Does RANCID handle Cisco PIX devices?

Gee-clough, Aaron (NIH/CIT) geecla at mail.nih.gov
Wed Dec 29 21:28:39 UTC 2004


Does the account you're logging in as have the rights to run all the
commands rancid wants to do on the PIX?  I suspect that the rancid run is
taking forever because it's trying to run a whole list of things, and one of
them (write term, perhaps?) is being refused....rancid then hangs, and the
connection only dies when it times out.

Aaron
---------------------
Aaron Gee-Clough
NIH/CIT/DNST/NEB/NSS
Contractor, geek, etc
Never try to teach a pig to sing.  It wastes your time and annoys the pig.

> -----Original Message-----
> From: Hopper, Faron W. [mailto:faron.hopper at capgemini.com] 
> Sent: Wednesday, December 29, 2004 4:25 PM
> To: Gee-clough, Aaron (NIH/CIT)
> Cc: rancid-discuss at shrubbery.net
> Subject: RE: Does RANCID handle Cisco PIX devices?
> 
> 
> 
> Aaron,
> 
>     If I remove the autoenable line, I can use clogin to log into the
> PIX (see below).  However, my rancid-run process now takes forever to
> complete (it is taking hours instead of minutes; it used to run about
> 20 minutes....)  This is probably due to my lack of understanding in
> how to set up the .cloginrc file.....anyway, when that rancid-run
> process finishes, I do not have any updates in the cvs database.
> (cvsweb.cgi lists the rev as 1.1)  I have run the rancid-run process
> 2-3 times since removing the autoenable and the dead.letter file now
> has many devices that it can't contact....more stuff to work on.
> Anyway, is there any reason why it would not update the pixhq device?
> (it is not listed in the dead.letter file....)?
> 
> Thanks,
> Faron
> 
> 
> $ /usr/local/libexec/rancid/clogin -c "show version" -f .cloginrc pixhq
> pixhq
> 
> spawn telnet pixhq
> Trying 10.1.1.1...
> telnet: connect to address 10.1.1.1: Connection refused
> telnet: Unable to connect to remote host
> spawn ssh -c 3des -x -l net-cfg-bak pixhq
> net-cfg-bak at pixhq's password:
> Type help or '?' for a list of available commands.
> PIXHQ>
> PIXHQ> enable
> Another session is writing configuration to memory,
> please wait a moment for it to finish...
> Password: ********
> PIXHQ#
> PIXHQ# term length 0
> Type help or '?' for a list of available commands.
> PIXHQ#  show version
> 
> Cisco PIX Firewall Version 6.3(3)
> Cisco PIX Device Manager Version 2.1(1)
> 
> Compiled on Wed 13-Aug-03 13:55 by morlee
> 
> KCSCAFW1 up 87 days 2 hours
> 
> Hardware:   PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
> Flash E28F128J3 @ 0x300, 16MB
> BIOS Flash AM29F400B @ 0xfffd8000, 32KB
> 
> 0: ethernet0: address is 0005.9bca.350f, irq 10
> 1: ethernet1: address is 0005.9bca.3511, irq 11
> 2: ethernet2: address is 00e0.b604.fb6b, irq 11
> 3: ethernet3: address is 00e0.b604.fb6a, irq 10
> 4: ethernet4: address is 00e0.b604.fb69, irq 9
> 5: ethernet5: address is 00e0.b604.fb68, irq 5
> 6: gb-ethernet0: address is 0003.4725.3a71, irq 5
> 7: gb-ethernet1: address is 0003.4725.38e5, irq 11
> Licensed Features:
> Failover:                    Enabled
> VPN-DES:                     Enabled
> VPN-3DES-AES:                Enabled
> Maximum Physical Interfaces: 8
> Maximum Interfaces:          12
> Cut-through Proxy:           Enabled
> Guards:                      Enabled
> URL-filtering:               Enabled
> Inside Hosts:                Unlimited
> Throughput:                  Unlimited
> IKE peers:                   Unlimited
> 
> This PIX has an Unrestricted (UR) license.
> 
> Serial Number: 405200333 (0x1826ddcd)
> Running Activation Key: 0xa94bffde 0x802610c9 0x25221732 0x585f4871
> Configuration last modified by net-cfg-bak at 14:44:44.067 UTC Wed Dec 29 2004
> PIXHQ#exit
> 
> Logoff
> 
> Connection to pixhq closed.
> 
> 
> -----Original Message-----
> From: Gee-clough, Aaron (NIH/CIT) [mailto:geecla at mail.nih.gov]
> Sent: Tuesday, December 28, 2004 3:40 PM
> To: Hopper, Faron W.
> Subject: RE: Does RANCID handle Cisco PIX devices?
> 
> Try it without the autoenable line...you still have to enter enable on
> the PIX.  (I'm running rancid w/PIXs right now, so it should work.)
> 
> Can you clogin to any of the PIXs directly?  That's the common test I
> use to see if rancid will be okay (and often tells me what error
> actually occurs).
> 
> Aaron
> ---------------------
> Aaron Gee-Clough
> NIH/CIT/DNST/NEB/NSS
> Contractor, geek, etc
> Never try to teach a pig to sing.  It wastes your time and annoys the pig.
> 
> > -----Original Message-----
> > From: Hopper, Faron W. [mailto:faron.hopper at capgemini.com]
> > Sent: Tuesday, December 28, 2004 3:14 PM
> > To: joshua sahala
> > Cc: rancid-discuss at shrubbery.net
> > Subject: RE: Does RANCID handle Cisco PIX devices?
> >
> > I have tried setting these devices to cisco from cat5.  There is no
> > change.  Rancid is not able to log into my PIXes.  The PIX's don't have
> > telnet enabled, but this shouldn't be a big deal for RANCID.  Could the
> > problem be in how I have set up the .cloginrc file?
> >
> > my .cloginrc file is as follows
> >
> >     add method              *     {telnet} {ssh}
> >     add autoenable          *     {1}
> >     add enauser             *     {net\-cfg\-bak}
> >     add user                *     {net-cfg-bak}
> >     add password            *     {pass}
> >
> >     # set ssh encryption type, dflt: 3des
> >     add cyphertype *                {3des}
> >
> > The other thought that I had is that something might be configured
> > differently (misconfigured?) on TACACS.
> >
> > My TACACS+ username is net-cfg-bak
> >
> > 	aaa-server TACACS+ protocol tacacs+
> > 	aaa-server TACACS+ (outside) host 10.2.1.61 key timeout 15
> > 	aaa-server TACACS+ (outside) host 10.2.1.62 key timeout 15
> > 	aaa-server RADIUS protocol radius
> > 	aaa-server LOCAL protocol tacacs+
> > 	aaa-server local protocol tacacs+
> > 	aaa authentication ssh console TACACS+
> > 	aaa authentication telnet console TACACS+
> > 	aaa authentication enable console TACACS+
> >
> > Any thoughts?
> >
> > Thanks,
> > Faron
> >
> > -----Original Message-----
> > From: joshua sahala [mailto:jejs+rancid at sahala.org]
> > Sent: Tuesday, December 28, 2004 11:35 AM
> > To: Hopper, Faron W.
> > Cc: rancid-discuss at shrubbery.net
> > Subject: Re: Does RANCID handle Cisco PIX devices?
> >
> > On (28/12/04 12:19), Hopper, Faron  W. wrote:
> > > Hello all,  I am still exploring RANCID's capabilities.  Does it have
> > > the ability to back up Cisco PIX configs?  I have added the one of
> > > our PIX's names to the router.db file and set the type to
> > >
> > >     pixhq:cat5:up
> > >     pixhq2:cat5:up
> > >
> >
> > use cisco...pix runs ios not catos
> >
> > i've used rancid with various models of pix and they all work fine,
> > with or without tac+ for aaa.
> >
> > /joshua
> > --
> > What difference does it make to the dead, the orphans, and the
> > homeless, whether the mad destruction is wrought under the name of
> > totalitarianism or the holy name of liberty and democracy?
> > 	- Mohandas Karamchand (Mahatma) Gandhi -
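Aaron's advice in the thread is to run clogin by hand and look for a command the device refuses, because rancid then sits waiting for a prompt that never comes until the connection times out. The quoted session already shows two things worth catching that way: telnet is tried and refused before ssh succeeds, and the PIX answers `term length 0` with its help hint rather than running it. The checker below is an added example written for this thread, not part of rancid or of anyone's post; it reads a saved clogin transcript and reports which transports were tried and refused, whether the enable prompt was reached, which commands the device answered with its help hint, any "another session is writing configuration" notice, and whether the session closed cleanly. The embedded transcript is constructed from the quoted session (hostnames and addresses are sample values), and the prompt and message patterns are assumptions drawn from that transcript rather than a complete catalogue of PIX output.

```python
"""Check a saved clogin transcript for the things that make rancid hang or skip
a device.  Example added for this thread; not part of rancid."""
import re

# Constructed transcript modelled on the session quoted in the thread; host
# names and addresses are sample values, not live data.
SAMPLE_TRANSCRIPT = """\
spawn telnet pixhq
Trying 10.1.1.1...
telnet: connect to address 10.1.1.1: Connection refused
telnet: Unable to connect to remote host
spawn ssh -c 3des -x -l net-cfg-bak pixhq
net-cfg-bak at pixhq's password:
Type help or '?' for a list of available commands.
PIXHQ>
PIXHQ> enable
Another session is writing configuration to memory,
please wait a moment for it to finish...
Password: ********
PIXHQ#
PIXHQ# term length 0
Type help or '?' for a list of available commands.
PIXHQ#  show version
Cisco PIX Firewall Version 6.3(3)
PIXHQ#exit
Logoff
Connection to pixhq closed.
"""

# A PIX prompt is the hostname plus '>' (user mode) or '#' (enable), optionally
# followed by the command clogin sent on that line.
PROMPT_RE = re.compile(r"^([A-Za-z0-9_.-]+)([>#])\s*(.*)$")
SPAWN_RE = re.compile(r"^spawn (telnet|ssh)\b")
CONNECT_FAIL_RE = re.compile(r"^(telnet|ssh): connect to (address|host)\b")
# The PIX prints this hint after login and in reply to a command it does not
# recognise; only the second case is a problem for rancid.
HELP_HINT = "Type help or '?' for a list of available commands."


def parse_transcript(text):
    """Walk the transcript line by line and collect the facts rancid cares about."""
    report = {"transports_tried": [], "transports_failed": [], "hostname": None,
              "reached_enable": False, "unrecognized_commands": [],
              "notices": [], "clean_logoff": False}
    last_command = None  # command sent on the most recent prompt line, if any
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue  # blank output lines carry no information
        m = SPAWN_RE.match(stripped)
        if m:
            report["transports_tried"].append(m.group(1))
            continue
        if CONNECT_FAIL_RE.match(stripped) and report["transports_tried"]:
            report["transports_failed"].append(report["transports_tried"][-1])
            continue
        m = PROMPT_RE.match(stripped)
        if m and report["hostname"] in (None, m.group(1)):
            report["hostname"] = m.group(1)
            if m.group(2) == "#":
                report["reached_enable"] = True
            last_command = m.group(3).strip() or None
            continue
        # Anything else is device output; judge it against the last command sent.
        if stripped == HELP_HINT and last_command:
            report["unrecognized_commands"].append(last_command)
        elif stripped.startswith("Another session is writing configuration"):
            report["notices"].append(stripped)
        elif stripped.startswith("Connection to") and stripped.endswith("closed."):
            report["clean_logoff"] = True
        last_command = None
    return report


def diagnose(report):
    """Turn the parsed facts into the findings a rancid operator would act on."""
    findings = []
    if report["transports_failed"]:
        findings.append(
            "connection refused on %s; list the working method first in "
            ".cloginrc so rancid does not wait on it every run"
            % ", ".join(report["transports_failed"]))
    if not report["reached_enable"]:
        findings.append("enable prompt (#) never reached; rancid cannot "
                        "collect the configuration without it")
    for cmd in report["unrecognized_commands"]:
        findings.append("device answered '%s' with its help hint instead of "
                        "running it; check that the account may run it" % cmd)
    for notice in report["notices"]:
        findings.append("device notice: " + notice)
    if not report["clean_logoff"]:
        findings.append("session did not end with a clean logoff; rancid may "
                        "have been left waiting for a prompt until the timeout")
    return findings
```

Capture a real session by redirecting clogin's output to a file (for example `clogin -c "show version" pixhq > pixhq.log`) and then call `diagnose(parse_transcript(open("pixhq.log").read()))`. On the constructed transcript it reports the refused telnet attempt, the unrecognised `term length 0`, and the configuration-write notice; a transcript that never reaches the `#` prompt or never prints the closing line gets the corresponding finding instead, which is the case where a rancid-run would sit until its timeout.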


