[rancid] Update configs by an external means

Piegorsch, Weylin William weylin at bu.edu
Fri Oct 6 12:32:51 UTC 2017


I had the same problem with rancid v1.x using a custom script (written by my predecessor for NX-OS). It cleared up when we migrated to v3.4.1, which had native NX-OS support, so it's not clear to me whether dumping the custom config fixed the issue or whether it was a rancid version issue.

Are you using a current version?

weylin

-----Original Message-----
From: Alex DEKKER <rancid at ale.cx>
Date: Thursday, October 5, 2017 at 05:08
To: <rancid-discuss at shrubbery.net>
Subject: Re: [rancid] Update configs by an external means

    On 04/10/17 21:50, Dan Anderson wrote:
    > Rather than using a file that's been transferred onto the system, you 
    > may be able to have RANCID log in via SSH and run "config\rshow 
    > current-config" to dump the config. I'm guessing that there's some 
    > other commands that may be useful, but "show current-config" from 
    > config mode is how I typically get config copies from Sonicwall 
    > firewalls when I'm doing firewall migrations for my customers.
    
    I have started a snwlrancid based on the Mikrotik config fetcher. I 
    guess I should just throw it up somewhere for others to have a look at. 
    One thing I've noticed is that the obscured encryption keys in VPN 
    tunnels change *every time* the config is polled:
    
    
    <         shared-secret 
    4,c99c5ca7b2d0907883e8c6eacb251bfc189265ff041f4941cfaca1a3f3371511611bef8ee56affb2e091204a7c93f8c0d976d2cb3d251b4b940b0fafdb0d8f6812b8c067e1d1d3683db2f6d1247cf5c670171ba6f72e6bc1b62de89b79d23512ee6abf58b5f6ed6dcfb492a4a9d1800f9234e12899b2bc7f7eb4ccf865b478244f0b1a80ffd91035
    ---
     >         shared-secret 
    4,aa138a1f3e053d8fe0efbc3089e2be854a1a9d31fc6e3c26165674b26823f2e32c2e2ecf57fd16e74af093c9e6d35923be216133728061756144089c6ef3cfefc4f1f7bd270e41010e765b1afaed41f2d3e07950c3a3bf9a96264bbf7d9e17ad4280062cbdf2fa1f8b1071423186d5bb232e4424f50493c3ef64b34c7645305a56669a379d5abbba
    
    So long as it works when it's pasted back into the firewall then great, 
    but obviously this is going to be absurdly noisy unless it's replaced 
    with a placeholder with some post-processing. If it's replaced with a 
    placeholder then the resulting config cannot be put back into the 
    firewall without some tweaking. Personally, working in a team of people 
    who manage Sonicwalls, partial-RANCID is better than no RANCID at all.
    
    The main roadblock I hit was that the word "exit" just seems to move 
    around at random, and it's not the same "exit" that does this, there are 
    loads of exits in the config and any one of them can apparently do it:
    
    Index: configs/barkminisonic.rancid
    ===================================================================
    retrieving revision 1.21
    diff -u -4 -r1.21 minisonic.rancid
    @@ -5,8 +5,9 @@
       rom-version 5.0.5.6
       model "NSA 220"
       serial-number C0EA-E42D-XXXX
       last-modified-by "admin 192.168.253.16:X0 UI 2017/09/10 16:07:22"
    + exit
       administration
           firewall-name MiniSonic
           no auto-append-suffix
           admin-name admin
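Review bot: the added `+ exit` line sits at the same indentation as the `administration` line directly below it, so it is not closing any sub-block of the preceding `rom-version`/`model`/`serial-number`/`last-modified-by` lines; taken together with the `exit` that disappears from the tail of `goto-non-configexit` in the following hunk, this hunk records a stray token moving within the collector's output, not a change on the device. Rather than committing the revision as a config change, the fetcher should compare old and new with bare `exit` lines and inter-token whitespace normalized and treat a match as noise.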
    @@ -20,9 +21,9 @@
           password constraints-apply-to limited-admins
           password constraints-apply-to local-users
           idle-logout-time 25
           no user-lockout
    -     admin-preempt-action goto-non-configexit
    +     admin-preempt-action goto-non-config
           admin-preempt-inactivity-timeout 10
           no inter-admin-messaging
           no web-management allow-http
           web-management https-port 443
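Review bot: the `-` line `admin-preempt-action goto-non-configexit` is the keyword `goto-non-config` with `exit` glued on with no separator, which is what makes the `+` line look like a value change; the fused form is consistent with a line break being lost between the keyword and the `exit` that then shows up on its own line in the previous hunk. A filter that flags any line whose last token ends in `exit` with no whitespace before it would catch this before it reaches the diff, though it can only flag, not repair, because the correct position of that `exit` is not recoverable from the two hunks alone.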
    
    
    I don't have time to work on this at the moment but I will try and make 
    some time to put what I've done so far on Github or similar.
    
    alexd
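The two glitches alexd describes, rotating obscured keys and a wandering `exit`, are both post-processing problems. The block below is an added example written for this thread, in Python rather than as a RANCID Perl filter, and it is not RANCID's or SonicWall's code. It assumes, from the diff above and not from any vendor document, that an obscured secret prints as `<keyword> N,<hex>` on one line, and the keyword list and the sample dumps are constructed for the example. It masks the secret with the `<removed>` placeholder RANCID's own filters use, offers a `filter_pwds`-style knob so the unmasked text can still be kept for pasting back, checks whether two polls differ only in masked lines, and flags (without rewriting) lines where `exit` is fused onto another token, since the thread does not establish what causes that.

```python
"""Post-processing for a SonicWall config dump collected the RANCID way.

Added example for this thread; not RANCID's Perl filter code and not any
SonicOS tooling. Assumptions, none taken from vendor documentation:
  * an obscured secret is printed as "<keyword> N,<hex>" on a single line,
    as the shared-secret lines in the thread show;
  * SECRET_KEYWORDS is the operator's list to extend for other fields.
"""
from __future__ import annotations

import difflib
import re

# Constructed output of two consecutive polls of one unchanged firewall.
# The hex blobs are invented; they stand in for the obscured key that the
# firewall re-encodes on every dump.
KEY_POLL_1 = "4,c99c5ca7b2d0907883e8c6eacb251bfc189265ff041f4941cfaca1a3"
KEY_POLL_2 = "4,aa138a1f3e053d8fe0efbc3089e2be854a1a9d31fc6e3c26165674b2"

POLL_1 = f"""\
administration
    firewall-name MiniSonic
    idle-logout-time 25
exit
vpn policy site-to-site "to-hq"
    shared-secret {KEY_POLL_1}
exit
"""
POLL_2 = POLL_1.replace(KEY_POLL_1, KEY_POLL_2)

# Constructed dump showing the other glitch from the thread: "exit" fused
# onto the end of a keyword instead of sitting on its own line.
POLL_FUSED = """\
administration
    firewall-name MiniSonic
    admin-preempt-action goto-non-configexit
    admin-preempt-inactivity-timeout 10
exit
"""

SECRET_KEYWORDS = ("shared-secret",)  # assumption: extend per device
PLACEHOLDER = "<removed>"             # the marker RANCID's filters use
OBSCURED = re.compile(
    r"^(?P<indent>\s*)(?P<key>" + "|".join(map(re.escape, SECRET_KEYWORDS))
    + r")(?P<sep>\s+)\d+,[0-9A-Fa-f]+\s*$"
)
# Heuristic: last token ends in "exit" with no whitespace before it
# (e.g. "goto-non-configexit"). Real keywords can end that way too, so
# this flags lines for a human instead of rewriting them.
FUSED_EXIT = re.compile(r"^\s*\S.*\Sexit\s*$")


def filter_config(text: str, filter_pwds: int = 1) -> str:
    """Replace rotating obscured secrets with PLACEHOLDER.

    filter_pwds follows the spirit of RANCID's knob of that name: 0 keeps
    the dump verbatim (noisy diffs, but the text pastes straight back into
    the firewall); anything higher masks the value so only real changes diff.
    """
    if filter_pwds <= 0:
        return text
    out = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]          # keep the original line ending
        m = OBSCURED.match(body)
        if m:
            body = f"{m['indent']}{m['key']}{m['sep']}{PLACEHOLDER}"
        out.append(body + eol)
    return "".join(out)


def changed_lines(old: str, new: str) -> list[str]:
    """The +/- lines of a zero-context unified diff, file headers dropped."""
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(),
                                lineterm="", n=0)
    return [d for d in diff
            if d.startswith(("+", "-")) and not d.startswith(("+++", "---"))]


def is_noise_only(old: str, new: str, filter_pwds: int = 1) -> bool:
    """True when two polls differ only in lines the filter masks."""
    return filter_config(old, filter_pwds) == filter_config(new, filter_pwds)


def fused_exit_lines(text: str) -> list[int]:
    """1-based line numbers where 'exit' is glued onto another token."""
    return [i for i, line in enumerate(text.splitlines(), 1)
            if FUSED_EXIT.match(line)]


if __name__ == "__main__":
    print(changed_lines(POLL_1, POLL_2))                                # 2 noisy lines
    print(changed_lines(filter_config(POLL_1), filter_config(POLL_2)))  # []
    print(fused_exit_lines(POLL_FUSED))                                 # [3]
```

Running `filter_config` with `filter_pwds=1` before the text is committed is what keeps the repository quiet; keeping a second, unfiltered copy outside version control (or committing with `filter_pwds=0` and accepting the noise) is the trade-off for a dump that can be pasted straight back into the firewall. `fused_exit_lines` is deliberately a detector only: the diff in the thread shows where the `exit` landed, not where it belonged.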
    
    
    


