[rancid] ASAs with multiple contexts
Hagen, Skye (skyeh@uidaho.edu)
skyeh at uidaho.edu
Thu May 11 20:41:20 UTC 2017
It sounds like it might work. The tricky part could be the fact that the prompt might change.
With a multi-context ASA, one of the contexts will be an admin context. It does not have to be named ‘admin’, but an
To get a context configuration, there are two choices. You can log in to each context, or log in to the admin context and changeto a different context. A standard ‘show run’ will get you the config, with passwords automatically blanked. In addition, there is a system context, which you cannot log into directly; it can only be accessed by doing a ‘changeto system’ command from the admin context. (To change between contexts, the command is ‘changeto context <context name>’.)
When changing between contexts, the prompt may change. The format of the prompt is in the system context. I’ve included a snippet showing parts of the system context. A single ‘exit’ command will log you off the ASA.
I’m running an old copy of RANCID, and using the usercmd patch to back up the system context on my ASA. Here’s how I did it.
add method asa-system.its.uidaho.edu {usercmd}
add usercmd asa-system.its.uidaho.edu {clogin} {fw1.its.uidaho.edu}
add usercmd_chat asa-system.its.uidaho.edu {#} {changeto system\r} {#} {terminal pager 0\r}
Skye.
-----
lib-asa1/FW1/act/pri> en
Password: ****************
lib-asa1/FW1/act/pri# changeto system < Here’s the ‘changeto system’ command, note the prompt change on the next line.
lib-asa1/act/pri# show run
: Saved
:
!
interface GigabitEthernet0/3
description ** crlk xxxborder Gi1/20 **
channel-group 13 mode active
!
interface Port-channel13
description ** Quad 1Gbps xxxborder crlk **
!
interface Port-channel13.47
vlan 47
!
admin-context FW1 < here’s where the admin context is defined.
context FW1
allocate-interface Port-channel33.35
config-url disk0:/FW1
!
context admin
allocate-interface Management0/0
config-url disk0:/admin.cfg
!
prompt hostname context state priority < Here’s where the format of the prompt is set. This applies to all contexts.
Cryptochecksum:1308a3bcb393b090191708a6cb9b6d0f
: end
lib-asa1/act/pri# exit
Logoff
Connection to asa1-FW1 closed.
-----
On 5/11/17, 12:19 PM, "Rancid-discuss on behalf of heasley" <rancid-discuss-bounces at shrubbery.net on behalf of heas at shrubbery.net> wrote:
Wed, Apr 19, 2017 at 04:43:08PM -0500, Mark Felder:
> It seems this horse has been beaten to death for many years, but no
> single solution exists that I've been able to locate. Even the Oxidized
> folks haven't solved it yet, but they have a patch in progress. [1]
>
> Is there a solution for RANCID users yet or are people still hacking
> away at the code to make it work for their specific
> environments/devices?
I thought that one of these caught the contexts of the ASA:
cisco;command;ios::WriteTerm;more system:running-config;ASA/PIX
cisco;command;ios::WriteTerm;show running-config view full;workaround for role-based CLI
Others have used separate router.db entries for each context on the PIX.
And, the a10 has some similar configuration that is apparently (I do not
have one and am not familiar with it) not dumped with the rest of the
config. To collect that, a10login had some weird stuff, which was buggy,
that attempted to parse the output from one of the commands in the command
list for a10 and insert other commands into the output.
To do that more generically - and not in tcl, I started adding a way to
insert commands. eg:
a10;command;acos::ShowAflex;show aflex all-partitions
+a10;precommand;acos::AflexCmds;show aflex;#requires the command above
a10;command;acos::ShowRunningConfig;show running-config all-partitions
rancid would run the precommand(s), which could insert commands into
the command list or a postcommand list to collect output for each of
the configured partitions. It does mean multiple logins, but feh.
Is this appealing for the ASA (another platform I have little experience
with) problem?
> Thanks!
>
> [1] https://github.com/ytti/oxidized/pull/479
>
> --
> Mark Felder
> feld at feld.me
>
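An added example, not part of the original post and not RANCID code: Python that reads a saved system-context configuration like the one shown above, lists the contexts, and builds the prompt pattern a collection script should wait for after each 'changeto', so a prompt change does not stall the login. The hostname and prompt layout are taken from the session in the post; the function names and the fallback prompt field list are assumptions.

```python
import re

# Constructed sample: system-context 'show run' lines modelled on the session in the post.
SYSTEM_CONFIG = """\
admin-context FW1
context FW1
 config-url disk0:/FW1
!
context admin
 config-url disk0:/admin.cfg
!
prompt hostname context state priority
"""

def parse_system_context(config):
    """Return (admin context name, {context: config-url}, prompt field list)."""
    admin, contexts, current = None, {}, None
    fields = ["hostname", "context"]  # assumption: used when no 'prompt' line exists
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            current = None          # '!' closes the current context block
        elif words[0] == "admin-context" and len(words) > 1:
            admin = words[1]
        elif words[0] == "context" and len(words) > 1:
            current = words[1]
            contexts[current] = None
        elif words[0] == "config-url" and current and len(words) > 1:
            contexts[current] = words[1]
        elif words[0] == "prompt":
            fields = words[1:]
    return admin, contexts, fields

def prompt_regex(hostname, fields, context=None):
    """Regex for the prompt inside `context`; None means the system context."""
    parts = []
    for field in fields:
        if field == "hostname":
            parts.append(re.escape(hostname))
        elif field == "context":    # the system context shows no context name
            parts += [re.escape(context)] if context else []
        else:                       # state, priority: value depends on failover role
            parts.append(r"[^/\s#>]+")
    return re.compile("^" + "/".join(parts) + r"[#>]\s*$")

def collection_plan(config, hostname):
    """Commands to send from the admin context, each with the prompt to expect."""
    _, contexts, fields = parse_system_context(config)
    return [("changeto system", prompt_regex(hostname, fields))] + [
        (f"changeto context {n}", prompt_regex(hostname, fields, n)) for n in contexts]
```

The plan is built from a previously saved copy of the system context, so the first run still needs the 'changeto system' step configured by hand.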