<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3059" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=946085220-09032007><FONT face=Arial
color=#0000ff size=2>Chris,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=946085220-09032007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=946085220-09032007><FONT face=Arial
color=#0000ff size=2>Because Todd is using tacacs+ for authentication,
he set autoenable to 1 to get all the cisco routers/switches
working. The hostname glob he used for this setting also
matched his PIX causing this problem.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=946085220-09032007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=946085220-09032007><FONT face=Arial
color=#0000ff size=2>As autoenable needs to be 0 [the default] for a PIX to
work, you don't need to set it.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=946085220-09032007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=946085220-09032007><FONT face=Arial
color=#0000ff size=2>Mike</FONT></SPAN></DIV><BR>
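<DIV>Added example, not part of the original thread or of RANCID itself: a Python check that resolves which "add autoenable" line applies to a host when the first matching glob wins, so a broad glob that also catches a PIX is flagged before clogin times out. The hostnames and globs are constructed, and Python's fnmatch is assumed to be a close enough stand-in for clogin's Tcl glob matching.</DIV>

```python
import fnmatch

# Constructed sample .cloginrc; hostnames and globs are made up for illustration.
SAMPLE_CLOGINRC = """\
# broad glob so TACACS+ routers/switches are treated as already enabled
add autoenable  *.example.net  1
# PIX-specific line placed too late: the glob above matches first
add autoenable  pix*           0
add method      pix*           ssh
"""


def parse_directives(text, directive="autoenable"):
    """Return [(glob, value)] for 'add <directive> <glob> <value>' lines, in file order."""
    rules = []
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) >= 4 and fields[0] == "add" and fields[1] == directive:
            rules.append((fields[2], fields[3].strip("{}")))
    return rules


def effective(rules, host, default="0"):
    """First matching glob wins; autoenable falls back to 0 when nothing matches."""
    for glob, value in rules:
        if fnmatch.fnmatchcase(host, glob):  # assumption: approximates Tcl glob matching
            return value, glob
    return default, None


def audit(text, needs_enable_hosts):
    """Return (host, offending_glob) for hosts that need 'enable' but resolve to autoenable 1."""
    rules = parse_directives(text)
    findings = []
    for host in needs_enable_hosts:
        value, glob = effective(rules, host)
        if value != "0":
            findings.append((host, glob))
    return findings


if __name__ == "__main__":
    for host, glob in audit(SAMPLE_CLOGINRC, ["pix-edge.example.net", "pix-lab"]):
        print(f"{host}: autoenable 1 via '{glob}', clogin will wait for an enabled prompt")
```

Moving the PIX-specific line above the broad glob, or narrowing the broad glob, clears the finding.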
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> sawall [mailto:sawall@gmail.com]
<BR><B>Sent:</B> Friday, March 09, 2007 1:51 PM<BR><B>To:</B> Todd
Heide<BR><B>Cc:</B> Mike Ashcraft;
Rancid-discuss@shrubbery.net<BR><B>Subject:</B> Re: [rancid] Re: PIX
authentication<BR></FONT><BR></DIV>
<DIV></DIV>The weird thing, I think, is that I don't have autoenable set in my
cloginrc file and it's working great with all of my firewalls. not that
todd shouldn't try it. i'm just confused....<BR><BR>chris<BR><BR><BR>
<DIV><SPAN class=gmail_quote>On 3/9/07, <B class=gmail_sendername>Todd Heide</B>
<<A href="mailto:Todd@equivoice.com">Todd@equivoice.com</A>> wrote:</SPAN>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">DOH
Helps to read the instructions. I added autoenable, but didn't put<BR>the ip
of the device in. It is working from bin.clogin now. Let's see if<BR>it pulls
the config this time. Thanks for everyone who helped!<BR><BR>Thanks<BR>Todd
Heide<BR>Equivoice Inc.<BR><BR>CCNA CWLSS
CS-CISecS<BR>847-235-3308<BR><BR>Nothing ever goes as planned, Its a hell of a
notion,<BR>Even pharaohs turn to sand, Like a drop in the
ocean<BR><BR>-----Original Message----- <BR>From: Mike Ashcraft [mailto:<A
href="mailto:mashcraft@omniture.com">mashcraft@omniture.com</A>]<BR>Sent:
Friday, March 09, 2007 12:49 PM<BR>To: Todd Heide<BR>Cc: <A
href="mailto:Rancid-discuss@shrubbery.net">Rancid-discuss@shrubbery.net
</A><BR>Subject: RE: [rancid] Re: PIX
authentication<BR><BR>Todd,<BR><BR>clogin IPADDRESS is 'hanging' because it is
waiting for the pix to<BR>return an enabled prompt. While you can
type at the user prompt, the<BR>clogin program is still in control and will
not pass your keystrokes on<BR>to the PIX. Notice that after the
timeout, your 'en' is entered at the<BR>shell prompt. Setting
autoenable to 0 will tell clogin that it will <BR>have to use the enable
command to get the enabled prompt.<BR><BR>Unlike other Cisco devices, the PIX
will not allow a tacacs+<BR>authenticated user to go straight to enable
mode.<BR><BR>Mike<BR><BR>-----Original Message----- <BR>From: <A
href="mailto:rancid-discuss-bounces@shrubbery.net">rancid-discuss-bounces@shrubbery.net</A><BR>[mailto:<A
href="mailto:rancid-discuss-bounces@shrubbery.net">rancid-discuss-bounces@shrubbery.net</A>]
On Behalf Of Todd Heide <BR>Sent: Friday, March 09, 2007 10:33 AM<BR>To:
Manuel Noriega<BR>Cc: <A
href="mailto:Rancid-discuss@shrubbery.net">Rancid-discuss@shrubbery.net</A><BR>Subject:
[rancid] Re: PIX authentication<BR><BR>OK, I didn't have the autoenable in
there, I will see if that helps, but <BR>I am still puzzled as to why it is
hanging when I try clogin IPADDRESS<BR>to the pix'<BR><BR>Thanks<BR>Todd
Heide<BR>Equivoice Inc.<BR><BR>CCNA CWLSS
CS-CISecS<BR>847-235-3308<BR><BR>Nothing ever goes as planned, Its a hell of a
notion, Even pharaohs turn <BR>to sand, Like a drop in the
ocean<BR><BR>-----Original Message-----<BR>From: Manuel Noriega [mailto:<A
href="mailto:mnoriega@amnetcorp.com">mnoriega@amnetcorp.com</A>]<BR>Sent:
Friday, March 09, 2007 11:19 AM<BR>To: Todd Heide <BR>Cc: sawall; <A
href="mailto:Rancid-discuss@shrubbery.net">Rancid-discuss@shrubbery.net</A><BR>Subject:
Re: [rancid] Re: PIX authentication<BR><BR>Are you using autoenable? I had
trouble at the beginning. This is what I <BR>have in my .cloginrc
file.<BR><BR>add autoenable pix* 0<BR>
add method pixsps ssh<BR>
add cyphertype pixsps des<BR>
add user pixsps pix<BR>
add password pixsps vtypassword enablepassword
<BR><BR><BR><BR>Regards,<BR><BR>Manuel<BR><BR>On Mar 9, 2007, at 10:45 AM,
Todd Heide wrote:<BR><BR>> Yep, the logs indicate basically the same thing
that running clogin<BR>> does, error: TIMEOUT reached. It is hanging when
trying to get to <BR>> privileged exec mode on the PIX. All the routers
work fine with ssh,<BR>> so I am not sure what the problem is, and why it
hangs, but I can ssh<BR>> to the pix from the command prompt and get all
the way in. <BR>><BR>><BR>><BR>><BR>><BR>> Nothing ever goes
as planned, Its a hell of a notion,<BR>><BR>> Even pharaohs turn to
sand, Like a drop in the ocean<BR>><BR>> From: sawall [mailto:<A
href="mailto:sawall@gmail.com"> sawall@gmail.com</A>]<BR>> Sent: Friday,
March 09, 2007 10:25 AM<BR>> To: Todd Heide<BR>> Subject: Re: [rancid]
Re: PIX authentication<BR>><BR>><BR>><BR>> sorry. i'm
not the greatest rancid guy. i modified my bin/rancid and
<BR><BR>> bin/clogin files slightly. and i'm not having any
issues.<BR>><BR>> what if you run "bin/rancid -d {fw ip
addr}"<BR>><BR>> should show some debug.<BR>><BR>><BR>><BR>>
On 3/9/07, Todd Heide < <A
href="mailto:Todd@equivoice.com">Todd@equivoice.com</A>>
wrote:<BR>><BR>><BR>><BR>> add user 67.1x.x.x rancid<BR>
> add password 67.1x.x.x {********} {*********}<BR>
> add method 67.1x.x.x ssh<BR>><BR>><BR>>
This login setup works fine on a router, all our routers use Tacacs<BR>> +
as<BR>> well.<BR>> ________________________________________<BR>>
From: sawall [mailto:<A href="mailto:sawall@gmail.com">
sawall@gmail.com</A>]<BR>> Sent: Friday, March 09, 2007 10:10 AM<BR>>
To: Todd Heide<BR>> Subject: Re: [rancid] Re: PIX
authentication<BR>><BR>> what does your cloginrc file look
like?<BR>><BR>><BR>> On 3/9/07, Todd Heide < <A
href="mailto:Todd@equivoice.com">Todd@equivoice.com</A>> wrote:<BR>> I
get the same issue whether it is a pix or an ASA, version 6.3 or
7.x<BR>><BR>> ________________________________________<BR>> From:
sawall [mailto: <A
href="mailto:sawall@gmail.com">sawall@gmail.com</A>]<BR>> Sent: Friday,
March 09, 2007 9:50 AM<BR>> To: Todd Heide<BR>> Subject: Re: [rancid]
Re: PIX authentication<BR>><BR>> what version of pix? does the user
"rancid" have rights to call <BR>> enable?<BR>><BR>> just trying to
figure out your issue....<BR>><BR>><BR>> On 3/9/07, Todd Heide <
<A href="mailto:Todd@equivoice.com">Todd@equivoice.com</A> > wrote:<BR>>
[rancid@server ~]$ bin/clogin 67.1x.x.x 67.1x.x.x spawn ssh -c 3des
-x<BR><BR>> -l rancid 67.1x.x.x <A
href="mailto:rancid@67.1x.x.x">rancid@67.1x.x.x</A> 's password:<BR>> Type
help or '?' for a list of available commands.<BR>> pixfirewall> <BR>>
pixfirewall> en<BR>><BR>> Error: TIMEOUT reached<BR>>
[rancid@server ~]$ en<BR>><BR>> Thanks<BR>>
Toddc.<BR>><BR>><BR>> CCNA CWLSS CS-CISecS<BR>><BR>> Nothing
ever goes as planned, Its a hell of a notion, Even pharaohs <BR>> turn to
sand, Like a drop in the ocean<BR>>
________________________________________<BR>> From: sawall [mailto:<A
href="mailto:sawall@gmail.com">sawall@gmail.com</A> ]<BR>> Sent: Friday,
March 09, 2007 9:39 AM <BR>> To: Todd Heide<BR>> Subject: Re: [rancid]
Re: PIX authentication<BR>><BR>> what does the output look like when you
try it manually. below is what<BR><BR>> i have for version 6.3 and 7.2. (i
changed the enable to enable 5 so i <BR><BR>> could limit the commands that
could run for this user).<BR>><BR>> # su - rancid<BR>><BR>> >
clogin pixver63<BR>> pixver63<BR>> spawn ssh -c 3des -x -l pixbkup
pixver63 pixbkup@pixver63's password: <BR>> Type help or '?' for a list of
available commands.<BR>> pixver63><BR>> pixver63> enable 5<BR>>
Password: *******<BR>> pixver63#<BR>> pixver63# exit<BR>><BR>>
Logoff<BR>><BR>> Connection to pixver63 closed. <BR>><BR>><BR>>
> clogin pixver72<BR>> pixver72<BR>> spawn ssh -c 3des -x -l pixbkup
pixver72<BR>> pixbkup@pixver72 's password:<BR>> Type help or '?' for a
list of available commands.<BR>> pixcof01p> enable 5<BR>> Password:
*******<BR>> pixcof01p#<BR>> pixcof01p# exit<BR>><BR>>
Logoff<BR>><BR>> Connection to pixver72 closed.<BR>><BR>> On
3/9/07, Todd Heide < <A
href="mailto:Todd@equivoice.com">Todd@equivoice.com</A>> wrote:<BR>>
Running it manually is when I found the problem. It hangs when I
enter<BR><BR>> enable, then times out.<BR>><BR>> Thanks<BR>> Todd
Heide<BR>> Equivoice Inc.<BR>> <BR>><BR>> CCNA CWLSS
CS-CISecS<BR>> 847-235-3308<BR>><BR>> Nothing ever goes as planned,
Its a hell of a notion, Even pharaohs<BR>> turn to sand, Like a drop in the
ocean<BR>> ________________________________________ <BR>> From: sawall
[mailto: <A href="mailto:sawall@gmail.com">sawall@gmail.com</A>]<BR>> Sent:
Friday, March 09, 2007 9:01 AM<BR>> To: Todd Heide<BR>> Cc: <A
href="mailto:Rancid-discuss@shrubbery.net">Rancid-discuss@shrubbery.net
</A><BR>> Subject: Re: [rancid] Re: PIX authentication<BR>><BR>> are
you using the default clogin files? i am backing up 60+ pix<BR>> firewalls.
515s and 525s. version 6.3 - 7.2. i'm not having any<BR>> problems at all.
<BR>><BR>> have you run clogin manually to see how it's connecting to
the pix and<BR><BR>> to see if that works.<BR>><BR>> chris<BR>> On
3/9/07, Todd Heide < <A href="mailto:Todd@equivoice.com">Todd@equivoice.com
</A>> wrote:<BR>> I found a second issue, another pix I log into, if I
type enable it<BR>> hangs!<BR>><BR>> Thanks<BR>> Todd
Heide<BR>> Equivoice Inc.<BR>><BR>> CCNA CWLSS CS-CISecS<BR>>
847-235-3308 <BR>><BR>> Nothing ever goes as planned, Its a hell of a
notion, Even pharaohs<BR>> turn to sand, Like a drop in the ocean
-----Original Message-----<BR>> From: <A
href="mailto:rancid-discuss-bounces@shrubbery.net">rancid-discuss-bounces@shrubbery.net</A>
[mailto:<BR>> <A
href="mailto:rancid-discuss-bounces@shrubbery.net">rancid-discuss-bounces@shrubbery.net</A>]
On Behalf Of Todd Heide<BR>> Sent: Friday, March 09, 2007 8:49 AM <BR>>
To: <A
href="mailto:Rancid-discuss@shrubbery.net">Rancid-discuss@shrubbery.net</A><BR>>
Subject: [rancid] PIX authentication<BR>><BR>> I have been wondering why
I never get an update when trying to get<BR>> rancid to pull a config from
a PIX and discovered that when Rancid<BR>> logs in, it doesn't put in
enable and password, so the device times<BR>> out.<BR>> Where can I fix
that?<BR>><BR>> Thanks<BR>> Todd<BR>><BR>><BR>> CCNA CWLSS
CS-CISecS<BR>><BR>><BR>> Nothing ever goes as planned, Its a hell of
a notion, Even pharaohs<BR>> turn to sand, Like a drop in the
ocean<BR>><BR>> _______________________________________________ <BR>>
Rancid-discuss mailing list<BR>> <A
href="mailto:Rancid-discuss@shrubbery.net">Rancid-discuss@shrubbery.net</A><BR>>
<A
href="http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss">http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
</A><BR></BLOCKQUOTE></DIV><BR></BODY></HTML>