From heas at shrubbery.net Tue Sep 5 14:32:19 2017
From: heas at shrubbery.net (heasley)
Date: Tue, 5 Sep 2017 14:32:19 +0000
Subject: [rancid] New HP/Aruba Switch Error
In-Reply-To: <9201f0d8-3079-f40a-6501-f2997fefce15@chalmers.se>
References: <20170720125414.GB63334@shrubbery.net> <9201f0d8-3079-f40a-6501-f2997fefce15@chalmers.se>
Message-ID: <20170905143219.GA82120@shrubbery.net>

Wed, Aug 23, 2017 at 06:20:40AM +0200, Per-Olof Olsson:
> New HP/Aruba software needs updates in hpuifilter.c to handle new ESC codes.
> Look for Subject "rancid with hp5412 J8697A or hp5406" posted on this list March 24 2017,
> or grab hpuifilter.c from the alpha version.

That is already in the alpha version.

From emagutu at gmail.com Thu Sep 7 01:11:33 2017
From: emagutu at gmail.com (Eric Magutu)
Date: Thu, 7 Sep 2017 04:11:33 +0300
Subject: [rancid] Device support error - Huawei
Message-ID:

Hi,

I am trying to configure backups for my Huawei devices and am getting the following error:

exec(hurancid) failed router manufacturer huawei: No such file or directory
exec(hurancid) failed router manufacturer huawei: No such file or directory

=====================================
Versions as below:
rancid   rancid 3.6.2
expect   expect version 5.45
OS       DISTRIB_ID=Ubuntu
         DISTRIB_RELEASE=16.04
         DISTRIB_CODENAME=xenial
         DISTRIB_DESCRIPTION="Ubuntu 16.04.3 LTS"

I followed the instructions at
http://jira.observium.org/browse/OBSERVIUM-2020

Any pointers on how I can get this to work would be appreciated.

--
Regards,
Eric Magutu

From Thomas.Eichhorn at klinikum-nuernberg.de Thu Sep 7 06:49:51 2017
From: Thomas.Eichhorn at klinikum-nuernberg.de (Eichhorn, Thomas)
Date: Thu, 7 Sep 2017 06:49:51 +0000
Subject: [rancid] Device support error - Huawei
In-Reply-To:
References:
Message-ID:

Hi Eric,

> exec(hurancid) failed router manufacturer huawei: No such file or directory
> exec(hurancid) failed router manufacturer huawei: No such file or directory

It seems that there is no 'hurancid' file in your RANCIDBASE/bin directory. Can you confirm that?

I think you have to 'configure', 'make' and 'make install' to create the 'hurancid' file after you place these files in your '…/rancid/bin' directory. Please try this in a testing environment first.

I've never worked with rancid and Huawei products, so I don't know for sure if I can help you, but I found a (maybe) helpful link:
http://www.inet9.net/rancid-for-hp-h3c-huawei-switches/

Best regards,
Thomas

________________________________
Klinikum Nürnberg, registered office: Nürnberg, Nürnberg District Court (registry court) HRA 14190, Board: Prof. Dr. Achim Jockwig (Chairman), Dr. Andreas Becke, Univ.-Prof. Dr. Dr. Günter Niklewski, Peter Schuh

From jethro.binks at strath.ac.uk Thu Sep 7 08:18:58 2017
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Thu, 7 Sep 2017 09:18:58 +0100 (BST)
Subject: [rancid] Device support error - Huawei
In-Reply-To:
References:
Message-ID:

On Thu, 7 Sep 2017, Eichhorn, Thomas wrote:

> Hi Eric,
...
> I've never worked with rancid and Huawei products so I don't know for sure if I can help you but I found a (maybe) helpful link:
> http://www.inet9.net/rancid-for-hp-h3c-huawei-switches/
>
> Best regards,
> Thomas

Can't tell you if they've been subsequently modified, but the h3clogin and h3crancid were originally written by me, based on some earlier work of others, and published here:

https://sites.google.com/site/jrbinks/code/rancid/h3c

I then had to make a lot of changes, and modified for rancid 3, producing:

https://sites.google.com/site/jrbinks/code/rancid/cmwrancid

The versions I run locally are advanced from these, but I've no idea whether they are in a state to be published - I have practically zero development time these days. But if I do, I will mention it here.

I only have access to 3Com/HP Comware 3 devices, HP/H3C Comware 5 and HP(E) Comware 7 devices. I have no Huawei, but a few people have tried some models and reported some success, or fed back further changes.

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in Scotland, number SC015263.

From Wayne.Eisenberg at CarolinasIT.com Mon Sep 11 05:47:38 2017
From: Wayne.Eisenberg at CarolinasIT.com (Wayne Eisenberg)
Date: Mon, 11 Sep 2017 05:47:38 +0000
Subject: [rancid] ASA IOS 9.8(2) support?
Message-ID:

Hi,

I have an ASA firewall running version 9.8(2), and the clogin script is missing something in the sequence such that I don't get to enable mode properly.

[rancid3]$ bin/clogin asa
spawn ssh -c aes256-cbc -x -l asa
@asa's password:
User logged in to ASA
Logins over the last 4 days: 28.
Last login: 22:33:20 UTC Sep 10 2017 from x.y.z.a
Failed logins since the last login: 0.
Last failed login: 06:03:53 UTC Sep 8 2017 from x.y.z.a
Type help or '?' for a list of available commands.
ASA>
    ^
ERROR: % Invalid input detected at '^' marker.

Error: Unrecognized command, check your enable command
ASA>
    ^
ERROR: % Invalid input detected at '^' marker.
ASA> enable
Password:
Password:

And that is where it stops (it never tries to type in the enable password). If I manually input the enable password that I have in .clogin, it lets me into enable mode. Other ASAs with older versions work fine, and the .clogin file is properly written for this device.

Could upgrading to the current version of rancid solve this (currently on v3.1)?

Thanks,
Wayne

________________________________
The information in this Internet e-mail (and any attachments) is confidential, may be legally privileged and is intended solely for the Addressee(s) named above. If you are not the intended recipient, or the employee or agent responsible for delivering it to the intended recipient, then any dissemination or copying of this e-mail (and any attachments) is prohibited and may be unlawful. If you received this e-mail in error, please immediately notify us by e-mail or telephone, then delete the message. Thank you.

From cgauthier at comscore.com Mon Sep 11 14:36:16 2017
From: cgauthier at comscore.com (Gauthier, Chris)
Date: Mon, 11 Sep 2017 14:36:16 +0000
Subject: [rancid] ASA IOS 9.8(2) support?
Message-ID:

Chris Gauthier
Senior Network Engineer | comScore, Inc.
o +1 503-331-2704
cgauthier at comscore.com
317 SW Alder St, Suite 500 | Portland | OR 97204

From: Rancid-discuss on behalf of Wayne Eisenberg
Date: Sunday, September 10, 2017 at 10:48 PM
To: "'rancid-discuss at shrubbery.net'"
Subject: [rancid] ASA IOS 9.8(2) support?

> Hi,
>
> I have an ASA firewall running version 9.8(2), and the clogin script is missing something in the sequence such that I don't get to enable mode properly.
>
> [rancid3]$ bin/clogin asa
> spawn ssh -c aes256-cbc -x -l asa
> @asa's password:
> User logged in to ASA
> Logins over the last 4 days: 28.
> Last login: 22:33:20 UTC Sep 10 2017 from x.y.z.a
> Failed logins since the last login: 0.
> Last failed login: 06:03:53 UTC Sep 8 2017 from x.y.z.a
> Type help or '?' for a list of available commands.
> ASA>
>     ^
> ERROR: % Invalid input detected at '^' marker.
>
> Error: Unrecognized command, check your enable command
> ASA>
>     ^
> ERROR: % Invalid input detected at '^' marker.
> ASA> enable
> Password:
> Password:
>
> And that is where it stops (it never tries to type in the enable password). If I manually input the enable password that I have in .clogin, it lets me into enable mode. Other ASAs with older versions work fine, and the .clogin file is properly written for this device.
>
> Could upgrading to the current version of rancid solve this (currently on v3.1)?

This sounds like it could be related to the .cloginrc file. What does it look like (obviously obfuscating credentials)?

> Thanks,
> Wayne

--Chris

From rwest at zyedge.com Mon Sep 11 17:17:12 2017
From: rwest at zyedge.com (Ryan West)
Date: Mon, 11 Sep 2017 17:17:12 +0000
Subject: [rancid] ASA IOS 9.8(2) support?
In-Reply-To:
References:
Message-ID: <36a333032a194950a10d8c2b1bb1a6a7@zy-colo-mbx1.zyedge.local>

On Mon, Sep 11, 2017 at 01:47:38, Wayne Eisenberg wrote:
> Subject: [rancid] ASA IOS 9.8(2) support?
>
> Hi,
>
> I have an ASA firewall running version 9.8(2), and the clogin script
> is missing something in the sequence such that I don't get to the
> enable mode properly.

Hi Wayne,

Try this -

no aaa authentication login-history

The alternative is that clogin itself needs to be updated to ignore the new : that shows up in the login banner.

And yet another alternative is this -

aaa authorization exec LOCAL auto-enable

That assumes you are using the local database and that the user has exec privs, but it skips the need for enable and behaves more like a router.

-ryan

From Bob.Brunette at cdw.com Mon Sep 11 18:09:07 2017
From: Bob.Brunette at cdw.com (Bob Brunette)
Date: Mon, 11 Sep 2017 18:09:07 +0000
Subject: [rancid] ASA IOS 9.8(2) support?
Message-ID: <6A2D2E29-FE40-4B8D-9EF4-26249A84699D@cdw.com>

If you're authenticating to a server, you can use this to skip the enable:

aaa authorization exec authentication-server auto-enable

For both this and the 'LOCAL' version, remember to change the autoenable value to '1' in your .cloginrc file.

Bob

On 9/11/17, 12:17 PM, "Rancid-discuss on behalf of Ryan West" wrote:

> On Mon, Sep 11, 2017 at 01:47:38, Wayne Eisenberg wrote:
> > Subject: [rancid] ASA IOS 9.8(2) support?
> >
> > Hi,
> >
> > I have an ASA firewall running version 9.8(2), and the clogin script
> > is missing something in the sequence such that I don't get to the
> > enable mode properly.
>
> Hi Wayne,
>
> Try this -
>
> no aaa authentication login-history
>
> The alternative is that clogin itself needs to be updated to ignore the new : that shows up in the login banner.
>
> And yet another alternative is this -
>
> aaa authorization exec LOCAL auto-enable
>
> That assumes you are using the local database and that the user has exec privs, but it skips the need for enable and behaves more like a router.
>
> -ryan
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.shrubbery.net_mailman_listinfo_rancid-2Ddiscuss&d=DwICAg&c=PzM68gSF_5r1R7BCE75oeA&r=gYZeMiDUCUw52JdC5NN6jRS7tkNrkCJCnDUS2Hz0h_k&m=qKVjsk6S0s9KMitnliPTMBpfw2NbvapsEL_YebvDvWo&s=5VuBKvS1NQeKW4_v_1FjASKqvISL0jEmnsPYVn5gi0c&e=

From weylin at bu.edu Mon Sep 11 20:51:34 2017
From: weylin at bu.edu (Piegorsch, Weylin William)
Date: Mon, 11 Sep 2017 20:51:34 +0000
Subject: [rancid] ASA Config for Rancid
Message-ID: <42209A82-6578-4DC2-B7C0-A56F38FD599C@bu.edu>

Cisco question, that I'm having a devil of a time getting a Cisco answer to.

I have several ASAs - some locally connected, some connected at the far end of an IPSec tunnel. In nearly all cases, I can't get rancid to archive their config. For reasons that don't relate to the ASA (it has to do with the larger network as a whole), I need telnet to be the first method, with SSH backup. But the ASAs drop the telnet request; they don't send a TCP RST packet. As a consequence, rancid times out and considers it an unreachable device.

I'm trying to find a mechanism that doesn't require specifying custom rancid configs for ASAs that are different from anything else.

Has anyone run into this problem?

weylin

From rwest at zyedge.com Mon Sep 11 20:56:12 2017
From: rwest at zyedge.com (Ryan West)
Date: Mon, 11 Sep 2017 20:56:12 +0000
Subject: [rancid] ASA Config for Rancid
In-Reply-To: <42209A82-6578-4DC2-B7C0-A56F38FD599C@bu.edu>
References: <42209A82-6578-4DC2-B7C0-A56F38FD599C@bu.edu>
Message-ID: <58e769d0c47643b9b99c4ad87c8cadf5@zy-colo-mbx1.zyedge.local>

On Mon, Sep 11, 2017 at 16:51:34, Piegorsch, Weylin William wrote:
> Subject: [rancid] ASA Config for Rancid
>
> Cisco question, that I'm having a devil of a time getting a Cisco answer to.
>
> I have several ASAs - some locally connected, some connected at the far end
> of an IPSec tunnel. In nearly all cases, I can't get rancid to archive their
> config. For reasons that don't relate to the ASA (has to do with the larger
> network as a whole), I need telnet to be the first method, with SSH backup.
> But, the ASAs drop the telnet request, they don't send a TCP RST packet. As
> a consequence, rancid times out and considers it an unreachable device.
>
> I'm trying to find a mechanism that doesn't require specifying custom rancid
> configs for ASAs that are different than anything else.
>

Try to allow telnet access from the remote network as sourced from inside and then use 'management-access inside' and you should be able to telnet to the inside address from across a VPN tunnel.

-ryan

From dan.w.anderson at gmail.com Mon Sep 11 21:01:26 2017
From: dan.w.anderson at gmail.com (Dan Anderson)
Date: Mon, 11 Sep 2017 21:01:26 +0000
Subject: [rancid] ASA Config for Rancid
In-Reply-To: <58e769d0c47643b9b99c4ad87c8cadf5@zy-colo-mbx1.zyedge.local>
References: <42209A82-6578-4DC2-B7C0-A56F38FD599C@bu.edu> <58e769d0c47643b9b99c4ad87c8cadf5@zy-colo-mbx1.zyedge.local>
Message-ID:

You can set the method for the ASAs to be {ssh,telnet} in your .cloginrc file. I'm on my phone and don't have the exact syntax handy, but it's pretty straightforward.

On Mon, Sep 11, 2017 at 4:56 PM Ryan West wrote:

> On Mon, Sep 11, 2017 at 16:51:34, Piegorsch, Weylin William wrote:
> > Subject: [rancid] ASA Config for Rancid
> >
> > Cisco question, that I'm having a devil of a time getting a Cisco answer to.
> >
> > I have several ASAs - some locally connected, some connected at the far end
> > of an IPSec tunnel. In nearly all cases, I can't get rancid to archive their
> > config. For reasons that don't relate to the ASA (has to do with the larger
> > network as a whole), I need telnet to be the first method, with SSH backup.
> > But, the ASAs drop the telnet request, they don't send a TCP RST packet. As
> > a consequence, rancid times out and considers it an unreachable device.
> >
> > I'm trying to find a mechanism that doesn't require specifying custom rancid
> > configs for ASAs that are different than anything else.
> >
>
> Try to allow telnet access from the remote network as sourced from inside
> and then use 'management-access inside' and you should be able to telnet to
> the inside address from across a VPN tunnel.
>
> -ryan

--
Dan

From Wayne.Eisenberg at CarolinasIT.com Tue Sep 12 04:06:35 2017
From: Wayne.Eisenberg at CarolinasIT.com (Wayne Eisenberg)
Date: Tue, 12 Sep 2017 04:06:35 +0000
Subject: [rancid] ASA IOS 9.8(2) support?
In-Reply-To:
References:
Message-ID:

Here's the relevant section of .cloginrc:

add method asa {ssh}
add user asa {username}
add password asa {pw_here} {pw_here}
add cyphertype asa {aes256-cbc}
add autoenable asa {0}

Pretty much the same pattern everything else in the file has.

I might be able to try the no login-history command; I don't think I will be allowed to do the others (auto-enable).

Isn't there a verbose mode for one of the rancid commands, like a -vvv or something like that? Is that in clogin?

Is this fixed in the current version of rancid?

From: Rancid-discuss on behalf of Wayne Eisenberg
Date: Sunday, September 10, 2017 at 10:48 PM
To: "'rancid-discuss at shrubbery.net'"
Subject: [rancid] ASA IOS 9.8(2) support?

> > Hi,
> >
> > I have an ASA firewall running version 9.8(2), and the clogin script is missing something in the sequence such that I don't get to enable mode properly.
> >
> > [rancid3]$ bin/clogin asa
> > spawn ssh -c aes256-cbc -x -l asa
> > @asa's password:
> > User logged in to ASA
> > Logins over the last 4 days: 28.
> > Last login: 22:33:20 UTC Sep 10 2017 from x.y.z.a
> > Failed logins since the last login: 0.
> > Last failed login: 06:03:53 UTC Sep 8 2017 from x.y.z.a
> > Type help or '?' for a list of available commands.
> > ASA>
> >     ^
> > ERROR: % Invalid input detected at '^' marker.
> >
> > Error: Unrecognized command, check your enable command
> > ASA>
> >     ^
> > ERROR: % Invalid input detected at '^' marker.
> > ASA> enable
> > Password:
> > Password:
> >
> > And that is where it stops (it never tries to type in the enable password). If I manually input the enable password that I have in .clogin, it lets me into enable mode. Other ASAs with older versions work fine, and the .clogin file is properly written for this device.
> >
> > Could upgrading to the current version of rancid solve this (currently on v3.1)?
>
> This sounds like it could be related to the .cloginrc file. What does it look like (obviously obfuscating credentials)?
>
> > Thanks,
> > Wayne
>
> --Chris

From cgauthier at comscore.com Tue Sep 12 15:09:23 2017
From: cgauthier at comscore.com (Gauthier, Chris)
Date: Tue, 12 Sep 2017 15:09:23 +0000
Subject: [rancid] ASA IOS 9.8(2) support?
In-Reply-To:
References:
Message-ID: <60F06543-CEF8-4873-9BE0-FC1C8DF1D8D3@comscore.com>

Chris Gauthier
Senior Network Engineer | comScore, Inc.
o +1 503-331-2704
cgauthier at comscore.com
317 SW Alder St, Suite 500 | Portland | OR 97204

From: Wayne Eisenberg
Date: Monday, September 11, 2017 at 9:06 PM
To: "Gauthier, Chris", "'rancid-discuss at shrubbery.net'"
Subject: RE: [rancid] ASA IOS 9.8(2) support?

> Here's the relevant section of .cloginrc:
>
> add method asa {ssh}
> add user asa {username}
> add password asa {pw_here} {pw_here}
> add cyphertype asa {aes256-cbc}
> add autoenable asa {0}
>
> Pretty much the same pattern everything else in the file has.
>
> I might be able to try the no login-history command; I don't think I will be allowed to do the others (auto-enable).
>
> Isn't there a verbose mode for one of the rancid commands, like a -vvv or something like that? Is that in clogin?

On CentOS7:

export NOPIPE=YES
rancid -d -t cisco $DeviceFQDN

Look for the $DeviceFQDN.raw and $DeviceFQDN.new files to help with debugging info. Obviously, substitute your device's FQDN for $DeviceFQDN. When done, clear the NOPIPE variable.

> Is this fixed in the current version of rancid?
>
> From: Rancid-discuss on behalf of Wayne Eisenberg
> Date: Sunday, September 10, 2017 at 10:48 PM
> To: "'rancid-discuss at shrubbery.net'"
> Subject: [rancid] ASA IOS 9.8(2) support?
>
> > > Hi,
> > >
> > > I have an ASA firewall running version 9.8(2), and the clogin script is missing something in the sequence such that I don't get to enable mode properly.
> > >
> > > [rancid3]$ bin/clogin asa
> > > spawn ssh -c aes256-cbc -x -l asa
> > > @asa's password:
> > > User logged in to ASA
> > > Logins over the last 4 days: 28.
> > > Last login: 22:33:20 UTC Sep 10 2017 from x.y.z.a
> > > Failed logins since the last login: 0.
> > > Last failed login: 06:03:53 UTC Sep 8 2017 from x.y.z.a
> > > Type help or '?' for a list of available commands.
> > > ASA>
> > >     ^
> > > ERROR: % Invalid input detected at '^' marker.
> > >
> > > Error: Unrecognized command, check your enable command
> > > ASA>
> > >     ^
> > > ERROR: % Invalid input detected at '^' marker.
> > > ASA> enable
> > > Password:
> > > Password:
> > >
> > > And that is where it stops (it never tries to type in the enable password). If I manually input the enable password that I have in .clogin, it lets me into enable mode. Other ASAs with older versions work fine, and the .clogin file is properly written for this device.
> > >
> > > Could upgrading to the current version of rancid solve this (currently on v3.1)?
> >
> > This sounds like it could be related to the .cloginrc file. What does it look like (obviously obfuscating credentials)?
> >
> > > Thanks,
> > > Wayne
> >
> > --Chris
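Wayne's .cloginrc entries above are keyed to one host name; the wildcard catch-all style that comes up later in this thread (add user *fw* ...) instead relies on clogin taking the first entry whose pattern matches. The script below is an added example, not part of this thread and not rancid's own code. It models my understanding of cloginrc(5) lookup (host patterns are globs, first match wins; treat that as an assumption) so that per-host entries and wildcard catch-alls can be checked for the ordering mistake that quietly gives a device the wrong method or credentials: a literal host entry placed after a glob that already covers it can never be reached. The sample file, the host names and the credential placeholders in it are constructed.

```python
"""Resolve which .cloginrc entry clogin would use for a host, and lint ordering.

Added example for this thread, not rancid code. Assumption: .cloginrc host
patterns are globs and the first matching entry wins (my reading of cloginrc(5)).
"""
import fnmatch
import re

# Constructed sample: per-host entries in the style posted above, a *fw*
# catch-all in the style discussed later in the thread, then a default.
# Host names and credential placeholders are made up.
SAMPLE_CLOGINRC = """\
add method     asa-edge-1 {ssh}
add user       asa-edge-1 {username}
add password   asa-edge-1 {pw_here} {pw_here}
add cyphertype asa-edge-1 {aes256-cbc}
add autoenable asa-edge-1 {0}

## Firewalls connect this way
add user       *fw* {username}
add password   *fw* {password} {en_password}
add method     *fw* ssh telnet
add autoenable *fw* 0

# Default for everything else; must stay last because first match wins.
add user       * {netops}
add password   * {pw} {enpw}
add method     * {ssh}
"""

# Wrong order for comparison: the literal host entry can never be reached.
BAD_ORDER = """\
add method *fw* ssh telnet
add method core-fw-1 {ssh}
"""

_ADD = re.compile(r"^\s*add\s+(\S+)\s+(\S+)\s+(.*?)\s*$")
_VALUE = re.compile(r"\{([^}]*)\}|(\S+)")   # {braced value} or bare word


def parse_cloginrc(text):
    """Return [(directive, host_glob, [values]), ...] in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ADD.match(line)
        if m is None:
            continue            # 'include' and other lines are out of scope here
        directive, pattern, rest = m.groups()
        values = [braced or bare for braced, bare in _VALUE.findall(rest)]
        entries.append((directive, pattern, values))
    return entries


def resolve(entries, host, directive):
    """First entry whose glob matches the host wins; None if nothing matches."""
    for d, pattern, values in entries:
        if d == directive and fnmatch.fnmatchcase(host, pattern):
            return values
    return None


def shadowed_entries(entries):
    """Heuristic lint: a literal host entry that appears after a glob which
    already matches it is unreachable. Returns [(directive, literal, glob)]."""
    found, earlier = [], []
    for directive, pattern, _ in entries:
        if not any(c in pattern for c in "*?["):
            for d, glob in earlier:
                if d == directive and glob != pattern and fnmatch.fnmatchcase(pattern, glob):
                    found.append((directive, pattern, glob))
                    break
        earlier.append((directive, pattern))
    return found


if __name__ == "__main__":
    good = parse_cloginrc(SAMPLE_CLOGINRC)
    for host in ("asa-edge-1", "bos-fw-2", "core-rtr-1"):
        print(host, "method:", resolve(good, host, "method"),
              "autoenable:", resolve(good, host, "autoenable"))
    print("shadowed in sample:", shadowed_entries(good))
    print("shadowed in bad order:", shadowed_entries(parse_cloginrc(BAD_ORDER)))
```

Run it against a copy of a real .cloginrc before adding a catch-all: any tuple returned by shadowed_entries names an entry that clogin will never consult, and a host that falls through to the default entry with autoenable unset is exactly the situation in which the enable step stalls as in Wayne's transcript.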
URL: From rwest at zyedge.com Tue Sep 12 19:16:30 2017 From: rwest at zyedge.com (Ryan West) Date: Tue, 12 Sep 2017 19:16:30 +0000 Subject: [rancid] ASA Config for Rancid In-Reply-To: References: <42209A82-6578-4DC2-B7C0-A56F38FD599C@bu.edu> <58e769d0c47643b9b99c4ad87c8cadf5@zy-colo-mbx1.zyedge.local> Message-ID: <62ec49b5b84f4bcd898ec9c1733f47ae@zy-colo-mbx1.zyedge.local> On Tue, Sep 12, 2017 at 15:06:20, Piegorsch, Weylin William wrote: > > Thanks Ryan. I?m unable to concretely determine a device is an ASA from it?s > domain name, unless I populate .cloginrc with every ASA I have. I used to do > that, but it became cumbersome and at somepoint it was clear it would no > longer scale. For a while I also went down the path of having a .cloginrc-asa > that had the ASA-specific methods and then included .cloginrc, but for similar > manageability reasons I had to abandon that approach as well. > > > > Is there a way to do that by some other means? > Not sure how many devices you're supporting, but I leverage an internal only DNS view that has a location and device type with number, then you can have a catch all in your .cloginrc that identifies them - ## Firewalls connect this way add user *fw* {username} add password *fw* {password} {en_password} add method *fw* ssh telnet add autoenable *fw* 0 -ryan From rwest at zyedge.com Tue Sep 12 19:19:43 2017 From: rwest at zyedge.com (Ryan West) Date: Tue, 12 Sep 2017 19:19:43 +0000 Subject: [rancid] ASA Config for Rancid In-Reply-To: <6D1F0A13-8FD4-495F-B19D-7C224339E0BF@bu.edu> References: <42209A82-6578-4DC2-B7C0-A56F38FD599C@bu.edu> <58e769d0c47643b9b99c4ad87c8cadf5@zy-colo-mbx1.zyedge.local> <6D1F0A13-8FD4-495F-B19D-7C224339E0BF@bu.edu> Message-ID: On Tue, Sep 12, 2017 at 15:14:37, Piegorsch, Weylin William wrote: > > Thanks Ryan. I hadn?t considered that; largely I?m trying to get away from > telnet but it?s an approach that might actually work. > > I?ve tried going down the path of ?reset outside? 
on the ASA, but that?s not > working as I expect it to :-( > > Something I was poking around at. I did a packet capture, and noted that > telnet send a SYN, 3sec later another SYN, and so forth at 3, 6, 12, 24, and 48 > seconds, before finally timing out at 95 seconds or so. Rancid times out at 90 > seconds; is there a way to increase this timeout to perhaps 100sec? Is that > something what can be done in .cloginrc, or perhaps types.conf? I found > some reference to bin/rancid and bin/clogin, but I?m trying to avoid > modifying those (or anything in bin). I'm only aware of the bin/clogin modification, mine is set to 45 seconds. -ryan From weylin at bu.edu Tue Sep 12 19:06:20 2017 From: weylin at bu.edu (Piegorsch, Weylin William) Date: Tue, 12 Sep 2017 19:06:20 +0000 Subject: [rancid] ASA Config for Rancid In-Reply-To: References: <42209A82-6578-4DC2-B7C0-A56F38FD599C@bu.edu> <58e769d0c47643b9b99c4ad87c8cadf5@zy-colo-mbx1.zyedge.local> Message-ID: Thanks Ryan. I?m unable to concretely determine a device is an ASA from it?s domain name, unless I populate .cloginrc with every ASA I have. I used to do that, but it became cumbersome and at somepoint it was clear it would no longer scale. For a while I also went down the path of having a .cloginrc-asa that had the ASA-specific methods and then included .cloginrc, but for similar manageability reasons I had to abandon that approach as well. Is there a way to do that by some other means? weylin From: Dan Anderson Date: Monday, September 11, 2017 at 17:01 To: Weylin Piegorsch , Ryan West , "rancid-discuss at shrubbery.net" Subject: Re: [rancid] ASA Config for Rancid You can set the method for the ASAs to be {ssh,telnet} in your .cloginrc file. I'm on my phone and don't have the exact syntax handy but it's pretty straightforward. 
On Mon, Sep 11, 2017 at 4:56 PM Ryan West > wrote: On Mon, Sep 11, 2017 at 16:51:34, Piegorsch, Weylin William wrote: > Subject: [rancid] ASA Config for Rancid > > Cisco question, that I?m having a devil of a time getting a Cisco answer to. > > I have several ASAs ? some locally connected, some connected at the far end > of an IPSec tunnel. In nearly all cases, I can?t get rancid to archive their > config. For reasons that don?t relate to the ASA (has to do with the larger > network as a whole), I need telnet to be the first method, with SSH backup. > But, the ASAs drop the telnet request, they don?t send a TCP RST packet. As > a consequence, rancid times out and considers it an unreachable device. > > I?m trying to find a mechanism that doesn?t require specifying custom rancid > configs for ASAs that are different than anything else. > Try to allow telnet access from the remote network as sourced from inside and then use 'management-access inside' and you should be able to telnet to the inside address from across a VPN tunnel. -ryan _______________________________________________ Rancid-discuss mailing list Rancid-discuss at shrubbery.net http://www.shrubbery.net/mailman/listinfo/rancid-discuss -- Dan -------------- next part -------------- An HTML attachment was scrubbed... URL: From weylin at bu.edu Tue Sep 12 19:14:37 2017 From: weylin at bu.edu (Piegorsch, Weylin William) Date: Tue, 12 Sep 2017 19:14:37 +0000 Subject: [rancid] ASA Config for Rancid In-Reply-To: <58e769d0c47643b9b99c4ad87c8cadf5@zy-colo-mbx1.zyedge.local> References: <42209A82-6578-4DC2-B7C0-A56F38FD599C@bu.edu> <58e769d0c47643b9b99c4ad87c8cadf5@zy-colo-mbx1.zyedge.local> Message-ID: <6D1F0A13-8FD4-495F-B19D-7C224339E0BF@bu.edu> Thanks Ryan. I hadn?t considered that; largely I?m trying to get away from telnet but it?s an approach that might actually work. I?ve tried going down the path of ?reset outside? on the ASA, but that?s not working as I expect it to :-( Something I was poking around at. 
I did a packet capture, and noted that telnet send a SYN, 3sec later another SYN, and so forth at 3, 6, 12, 24, and 48 seconds, before finally timing out at 95 seconds or so. Rancid times out at 90 seconds; is there a way to increase this timeout to perhaps 100sec? Is that something what can be done in .cloginrc, or perhaps types.conf? I found some reference to bin/rancid and bin/clogin, but I?m trying to avoid modifying those (or anything in bin). weylin -----Original Message----- From: Ryan West Date: Monday, September 11, 2017 at 16:56 To: Weylin Piegorsch , "rancid-discuss at shrubbery.net" Subject: RE: ASA Config for Rancid On Mon, Sep 11, 2017 at 16:51:34, Piegorsch, Weylin William wrote: > Subject: [rancid] ASA Config for Rancid > > Cisco question, that I?m having a devil of a time getting a Cisco answer to. > > I have several ASAs ? some locally connected, some connected at the far end > of an IPSec tunnel. In nearly all cases, I can?t get rancid to archive their > config. For reasons that don?t relate to the ASA (has to do with the larger > network as a whole), I need telnet to be the first method, with SSH backup. > But, the ASAs drop the telnet request, they don?t send a TCP RST packet. As > a consequence, rancid times out and considers it an unreachable device. > > I?m trying to find a mechanism that doesn?t require specifying custom rancid > configs for ASAs that are different than anything else. > Try to allow telnet access from the remote network as sourced from inside and then use 'management-access inside' and you should be able to telnet to the inside address from across a VPN tunnel. 
-ryan From weylin at bu.edu Tue Sep 12 19:40:52 2017 From: weylin at bu.edu (Piegorsch, Weylin William) Date: Tue, 12 Sep 2017 19:40:52 +0000 Subject: [rancid] ASA Config for Rancid In-Reply-To: <62ec49b5b84f4bcd898ec9c1733f47ae@zy-colo-mbx1.zyedge.local> References: <42209A82-6578-4DC2-B7C0-A56F38FD599C@bu.edu> <58e769d0c47643b9b99c4ad87c8cadf5@zy-colo-mbx1.zyedge.local> <62ec49b5b84f4bcd898ec9c1733f47ae@zy-colo-mbx1.zyedge.local> Message-ID: <9056F2A0-1870-4F33-A124-B447846AF593@bu.edu> Thanks Ryan. We used to do exactly that, but it got to the point that ASAs were doing far more than merely firewall ? to name a few: VPN ... well ok these are just ASAs Firewall PIX, ASA, PaloAlto 3k, PaloAlto 7k, PaloAlto 500, and I think there?s a CheckPoint somewhere we haven?t yet replaced NAT ASA, ASR1k, Catalyst6k, 7301, 3825 Routing Oh let me count the ways.... BGP Service Advertisement Nexus7k, ASR9k, ASR1k, 7301, ASA Since the devices performing a function are so varied, the naming standard cannot take model into account, merely function. It got to the point where I was essentially starting to list every ASA by specific name; after a few of these it became clear this approach wouldn?t scale. And to answer the other question ? somewhere around 20,000 devices; 11,000+ VoIP handsets, 6,000?7,000 access points, and 3,000+ of everything else (though largely only that last are needed in rancid). weylin -----Original Message----- From: Ryan West Date: Tuesday, September 12, 2017 at 15:17 To: Weylin Piegorsch , Dan Anderson , "rancid-discuss at shrubbery.net" Subject: RE: [rancid] ASA Config for Rancid On Tue, Sep 12, 2017 at 15:06:20, Piegorsch, Weylin William wrote: > > Thanks Ryan. I?m unable to concretely determine a device is an ASA from it?s > domain name, unless I populate .cloginrc with every ASA I have. I used to do > that, but it became cumbersome and at somepoint it was clear it would no > longer scale. 
For a while I also went down the path of having a .cloginrc-asa > that had the ASA-specific methods and then included .cloginrc, but for similar > manageability reasons I had to abandon that approach as well. > > > > Is there a way to do that by some other means? > Not sure how many devices you're supporting, but I leverage an internal only DNS view that has a location and device type with number, then you can have a catch all in your .cloginrc that identifies them - ## Firewalls connect this way add user *fw* {username} add password *fw* {password} {en_password} add method *fw* ssh telnet add autoenable *fw* 0 -ryan From rwest at zyedge.com Tue Sep 12 20:41:54 2017 From: rwest at zyedge.com (Ryan West) Date: Tue, 12 Sep 2017 20:41:54 +0000 Subject: [rancid] ASA Config for Rancid In-Reply-To: <9056F2A0-1870-4F33-A124-B447846AF593@bu.edu> References: <42209A82-6578-4DC2-B7C0-A56F38FD599C@bu.edu> <58e769d0c47643b9b99c4ad87c8cadf5@zy-colo-mbx1.zyedge.local> <62ec49b5b84f4bcd898ec9c1733f47ae@zy-colo-mbx1.zyedge.local> <9056F2A0-1870-4F33-A124-B447846AF593@bu.edu> Message-ID: <5b708a5287814b71b6e7dce0cd3f5994@zy-colo-mbx1.zyedge.local> On Tue, Sep 12, 2017 at 15:40:52, Piegorsch, Weylin William wrote: > > Thanks Ryan. We used to do exactly that, but it got to the point that ASAs > were doing far more than merely firewall ? to name a few: > > VPN > ... well ok these are just ASAs > > Firewall > PIX, ASA, PaloAlto 3k, PaloAlto 7k, PaloAlto 500, and I think there?s a > CheckPoint somewhere we haven?t yet replaced > > NAT > ASA, ASR1k, Catalyst6k, 7301, 3825 > > Routing > Oh let me count the ways.... > > BGP Service Advertisement > Nexus7k, ASR9k, ASR1k, 7301, ASA > > Since the devices performing a function are so varied, the naming standard > cannot take model into account, merely function. It got to the point where I > was essentially starting to list every ASA by specific name; after a few of > these it became clear this approach wouldn?t scale. 
>
> And to answer the other question - somewhere around 20,000 devices; 11,000+ VoIP handsets, 6,000-7,000 access points, and 3,000+ of everything else (though largely only that last are needed in rancid).
>

Sounds like a fun problem to have. There are some open source NMS products out there that integrate with RANCID and can probably write out the file for you, otherwise you would need to modify how RANCID works and have it switch to the type of device after login with a show ver command or something similar. Let us know if you come up with anything though, I like the idea of having the device login decide the type, or at least a discovery mechanism for RANCID that would write out the proper lines to .cloginrc.

-ryan

From cgauthier at comscore.com Tue Sep 12 21:23:13 2017
From: cgauthier at comscore.com (Gauthier, Chris)
Date: Tue, 12 Sep 2017 21:23:13 +0000
Subject: [rancid] ASA Config for Rancid
In-Reply-To: <5b708a5287814b71b6e7dce0cd3f5994@zy-colo-mbx1.zyedge.local>
References: <42209A82-6578-4DC2-B7C0-A56F38FD599C@bu.edu> <58e769d0c47643b9b99c4ad87c8cadf5@zy-colo-mbx1.zyedge.local> <62ec49b5b84f4bcd898ec9c1733f47ae@zy-colo-mbx1.zyedge.local> <9056F2A0-1870-4F33-A124-B447846AF593@bu.edu> <5b708a5287814b71b6e7dce0cd3f5994@zy-colo-mbx1.zyedge.local>
Message-ID:

Zenoss is a tool that has RANCiD integration/plugin connectivity.

Chris Gauthier
Senior Network Engineer | comScore, Inc.
o +1 503-331-2704
cgauthier at comscore.com
317 SW Alder St, Suite 500 | Portland | OR 97204

On 9/12/17, 1:42 PM, "Rancid-discuss on behalf of Ryan West" wrote:

On Tue, Sep 12, 2017 at 15:40:52, Piegorsch, Weylin William wrote:
>
> Thanks Ryan. We used to do exactly that, but it got to the point that ASAs were doing far more than merely firewall -
to name a few:
>
> VPN
> ... well ok these are just ASAs
>
> Firewall
> PIX, ASA, PaloAlto 3k, PaloAlto 7k, PaloAlto 500, and I think there's a CheckPoint somewhere we haven't yet replaced
>
> NAT
> ASA, ASR1k, Catalyst6k, 7301, 3825
>
> Routing
> Oh let me count the ways....
>
> BGP Service Advertisement
> Nexus7k, ASR9k, ASR1k, 7301, ASA
>
> Since the devices performing a function are so varied, the naming standard cannot take model into account, merely function. It got to the point where I was essentially starting to list every ASA by specific name; after a few of these it became clear this approach wouldn't scale.
>
> And to answer the other question - somewhere around 20,000 devices; 11,000+ VoIP handsets, 6,000-7,000 access points, and 3,000+ of everything else (though largely only that last are needed in rancid).
>

Sounds like a fun problem to have. There are some open source NMS products out there that integrate with RANCID and can probably write out the file for you, otherwise you would need to modify how RANCID works and have it switch to the type of device after login with a show ver command or something similar. Let us know if you come up with anything though, I like the idea of having the device login decide the type, or at least a discovery mechanism for RANCID that would write out the proper lines to .cloginrc.

-ryan

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
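Ryan's catch-all pattern earlier in this thread depends on how clogin reads .cloginrc: for each property it uses the first "add" line whose glob matches the hostname, so the order of entries decides which login method a device gets. The file below is an added example, not from this thread or from the rancid distribution; the host globs, user names and the {...} password placeholders are assumptions. It shows telnet-only legacy switches and SSH-only firewalls kept apart by ordering, with the telnet fallback limited to the hosts that need it.

```tcl
# Added example .cloginrc, not taken from the thread. Host globs and the
# {...} values are placeholders. clogin uses the first matching "add" line
# for each property, so specific entries must precede the wildcard ones.

# legacy Catalysts that only speak telnet: named explicitly, telnet only
add method   oldcat-*  telnet
add user     oldcat-*  {legacy_user}
add password oldcat-*  {password} {enable_password}

# firewalls recognisable from the naming scheme (Ryan's *fw* glob): SSH only
add method     *fw*    ssh
add user       *fw*    {fw_user}
add password   *fw*    {password} {enable_password}
add autoenable *fw*    0

# everything else: try SSH first, fall back to telnet only if SSH fails
add method   *         ssh telnet
add user     *         {default_user}
add password *         {password} {enable_password}
```

Because the file holds enable passwords in clear text, keep it owned by the rancid user with mode 0600, and test a change with clogin against one host from each class before the next rancid-run.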
From weylin at bu.edu Thu Sep 14 11:53:14 2017
From: weylin at bu.edu (Piegorsch, Weylin William)
Date: Thu, 14 Sep 2017 11:53:14 +0000
Subject: [rancid] ASA Config for Rancid
In-Reply-To:
References: <42209A82-6578-4DC2-B7C0-A56F38FD599C@bu.edu> <58e769d0c47643b9b99c4ad87c8cadf5@zy-colo-mbx1.zyedge.local> <62ec49b5b84f4bcd898ec9c1733f47ae@zy-colo-mbx1.zyedge.local> <9056F2A0-1870-4F33-A124-B447846AF593@bu.edu> <5b708a5287814b71b6e7dce0cd3f5994@zy-colo-mbx1.zyedge.local>
Message-ID:

Hmm... https://www.zenoss.com/product/zenpacks/rancid-integration-community

We are in fact using ZenOSS for monitoring/alerting (free version, we can't afford the licensed version). Now THAT is something interesting to evaluate. I'll ask someone on my team to evaluate that.

Allowing telnet is another possibility. We had also considered shifting everything into PRIME Infrastructure (which we will anyway for other reasons than config backups - we did get enough licensing for that at least), but RANCiD has some capabilities that I like that PRIME doesn't do so well - consider all the hijinks you can do in Linux, like aggregating certain parameters across a subset of devices by doing something like... I don't know if I have the syntax right, this is just quickly off the top of my head:

"echo $[`for $(find -name -exec egrep -L \{} \; ) do grep | awk '{print $3}' ; done | tr '\n' '+' | sed 's/+$//'`]"

We haven't yet found a good way to do that in PRIME.

Thanks everyone for the help!
weylin

From: "Gauthier, Chris"
Date: Tuesday, September 12, 2017 at 17:23
To: Ryan West , Weylin Piegorsch , Dan Anderson , "rancid-discuss at shrubbery.net"
Subject: Re: [rancid] ASA Config for Rancid

Zenoss is a tool that has RANCiD integration/plugin connectivity.

Chris Gauthier
Senior Network Engineer | comScore, Inc.
o +1 503-331-2704
cgauthier at comscore.com
317 SW Alder St, Suite 500 | Portland | OR 97204

On 9/12/17, 1:42 PM, "Rancid-discuss on behalf of Ryan West" wrote:

On Tue, Sep 12, 2017 at 15:40:52, Piegorsch, Weylin William wrote:
>
> Thanks Ryan. We used to do exactly that, but it got to the point that ASAs were doing far more than merely firewall - to name a few:
>
> VPN
> ... well ok these are just ASAs
>
> Firewall
> PIX, ASA, PaloAlto 3k, PaloAlto 7k, PaloAlto 500, and I think there's a CheckPoint somewhere we haven't yet replaced
>
> NAT
> ASA, ASR1k, Catalyst6k, 7301, 3825
>
> Routing
> Oh let me count the ways....
>
> BGP Service Advertisement
> Nexus7k, ASR9k, ASR1k, 7301, ASA
>
> Since the devices performing a function are so varied, the naming standard cannot take model into account, merely function. It got to the point where I was essentially starting to list every ASA by specific name; after a few of these it became clear this approach wouldn't scale.
>
> And to answer the other question - somewhere around 20,000 devices; 11,000+ VoIP handsets, 6,000-7,000 access points, and 3,000+ of everything else (though largely only that last are needed in rancid).
>

Sounds like a fun problem to have. There are some open source NMS products out there that integrate with RANCID and can probably write out the file for you, otherwise you would need to modify how RANCID works and have it switch to the type of device after login with a show ver command or something similar. Let us know if you come up with anything though, I like the idea of having the device login decide the type, or at least a discovery mechanism for RANCID that would write out the proper lines to .cloginrc.
-ryan

From cgauthier at comscore.com Thu Sep 14 15:41:12 2017
From: cgauthier at comscore.com (Gauthier, Chris)
Date: Thu, 14 Sep 2017 15:41:12 +0000
Subject: [rancid] ASA Config for Rancid
In-Reply-To:
References: <42209A82-6578-4DC2-B7C0-A56F38FD599C@bu.edu> <58e769d0c47643b9b99c4ad87c8cadf5@zy-colo-mbx1.zyedge.local> <62ec49b5b84f4bcd898ec9c1733f47ae@zy-colo-mbx1.zyedge.local> <9056F2A0-1870-4F33-A124-B447846AF593@bu.edu> <5b708a5287814b71b6e7dce0cd3f5994@zy-colo-mbx1.zyedge.local>
Message-ID:

I just read the info page and am actually not impressed. It's not upgradable. It does not run a "standard" installation of RANCiD - it compiles its own binaries and installs itself customized for Zenoss. It only works with SVN, so no CVS or GitHub support. Since the version is from 2015, I expect it's probably on RANCiD 2.3.2 or some old version like that.

--Chris

Chris Gauthier
Senior Network Engineer | comScore, Inc.
o +1 503-331-2704
cgauthier at comscore.com
317 SW Alder St, Suite 500 | Portland | OR 97204

From: "Piegorsch, Weylin William"
Date: Thursday, September 14, 2017 at 4:53 AM
To: "Gauthier, Chris" , Ryan West , Dan Anderson , "rancid-discuss at shrubbery.net"
Subject: Re: [rancid] ASA Config for Rancid

Hmm... https://www.zenoss.com/product/zenpacks/rancid-integration-community

We are in fact using ZenOSS for monitoring/alerting (free version, we can't afford the licensed version). Now THAT is something interesting to evaluate. I'll ask someone on my team to evaluate that.
Allowing telnet is another possibility. We had also considered shifting everything into PRIME Infrastructure (which we will anyway for other reasons than config backups - we did get enough licensing for that at least), but RANCiD has some capabilities that I like that PRIME doesn't do so well - consider all the hijinks you can do in Linux, like aggregating certain parameters across a subset of devices by doing something like... I don't know if I have the syntax right, this is just quickly off the top of my head:

"echo $[`for $(find -name -exec egrep -L \{} \; ) do grep | awk '{print $3}' ; done | tr '\n' '+' | sed 's/+$//'`]"

We haven't yet found a good way to do that in PRIME.

Thanks everyone for the help!
weylin

From: "Gauthier, Chris"
Date: Tuesday, September 12, 2017 at 17:23
To: Ryan West , Weylin Piegorsch , Dan Anderson , "rancid-discuss at shrubbery.net"
Subject: Re: [rancid] ASA Config for Rancid

Zenoss is a tool that has RANCiD integration/plugin connectivity.

Chris Gauthier
Senior Network Engineer | comScore, Inc.
o +1 503-331-2704
cgauthier at comscore.com
317 SW Alder St, Suite 500 | Portland | OR 97204

On 9/12/17, 1:42 PM, "Rancid-discuss on behalf of Ryan West" wrote:

On Tue, Sep 12, 2017 at 15:40:52, Piegorsch, Weylin William wrote:
>
> Thanks Ryan. We used to do exactly that, but it got to the point that ASAs were doing far more than merely firewall - to name a few:
>
> VPN
> ... well ok these are just ASAs
>
> Firewall
> PIX, ASA, PaloAlto 3k, PaloAlto 7k, PaloAlto 500, and I think there's a CheckPoint somewhere we haven't yet replaced
>
> NAT
> ASA, ASR1k, Catalyst6k, 7301, 3825
>
> Routing
> Oh let me count the ways....
>
> BGP Service Advertisement
> Nexus7k, ASR9k, ASR1k, 7301, ASA
>
> Since the devices performing a function are so varied, the naming standard cannot take model into account, merely function. It got to the point where I was essentially starting to list every ASA by specific name; after a few of these it became clear this approach wouldn't scale.
>
> And to answer the other question - somewhere around 20,000 devices; 11,000+ VoIP handsets, 6,000-7,000 access points, and 3,000+ of everything else (though largely only that last are needed in rancid).
>

Sounds like a fun problem to have. There are some open source NMS products out there that integrate with RANCID and can probably write out the file for you, otherwise you would need to modify how RANCID works and have it switch to the type of device after login with a show ver command or something similar. Let us know if you come up with anything though, I like the idea of having the device login decide the type, or at least a discovery mechanism for RANCID that would write out the proper lines to .cloginrc.

-ryan

From danletkeman at gmail.com Fri Sep 22 16:13:34 2017
From: danletkeman at gmail.com (Dan Letkeman)
Date: Fri, 22 Sep 2017 11:13:34 -0500
Subject: [rancid] Can't update router.db
Message-ID:

Hello,

I have a rancid install on centos. It appears to all be working however, if I replace the contents of the router.db file with the new devices it still connects to the old ones. I have deleted the file and created a new one with only the new device ip addresses and it still continues to try and get configs from the old devices??? Where is it getting this from?
I am able to clogin to any of the new devices without trouble, so it's not a connection issue, but somehow the old router.db file is cached?

drwxr-x---. 2 rancid rancid   24 Sep 22 11:11 configs
-rw-r--r--. 1 rancid rancid 2069 Sep 22 10:48 router.db

10.10.10.1;cisco;up
10.10.10.14;cisco;up
10.10.10.194;cisco;up
10.10.10.5;cisco;up
10.100.104.11;mikrotik;up
10.100.104.12;mikrotik;up
10.100.207.3;mikrotik;up
10.100.207.4;mikrotik;up
10.100.4.10;cisco;up
10.100.4.6;cisco;up
10.104.0.1;cisco;up
10.104.1.11;cisco;up
10.104.12.11;cisco;up
10.105.50.1;cisco;up
10.16.0.1;cisco;up
10.16.1.21;cisco;up
10.16.1.31;cisco;up
10.16.12.11;cisco;up
10.168.0.1;cisco;up
10.168.1.11;cisco;up
10.168.1.21;cisco;up
10.168.1.31;cisco;up
10.168.1.41;cisco;up
10.168.1.51;cisco;up
10.168.12.11;cisco;up
10.175.0.3;mikrotik;up
10.175.0.4;mikrotik;up
etc......

Any help would be appreciated.

Thanks,
Dan.

From weylin at bu.edu Mon Sep 25 00:37:18 2017
From: weylin at bu.edu (Piegorsch, Weylin William)
Date: Mon, 25 Sep 2017 00:37:18 +0000
Subject: [rancid] Can't update router.db
In-Reply-To:
References:
Message-ID: <89A4E3DE-2428-4C28-AB89-83778D302B30@bu.edu>

What rancid group is your cron job passing to do-diffs? Is it the same group that you've modified, or a different one? Did you update the router.db file of the group that do-diffs is executing?

weylin

From: Dan Letkeman
Date: Friday, September 22, 2017 at 12:13
To: rancid-discuss
Subject: [rancid] Can't update router.db

Hello,

I have a rancid install on centos. It appears to all be working however, if I replace the contents of the router.db file with the new devices it still connects to the old ones. I have deleted the file and created a new one with only the new device ip addresses and it still continues to try and get configs from the old devices??? Where is it getting this from?
I am able to clogin to any of the new devices without trouble, so it's not a connection issue, but somehow the old router.db file is cached?

drwxr-x---. 2 rancid rancid   24 Sep 22 11:11 configs
-rw-r--r--. 1 rancid rancid 2069 Sep 22 10:48 router.db

10.10.10.1;cisco;up
10.10.10.14;cisco;up
10.10.10.194;cisco;up
10.10.10.5;cisco;up
10.100.104.11;mikrotik;up
10.100.104.12;mikrotik;up
10.100.207.3;mikrotik;up
10.100.207.4;mikrotik;up
10.100.4.10;cisco;up
10.100.4.6;cisco;up
10.104.0.1;cisco;up
10.104.1.11;cisco;up
10.104.12.11;cisco;up
10.105.50.1;cisco;up
10.16.0.1;cisco;up
10.16.1.21;cisco;up
10.16.1.31;cisco;up
10.16.12.11;cisco;up
10.168.0.1;cisco;up
10.168.1.11;cisco;up
10.168.1.21;cisco;up
10.168.1.31;cisco;up
10.168.1.41;cisco;up
10.168.1.51;cisco;up
10.168.12.11;cisco;up
10.175.0.3;mikrotik;up
10.175.0.4;mikrotik;up
etc......

Any help would be appreciated.

Thanks,
Dan.

From danletkeman at gmail.com Mon Sep 25 13:19:53 2017
From: danletkeman at gmail.com (Dan Letkeman)
Date: Mon, 25 Sep 2017 08:19:53 -0500
Subject: [rancid] Can't update router.db
In-Reply-To: <89A4E3DE-2428-4C28-AB89-83778D302B30@bu.edu>
References: <89A4E3DE-2428-4C28-AB89-83778D302B30@bu.edu>
Message-ID:

I'm not too familiar with using groups. Cron job looks like this:

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/var/rancid
# Run config differ every day at 00:30am
30 00 * * * rancid /usr/libexec/rancid/rancid-run

But, I think I may have found an issue with my OS updates that might be part of the problem. Running CentOS 7. When I did a yum update I received this:

--> Finished Dependency Resolution
Error: Package: rancid-3.2-2.el7.x86_64 (@epel)
           Requires: perl(newgetopt.pl)
           Removing: perl-Perl4-CoreLibs-0.001-291.el7.noarch (@base)
               perl(newgetopt.pl)
           Updated By: perl-Perl4-CoreLibs-0.003-7.el7.noarch (base)
               Not found
 You could try using --skip-broken to work around the problem

Thanks,
Dan.
On Sun, Sep 24, 2017 at 7:37 PM, Piegorsch, Weylin William wrote:
> What rancid group is your cron job passing to do-diffs? Is it the same group that you've modified, or a different one? Did you update the router.db file of the group that do-diffs is executing?
>
> weylin
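The questions the replies in this thread turn on (which groups rancid.conf actually lists, whether each group's router.db under the base directory is populated and well formed, and whether a lockfile from a hung run is blocking later runs) can be checked from a shell before the next cron run. The script below is an added example, not part of rancid and not posted in this thread; it assumes the 3.x layout shown above (one directory per group under the base directory, "host;type;up|down" lines in router.db, LIST_OF_GROUPS in rancid.conf) and the /tmp/.<group>.run.lock lockfile name Dan quotes further down, with the lock directory taken as a parameter. Its state check is stricter than rancid's own: only a literal "up" or "down" passes.

```bash
#!/bin/sh
# Added example: pre-flight checks for a rancid 3.x installation. Not part of
# rancid; the layout it assumes is the one shown in this thread: one directory
# per group under the base directory, a router.db of "host;type;up|down" lines
# in each group, LIST_OF_GROUPS in rancid.conf, and a lockfile named
# /tmp/.<group>.run.lock (the directory is a parameter here). The state check
# is deliberately strict: only a literal "up" or "down" passes.

# Print the space-separated group list from a rancid.conf line such as
#   LIST_OF_GROUPS="observium other"; export LIST_OF_GROUPS
list_groups() {
    sed -n 's/^LIST_OF_GROUPS="\([^"]*\)".*/\1/p' "$1"
}

# Validate one router.db. Blank lines and '#' comments are skipped; every other
# line needs exactly three ';' separated fields, a non-empty host and type, and
# a state of "up" or "down". Malformed lines are reported with their line
# number; the exit status is 1 if any were found, 0 otherwise.
validate_router_db() {
    awk -F';' '
        NF == 0 || $1 ~ /^[[:space:]]*#/ { next }
        NF != 3 || $1 == "" || $2 == "" || ($3 != "up" && $3 != "down") {
            printf "line %d: malformed entry: %s\n", NR, $0
            bad++
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Count the devices rancid-run would actually poll (state "up").
count_active_devices() {
    awk -F';' '$3 == "up" { n++ } END { print n + 0 }' "$1"
}

# Walk every configured group: its router.db must exist under the base
# directory and validate. Stops at the first problem so the output names the
# group that needs attention (the "updated one group but not another" case).
check_groups() {
    conf="$1"
    base="$2"
    for g in $(list_groups "$conf"); do
        db="$base/$g/router.db"
        if [ ! -f "$db" ]; then
            echo "group $g: $db is missing"
            return 1
        fi
        validate_router_db "$db" || { echo "group $g: $db has malformed entries"; return 1; }
        echo "group $g: $(count_active_devices "$db") devices up"
    done
}

# List lockfiles in a directory that are older than N minutes. rancid-run
# prints "Old lockfile still exists" and does not run a group while its
# lockfile is present, so a stale one left by a hung run blocks every later run.
find_stale_locks() {
    find "$1" -maxdepth 1 -name '.*.run.lock' -mmin +"$2"
}
```

Run check_groups with the path of your rancid.conf and the base directory (Dan's is /var/rancid) as the rancid user, and find_stale_locks /tmp 60 before removing a lock by hand; a lock younger than the run interval may belong to a run that is still in progress.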
From heas at shrubbery.net Tue Sep 26 03:33:59 2017
From: heas at shrubbery.net (heasley)
Date: Tue, 26 Sep 2017 03:33:59 +0000
Subject: [rancid] Can't update router.db
In-Reply-To:
References: <89A4E3DE-2428-4C28-AB89-83778D302B30@bu.edu>
Message-ID: <20170926033359.GD6257@shrubbery.net>

Mon, Sep 25, 2017 at 08:19:53AM -0500, Dan Letkeman:
> I'm not too familiar with using groups. Cron job looks like this:
>
> SHELL=/bin/bash
> PATH=/sbin:/bin:/usr/sbin:/usr/bin
> MAILTO=root
> HOME=/var/rancid
> # Run config differ every day at 00:30am
> 30 00 * * * rancid /usr/libexec/rancid/rancid-run
>
> But, I think I may have found an issue with my OS updates that might be part of the problem. Running CentOS 7. When I did a yum update I received this:
>
> --> Finished Dependency Resolution
> Error: Package: rancid-3.2-2.el7.x86_64 (@epel)
>            Requires: perl(newgetopt.pl)
>            Removing: perl-Perl4-CoreLibs-0.001-291.el7.noarch (@base)
>                perl(newgetopt.pl)
>            Updated By: perl-Perl4-CoreLibs-0.003-7.el7.noarch (base)
>                Not found
>  You could try using --skip-broken to work around the problem

there is only one thing that requires that lib and it is an example script; if you are not using rtrfilter, you can force that installation.

> On Sun, Sep 24, 2017 at 7:37 PM, Piegorsch, Weylin William wrote:
>
> > What rancid group is your cron job passing to do-diffs? Is it the same group that you've modified, or a different one? Did you update the router.db file of the group that do-diffs is executing?

While rancid-run can take a rancid group as an argument, the groups normally come from LIST_OF_GROUPS in rancid.conf.

I am more suspicious that you have more than one rancid group (/var/rancid/) and you've updated one but not another with the same devices. Another possibility is that permissions are incorrect on files/directories in the rancid group's directory, presumably:
	chown -R rancid /var/rancid

Also, look at the rancid logs for given group.
From dhcp at bjerg.info Tue Sep 26 06:41:52 2017
From: dhcp at bjerg.info (dhcp)
Date: Tue, 26 Sep 2017 08:41:52 +0200
Subject: [rancid] ASA system context problem
In-Reply-To:
References:
Message-ID:

export NOPIPE=YES
rancid -d -t asa /asa01-system

creates the right file asa01-system.new, but rancid-run doesn't create the right file in folder configs??? how to debug this problem?

/

On 08/31/2017 03:20 PM, dhcp wrote:
> I try to backup my ASA system context
>
> My rancid.types.conf
>
> asa;script;rancid -t cisco
> asa;login;clogin
> asa;module;ios
> asa;inloop;ios::inloop
> asa;command;ios::WriteTerm;changeto system
> asa;command;ios::WriteTerm;more system:running-config;ASA/PIX
>
> router.db
> asa-system;asa;up
>
> i only get the admin config and not the system config :-(
>
> ############
>
> rancid 3.6.2
>
>
> clogin -c "changeto system; show running-config" asa-ip
>
> this command show the system config
>
> /Kennet

From azheramin at gmail.com Tue Sep 26 04:12:03 2017
From: azheramin at gmail.com (Azher)
Date: Mon, 25 Sep 2017 21:12:03 -0700
Subject: [rancid] config files are not fetched
Message-ID:

Hello,

I just installed rancid on CentOS7 however 'rancid-run' does not fetch the configuration from the devices, it does create a new log file as below. Manually clogin can login to a device. I am not sure if routers.up needs to be populated or not. Any suggestions ?

Installation directory: /var/opt/rancid

-bash-4.2$ more var/logs/cisco.20170925.210157
starting: Mon Sep 25 21:01:57 PDT 2017

cvs commit: Examining .
cvs commit: Examining configs

ending: Mon Sep 25 21:01:57 PDT 2017
#

-bash-4.2$ ls -la var
total 24
drwxr-xr-x. 8 rancid netadm  147 Sep 24 21:58 .
drwxrwxr-x. 8 rancid netadm  132 Sep 25 05:39 ..
drwxr-x---. 4 rancid netadm  124 Sep 25 21:01 arista
-rw-r--r--. 1 rancid netadm 1199 Sep 24 20:57 arista.db
drwxr-x---. 4 rancid netadm  124 Sep 25 21:01 cisco
-rw-r--r--. 1 rancid netadm  143 Sep 24 21:51 cisco.db
drwxrwxr-x. 7 rancid netadm   93 Sep 24 21:58 CVS
drwxr-x---. 4 rancid netadm  124 Sep 25 21:01 extreme
-rw-r--r--. 1 rancid netadm 8228 Sep 24 07:14 extreme.db
drwxr-x---. 4 rancid netadm  124 Sep 25 21:01 hpe
-rw-r--r--. 1 rancid netadm 1876 Sep 24 07:06 hpe.db
drwxr-x---. 2 rancid netadm  123 Sep 25 21:01 logs

-bash-4.2$ more var/arista.db
adm-7050-bd1:arista:up

-bash-4.2$ more var/arista/
configs/  CVS/  .cvsignore  router.db  routers.all  routers.down  routers.up
-bash-4.2$ more var/arista/routers.up
-bash-4.2$ more var/arista/router.db
-bash-4.2$ more var/arista/routers.down
-bash-4.2$ ls var/arista/configs/
CVS/  .cvsignore

-bash-4.2$ more var/arista/configs/CVS/
Entries  Repository  Root

Thanks
-aam

From danletkeman at gmail.com Tue Sep 26 13:42:27 2017
From: danletkeman at gmail.com (Dan Letkeman)
Date: Tue, 26 Sep 2017 08:42:27 -0500
Subject: [rancid] Can't update router.db
In-Reply-To: <20170926033359.GD6257@shrubbery.net>
References: <89A4E3DE-2428-4C28-AB89-83778D302B30@bu.edu> <20170926033359.GD6257@shrubbery.net>
Message-ID:

Looks like there is only one group and the permissions look correct to me.

[root at observium /]# cd /var/rancid/
[root at observium rancid]# ls
logs  observium  SVN
[root at observium rancid]# cd logs
[root at observium logs]# ls
[root at observium logs]# cd ..
[root at observium rancid]# cd observium/
[root at observium observium]# ls
configs  old  router.db  routers.all  routers.down  routers.up
[root at observium observium]# ls -l
total 16
drwxr-x---.
2 rancid rancid   24 Sep 22 11:41 configs
drwxrwxr-x. 2 rancid rancid   75 Sep 22 11:05 old
-rw-rw----. 1 rancid rancid 2069 Sep 22 10:48 router.db
-rw-r-----. 1 rancid rancid 1719 Sep 22 11:25 routers.all
-rw-r-----. 1 rancid rancid    1 Sep 22 11:25 routers.down
-rw-r-----. 1 rancid rancid 1718 Sep 22 11:25 routers.up
[root at observium observium]#

It doesn't work at all anymore. I found this at the end of the logs:

rancid observium hung on observium.gvsd.ca? Old lockfile still exists:
-rw-r-----. 1 rancid rancid 0 Sep 22 11:25 /tmp/.observium.run.lock

Dan.

On Mon, Sep 25, 2017 at 10:33 PM, heasley wrote:
> Mon, Sep 25, 2017 at 08:19:53AM -0500, Dan Letkeman:
> > I'm not too familiar with using groups. Cron job looks like this:
> >
> > SHELL=/bin/bash
> > PATH=/sbin:/bin:/usr/sbin:/usr/bin
> > MAILTO=root
> > HOME=/var/rancid
> > # Run config differ every day at 00:30am
> > 30 00 * * * rancid /usr/libexec/rancid/rancid-run
> >
> > But, I think I may have found an issue with my OS updates that might be part of the problem. Running CentOS 7. When I did a yum update I received this:
> >
> > --> Finished Dependency Resolution
> > Error: Package: rancid-3.2-2.el7.x86_64 (@epel)
> >            Requires: perl(newgetopt.pl)
> >            Removing: perl-Perl4-CoreLibs-0.001-291.el7.noarch (@base)
> >                perl(newgetopt.pl)
> >            Updated By: perl-Perl4-CoreLibs-0.003-7.el7.noarch (base)
> >                Not found
> >  You could try using --skip-broken to work around the problem
>
> there is only one thing that requires that lib and it is an example script; if you are not using rtrfilter, you can force that installation.
>
> > On Sun, Sep 24, 2017 at 7:37 PM, Piegorsch, Weylin William < weylin at bu.edu> wrote:
> >
> > > What rancid group is your cron job passing to do-diffs? Is it the same group that you've modified, or a different one? Did you update the router.db file of the group that do-diffs is executing?
>
> While rancid-run can take a rancid group as an argument, the groups normally come from LIST_OF_GROUPS in rancid.conf.
>
> I am more suspicious that you have more than one rancid group (/var/rancid/) and you've updated one but not another with the same devices. Another possibility is that permissions are incorrect on files/directories in the rancid group's directory, presumably:
> 	chown -R rancid /var/rancid
>
> Also, look at the rancid logs for given group.
>
> > > weylin
From heas at shrubbery.net Tue Sep 26 14:49:50 2017
From: heas at shrubbery.net (heasley)
Date: Tue, 26 Sep 2017 14:49:50 +0000
Subject: [rancid] config files are not fetched
In-Reply-To:
References:
Message-ID: <20170926144950.GA71319@shrubbery.net>

Mon, Sep 25, 2017 at 09:12:03PM -0700, Azher:
> Hello,
>
> I just installed rancid on CentOS7 however 'rancid-run' does not fetch the configuration from the devices, it does create a new log file as below. Manually clogin can login to a device. I am not sure if routers.up needs to be populated or not. Any suggestions ?
>
> Installation directory: /var/opt/rancid
>
> -bash-4.2$ more var/logs/cisco.20170925.210157
> starting: Mon Sep 25 21:01:57 PDT 2017
>
> cvs commit: Examining .
> cvs commit: Examining configs
>
> ending: Mon Sep 25 21:01:57 PDT 2017
> #
>
> -bash-4.2$ ls -la var
> total 24
> drwxr-xr-x. 8 rancid netadm  147 Sep 24 21:58 .
> drwxrwxr-x. 8 rancid netadm  132 Sep 25 05:39 ..
> drwxr-x---. 4 rancid netadm  124 Sep 25 21:01 arista
> -rw-r--r--. 1 rancid netadm 1199 Sep 24 20:57 arista.db
> drwxr-x---. 4 rancid netadm  124 Sep 25 21:01 cisco
> -rw-r--r--. 1 rancid netadm  143 Sep 24 21:51 cisco.db
> drwxrwxr-x. 7 rancid netadm   93 Sep 24 21:58 CVS
> drwxr-x---. 4 rancid netadm  124 Sep 25 21:01 extreme
> -rw-r--r--. 1 rancid netadm 8228 Sep 24 07:14 extreme.db
> drwxr-x---. 4 rancid netadm  124 Sep 25 21:01 hpe
> -rw-r--r--. 1 rancid netadm 1876 Sep 24 07:06 hpe.db
> drwxr-x---. 2 rancid netadm  123 Sep 25 21:01 logs
>
> -bash-4.2$ more var/arista.db
> adm-7050-bd1:arista:up
>
> -bash-4.2$ more var/arista/
> configs/  CVS/  .cvsignore  router.db  routers.all  routers.down  routers.up
> -bash-4.2$ more var/arista/routers.up
> -bash-4.2$ more var/arista/router.db

this file must be populated; see routers.db(5).
> -bash-4.2$ more var/arista/routers.down
> -bash-4.2$ ls var/arista/configs/
> CVS/ .cvsignore
>
> -bash-4.2$ more var/arista/configs/CVS/
> Entries Repository Root
>
> Thanks
> -aam
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/rancid-discuss

From weylin at bu.edu Tue Sep 26 14:39:00 2017
From: weylin at bu.edu (Piegorsch, Weylin William)
Date: Tue, 26 Sep 2017 14:39:00 +0000
Subject: [rancid] ASA Config for Rancid
In-Reply-To:
References: <42209A82-6578-4DC2-B7C0-A56F38FD599C@bu.edu> <58e769d0c47643b9b99c4ad87c8cadf5@zy-colo-mbx1.zyedge.local> <62ec49b5b84f4bcd898ec9c1733f47ae@zy-colo-mbx1.zyedge.local> <9056F2A0-1870-4F33-A124-B447846AF593@bu.edu> <5b708a5287814b71b6e7dce0cd3f5994@zy-colo-mbx1.zyedge.local>
Message-ID:

I finally got it working for ASA post-8.3. I thought I'd share my findings.

For refresher, I historically had an ASA-specific .cloginrc that overrode the "method" field and then called the primary .cloginrc. This was for rancid-1.x - we started with rancid sometime around 2001 or 2002 - where I just copied clogin and rancid as clogin-asa and rancid-asa and changed the one line from "rancid" to "rancid -f cloginrc-asa" (a few other small tweaks, but you get the point). When the 15yr-old server finally died, we moved to a VM running rancid-v3.x; rather than try to figure out how to make it work, I just set about trying to figure out how to make ASAs work the way they're supposed to.

The kicker? I need telnet as the first method to support my bulk deployment of really old Cisco Catalysts that don't support SSH and cause rancid to timeout on that, but that was causing timeout errors for ASAs. Yes, I could have fixed the SSH problem instead, or even raised RANCiD's timeout, but I'm trying to avoid server-side customizations - since I head a network shop that only uses servers where I need to, Cisco configs are easier to manage policy and compliance rules than server configs.

How to fix ASAs to work with rancid, without enabling telnet:

1. Apply the global config "service resetoutside"

This tells the ASA to send a TCP RST packet if a connection request is denied, but only when the IP destination is the ASA itself. By default, the ASA silently discards the TCP SYN when the connection is denied. Without the RST, telnet times out before returning control back to the shell. Unfortunately, the telnet timeout was longer than rancid's timeout.

2. Do not apply the global configs "service resetinbound" or "service resetoutbound"

I never figured out why this was necessary, but under some conditions the three commands together weren't playing nice with each other. Feel free to play with this if you need it.

3. Do not allow telnet to the least-secure interface from anywhere.

If telnet is allowed to the least-secure interface, AKA the interface with the lowest security-level (check with packet-tracer, you'll see it at the end despite all the "ALLOW" results), and if your telnet connection attempt is trying to connect to that interface, the ASA silently drops the connection request despite the resetoutside command. Personally I think it's a bug to override the "resetoutside" command, though I never confirmed it. I also didn't experiment with any interface except the least-secure interface.

weylin

From: Weylin Piegorsch
Date: Thursday, September 14, 2017 at 07:53
To: "Gauthier, Chris" , Ryan West , Dan Anderson , "rancid-discuss at shrubbery.net"
Subject: Re: [rancid] ASA Config for Rancid

Hmm...

https://www.zenoss.com/product/zenpacks/rancid-integration-community

We are in fact using ZenOSS for monitoring/alerting (free version, we can't afford the licensed version).
Now THAT is something interesting to evaluate. I'll ask someone on my team to evaluate that. Allowing telnet is another possibility. We had also considered shifting everything into PRIME Infrastructure (which we will anyway for other reasons than config backups - we did get enough licensing for that at least), but RANCiD has some capabilities that I like that PRIME doesn't do so well - consider all the hijinks you can do in Linux, like aggregating certain parameters across a subset of devices by doing something like... I don't know if I have the syntax right, this is just quickly off the top of my head:

    echo $[`for $(find -name -exec egrep -L \{} \; ) do grep | awk '{print $3}' ; done | tr '\n' '+' | sed 's/+$//'`]

We haven't yet found a good way to do that in PRIME.

Thanks everyone for the help!

weylin

From: "Gauthier, Chris"
Date: Tuesday, September 12, 2017 at 17:23
To: Ryan West , Weylin Piegorsch , Dan Anderson , "rancid-discuss at shrubbery.net"
Subject: Re: [rancid] ASA Config for Rancid

Zenoss is a tool that has RANCiD integration/plugin connectivity.

Chris Gauthier
Senior Network Engineer | comScore, Inc.
o +1 503-331-2704
cgauthier at comscore.com
317 SW Alder St, Suite 500 | Portland | OR 97204
....................................................................

On 9/12/17, 1:42 PM, "Rancid-discuss on behalf of Ryan West" wrote:

On Tue, Sep 12, 2017 at 15:40:52, Piegorsch, Weylin William wrote:
>
> Thanks Ryan. We used to do exactly that, but it got to the point that ASAs
> were doing far more than merely firewall - to name a few:
>
> VPN
> ... well ok these are just ASAs
>
> Firewall
> PIX, ASA, PaloAlto 3k, PaloAlto 7k, PaloAlto 500, and I think there's a
> CheckPoint somewhere we haven't yet replaced
>
> NAT
> ASA, ASR1k, Catalyst6k, 7301, 3825
>
> Routing
> Oh let me count the ways....
>
> BGP Service Advertisement
> Nexus7k, ASR9k, ASR1k, 7301, ASA
>
> Since the devices performing a function are so varied, the naming standard
> cannot take model into account, merely function. It got to the point where I
> was essentially starting to list every ASA by specific name; after a few of
> these it became clear this approach wouldn't scale.
>
> And to answer the other question - somewhere around 20,000 devices;
> 11,000+ VoIP handsets, 6,000-7,000 access points, and 3,000+ of everything
> else (though largely only that last are needed in rancid).
>

Sounds like a fun problem to have. There are some open source NMS products out there that integrate with RANCID and can probably write out the file for you, otherwise you would need to modify how RANCID works and have it switch to the type of device after login with a show ver command or something similar. Let us know if you come up with anything though, I like the idea of having the device login decide the type, or at least a discovery mechanism for RANCID that would write out the proper lines to .cloginrc.

-ryan

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss

From heas at shrubbery.net Tue Sep 26 14:58:55 2017
From: heas at shrubbery.net (heasley)
Date: Tue, 26 Sep 2017 14:58:55 +0000
Subject: [rancid] Can't update router.db
In-Reply-To: <03E5542E-6BCF-4F4C-A644-AB97F2CF77CA@bu.edu>
References: <89A4E3DE-2428-4C28-AB89-83778D302B30@bu.edu> <20170926033359.GD6257@shrubbery.net> <03E5542E-6BCF-4F4C-A644-AB97F2CF77CA@bu.edu>
Message-ID: <20170926145855.GB71319@shrubbery.net>

Tue, Sep 26, 2017 at 02:34:16PM +0000, Piegorsch, Weylin William:
> Hi Dan,
>
> Run the command 'ps aux'. You'll probably find rancid being stuck on some device or another.
> You can log in to that device and kill the telnet/ssh session from there, or you can kill the ssh session on the Linux CLI (kill -9- ).

rancid should not hang like that. Please see the expect hack on the rancid webpage if you are having this problem.

From doug.hughes at keystonenap.com Tue Sep 26 14:56:11 2017
From: doug.hughes at keystonenap.com (Doug Hughes)
Date: Tue, 26 Sep 2017 10:56:11 -0400
Subject: [rancid] ASA Config for Rancid
In-Reply-To:
References: <42209A82-6578-4DC2-B7C0-A56F38FD599C@bu.edu> <58e769d0c47643b9b99c4ad87c8cadf5@zy-colo-mbx1.zyedge.local> <62ec49b5b84f4bcd898ec9c1733f47ae@zy-colo-mbx1.zyedge.local> <9056F2A0-1870-4F33-A124-B447846AF593@bu.edu> <5b708a5287814b71b6e7dce0cd3f5994@zy-colo-mbx1.zyedge.local>
Message-ID:

Nice summary. thanks!

On 9/26/2017 10:39 AM, Piegorsch, Weylin William wrote:
> [...]

--
Doug Hughes
Keystone NAP
Fairless Hills, PA
1.844.KEYBLOCK (539.2562)

From cgauthier at comscore.com Tue Sep 26 17:16:34 2017
From: cgauthier at comscore.com (Gauthier, Chris)
Date: Tue, 26 Sep 2017 17:16:34 +0000
Subject: [rancid] Can't update router.db
In-Reply-To: <20170926145855.GB71319@shrubbery.net>
References: <89A4E3DE-2428-4C28-AB89-83778D302B30@bu.edu> <20170926033359.GD6257@shrubbery.net> <03E5542E-6BCF-4F4C-A644-AB97F2CF77CA@bu.edu> <20170926145855.GB71319@shrubbery.net>
Message-ID: <6A8DEBC0-4EA0-495A-BAD6-3DA6B4194E9F@comscore.com>

I'm kind of curious if it really is the expect hack or not. I noticed he is using an old version of rancid (3.2.2) because that is what is packaged. I'm running CentOS 7 and rancid 3.6.4 with no issues or hangs. My only issues with getting rancid fully-deployed are internal politics.

--Chris

Chris Gauthier
Senior Network Engineer | comScore, Inc.
o +1 503-331-2704
cgauthier at comscore.com
317 SW Alder St, Suite 500 | Portland | OR 97204
....................................................................

On 9/26/17, 7:59 AM, "Rancid-discuss on behalf of heasley" wrote:

Tue, Sep 26, 2017 at 02:34:16PM +0000, Piegorsch, Weylin William:
> Hi Dan,
>
> Run the command 'ps aux'.
> You'll probably find rancid being stuck on some device or another. You can log in to that device and kill the telnet/ssh session from there, or you can kill the ssh session on the Linux CLI (kill -9- ).

rancid should not hang like that. Please see the expect hack on the rancid webpage if you are having this problem.

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss

From heas at shrubbery.net Tue Sep 26 17:42:03 2017
From: heas at shrubbery.net (heasley)
Date: Tue, 26 Sep 2017 17:42:03 +0000
Subject: [rancid] Can't update router.db
In-Reply-To: <6A8DEBC0-4EA0-495A-BAD6-3DA6B4194E9F@comscore.com>
References: <89A4E3DE-2428-4C28-AB89-83778D302B30@bu.edu> <20170926033359.GD6257@shrubbery.net> <03E5542E-6BCF-4F4C-A644-AB97F2CF77CA@bu.edu> <20170926145855.GB71319@shrubbery.net> <6A8DEBC0-4EA0-495A-BAD6-3DA6B4194E9F@comscore.com>
Message-ID: <20170926174203.GD53777@shrubbery.net>

Tue, Sep 26, 2017 at 05:16:34PM +0000, Gauthier, Chris:
> I'm kind of curious if it really is the expect hack or not. I noticed he is using an old version of rancid (3.2.2) because that is what is packaged. I'm running CentOS 7 and rancid 3.6.4 with no issues or hangs. My only issues with getting rancid fully-deployed are internal politics.

More dependent upon the tcl and expect they have. Most expect coding errors of this sort lead to a timeout. Since it is hanging rather than timing out, I suspect the tcl bug.

From weylin at bu.edu Tue Sep 26 14:34:16 2017
From: weylin at bu.edu (Piegorsch, Weylin William)
Date: Tue, 26 Sep 2017 14:34:16 +0000
Subject: [rancid] Can't update router.db
In-Reply-To:
References: <89A4E3DE-2428-4C28-AB89-83778D302B30@bu.edu> <20170926033359.GD6257@shrubbery.net>
Message-ID: <03E5542E-6BCF-4F4C-A644-AB97F2CF77CA@bu.edu>

Hi Dan,

Run the command 'ps aux'. You'll probably find rancid being stuck on some device or another. You can log in to that device and kill the telnet/ssh session from there, or you can kill the ssh session on the Linux CLI (kill -9- ).

weylin

From: Dan Letkeman
Date: Tuesday, September 26, 2017 at 09:43
To: heasley
Cc: Weylin Piegorsch , rancid-discuss
Subject: Re: [rancid] Can't update router.db

Looks like there is only one group and the permissions look correct to me.

[root at observium /]# cd /var/rancid/
[root at observium rancid]# ls
logs observium SVN
[root at observium rancid]# cd logs
[root at observium logs]# ls
[root at observium logs]# cd ..
[root at observium rancid]# cd observium/
[root at observium observium]# ls
configs old router.db routers.all routers.down routers.up
[root at observium observium]# ls -l
total 16
drwxr-x---. 2 rancid rancid   24 Sep 22 11:41 configs
drwxrwxr-x. 2 rancid rancid   75 Sep 22 11:05 old
-rw-rw----. 1 rancid rancid 2069 Sep 22 10:48 router.db
-rw-r-----. 1 rancid rancid 1719 Sep 22 11:25 routers.all
-rw-r-----. 1 rancid rancid    1 Sep 22 11:25 routers.down
-rw-r-----. 1 rancid rancid 1718 Sep 22 11:25 routers.up
[root at observium observium]#

It doesn't work at all anymore. I found this at the end of the logs:

rancid observium hung on observium.gvsd.ca? Old lockfile still exists: -rw-r-----. 1 rancid rancid 0 Sep 22 11:25 /tmp/.observium.run.lock

Dan.

On Mon, Sep 25, 2017 at 10:33 PM, heasley wrote:
Mon, Sep 25, 2017 at 08:19:53AM -0500, Dan Letkeman:
> I'm not too familiar with using groups. Cron job looks like this:
>
> SHELL=/bin/bash
> PATH=/sbin:/bin:/usr/sbin:/usr/bin
> MAILTO=root
> HOME=/var/rancid
> # Run config differ every day at 00:30am
> 30 00 * * * rancid /usr/libexec/rancid/rancid-run
>
>
> But, I think I may have found an issue with my OS updates that might be
> part of the problem. Running CentOS 7.
> When I did a yum update I received
> this:
>
> --> Finished Dependency Resolution
> Error: Package: rancid-3.2-2.el7.x86_64 (@epel)
> Requires: perl(newgetopt.pl)
> Removing: perl-Perl4-CoreLibs-0.001-291.el7.noarch (@base)
> perl(newgetopt.pl)
> Updated By: perl-Perl4-CoreLibs-0.003-7.el7.noarch (base)
> Not found
> You could try using --skip-broken to work around the problem

there is only one thing that requires that lib and it is an example script; if you are not using rtrfilter, you can force that installation.

> On Sun, Sep 24, 2017 at 7:37 PM, Piegorsch, Weylin William wrote:
>
> > What rancid group is your cron job passing to do-diffs? Is it the same
> > group that you've modified, or a different one? Did you update the
> > router.db file of the group that do-diffs is executing?

While rancid-run can take a rancid group as an argument, the groups normally come from LIST_OF_GROUPS in rancid.conf. I am more suspicious that you have more than one rancid group (/var/rancid/) and you've updated one but not another with the same devices. Another possibility is that permissions are incorrect on files/directories in the rancid group's directory, presumably: chown -R rancid /var/rancid

Also, look at the rancid logs for given group.

> > weylin
> >
> > *From: *Dan Letkeman
> > *Date: *Friday, September 22, 2017 at 12:13
> > *To: *rancid-discuss
> > *Subject: *[rancid] Can't update router.db
> >
> > Hello,
> >
> > I have a rancid install on centos. It appears to all be working however,
> > if I replace the contents of the router.db file with the new devices it
> > still connects to the old ones. I have deleted the file and created a new
> > one with only the new device ip addresses and it still continues to try and
> > get configs from the old devices??? Where is it getting this from?
> > > > > > > > I am able to clogin to any of the new devices without trouble, so its not > > a connection issue, but somehow the old router.db file is cached? > > > > > > > > drwxr-x---. 2 rancid rancid 24 Sep 22 11:11 configs > > > > -rw-r--r--. 1 rancid rancid 2069 Sep 22 10:48 router.db > > > > > > > > > > > > 10.10.10.1;cisco;up > > > > 10.10.10.14;cisco;up > > > > 10.10.10.194;cisco;up > > > > 10.10.10.5;cisco;up > > > > 10.100.104.11;mikrotik;up > > > > 10.100.104.12;mikrotik;up > > > > 10.100.207.3;mikrotik;up > > > > 10.100.207.4;mikrotik;up > > > > 10.100.4.10;cisco;up > > > > 10.100.4.6;cisco;up > > > > 10.104.0.1;cisco;up > > > > 10.104.1.11;cisco;up > > > > 10.104.12.11;cisco;up > > > > 10.105.50.1;cisco;up > > > > 10.16.0.1;cisco;up > > > > 10.16.1.21;cisco;up > > > > 10.16.1.31;cisco;up > > > > 10.16.12.11;cisco;up > > > > 10.168.0.1;cisco;up > > > > 10.168.1.11;cisco;up > > > > 10.168.1.21;cisco;up > > > > 10.168.1.31;cisco;up > > > > 10.168.1.41;cisco;up > > > > 10.168.1.51;cisco;up > > > > 10.168.12.11;cisco;up > > > > 10.175.0.3;mikrotik;up > > > > 10.175.0.4;mikrotik;up > > > > > > > > etc...... > > > > > > > > > > > > Any help would be appreciated. > > > > > > > > Thanks, > > > > Dan. > > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo/rancid-discuss -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From danletkeman at gmail.com Tue Sep 26 19:53:22 2017 From: danletkeman at gmail.com (Dan Letkeman) Date: Tue, 26 Sep 2017 14:53:22 -0500 Subject: [rancid] Can't update router.db In-Reply-To: <20170926174203.GD53777@shrubbery.net> References: <89A4E3DE-2428-4C28-AB89-83778D302B30@bu.edu> <20170926033359.GD6257@shrubbery.net> <03E5542E-6BCF-4F4C-A644-AB97F2CF77CA@bu.edu> <20170926145855.GB71319@shrubbery.net> <6A8DEBC0-4EA0-495A-BAD6-3DA6B4194E9F@comscore.com> <20170926174203.GD53777@shrubbery.net> Message-ID: It appears to be working now. I didn't change anything and its actually getting the configs from the correct devices. On Tue, Sep 26, 2017 at 12:42 PM, heasley wrote: > Tue, Sep 26, 2017 at 05:16:34PM +0000, Gauthier, Chris: > > I?m kind of curious if it really is the expect hack or not. I noticed > he is using an old version of rancid (3.2.2) because that is what is > packaged. I?m running CentOS 7 and rancid 3.6.4 with no issues or hangs. > My only issues with getting rancid fully-deployed are internal politics. > > More dependent upon the tcl and expect they have. Most expect coding > errors > of this sort lead to a timeout. since it is hanging rather than > timing-out, > i suspect the tcl bug. > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo/rancid-discuss > -------------- next part -------------- An HTML attachment was scrubbed... URL: From azheramin at gmail.com Wed Sep 27 02:15:39 2017 From: azheramin at gmail.com (Azher) Date: Tue, 26 Sep 2017 19:15:39 -0700 Subject: [rancid] config files are not fetched In-Reply-To: <20170926144950.GA71319@shrubbery.net> References: <20170926144950.GA71319@shrubbery.net> Message-ID: Thanks ... That fixed the problem. 
On Tue, Sep 26, 2017 at 7:49 AM, heasley wrote: > Mon, Sep 25, 2017 at 09:12:03PM -0700, Azher: > > Hello, > > > > I just installed rancid on CentOS7 however 'rancid-run' does not fetch > the > > configuration from the devices, it does create a new log file as below. > > Manually clogin can login to a device. I am not sure if routers.up needs > to > > be populated or not. Any suggestions ? > > > > > > Installation directory: /var/opt/rancid > > > > -bash-4.2$ more var/logs/cisco.20170925.210157 > > starting: Mon Sep 25 21:01:57 PDT 2017 > > > > > > cvs commit: Examining . > > cvs commit: Examining configs > > > > ending: Mon Sep 25 21:01:57 PDT 2017 > > # > > > > -bash-4.2$ ls -la var > > total 24 > > drwxr-xr-x. 8 rancid netadm 147 Sep 24 21:58 . > > drwxrwxr-x. 8 rancid netadm 132 Sep 25 05:39 .. > > drwxr-x---. 4 rancid netadm 124 Sep 25 21:01 arista > > -rw-r--r--. 1 rancid netadm 1199 Sep 24 20:57 arista.db > > drwxr-x---. 4 rancid netadm 124 Sep 25 21:01 cisco > > -rw-r--r--. 1 rancid netadm 143 Sep 24 21:51 cisco.db > > drwxrwxr-x. 7 rancid netadm 93 Sep 24 21:58 CVS > > drwxr-x---. 4 rancid netadm 124 Sep 25 21:01 extreme > > -rw-r--r--. 1 rancid netadm 8228 Sep 24 07:14 extreme.db > > drwxr-x---. 4 rancid netadm 124 Sep 25 21:01 hpe > > -rw-r--r--. 1 rancid netadm 1876 Sep 24 07:06 hpe.db > > drwxr-x---. 2 rancid netadm 123 Sep 25 21:01 logs > > > > > > -bash-4.2$ more var/arista.db > > adm-7050-bd1:arista:up > > > > -bash-4.2$ more var/arista/ > > configs/ CVS/ .cvsignore router.db routers.all > > routers.down routers.up > > -bash-4.2$ more var/arista/routers.up > > -bash-4.2$ more var/arista/router.db > > this file must be be populated; see routers.db(5). 
> > > -bash-4.2$ more var/arista/routers.down
> > > -bash-4.2$ ls var/arista/configs/
> > > CVS/ .cvsignore
> > >
> > > -bash-4.2$ more var/arista/configs/CVS/
> > > Entries Repository Root
> > >
> > > Thanks
> > > -aam
>
> > _______________________________________________
> > Rancid-discuss mailing list
> > Rancid-discuss at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo/rancid-discuss
>

From me at falz.net Fri Sep 29 12:28:27 2017
From: me at falz.net (Chris Wopat)
Date: Fri, 29 Sep 2017 07:28:27 -0500
Subject: [rancid] Juniper 'last commit' + Fortigate whitespace + DB
Message-ID:

Hey folks,

We recently updated to 3.7, a few comments/questions.

* Juniper was updated to ignore 'last committed by' line. Changelog says 'useless last commit config line'. Curious what others think about this. We think it's quite valuable and is a nice way to help correlate changes to accounts that made the change. For now we've manually restored it, which is easy enough.

* We see the 'show chassis firmware' line come and go on some devices. This happened prior to 3.7 as well. This has been witnessed on MX running 15.1, QFX running 14.1X53-D45, and possibly other devices.

  + # show chassis firmware

* Fortigate: Some change was made to fix an issue where there was artificial spacing/line wraps being detected on Fortigate (http://www.shrubbery.net/pipermail/rancid-discuss/2017-May/009620.html). Just wanted to say thanks, this makes Fortigates 20x less chatty!

* Fortigate suggestion: We manually add this to fnrancid still in GetSystem to keep the chatter down. This was previously mentioned in this thread as well: http://www.shrubbery.net/pipermail/rancid-discuss/2017-June/009643.html, curious if others would like to see these added as well.

    next if (/^\s*IPS-ETDB: .*/);
    next if (/^\s*APP-DB: .*/);
    next if (/^\s*IPS Malicious URL Database: .*/);
    next if (/^\s*Botnet DB: .*/);

Cheers,
Chris

From doug.hughes at keystonenap.com Sat Sep 30 01:50:24 2017
From: doug.hughes at keystonenap.com (doug.hughes at keystonenap.com)
Date: Fri, 29 Sep 2017 21:50:24 -0400
Subject: [rancid] Juniper 'last commit' + Fortigate whitespace + DB
In-Reply-To:
References:
Message-ID: <745333c2-1f2d-447e-bae5-048de0d7abc2.maildroid@localhost>

Sent from my android device.

-----Original Message-----
From: Chris Wopat
To: rancid-discuss at shrubbery.net
Sent: Fri, 29 Sep 2017 17:52
Subject: [rancid] Juniper 'last commit' + Fortigate whitespace + DB

Hey folks, We recently updated to 3.7, a few comments/questions.

> * Juniper was updated to ignore 'last committed by' line. Changelog says 'useless last commit config line'. Curious what others think about this. We think it's
> quite valuable and is a nice way to help correlate changes to accounts that made the change. For now we've manually restored it, which is easy enough.

this sounds reasonable to me.

> * We see the 'show chassis firmware' line come and go on some devices. This happened prior to 3.7 as well. This has been witnessed on MX running 15.1,
> QFX running 14.1X53-D45, and possibly other devices.
>
> + # show chassis firmware

sounds like a race in the expect matching.

> * Fortigate suggestion: We manually add this to fnrancid still in GetSystem to keep the chatter down. This was previously mentioned in this thread as well: http://www.shrubbery.net/pipermail/rancid-discuss/2017-June/009643.html, curious if others would like to see these added as well.
>
> next if (/^\s*IPS-ETDB: .*/);
> next if (/^\s*APP-DB: .*/);
> next if (/^\s*IPS Malicious URL Database: .*/);
> next if (/^\s*Botnet DB: .*/);

Sounds like a good contribution.
-------------- next part -------------- An HTML attachment was scrubbed... URL: From heas at shrubbery.net Sat Sep 30 02:54:25 2017 From: heas at shrubbery.net (heasley) Date: Sat, 30 Sep 2017 02:54:25 +0000 Subject: [rancid] Juniper 'last commit' + Fortigate whitespace + DB In-Reply-To: References: Message-ID: <20170930025425.GH83414@shrubbery.net> Fri, Sep 29, 2017 at 07:28:27AM -0500, Chris Wopat: > Hey folks, > > We recently updated to 3.7, a few comments/questions. > > * Juniper was updated to ignore 'last committed by' line. Changelog > says 'useless > last commit config line'. Curious what others think about this. We think > it's quite valuable and is a nice way help correlate changes to accounts > that made the change. For now we've manually restored it, which is easy > enough. there is only one way that that token can be guaranteed - if rancid were guaranteed to collect the information before anyone else could run a commit. if folks really like that ... > * We see the 'show chassis firmware' line come and go on some devices. This > happened prior to 3.7 as well. This has been witnessed on MX running 15.1, > QFX running 14.1X53-D45, and possibly other devices. > > + # show chassis firmware hrm, what model MX? I've not seen this in the lab or production for mx or ptx. perhaps we can chat about whats different in your env. > * Fortigate: Some change was made to fix an issue where there was > artificial spacing/line wraps being detected on Fortigate ( > http://www.shrubbery.net/pipermail/rancid-discuss/2017-May/009620.html). > Just wanted to say thanks, this makes Fortigates 20x less chatty! sweet. > * Fortigate suggestion: We manually add this to fnrancid still in GetSystem > to keep the chatter down. This was previously mentioned in this thread as > well: > http://www.shrubbery.net/pipermail/rancid-discuss/2017-June/009643.html, > curious if others would like to see these added as well. 
>
>     next if (/^\s*IPS-ETDB: .*/);
>     next if (/^\s*APP-DB: .*/);
>     next if (/^\s*IPS Malicious URL Database: .*/);
>     next if (/^\s*Botnet DB: .*/);

sure; i have none of these boxes and have no idea about the syntax of
these lines. opinion of other folks is??? Something that is useless
or something that should be wrapped in "if ($rancid.conf:FILTER_OSC)"?

From doug.hughes at keystonenap.com Sat Sep 30 03:14:13 2017
From: doug.hughes at keystonenap.com (doug.hughes at keystonenap.com)
Date: Fri, 29 Sep 2017 23:14:13 -0400
Subject: [rancid] Juniper 'last commit' + Fortigate whitespace + DB
In-Reply-To: <20170930025425.GH83414@shrubbery.net>
References: <20170930025425.GH83414@shrubbery.net>
Message-ID:

Sent from my android device.

-----Original Message-----
From: heasley
To: Chris Wopat
Cc: rancid-discuss at shrubbery.net
Sent: Fri, 29 Sep 2017 22:54
Subject: Re: [rancid] Juniper 'last commit' + Fortigate whitespace + DB

Fri, Sep 29, 2017 at 07:28:27AM -0500, Chris Wopat:
>> Hey folks,
>>
>> We recently updated to 3.7, a few comments/questions.
>>
>> * Juniper was updated to ignore 'last committed by' line. Changelog
>> says 'useless last commit config line'. Curious what others think about
>> this. We think it's quite valuable and is a nice way help correlate
>> changes to accounts that made the change. For now we've manually restored
>> it, which is easy enough.
>
> there is only one way that that token can be guaranteed - if rancid were
> guaranteed to collect the information before anyone else could run a
> commit. if folks really like that ...

Since it doesn't show up without a commit, it actually does seem valuable to
keep in since it won't generate noise.

> * We see the 'show chassis firmware' line come and go on some devices. This
> happened prior to 3.7 as well. This has been witnessed on MX running 15.1,
> QFX running 14.1X53-D45, and possibly other devices.
>
> + # show chassis firmware

hrm, what model MX?
I've not seen this in the lab or production for mx or ptx. perhaps we can
chat about what's different in your env.

> * Fortigate: Some change was made to fix an issue where there was
> artificial spacing/line wraps being detected on Fortigate (
> http://www.shrubbery.net/pipermail/rancid-discuss/2017-May/009620.html).
> Just wanted to say thanks, this makes Fortigates 20x less chatty!

sweet.

>> * Fortigate suggestion: We manually add this to fnrancid still in GetSystem
>> to keep the chatter down. This was previously mentioned in this thread as
>> well:
>> http://www.shrubbery.net/pipermail/rancid-discuss/2017-June/009643.html,
>> curious if others would like to see these added as well.
>>
>>     next if (/^\s*IPS-ETDB: .*/);
>>     next if (/^\s*APP-DB: .*/);
>>     next if (/^\s*IPS Malicious URL Database: .*/);
>>     next if (/^\s*Botnet DB: .*/);
>
> sure; i have none of these boxes and have no idea about the syntax of
> these lines. opinion of other folks is??? Something that is useless
> or something that should be wrapped in "if ($rancid.conf:FILTER_OSC)"?

since those are all content/feature based and not configurable, it seems
reasonable. It may also be reasonable for somebody to want to see the
changes, but I think the normal mode would be to want to ignore.
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
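As an added example (not rancid's own code and not from any of the posters above): a stand-alone Perl filter that applies the four patterns Chris suggested for GetSystem in fnrancid, gated on FILTER_OSC the way heasley asks about, and run over two constructed Fortigate status captures that differ only in the signature database versions. Reading FILTER_OSC from the environment, and the sample lines themselves, are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example, not rancid's own code: the Fortigate filter suggested in
# the thread, gated on FILTER_OSC. The DB version lines change with every
# signature update, so without the filter each collection differs from the
# previous one although nothing was configured. Reading FILTER_OSC from the
# environment is an assumption; rancid itself takes it from rancid.conf.
use strict;
use warnings;

# The four patterns Chris proposed adding to GetSystem in fnrancid.
my @OSC_PATTERNS = (
    qr/^\s*IPS-ETDB: .*/,
    qr/^\s*APP-DB: .*/,
    qr/^\s*IPS Malicious URL Database: .*/,
    qr/^\s*Botnet DB: .*/,
);

# Keep the lines that would go into the saved config. FILTER_OSC = "no"
# keeps the oscillating lines; any other value (default "yes") drops them,
# so someone who wants to track signature updates can opt in.
sub filter_system_status {
    my ($filter_osc, @lines) = @_;
    my $drop = lc($filter_osc // 'yes') ne 'no';
    my @kept;
  LINE: for my $line (@lines) {
        if ($drop) {
            for my $re (@OSC_PATTERNS) { next LINE if $line =~ $re; }
        }
        push @kept, $line;
    }
    return @kept;
}

# Constructed "get system status" excerpts from two successive
# collections; only the database version stamps differ.
my @first = (
    "Version: FortiGate-EXAMPLE v5.4 (constructed)",
    "IPS-ETDB: 6.00001(2017/09/01 00:00)",
    "APP-DB: 6.00001(2017/09/01 00:00)",
    "IPS Malicious URL Database: 1.00001(2017/09/01 00:00)",
    "Botnet DB: 1.00001(2017/09/01 00:00)",
    "Serial-Number: FGT-EXAMPLE-SERIAL",
);
my @second = map { s{2017/09/01}{2017/09/29}r } @first;  # newer stamps

my $osc    = $ENV{FILTER_OSC};
my $before = join("\n", filter_system_status($osc, @first));
my $after  = join("\n", filter_system_status($osc, @second));
print $before eq $after ? "no diff after filtering\n" : "diff would be reported:\n$after\n";
```

With FILTER_OSC unset the two captures filter to identical text; with FILTER_OSC=no the four DB lines stay and the run reports a diff, which is the trade-off the thread is weighing.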
