[rancid] Update configs by an external means
Alex DEKKER
rancid at ale.cx
Fri Oct 6 12:40:44 UTC 2017
I was starting from a base of 3.6.2.
alexd
On 06/10/17 13:32, Piegorsch, Weylin William wrote:
> I had the same problem with rancid v1.x using a custom script (written by my predecessor for NX-OS). It cleared up when we migrated to v3.4.1, which had native NX-OS so it’s not clear to me if dumping the custom config fixed the issue or if it were a rancid version issue.
>
> Are you using a current version?
>
> weylin
>
> -----Original Message-----
> From: Alex DEKKER <rancid at ale.cx>
> Date: Thursday, October 5, 2017 at 05:08
> To: <rancid-discuss at shrubbery.net>
> Subject: Re: [rancid] Update configs by an external means
>
> On 04/10/17 21:50, Dan Anderson wrote:
> > Rather than using a file that's been transferred onto the system, you
> > may be able to have RANCID log in via SSH and run "config\rshow
> > current-config" to dump the config. I'm guessing that there's some
> > other commands that may be useful, but "show current-config" from
> > config mode is how I typically get config copies from Sonicwall
> > firewalls when I'm doing firewall migrations for my customers.
>
> I have started a snwlrancid based on the Mikrotik config fetcher. I
> guess I should just throw it up somewhere for others to have a look at.
> One thing I've noticed is that the obscured encryption keys in VPN
> tunnels change *every time* the config is polled:
>
>
> < shared-secret
> 4,c99c5ca7b2d0907883e8c6eacb251bfc189265ff041f4941cfaca1a3f3371511611bef8ee56affb2e091204a7c93f8c0d976d2cb3d251b4b940b0fafdb0d8f6812b8c067e1d1d3683db2f6d1247cf5c670171ba6f72e6bc1b62de89b79d23512ee6abf58b5f6ed6dcfb492a4a9d1800f9234e12899b2bc7f7eb4ccf865b478244f0b1a80ffd91035
> ---
> > shared-secret
> 4,aa138a1f3e053d8fe0efbc3089e2be854a1a9d31fc6e3c26165674b26823f2e32c2e2ecf57fd16e74af093c9e6d35923be216133728061756144089c6ef3cfefc4f1f7bd270e41010e765b1afaed41f2d3e07950c3a3bf9a96264bbf7d9e17ad4280062cbdf2fa1f8b1071423186d5bb232e4424f50493c3ef64b34c7645305a56669a379d5abbba
>
> So long as it works when it's pasted back in to the firewall then great,
> but obviously this is going to be absurdly noisy unless it's replaced
> with a placeholder with some post-processing. If it's replaced with a
> placeholder then the resulting config cannot be put back in to the
> firewall without some tweaking. Personally, working in a team of people
> who manage Sonicwalls, partial-RANCID is better than no RANCID at all.
>
> The main roadblock I hit was that the word "exit" just seems to move
> around at random, and it's not the same "exit" that does this, there are
> loads of exits in the config and any one of them can apparently do it:
>
> Index: configs/barkminisonic.rancid
> ===================================================================
> retrieving revision 1.21
> diff -u -4 -r1.21 minisonic.rancid
> @@ -5,8 +5,9 @@
> rom-version 5.0.5.6
> model "NSA 220"
> serial-number C0EA-E42D-XXXX
> last-modified-by "admin 192.168.253.16:X0 UI 2017/09/10 16:07:22"
> + exit
> administration
> firewall-name MiniSonic
> no auto-append-suffix
> admin-name admin
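Review bot: the only change in this hunk is the new `exit` line after `last-modified-by`; none of the surrounding settings changed, so this should be read as a capture artefact rather than a configuration change, and a fetcher that commits it will keep producing a diff on every poll. The same `exit` token is what disappears from the end of `admin-preempt-action goto-non-configexit` in the next hunk, which points at one stray token landing at a different offset in the captured stream rather than at two independent edits.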
> @@ -20,9 +21,9 @@
> password constraints-apply-to limited-admins
> password constraints-apply-to local-users
> idle-logout-time 25
> no user-lockout
> - admin-preempt-action goto-non-configexit
> + admin-preempt-action goto-non-config
> admin-preempt-inactivity-timeout 10
> no inter-admin-messaging
> no web-management allow-http
> web-management https-port 443
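Review bot: the `-`/`+` pair in this hunk differs only by the literal `exit` fused onto `goto-non-config` with no newline between them, so the admin-preempt setting itself did not change. Suggest the collector treat any line whose last token ends in `exit` but is not exactly `exit` (e.g. `goto-non-configexit`) as a failed collection and re-poll instead of committing it: committing the fused line produces the spurious diff shown here, and silently stripping the token would still leave the standalone `exit` at the wrong place, so neither gives a config that can be pasted back to the firewall.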
>
>
> I don't have time to work on this at the moment but I will try and make
> some time to put what I've done so far on Github or similar.
>
> alexd
>
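The post-processing Alex describes in the quoted message above (replacing the rotating obscured `shared-secret` values with a placeholder, and detecting the fused `exit` that makes a capture unusable), as an added example in Python. This is not code from the thread, from rancid, or from Alex's snwlrancid script; the keyword list beyond `shared-secret`, the placeholder text and the sample configs are assumptions constructed loosely after the diff in the thread. The secrets are returned separately so they can be kept outside version control and merged back for paste-back, which addresses the "some tweaking" Alex mentions.

```python
import re

# Added example, not code from the thread or from rancid. "shared-secret" is the keyword
# seen in the thread; "pre-shared-key" and "passphrase" are assumed extra keywords whose
# obscured "N,<hex>" value is also re-encrypted on every poll.
ROTATING_SECRET_RE = re.compile(
    r"^(?P<head>\s*(?:shared-secret|pre-shared-key|passphrase)\s+)"
    r"(?P<scheme>\d+),(?P<blob>[0-9a-fA-F]+)\s*$"
)
PLACEHOLDER = "<secret-removed>"  # assumed placeholder text
PLACEHOLDER_RE = re.compile(
    r"^(?P<head>\s*(?:shared-secret|pre-shared-key|passphrase)\s+)\d+,"
    + re.escape(PLACEHOLDER) + r"\s*$"
)


def scrub_config(text):
    """Return (scrubbed_text, blobs, fused_exit_lines).

    scrubbed_text    - config with every "<key> N,<hex>" value replaced by
                       "<key> N,<secret-removed>", so re-encryption of an unchanged key
                       no longer produces a diff (a genuine key change is hidden too;
                       that is the trade-off Alex describes).
    blobs            - the removed "N,<hex>" values in order, for restore_config().
    fused_exit_lines - 1-based line numbers where "exit" is glued onto another token
                       ("goto-non-configexit"); the fetcher should re-poll rather than
                       commit such output.
    """
    out, blobs, fused = [], [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = ROTATING_SECRET_RE.match(line)
        if m:
            blobs.append(f"{m['scheme']},{m['blob']}")
            out.append(f"{m['head']}{m['scheme']},{PLACEHOLDER}")
            continue
        tokens = line.split()
        last = tokens[-1] if tokens else ""
        if last != "exit" and last.endswith("exit"):
            fused.append(n)
        out.append(line)
    return "\n".join(out) + "\n", blobs, fused


def restore_config(scrubbed, blobs):
    """Merge the stored secrets back, in order, so the config can be pasted into the box."""
    it = iter(blobs)
    out = []
    for line in scrubbed.splitlines():
        m = PLACEHOLDER_RE.match(line)
        if m:
            try:
                out.append(m["head"] + next(it))
            except StopIteration:
                raise ValueError("more placeholders than stored secrets")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample captures, loosely modelled on the diff in the thread (the hex blobs
# are truncated copies of the two values quoted there; the vpn block syntax is assumed).
SAMPLE_POLL_1 = """\
administration
    firewall-name MiniSonic
    admin-preempt-action goto-non-configexit
    admin-preempt-inactivity-timeout 10
exit
vpn
    policy "to-hq"
        shared-secret 4,c99c5ca7b2d0907883e8c6eacb251bfc189265ff
    exit
exit
"""
SAMPLE_POLL_2 = (
    SAMPLE_POLL_1
    .replace("goto-non-configexit", "goto-non-config")
    .replace("c99c5ca7b2d0907883e8c6eacb251bfc189265ff",
             "aa138a1f3e053d8fe0efbc3089e2be854a1a9d31")
)

if __name__ == "__main__":
    for name, poll in (("poll 1", SAMPLE_POLL_1), ("poll 2", SAMPLE_POLL_2)):
        scrubbed, blobs, fused = scrub_config(poll)
        print(f"{name}: {len(blobs)} secret(s) removed, fused exit at lines {fused}")
        print(scrubbed)
```

With the placeholder in place the only remaining difference between the two sample polls is the fused `exit` line, which `scrub_config` reports so the collector can re-poll instead of committing it.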