From ler762 at gmail.com Fri Jul 1 01:00:45 2011 From: ler762 at gmail.com (Lee) Date: Thu, 30 Jun 2011 21:00:45 -0400 Subject: [rancid] Need some Help - F5's in RANCID In-Reply-To: References: <4B27155520357F40B66920DD4F83715A01E0410F7D@reb-se-srv-19> <20110622165121.GH10691@shrubbery.net> <20110624155811.GD23349@shrubbery.net> Message-ID: On 6/28/11, Jethro R Binks wrote: > On Mon, 27 Jun 2011, Lee wrote: > >> After seeing that the regularly scheduled rancid run failed to get >> several F5 configs this morning I ran it manually: >> >> export NOPIPE=YES >> rancid-run F5 >> >> rancid collected all the configs & no errors in the log. Crontab >> kicked off the rancid run later in the day & several F5s showed up in >> the log with the >> missed cmd(s): ls --full-time --color=never /config/ssl/ssl.crt,ls >> --full-time --color=never /config/ssl/ssl.key >> >> again, run rancid manually with NOPIPE=YES and everything works. >> >> Any thoughts on how to debug the problem would be appreciated since >> the standard debugging suggestion is to set NOPIPE and use the -d >> option. I have yet to see rancid fail to get an F5 config if nopipe >> is set > > In that case, in rancid.conf you can set NOPIPE permanently: > > # if NOPIPE is set, temp files will be used instead of a cmd pipe during > # collection from the router(s). > NOPIPE=YES; export NOPIPE Well!! It doesn't seem to depend on NOPIPE. rancid run manually to collect F5 configs works -- with NOPIPE set or clear. Rancid run from crontab sometimes works, sometimes not. Unless someone beats me to it (hint, hint :) I'll try to figure out next week if it's an env. variable setting missing from the crontab run that's causing the problem Regards, Lee From ler762 at gmail.com Fri Jul 1 01:02:46 2011 
From: ler762 at gmail.com (Lee) Date: Thu, 30 Jun 2011 21:02:46 -0400 Subject: [rancid] Need some Help - F5's in RANCID In-Reply-To: <8C59ABE7-0695-4DD9-9DB6-58D323F8F5F3@ripe.net> References: <4B27155520357F40B66920DD4F83715A01E0410F7D@reb-se-srv-19> <20110622165121.GH10691@shrubbery.net> <20110624155811.GD23349@shrubbery.net> <8C59ABE7-0695-4DD9-9DB6-58D323F8F5F3@ripe.net> Message-ID: > Again, it also works fine when run manually, just not when running normally. "normally" being run via a crontab entry - correct? Lee On 6/29/11, Ben O'Hara wrote: > > On 28 Jun 2011, at 09:36, Jethro R Binks wrote: > >> On Mon, 27 Jun 2011, Lee wrote: >> >>> After seeing that the regularly scheduled rancid run failed to get >>> several F5 configs this morning I ran it manually: >>> >>> export NOPIPE=YES >>> rancid-run F5 >>> >>> rancid collected all the configs & no errors in the log. Crontab >>> kicked off the rancid run later in the day & several F5s showed up in >>> the log with the >>> missed cmd(s): ls --full-time --color=never /config/ssl/ssl.crt,ls >>> --full-time --color=never /config/ssl/ssl.key >>> >>> again, run rancid manually with NOPIPE=YES and everything works. >>> >>> Any thoughts on how to debug the problem would be appreciated since >>> the standard debugging suggestion is to set NOPIPE and use the -d >>> option. I have yet to see rancid fail to get an F5 config if nopipe >>> is set >> >> In that case, in rancid.conf you can set NOPIPE permanently: >> >> # if NOPIPE is set, temp files will be used instead of a cmd pipe during >> # collection from the router(s). >> NOPIPE=YES; export NOPIPE >> >> Does that help? >> > > We've been seeing the same problem with 2 f5s running 10.2.1 > > others running 10.2.0 are fine. > > Again, it also works fine when run manually, just not when running normally. > > Tried setting NOPIPE=yes but the problem still persists. 
> > Ben > > Ben O'Hara RIPE Network Coordination Center > Senior Systems Engineer Singel 258, Amsterdam, NL > http://www.ripe.net +31 20 535 4444 > PGP Fingerprint: 080A 52FF BF0A A7FB F176 E7DB 513D 9A3D E968 7DBC > > From bohara at ripe.net Fri Jul 1 09:25:09 2011 
From: bohara at ripe.net (Ben O'Hara)
Date: Fri, 1 Jul 2011 11:25:09 +0200
Subject: [rancid] Need some Help - F5's in RANCID
In-Reply-To:
References: <4B27155520357F40B66920DD4F83715A01E0410F7D@reb-se-srv-19> <20110622165121.GH10691@shrubbery.net> <20110624155811.GD23349@shrubbery.net> <8C59ABE7-0695-4DD9-9DB6-58D323F8F5F3@ripe.net>
Message-ID:

On 1 Jul 2011, at 03:02, Lee wrote:

>> Again, it also works fine when run manually, just not when running normally.
>
> "normally" being run via a crontab entry - correct?
>

Yes, it fails when run from a crontab but not manually.

Ben

> Lee
>
>
>
> On 6/29/11, Ben O'Hara wrote:
>>
>> On 28 Jun 2011, at 09:36, Jethro R Binks wrote:
>>
>>> On Mon, 27 Jun 2011, Lee wrote:
>>>
>>>> After seeing that the regularly scheduled rancid run failed to get
>>>> several F5 configs this morning I ran it manually:
>>>>
>>>> export NOPIPE=YES
>>>> rancid-run F5
>>>>
>>>> rancid collected all the configs & no errors in the log. Crontab
>>>> kicked off the rancid run later in the day & several F5s showed up in
>>>> the log with the
>>>> missed cmd(s): ls --full-time --color=never /config/ssl/ssl.crt,ls
>>>> --full-time --color=never /config/ssl/ssl.key
>>>>
>>>> again, run rancid manually with NOPIPE=YES and everything works.
>>>>
>>>> Any thoughts on how to debug the problem would be appreciated since
>>>> the standard debugging suggestion is to set NOPIPE and use the -d
>>>> option. I have yet to see rancid fail to get an F5 config if nopipe
>>>> is set
>>>
>>> In that case, in rancid.conf you can set NOPIPE permanently:
>>>
>>> # if NOPIPE is set, temp files will be used instead of a cmd pipe during
>>> # collection from the router(s).
>>> NOPIPE=YES; export NOPIPE
>>>
>>> Does that help?
>>>
>>
>> We've been seeing the same problem with 2 f5s running 10.2.1
>>
>> others running 10.2.0 are fine.
>>
>> Again, it also works fine when run manually, just not when running normally.
>>
>> Tried setting NOPIPE=yes but the problem still persists.
>>
>> Ben
>>
>> Ben O'Hara  RIPE Network Coordination Center
>> Senior Systems Engineer  Singel 258, Amsterdam, NL
>> http://www.ripe.net  +31 20 535 4444
>> PGP Fingerprint: 080A 52FF BF0A A7FB F176 E7DB 513D 9A3D E968 7DBC
>>
>>
>

--
Ben O'Hara  RIPE Network Coordination Center
Senior Systems Engineer  Singel 258, Amsterdam, NL
http://www.ripe.net  +31 20 535 4444
PGP Fingerprint: 080A 52FF BF0A A7FB F176 E7DB 513D 9A3D E968 7DBC

From jethro.binks at strath.ac.uk Fri Jul 1 09:41:46 2011
From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Fri, 1 Jul 2011 10:41:46 +0100 (BST) Subject: [rancid] Need some Help - F5's in RANCID In-Reply-To: References: <4B27155520357F40B66920DD4F83715A01E0410F7D@reb-se-srv-19> <20110622165121.GH10691@shrubbery.net> <20110624155811.GD23349@shrubbery.net> Message-ID: On Thu, 30 Jun 2011, Lee wrote: > Well!! It doesn't seem to depend on NOPIPE. rancid run manually to > collect F5 configs works -- with NOPIPE set or clear. Rancid run from > crontab sometimes works, sometimes not. > > Unless someone beats me to it (hint, hint :) I'll try to figure out next > week if it's an env. variable setting missing from the crontab run > that's causing the problem If something works from crontab but not from the command line, then the classic explanation is that there is something in the environment that's different. You can simply run the "env" command from cron and examine the mail output to see what environment cron jobs run within. Then you can replicate that at the command line and see if that fixes the problem, and then further modify the environment to see what breaks. However, if it "sometimes" works from cron and sometimes not, then it is unlikely to be the environment I'd say. Maybe something else: any NFS automounting going on? Clashing with some other job (do the failures happen in particular windows in time)? Check the cron logs to see what else may be running at the time. Is it one F5 host or all of them that fail? Maybe it is host-related. Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks, Network Manager, Information Services Directorate, University Of Strathclyde, Glasgow, UK The University of Strathclyde is a charitable body, registered in Scotland, number SC015263. From rwest at zyedge.com Fri Jul 1 11:41:19 2011 
From: rwest at zyedge.com (Ryan West) Date: Fri, 1 Jul 2011 11:41:19 +0000 Subject: [rancid] Need some Help - F5's in RANCID In-Reply-To: References: <4B27155520357F40B66920DD4F83715A01E0410F7D@reb-se-srv-19> <20110622165121.GH10691@shrubbery.net> <20110624155811.GD23349@shrubbery.net> , Message-ID: Ben and lee are not the only ones. I've been commenting that line out for a while. I have a mix of 9.4 - 10.2 being backed up to a debian 5 box. Sent from handheld On Jul 1, 2011, at 5:42 AM, Jethro R Binks wrote: > On Thu, 30 Jun 2011, Lee wrote: > >> Well!! It doesn't seem to depend on NOPIPE. rancid run manually to >> collect F5 configs works -- with NOPIPE set or clear. Rancid run from >> crontab sometimes works, sometimes not. >> >> Unless someone beats me to it (hint, hint :) I'll try to figure out next >> week if it's an env. variable setting missing from the crontab run >> that's causing the problem > > If something works from crontab but not from the command line, then the > classic explanation is that there is something in the environment that's > different. > > You can simply run the "env" command from cron and examine the mail output > to see what environment cron jobs run within. Then you can replicate that > at the command line and see if that fixes the problem, and then further > modify the environment to see what breaks. > > However, if it "sometimes" works from cron and sometimes not, then it is > unlikely to be the environment I'd say. Maybe something else: any NFS > automounting going on? Clashing with some other job (do the failures > happen in particular windows in time)? Check the cron logs to see what > else may be running at the time. Is it one F5 host or all of them that > fail? Maybe it is host-related. > > Jethro. > > . . . . . . . . . . . . . . . . . . . . . . . . . 
> Jethro R Binks, Network Manager, > Information Services Directorate, University Of Strathclyde, Glasgow, UK > > The University of Strathclyde is a charitable body, registered in > Scotland, number SC015263. > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From ler762 at gmail.com Fri Jul 1 12:52:33 2011 
From: ler762 at gmail.com (Lee) Date: Fri, 1 Jul 2011 08:52:33 -0400 Subject: [rancid] Need some Help - F5's in RANCID In-Reply-To: References: <4B27155520357F40B66920DD4F83715A01E0410F7D@reb-se-srv-19> <20110622165121.GH10691@shrubbery.net> <20110624155811.GD23349@shrubbery.net> Message-ID: On 7/1/11, Jethro R Binks wrote: > On Thu, 30 Jun 2011, Lee wrote: > >> Well!! It doesn't seem to depend on NOPIPE. rancid run manually to >> collect F5 configs works -- with NOPIPE set or clear. Rancid run from >> crontab sometimes works, sometimes not. >> >> Unless someone beats me to it (hint, hint :) I'll try to figure out next >> week if it's an env. variable setting missing from the crontab run >> that's causing the problem > > If something works from crontab but not from the command line, then the > classic explanation is that there is something in the environment that's > different. > > You can simply run the "env" command from cron and examine the mail output > to see what environment cron jobs run within. Right. I had to do that when porting my stuff from Solaris to Redhat. > Then you can replicate that > at the command line That I couldn't do. Maybe it was just me being ignorant, but there were some env. vars I couldn't get rid of. Any hints/tips on how to replicate a cron environment at the command line would be appreciated :) > and see if that fixes the problem, and then further > modify the environment to see what breaks. > > However, if it "sometimes" works from cron and sometimes not, then it is > unlikely to be the environment I'd say. On the one hand, I agree that sometimes works from cron & sometimes not doesn't sound like an environment differences problem. On the other hand, I don't have any other testable theory for what's causing the problem, so it's worth spending an hour or two to see if it is an environment or /bin/sh (cron) vs. /bin/bash (interactive) issue > Maybe something else: any NFS > automounting going on? 
I have no idea :( A VM running Redhat with SAN storage pretty much sums up my knowledge of that machine. > Clashing with some other job (do the failures > happen in particular windows in time)? Check the cron logs to see what > else may be running at the time. Is it one F5 host or all of them that > fail? Maybe it is host-related. We've also got Cisco NCM collecting F5 configs. maybe related is that it's just recently started spewing out F5 change reports that look like this: Configuration Diff < 001: # Binary configuration captured, checksum: 900614 002: # Device's text version of configuration follows 003: #----------------------------------------------------- 004: provision apm {} --- > 001: # Binary configuration captured, checksum: 710350 002: # Device's text version of configuration follows 003: #----------------------------------------------------- 004: provision apm {} Configuration Diff < 001: # Binary configuration captured, checksum: 710350 002: # Device's text version of configuration follows 003: #----------------------------------------------------- 004: provision apm {} --- > 001: # Binary configuration captured, checksum: 782192 002: # Device's text version of configuration follows 003: #----------------------------------------------------- 004: provision apm {} Configuration Diff < 001: # Binary configuration captured, checksum: 782192 002: # Device's text version of configuration follows 003: #----------------------------------------------------- 004: provision apm {} --- > 001: # Binary configuration captured, checksum: 764708 002: # Device's text version of configuration follows 003: #----------------------------------------------------- 004: provision apm {} But in any case, today is the start of a 4 day weekend for me & worrying about F5s isn't part of my plans :) Regards, Lee From jethro.binks at strath.ac.uk Fri Jul 1 13:05:35 2011 
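Added example (not part of any list message and not RANCID code): one way to do what Jethro describes and Lee asks about above, comparing a captured cron environment with a login environment and replaying the cron one at the command line. It assumes a one-off crontab entry has written `env` output to /tmp/cron.env; that path and all function names are illustrative.

```shell
#!/bin/sh
# Added example: replay a cron job's environment at an interactive prompt.
# Assumption: a one-off crontab entry such as
#     * * * * * env > /tmp/cron.env
# has captured what cron hands to its jobs (the file path is illustrative).

# env_names FILE: variable names found in an `env` dump, sorted.
env_names() {
    sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" | LC_ALL=C sort -u
}

# env_only_in A B: names set in dump A but missing from dump B.
env_only_in() {
    env_names "$1" | while IFS= read -r _name; do
        grep -q "^${_name}=" "$2" || printf '%s\n' "$_name"
    done
}

# env_changed A B: names present in both dumps whose values differ.
env_changed() {
    env_names "$1" | while IFS= read -r _name; do
        _a=$(grep "^${_name}=" "$1" | head -n 1)
        _b=$(grep "^${_name}=" "$2" | head -n 1)
        if [ -n "$_b" ] && [ "$_a" != "$_b" ]; then
            printf '%s\n' "$_name"
        fi
    done
}

# run_in_env FILE CMD [ARG...]: run CMD with exactly the variables in FILE
# and nothing inherited from the calling shell. Multi-line values (for
# example exported bash functions) are not supported: continuation lines
# that do not look like NAME=value are skipped.
run_in_env() {
    _file=$1
    shift
    _ncmd=$#
    while IFS= read -r _line; do
        case $_line in
            [A-Za-z_]*=*) set -- "$@" "$_line" ;;
        esac
    done < "$_file"
    # "$@" is now CMD ARG... followed by NAME=value...; rotate the command
    # words to the end so env(1) sees the assignments first.
    _i=0
    while [ "$_i" -lt "$_ncmd" ]; do
        set -- "$@" "$1"
        shift
        _i=$((_i + 1))
    done
    env -i "$@"
}

# Typical use (rancid-run path as shown in the thread's ps listing):
#   env > /tmp/login.env
#   env_only_in /tmp/login.env /tmp/cron.env    # what the login shell adds
#   env_changed /tmp/cron.env /tmp/login.env    # e.g. PATH, SHELL
#   run_in_env /tmp/cron.env /bin/sh /usr/local/rancid/bin/rancid-run F5
```

Cron also starts jobs without a controlling terminal, so a clean run under run_in_env narrows the search to non-environment causes rather than ruling cron out.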
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Fri, 1 Jul 2011 14:05:35 +0100 (BST)
Subject: [rancid] Need some Help - F5's in RANCID
In-Reply-To:
References: <4B27155520357F40B66920DD4F83715A01E0410F7D@reb-se-srv-19> <20110622165121.GH10691@shrubbery.net> <20110624155811.GD23349@shrubbery.net>
Message-ID:

On Fri, 1 Jul 2011, Lee wrote:

> > Clashing with some other job (do the failures
> > happen in particular windows in time)? Check the cron logs to see what
> > else may be running at the time. Is it one F5 host or all of them that
> > fail? Maybe it is host-related.
>
> We've also got Cisco NCM collecting F5 configs. maybe related is that
> it's just recently started spewing out F5 change reports that look
> like this:
>
> Configuration Diff > < 001: # Binary configuration captured, checksum: 900614 > 002: # Device's text version of configuration follows > 003: #----------------------------------------------------- > 004: provision apm {} > --- > > 001: # Binary configuration captured, checksum: 710350 > 002: # Device's text version of configuration follows > 003: #----------------------------------------------------- > 004: provision apm {}

That should be avoidable by modifying f5rancid to ignore those checksum lines in the subroutine that handles the output of the command that produces them. Unfortunately I know nothing about them so can't even begin to suggest where that is, but taking a look at the code now there's a similar example:

    # This routine parses "bigpipe db show"
    sub ShowDb {
        my($line) = (0);
        print STDERR "    In ShowDb: $_" if ($debug);

        while (<INPUT>) {
            tr/\015//d;
            ...
            /UCS.LoadTime/ && next;
            /Configsync\..*Time/ && next;

Here, lines matching /UCS.LoadTime/ and /Configsync\..*Time/ are skipped. So I guess you need a similar line, in the appropriate sub, to skip lines matching /Binary configuration captured, checksum:/.

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.

From bha.Qaqish at NITC.gov.jo Fri Jul 1 19:39:37 2011
From: bha.Qaqish at NITC.gov.jo (bha Qaqish)
Date: Fri, 1 Jul 2011 22:39:37 +0300
Subject: [rancid] FW: Need Help important plz
Message-ID:

Dear,

I had installed rancid and it works normally. I have an issue: depending on the website, I had installed it on a server and the web interface is available for non-admins to access the configuration:

1. How could I put a password on the web interface?
2. How could I prevent access for some IPs and grant access to others?

I am looking forward to your help, please.

Br

From bha.Qaqish at NITC.gov.jo Fri Jul 1 19:40:06 2011
From: bha.Qaqish at NITC.gov.jo (bha Qaqish)
Date: Fri, 1 Jul 2011 22:40:06 +0300
Subject: [rancid] Need Help important plz
Message-ID:

Dear,

I had installed rancid and it works normally. I have an issue: depending on the website, I had installed it on a server and the web interface is available for non-admins to access the configuration:

1. How could I put a password on the web interface?
2. How could I prevent access for some IPs and grant access to others?

I am looking forward to your help, please.

Br

From rwest at zyedge.com Fri Jul 1 19:44:29 2011
From: rwest at zyedge.com (Ryan West)
Date: Fri, 1 Jul 2011 19:44:29 +0000
Subject: [rancid] Need Help important plz
In-Reply-To:
References:
Message-ID: <5DC4853C6CC3EE4788779E0726E034DD9CDF8D@zy-ex1.zyedge.local>

You can allow access to certain virtual directories in Apache. As for the password part, I'm using LDAP with a select number of users. Look at htpasswd for examples.

-ryan
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of bha Qaqish
Sent: Friday, July 01, 2011 3:40 PM
To: rancid-discuss at shrubbery.net
Subject: [rancid] Need Help important plz

Dear,

I had installed rancid and it works normally. I have an issue: depending on the website, I had installed it on a server and the web interface is available for non-admins to access the configuration:

1. How could I put a password on the web interface?
2. How could I prevent access for some IPs and grant access to others?

I am looking forward to your help, please.

Br

From bha.Qaqish at NITC.gov.jo Fri Jul 1 19:50:58 2011
From: bha.Qaqish at NITC.gov.jo (bha Qaqish)
Date: Fri, 1 Jul 2011 22:50:58 +0300
Subject: [rancid] Need Help important plz
In-Reply-To: <5DC4853C6CC3EE4788779E0726E034DD9CDF8D@zy-ex1.zyedge.local>
References: <5DC4853C6CC3EE4788779E0726E034DD9CDF8D@zy-ex1.zyedge.local>
Message-ID:

For the password part, if anyone opens the GUI, does it require a password? And by default, what is the directory for the rancid web access?

bha

From: Ryan West [mailto:rwest at zyedge.com]
Sent: Friday, July 01, 2011 10:44 PM
To: bha Qaqish; rancid-discuss at shrubbery.net
Subject: RE: Need Help important plz

You can allow access to certain virtual directories in Apache. As for the password part, I'm using LDAP with a select number of users. Look at htpasswd for examples.

-ryan
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of bha Qaqish
Sent: Friday, July 01, 2011 3:40 PM
To: rancid-discuss at shrubbery.net
Subject: [rancid] Need Help important plz

Dear,

I had installed rancid and it works normally. I have an issue: depending on the website, I had installed it on a server and the web interface is available for non-admins to access the configuration:

1. How could I put a password on the web interface?
2. How could I prevent access for some IPs and grant access to others?

I am looking forward to your help, please.

Br

From registration at myplaceinspace.com Fri Jul 1 21:09:49 2011
From: registration at myplaceinspace.com (Bryan)
Date: Fri, 1 Jul 2011 17:09:49 -0400
Subject: [rancid] xrrancid on cisco IOS-XR
Message-ID: <03E85EFCF7AD432A8EB2D52DFDB157C0@sbrbryan>

I am still having issues w/rancid backing up cisco IOS-XR. This is version Cisco IOS XR Software, Version 3.9.0[00]. I am using the patched expect straight from the ftp on shrubbery site. I can run "xrrancid -d myrouter" and the config is downloaded completely to the current working directory. However if I let rancid run it normally or do a "rancid-run mygroup" only half the config is downloaded before I get "Connection closed by foreign host." right in the middle of the config. At the top of the config I get "RANCID-CONTENT-TYPE: cisco-xr" and according to what commands are being run I don't understand why I can run it manually and it works but letting rancid run it and it only downloads part of the config. Both runs manually and automatically are using the same user and same ENV variables.

When it stops in the middle it doesn't always stop at the same spot (same length). I can "rancid-run ASR" 5 times and 3 of the times it stops in the same spot and 2 times it stops a few lines before or after.

Any help would be appreciated.
From a normal run:

rancid 409 30383 0 16:59 pts/1 00:00:00 /bin/sh /usr/local/rancid/bin/rancid-run ASR
rancid 410 409 0 16:59 pts/1 00:00:00 /bin/sh /usr/local/rancid/bin/rancid-run ASR
rancid 414 410 0 16:59 pts/1 00:00:00 /bin/sh /usr/local/rancid/bin/control_rancid ASR
rancid 449 414 0 16:59 pts/1 00:00:00 /usr/bin/perl /usr/local/rancid/bin/par -q -n 10 -c rancid-fe {} /usr/local/rancid/var/ASR/routers.up
rancid 450 449 0 16:59 pts/1 00:00:00 sh -c (rancid-fe myrouter:cisco-xr)
rancid 451 449 0 16:59 pts/1 00:00:00 sh -c (rancid-fe myrouter2:cisco-xr)
rancid 452 450 0 16:59 pts/1 00:00:00 /usr/bin/perl /usr/local/rancid/bin/xrrancid myrouter
rancid 453 451 0 16:59 pts/1 00:00:00 /usr/bin/perl /usr/local/rancid/bin/xrrancid myrouter2
rancid 454 452 0 16:59 pts/1 00:00:00 sh -c clogin -t 90 -c "terminal exec prompt no-timestamp;show running-config" myrouter myrouter.raw 2>&1
rancid 455 453 0 16:59 pts/1 00:00:00 sh -c clogin -t 90 -c "terminal exec prompt no-timestamp;show running-config" myrouter2 myrouter2.raw 2>&1
rancid 457 454 0 16:59 pts/1 00:00:00 /usr/bin/expect -- /usr/local/rancid/bin/clogin -t 90 -c terminal exec prompt no-timestamp;show running-config myrouter
rancid 458 455 1 16:59 pts/1 00:00:00 /usr/bin/expect -- /usr/local/rancid/bin/clogin -t 90 -c terminal exec prompt no-timestamp;show running-config myrouter2
rancid 463 457 0 16:59 pts/3 00:00:00 telnet myrouter

From randy at psg.com Tue Jul 5 07:08:18 2011
From: randy at psg.com (Randy Bush)
Date: Tue, 05 Jul 2011 16:08:18 +0900
Subject: [rancid] flash flash flash
References:
Message-ID:

freebsd 8.2
rancid 2.3.6

- !Flash: disk0: 4188659712 bytes total (2632343552 bytes free) + !Flash: disk0: 4188659712 bytes total (2632331264 bytes free)

i get a lot of these on ios and ios xr. i googled, searched the lists, ... and others whine too. but i have not seen an answer on list or in faq. clearly i am missing something as this is common as all get out.

clue bat please

randy

From ler762 at gmail.com Tue Jul 5 12:20:58 2011
From: ler762 at gmail.com (Lee)
Date: Tue, 5 Jul 2011 08:20:58 -0400
Subject: [rancid] flash flash flash
In-Reply-To:
References:
Message-ID:

On 7/5/11, Randy Bush wrote:
> freebsd 8.2
> rancid 2.3.6
>
> - !Flash: disk0: 4188659712 bytes total (2632343552 bytes free) > + !Flash: disk0: 4188659712 bytes total (2632331264 bytes free)
>
> i get a lot of these on ios and ios xr. i googled, searched the lists,
> ... and others whine too. but i have not seen an answer on list or in
> faq. clearly i am missing something as this is common as all get out.
>
> clue bat please

Certain files are not displayed in rancid. Take a look at ShowFlash and DirSlotN in rancid to see which files are not displayed. eg

    # Filter dhcp database
    next if (/dhcp_[^. ]*\.txt/);

I added a 'redacted' variable - eg:

    if (/dhcp[-_]database\s*$/) {   # -LR- ignore dhcp database changes
        $redacted = 1;              # -LR- remember that a file has not been displayed
        next;                       # -LR-
    }                               # -LR-

and then suppress the bytes free line if files have not been displayed:

    if (/.*\(\d+ bytes (free|used)\)/) {   # -LR- want to show bytes free?
        if ($redacted) { next; }           # -LR- not when there are files that haven't been shown
    }                                      # -LR-

Lee

From gmccullagh at gmail.com Wed Jul 6 12:28:54 2011
From: gmccullagh at gmail.com (Gavin McCullagh) Date: Wed, 6 Jul 2011 13:28:54 +0100 Subject: [rancid] rancid with Fortigate FG100A In-Reply-To: <201101311010.00032.diego.ercolani@ssis.sm> References: <20110130170234.GR13825@gmail.com> <201101311010.00032.diego.ercolani@ssis.sm> Message-ID: <20110706122854.GM26033@gmail.com> Hi guys, On Mon, 31 Jan 2011, Diego Ercolani wrote: > I've already submitted patch to accomplish fortinet. Here it is the relevant > post: > http://www.shrubbery.net/pipermail/rancid-discuss/2009-June/004005.html > > if you see in the mailing list there are time to time modifications. We've been using this with the 100A and are now using it also with a 200B (which works fine incidentally). However, one thing that I wonder is whether we really have the optimal command to pull the config. fnrancid currently uses "show full-configuration" to pull the config of the system. This pulls the absolutely full configuration with every unmodified default included. The result, for example, is that adding a simple firewall rule results in a patch like this: + edit 71 + set srcintf "port1" + set dstintf "port8" + set srcaddr "xxxxxxxxxxxx" + set dstaddr "all" + set rtp-nat disable + set action accept + set status enable + set dynamic-profile disable + unset dynamic-profile-access + set schedule "always" + set schedule-timeout disable + set service "HTTP" "HTTPS" + set utm-status disable + set logtraffic disable + set logtraffic-app enable + set auto-asic-offload enable + set webcache disable + set session-ttl 0 + set wccp disable + set fsso disable + set disclaimer disable + set natip 0.0.0.0 0.0.0.0 + set match-vip disable + set diffserv-forward disable + set diffserv-reverse disable + set tcp-mss-sender 0 + set tcp-mss-receiver 0 + set comments "Allow xxxxxxxxxxxx to connect for updates" + set endpoint-check disable + set label '' + set global-label '' + set replacemsg-override-group '' + set identity-based disable + set traffic-shaper '' + set 
traffic-shaper-reverse '' + set per-ip-shaper '' + set nat disable + set dynamic-profile-fallthrough disable + set client-reputation disable + next Only about five of the above lines were actually chosen, the rest are all defaults. Personally, I'm inclined more toward using just the "show" command which pulls the configuration settings that we have actually made omitting defaults. Is this "pull absolutely every detail" policy the norm in Rancid? Obviously I can change this locally myself if I really want. Gavin From diego.ercolani at ssis.sm Wed Jul 6 13:18:21 2011 
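Review bot: "set logtraffic disable" in the added policy (edit 71, port1 to port8, action accept) means traffic this rule permits is not logged; suggest "set logtraffic enable" so the new allowance is auditable. The policy also has set dstaddr "all" while its comment says it exists so one host can connect for updates, so consider narrowing dstaddr to the update servers.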
From: diego.ercolani at ssis.sm (Diego Ercolani)
Date: Wed, 6 Jul 2011 15:18:21 +0200
Subject: [rancid] rancid with Fortigate FG100A
In-Reply-To: <20110706122854.GM26033@gmail.com>
References: <20110130170234.GR13825@gmail.com> <201101311010.00032.diego.ercolani@ssis.sm> <20110706122854.GM26033@gmail.com>
Message-ID: <201107061518.21647.diego.ercolani@ssis.sm>

Hello,
I don't know fortigate deeply because if I can I prefer to use linux directly so feel free to change the command or the command sequence to perform a configuration dump.
This is the power of opensource, every one can add a small piece of his knowledge and bring the community a full (hopefully errorproof) utility.

I have only one clustered installation of fortigate and what I noticed is that from time to time, fortigate adds some line feed that make it seem the configuration has changed... this is very annoying but I can't do experiments because it's a production environment.

Diego

On Wednesday 6 July 2011 14:28:54, Gavin McCullagh wrote:
> Hi guys,
>
> On Mon, 31 Jan 2011, Diego Ercolani wrote:
> > I've already submitted patch to accomplish fortinet. Here it is the
> > relevant post:
> > http://www.shrubbery.net/pipermail/rancid-discuss/2009-June/004005.html
> >
> > if you see in the mailing list there are time to time modifications.
>
> We've been using this with the 100A and are now using it also with a 200B
> (which works fine incidentally).
>
> However, one thing that I wonder is whether we really have the optimal
> command to pull the config.
>
> fnrancid currently uses "show full-configuration" to pull the config of the
> system. This pulls the absolutely full configuration with every unmodified
> default included.
The result, for example, is that adding a simple > firewall rule results in a patch like this: > > + edit 71 > + set srcintf "port1" > + set dstintf "port8" > + set srcaddr "xxxxxxxxxxxx" > + set dstaddr "all" > + set rtp-nat disable > + set action accept > + set status enable > + set dynamic-profile disable > + unset dynamic-profile-access > + set schedule "always" > + set schedule-timeout disable > + set service "HTTP" "HTTPS" > + set utm-status disable > + set logtraffic disable > + set logtraffic-app enable > + set auto-asic-offload enable > + set webcache disable > + set session-ttl 0 > + set wccp disable > + set fsso disable > + set disclaimer disable > + set natip 0.0.0.0 0.0.0.0 > + set match-vip disable > + set diffserv-forward disable > + set diffserv-reverse disable > + set tcp-mss-sender 0 > + set tcp-mss-receiver 0 > + set comments "Allow xxxxxxxxxxxx to connect for updates" > + set endpoint-check disable > + set label '' > + set global-label '' > + set replacemsg-override-group '' > + set identity-based disable > + set traffic-shaper '' > + set traffic-shaper-reverse '' > + set per-ip-shaper '' > + set nat disable > + set dynamic-profile-fallthrough disable > + set client-reputation disable > + next > > Only about five of the above lines were actually chosen, the rest are all > defaults. Personally, I'm inclined more toward using just the "show" > command which pulls the configuration settings that we have actually made > omitting defaults. > > Is this "pull absolutely every detail" policy the norm in Rancid? > Obviously I can change this locally myself if I really want. > > Gavin > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From gmccullagh at gmail.com Wed Jul 6 13:35:36 2011 
From: gmccullagh at gmail.com (Gavin McCullagh)
Date: Wed, 6 Jul 2011 14:35:36 +0100
Subject: [rancid] rancid with Fortigate FG100A
In-Reply-To: <201107061518.21647.diego.ercolani@ssis.sm>
References: <20110130170234.GR13825@gmail.com> <201101311010.00032.diego.ercolani@ssis.sm> <20110706122854.GM26033@gmail.com> <201107061518.21647.diego.ercolani@ssis.sm>
Message-ID: <20110706133536.GN26033@gmail.com>

Hi,

On Wed, 06 Jul 2011, Diego Ercolani wrote:

> I don't know fortigate deeply because if I can I prefer to use linux directly
> so feel free to change the command or the command sequence to perform a
> configuration dump.
> This is the power of opensource, every one can add a small piece of his
> knowledge and bring the community a full (hopefully errorproof) utility.

I couldn't agree more, but I'm hoping to work out what the community in general thinks. I don't think this question is particularly a Fortigate one.

In general, is it better for Rancid to record and version the entire config of a device including defaults, or to just version the non-default config? I can see arguments for both:

 - when you upgrade firmware, the defaults might change and rancid could presumably only note these if you version the entire config.

 - the config and patches can be quite complex if you version the entire config.

 - if the unit should fail, you get a new one and want to deploy the config from Rancid, I would usually prefer to just deploy our config changes and not override the defaults. If rancid holds the full config, you can't really work out what are defaults and what are your settings. Perhaps others might prefer to actually set those defaults where necessary.

I imagine this issue arises with units other than the Fortigates.

> I have only one clustered installation of fortigate and what I noticed is that
> from time to time, fortigate adds some line feed that make it seem the
> configuration has changed...
this is very annoying but I can't do experiments > because it's a production environment. I've noticed the same actually, though generally it seems to be within the "app-detect" lines which are all defaults (at least on our install). Reducing this problem might be a happy side-effect of versioning the reduced config. Gavin From J.S.Peatfield at damtp.cam.ac.uk Wed Jul 6 14:55:44 2011 From: J.S.Peatfield at damtp.cam.ac.uk (Jon Peatfield) Date: Wed, 6 Jul 2011 15:55:44 +0100 (BST) Subject: [rancid] rancid 2.3.6: clogin with multiple devices fails... ($autologin not defined) In-Reply-To: References: Message-ID: On Thu, 23 Jun 2011, Lee wrote: > Hi, >> >> >> So is this something specific to my copy of rancid, or is this just a well >> known thing to be avoided? > > I'd never tried it before, so I stayed quiet :) But it's easy enough > to test, so > clogin -c "sh ip eigrp int" router1 router2 router3 ... router20 > worked for me using rancid 2.3.6 As discussed off the list, it works ok if clogin isn't set to use enable ie if you have autoenable or noenable set. The bug seems to be triggered if the $enable variable gets set, then the next time round the loop it calls code which references a variable which isn't defined (anywhere in the code). I can see a number of possible fixes to the current clogin code but would prefer an expert to take a look at it... -- Jon From bgranholm at corp.crocker.com Wed Jul 6 15:05:09 2011 
From: bgranholm at corp.crocker.com (Ben Granholm) Date: Wed, 06 Jul 2011 11:05:09 -0400 (EDT) Subject: [rancid] cvsweb/cvs help In-Reply-To: <7b788448-770c-4189-aae9-cc67aeb05f32@zimbra1.crocker.com> Message-ID: Greetings, I am currently running rancid on CentOS release 5.6 (Final) using cvs and cvsweb. This current configuration works great, however the display leaves something to be desired. We are keeping track of a number of configurations on various routers and switches, etc... but this is all done on our internal management network which has no DNS entries. So when I go to look at it, it is a giant list of IP addresses. It would be nice to have some sort of description on it. I could do a workaround by adding entries to a local dns or even the hosts file but I would rather a description field. If anyone has done this successfully, some guidance would be appreciated. Thanks, Ben Granholm -------------- next part -------------- An HTML attachment was scrubbed... URL: From heas at shrubbery.net Wed Jul 6 15:48:18 2011 
From: heas at shrubbery.net (john heasley) Date: Wed, 6 Jul 2011 15:48:18 +0000 Subject: [rancid] cvsweb/cvs help In-Reply-To: References: <7b788448-770c-4189-aae9-cc67aeb05f32@zimbra1.crocker.com> Message-ID: <20110706154818.GB7694@shrubbery.net> Wed, Jul 06, 2011 at 11:05:09AM -0400, Ben Granholm: > Greetings, > > I am currently running rancid on CentOS release 5.6 (Final) using cvs and cvsweb. This current configuration works great, however the display leaves something to be desired. We are keeping track of a number of configurations on various routers and switches, etc... but this is all done on our internal management network which has no DNS entries. So when I go to look at it, it is a giant list of IP addresses. It would be nice to have some sort of description on it. I could do a workaround by adding entries to a local dns or even the hosts file but I would rather a description field. If anyone has done this successfully, some guidance would be appreciated. Try cvsadmin -t (see manpage) for each file. that MAY appear in the cvsview (etc) pages; I do not know. From bgranholm at corp.crocker.com Wed Jul 6 18:37:42 2011 From: bgranholm at corp.crocker.com (Ben Granholm) Date: Wed, 06 Jul 2011 14:37:42 -0400 (EDT) Subject: [rancid] cvsweb/cvs help In-Reply-To: <20110706154818.GB7694@shrubbery.net> Message-ID: John, I tried as you suggested and nothing. I would have to mod the cvsweb.cgi for that to work and I am no perl guru by any stretch. Anyone else do this and how did you accomplish it? Ben Granholm ----- Original Message ----- 
From: "john heasley" To: "Ben Granholm" Cc: rancid-discuss at shrubbery.net Sent: Wednesday, July 6, 2011 11:48:18 AM Subject: Re: [rancid] cvsweb/cvs help Wed, Jul 06, 2011 at 11:05:09AM -0400, Ben Granholm: > Greetings, > > I am currently running rancid on CentOS release 5.6 (Final) using cvs and cvsweb. This current configuration works great, however the display leaves something to be desired. We are keeping track of a number of configurations on various routers and switches, etc... but this is all done on our internal management network which has no DNS entries. So when I go to look at it, it is a giant list of IP addresses. It would be nice to have some sort of description on it. I could do a workaround by adding entries to a local dns or even the hosts file but I would rather a description field. If anyone has done this successfully, some guidance would be appreciated. Try cvsadmin -t (see manpage) for each file. that MAY appear in the cvsview (etc) pages; I do not know. -------------- next part -------------- An HTML attachment was scrubbed... URL: From Erich.Shellhammer at unisys.com Wed Jul 6 19:54:37 2011 From: Erich.Shellhammer at unisys.com (Shellhammer, Erich S) Date: Wed, 6 Jul 2011 14:54:37 -0500 Subject: [rancid] cvsweb/cvs help In-Reply-To: References: <20110706154818.GB7694@shrubbery.net> Message-ID: I did it the easy way. Host file entries, then in the device list I just used the hostnames. This then populated cvsweb with hostnames. I did it this way since I'm not adding devices more than 1-2 every 6 months. Erich Shellhammer 
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Ben Granholm Sent: Wednesday, July 06, 2011 1:38 PM To: rancid-discuss at shrubbery.net Subject: Re: [rancid] cvsweb/cvs help John, I tried as you suggested and nothing. I would have to mod the cvsweb.cgi for that to work and I am no perl guru by any stretch. Anyone else do this and how did you accomplish it? Ben Granholm ________________________________ From: "john heasley" To: "Ben Granholm" Cc: rancid-discuss at shrubbery.net Sent: Wednesday, July 6, 2011 11:48:18 AM Subject: Re: [rancid] cvsweb/cvs help Wed, Jul 06, 2011 at 11:05:09AM -0400, Ben Granholm: > Greetings, > > I am currently running rancid on CentOS release 5.6 (Final) using cvs and cvsweb. This current configuration works great, however the display leaves something to be desired. We are keeping track of a number of configurations on various routers and switches, etc... but this is all done on our internal management network which has no DNS entries. So when I go to look at it, it is a giant list of IP addresses. It would be nice to have some sort of description on it. I could do a workaround by adding entries to a local dns or even the hosts file but I would rather a description field. If anyone has done this successfully, some guidance would be appreciated. Try cvsadmin -t (see manpage) for each file. that MAY appear in the cvsview (etc) pages; I do not know. -------------- next part -------------- An HTML attachment was scrubbed... URL: From heas at shrubbery.net Wed Jul 6 22:06:24 2011 
From: heas at shrubbery.net (john heasley) Date: Wed, 6 Jul 2011 22:06:24 +0000 Subject: [rancid] rancid with Fortigate FG100A In-Reply-To: <20110706133536.GN26033@gmail.com> References: <20110130170234.GR13825@gmail.com> <201101311010.00032.diego.ercolani@ssis.sm> <20110706122854.GM26033@gmail.com> <201107061518.21647.diego.ercolani@ssis.sm> <20110706133536.GN26033@gmail.com> Message-ID: <20110706220624.GD15138@shrubbery.net> Wed, Jul 06, 2011 at 02:35:36PM +0100, Gavin McCullagh: > On Wed, 06 Jul 2011, Diego Ercolani wrote: > > This is the power of opensource, every one can add a small piece of his > > knowledge and bring the community a full (hopely errorproof) utility. thats funny. > In general, is it better for Rancid to record and version the entire > config of a device including defaults, or to just version the non-default > config. > > I can see arguments for both: > > - when you upgrade firmware, the defaults might change and rancid could > presumably only note these if you version the entire config. thats the impetus for the command that is used. hopefully the route of least surprise if you must recover a device's config. > - if the unit should fail, you get a new one and want to deploy the > config from Rancid, I would usually prefer to just deploy our config > changes and not override the defaults. If rancid holds the full config, > you can't really work out what are defaults and what are your settings. > Perhaps others might prefer to actually set those defaults where > necessary. if thats a concern, perhaps you need a full and non-full version [in separate groups]. > I imagine this issue arises with units other than the Fortigates. CatOS. > > I have only one clustered installation of fortigate and what I noticed is that > > from time to time, fortigate adds some line feed that make seem the > > configuration has changed... this is very annoying but I can't do experiments > > because it's a productin environment. 
perhaps that is a defect in fnrancid's login script? From adam.korab at gmail.com Thu Jul 7 16:00:25 2011 From: adam.korab at gmail.com (Adam Korab) Date: Thu, 7 Jul 2011 11:00:25 -0500 Subject: [rancid] excluding certain lines from diffs without editing @commandtable - fnrancid Message-ID: Hi, Using fnrancid.in 2258 2010-10-11 20:49:05Z included with 2.3.6, I'm polling a FortiGate FGT1000A running FortiOS 3.00. @commandtable contains only two commands, 'get system status' and 'show full-configuration'. Per the earlier FortiGate discussion, it's pulling the entire full (default) configuration for the sake of completeness. The problem comes in when spurious diffs are generated every hour because the system time, config version, and RSA key change: - !System time: Thu Jul 7 02:02:09 2011 + !System time: Thu Jul 7 03:02:11 2011 - #conf_file_ver=9393629122155995517 + #conf_file_ver=4523938947618233296 - DEK-Info: DES-EDE3-CBC - [blah blah private key] + DEK-Info: DES-EDE3-CBC + [blah blah other private key] So I figure it should be something along the lines of grep -v "System time","conf_file_ver" and "DEK-Info" but I don't know how to go about this. I found Dave LaPorte's post from 2006 in the archives (http://www.shrubbery.net/pipermail/rancid-discuss/2006-June/001542.html) but I'd like to make sure those changes would still work considering they apply to a 5 year old version of control_rancid and I'm using $RCSSYS = "svn". Thanks! --Adam From heas at shrubbery.net Thu Jul 7 17:04:46 2011 
From: heas at shrubbery.net (john heasley) Date: Thu, 7 Jul 2011 17:04:46 +0000 Subject: [rancid] excluding certain lines from diffs without editing @commandtable - fnrancid In-Reply-To: References: Message-ID: <20110707170445.GC29900@shrubbery.net> Thu, Jul 07, 2011 at 11:00:25AM -0500, Adam Korab: > - !System time: Thu Jul 7 02:02:09 2011 > + !System time: Thu Jul 7 03:02:11 2011 > > - #conf_file_ver=9393629122155995517 > + #conf_file_ver=4523938947618233296 what will become 2.3.7 has filters for these. attached. > - DEK-Info: DES-EDE3-CBC > - [blah blah private key] > + DEK-Info: DES-EDE3-CBC > + [blah blah other private key] any idea why this would change constantly? i'd have thought that private keys wouldnt change unless an admin changed them. > So I figure it should be something along the lines of grep -v "System > time","conf_file_ver" and "DEK-Info" but I don't know how to go about > this. I found Dave LaPorte's post from 2006 in the archives > (http://www.shrubbery.net/pipermail/rancid-discuss/2006-June/001542.html) > but I'd like to make sure those changes would still work considering > they apply to a 5 year old version of control_rancid and I'm using > $RCSSYS = "svn". they should; just use svn options instead of cvs. -------------- next part -------------- #! @PERLV_PATH@ ## ## $Id: fnrancid.in 2283 2011-02-04 23:15:07Z heas $ ## ## @PACKAGE@ @VERSION@ ## Copyright (c) 1997-2008 by Terrapin Communications, Inc. ## All rights reserved. ## ## This code is derived from software contributed to and maintained by ## Terrapin Communications, Inc. by Henry Kilmer, John Heasley, Andrew Partan, ## Pete Whiting, Austin Schutz, and Andrew Fort. ## ## Redistribution and use in source and binary forms, with or without ## modification, are permitted provided that the following conditions ## are met: ## 1. Redistributions of source code must retain the above copyright ## notice, this list of conditions and the following disclaimer. ## 2. 
Redistributions in binary form must reproduce the above copyright ## notice, this list of conditions and the following disclaimer in the ## documentation and/or other materials provided with the distribution. ## 3. All advertising materials mentioning features or use of this software ## must display the following acknowledgement: ## This product includes software developed by Terrapin Communications, ## Inc. and its contributors for RANCID. ## 4. Neither the name of Terrapin Communications, Inc. nor the names of its ## contributors may be used to endorse or promote products derived from ## this software without specific prior written permission. ## 5. It is requested that non-binding fixes and modifications be contributed ## back to Terrapin Communications, Inc. ## ## THIS SOFTWARE IS PROVIDED BY Terrapin Communications, INC. AND CONTRIBUTORS ## ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED ## TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ## PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COMPANY OR CONTRIBUTORS ## BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ## CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ## SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ## INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ## CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ## ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ## POSSIBILITY OF SUCH DAMAGE. # # A library built on Stephen Gill's Netscreen stuff to accomodate # the Fortinet product line. 
[d_pfleger at juniper.net]
#
# RANCID - Really Awesome New Cisco confIg Differ
#
# usage: rancid [-dV] [-l] [-f filename | hostname]
#
use Getopt::Std;
getopts('dflV');
if ($opt_V) {
    print "@PACKAGE@ @VERSION@\n";
    exit(0);
}
$log = $opt_l;
$debug = $opt_d;
#$debug = 1;
$file = $opt_f;
$host = $ARGV[0];
$found_end = 0;
$timeo = 90;				# fnlogin timeout in seconds

my(@commandtable, %commands, @commands);# command lists
my($aclsort) = ("ipsort");		# ACL sorting mode
my($filter_commstr);			# SNMP community string filtering
my($filter_pwds);			# password filtering mode

# This routine is used to print out the router configuration
sub ProcessHistory {
    my($new_hist_tag,$new_command,$command_string,@string) = (@_);
    if ((($new_hist_tag ne $hist_tag) || ($new_command ne $command))
	&& scalar(%history)) {
	print eval "$command \%history";
	undef %history;
    }
    if (($new_hist_tag) && ($new_command) && ($command_string)) {
	if ($history{$command_string}) {
	    $history{$command_string} = "$history{$command_string}@string";
	} else {
	    $history{$command_string} = "@string";
	}
    } elsif (($new_hist_tag) && ($new_command)) {
	$history{++$#history} = "@string";
    } else {
	print "@string";
    }
    $hist_tag = $new_hist_tag;
    $command = $new_command;
    1;
}

sub numerically { $a <=> $b; }

# This is a sort routine that will sort numerically on the
# keys of a hash as if it were a normal array.
sub keynsort {
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort numerically keys(%lines)) {
	$sorted_lines[$i] = $lines{$key};
	$i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# keys of a hash as if it were a normal array.
sub keysort {
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort keys(%lines)) {
	$sorted_lines[$i] = $lines{$key};
	$i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# values of a hash as if it were a normal array.
sub valsort{
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort values %lines) {
	$sorted_lines[$i] = $key;
	$i++;
    }
    @sorted_lines;
}

# This is a numerical sort routine (ascending).
sub numsort {
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $num (sort {$a <=> $b} keys %lines) {
	$sorted_lines[$i] = $lines{$num};
	$i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# ip address when the ip address is anywhere in
# the strings.
sub ipsort {
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $addr (sort sortbyipaddr keys %lines) {
	$sorted_lines[$i] = $lines{$addr};
	$i++;
    }
    @sorted_lines;
}

# These two routines will sort based upon IP addresses
sub ipaddrval {
    my(@a) = ($_[0] =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)$#);
    $a[3] + 256 * ($a[2] + 256 * ($a[1] +256 * $a[0]));
}
sub sortbyipaddr {
    &ipaddrval($a) <=> &ipaddrval($b);
}

# This routine parses "get system"
sub GetSystem {
    print STDERR " In GetSystem: $_" if ($debug);

    while (<INPUT>) {
	tr/\015//d;
	next if /^\s*$/;
	last if (/$prompt/);

	next if (/^system time:/i);
	next if (/^\s*Virus-DB: .*/);
	next if (/^\s*Extended DB: .*/);
	next if (/^\s*IPS-DB: .*/);
	next if (/^FortiClient application signature package:/);

	ProcessHistory("","","","#$_");
    }
    ProcessHistory("SYSTEM","","","\n");
    return(0);
}

sub GetFile {
    print STDERR " In GetFile: $_" if ($debug);

    while (<INPUT>) {
	last if (/$prompt/);
    }
    ProcessHistory("FILE","","","\n");
    return(0);
}

sub GetConf {
    print STDERR " In GetConf: $_" if ($debug);

    while (<INPUT>) {
	tr/\015//d;
	next if /^\s*$/;
	last if (/$prompt/);

	# System time is fortigate extraction time
	next if (/^\s*!System time:/);
	# remove occurrences of conf_file_ver
	next if (/^#?conf_file_ver=/);
	# filter variabilities between configurations. password encryption
	# upon each display of the configuration.
	if (/^\s*(set [^\s]*)\s(Enc\s[^\s]+)(.*)/i && $filter_pwds > 0 ) {
	    ProcessHistory("ENC","","","#$1 ENC $3\n");
	    next;
	}
	ProcessHistory("","","","$_");
    }
    $found_end = 1;
    return(1);
}

# dummy function
sub DoNothing {print STDOUT;}

# Main
@commandtable = (
	{'get system status'		=> 'GetSystem'},
	{'show full-configuration'	=> 'GetConf'}
);
# Use an array to preserve the order of the commands and a hash for mapping
# commands to the subroutine and track commands that have been completed.
@commands = map(keys(%$_), @commandtable);
%commands = map(%$_, @commandtable);

$cisco_cmds=join(";",@commands);
$cmds_regexp = join("|", map quotemeta($_), @commands);

if (length($host) == 0) {
    if ($file) {
	print(STDERR "Too few arguments: file name required\n");
	exit(1);
    } else {
	print(STDERR "Too few arguments: host name required\n");
	exit(1);
    }
}
open(OUTPUT,">$host.new") || die "Can't open $host.new for writing: $!\n";
select(OUTPUT);
# make OUTPUT unbuffered if debugging
if ($debug) { $| = 1; }

if ($file) {
    print STDERR "opening file $host\n" if ($debug);
    print STDOUT "opening file $host\n" if ($log);
    open(INPUT,"<$host") || die "open failed for $host: $!\n";
} else {
    print STDERR "executing fnlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
    print STDOUT "executing fnlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
    if (defined($ENV{NOPIPE}) && $ENV{NOPIPE} =~ /^YES/i) {
	system "fnlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null > $host.raw 2>&1" || die "fnlogin failed for $host: $!\n";
	open(INPUT, "< $host.raw") || die "fnlogin failed for $host: $!\n";
    } else {
	open(INPUT,"fnlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null |") || die "fnlogin failed for $host: $!\n";
    }
}

TOP: while(<INPUT>) {
    tr/\015//d;
    if (/^Error:/) {
	print STDOUT ("$host fnlogin error: $_");
	print STDERR ("$host fnlogin error: $_") if ($debug);
	last;
    }
    while (/^.+(#|\$)\s*($cmds_regexp)\s*$/) {
	$cmd = $2;
	# - FortiGate prompts end with either '#' or '$'. Further, they may
	# be prepended with a '~' if the hostname is too long. Therefore,
	# we need to figure out what our prompt really is.
	if (!defined($prompt)) {
	    if ($_ =~ m/^.+\~\$/) {
		$prompt = '\~\$ .*';
	    } else {
		if ($_ =~ m/^.+\$/) {
		    $prompt = ' \$ .*';
		} else {
		    if ($_ =~ m/^.+\~#/) {
			$prompt = '\~# .*';
		    } else {
			if ($_ =~ m/^.+#/) {
			    $prompt = ' # .*';
			}
		    }
		}
	    }
	}
	print STDERR ("HIT COMMAND:$_") if ($debug);
	if (!defined($commands{$cmd})) {
	    print STDERR "$host: found unexpected command - \"$cmd\"\n";
	    last TOP;
	}
	$rval = &{$commands{$cmd}};
	delete($commands{$cmd});
	if ($rval == -1) {
	    last TOP;
	}
    }
}
print STDOUT "Done $logincmd: $_\n" if ($log);
# Flush History
ProcessHistory("","","","");
# Cleanup
close(INPUT);
close(OUTPUT);

if (defined($ENV{NOPIPE}) && $ENV{NOPIPE} =~ /^YES/i) {
    unlink("$host.raw") if (! $debug);
}

# check for completeness
if (scalar(%commands) || !$found_end) {
    if (scalar(%commands)) {
	printf(STDOUT "$host: missed cmd(s): %s\n", join(',', keys(%commands)));
	printf(STDERR "$host: missed cmd(s): %s\n", join(',', keys(%commands))) if ($debug);
    }
    if (!$found_end) {
	print STDOUT "$found_end: found end\n";
	print STDOUT "$host: End of run not found\n";
	print STDERR "$host: End of run not found\n" if ($debug);
	system("/usr/bin/tail -1 $host.new");
    }
    unlink "$host.new" if (! $debug);
}

From adam.korab at gmail.com Thu Jul 7 16:47:28 2011 
From: adam.korab at gmail.com (Adam Korab) Date: Thu, 7 Jul 2011 11:47:28 -0500 Subject: [rancid] excluding certain lines from diffs without editing @commandtable - fnrancid In-Reply-To: <20110707170445.GC29900@shrubbery.net> References: <20110707170445.GC29900@shrubbery.net> Message-ID: On Thu, Jul 7, 2011 at 12:04 PM, john heasley wrote: > > what will become 2.3.7 has filters for these. attached. Cool, thanks! > any idea why this would change constantly? i'd have thought that private > keys wouldnt change unless an admin changed them. No idea, unless it's used for HA sync and gets constantly regenerated or something. How would I modify fnlogin.in to also exclude DEK-Info? --Adam From adam.korab at gmail.com Thu Jul 7 16:55:31 2011 From: adam.korab at gmail.com (Adam Korab) Date: Thu, 7 Jul 2011 11:55:31 -0500 Subject: [rancid] excluding certain lines from diffs without editing @commandtable - fnrancid In-Reply-To: <20110707170445.GC29900@shrubbery.net> References: <20110707170445.GC29900@shrubbery.net> Message-ID: On Thu, Jul 7, 2011 at 12:04 PM, john heasley wrote: > > what will become 2.3.7 has filters for these. attached. In other news, dropping this in place over $PREFIX/bin/fnrancid causes breakage. Did I miss a step here? Trying to get all of the configs. exec failed router manufacturer fortigate: No such file or directory ===================================== Getting missed routers: round 1. exec failed router manufacturer fortigate: No such file or directory ===================================== Getting missed routers: round 2. exec failed router manufacturer fortigate: No such file or directory ===================================== Getting missed routers: round 3. exec failed router manufacturer fortigate: No such file or directory ===================================== Getting missed routers: round 4. exec failed router manufacturer fortigate: No such file or directory From adam.korab at gmail.com Thu Jul 7 16:56:33 2011 
From: adam.korab at gmail.com (Adam Korab) Date: Thu, 7 Jul 2011 11:56:33 -0500 Subject: [rancid] excluding certain lines from diffs without editing @commandtable - fnrancid In-Reply-To: References: <20110707170445.GC29900@shrubbery.net> Message-ID: On Thu, Jul 7, 2011 at 11:47 AM, Adam Korab wrote: > > How would I modify fnlogin.in to also exclude DEK-Info? and I meant fnrancid.in here, not fnlogin.in -- just to preemptively avoid confusion. --Adam From heas at shrubbery.net Thu Jul 7 17:20:38 2011 From: heas at shrubbery.net (john heasley) Date: Thu, 7 Jul 2011 17:20:38 +0000 Subject: [rancid] excluding certain lines from diffs without editing @commandtable - fnrancid In-Reply-To: References: <20110707170445.GC29900@shrubbery.net> Message-ID: <20110707172038.GE29900@shrubbery.net> Thu, Jul 07, 2011 at 11:55:31AM -0500, Adam Korab: > On Thu, Jul 7, 2011 at 12:04 PM, john heasley wrote: > > > > what will become 2.3.7 has filters for these. attached. > > In other news, dropping this in place over $PREFIX/bin/fnrancid causes > breakage. Did I miss a step here? you probably didnt replace the interpreter line. From bldewolf at csupomona.edu Thu Jul 7 23:25:57 2011 
From: bldewolf at csupomona.edu (Brian De Wolf) Date: Thu, 7 Jul 2011 16:25:57 -0700 Subject: [rancid] Cisco ACSW support Message-ID: <20110707162557.689df7b3@woof> Hello, I found a patch on this list from 2008 that added ACSW support but it doesn't appear to have ever been merged. Further, after applying it, rancid still didn't work. I have attached a revised patch that makes it work again by adding a ";" to the end of the list of commands. The problem was that, in this case, WriteTerm was eating the line that held "$prompt exit" so rancid assumed clogin exited uncleanly. Instead, this makes the switch print an extra prompt for WriteTerm to eat so that rancid can see the exit line and realize that everything went as expected. Next, once we have a rancid run working correctly, I noticed it wasn't hiding the tacacs passwords right. This exposed a really broken regex in rancid: /^((tacacs|radius)-server\s(\w*[-\s(\s\S+])*\s?key) (\d )?\w+/ I've rewritten it to be less mind-bending, and added optional quotes around the \w+ to support the style ACSW uses. Please consider these patches for inclusion in future versions. Thanks! Brian -------------- next part -------------- A non-text attachment was scrubbed... Name: rancid-acsw.patch Type: text/x-patch Size: 1729 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: rancid-tacacs-regex.patch Type: text/x-patch Size: 487 bytes Desc: not available URL: From krzysztof.zygmunt at gmail.com Fri Jul 8 08:14:14 2011 
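An added example for the tacacs/radius key filter discussed in Brian De Wolf's message above; it is not his patch (the archive scrubbed it) and not rancid's own code. It runs the regex quoted in the message and one possible rewrite over constructed config lines; the `redact` sub, the rewritten pattern, the `<removed>` placeholder and the sample lines are all assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: compare the quoted key-filter regex with a rewrite that
# accepts a double-quoted secret. All sample data below is constructed.
use strict;
use warnings;

# The regex quoted in the message. Its bracket expression [-\s(\s\S+]
# contains both \s and \S, so it matches any character at all, and the
# trailing \w+ cannot match a secret that is wrapped in double quotes.
my $old_re = qr/^((tacacs|radius)-server\s(\w*[-\s(\s\S+])*\s?key) (\d )?\w+/;

# One possible rewrite (an assumption, not the scrubbed patch):
#   $1   everything up to and including the "key" keyword
#   then an optional encryption-type digit
#   then the secret: a double-quoted string or a run of non-blank characters
my $new_re = qr/^((?:tacacs|radius)-server\s+(?:\S+\s+)*?key)\s+(?:\d\s+)?(?:"[^"]*"|\S+)/;

# Replace the matched secret with a placeholder and keep whatever follows
# the match. A line that does not match is returned unchanged.
sub redact {
    my ($re, $line) = @_;
    return $line unless $line =~ $re;
    return "!$1 <removed>" . substr($line, $+[0]);
}

# Constructed sample lines: unquoted key, quoted key without a type digit,
# quoted key with a type digit, and a line that carries no key.
my @sample = (
    'tacacs-server host 192.0.2.10 key 7 1511021F0725',
    'tacacs-server key "s3cr3t"',
    'radius-server host 192.0.2.20 key 7 "1511021F0725"',
    'radius-server timeout 5',
);

for my $line (@sample) {
    printf "in : %s\nold: %s\nnew: %s\n\n",
        $line, redact($old_re, $line), redact($new_re, $line);
}
```

With the quoted regex the second sample line is left untouched, and on the third the match ends at the `7`, so the quoted secret is carried along in the text after the match. The rewritten pattern consumes the quoted string in both cases.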
From: krzysztof.zygmunt at gmail.com (Krzysztof Zygmunt) Date: Fri, 8 Jul 2011 10:14:14 +0200 Subject: [rancid] excluding certain lines from diffs without editing @commandtable - fnrancid In-Reply-To: <20110707170445.GC29900@shrubbery.net> References: <20110707170445.GC29900@shrubbery.net> Message-ID: Hi, 2011/7/7 john heasley : > Thu, Jul 07, 2011 at 11:00:25AM -0500, Adam Korab: >> - !System time: Thu Jul ?7 02:02:09 2011 >> + !System time: Thu Jul ?7 03:02:11 2011 >> >> - #conf_file_ver=9393629122155995517 >> + #conf_file_ver=4523938947618233296 > > what will become 2.3.7 has filters for these. attached. Awesome, I've been waiting for that so much. Thanks. > >> - DEK-Info: DES-EDE3-CBC >> - [blah blah private key] >> + DEK-Info: DES-EDE3-CBC >> + [blah blah other private key] > > any idea why this would change constantly? i'd have thought that private > keys wouldnt change unless an admin changed them. > >> So I figure it should be something along the lines of grep -v "System >> time","conf_file_ver" and "DEK-Info" but I don't know how to go about >> this. I found Dave LaPorte's post from 2006 in the archives >> (http://www.shrubbery.net/pipermail/rancid-discuss/2006-June/001542.html) >> but I'd like to make sure those changes would still work considering >> they apply to a 5 year old version of control_rancid and I'm using >> $RCSSYS = "svn". > > they should; just use svn options instead of cvs. > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > From smokeping123 at hotmail.com Mon Jul 11 04:04:15 2011 
From: smokeping123 at hotmail.com (Smokeping slt) Date: Mon, 11 Jul 2011 10:04:15 +0600 Subject: [rancid] Restore Older Rancid Configurations to Newer Rancid Server In-Reply-To: References: , , <20110630055725.GI9226@shrubbery.net>, Message-ID: hi all, Still I couldn't solve this issue. Where are these configuration revision numbers stored? I only take the backup of /usr/local/rancid directory. Even when I restore all the configurations, the revision numbers of each configuration file are not shown. I followed the installation process using this URL : http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch1_:_Network_Backups_With_Rancid Please help me to solve this out tnx -------------- next part -------------- An HTML attachment was scrubbed... URL: From gmccullagh at gmail.com Mon Jul 11 09:24:16 2011 
From: gmccullagh at gmail.com (Gavin McCullagh) Date: Mon, 11 Jul 2011 10:24:16 +0100 Subject: [rancid] excluding certain lines from diffs without editing @commandtable - fnrancid In-Reply-To: References: Message-ID: <20110711092416.GE5044@gmail.com> Hi, On Thu, 07 Jul 2011, Adam Korab wrote: > - DEK-Info: DES-EDE3-CBC > - [blah blah private key] > + DEK-Info: DES-EDE3-CBC > + [blah blah other private key] I discovered this problem too and patched fnrancid to ignore the key. I may have forgotten to post it back to the mailing list. My GetConf is now as follows:

sub GetConf {
    print STDERR " In GetConf: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        next if /^\s*$/;
        last if (/$prompt/);

        # spot the start of an RSA private key
        $priv_key = 1 if(/^\s*set private-key "-----BEGIN RSA PRIVATE KEY-----/);
        # spot the end of an RSA private key; clear the flag and skip the
        # END line as well
        if (/^\s*-----END RSA PRIVATE KEY-----"/) {
            $priv_key = 0;
            next;
        }
        next if($priv_key == 1);

        # remove occurrences of conf_file_ver
        next if (/^#?conf_file_ver=/);

        # filter variabilities between configurations. password encryption
        # upon each display of the configuration.
        if (/^\s*(set [^\s]*)\s(Enc\s[^\s]+)(.*)/i && $filter_pwds > 0 ) {
            ProcessHistory("ENC","","","#$1 ENC $3\n");
            next;
        }
        ProcessHistory("","","","$_");
    }
    $found_end = 1;
    return(1);
}

I asked Fortinet support who said: ------------------------------------------------------------------------------------ Dear Gavin, Certificate private key will keep changing every time you make a configuration change. This is because the private key is printed by an OpenSSL function which uses a new random number as the salt each time the function is called. So there is no way to keep it unchanged. It does not mean that the associated certificate is changing. ------------------------------------------------------------------------------------ so I figure it makes sense to just ignore it from rancid. 
My recollection is that it changed more often than at each config update, but it took me a fair bit of time to get this answer, so I figured this would do. Gavin From hugo.deprez at gmail.com Mon Jul 11 12:56:22 2011 From: hugo.deprez at gmail.com (Hugo Deprez) Date: Mon, 11 Jul 2011 14:56:22 +0200 Subject: [rancid] Rancid notification with SSMTP Message-ID: Hello, I am trying to setup e-mail notification for rancid. I am currently using rancid 2.3.6 on Debian. On the server we are using SSMTP to send mail notification. My problem is that SSMTP does not support aliases. Is there a way to configure mail notification for rancid with ssmtp ? Regards Hugo -------------- next part -------------- An HTML attachment was scrubbed... URL: From heas at shrubbery.net Mon Jul 11 18:56:00 2011 From: heas at shrubbery.net (john heasley) Date: Mon, 11 Jul 2011 18:56:00 +0000 Subject: [rancid] Rancid notification with SSMTP In-Reply-To: References: Message-ID: <20110711185600.GC28490@shrubbery.net> Mon, Jul 11, 2011 at 02:56:22PM +0200, Hugo Deprez: > Hello, > > I am trying to setup e-mail notification for rancid. > I am currently using rancid 2.3.6 on Debian. > > On the server we are using SSMTP to send mail notification. > > My problem is that SSMTP does not support aliases. > > Is there a way to configure mail notification for rancid with ssmtp ? Postfix? seriously, postfix is pretty simple. dont see the point in ssmtp, except for an embedded system. otherwise, ssmtp probably has a so-called "smart host" configuration. perhaps you can put the aliases on the smart host. From bldewolf at csupomona.edu Mon Jul 11 19:07:44 2011 
From: bldewolf at csupomona.edu (Brian De Wolf) Date: Mon, 11 Jul 2011 12:07:44 -0700 Subject: [rancid] Rancid notification with SSMTP In-Reply-To: References: Message-ID: <20110711120744.09a0f25d@woof> On Mon, 11 Jul 2011 05:56:22 -0700 Hugo Deprez wrote: > Hello, > > I am trying to setup e-mail notification for rancid. > I am currently using rancid 2.3.6 on Debian. > > On the server we are using SSMTP to send mail notification. > > My problem is that SSMTP does not support aliases. > > Is there a way to configure mail notification for rancid with ssmtp ? I ran into this same problem (the lack of configurable recipients) when I rolled out RANCID. Instead of fiddling with my mail config, I patched RANCID to be configurable. I have attached the patch I made, adjusted for 2.3.6. Two caveats with this patch, now that I review it (it's been a while): 1) It restricts group names to valid environment variable names. This bit me when I first used it because I was using dashes. 2) It uses bashisms in control_rancid, so the shebang should probably be /bin/bash or the "${!var}" expressions should be converted to something like "$(eval "echo\$${var}")". Good luck! -------------- next part -------------- A non-text attachment was scrubbed... Name: rancid-2.3.6-customizations.patch Type: text/x-patch Size: 5652 bytes Desc: not available URL: From smokeping123 at hotmail.com Tue Jul 12 06:58:01 2011 
From: smokeping123 at hotmail.com (Smokeping slt)
Date: Tue, 12 Jul 2011 12:58:01 +0600
Subject: [rancid] Restore Older Rancid Configurations to Newer Rancid Server
In-Reply-To:
References: , , <20110630055725.GI9226@shrubbery.net>, , ,
Message-ID:

hi,

tnx for your reply.

I searched for the files that you have mentioned. But I couldn't find such a file.

[root at rancid ~]# find / -name *.cvs
[root at rancid ~]# find / -name *.svn
/usr/share/doc/pcsc-lite-1.4.4/ChangeLog.svn
[root at rancid ~]#

So this should not be the files which stored revision numbers. I couldn't find where they are stored

your responses are highly.

tnx

Date: Mon, 11 Jul 2011 10:59:13 -0700
Subject: Re: [rancid] Restore Older Rancid Configurations to Newer Rancid Server
From: rancid at gheek.net
To: smokeping123 at hotmail.com

The revision number is stored as part of the SVN/CVS. It should be in the .cvs or .svn files somewhere.

2011/7/10 Smokeping slt

hi all,

Still I couldn't solve this issue. Where are these configuration revision numbers stored? I only take the backup of /usr/local/rancid directory. Even if I restore all the configurations, revision numbers of each configuration file are not shown.

I followed the installation process using this URL: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch1_:_Network_Backups_With_Rancid

Please help me to solve this out

tnx

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss

From hugo.deprez at gmail.com Tue Jul 12 19:01:11 2011
From: hugo.deprez at gmail.com (Hugo Deprez)
Date: Tue, 12 Jul 2011 21:01:11 +0200
Subject: [rancid] Rancid notification with SSMTP
In-Reply-To: <20110711120744.09a0f25d@woof>
References: <20110711120744.09a0f25d@woof>
Message-ID:

Hello,

thank you for your answer Brian.

The solution I found is to create an alias using virtual_alias_maps (I define my alias from my LDAP server).
It works great and it didn't take much time!

John, postfix is simple there is no issue with that. SSMTP is just doing what I am expecting from him (sending mail), so that's perfect.

Regards,

Hugo

On 11 July 2011 21:07, Brian De Wolf wrote:

> On Mon, 11 Jul 2011 05:56:22 -0700
> Hugo Deprez wrote:
>
> > Hello,
> >
> > I am trying to set up e-mail notification for rancid.
> > I am currently using rancid 2.3.6 on Debian.
> >
> > On the server we are using SSMTP to send mail notification.
> >
> > My problem is that SSMTP does not support aliases.
> >
> > Is there a way to configure mail notification for rancid with ssmtp?
>
> I ran into this same problem (the lack of configurable recipients) when
> I rolled out RANCID. Instead of fiddling with my mail config, I
> patched RANCID to be configurable. I have attached the patch I made,
> adjusted for 2.3.6.
>
> Two caveats with this patch, now that I review it (it's been a while):
> 1) It restricts group names to valid environment variable names. This
> bit me when I first used it because I was using dashes.
> 2) It uses bashisms in control_rancid, so the shebang should probably
> be /bin/bash or the "${!var}" expressions should be converted to
> something like "$(eval "echo \$${var}")".
>
> Good luck!

From ler762 at gmail.com Wed Jul 13 23:57:57 2011
From: ler762 at gmail.com (Lee)
Date: Wed, 13 Jul 2011 19:57:57 -0400
Subject: [rancid] Need some Help - F5's in RANCID
In-Reply-To:
References: <4B27155520357F40B66920DD4F83715A01E0410F7D@reb-se-srv-19> <20110622165121.GH10691@shrubbery.net> <20110624155811.GD23349@shrubbery.net>
Message-ID:

On 6/30/11, Lee wrote:
> On 6/28/11, Jethro R Binks wrote:
>> On Mon, 27 Jun 2011, Lee wrote:
>>
>>> After seeing that the regularly scheduled rancid run failed to get
>>> several F5 configs this morning I ran it manually:
>>>
>>> export NOPIPE=YES
>>> rancid-run F5
>>>
>>> rancid collected all the configs & no errors in the log. Crontab
>>> kicked off the rancid run later in the day & several F5s showed up in
>>> the log with the
>>> missed cmd(s): ls --full-time --color=never /config/ssl/ssl.crt,ls
>>> --full-time --color=never /config/ssl/ssl.key
>>>
>>> again, run rancid manually with NOPIPE=YES and everything works.
>>>
>>> Any thoughts on how to debug the problem would be appreciated since
>>> the standard debugging suggestion is to set NOPIPE and use the -d
>>> option. I have yet to see rancid fail to get an F5 config if nopipe
>>> is set
>>
>> In that case, in rancid.conf you can set NOPIPE permanently:
>>
>> # if NOPIPE is set, temp files will be used instead of a cmd pipe during
>> # collection from the router(s).
>> NOPIPE=YES; export NOPIPE
>
> Well!! It doesn't seem to depend on NOPIPE. rancid run manually to
> collect F5 configs works -- with NOPIPE set or clear. Rancid run from
> crontab sometimes works, sometimes not.
>
> Unless someone beats me to it (hint, hint :) I'll try to figure out
> next week if it's an env. variable setting missing from the crontab
> run that's causing the problem

I've been dicking with this off & on for about a week now & I'm stuck.
How do you change the line width on an F5???

(names changed to protect the guilty :)

[prompt] ~ # bigpipe route static show^M
No Routing Table Entries were found.^M
[prompt] ~ # stty cols 160^M
[prompt] ~ # ls --full-time --color=never /config/ssl/ssl ^M.crt^M
total 3056^M

that space, carriage return on the echoed "ls --full-time" command occurs at column 81. Even with an "stty cols 160" added to the f5rancid commandtable the darn F5 *still* splits the echoed command at column 80 when rancid is called via crontab.

The annoying part is that logging in from a term window of 132 columns I can use stty to change the width down to 80 and see the F5 add the in the echoed output. Do an 'stty cols 160' and it echoes the command with no added carriage returns.

So..... am I doing something wrong? "stty cols NNN" works when I ssh in but it's not working for me when rancid is called from cron. Is there some other way to tell an F5 not to default to "stty cols 80" or not to do line wraps?

TIA,
Lee

From ler762 at gmail.com Thu Jul 14 00:10:51 2011
From: ler762 at gmail.com (Lee)
Date: Wed, 13 Jul 2011 20:10:51 -0400
Subject: [rancid] rancid 2.3.6: clogin with multiple devices fails... ($autologin not defined)
In-Reply-To:
References:
Message-ID:

On 7/6/11, Jon Peatfield wrote:
> On Thu, 23 Jun 2011, Lee wrote:
>
>> Hi,
>
>>>
>>>
>>> So is this something specific to my copy of rancid, or is this just a
>>> well
>>> known thing to be avoided?
>>
>> I'd never tried it before, so I stayed quiet :) But it's easy enough
>> to test, so
>> clogin -c "sh ip eigrp int" router1 router2 router3 ... router20
>> worked for me using rancid 2.3.6
>
> As discussed off the list, it works ok if clogin isn't set to use enable
> ie if you have autoenable or noenable set.
>
> The bug seems is triggered if the $enable variable gets set, then the next
> time round the loop it calls code which references a variable which isn't
> defined (anywhere in the code).
>
> I can see a number of possible fixes to the current clogin code but would
> prefer an expert to take a look at it...

... crickets ...

OK, how 'bout a proposed fix? Starting at my line 756 in clogin it's:

    set enable 0
    foreach router [lrange $argv $i end] {
        set router [string tolower $router]
        # attempt at platform switching.

Fix is to move the "set enable 0" line after the "foreach router [..." line.

Lee

From J.S.Peatfield at damtp.cam.ac.uk Thu Jul 14 00:57:21 2011
From: J.S.Peatfield at damtp.cam.ac.uk (Jon Peatfield)
Date: Thu, 14 Jul 2011 01:57:21 +0100 (BST)
Subject: [rancid] rancid 2.3.6: clogin with multiple devices fails... ($autologin not defined)
In-Reply-To:
References:
Message-ID:

On Wed, 13 Jul 2011, Lee wrote:

>> I can see a number of possible fixes to the current clogin code but would
>> prefer an expert to take a look at it...
>
> ... crickets ...
>
> OK, how 'bout a proposed fix? Starting at my line 756 in clogin it's:
> set enable 0
> foreach router [lrange $argv $i end] {
> set router [string tolower $router]
> # attempt at platform switching.
>
> Fix is to move the "set enable 0" line after the "foreach router [..." line.

Which does seem to fix it, or at least hide the underlying problems...

My worry is that the code is testing $enable in the loop before it can be set other than to 0, so either the testing of $enable code is wrong, or it really is intended to be the value of $enable from the *previous* time round the loop, in which case the fix may break something subtle...

Then there is the use of $autoenable itself, which I assume was left when the variable was renamed, but it isn't obvious (to me) if that should be $avautoenable or $ae since I don't understand what the test is meant to be doing...

So we have (in the unfixed 2.3.6):

    ...
    set enable 0
    foreach router [lrange $argv $i end] {
        ...
        # look for noenable option in .cloginrc
        if { [find noenable $router] == "1" } {
            set enable 0
        }
        ...
        if { $enable && $do_enapasswd && $autoenable == 0 && [llength $pswd] < 2 } {
            send_user -- "\nError: no enable password for $router in $password_file.\n"
            continue
        }
        ...
        ...
    }

so maybe that test of $enable just needs to be moved after the places where enable is set...

I clearly don't understand the code.

-- Jon

From ler762 at gmail.com Fri Jul 15 00:08:22 2011
From: ler762 at gmail.com (Lee)
Date: Thu, 14 Jul 2011 20:08:22 -0400
Subject: [rancid] Need some Help - F5's in RANCID
In-Reply-To:
References: <4B27155520357F40B66920DD4F83715A01E0410F7D@reb-se-srv-19> <20110622165121.GH10691@shrubbery.net> <20110624155811.GD23349@shrubbery.net>
Message-ID:

On 7/13/11, Lee wrote:
> On 6/30/11, Lee wrote:
>> On 6/28/11, Jethro R Binks wrote:
>>> On Mon, 27 Jun 2011, Lee wrote:

<.. snip talk about NOPIPE & line width ..>

> [prompt] ~ # bigpipe route static show^M
> No Routing Table Entries were found.^M
> [prompt] ~ # stty cols 160^M
> [prompt] ~ # ls --full-time --color=never /config/ssl/ssl ^M.crt^M
> total 3056^M
>
> that space, carriage return on the echoed "ls --full-time" command
> occurs at column 81. Even with an "stty cols 160" added to the
> f5rancid commandtable the darn F5 *still* splits the echoed command at
> column 80 when rancid is called via crontab.

Sprinkle enough "s/ \015//;" lines in f5rancid after the "while () {" and it works for me now when run from cron (see attached patch)

I do not know perl; I'd appreciate it if someone could explain why "tr/ \015//d;" doesn't get rid of the embedded [space][cr] but "s/ \015//;" does.

It would also be nice if someone could figure out how to change the F5 line width to 160 chars from the default 80. I think that'd be better than removing any embedded [space][cr]

Lee

-------------- next part --------------
A non-text attachment was scrubbed...
Name: f5rancid.diff
Type: application/octet-stream
Size: 1783 bytes
Desc: not available
URL:

From bohara at ripe.net Fri Jul 15 16:46:41 2011
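Added example, not from the thread and not from f5rancid or the scrubbed f5rancid.diff: the tr-versus-s question in Lee's message above, reproduced with tr(1) and sed(1), which draw the same distinction as Perl's tr///d (a set of characters) and s/// (a sequence). The sample line is constructed from the session output quoted in the message; the function names are assumptions.

```shell
#!/bin/sh
# Added example: deleting the SET {space, CR} is not the same as deleting
# the SEQUENCE <space><CR> that marks a wrapped, echoed command.

CR=$(printf '\r')

# Constructed sample: the echoed command as quoted in the thread, wrapped at
# column 80 with <space><CR>, plus the normal line-ending CR.
ECHOED="ls --full-time --color=never /config/ssl/ssl ${CR}.crt${CR}"
# What the collector has to see to recognise the command it sent.
EXPECTED='ls --full-time --color=never /config/ssl/ssl.crt'

# Like Perl's tr/ \015//d: removes every space and every CR, one by one,
# so the separators between the command's words disappear as well.
strip_set() {
    printf '%s\n' "$1" | tr -d ' \r'
}

# Like tr/\015//d alone: the CRs go, but the wrap's space stays behind.
strip_cr() {
    printf '%s\n' "$1" | tr -d '\r'
}

# Like s/ \015//g followed by tr/\015//d: remove the wrap marker as a unit
# first, then the remaining line-ending CR. The g flag covers a command
# long enough to wrap more than once.
strip_wrap() {
    printf '%s\n' "$1" | sed "s/ ${CR}//g" | tr -d '\r'
}

# recognised LINE: succeed if LINE equals the command that was sent.
recognised() {
    [ "$1" = "$EXPECTED" ]
}
```

Only strip_wrap yields a line that recognised accepts; the order matters, because once the CR has been deleted the leftover space can no longer be told apart from the command's own spaces.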
From: bohara at ripe.net (Ben O'Hara)
Date: Fri, 15 Jul 2011 18:46:41 +0200
Subject: [rancid] Need some Help - F5's in RANCID
In-Reply-To:
References: <4B27155520357F40B66920DD4F83715A01E0410F7D@reb-se-srv-19> <20110622165121.GH10691@shrubbery.net> <20110624155811.GD23349@shrubbery.net>
Message-ID: <847CBFE2-6D09-42AA-9930-A94B6ABD4335@ripe.net>

On 15 Jul 2011, at 02:08, Lee wrote:

> On 7/13/11, Lee wrote:
>> On 6/30/11, Lee wrote:
>>> On 6/28/11, Jethro R Binks wrote:
>>>> On Mon, 27 Jun 2011, Lee wrote:
> <.. snip talk about NOPIPE & line width ..>
>
>> [prompt] ~ # bigpipe route static show^M
>> No Routing Table Entries were found.^M
>> [prompt] ~ # stty cols 160^M
>> [prompt] ~ # ls --full-time --color=never /config/ssl/ssl ^M.crt^M
>> total 3056^M
>>
>> that space, carriage return on the echoed "ls --full-time" command
>> occurs at column 81. Even with an "stty cols 160" added to the
>> f5rancid commandtable the darn F5 *still* splits the echoed command at
>> column 80 when rancid is called via crontab.
>
> Sprinkle enough "s/ \015//;" lines in f5rancid after the "while
> () {" and it works for me now when run from cron (see attached
> patch)
>
> I do not know perl; I'd appreciate it if someone could explain why
> "tr/ \015//d;" doesn't get rid of the embedded [space][cr] but "s/
> \015//;" does.
>
> It would also be nice if someone could figure out how to change the F5
> line width to 160 chars from the default 80. I think that'd be better
> than removing any embedded [space][cr]
>
> Lee

Hi,

FYI, I applied this patch this morning and haven't seen any problems since, thanks!

Ben

--
Ben O'Hara
RIPE Network Coordination Center
Senior Systems Engineer
Singel 258, Amsterdam, NL
http://www.ripe.net
+31 20 535 4444
PGP Fingerprint: 080A 52FF BF0A A7FB F176 E7DB 513D 9A3D E968 7DBC

From ler762 at gmail.com Sat Jul 16 17:26:41 2011
From: ler762 at gmail.com (Lee)
Date: Sat, 16 Jul 2011 13:26:41 -0400
Subject: [rancid] Need some Help - F5's in RANCID
In-Reply-To: <847CBFE2-6D09-42AA-9930-A94B6ABD4335@ripe.net>
References: <4B27155520357F40B66920DD4F83715A01E0410F7D@reb-se-srv-19> <20110622165121.GH10691@shrubbery.net> <20110624155811.GD23349@shrubbery.net> <847CBFE2-6D09-42AA-9930-A94B6ABD4335@ripe.net>
Message-ID:

On 7/15/11, Ben O'Hara wrote:
>
> On 15 Jul 2011, at 02:08, Lee wrote:
>
>> On 7/13/11, Lee wrote:
>>> On 6/30/11, Lee wrote:
>>>> On 6/28/11, Jethro R Binks wrote:
>>>>> On Mon, 27 Jun 2011, Lee wrote:
>> <.. snip talk about NOPIPE & line width ..>
>>
>>> [prompt] ~ # bigpipe route static show^M
>>> No Routing Table Entries were found.^M
>>> [prompt] ~ # stty cols 160^M
>>> [prompt] ~ # ls --full-time --color=never /config/ssl/ssl ^M.crt^M
>>> total 3056^M
>>>
>>> that space, carriage return on the echoed "ls --full-time" command
>>> occurs at column 81. Even with an "stty cols 160" added to the
>>> f5rancid commandtable the darn F5 *still* splits the echoed command at
>>> column 80 when rancid is called via crontab.
>>
>> Sprinkle enough "s/ \015//;" lines in f5rancid after the "while
>> () {" and it works for me now when run from cron (see attached
>> patch)
>>
>> I do not know perl; I'd appreciate it if someone could explain why
>> "tr/ \015//d;" doesn't get rid of the embedded [space][cr] but "s/
>> \015//;" does.
>>
>> It would also be nice if someone could figure out how to change the F5
>> line width to 160 chars from the default 80. I think that'd be better
>> than removing any embedded [space][cr]
>>
>> Lee
>
> Hi,
>
> FYI, I applied this patch this morning and haven't seen any problems since,
> thanks!

Great! Thanks for confirming it works :)

Lee

From slackert at gmail.com Mon Jul 18 15:16:52 2011
From: slackert at gmail.com (Slacker T) Date: Mon, 18 Jul 2011 10:16:52 -0500 Subject: [rancid] Fortigate false notifications Message-ID: Hello, I'm running rancid 2.3.6 and am having trouble with the config change notification "flapping". The content of the config isn't really changing, just different whitespace and sometimes crlf's. Wasn't sure if others have had this problem and whether it can be fixed on the firewall or within rancid. Maybe tell rancid to ignore leading and trailing whitespace....not sure about the errant crlf's. Firewall info: Fortigate-620B v4.0,build0313,110301 (MR2 Patch 4) Rancid info: 2.36 on CentOS 5.6 compiled from source Output of last few updates: Index: configs/fortigate.example.com =================================================================== - -- configs/fortigate.example.com????? (revision 2556) ????? set gui-ipv6 disable ????? set gui-lines-per-page 50 ????? set gui-load-balance enable - set gui-object-tags disable +???? set gui-object-tags disable ????? set gui-policy-interface-pairs-view enable ????? set gui-voip-profile disable ????? set hostname "fortigate" Index: configs/fortigate.example.com =================================================================== - -- configs/fortigate.example.com????? (revision 2549) @@ -75,7 +75,7 @@ ????? set gui-ipv6 disable ????? set gui-lines-per-page 50 ????? set gui-load-balance enable -???? set gui-object-tags disable + set gui-object-tags disable ????? set gui-policy-interface-pairs-view enable ????? set gui-voip-profile disable Index: configs/fortigate.example.com =================================================================== - -- configs/fortigate.example.com????? (revision 2554) @@ -24,8 +24,7 @@ ????? set sw1 auto ? end ? config system amc-slot -???? edit - "sw1" +???? edit "sw1" ????? next ? end ? config system Index: configs/fortigate.example.com =================================================================== - -- configs/fortigate.example.com????? (revision 2553) 
@@ -24,7 +24,8 @@ ????? set sw1 auto ? end ? config system amc-slot -???? edit "sw1" +???? edit + "sw1" ????? next ? end ? config system global Index: configs/fortigate.example.com =================================================================== - -- configs/fortigate.example.com????? (revision 2552) @@ -24,8 +24,7 @@ ????? set sw1 auto ? end ? config system amc-slot -???? edit - "sw1" +???? edit "sw1" ????? next ? end ? config system From andy at benthamroad.co.uk Mon Jul 18 15:56:36 2011 From: andy at benthamroad.co.uk (Andy) Date: Mon, 18 Jul 2011 16:56:36 +0100 Subject: [rancid] Fortigate false notifications In-Reply-To: References: Message-ID: <013601cc4563$46228cd0$d267a670$@co.uk> If you haven't disabled the pager in fnlogin, then that is worth a try. I found that disabling the console pager improved things quite a lot, but I still see this happen occasionally on various different Fortigate models and OS versions. I also tried removing all leading spaces, but that led to a difficult to read configuration file. Andy -----Original Message----- 
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Slacker T Sent: 18 July 2011 16:17 To: rancid-discuss at shrubbery.net Subject: [rancid] Fortigate false notifications Hello, I'm running rancid 2.3.6 and am having trouble with the config change notification "flapping". The content of the config isn't really changing, just different whitespace and sometimes crlf's. Wasn't sure if others have had this problem and whether it can be fixed on the firewall or within rancid. Maybe tell rancid to ignore leading and trailing whitespace....not sure about the errant crlf's. Firewall info: Fortigate-620B v4.0,build0313,110301 (MR2 Patch 4) Rancid info: 2.36 on CentOS 5.6 compiled from source Output of last few updates: Index: configs/fortigate.example.com =================================================================== - -- configs/fortigate.example.com????? (revision 2556) ????? set gui-ipv6 disable ????? set gui-lines-per-page 50 ????? set gui-load-balance enable - set gui-object-tags disable +???? set gui-object-tags disable ????? set gui-policy-interface-pairs-view enable ????? set gui-voip-profile disable ????? set hostname "fortigate" Index: configs/fortigate.example.com =================================================================== - -- configs/fortigate.example.com????? (revision 2549) @@ -75,7 +75,7 @@ ????? set gui-ipv6 disable ????? set gui-lines-per-page 50 ????? set gui-load-balance enable -???? set gui-object-tags disable + set gui-object-tags disable ????? set gui-policy-interface-pairs-view enable ????? set gui-voip-profile disable Index: configs/fortigate.example.com =================================================================== - -- configs/fortigate.example.com????? (revision 2554) 
@@ -24,8 +24,7 @@ ????? set sw1 auto ? end ? config system amc-slot -???? edit - "sw1" +???? edit "sw1" ????? next ? end ? config system Index: configs/fortigate.example.com =================================================================== - -- configs/fortigate.example.com????? (revision 2553) @@ -24,7 +24,8 @@ ????? set sw1 auto ? end ? config system amc-slot -???? edit "sw1" +???? edit + "sw1" ????? next ? end ? config system global Index: configs/fortigate.example.com =================================================================== - -- configs/fortigate.example.com????? (revision 2552) @@ -24,8 +24,7 @@ ????? set sw1 auto ? end ? config system amc-slot -???? edit - "sw1" +???? edit "sw1" ????? next ? end ? config system _______________________________________________ Rancid-discuss mailing list Rancid-discuss at shrubbery.net http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From heas at shrubbery.net Mon Jul 18 18:28:57 2011 From: heas at shrubbery.net (john heasley) Date: Mon, 18 Jul 2011 18:28:57 +0000 Subject: [rancid] Fortigate false notifications In-Reply-To: <013601cc4563$46228cd0$d267a670$@co.uk> References: <013601cc4563$46228cd0$d267a670$@co.uk> Message-ID: <20110718182857.GJ27729@shrubbery.net> Mon, Jul 18, 2011 at 04:56:36PM +0100, Andy: > If you haven't disabled the pager in fnlogin, then that is worth a try. > > I found that disabling the console pager improved things quite a lot, but I > still see this happen occasionally on various different Fortigate models and > OS versions. agreed. you can try the attached more complex handling from clogin. I'm guessing a bit; it might need more tweaking to handle however this device wipes the pager prompt. -------------- next part -------------- Index: fnlogin.in =================================================================== --- fnlogin.in (revision 2318) +++ fnlogin.in (working copy) 
@@ -448,6 +448,9 @@ expect -re $prompt; send -- "end\r" expect -re $prompt; + # this is the only way i see to get rid of more prompts in o/p..grrrrr + log_user 0 + set commands [split $command \;] set num_commands [llength $commands] for {set i 0} {$i < $num_commands} { incr i} { @@ -456,10 +459,12 @@ -re "$prompt" { send "\r" sleep 0.5 } - -gl "--More--" { send " " + -gl "--More--\[^\n\r]*" { send " " exp_continue - -re "\[\n\r]+" { exp_continue } } + -re "\[^\r\n]*\[\n\r]+" { send_user -- "$expect_out(buffer)" + exp_continue + } } } expect { From ler762 at gmail.com Mon Jul 18 19:43:48 2011 From: ler762 at gmail.com (Lee) Date: Mon, 18 Jul 2011 15:43:48 -0400 Subject: [rancid] minor change to handle nexus 4000s Message-ID: The Nexus 4000s don't support the 'show environment power' command, so nxrancid doesn't collect the config. What works for me is to change ShowEnvPower to return 1 instead of -1 for /\% Invalid command at / I also added a 'next if (/^\s*\^\s*$/);' so it doesn't add a !Env: ^ line in the saved config file Lee From Alejandro.Sanchez at sitel.com Wed Jul 20 09:20:04 2011 
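Review bot: In the first fnlogin.in hunk above (@@ -448,6 +448,9 @@), log_user 0 is switched off just before the command loop and nothing in the visible lines switches it back on, so any later expect output that does not pass through the new send_user arm stays hidden. Either restore it with log_user 1 once the loop finishes, or extend the comment to say that staying silent through logout is intended.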
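Review bot: In the second fnlogin.in hunk above (@@ -456,10 +459,12 @@), the pager arm -gl "--More--\[^\n\r]*" is a glob match but [^\n\r]* is regular-expression syntax: Tcl glob brackets have no negation, so the bracket matches a single literal ^, newline or carriage return and the * then matches anything. If the intent is "--More-- plus the rest of that line", make this arm -re like the new line-echo arm added below it, so both arms agree on where a line ends.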
From: Alejandro.Sanchez at sitel.com (Alejandro Sanchez)
Date: Wed, 20 Jul 2011 11:20:04 +0200
Subject: [rancid] (no subject)
Message-ID: <0B16BB48CDB47B4DADCFFB52E938212AD4862B@es2852k3exchg01.emea.sitel-world.net>

Hi team,

My .cloginrc file is not working properly.
For some reason, is not using what I put on .cloginrc file

I just have

Add user * username
Add password * password enablepassword
Add method * ssh

But when I test the login with clogin x.x.x.x, it then tries to use telnet and the old credentials

Any idea?

**CONFIDENTIAL NOTICE**
This e-mail and any files transmitted with it may contain PRIVILEGED or CONFIDENTIAL information and may be read or used only by the intended recipient. If you are not the intended recipient of the e-mail or any of its attachments, please be advised that you have received this e-mail in error and that any use, dissemination, distribution, forwarding, printing, or copying of this e-mail or any attached files is strictly prohibited. If you have received this e-mail in error, please immediately purge it and all attachments and notify the sender by reply e-mail.

From gabbawp at gmail.com Wed Jul 20 09:27:27 2011
From: gabbawp at gmail.com (Gareth Hopkins)
Date: Wed, 20 Jul 2011 11:27:27 +0200
Subject: [rancid] (no subject)
In-Reply-To: <0B16BB48CDB47B4DADCFFB52E938212AD4862B@es2852k3exchg01.emea.sitel-world.net>
References: <0B16BB48CDB47B4DADCFFB52E938212AD4862B@es2852k3exchg01.emea.sitel-world.net>
Message-ID:

Hi Alejandro,

It sounds like clogin is referencing another .cloginrc file. You can make sure by using the -f flag when running clogin -

clogin -f /location/of/.cloginrc

Cheers,
Gareth

2011/7/20 Alejandro Sanchez

> Hi team,
>
> My .cloginrc file is not working properly.
>
> For some reason, is not using what I put on .cloginrc file
>
> I just have
>
> Add user * username
>
> Add password * password enablepassword
>
> Add method * ssh
>
> But when I test the login with clogin x.x.x.x, it then tries to use telnet
> and the old credentials
>
> Any idea?

From Alejandro.Sanchez at sitel.com Wed Jul 20 10:03:23 2011
From: Alejandro.Sanchez at sitel.com (Alejandro Sanchez)
Date: Wed, 20 Jul 2011 12:03:23 +0200
Subject: [rancid] (no subject)
References: <0B16BB48CDB47B4DADCFFB52E938212AD4862B@es2852k3exchg01.emea.sitel-world.net>
Message-ID: <0B16BB48CDB47B4DADCFFB52E938212AD4873B@es2852k3exchg01.emea.sitel-world.net>

Solved, thanks

I was logged as root and there were 2 .cloginrc files on both root and rancid2 user

Removed the root one

________________________________
From: Gareth Hopkins [mailto:gabbawp at gmail.com]
Sent: Wednesday, 20 July 2011 11:27
To: Alejandro Sanchez
CC: rancid-discuss at shrubbery.net
Subject: Re: [rancid] (no subject)

Hi Alejandro,

It sounds like clogin is referencing another .cloginrc file. You can make sure by using the -f flag when running clogin -

clogin -f /location/of/.cloginrc

Cheers,
Gareth

2011/7/20 Alejandro Sanchez

Hi team,

My .cloginrc file is not working properly.
For some reason, is not using what I put on .cloginrc file

I just have

Add user * username
Add password * password enablepassword
Add method * ssh

But when I test the login with clogin x.x.x.x, it then tries to use telnet and the old credentials

Any idea?

From Alejandro.Sanchez at sitel.com Wed Jul 20 14:37:44 2011
From: Alejandro.Sanchez at sitel.com (Alejandro Sanchez)
Date: Wed, 20 Jul 2011 16:37:44 +0200
Subject: [rancid] authentication groups on .cloginrc file
Message-ID: <0B16BB48CDB47B4DADCFFB52E938212AD48F48@es2852k3exchg01.emea.sitel-world.net>

Hi guys,

Is there a way to create different ways of authentication?

I have some devices that have tacacs and some just user/pass

Also I have some that have autoenable.

Thanks

Best Regards

Alejandro Sánchez Lucas
Network Specialist
SITEL EMEA GNS

From brez at brezworks.com Wed Jul 20 15:19:58 2011
From: brez at brezworks.com (Jeremy Bresley)
Date: Wed, 20 Jul 2011 10:19:58 -0500
Subject: [rancid] authentication groups on .cloginrc file
In-Reply-To: <0B16BB48CDB47B4DADCFFB52E938212AD48F48@es2852k3exchg01.emea.sitel-world.net>
References: <0B16BB48CDB47B4DADCFFB52E938212AD48F48@es2852k3exchg01.emea.sitel-world.net>
Message-ID: <4E26F21E.3090104@brezworks.com>

Yes, the cloginrc is parsed in order. So you can put your defaults as a * entry at the bottom of the file, and have your more specific entries above it.

Something like:

add user router123 localuser1
add user router* tacacsuser1
add user * tacacsuser2

router123 would use localuser1, all other devices matching router* would use tacacsuser1, and everything else would use tacacsuser2. Passwords/autoenable settings can be done this way as well.

Jeremy

On 7/20/2011 9:37 AM, Alejandro Sanchez wrote:
>
> Hi guys,
>
> Is there a way to create different ways of authentication?
>
> I have some devices that have tacacs and some just user/pass
>
> Also I have some that have autoenable.
>
> Thanks
>
> Best Regards
>
> Alejandro Sánchez Lucas
> Network Specialist
>
> SITEL EMEA GNS

From Alejandro.Sanchez at sitel.com Thu Jul 21 08:21:58 2011
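Added example, not from the thread and not clogin's own code: a simplified model of the first-match rule Jeremy describes above, plus a check for entries that sit below a catch-all * entry and are therefore never used. It handles only plain "add <directive> <pattern> <value>" lines (a real .cloginrc is Tcl and may use Tcl quoting such as braces); the sample files and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: simplified model of .cloginrc lookup (first match wins).

# Constructed sample: specific entries first, catch-all last.
SAMPLE_RC='
# one device with a local account
add user       router123   localuser1
add user       router*     tacacsuser1
add autoenable fw-*        1
add method     fw-*        ssh
add user       *           tacacsuser2
add method     *           ssh
'

# Constructed sample with the catch-all placed too early.
BAD_RC='
add user   *           tacacsuser2
add user   router123   localuser1
'

# cloginrc_find RC DIRECTIVE HOST
# Print the value of the first "add DIRECTIVE PATTERN VALUE" line whose glob
# PATTERN matches HOST; print nothing if no line matches.
cloginrc_find() {
    # clogin lowercases the router name before looking it up
    _host=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | while read -r _kw _dir _pat _val; do
        [ "$_kw" = add ] || continue
        [ "$_dir" = "$2" ] || continue
        case "$_host" in
            $_pat) printf '%s\n' "$_val"; break ;;
        esac
    done
}

# cloginrc_shadowed RC
# Print "DIRECTIVE PATTERN" for every entry that follows a "*" entry of the
# same directive: the "*" line always matches first, so these are dead.
cloginrc_shadowed() {
    printf '%s\n' "$1" | awk '
        $1 == "add" && NF >= 4 {
            if (seen[$2]) print $2, $3
            if ($3 == "*") seen[$2] = 1
        }'
}
```

With BAD_RC, router123 resolves to tacacsuser2 instead of its local account, which is the kind of silent credential mix-up the shadow check is meant to catch before a collection run.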
From: Alejandro.Sanchez at sitel.com (Alejandro Sanchez)
Date: Thu, 21 Jul 2011 10:21:58 +0200
Subject: [rancid] authentication groups on .cloginrc file
References: <0B16BB48CDB47B4DADCFFB52E938212AD48F48@es2852k3exchg01.emea.sitel-world.net> <4E26F21E.3090104@brezworks.com>
Message-ID: <0B16BB48CDB47B4DADCFFB52E938212AD67102@es2852k3exchg01.emea.sitel-world.net>

It's partly solved now.

The problem I have is that, half of my boxes have tacacs and the others have normal user/pass.

How can I set up the other generic access instead of adding device per device?

So 2 generic access, one tacacs, that I already did but I need the other non-tacacs one

Many thanks

Alejandro Sánchez Lucas
Network Specialist
SITEL EMEA GNS

________________________________
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On behalf of Jeremy Bresley
Sent: Wednesday, 20 July 2011 17:20
To: rancid-discuss at shrubbery.net
Subject: Re: [rancid] authentication groups on .cloginrc file

Yes, the cloginrc is parsed in order. So you can put your defaults as a * entry at the bottom of the file, and have your more specific entries above it.

Something like:

add user router123 localuser1
add user router* tacacsuser1
add user * tacacsuser2

router123 would use localuser1, all other devices matching router* would use tacacsuser1, and everything else would use tacacsuser2. Passwords/autoenable settings can be done this way as well.

Jeremy

On 7/20/2011 9:37 AM, Alejandro Sanchez wrote:

Hi guys,

Is there a way to create different ways of authentication?

I have some devices that have tacacs and some just user/pass

Also I have some that have autoenable.

Thanks

Best Regards

Alejandro Sánchez Lucas
Network Specialist
SITEL EMEA GNS

From slackert at gmail.com Fri Jul 22 21:28:17 2011
From: slackert at gmail.com (Slacker T)
Date: Fri, 22 Jul 2011 16:28:17 -0500
Subject: [rancid] Fortigate false notifications
In-Reply-To: <20110718182857.GJ27729@shrubbery.net>
References: <013601cc4563$46228cd0$d267a670$@co.uk> <20110718182857.GJ27729@shrubbery.net>
Message-ID:

On Mon, Jul 18, 2011 at 1:28 PM, john heasley wrote:
> Mon, Jul 18, 2011 at 04:56:36PM +0100, Andy:
>> If you haven't disabled the pager in fnlogin, then that is worth a try.
>>
>> I found that disabling the console pager improved things quite a lot, but I
>> still see this happen occasionally on various different Fortigate models and
>> OS versions.
>
> agreed. you can try the attached more complex handling from clogin. I'm
> guessing a bit; it might need more tweaking to handle however this device
> wipes the pager prompt.
>
>

I tried the different pager settings on the Fortinets (there are only two), still had the same problem with both. I applied the fnlogin.diff patch and haven't had a false notification since.

Thanks!

From mircea.ionita at gmail.com Tue Jul 26 08:38:11 2011
From: mircea.ionita at gmail.com (Mircea Ionita)
Date: Tue, 26 Jul 2011 11:38:11 +0300
Subject: [rancid] Rancid sending "diff -U 4" mails instead of actual diffs
Message-ID:

Hi guys,

I've been having a problem with rancid lately, that is, it is sending mails containing "diff -U -4 -r1.437 " instead of actual diffs. I ran into this problem after I solved the initial issue, which was that rancid was sending empty emails (solved, more or less, by using the solution found on the group, which was to change the diff option from "-u" to "-U"). Now the mails don't come as often (and as empty) as before, but every time I make a change on a device, the abovementioned is the only thing I get. I must add that in CVS the diffs appear properly, as they should.
I'm sorry if this is a double post, and thank you in advance for any help you can give.

Mircea
--
"I'm not a nerd, I'm a specialist." - Sagara Sousuke

From mircea.ionita at gmail.com Tue Jul 26 12:51:22 2011
From: mircea.ionita at gmail.com (Mircea Ionita)
Date: Tue, 26 Jul 2011 15:51:22 +0300
Subject: [rancid] Rancid sending "diff -U 4" mails instead of actual diffs
In-Reply-To:
References:
Message-ID:

Hi again,

I forgot to mention that rancid is 2.3.6, and the system is fedora 11.

Thank you!

On Tue, Jul 26, 2011 at 11:38 AM, Mircea Ionita wrote:
> Hi guys,
>
> I've been having a problem with rancid lately, that is, it is sending
> mails containing "diff -U -4 -r1.437 " instead of actual
> diffs. I ran into this problem after I solved the initial issue, which
> was that rancid was sending empty emails (solved, more or less, by
> using the solution found on the group, which was to change the diff
> option from "-u" to "-U"). Now the mails don't come as often (and as
> empty) as before, but every time I make a change on a device, the
> abovementioned is the only thing I get. I must add that in CVS the
> diffs appear properly, as they should.
> I'm sorry if this is a double post, and thank you in advance for any
> help you can give.
>
>
> Mircea
> --
> "I'm not a nerd, I'm a specialist." - Sagara Sousuke
>

--
"I'm not a nerd, I'm a specialist." - Sagara Sousuke

From heas at shrubbery.net Tue Jul 26 16:40:43 2011
From: heas at shrubbery.net (john heasley)
Date: Tue, 26 Jul 2011 16:40:43 +0000
Subject: [rancid] Rancid sending "diff -U 4" mails instead of actual diffs
In-Reply-To:
References:
Message-ID: <20110726164043.GC9195@shrubbery.net>

Tue, Jul 26, 2011 at 03:51:22PM +0300, Mircea Ionita:
> > I've been having a problem with rancid lately, that is, it is sending
> > mails containing "diff -U -4 -r1.437 " instead of actual
> > diffs. I ran into this problem after I solved the initial issue, which
> > was that rancid was sending empty emails (solved, more or less, by
> > using the solution found on the group, which was to change the diff
> > option from "-u" to "-U"). Now the mails don't come as often (and as
> > empty) as before, but every time I make a change on a device, the
> > abovementioned is the only thing I get. I must add that in CVS the
> > diffs appear properly, as they should.

the cvs diff just pipes to sendmail, with To (etc) headers written to sendmail's stdin. so, test that yourself to make sure that it works. see the control_rancid script.

From Tim.McIntire at infinite.com Tue Jul 26 17:24:10 2011
From: Tim.McIntire at infinite.com (Tim McIntire)
Date: Tue, 26 Jul 2011 12:24:10 -0500
Subject: [rancid] Extreme XOS patches for Rancid 2.3.6
Message-ID:

Trying to get rancid 2.3.6 working for my Summit x450s and BD 8810s. I have it working on the cisco and juniper gear I have.

I am running into two problems, one is that I need to disable clipaging on the extreme. The second is that the configuration file that is checked into CVS is blank. I was able to update the xrancid file to add the disable clipaging string to the command string and can run the clogin -c command successfully with the string that xrancid generates, but it still does not create a valid config file for CVS.

I have tried a number of the suggestions that have been posted, but still cannot get it to work. I tried to manually patch the clogin and xrancid files based on the patches that have been posted based on 2.3.3, but still cannot get it to pull the configurations.

Will the patches be included in the mainline or is there an updated patch for 2.3.6?

Has anyone got this to work on 2.3.6?

Thanks..

Tim

______________________________________________________________________________________________________________________________
This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely for the use of the addressee(s). If you are not the intended recipient, please notify so to the sender by e-mail and delete the original message. In such cases, please notify us immediately at sanchar-sadhan at infinite.com . Further, you are not to copy, disclose, or distribute this e-mail or its contents to any unauthorized person(s) .Any such actions are considered unlawful. This e-mail may contain viruses. Infinite has taken every reasonable precaution to minimize this risk, but is not liable for any damage you may sustain as a result of any virus in this e-mail. You should carry out your own virus checks before opening the e-mail or attachments. Infinite reserves the right to monitor and review the content of all messages sent to or from this e-mail address. Messages sent to or from this e-mail address may be stored on the Infinite e-mail system.
***INFINITE******** End of Disclaimer********INFINITE********

From heas at shrubbery.net Tue Jul 26 18:56:05 2011
From: heas at shrubbery.net (john heasley)
Date: Tue, 26 Jul 2011 18:56:05 +0000
Subject: [rancid] Extreme XOS patches for Rancid 2.3.6
In-Reply-To:
References:
Message-ID: <20110726185605.GD23333@shrubbery.net>

Tue, Jul 26, 2011 at 12:24:10PM -0500, Tim McIntire:
> Trying to get rancid 2.3.6 working for my Summit x450s and BD 8810s. I have it working on the cisco and juniper gear I have.
>
> I am running into two problems, one is that I need to disable clipaging on the extreme. The second is that the configuration file that is checked into CVS is blank. I was able to update the xrancid file to add the disable clipaging string to the command string and can run the clogin -c command successfully with the string that xrancid generates, but it still does not create a valid config file for CVS.
>
> I have tried a number of the suggestions that have been posted, but still cannot get it to work. I tried to manually patch the clogin and xrancid files based on the patches that have been posted based on 2.3.3, but still cannot get it to pull the configurations.
>
> Will the patches be included in the mainline or is there an updated patch for 2.3.6?
>
> Has anyone got this to work on 2.3.6?

we need to make some changes for the newer XOS (or whatever they call it). asp has started that but hit an expect problem, which is waiting for me to find time to debug it. I can't comment on the patches you mention.

From Alejandro.Sanchez at sitel.com Wed Jul 27 15:01:39 2011
From: Alejandro.Sanchez at sitel.com (Alejandro Sanchez)
Date: Wed, 27 Jul 2011 17:01:39 +0200
Subject: [rancid] authentication groups on .cloginrc file
References: <0B16BB48CDB47B4DADCFFB52E938212AD48F48@es2852k3exchg01.emea.sitel-world.net> <4E26F21E.3090104@brezworks.com>
Message-ID: <0B16BB48CDB47B4DADCFFB52E938212AE1668B@es2852k3exchg01.emea.sitel-world.net>

Team,
Any ideas on this?

Best Regards

Alejandro Sánchez Lucas
Network Specialist
SITEL EMEA GNS

From hugo.deprez at gmail.com Wed Jul 27 15:48:39 2011
From: hugo.deprez at gmail.com (Hugo Deprez)
Date: Wed, 27 Jul 2011 17:48:39 +0200
Subject: [rancid] Rancid Looking glass slow
Message-ID:

Dear community,

I configured the looking glass of rancid, but when I run a command on an equipment, it is quite slow.
Especially with the traceroute command. It can take up to 5 minutes to show the traceroute command.

I was wondering if anyone has already had this issue? Could that be a configuration issue?

I do have a similar issue with the looking glass from http://wiki.version6.net/LG

I am running debian 6

If you need more information feel free to ask.

Hugo

From denyipanyany at gmail.com Wed Jul 27 19:01:17 2011
From: denyipanyany at gmail.com (Deny IP Any Any)
Date: Wed, 27 Jul 2011 15:01:17 -0400
Subject: [rancid] nxrancid small suggestion/patch
Message-ID:

In my environment, adding

{'show environment fex all fan' => 'ShowEnv'},

to my nxrancid's @commandtable yields valuable information about the power supply health of my N2K FEXs; it may be a valuable addition to others as well.

I can provide this trivial change in DIFF format if that would be preferred.

--
deny ip any any (4393649193 matches)

From heas at shrubbery.net Wed Jul 27 21:15:24 2011
From: heas at shrubbery.net (john heasley)
Date: Wed, 27 Jul 2011 21:15:24 +0000
Subject: [rancid] Rancid Looking glass slow
In-Reply-To:
References:
Message-ID: <20110727211524.GC8038@shrubbery.net>

Wed, Jul 27, 2011 at 05:48:39PM +0200, Hugo Deprez:
> Dear community,
>
> I configured the looking glass of rancid, but when I run a command on an
> equipment, it is quite slow.
> Especially with the traceroute command. It can take up to 5 minutes to show
> the traceroute command.

and how long does it take if you run it manually on the router? perhaps dns resolution time? pkt loss between router and LG host?

From rancid at gheek.net Wed Jul 27 21:49:19 2011
From: rancid at gheek.net (Lance Vermilion)
Date: Wed, 27 Jul 2011 14:49:19 -0700
Subject: [rancid] RANCID and Redcom Labs Slice 2100
Message-ID:

Hey All,

Has anyone used Expect or RANCID to connect to the Redcom Labs Slice 2100 or HDX? It has a menu like interface but nothing like routers/switches that are menu based.

Just a curious question.

-lance

From gmccullagh at gmail.com Thu Jul 28 10:25:08 2011
From: gmccullagh at gmail.com (Gavin McCullagh)
Date: Thu, 28 Jul 2011 11:25:08 +0100
Subject: [rancid] RANCID and Redcom Labs Slice 2100
In-Reply-To:
References:
Message-ID: <20110728102508.GQ13113@gmail.com>

Hi,

On Wed, 27 Jul 2011, Lance Vermilion wrote:

> Has anyone used Expect or RANCID to connect to the Redcom Labs Slice 2100 or
> HDX? It has a menu like interface but nothing like routers/switches that are
> menu based.

I take it this is a menu system in a text console? Many 3Com switches have something similar to this.

Regrettably, the 3Coms don't seem to have a way to dump the config to the command line. This is the key issue really. After that, you may need to massage the code a little to best deal with your device's syntax and output.

The 3Coms have a way to upload the config to a remote TFTP server and I've been considering using that as a workaround, ie connect to switch, upload the config to a server, then connect to the server over tftp and download the config for rancid to work on. It's messy though.

Gavin

From heas at shrubbery.net Fri Jul 29 09:03:36 2011
From: heas at shrubbery.net (john heasley)
Date: Fri, 29 Jul 2011 09:03:36 +0000
Subject: [rancid] nxrancid small suggestion/patch
In-Reply-To:
References:
Message-ID: <20110729090336.GD5229@shrubbery.net>

Wed, Jul 27, 2011 at 03:01:17PM -0400, Deny IP Any Any:
> In my environment, adding
>
> {'show environment fex all fan' => 'ShowEnv'},
>
> to my nxrancid's @commandtable yields valuable information about the
> power supply health of my N2K FEXs; it may be a valuable addition to
> others as well.

on which platform(s) and does this create any "cycling" output, such as fan speeds?

From Alejandro.Sanchez at sitel.com Fri Jul 29 11:38:10 2011
From: Alejandro.Sanchez at sitel.com (Alejandro Sanchez)
Date: Fri, 29 Jul 2011 13:38:10 +0200
Subject: [rancid] authentication groups on .cloginrc file
References: <0B16BB48CDB47B4DADCFFB52E938212AD48F48@es2852k3exchg01.emea.sitel-world.net><4E26F21E.3090104@brezworks.com> <0B16BB48CDB47B4DADCFFB52E938212AE1668B@es2852k3exchg01.emea.sitel-world.net>
Message-ID: <0B16BB48CDB47B4DADCFFB52E938212AE51286@es2852k3exchg01.emea.sitel-world.net>

Hi team
I am desperate.
Still having issues with the authentication:

I have the following:

add autoenable * 1
add user * alex
add pass * alexpass

add autoenable * 0
add user x.x.x.x alex
add pass x.x.x.x alexpass alexenapass

The problem is that the second group is not being executed, so this box, is not being checked

Any ideas?

Alex

From gabbawp at gmail.com Fri Jul 29 12:38:26 2011
From: gabbawp at gmail.com (Gareth Hopkins)
Date: Fri, 29 Jul 2011 14:38:26 +0200
Subject: [rancid] authentication groups on .cloginrc file
In-Reply-To: <0B16BB48CDB47B4DADCFFB52E938212AE51286@es2852k3exchg01.emea.sitel-world.net>
References: <0B16BB48CDB47B4DADCFFB52E938212AD48F48@es2852k3exchg01.emea.sitel-world.net> <4E26F21E.3090104@brezworks.com> <0B16BB48CDB47B4DADCFFB52E938212AE1668B@es2852k3exchg01.emea.sitel-world.net> <0B16BB48CDB47B4DADCFFB52E938212AE51286@es2852k3exchg01.emea.sitel-world.net>
Message-ID:

Hi,

Put your second group with the listed IP's at the top of the file. What's happening is you are matching * from the first group for everything.

Cheers,
Gareth

2011/7/29 Alejandro Sanchez

> Hi team
>
> I am desperate.
>
> Still having issues with the authentication:
>
> I have the following:
>
> add autoenable * 1
> add user * alex
> add pass * alexpass
>
> add autoenable * 0
> add user x.x.x.x alex
> add pass x.x.x.x alexpass alexenapass
>
> The problem is that the second group is not being executed, so this box, is
> not being checked
>
> Any ideas?
>
> Alex

From hugo.deprez at gmail.com Fri Jul 29 15:57:04 2011
From: hugo.deprez at gmail.com (Hugo Deprez)
Date: Fri, 29 Jul 2011 17:57:04 +0200
Subject: [rancid] Rancid Looking glass slow
In-Reply-To: <20110727211524.GC8038@shrubbery.net>
References: <20110727211524.GC8038@shrubbery.net>
Message-ID:

Hello,

Thank you for the answer.

Well it seems that the command is very slow on the equipments: around 12 hops for 2-3 minutes. I tried on several equipments.
I don't know if this is 'normal' time for a traceroute command?

I looked on the internet for some other looking glass, answer was much quicker.

I use /etc/hosts to resolve hostname and I didn't find any packet loss between my server and the equipments.

any idea?

Thanks

Hugo

On 27 July 2011 23:15, john heasley wrote:

> Wed, Jul 27, 2011 at 05:48:39PM +0200, Hugo Deprez:
> > Dear community,
> >
> > I configured the looking glass of rancid, but when I run a command on an
> > equipment, it is quite slow.
> > Especially with the traceroute command. It can take up to 5 minutes to
> show
> > the traceroute command.
>
> and how long does it take if you run it manually on the router? perhaps
> dns resolution time? pkt loss between router and LG host?
>

From Brian.Routt at proquest.com Fri Jul 29 19:22:51 2011
From: Brian.Routt at proquest.com (Routt, Brian)
Date: Fri, 29 Jul 2011 15:22:51 -0400
Subject: [rancid] Problem with Rancid and Nexus 7000
In-Reply-To:
References: <20110209182515.GF26039@shrubbery.net>
Message-ID: <24082900FD8BBB4F8A3E5CF2890E761E72DEAC6F@AAPQMAILBX02V.proque.st>

How did you remove the #? I removed my banner and used different delimiters (}) but the running config still displays #.

To illustrate, I typed this

banner motd }
******************************************************
Message text
******************************************************
}

But the config still displays this

banner motd #
******************************************************
Message text
******************************************************
#

Thanks
-Brian Routt

From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Matt L
Sent: Wednesday, February 09, 2011 1:23 PM
To: john heasley
Cc: rancid-discuss at shrubbery.net
Subject: Re: [rancid] Problem with Rancid and Nexus 7000

Default login banner. Someone mentioned to me privately to change it to remove any #'s, and that actually did the trick. So everything looks good now.

Thanks for the responses everyone!

On Wed, Feb 9, 2011 at 1:25 PM, john heasley wrote:
Wed, Feb 09, 2011 at 11:02:13AM -0500, Matt L:
> So I have Rancid working fine with all my other gear, ASA 5510's, Catalyst
> 3560's, etc. We recently installed a Nexus 7000 and I have been trying to
> get it going with Rancid.
>
> I created a new TACACS user for this purpose (due to the way logins work for
> NX-OS), defined it in cloginrc with autoenable as '1'.
>
> This is what happens if I just run clogin to the box with no extra flags:
>
> [rancid at linuxhost ~]$ clogin nexus
> nexus
> spawn ssh -c 3des -x -l rancidnx nexus
> #User Access Verification#

where are the #'s coming from? from your tacacs, i suspect. that looks like a cli prompt to clogin.

> Password:
>
>
> It just sits there and does nothing at this point. I can enter the password
> manually and it will login successfully.
>
> If I remove the autoenable from cloginrc, it will successfully login, but
> then hang there (I assume waiting for enable prompt which will never
> appear).
>
> Rancid version is 2.3.3 (I have tried with 2.3.6 clogin separately as well).
>
> NX-OS version is 5.1(2).
>
> Obviously until I can get past the initial login, I can't test with nxrancid
> or any type of automation.
>
> Any ideas? Am I missing something stupid?
>
> Thanks,
>
> Matt

> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss

From heas at shrubbery.net Fri Jul 29 20:11:41 2011
From: heas at shrubbery.net (john heasley)
Date: Fri, 29 Jul 2011 20:11:41 +0000
Subject: [rancid] Problem with Rancid and Nexus 7000
In-Reply-To: <24082900FD8BBB4F8A3E5CF2890E761E72DEAC6F@AAPQMAILBX02V.proque.st>
References: <20110209182515.GF26039@shrubbery.net> <24082900FD8BBB4F8A3E5CF2890E761E72DEAC6F@AAPQMAILBX02V.proque.st>
Message-ID: <20110729201141.GS5357@shrubbery.net>

Fri, Jul 29, 2011 at 03:22:51PM -0400, Routt, Brian:
> How did you remove the #? I removed my banner and used different delimiters (}) but the running config still displays #.

are you sure that's the problem? assuming that your problem still lies here:

> > [rancid at linuxhost ~]$ clogin nexus
> > nexus
> > spawn ssh -c 3des -x -l rancidnx nexus
> > #User Access Verification#
> where are the #'s coming from? from your tacacs, i suspect. that looks
> like a cli prompt to clogin.

that's not the banner in the configuration. clogin should, after the _displayed_ banner and successful login, acquire a more specific match of the prompt and avoid matching the #s in the configuration.
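
Added example for the "authentication groups on .cloginrc file" thread above (not part of any list message and not RANCID's own code): a small linter that models the in-order, first-match lookup described there and reports entries that an earlier, broader pattern makes unreachable. Assumptions: one `add` per line, Python's fnmatch standing in for the file's glob matching, and constructed sample files using the placeholder names from the thread plus a documentation-range address.

```python
"""Lint a .cloginrc for entries that can never be selected (added example)."""
import fnmatch

# Constructed sample in the failing order: the catch-all comes first.
MISORDERED = """\
# constructed sample, placeholder names and a documentation-range address
add autoenable * 1
add user * tacacsuser2
add user router* tacacsuser1
add user router123 localuser1
add autoenable 192.0.2.10 0
"""

# The same entries, most specific first and the catch-all last.
ORDERED = """\
add user router123 localuser1
add user router* tacacsuser1
add user * tacacsuser2
add autoenable 192.0.2.10 0
add autoenable * 1
"""


def parse_cloginrc(text):
    """Return (lineno, directive, pattern, values) for every 'add' line.

    Assumption: one 'add <directive> <pattern> <value...>' per line; brace
    quoting and 'include' are not handled in this sketch.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if len(fields) >= 3 and fields[0] == "add":
            entries.append((lineno, fields[1], fields[2], fields[3:]))
    return entries


def resolve(entries, directive, host):
    """The first entry for `directive` whose glob pattern matches `host` wins."""
    for lineno, name, pattern, values in entries:
        if name == directive and fnmatch.fnmatchcase(host, pattern):
            return lineno, values
    return None


def covers(earlier, later):
    """True if every host matched by `later` is also matched by `earlier`.

    Exact when `later` is a literal name, or when `earlier` uses no wildcard
    other than '*' and `later` has no '[' class. Any other combination
    returns False, so the linter stays silent instead of guessing.
    """
    later_is_literal = not any(c in later for c in "*?[")
    if not later_is_literal and ("[" in later or any(c in earlier for c in "?[")):
        return False
    return fnmatch.fnmatchcase(later, earlier)


def shadowed(entries):
    """Entries that an earlier entry of the same directive always pre-empts."""
    findings = []
    for i, (lineno, name, pattern, _) in enumerate(entries):
        for prev_lineno, prev_name, prev_pattern, _ in entries[:i]:
            if prev_name == name and covers(prev_pattern, pattern):
                findings.append((lineno, name, pattern, prev_lineno, prev_pattern))
                break
    return findings


if __name__ == "__main__":
    for label, text in (("misordered", MISORDERED), ("ordered", ORDERED)):
        entries = parse_cloginrc(text)
        print(label, "-> user for router123:", resolve(entries, "user", "router123"))
        for lineno, name, pattern, by_line, by_pat in shadowed(entries):
            print(f"  line {lineno}: '{name} {pattern}' is never used; "
                  f"line {by_line} '{by_pat}' matches first")
```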