[rancid] Oddities with Cisco ASA

Jethro R Binks jethro.binks at strath.ac.uk
Wed Jan 16 00:17:30 UTC 2008


Despite reports on the list of people having no problems with Cisco ASAs, 
I am having some problems.  This is with code 7.1(2).  Two problems are 
described here, forgive the length of this.

My main issue at the moment is that rancid (2.3.1) does not check in the 
new config into CVS because it does not believe that a clean run has 
happened.  I have run in debugging mode, and I can see the expected 
content for both "show running-config" and "write term" in the .raw file.

I think my concern is with this line:

    while (/#\s*($cmds_regexp)\s*$/) {

in the main part of the 'rancid' code (line 1625 for rancid.in 1.174) 
which tries to match an executed command after the prompt symbol.  
Unfortunately, for my ASA, in the raw output from clogin, I see the 
following:

...
privilege clear level 3 mode configure command aaa-server
Cryptochecksum:14ed48d4686a8722efaf076dcd4d820c
: end
asa5500-cu#term
: Saved
:
ASA Version 7.1(2)
...

This is the end of "show running-config", and the start of "write term".  
But see that only "term" is at the prompt, the rest has been swallowed 
somewhere; rancid does not find a match for the command, and so it decides 
that this is not a clean run.

Anyone else seen this behaviour?


Here is a related query.  A little further on in 'rancid', there is this 
code:

...
        $rval = &{$commands{$cmd}};
        delete($commands{$cmd});
        if ($rval == -1) {
            $clean_run = 0;
            last TOP;
...

Should that really be 'last'?  I am finding on my ASA that for some of the 
subroutines executed for commands that are not appropriate for this 
platform (many of the "dir" commands, "show env all", and so on) return 
-1, and it bails out at this point and does not process output from later 
commands.

When I change 'last' to 'next', it carries on processing output from 
subsequent commands.  Is the retval of -1 supposed to be a fatal 'cannot 
continue' indicator?  In which case, I have a problem with the frequent 
occurrences of:

        return(-1) if (/command authorization failed/i);

as the ASA seems to say this anyway even for subcommands that it doesn't 
understand (see below for notes on privilege level of the user):

asa5500-cu# show rubbish
                   ^
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed

I may of course be completely misunderstanding what is supposed to be 
happening here, but this is the nearest explanation I have got after 
several evenings of squinting - however I find it odd that no-one else has 
noticed this.


Other information:

FreeBSD 6.1, SMP kernel, expect-5.44.1.4 from lang/expect-devel, I have 
read http://www.freebsd.org/cgi/query-pr.cgi?pr=118452

Cisco Adaptive Security Appliance Software Version 7.1(2)
Device Manager Version 5.1(2)
Hardware:   ASA5550, 3968 MB RAM, CPU Pentium 4 3000 MHz

The user on the ASA is privilege level 7, and I have set the following:

privilege cmd level 7 mode exec command dir
privilege cmd level 7 mode exec command write
privilege cmd level 7 mode exec command terminal
privilege show level 7 mode exec command running-config
privilege show level 7 mode exec command version
privilege show level 7 mode exec command bootvar
privilege show level 7 mode exec command vlan
privilege show level 7 mode exec command module

which seem to be sufficient.  I don't get different results with a user of 
priv level 15, for what it is worth.

Thanks for any comments,

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK
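The two failure modes described in the message above (the prompt regexp not matching "term" on its own, and a -1 from one command's handler ending the whole run with 'last TOP') can be reproduced without a real ASA. The Python below is an added illustration, not rancid's code and not the poster's: it rebuilds the prompt regexp the way rancid's 'rancid' script does from a command list, dispatches each matched command to a stand-in handler that returns -1 on "Command authorization failed", and lets you switch the loop between 'last' and 'next' semantics. The transcript is constructed from the excerpts in the post, and the command list is an assumed subset of what rancid actually issues to an ASA.

```python
import re

# Constructed clogin transcript modelled on the excerpts in the post (not a real
# .raw file): a "dir" the ASA rejects with "Command authorization failed", then
# "show running-config" followed by "write term" of which only "term" survives
# at the prompt, exactly as quoted in the message.
RAW_OUTPUT = """\
asa5500-cu#show version
Cisco Adaptive Security Appliance Software Version 7.1(2)
asa5500-cu#dir /all nvram:
                   ^
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed
asa5500-cu#show running-config
: Saved
:
ASA Version 7.1(2)
privilege clear level 3 mode configure command aaa-server
Cryptochecksum:14ed48d4686a8722efaf076dcd4d820c
: end
asa5500-cu#term
: Saved
:
ASA Version 7.1(2)
: end
asa5500-cu#exit
"""

# Assumed subset of the commands rancid sends to an ASA; the real table is longer.
COMMANDS = ["show version", "dir /all nvram:", "show running-config", "write term"]

# A prompt line: hostname immediately followed by '#'.
PROMPT_RE = re.compile(r"^\S+#")


def command_regexp(commands):
    # Same shape as rancid's  while (/#\s*($cmds_regexp)\s*$/)  test.
    return re.compile(r"#\s*(" + "|".join(re.escape(c) for c in commands) + r")\s*$")


def handler(output):
    """Stand-in for rancid's per-command subroutines: -1 on authorization failure."""
    for line in output:
        if re.search(r"command authorization failed", line, re.I):
            return -1
    return 0


def split_at_prompts(raw):
    """Yield (prompt_line, [output lines]) for every prompt in the transcript."""
    prompt, body = None, []
    for line in raw.splitlines():
        if PROMPT_RE.match(line):
            if prompt is not None:
                yield prompt, body
            prompt, body = line, []
        else:
            body.append(line)
    if prompt is not None:
        yield prompt, body


def scan(raw, commands, on_error="last"):
    """Mimic rancid's TOP loop.  on_error is "last" (as in 2.3.1) or "next".

    Returns (clean_run, commands processed in order, commands never seen)."""
    cmd_re = command_regexp(commands)
    pending = list(commands)
    processed = []
    clean_run = True
    for prompt, body in split_at_prompts(raw):
        m = cmd_re.search(prompt)
        if not m or m.group(1) not in pending:
            continue                      # not one of ours, e.g. "#term" or "#exit"
        cmd = m.group(1)
        pending.remove(cmd)               # delete($commands{$cmd})
        processed.append(cmd)
        if handler(body) == -1:
            clean_run = False
            if on_error == "last":
                break                     # last TOP: nothing after this is read
    if pending:                           # rancid reports these as missed cmd(s)
        clean_run = False
    return clean_run, processed, pending


if __name__ == "__main__":
    for mode in ("last", "next"):
        print(mode, scan(RAW_OUTPUT, COMMANDS, mode))
    print("'#term' matches a command:",
          command_regexp(COMMANDS).search("asa5500-cu#term") is not None)
```

Run as-is it shows that with 'last' the -1 from "dir /all nvram:" leaves both "show running-config" and "write term" unprocessed, that 'next' still leaves "write term" missed because "asa5500-cu#term" never matches the regexp, and that a transcript in which the full "write term" survives at the prompt (and no command returns -1) is the only one the loop calls clean.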
