From temkin at sig.com Wed Aug 6 12:32:02 2003
From: temkin at sig.com (Temkin, David)
Date: Wed, 6 Aug 2003 08:32:02 -0400
Subject: Problem with CatOS logins
Message-ID:

I'm sure this question has been asked a million times, but I've tried all of the suggested fixes and haven't been able to figure it out. I have a freshly compiled/patched version of expect and tcl, so I don't think that's the issue...

Cat5login appears to log into the switches correctly, but then it just hangs thinking that it's waiting for something else. Autoenable is enabled (the username goes straight to enable mode) so I don't think that's the issue either..

From having clogin dump a raw file, here's what I see:

User Access Verification

Username: ServiceCW2k
Password:
xxx> (enable)
Error: TIMEOUT reached

And then it just dies.

The logfile shows:

Xxx.xxx.com clogin error: Error: TIMEOUT reached
Xxx.xxx.com: missed cmd(s): show port ifindex,show module,dir sup-microcode:,dir sup-bootflash:,dir bootflash:,dir slot0:,show version,show flash,write term,show boot,dir slot1:
Xxx.xxx.com: End of run not found

Any help would be greatly appreciated...

Thanks,
-Dave

From heas at shrubbery.net Wed Aug 6 17:56:48 2003
From: heas at shrubbery.net (john heasley)
Date: Wed, 6 Aug 2003 17:56:48 +0000
Subject: Problem with CatOS logins
In-Reply-To:
References:
Message-ID: <20030806175648.GZ803@shrubbery.net>

Wed, Aug 06, 2003 at 08:32:02AM -0400, Temkin, David:
> I'm sure this question has been asked a million times, but I've tried all of
> the suggested fixes and haven't been able to figure it out. I have a
> freshly compiled/patched version of expect and tcl, so I don't think that's
> the issue...
>
> Cat5login appears to log into the switches correctly, but then it just hangs
> thinking that it's waiting for something else. Autoenable is enabled (the
> username goes straight to enable mode) so I don't think that's the issue
> either..

the problem is that the current clogin does not handle auto-enable catalysts correctly. afaik, auto-enable was not possible on CatOS until relatively recently. I just need to find the time to work on it.

> From having clogin dump a raw file, here's what I see:
>
> User Access Verification
>
> Username: ServiceCW2k
> Password:
> xxx> (enable)
> Error: TIMEOUT reached
>
> And then it just dies.
>
> The logfile shows:
>
> Xxx.xxx.com clogin error: Error: TIMEOUT reached
> Xxx.xxx.com: missed cmd(s): show port ifindex,show module,dir
> sup-microcode:,dir sup-bootflash:,dir bootflash:,dir slot0:,show
> version,show flash,write term,show boot,dir slot1:
> Xxx.xxx.com: End of run not found
>
> Any help would be greatly appreciated...
>
> Thanks,
> -Dave

From afort at choqolat.org Tue Aug 12 06:48:42 2003
From: afort at choqolat.org (Andrew Fort)
Date: Tue, 12 Aug 2003 16:48:42 +1000
Subject: patches and alternative enterasys/riverstone support
Message-ID: <3F388DCA.20009@choqolat.org>

Hi folks,

I've recently found myself with some new devices to add to the repository, which didn't have some things handled as originally expected (thanks for the variance, cisco)..

The following patch for 'rancid' does the following:

- Identifies 4500s and 3550s as switches
- Gathers System, Motherboard and Power Supply serial numbers from Cat3550 (and possibly others) (NOTE: on a 3550 the System S/N really is usable with TAC, which is a real bonus ;).
- Gathers 3550 (and again, possibly other) redundant power supply status info from the "show env all" output.
- Ignores "show vlan" output on 3550/4500 IOS switches(*).

(*) This really needs to be on a per-device configurable basis, which I believe is coming to a future rancid release (i.e., different device [groups] have different parser configuration and commands to run). The reason is that this patch is suitable really only if you're using the extended VLAN support (i.e., you have "vlan" configuration inside your main running-configuration, rather than just stored in the flash:vlan.dat file), whereas the "show vlan" output was included by RANCID to allow for the 2900XL/3500XL switches where this info was not available via the main configuration.

On the Enterasys/Riverstone front, I've had some luck patching "rscmd" from the 'Quartz' package at http://www.nmops.org so that the -c option allows multiple commands to be executed. Since it was originally derived from clogin and is GPL, it should be suitable for inclusion (except that it's been stripped back for a slightly different method of usage and has less functionality than the current clogin derived scripts). This works well, and appears to avoid the output buffering issues seen with the other variants by doing 'expect "*"' to flush the input before sending more back to the device.
I still have some features to add (last-resort password handling), but would appreciate if I could get some folks to run my mods on their systems. It involves a modded "rscmd" (from Quartz) and a modified rivrancid (i.e., :%s/rivlogin/rscmd/g). --snip-- --- /home/afort/rancid-2.3.eft/bin/rancid.in Thu Jan 2 06:15:47 2003 +++ ./rancid Mon Aug 11 16:30:04 2003 @@ -1,4 +1,4 @@ -#!@PERLV_PATH@ +#!/usr/bin/perl ## ## ## Copyright (C) 1997-2001 by Henry Kilmer. @@ -173,6 +173,8 @@ } /^Serial Number:\s+(.*)$/ && ProcessHistory("COMMENTS","keysort","C1", "!$_") && next; + /^(System|Motherboard|Power supply) serial number:\s+(.*)$/ && + ProcessHistory("COMMENTS","keysort","C1", "!$_") && next; /^Activation Key:\s+(.*)$/ && ProcessHistory("COMMENTS","keysort","C2", "!$_") && next; /^ROM: \d+ Bootstrap .*(Version.*)$/ && @@ -242,9 +244,15 @@ } elsif ( $proc =~ /WS-C29/) { $type = "2900XL"; $device = "switch"; + } elsif ( $proc =~ /WS-C3550/) { + $type = "3550"; + $device = "switch"; } elsif ( $proc =~ /WS-C35/) { $type = "3500XL"; $device = "switch"; + } elsif ( $proc =~ /WS-C45/) { + $type = "4500"; + $device = "switch"; } elsif ( $proc =~ /6000/) { $type = "6000"; $device = "switch"; @@ -379,6 +387,8 @@ ProcessHistory("COMMENTS","keysort","E2","!Power: $1\n") && next; /^\s*(redundant .*)/i && ProcessHistory("COMMENTS","keysort","E2","!Power: $1\n") && next; + /^\s*(RPS is .*)/i && + ProcessHistory("COMMENTS","keysort","E2","!Power: $1\n") && next; } ProcessHistory("COMMENTS","","","!\n"); return(0); @@ -928,6 +938,7 @@ last if (/^$prompt/); next if (/^(\s*|\s*$cmd\s*)$/); return(1) if /(Invalid input detected|Type help or )/; + return(1) if ($type =~ /^(3550|4500)$/); #return(1) if ($type !~ /^(2900XL|3500XL|6000)$/); return(-1) if (/command authorization failed/i); # the pager can not be disabled per-session on the PIX --snip-- -afort From bugtraq at porksoda.com Wed Aug 13 15:44:10 2003 
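Review bot: the first hunk ("#!@PERLV_PATH@" replaced by "#!/usr/bin/perl") should be dropped from the patch. The diff headers compare the template bin/rancid.in against a generated ./rancid, so the substituted interpreter path has leaked in; applied to rancid.in it would replace the @PERLV_PATH@ placeholder with one fixed path. Regenerate the diff against a patched copy of rancid.in so only the parser changes remain.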
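Review bot: in the model-detection hunk, the new /WS-C3550/ branch works only because it sits above the existing /WS-C35/ test, which would otherwise type a 3550 as "3500XL"; add a one-line comment on that ordering so a later reorder does not silently undo it. The added /WS-C45/ is likewise a prefix match, so any model string beginning WS-C45 is typed "4500"; either say that is intended in a comment or tighten the pattern.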
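Review bot: in the last hunk, "return(1) if ($type =~ /^(3550|4500)$/);" drops the show vlan output for every 3550 and 4500 on model alone, while the covering mail says this is only appropriate when the VLAN configuration is in the running-config rather than only in flash:vlan.dat. Put that assumption in a comment beside the line, and reconcile it with the commented-out "#return(1) if ($type !~ /^(2900XL|3500XL|6000)$/);" directly below, which makes the same decision by a different type list; one documented list (or a per-device setting, as the mail suggests) is easier to audit than two.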
From: bugtraq at porksoda.com (Bug)
Date: Wed, 13 Aug 2003 08:44:10 -0700
Subject: missed cmds under redhat 9.0
Message-ID: <1060789450.2099.29.camel@blarg.porksoda.com>

I am trying to migrate my rancid collection machine from Solaris 2.8 to Redhat 9.0. The diffs are working, but rancid logs into each cisco router 4 times with the errors -

svl0rtr00: missed cmd(s): show diag,show install active,show controllers cbus
svl0rtr01: missed cmd(s): show diag,show install active,show controllers cbus
svl0rtr02: missed cmd(s): show diag,show install active,show controllers cbus

When I look at the raw dialog, I see the commands are there -

Entry=13: Addr=FFFF.FFFF.FFFF^M
Entry=14: Addr=FFFF.FFFF.FFFF^M
Entry=15: Addr=0000.2100.0000^M
^M
svl0rtr00#show controllers cbus^M
^^M
% Invalid input detected at '^' marker.^M
^M
svl0rtr00#show diagbus^M
^M
svl0rtr00#show diag^M
^M
svl0rtr00#show module^M
% Incomplete command.^M
^M
svl0rtr00#show c7200^M
^^M
% Invalid input detected at '^' marker.^M
^M
svl0rtr00#show vtp status^M
^^M
% Invalid input detected at '^' marker.^M
^M
svl0rtr00#show vlan^M
% Incomplete command.^M
^M
svl0rtr00#write term^M
Building configuration...^M
^M
Current configuration : 11485 bytes^M
!^M
! Last configuration change at 17:12:12 PDT Tue Aug 12 2003^M
! NVRAM config last updated at 17:12:13 PDT Tue Aug 12 2003^M
!^M
version 12.1^M

This setup worked great under solaris, and it still works well for the foundry and extreme gear.

Here's the versions

        solaris  redhat
OS      5.8      9.0
rancid  2.2.2    2.2.2
perl    v5.6.1   v5.8.0
expect  5.38.0   5.38.0

Any help would be appreciated. It looks like it's in the perl parsing the output, but I haven't been able to chase it down.

Thanks
-Mark

From DKing at tiscom.uscg.mil Wed Aug 13 19:52:51 2003
From: DKing at tiscom.uscg.mil (King, David)
Date: Wed, 13 Aug 2003 15:52:51 -0400
Subject: missed cmds under redhat 9.0
Message-ID: <34B5A8CD1EA62E49AFCD4B8AD1B465AD1EB61C@tiscomex.tiscom.uscg.mil>

The perl "study" command appears to cause the problem in RedHat 9. What I have determined at this point is that study in a sub (like sub ShowVersion) causes the regexp not to match when it returns to "main". Therefore a line in the router config is skipped.

Remove "study" from the subs that use it and the problem will go away. (An alternative is to move study after the "last" statement which is a few lines later. This only causes the last line before the next command not to be "studied".)

If you notice, the commands being skipped all follow a command whose output is parsed by a sub that uses study. I haven't determined if this is something specific to the way study is used in rancid or a general RedHat 9/perl 5.8.0 problem.

At least, that worked for me, YMMV,

David King

From randy at psg.com Wed Aug 13 21:22:46 2003
From: randy at psg.com (Randy Bush)
Date: Wed, 13 Aug 2003 14:22:46 -0700
Subject: config fetcher problems - cisco 1760
Message-ID:
From: Randy Bush To: rancid-admin-psgnet at psg.com Subject: config fetcher problems - psgnet Date: Wed, 13 Aug 2003 21:15:26 +0000 The following routers have not been successfully contacted for more than 4 hours. -rw-r----- 1 randy staff 0 Aug 13 07:15 blort.psg.com and yet, from the same host % rancid/bin/clogin -c 'show version;show version' blort.psg.com blort.psg.com spawn ssh -c 3des -x -l randy blort.psg.com randy at blort.psg.com's password: U N A U T H O R I Z E D A C C E S S P R O H I B I T E D blort>enable Password: blort# blort#term length 0 blort#show version Cisco Internetwork Operating System Software IOS (tm) C1700 Software (C1700-K9SV8Y7-M), Version 12.2(15)T5, RELEASE SOFTWARE (fc1) TAC Support: http://www.cisco.com/tac Copyright (c) 1986-2003 by cisco Systems, Inc. Compiled Thu 12-Jun-03 11:04 by eaarmas Image text-base: 0x80008120, data-base: 0x81656784 ROM: System Bootstrap, Version 12.2(4r)XL, RELEASE SOFTWARE (fc1) blort uptime is 2 hours, 41 minutes System returned to ROM by reload System restarted at 18:38:19 UTC Wed Aug 13 2003 System image file is "flash:c1700-k9sv8y7-mz.122-15.T5.bin" This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email to export at cisco.com. cisco 1760 (MPC860P) processor (revision 0x200) with 86184K/12120K bytes of memory. 
Processor board ID VMS05500QEE (2790806760), with hardware revision 0000 MPC860P processor: part number 5, mask 2 Bridging software. X.25 software, Version 3.0.0. 1 FastEthernet/IEEE 802.3 interface(s) 2 Voice FXO interface(s) 32K bytes of non-volatile configuration memory. 16384K bytes of processor board System flash (Read/Write) Configuration register is 0x2102 blort#show version Cisco Internetwork Operating System Software IOS (tm) C1700 Software (C1700-K9SV8Y7-M), Version 12.2(15)T5, RELEASE SOFTWARE (fc1) TAC Support: http://www.cisco.com/tac Copyright (c) 1986-2003 by cisco Systems, Inc. Compiled Thu 12-Jun-03 11:04 by eaarmas Image text-base: 0x80008120, data-base: 0x81656784 ROM: System Bootstrap, Version 12.2(4r)XL, RELEASE SOFTWARE (fc1) blort uptime is 2 hours, 41 minutes System returned to ROM by reload System restarted at 18:38:19 UTC Wed Aug 13 2003 System image file is "flash:c1700-k9sv8y7-mz.122-15.T5.bin" This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email to export at cisco.com. cisco 1760 (MPC860P) processor (revision 0x200) with 86184K/12120K bytes of memory. Processor board ID VMS05500QEE (2790806760), with hardware revision 0000 MPC860P processor: part number 5, mask 2 Bridging software. X.25 software, Version 3.0.0. 
1 FastEthernet/IEEE 802.3 interface(s) 2 Voice FXO interface(s) 32K bytes of non-volatile configuration memory. 16384K bytes of processor board System flash (Read/Write) Configuration register is 0x2102 blort#exit Connection to blort.psg.com closed. From randy at psg.com Thu Aug 14 21:42:13 2003 
From: randy at psg.com (Randy Bush)
Date: Thu, 14 Aug 2003 14:42:13 -0700
Subject: config fetcher problems - cisco 1760
Message-ID:

uh, any help with this, please?

The following routers have not been successfully contacted for more than 4 hours.
-rw-r----- 1 randy staff 0 Aug 13 07:15 blort.psg.com

and yet, from the same host

% rancid/bin/clogin -c 'show version;show version' blort.psg.com
blort.psg.com
spawn ssh -c 3des -x -l randy blort.psg.com
randy at blort.psg.com's password:

U N A U T H O R I Z E D A C C E S S P R O H I B I T E D

blort>enable
Password:
blort#
blort#term length 0
blort#show version
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-K9SV8Y7-M), Version 12.2(15)T5, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Thu 12-Jun-03 11:04 by eaarmas
Image text-base: 0x80008120, data-base: 0x81656784

ROM: System Bootstrap, Version 12.2(4r)XL, RELEASE SOFTWARE (fc1)

blort uptime is 2 hours, 41 minutes
System returned to ROM by reload
System restarted at 18:38:19 UTC Wed Aug 13 2003
System image file is "flash:c1700-k9sv8y7-mz.122-15.T5.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export at cisco.com.

cisco 1760 (MPC860P) processor (revision 0x200) with 86184K/12120K bytes of memory. Processor board ID VMS05500QEE (2790806760), with hardware revision 0000 MPC860P processor: part number 5, mask 2 Bridging software. X.25 software, Version 3.0.0. 1 FastEthernet/IEEE 802.3 interface(s) 2 Voice FXO interface(s) 32K bytes of non-volatile configuration memory. 16384K bytes of processor board System flash (Read/Write) Configuration register is 0x2102 blort#show version Cisco Internetwork Operating System Software IOS (tm) C1700 Software (C1700-K9SV8Y7-M), Version 12.2(15)T5, RELEASE SOFTWARE (fc1) TAC Support: http://www.cisco.com/tac Copyright (c) 1986-2003 by cisco Systems, Inc. Compiled Thu 12-Jun-03 11:04 by eaarmas Image text-base: 0x80008120, data-base: 0x81656784 ROM: System Bootstrap, Version 12.2(4r)XL, RELEASE SOFTWARE (fc1) blort uptime is 2 hours, 41 minutes System returned to ROM by reload System restarted at 18:38:19 UTC Wed Aug 13 2003 System image file is "flash:c1700-k9sv8y7-mz.122-15.T5.bin" This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email to export at cisco.com. cisco 1760 (MPC860P) processor (revision 0x200) with 86184K/12120K bytes of memory. 
Processor board ID VMS05500QEE (2790806760), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
2 Voice FXO interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

blort#exit
Connection to blort.psg.com closed.

From arnold at nipper.de Thu Aug 14 21:53:54 2003
From: arnold at nipper.de (Nipper, Arnold)
Date: Thu, 14 Aug 2003 23:53:54 +0200
Subject: config fetcher problems - cisco 1760
References:
Message-ID: <002f01c362ae$92384a60$6790a8c0@nipper.de>

On Thursday, August 14, 2003 11:42 PM, Randy Bush wrote:
> uh, any help with this, please?
>
> The following routers have not been successfully contacted for
> more than 4 hours.
> -rw-r----- 1 randy staff 0 Aug 13 07:15 blort.psg.com
>

what does your logfile say? I'm having the same problem with C6509 running CatOS and the log file says: "my_c6509: End of run not found". I could not yet figure out what this really means.

Arnold

From randy at psg.com Thu Aug 14 22:00:18 2003
From: randy at psg.com (Randy Bush) Date: Thu, 14 Aug 2003 15:00:18 -0700 Subject: config fetcher problems - cisco 1760 References: <002f01c362ae$92384a60$6790a8c0@nipper.de> Message-ID: >> The following routers have not been successfully contacted for >> more than 4 hours. >> -rw-r----- 1 randy staff 0 Aug 13 07:15 blort.psg.com > what does you logfile say? i knew there was more information hiding somewhere. Trying to get all of the configs. can not find channel named "exp3" while executing "close" ("foreach" body line 110) invoked from within "foreach router [lrange $argv $i end] { set router [string tolower $router] send_user "$router\n" # Figure out prompt. # Since autoena..." (file "/usr/home/randy/rancid/bin/hlogin" line 537) ; blort.psg.com clogin error: Error: EOF received blort.psg.com: missed cmd(s): show system-information,write term,show stack,show module,show flash,show version blort.psg.com: End of run not found ===================================== Getting missed routers: round 1. can not find channel named "exp3" while executing "close" ("foreach" body line 110) invoked from within "foreach router [lrange $argv $i end] { set router [string tolower $router] send_user "$router\n" # Figure out prompt. # Since autoena..." (file "/usr/home/randy/rancid/bin/hlogin" line 537) ; blort.psg.com clogin error: Error: EOF received blort.psg.com: missed cmd(s): show system-information,write term,show stack,show module,show flash,show version blort.psg.com: End of run not found ===================================== Getting missed routers: round 2. can not find channel named "exp3" while executing "close" ("foreach" body line 110) invoked from within "foreach router [lrange $argv $i end] { set router [string tolower $router] send_user "$router\n" # Figure out prompt. # Since autoena..." 
(file "/usr/home/randy/rancid/bin/hlogin" line 537) ; blort.psg.com clogin error: Error: EOF received blort.psg.com: missed cmd(s): show system-information,write term,show stack,show module,show flash,show version blort.psg.com: End of run not found ===================================== Getting missed routers: round 3. can not find channel named "exp3" while executing "close" ("foreach" body line 110) invoked from within "foreach router [lrange $argv $i end] { set router [string tolower $router] send_user "$router\n" # Figure out prompt. # Since autoena..." (file "/usr/home/randy/rancid/bin/hlogin" line 537) ; blort.psg.com clogin error: Error: EOF received blort.psg.com: missed cmd(s): show system-information,write term,show stack,show module,show flash,show version blort.psg.com: End of run not found ===================================== Getting missed routers: round 4. can not find channel named "exp3" while executing "close" ("foreach" body line 110) invoked from within "foreach router [lrange $argv $i end] { set router [string tolower $router] send_user "$router\n" # Figure out prompt. # Since autoena..." (file "/usr/home/randy/rancid/bin/hlogin" line 537) ; blort.psg.com clogin error: Error: EOF received blort.psg.com: missed cmd(s): show system-information,write term,show stack,show module,show flash,show version blort.psg.com: End of run not found From heas at shrubbery.net Thu Aug 14 22:25:59 2003 
From: heas at shrubbery.net (john heasley)
Date: Thu, 14 Aug 2003 15:25:59 -0700
Subject: config fetcher problems - cisco 1760
In-Reply-To:
References:
Message-ID: <20030814222559.GC19715@shrubbery.net>

Thu, Aug 14, 2003 at 02:42:13PM -0700, Randy Bush:
> uh, any help with this, please?

been very busy.

> The following routers have not been successfully contacted for
> more than 4 hours.
> -rw-r----- 1 randy staff 0 Aug 13 07:15 blort.psg.com
>
> and yet, from the same host

is there an error in the log file for this device? has collection of this device been successful in the past (i don't have a 1700)?

> % rancid/bin/clogin -c 'show version;show version' blort.psg.com
> blort.psg.com
> spawn ssh -c 3des -x -l randy blort.psg.com
> randy at blort.psg.com's password:
>
> U N A U T H O R I Z E D A C C E S S P R O H I B I T E D
>
> blort>enable
> Password:
> blort#
> blort#term length 0
> blort#show version
> Cisco Internetwork Operating System Software
> IOS (tm) C1700 Software (C1700-K9SV8Y7-M), Version 12.2(15)T5, RELEASE SOFTWARE (fc1)
> TAC Support: http://www.cisco.com/tac
> Copyright (c) 1986-2003 by cisco Systems, Inc.
> Compiled Thu 12-Jun-03 11:04 by eaarmas
> Image text-base: 0x80008120, data-base: 0x81656784
>
> ROM: System Bootstrap, Version 12.2(4r)XL, RELEASE SOFTWARE (fc1)
>
> blort uptime is 2 hours, 41 minutes
> System returned to ROM by reload
> System restarted at 18:38:19 UTC Wed Aug 13 2003
> System image file is "flash:c1700-k9sv8y7-mz.122-15.T5.bin"
>
>
> This product contains cryptographic features and is subject to United
> States and local country laws governing import, export, transfer and
> use. Delivery of Cisco cryptographic products does not imply
> third-party authority to import, export, distribute or use encryption.
> Importers, exporters, distributors and users are responsible for
> compliance with U.S. and local country laws. By using this product you
> agree to comply with applicable laws and regulations.
If you are unable > to comply with U.S. and local laws, return this product immediately. > > A summary of U.S. laws governing Cisco cryptographic products may be found at: > http://www.cisco.com/wwl/export/crypto/tool/stqrg.html > > If you require further assistance please contact us by sending email to > export at cisco.com. > > cisco 1760 (MPC860P) processor (revision 0x200) with 86184K/12120K bytes of memory. > Processor board ID VMS05500QEE (2790806760), with hardware revision 0000 > MPC860P processor: part number 5, mask 2 > Bridging software. > X.25 software, Version 3.0.0. > 1 FastEthernet/IEEE 802.3 interface(s) > 2 Voice FXO interface(s) > 32K bytes of non-volatile configuration memory. > 16384K bytes of processor board System flash (Read/Write) > > Configuration register is 0x2102 > > blort#show version > Cisco Internetwork Operating System Software > IOS (tm) C1700 Software (C1700-K9SV8Y7-M), Version 12.2(15)T5, RELEASE SOFTWARE (fc1) > TAC Support: http://www.cisco.com/tac > Copyright (c) 1986-2003 by cisco Systems, Inc. > Compiled Thu 12-Jun-03 11:04 by eaarmas > Image text-base: 0x80008120, data-base: 0x81656784 > > ROM: System Bootstrap, Version 12.2(4r)XL, RELEASE SOFTWARE (fc1) > > blort uptime is 2 hours, 41 minutes > System returned to ROM by reload > System restarted at 18:38:19 UTC Wed Aug 13 2003 > System image file is "flash:c1700-k9sv8y7-mz.122-15.T5.bin" > > > This product contains cryptographic features and is subject to United > States and local country laws governing import, export, transfer and > use. Delivery of Cisco cryptographic products does not imply > third-party authority to import, export, distribute or use encryption. > Importers, exporters, distributors and users are responsible for > compliance with U.S. and local country laws. By using this product you > agree to comply with applicable laws and regulations. If you are unable > to comply with U.S. and local laws, return this product immediately. > > A summary of U.S. 
laws governing Cisco cryptographic products may be found at: > http://www.cisco.com/wwl/export/crypto/tool/stqrg.html > > If you require further assistance please contact us by sending email to > export at cisco.com. > > cisco 1760 (MPC860P) processor (revision 0x200) with 86184K/12120K bytes of memory. > Processor board ID VMS05500QEE (2790806760), with hardware revision 0000 > MPC860P processor: part number 5, mask 2 > Bridging software. > X.25 software, Version 3.0.0. > 1 FastEthernet/IEEE 802.3 interface(s) > 2 Voice FXO interface(s) > 32K bytes of non-volatile configuration memory. > 16384K bytes of processor board System flash (Read/Write) > > Configuration register is 0x2102 > > blort#exit > Connection to blort.psg.com closed. From heas at shrubbery.net Thu Aug 14 22:33:34 2003 
From: heas at shrubbery.net (john heasley)
Date: Thu, 14 Aug 2003 15:33:34 -0700
Subject: config fetcher problems - cisco 1760
In-Reply-To: <002f01c362ae$92384a60$6790a8c0@nipper.de>
References: <002f01c362ae$92384a60$6790a8c0@nipper.de>
Message-ID: <20030814223334.GD19715@shrubbery.net>

Thu, Aug 14, 2003 at 11:53:54PM +0200, Nipper, Arnold:
> On Thursday, August 14, 2003 11:42 PM, Randy Bush wrote:
> > uh, any help with this, please?
> >
> > The following routers have not been successfully contacted for
> > more than 4 hours.
> > -rw-r----- 1 randy staff 0 Aug 13 07:15 blort.psg.com
> >
>
> what does your logfile say? I'm having the same problem with C6509 running
> CatOS and the log file says: "my_c6509: End of run not found". I could not
> yet figure out what this really means.

"end of run not found" means that either

- a command-line was not found for one (or more) of the commands that cat5rancid issued to (or wants to) the device. eg: show version is supposed to be run, we never saw "prompt> show version". thus, premature disconnection and completely buggered devices do not trigger complete/partial config removal.

- "prompt> exit" was not found, thus assume that somehow the exchange with the device went awry.

- the end of the config (show config) was not found. for catos, that is /^end$/. thus the config was truncated for some reason.

all these measures (and those particular to other devices) are to TRY to ensure that vendor X's UI/whatever bugs and temporary network failures (etc) don't cause diffs.

setenv NOPIPE YES
cat5rancid -dl my_c6509

is often helpful.

From heas at shrubbery.net Thu Aug 14 22:35:10 2003
From: heas at shrubbery.net (john heasley)
Date: Thu, 14 Aug 2003 15:35:10 -0700
Subject: config fetcher problems - cisco 1760
In-Reply-To:
References: <002f01c362ae$92384a60$6790a8c0@nipper.de>
Message-ID: <20030814223510.GE19715@shrubbery.net>

Thu, Aug 14, 2003 at 03:00:18PM -0700, Randy Bush:
> >> The following routers have not been successfully contacted for
> >> more than 4 hours.
> >> -rw-r----- 1 randy staff 0 Aug 13 07:15 blort.psg.com
> > what does your logfile say?
>
> i knew there was more information hiding somewhere.
>
> Trying to get all of the configs.
> can not find channel named "exp3"
> while executing
> "close"
> ("foreach" body line 110)
> invoked from within
> "foreach router [lrange $argv $i end] {
> set router [string tolower $router]
> send_user "$router\n"
>
> # Figure out prompt.
> # Since autoena..."
> (file "/usr/home/randy/rancid/bin/hlogin" line 537)
> ;

blort is an hp? your initial mail indicated a cisco 1700. is the device type incorrect in the router.db file?

From randy at psg.com Thu Aug 14 22:36:27 2003
From: randy at psg.com (Randy Bush)
Date: Thu, 14 Aug 2003 15:36:27 -0700
Subject: config fetcher problems - cisco 1760
References: <002f01c362ae$92384a60$6790a8c0@nipper.de> <20030814223510.GE19715@shrubbery.net>
Message-ID:

> blort is an hp? your initial mail indicated a cisco 1700. is the
> device type incorrect in the router.db file?

thank you

randy

From randy at psg.com Sat Aug 16 03:23:20 2003
From: randy at psg.com (Randy Bush)
Date: Fri, 15 Aug 2003 20:23:20 -0700
Subject: old logs
Message-ID:

any recommendations for aging (== purging) old log files other than something like find -mtime +90 or whatever?

randy

From arnold at nipper.de Sat Aug 16 08:33:42 2003
From: arnold at nipper.de (Nipper, Arnold)
Date: Sat, 16 Aug 2003 10:33:42 +0200
Subject: old logs
References:
Message-ID: <006901c363d1$19d12f00$6590a8c0@notebook>

Randy Bush wrote:
> any recommendations for aging (== purging) old log files other than
> something like find -mtime +90 or whatever?
>

IIRC that's what I found in the documentation

"/usr/bin/find /var/rancid/logs -type f -mtime +2 -exec rm {} \;"

Arnold

From arnold at nipper.de Sat Aug 16 11:03:46 2003
From: arnold at nipper.de (Nipper, Arnold)
Date: Sat, 16 Aug 2003 13:03:46 +0200
Subject: supress diffs for certain config parts (port security CatOS)
Message-ID: <003b01c363e6$118b0fe0$6790a8c0@nipper.de>

Now that rancid is running smooth (thanks to Anchi and John) I would like rancid to not do diffs for certain parts of the config? Why? I'm running port security with dynamic update on the C6509 CatOS boxes and the MAC addresses hence are part of the config. As these are changing frequently rancid sends config diffs almost always.

Is there a knob to turn off diff for certain parts? Or more precisely: where do I have to insert a "grep -v"? Perhaps this could be made a feature. I.e. specify a file with regexp pattern which will be omitted when doing the diff?

Arnold

From afort at choqolat.org Tue Aug 19 00:57:19 2003
From: afort at choqolat.org (Andrew Fort)
Date: Tue, 19 Aug 2003 10:57:19 +1000
Subject: supress diffs for certain config parts (port security CatOS)
In-Reply-To: <003b01c363e6$118b0fe0$6790a8c0@nipper.de>
References: <003b01c363e6$118b0fe0$6790a8c0@nipper.de>
Message-ID: <3F4175EF.6020203@choqolat.org>

Nipper, Arnold wrote:

>Now that rancid is running smooth (thanks to Anchi and John) I would like
>rancid to not do diffs for certain parts of the config? Why? I'm running
>port security with dynamic update on the C6509 CatOS boxes and the MAC
>addresses hence are part of the config. As these are changing frequently
>rancid sends config diffs almost always.
>
>Is there a knob to turn off diff for certain parts? Or more precisely: where
>do I have to insert a "grep -v"? Perhaps this could be made a feature. I.e.
>specify a file with regexp pattern which will be omitted when doing the
>diff?
>
>
>Arnold
>
>

Hi Arnold - if this fits in with your environment (i.e., the person complaining of the constant diffage uses procmail) you could use a procmail filter, as suggested by John in the archives.

See: http://www.shrubbery.net/pipermail/rancid-discuss/2002-September/000253.html and search for "almost all bgp speakers" in that (that text is at the end of the relevant post).

This doesn't stop the diffage, but you'll only get email about diffage that you care about.

cheers
-afort

From steve at smiller.org Fri Aug 22 05:05:51 2003
From: steve at smiller.org (Stephen Miller)
Date: Thu, 21 Aug 2003 22:05:51 -0700
Subject: problem parsing config file on Nortel Passport
Message-ID: <20030822045754.M94842@smiller.org>

Hey,

I've got an issue with grabbing the configs for a Nortel Passport 8006 switch.

I have modified blogin to successfully login and set the terminal length to 0
and I can use "blogin -c "show config" switch" and it works...but when I try
brancid on the switch it does not grab the configuration.

I tried to modify the sub ShowConfig in brancid...but with no luck. Here is a
snippet of the switch config:

it begins:

switch:5# show config
Preparing to Display Configuration...
#
# FRI AUG 22 12:43:02 2003 IST
# box type : Passport-8006
# software version : 3.3.0.0
# monitor version : 3.3.0.0
#

#
# Asic Info :
# SlotNum |Name |CardType |MdaType |Parts Description
#
# Slot 1 8608GBE 0x20325108 0x00000000 IOM: GMAC=5 BFM: OP=3 TMUX=2 RARU=4 CPLD=5
# Slot 2 8608GBE 0x20325108 0x00000000 IOM: GMAC=5 BFM: OP=3 TMUX=2 RARU=4 CPLD=5


and ends with:

#
# NTP CONFIGURATION
#

ntp enable true
ntp server create

back
switch# logout

-- Could you point me in the right direction as to what to modify within
brancid to have it parse the configuration?

thanks,

Steve

-----------------------------
"Let's get dangerous" |
Darkwing Dark |
-----------------------------

From heas at shrubbery.net Fri Aug 22 19:24:53 2003
From: heas at shrubbery.net (john heasley)
Date: Fri, 22 Aug 2003 12:24:53 -0700
Subject: problem parsing config file on Nortel Passport
In-Reply-To: <20030822045754.M94842@smiller.org>
References: <20030822045754.M94842@smiller.org>
Message-ID: <20030822192453.GF4819@shrubbery.net>

Thu, Aug 21, 2003 at 10:05:51PM -0700, Stephen Miller:
> Hey,
>
> I've got an issue with grabbing the configs for a Nortel Passport 8006 switch.
>
> I have modified blogin to successfully login and set the terminal length to 0
> and I can use "blogin -c "show config" switch" and it works...but when I try
> brancid on the switch it does not grab the configuration.
>
> I tried to modify the sub ShowConfig in brancid...but with no luck. Here is a
> snippet of the switch config:
>
> it begins:
>
> switch:5# show config
> Preparing to Display Configuration...
> #
> # FRI AUG 22 12:43:02 2003 IST
> # box type : Passport-8006
> # software version : 3.3.0.0
> # monitor version : 3.3.0.0
> #
>
> #
> # Asic Info :
> # SlotNum |Name |CardType |MdaType |Parts Description
> #
> # Slot 1 8608GBE 0x20325108 0x00000000 IOM: GMAC=5 BFM: OP=3 TMUX=2
> RARU=4 CPLD=5
> # Slot 2 8608GBE 0x20325108 0x00000000 IOM: GMAC=5 BFM: OP=3 TMUX=2
> RARU=4 CPLD=5
>
>
> and ends with:
>
> #
> # NTP CONFIGURATION
> #
>
> ntp enable true
> ntp server create
>
> back
> switch# logout
>
> -- Could you point me in the right direction as to what to modify within
> brancid to have it parse the configuration?

brancid should return an error message when it fails. This would help
identify the problem, if you can post it here. helpful debugging process
is

	blogin -c 'cmd;cmd;cmd;...' router > router
	brancid -dlf router

which will produce a trace of sorts, any error msgs, and a router.new file
that will likely be truncated and provide hints of what triggered the
failure.

my best guess is that the last statement in ShowConfig is incorrect or
incorrectly placed. perhaps it should be
	if (/^(exit|back)$/)
and be within the while loop.

however, i do not know the syntactical purpose of 'back' on the nortel. It
would seem that it may be used to traverse up the configuration "stack", in
which case brancid would need to detect whether a particular instance of
'back' indicated the end of a configuration or the end of a paragraph; WAG
example, the end of a vlan config:

	...
	vlan 1
	stp disable
	back
	vlan 2
	...
	back
	ntp enable true
	ntp server create
	back (aka EOF)

hope this helps.

From heas at shrubbery.net Fri Aug 22 23:57:16 2003
From: heas at shrubbery.net (john heasley)
Date: Fri, 22 Aug 2003 16:57:16 -0700
Subject: How to suppress CatOS port security changes (was Re: config fetcher problems - cisco 1760)
In-Reply-To: <00d201c36347$79b72760$6790a8c0@nipper.de>
References: <002f01c362ae$92384a60$6790a8c0@nipper.de> <20030814223334.GD19715@shrubbery.net> <00d201c36347$79b72760$6790a8c0@nipper.de>
Message-ID: <20030822235716.GN4819@shrubbery.net>

Fri, Aug 15, 2003 at 06:08:02PM +0200, Nipper, Arnold:
> John,
>
> thanks for the help. Actually I guess the patch provided by Anchi did the
> trick. No complaints since. While we are at it ... We are running port
> security on the CatOS switches and the actual MAC entries are stored in the
> config files. As MACs are changing frequently we get a lot of mails with
> just the MAC entries having changed. I would like to suppress changes for
>
> - set port security 4/48 x-x-x-x-x-x
> set port security 4/48 y-y-y-y-y-y
> + set port security 4/48 z-z-z-z-z-z
>
> Is there a simple trick to do so?

I have never used this stuff. If it learns these MACs completely dynamically,
then cat5rancid should filter them. from the docs, it seems that it is also
possible to configure static MACs, which we should not filter. what is the
difference between the config syntax?

From arnold at nipper.de Sat Aug 23 00:10:40 2003
From: arnold at nipper.de (Nipper, Arnold)
Date: Sat, 23 Aug 2003 02:10:40 +0200
Subject: How to suppress CatOS port security changes (was Re: config fetcher problems - cisco 1760)
References: <002f01c362ae$92384a60$6790a8c0@nipper.de> <20030814223334.GD19715@shrubbery.net> <00d201c36347$79b72760$6790a8c0@nipper.de> <20030822235716.GN4819@shrubbery.net>
Message-ID: <001701c3690a$fdb4cd60$6790a8c0@nipper.de>

On Saturday, August 23, 2003 1:57 AM, john heasley wrote:

> Fri, Aug 15, 2003 at 06:08:02PM +0200, Nipper, Arnold:
>> John,
>>
>> thanks for the help. Actually I guess the patch provided by Anchi did the
>> trick. No complaints since. While we are at it ... We are running port
>> security on the CatOS switches and the actual MAC entries are stored in the
>> config files. As MACs are changing frequently we get a lot of mails with
>> just the MAC entries having changed. I would like to suppress changes for
>>
>> - set port security 4/48 x-x-x-x-x-x
>> set port security 4/48 y-y-y-y-y-y
>> + set port security 4/48 z-z-z-z-z-z
>>
>> Is there a simple trick to do so?
>
> I have never used this stuff. If it learns these MACs completely dynamically,
> then cat5rancid should filter them. from the docs, it seems that it is also
> possible to configure static MACs, which we should not filter. what is the
> difference between the config syntax?

Actually configuration is done via

set port security 3/1 enable age 10 maximum 1 shutdown 0 violation restrict

That means: allow 1 MAC address on port 3/1 and forget about it if there is
no traffic for 10 minutes. If you see traffic from another MAC silently
ignore. Hence MACs are learnt dynamically which makes replacements much
easier. Though all MAC addresses currently known on port-security-enabled
ports show up as static entries in the config.


Arnold

From heas at shrubbery.net Sat Aug 23 18:25:54 2003
From: heas at shrubbery.net (john heasley)
Date: Sat, 23 Aug 2003 11:25:54 -0700
Subject: How to suppress CatOS port security changes (was Re: config fetcher problems - cisco 1760)
In-Reply-To: <001701c3690a$fdb4cd60$6790a8c0@nipper.de>
References: <002f01c362ae$92384a60$6790a8c0@nipper.de> <20030814223334.GD19715@shrubbery.net> <00d201c36347$79b72760$6790a8c0@nipper.de> <20030822235716.GN4819@shrubbery.net> <001701c3690a$fdb4cd60$6790a8c0@nipper.de>
Message-ID: <20030823182554.GY4819@shrubbery.net>

Sat, Aug 23, 2003 at 02:10:40AM +0200, Nipper, Arnold:
> >> - set port security 4/48 x-x-x-x-x-x
> >> set port security 4/48 y-y-y-y-y-y
> >> + set port security 4/48 z-z-z-z-z-z
> >>
> >> Is there a simple trick to do so?
> >
> > I have never used this stuff. If it learns these MACs completely
> dynamically,
> > then cat5rancid should filter them. from the docs, it seems that it is
> also
> > possible to configure static MACs, which we should not filter. what is
> the
> > difference between the config syntax?
>
> Actually configuration is done via
>
> set port security 3/1 enable age 10 maximum 1 shutdown 0 violation restrict
>
> That means: allow 1 MAC address on port 3/1 and forget about it if there is
> no traffic for 10 minutes. If you see traffic from another MAC silently
> ignore. Hence MACs are learnt dynamically which makes replacements much
> easier. Though all MAC addresses currently known on port-security-enabled
> ports show up as static entries in the config.

the following should filter them. please let me know if that works. thanks!

Index: cat5rancid.in =================================================================== RCS file: /home/rancid/.CVS/rancid/bin/cat5rancid.in,v retrieving revision 1.29 diff -c -r1.29 cat5rancid.in *** cat5rancid.in 23 Aug 2003 18:18:10 -0000 1.29 --- cat5rancid.in 23 Aug 2003 18:21:33 -0000 *************** *** 865,870 **** --- 865,871 ---- next; } /fair-queue individual-limit/ && next; + /^ set port security \d+\/\d+ \S+-\S+\-/ && next; # sort ip explicit-paths. if (/^ip explicit-path name (\S+)/) { my($key) = $1;

From heas at shrubbery.net Sat Aug 23 18:48:09 2003
From: heas at shrubbery.net (john heasley)
Date: Sat, 23 Aug 2003 11:48:09 -0700
Subject: supress diffs for certain config parts (port security CatOS)
In-Reply-To: <003b01c363e6$118b0fe0$6790a8c0@nipper.de>
References: <003b01c363e6$118b0fe0$6790a8c0@nipper.de>
Message-ID: <20030823184809.GB4819@shrubbery.net>

Sat, Aug 16, 2003 at 01:03:46PM +0200, Nipper, Arnold:
> Now that rancid is running smooth (thanks to Anchi and John) I would like
> rancid to not do diffs for certain parts of the config? Why? I'm running
> port security with dynamic update on the C6509 CatOS boxes and the MAC
> addresses hence are part of the config. As these are changing frequently
> rancid sends config diffs almost always.
>
> Is there a knob to turn off diff for certain parts? Or more precisely: where
> do I have to insert a "grep -v"? Perhaps this could be made a feature. I.e.
> specify a file with regexp pattern which will be omitted when doing the
> diff?

fwiw, It is a goal to add more configurability, likely in/to become 3.0.

From heas at shrubbery.net Sat Aug 23 19:13:36 2003
From: heas at shrubbery.net (john heasley)
Date: Sat, 23 Aug 2003 12:13:36 -0700
Subject: missed cmds under redhat 9.0
In-Reply-To: <34B5A8CD1EA62E49AFCD4B8AD1B465AD1EB61C@tiscomex.tiscom.uscg.mil>
References: <34B5A8CD1EA62E49AFCD4B8AD1B465AD1EB61C@tiscomex.tiscom.uscg.mil>
Message-ID: <20030823191336.GC4819@shrubbery.net>

Wed, Aug 13, 2003 at 03:52:51PM -0400, King, David:
> The perl "study" command appears to cause the problem in RedHat 9. What I
> have determined at this point is that study in a sub (like sub ShowVersion)
> causes the regexp not to match when it returns to "main". Therefore a line
> in the router config is skipped. Remove "study" from the subs that use it
> and the problem will go away. (An alternative is to move study after the
> "last" statement which is a few lines later. This only causes the last line
> before the next command not to be "studied".)
>
> If you notice, the commands being skipped all follow a command whose output
> is parsed by a sub that uses study.
>
> I haven't determined if this is something specific to the way study is used
> in rancid or a general RedHat 9/perl 5.8.0 problem.
>
> At least, that worked for me, YMMV,
> David King

use of study was a prayer of squeezing a little more out of perl. :) i have
removed them. thanks.

From arnold at nipper.de Sun Aug 24 19:40:04 2003
From: arnold at nipper.de (Nipper, Arnold)
Date: Sun, 24 Aug 2003 21:40:04 +0200
Subject: How to suppress CatOS port security changes (was Re: config fetcher problems - cisco 1760)
References: <002f01c362ae$92384a60$6790a8c0@nipper.de> <20030814223334.GD19715@shrubbery.net> <00d201c36347$79b72760$6790a8c0@nipper.de> <20030822235716.GN4819@shrubbery.net> <001701c3690a$fdb4cd60$6790a8c0@nipper.de> <20030823182554.GY4819@shrubbery.net>
Message-ID: <003801c36a77$856cac10$6790a8c0@nipper.de>

On Saturday, August 23, 2003 8:25 PM, john heasley wrote:

>> the following should filter them. please let me know if that works.
> thanks!
>

Thanks! Works great :-))

Arnold
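
Review bot: The one added line in the cat5rancid.in patch of 23 Aug, `/^ set port security \d+\/\d+ \S+-\S+\-/ && next;`, drops every "set port security <mod>/<port> <MAC>" entry, statically configured MACs included, with no comment saying so. Earlier in this thread static MACs were named as the entries "which we should not filter", and Arnold reports that learned addresses show up as static entries, so the two cannot be separated by syntax; a comment above the line, in the style of the neighbouring "# sort ip explicit-paths.", should record that changes to static port-security MACs will no longer appear in diffs. The match is also looser than needed: `\S+-\S+\-` accepts any token with two hyphens, so anchoring it to six hyphen-separated hex octets and the end of the line would protect option lines such as "set port security 3/1 enable age 10 ..." if a hyphenated keyword ever follows the port, and the backslash before the last hyphen is unnecessary. The pattern as archived also has a space between `^` and `set`, while the config lines quoted in the thread begin with "set"; worth confirming against the committed file that this is an artifact of the archive.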
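
Arnold's request in this thread for a pattern file whose matches are left out before diffing, as an added shell example (not rancid code and not from any poster). The file names, the MAC values (documentation range) and all three snapshots are constructed; the policy line is the one quoted in the thread, and the six-octet hyphenated MAC format is an assumption.

```shell
#!/bin/sh
# Added example; every file written below is constructed sample data.
work=$(mktemp -d) || exit 1
trap 'rm -rf "$work"' EXIT

# Strict: only "set port security <mod>/<port> <MAC>", MAC assumed to be six
# hyphen-separated hex octets. Policy lines on the same port do not match.
cat > "$work/strict.pat" <<'EOF'
^set port security [0-9]+/[0-9]+ ([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}[[:space:]]*$
EOF
# Over-broad, for comparison: matches every port-security line.
cat > "$work/loose.pat" <<'EOF'
^set port security[[:space:]]
EOF

cat > "$work/old.cfg" <<'EOF'
set port security 3/1 enable age 10 maximum 1 shutdown 0 violation restrict
set port security 3/1 00-00-5e-00-53-01
EOF
# Same policy, different learned MAC.
cat > "$work/churn.cfg" <<'EOF'
set port security 3/1 enable age 10 maximum 1 shutdown 0 violation restrict
set port security 3/1 00-00-5e-00-53-02
EOF
# Violation mode edited, different learned MAC.
cat > "$work/policy.cfg" <<'EOF'
set port security 3/1 enable age 10 maximum 1 shutdown 0 violation shutdown
set port security 3/1 00-00-5e-00-53-02
EOF

# strip_lines PATTERNS CONFIG: print CONFIG without lines matching any pattern.
strip_lines() {
    # grep exits 1 when nothing is left to print; that is not an error here.
    grep -Ev -f "$1" "$2" || true
}

# config_changed PATTERNS OLD NEW: print "changed" or "same" after filtering.
config_changed() {
    if [ "$(strip_lines "$1" "$2")" = "$(strip_lines "$1" "$3")" ]; then
        echo same
    else
        echo changed
    fi
}

echo "strict, MAC churn only: $(config_changed "$work/strict.pat" "$work/old.cfg" "$work/churn.cfg")"
echo "strict, policy edit:    $(config_changed "$work/strict.pat" "$work/old.cfg" "$work/policy.cfg")"
echo "loose,  policy edit:    $(config_changed "$work/loose.pat" "$work/old.cfg" "$work/policy.cfg")"
```

The third case is the one to watch: a pattern that matches the whole "set port security" prefix hides the violation-mode edit along with the MAC churn.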