1.1...
telnet: connect to address 10.1.1.1: Connection refused
telnet: Unable to connect to remote host
spawn ssh -c 3des -x -l net-cfg-bak pixhq
net-cfg-bak at pixhq's password:
Type help or '?' for a list of available commands.
PIXHQ>
PIXHQ> enable
Another session is writing configuration to memory,
please wait a moment for it to finish...
Password: ********
PIXHQ#
PIXHQ# term length 0
Type help or '?' for a list of available commands.
PIXHQ# show version

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 2.1(1)

Compiled on Wed 13-Aug-03 13:55 by morlee

KCSCAFW1 up 87 days 2 hours

Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0005.9bca.350f, irq 10
1: ethernet1: address is 0005.9bca.3511, irq 11
2: ethernet2: address is 00e0.b604.fb6b, irq 11
3: ethernet3: address is 00e0.b604.fb6a, irq 10
4: ethernet4: address is 00e0.b604.fb69, irq 9
5: ethernet5: address is 00e0.b604.fb68, irq 5
6: gb-ethernet0: address is 0003.4725.3a71, irq 5
7: gb-ethernet1: address is 0003.4725.38e5, irq 11
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 8
Maximum Interfaces: 12
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

This PIX has an Unrestricted (UR) license.

Serial Number: 405200333 (0x1826ddcd)
Running Activation Key: 0xa94bffde 0x802610c9 0x25221732 0x585f4871
Configuration last modified by net-cfg-bak at 14:44:44.067 UTC Wed Dec 29 2004
PIXHQ#exit

Logoff

Connection to pixhq closed.

-----Original Message-----
From: Gee-clough, Aaron (NIH/CIT) [mailto:geecla at mail.nih.gov]
Sent: Tuesday, December 28, 2004 3:40 PM
To: Hopper, Faron W.
Subject: RE: Does RANCID handle Cisco PIX devices?

Try it without the autoenable line...you still have to enter enable on
the PIX. (I'm running rancid w/PIXs right now, so it should work.)

Can you clogin to any of the PIXs directly? That's the common test I
use to see if rancid will be okay (and often tells me what error
actually occurs).

Aaron
---------------------
Aaron Gee-Clough
NIH/CIT/DNST/NEB/NSS
Contractor, geek, etc
Never try to teach a pig to sing.
It wastes your time and annoys the pig.

From geecla at mail.nih.gov Wed Dec 29 21:28:39 2004
From: geecla at mail.nih.gov (Gee-clough, Aaron (NIH/CIT))
Date: Wed, 29 Dec 2004 16:28:39 -0500
Subject: Does RANCID handle Cisco PIX devices?
Message-ID: <64BC9A2B18FC5843BA0DE93548F745F335EB9363@nihexchange3.nih.gov>

Does the account you're logging in as have the rights to run all the
commands rancid wants to do on the PIX? I suspect that the rancid run is
taking forever because it's trying to run a whole list of things, and one
of them (write term, perhaps?) is being refused....rancid then hangs, and
the connection only dies when it times out.

Aaron
---------------------
Aaron Gee-Clough
NIH/CIT/DNST/NEB/NSS
Contractor, geek, etc
Never try to teach a pig to sing.
It wastes your time and annoys the pig.

From faron.hopper at capgemini.com Wed Dec 29 21:37:39 2004
From: faron.hopper at capgemini.com (Hopper, Faron W.)
Date: Wed, 29 Dec 2004 16:37:39 -0500
Subject: Does RANCID handle Cisco PIX devices?
Message-ID: <0D9EF3454D8EFC4B8BFFD2B86294168160EFBF@caonmastxm03.na.capgemini.com>

That is a good idea, I will check into it. I thought that the account had
level 15, but I will verify it.

From alitzinger at visto.com Thu Dec 30 22:24:20 2004
From: alitzinger at visto.com (Andy Litzinger)
Date: Thu, 30 Dec 2004 14:24:20 -0800
Subject: Rancid and Netscalers
Message-ID: <6E494551E68B574688EB0D7E9B7169C98D808A@ex2000-c.vistocorp.com>

Hi,

I'm having trouble using the netscaler code for rancid. Has anyone had
any success with it, especially with some of the newer netscaler code?

I have my .cloginrc line set up similar to:

add user netscaler.foo.com nsroot
#note that I only supplied a vty password because netscaler is FreeBSD based and does not use enable
add password netscaler.foo.com password
add method netscaler.foo.com ssh

router.db

netscaler.foo.com:netscaler:up

When I test with nslogin netscaler.foo.com it connects to the netscaler
and logs in (you get the login message and prompt >), but then you can't
enter any commands and eventually the expect script times out and
disconnects. I'm not sure what the expect script is trying to do at this
point. I believe some of the netscaler commands may have changed in recent
versions and I'm not sure when the nslogin/nsrancid scripts were last
tested. FYI I am running NS5.2 Build 50.17.

Anyone have any suggestions?

Thanks!
Andy
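
An added example, not part of any message in this thread and not RANCID's own code: a small checker for the kind of .cloginrc files posted above. It assumes the first-match rule documented in cloginrc(5) (for each directive, the first line whose hostname glob matches the device is used) and approximates Tcl glob matching with Python's fnmatch; the sample file, the host name core-rtr1 and the finding codes are constructed for illustration.

```python
import fnmatch
import re

# Constructed sample, modelled on the .cloginrc lines posted in this thread.
SAMPLE = r"""
# host-specific override placed ABOVE the wildcard, so it is matched first
add autoenable pixhq* {0}
add method * {telnet} {ssh}
add autoenable * {1}
add user * {net-cfg-bak}
add password * {pass}
# placed BELOW "add method *", so it is never reached
add method netscaler.foo.com ssh
"""

# A word is either a {braced group} or a run of non-blank characters.
TOKEN = re.compile(r"\{([^}]*)\}|(\S+)")


def parse_cloginrc(text):
    """Return the 'add <directive> <glob> <value>...' lines in file order."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = [m.group(1) if m.group(1) is not None else m.group(2)
                 for m in TOKEN.finditer(line)]
        if len(words) < 4 or words[0] != "add":
            continue  # 'include' and malformed lines are out of scope here
        entries.append({"line": lineno, "directive": words[1],
                        "glob": words[2], "values": words[3:]})
    return entries


def resolve(entries, host):
    """Effective settings for one device: first matching line per directive."""
    effective = {}
    for e in entries:
        if e["directive"] in effective:
            continue
        # fnmatch is an approximation of the Tcl glob rules clogin applies
        if fnmatch.fnmatchcase(host, e["glob"]):
            effective[e["directive"]] = e["values"]
    return effective


def audit(entries):
    """Flag lines that can never match and methods that allow telnet."""
    findings = []
    earlier = {}  # directive -> [(glob, line)] already seen above
    for e in entries:
        seen = earlier.setdefault(e["directive"], [])
        for glob, line in seen:
            # Only the two cases that are certain: a catch-all or an
            # identical glob higher up always wins.
            if glob == "*" or glob == e["glob"]:
                findings.append((e["line"], "shadowed",
                                 "never used: line %d matches first" % line))
                break
        seen.append((e["glob"], e["line"]))
        if e["directive"] == "method":
            methods = [v.lower() for v in e["values"]]
            if methods and methods[0] == "telnet":
                findings.append((e["line"], "telnet-first",
                                 "password is offered in cleartext before ssh is tried"))
            elif "telnet" in methods:
                findings.append((e["line"], "telnet-fallback",
                                 "cleartext telnet is tried if ssh fails"))
    return findings


if __name__ == "__main__":
    entries = parse_cloginrc(SAMPLE)
    for host in ("pixhq", "core-rtr1", "netscaler.foo.com"):
        print(host, resolve(entries, host))
    for line, code, detail in audit(entries):
        print("line %d: %s (%s)" % (line, code, detail))
```
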