[rancid] Panrancid with PAN 6.0

Hughes, Doug Douglas.Hughes at DEShawResearch.com
Wed Jun 18 17:14:38 UTC 2014


EatCommand just takes care of registering and aligning for the next command since that command doesn’t produce any output, but you still need to do something with what echoes back to expect.

Your below panlogin to firewallv5 worked perfectly.
You can see it repeating each word and building until cli scripting-mode is on, and then everything after that works ok.

Yet it didn’t work for firewallv6. This seems like a bug. I’d open a case with support.paloaltonetworks.com to see what’s going on. Something weird is causing the cli scripting-mode on to fail.


From: Chip Pleasants [mailto:wpleasants at gmail.com]
Sent: Wednesday, June 18, 2014 12:12 PM
To: Hughes, Doug
Cc: rancid-discuss at shrubbery.net
Subject: Re: [rancid] Panrancid with PAN 6.0

I think I see what you are talking about now.  Here are the two examples.  One from a version 6 and one from a  version 5.  Now the odd part is when I perform this test manually turning on  'set cli scripting-mode on' it doesn't auto-complete on versions 6.0.2 or 5.0.11.  Would there be a difference with the EatCommand portion of the script?  Thanks for taking the time to work with me Doug.


[rancid at cmh1vlobs01 rancid]$ /usr/libexec/rancid/panrancid -d FIREWALLV5.domain.com
executing panlogin -t 90 -c"set cli scripting-mode on;set cli pager off;show system info;show config running" FIREWALLV5.domain.com
line: FIREWALLV5.domain.com
line: rancid at FIREWALLV5(active)>
line: rancid at FIREWALLV5(active)> set rancid at FIREWALLV5(active)> set cli rancid at FIREWALLV5(active)> set cli scripting-mode rancid at FIREWALLV5(active)> set cli scripting-mode on
PROMPT MATCH: rancid at FIREWALLV5\(active\)[#>]
HIT COMMAND:rancid at FIREWALLV5(active)> set rancid at FIREWALLV5(active)> set cli rancid at FIREWALLV5(active)> set cli scripting-mode rancid at FIREWALLV5(active)> set cli scripting-mode on

COMMAND is: set cli scripting-mode on|EatCommand
HIT COMMAND:rancid at FIREWALLV5(active)> set cli pager off

COMMAND is: set cli pager off|EatCommand
HIT COMMAND:rancid at FIREWALLV5(active)> show system info

COMMAND is: show system info|ShowInfo
    In ShowInfo:: rancid at FIREWALLV5(active)> show system info
HIT COMMAND:rancid at FIREWALLV5(active)> show config running

COMMAND is: show config running|ShowConfig
    In ShowConfig: rancid at FIREWALLV5(active)> show config running
line:
exiting
[rancid at cmh1vlobs01 rancid]$



[rancid at cmh1vlobs01 rancid]$ /usr/libexec/rancid/panrancid -d FIREWALLV6.domain.com
executing panlogin -t 90 -c"set cli scripting-mode on;set cli pager off;show system info;show config running" FIREWALLV6.domain.com
line: FIREWALLV6.domain.com
line: rancid at FIREWALLV6(active)>
line: rancid at FIREWALLV6(active)> set rancid at FIREWALLV6(active)> set cli rancid at FIREWALLV6(active)> set cli scripting-mode rancid at FIREWALLV6(active)> set cli scripting-mode on
PROMPT MATCH: rancid at FIREWALLV6\(active\)[#>]
HIT COMMAND:rancid at FIREWALLV6(active)> set rancid at FIREWALLV6(active)> set cli rancid at FIREWALLV6(active)> set cli scripting-mode rancid at FIREWALLV6(active)> set cli scripting-mode on

COMMAND is: set cli scripting-mode on|EatCommand
HIT COMMAND:rancid at FIREWALLV6(active)> set rancid at FIREWALLV6(active)> set cli rancid at FIREWALLV6(active)> set cli pager rancid at FIREWALLV6(active)> set cli pager off

COMMAND is: set cli pager off|EatCommand
HIT COMMAND:rancid at FIREWALLV6(active)> show rancid at FIREWALLV6(active)> show system rancid at FIREWALLV6(active)> show system info

COMMAND is: show system info|ShowInfo
    In ShowInfo:: rancid at FIREWALLV6(active)> show rancid at FIREWALLV6(active)> show system rancid at FIREWALLV6(active)> show system info
FIREWALLV6.domain.com: missed cmd(s): show config running
FIREWALLV6.domain.com: missed cmd(s): show config running
FIREWALLV6.domain.com: End of run not found
FIREWALLV6.domain.com: End of run not found
#
[rancid at cmh1vlobs01 rancid]$ !



 -Chip


On Wed, Jun 18, 2014 at 11:35 AM, Hughes, Doug <Douglas.Hughes at deshawresearch.com> wrote:
It doesn’t look like it is from your very first debugging output:
COMMAND is: show system info|ShowInfo
    In ShowInfo:: rancid at FIREWALL(active)> show rancid at FIREWALL(active)> show system rancid at FIREWALL(active)> show system info

if scripting-mode was on, we wouldn’t see the stuff in red. (html mode on to read). The fact that the extra prompts show up indicates that it is intercepting the spaces and attempting to do ‘helpful command completion’.



From: Chip Pleasants [mailto:wpleasants at gmail.com]
Sent: Wednesday, June 18, 2014 8:52 AM
To: Hughes, Doug
Cc: rancid-discuss at shrubbery.net
Subject: Re: [rancid] Panrancid with PAN 6.0

It doesn't appear to be a bug, because I think it's operating as you describe. When I turn on 'set cli scripting-mode on' it doesn't autocomplete on versions 6.0.2 or 5.0.11. Any other thoughts on what could be going on?

Thanks,
Chip




On Tue, Jun 17, 2014 at 3:34 PM, Hughes, Doug <Douglas.Hughes at deshawresearch.com> wrote:
Hrm. Yes, I had it correct the first time. (oof, busy day)

‘on’ is needed to prevent this ‘feature’:
line: rancid at FIREWALL(active)> set rancid at FIREWALL(active)> set cli rancid at FIREWALL(active)> set cli pager rancid at FIREWALL(active)> set cli pager off
After each space, it does essentially a rewrite of the line as it tried to ‘auto-correct’ you from typing the wrong thing. This gets in the way of parsing with expect quite heavily, so I attempt to disable it as soon as possible. If set cli scripting-mode on does not cause this to stop (and it looks like it doesn’t), then that appears to be a bug. You can also see this by using type script:

Here’s how it looks at the command line:
Drdgpfs0002:/tmp$ script
drdgpfs0002:/tmp$ ssh -l admin paloalto.en
admin at paloalto.en's password:
Last login: Tue Jun 17 15:05:06 2014 from drdbcntl.en.desres.deshaw.com
Welcome admin.
admin at paloalto.en> set cli scripting-mode on
admin at paloalto.en> set cli ? <ENTER here>

Invalid syntax.
admin at paloalto.en> exit


Here's how it looks in the corresponding typescript file:
i Script started on Tue 17 Jun 2014 03:25:13 PM EDT
drdgpfs0002:/tmp$ ssh -l admin paloalto
admin at paloalto.en's password: ^M
Last login: Tue Jun 17 15:05:06 2014 from drdbcntl.en.desres.deshaw.com^M^M
Welcome admin.^M
admin at paloalto.en> set ^M^[[Kadmin at paloalto.en> set cli ^M^[[Kadmin at paloalto.en> set cli scripting-mode ^M^[[Kadmin at paloalto.en> set cli scripting-mode on^M
admin at paloalto.en> set cli ?^M
^M
Invalid syntax.^M
admin at paloalto.en> exit^M
Connection to paloalto.en closed.^M^M
drdgpfs0002:/tmp$ exit^M^M
exit^M

Script done on Tue 17 Jun 2014 03:25:34 PM EDT

If 'set cli scripting-mode on' doesn't disable the 'space' feature, then the rest of the expect is very iffy at best and difficult to manage

Here's another way to confirm the behavior

Type config <space>

If it autocompletes to 'configure', then cli scripting-mode is not on and results *will* vary.
Disabling the pager is also important since it disables the --more-- when show config is running.

I am running 6.0.2 but no HA on PA-3020 and PA-2050
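
The redraw behaviour described in the message above can be checked mechanically. The following is an added example, not part of the original thread and not panrancid's own code: it replays the `^M^[[K` (carriage return plus erase-to-end-of-line) sequences from a typescript capture and flags commands in `panrancid -d` output whose echo still repeats the prompt after scripting-mode was requested. The function names and the sample data (with `@` restored in the prompts) are assumptions constructed from the captures in the thread.

```python
ERASE_TO_EOL = "\x1b[K"  # printed as ^[[K in the typescript; ^M is "\r"

def render_line(raw):
    """Replay CR and erase-to-end-of-line like a terminal; return the visible text."""
    buf, col, i = [], 0, 0
    while i < len(raw):
        if raw.startswith(ERASE_TO_EOL, i):
            del buf[col:]                 # wipe from cursor to end of line
            i += len(ERASE_TO_EOL)
            continue
        ch, i = raw[i], i + 1
        if ch == "\r":
            col = 0                       # cursor back to column 0
        else:
            buf[col:col + 1] = [ch]       # overwrite in place, or append at the end
            col += 1
    return "".join(buf)

def count_redraws(raw):
    """Number of times the CLI rewrote the line (CR followed by erase-to-EOL)."""
    return raw.count("\r" + ERASE_TO_EOL)

def staggered_commands(debug_lines, prompt):
    """Commands whose echo still repeats the prompt after scripting-mode was requested."""
    echoes = [l.split(":", 1)[1] for l in debug_lines if l.startswith("HIT COMMAND:")]
    # echoes[0] is 'set cli scripting-mode on' itself, typed before the mode can apply.
    return [e.rsplit(prompt, 1)[1].strip() for e in echoes[1:] if e.count(prompt) > 1]

# Constructed samples modelled on the captures quoted in the thread.
TYPESCRIPT_LINE = ("admin@paloalto.en> set \r\x1b[Kadmin@paloalto.en> set cli "
                   "\r\x1b[Kadmin@paloalto.en> set cli scripting-mode "
                   "\r\x1b[Kadmin@paloalto.en> set cli scripting-mode on\r")
P5, P6 = "rancid@FIREWALLV5(active)>", "rancid@FIREWALLV6(active)>"
V5_DEBUG = [
    f"HIT COMMAND:{P5} set {P5} set cli {P5} set cli scripting-mode {P5} set cli scripting-mode on",
    f"HIT COMMAND:{P5} set cli pager off",
    f"HIT COMMAND:{P5} show system info",
    f"HIT COMMAND:{P5} show config running",
]
V6_DEBUG = [
    f"HIT COMMAND:{P6} set {P6} set cli {P6} set cli scripting-mode {P6} set cli scripting-mode on",
    f"HIT COMMAND:{P6} set {P6} set cli {P6} set cli pager {P6} set cli pager off",
    f"HIT COMMAND:{P6} show {P6} show system {P6} show system info",
]

if __name__ == "__main__":
    print(repr(render_line(TYPESCRIPT_LINE)), count_redraws(TYPESCRIPT_LINE))
    print("v5:", staggered_commands(V5_DEBUG, P5))
    print("v6:", staggered_commands(V6_DEBUG, P6))
```

An empty list from `staggered_commands` matches the working version 5 capture; any entries mean the device kept rewriting the line after `set cli scripting-mode on`, which is the condition that makes the expect matching unreliable.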



From: Chip Pleasants [mailto:wpleasants at gmail.com]
Sent: Tuesday, June 17, 2014 3:21 PM
To: Hughes, Doug
Cc: rancid-discuss at shrubbery.net
Subject: Re: [rancid] Panrancid with PAN 6.0

Tried it on both versions. Seems like they both yield the same result. Doesn't the script turn cli scripting-mode on? Or do we not really care whether it's on or off?




user at FIREWALLV6(active)> set cli scripting-mode off
user at FIREWALLV6(active)> set cli scripting-mode
  off   off
  on    on

user at FIREWALLV6(active)> set cli scripting-mode






user at FIREWALLV5(active)> set cli scripting-mode off
user at FIREWALLV5(active)> set cli scripting-mode
  off   off
  on    on

user at FIREWALLV5(active)> set cli scripting-mode



-Chip


On Tue, Jun 17, 2014 at 3:10 PM, Hughes, Doug <Douglas.Hughes at deshawresearch.com> wrote:
Sorry, I meant ‘off’, you need to set it to off and then try the ? test.

From: Chip Pleasants [mailto:wpleasants at gmail.com]
Sent: Tuesday, June 17, 2014 2:48 PM
To: Hughes, Doug
Cc: rancid-discuss at shrubbery.net
Subject: Re: [rancid] Panrancid with PAN 6.0

Here's what I get. I get the same result from a version 5.x PA. I removed the "set cli scripting-mode on" from the script to test. Version 5.x PA works and version 6.x PA ends up with the same result.


user at FIREWALL(active)> set cli scripting-mode on
user at FIREWALL(active)> set cli scripting-mode ?
? is not one of <on|off>

Invalid syntax.
user at FIREWALL(active)>



line: rancid at FIREWALL(active)> set rancid at FIREWALL(active)> set cli rancid at FIREWALL(active)> set cli pager rancid at FIREWALL(active)> set cli pager off
PROMPT MATCH: rancid at FIREWALL\(active\)[#>]
HIT COMMAND:rancid at FIREWALL(active)> set rancid at FIREWALL(active)> set cli rancid at FIREWALL(active)> set cli pager rancid at FIREWALL(active)> set cli pager off

COMMAND is: set cli pager off|EatCommand
HIT COMMAND:rancid at FIREWALL(active)> show rancid at FIREWALL(active)> show system rancid at FIREWALL(active)> show system info

COMMAND is: show system info|ShowInfo
    In ShowInfo:: rancid at FIREWALL(active)> show rancid at FIREWALL(active)> show system rancid at FIREWALL(active)> show system info
FIREWALL.dswinc.net: missed cmd(s): show config running
FIREWALL.dswinc.net: missed cmd(s): show config running
FIREWALL.dswinc.net: End of run not found
FIREWALL.dswinc.net: End of run not found
#
[rancid at server rancid]$




On Tue, Jun 17, 2014 at 2:28 PM, Hughes, Doug <Douglas.Hughes at deshawresearch.com> wrote:
Ah, you are running in HA mode I see. That could be throwing things off, but I think I fixed that in 2013 sometime.
(I don’t run any in HA)

It looks to me like ‘set cli scripting-mode on’ is failing

To confirm this, login to the PA at command line, then type set cli scripting-mode on

Now type “set cli scripting-mode ?”

If you get any sort of command completion, the cli scripting mode setting is not working and needs to be turned into a PA bug report. That is what it looks like is happening, judging by the command staggering for subsequent lines.

From: Chip Pleasants [mailto:wpleasants at gmail.com]
Sent: Tuesday, June 17, 2014 1:39 PM
To: Hughes, Doug
Cc: rancid-discuss at shrubbery.net
Subject: Re: [rancid] Panrancid with PAN 6.0

Thanks Doug. I am running the most recent version, but for grins I replaced them anyway. Still seeing the issue on two sets. The others seem to work fine. Anything I can provide that would help find the trouble?

-Chip


On Mon, Jun 16, 2014 at 4:37 PM, Hughes, Doug <Douglas.Hughes at deshawresearch.com> wrote:
Yes, it’s working for me. Are you using the latest? (attached)


From: Rancid-discuss [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Chip Pleasants
Sent: Monday, June 16, 2014 2:01 PM
To: rancid-discuss at shrubbery.net
Subject: [rancid] Panrancid with PAN 6.0

Does anyone have Panrancid working with PAN version 6.0.2? I have four sets running PAN version 5.0.11 without any issues. Once I upgraded one set the script times out. Below is a debug. Let me know if you have any questions.

Cheers,

Chip


[rancid at cmh1vlobs01 rancid]$ /usr/libexec/rancid/panrancid -d cmh1-z4-f01.domain.com
executing panlogin -t 90 -c"set cli scripting-mode on;set cli pager off;show system info;show config running" cmh1-z4-f01.domain.com
line: cmh1-z4-f01.domain.com
line: spawn ssh -c 3des -x -l rancid cmh1-z4-f01.domain.com
line:                                 NOTICE TO USERS
line:   This is an official computer system and is the property of POOP Incorporated.
line:   It is for authorized users only.  Unauthorized  users are prohibited.
line:   Users (authorized or unauthorized) have no  explicit or implicit expectation of
line:   privacy.  Any or all uses of this system may be subject to one or more of the
line:   following actions:  interception, monitoring, recording, auditing, inspection and
line:   disclosing to security personnel and law enforcement personnel, as well as
line:   authorized officials of other agencies, both domestic and foreign. By using this
line:   system, the user consents to these actions.  Unauthorized or improper use of
line:   this system may result in administrative disciplinary action and civil and criminal
line:   penalties.  By accessing this system you indicate your awareness of and
line:   consent to these terms and conditions of use. Discontinue access immediately
line:   if you do not agree to the conditions stated in this notice.
line:
line: Password:
line: Last login: Mon Jun 16 08:00:00 2014 from cmh1vlobs01.domain.com
line: Welcome rancid.
line:
line: rancid at CMH1-Z4-F01(active)>
line: rancid at CMH1-Z4-F01(active)>
line: rancid at CMH1-Z4-F01(active)> set rancid at CMH1-Z4-F01(active)> set cli rancid at CMH1-Z4-F01(active)> set cli scripting-mode rancid at CMH1-Z4-F01(active)> set cli scripting-mode on
PROMPT MATCH: rancid at CMH1-Z4-F01\(active\)[#>]
HIT COMMAND:rancid at CMH1-Z4-F01(active)> set rancid at CMH1-Z4-F01(active)> set cli rancid at CMH1-Z4-F01(active)> set cli scripting-mode rancid at CMH1-Z4-F01(active)> set cli scripting-mode on

COMMAND is: set cli scripting-mode on|EatCommand
HIT COMMAND:rancid at CMH1-Z4-F01(active)> set rancid at CMH1-Z4-F01(active)> set cli rancid at CMH1-Z4-F01(active)> set cli pager rancid at CMH1-Z4-F01(active)> set cli pager off

COMMAND is: set cli pager off|EatCommand
HIT COMMAND:rancid at CMH1-Z4-F01(active)> show rancid at CMH1-Z4-F01(active)> show system rancid at CMH1-Z4-F01(active)> show system info

COMMAND is: show system info|ShowInfo
    In ShowInfo:: rancid at CMH1-Z4-F01(active)> show rancid at CMH1-Z4-F01(active)> show system rancid at CMH1-Z4-F01(active)> show system info
cmh1-z4-f01.domain.com: missed cmd(s): show config running
cmh1-z4-f01.domain.com: missed cmd(s): show config running
cmh1-z4-f01.domain.com: End of run not found
cmh1-z4-f01.domain.com: End of run not found




