[rancid] Re: Oddities with Cisco ASA

Lance rancid at gheek.net
Wed Jan 16 01:53:32 UTC 2008


Jethro,

I was running rancid on 7.1(2) at a previous job if I am not mistaken.
Nonetheless I have yet to find any issues with running rancid on the
ASAs. The extra commands can be run and a message is displayed but that
should not stop rancid from continuing.

You might want to check the most recent alpha to see if it includes the
same versions that you have and the same lines. Other than that it
sounds like you have a fix for your issue.

-lance

> -------- Original Message --------
> Subject: [rancid]  Oddities with Cisco ASA
> From: Jethro R Binks <jethro.binks at strath.ac.uk>
> Date: Tue, January 15, 2008 5:17 pm
> To: rancid-discuss at shrubbery.net
> Despite reports on the list of people having no problems with Cisco ASAs, 
> I am having some problems.  This with code 7.1(2).  Two problems are 
> described here, forgive the length of this.
> My main issue at the moment is that rancid (2.3.1), does not check in the 
> new config into CVS because it does not believe that a clean run has 
> happened.  I have run in debugging mode, and I can see the expected 
> content for both "show running-config" and "write term" in the .raw file.
> I think my concern is with this line:
>     while (/#\s*($cmds_regexp)\s*$/) {
> in the main part of the 'rancid' code (line 1625 for rancid.in 1.174) 
> which tries to match an executed command after the prompt symbol.  
> Unfortunately, for my ASA, in the raw output from clogin, I see the 
> following:
> ...
> privilege clear level 3 mode configure command aaa-server
> Cryptochecksum:14ed48d4686a8722efaf076dcd4d820c
> : end
> asa5500-cu#term
> : Saved
> :
> ASA Version 7.1(2)
> ...
> This is the end of "show running-config", and the start of "write term".  
> But see that only "term" is at the prompt, the rest has been swallowed 
> somewhere; rancid does not find a match for the command, and so it decides 
> that this is not a clean run.
> Anyone else seen this behaviour?
> Here is a related query.  A little further on in 'rancid', there is this 
> code:
> ...
>         $rval = &{$commands{$cmd}};
>         delete($commands{$cmd});
>         if ($rval == -1) {
>             $clean_run = 0;
>             last TOP;
> ...
> Should that really be 'last'?  I am finding on my ASA that for some of the 
> subroutines executed for commands that are not appropriate for this 
> platform (many of the "dir" commands, "show env all", and so on) return 
> -1, and it bails out at this point and does not process output from later 
> commands.
> When I change 'last' to 'next', it carries on processing output from 
> subsequent commands.  Is the retval of -1 supposed to be a fatal 'cannot 
> continue' indicator?  In which case, I have a problem with the frequent 
> occurrences of:
>         return(-1) if (/command authorization failed/i);
> as the ASA seems to say this anyway even for subcommands that it doesn't 
> understand (see below for notes on privilege level of the user):
> asa5500-cu# show rubbish
>                    ^
> ERROR: % Invalid input detected at '^' marker.
> ERROR: Command authorization failed
> I may of course be completely misunderstanding what is supposed to be 
> happening here, but this is the nearest explanation I have got after 
> several evenings of squinting - however I find it odd that no-one else has 
> noticed this.
> Other information:
> FreeBSD 6.1, SMP kernel, expect-5.44.1.4 from lang/expect-devel, I have 
> read http://www.freebsd.org/cgi/query-pr.cgi?pr=118452
> Cisco Adaptive Security Appliance Software Version 7.1(2)
> Device Manager Version 5.1(2)
> Hardware:   ASA5550, 3968 MB RAM, CPU Pentium 4 3000 MHz
> The user on the ASA is privilege level 7, and I have set the following:
> privilege cmd level 7 mode exec command dir
> privilege cmd level 7 mode exec command write
> privilege cmd level 7 mode exec command terminal
> privilege show level 7 mode exec command running-config
> privilege show level 7 mode exec command version
> privilege show level 7 mode exec command bootvar
> privilege show level 7 mode exec command vlan
> privilege show level 7 mode exec command module
> which seem to be sufficient.  I don't get different results with a user of 
> priv level 15, for what it is worth.
> Thanks for any comments,
> Jethro.
> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
> Jethro R Binks
> Computing Officer, IT Services
> University Of Strathclyde, Glasgow, UK
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
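The two mechanisms the original post asks about, the prompt-and-command regex that decides whether each expected command was seen, and the `-1` return from a command handler that sets `$clean_run = 0` and then either aborts (`last TOP`) or moves on (`next`), can be exercised side by side on a small reconstruction of the collector loop. The block below is an added example written for this page in Python rather than rancid's Perl; it is not rancid's code. `SAMPLE_RAW`, `COMMANDS`, `PROMPT_RE`, `handle_output`, `match_command` and `collect` are all constructed here, and the session text is a constructed sample modelled on the fragments quoted above (including the truncated `asa5500-cu#term` echo and the `Command authorization failed` response). The "tolerate truncation" option, which also accepts an echo that is a trailing word of a known command, is a hypothetical workaround shown for illustration, not a rancid feature.

```python
import re

# Constructed clogin-style session, modelled on the fragments quoted in the
# thread. The device echoed only "term" where "write term" was sent, and
# answered an unsupported command with "Command authorization failed".
SAMPLE_RAW = """\
asa5500-cu#show running-config
: Saved
privilege clear level 3 mode configure command aaa-server
: end
asa5500-cu#term
: Saved
ASA Version 7.1(2)
: end
asa5500-cu#show rubbish
                   ^
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed
asa5500-cu#show version
Cisco Adaptive Security Appliance Software Version 7.1(2)
asa5500-cu#exit
"""

# Commands the collector sent, in order. "show rubbish" stands in for a
# command that is not appropriate for the platform.
COMMANDS = ["show running-config", "write term", "show rubbish", "show version"]

# A prompt line: hostname, '#', then whatever the device echoed back.
PROMPT_RE = re.compile(r"^\S+#\s*(.*?)\s*$")


def handle_output(lines):
    """Per-command handler following the rancid convention from the thread:
    return -1 when the device reports 'command authorization failed'."""
    for line in lines:
        if re.search(r"command authorization failed", line, re.I):
            return -1
    return 0


def match_command(echo, commands, tolerate_truncation):
    """Map an echoed command to one of the expected commands.

    Strict mode is an exact match, as in rancid's regex. Tolerant mode
    (hypothetical workaround) also accepts an echo that is the trailing
    word of a known command, e.g. 'term' for 'write term'."""
    if echo in commands:
        return echo
    if tolerate_truncation:
        for cmd in commands:
            if cmd.endswith(" " + echo):
                return cmd
    return None


def collect(raw, commands, tolerate_truncation=False, abort_on_error=True):
    """Walk the raw session and dispatch each command's output to the handler.

    abort_on_error=True mirrors 'last TOP'; False mirrors the 'next' change.
    In both cases a -1 marks the run unclean, exactly as the quoted code does,
    so changing 'last' to 'next' alone does not make the config check in."""
    pending = list(commands)
    processed, unmatched = [], []
    clean_run = True
    lines = raw.splitlines()
    i = 0
    while i < len(lines):
        m = PROMPT_RE.search(lines[i])
        if not m:
            i += 1
            continue
        echo = m.group(1)
        # Everything up to the next prompt line is this command's output.
        j = i + 1
        while j < len(lines) and not PROMPT_RE.search(lines[j]):
            j += 1
        body = lines[i + 1:j]
        i = j
        if echo == "exit":
            break
        cmd = match_command(echo, pending, tolerate_truncation)
        if cmd is None:
            unmatched.append(echo)  # rancid would not count this command as seen
            continue
        pending.remove(cmd)
        if handle_output(body) == -1:
            clean_run = False
            processed.append((cmd, "failed"))
            if abort_on_error:
                break
            continue
        processed.append((cmd, "ok"))
    if pending:  # an expected command never showed up: not a clean run
        clean_run = False
    return {"clean_run": clean_run, "processed": processed,
            "pending": pending, "unmatched": unmatched}


if __name__ == "__main__":
    print("strict / abort:   ", collect(SAMPLE_RAW, COMMANDS))
    print("tolerant / continue:", collect(SAMPLE_RAW, COMMANDS,
                                        tolerate_truncation=True,
                                        abort_on_error=False))
```

Run as-is, the strict pass reports `term` as unmatched, leaves `write term` pending, and stops at the first `-1`, so nothing after `show rubbish` is parsed; the tolerant pass recovers `write term` and parses `show version`, but the run is still flagged unclean because the handler returned `-1` once. That separates the two questions in the thread: the swallowed echo is a matching problem, while the `-1` on unsupported commands is a policy decision about whether such a failure should veto the whole run.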
