[rancid] Re: Problem getting config from Cisco ASA firewalls

Ronni Jensen ronnij at gmail.com
Thu Dec 17 11:20:20 UTC 2009


Oh, it also got onto the box before, it's just the enable part that seems to
be the problem.. This is without debug stuff:


[rancid at LinuxSrv ~]$ /usr/libexec/rancid/clogin -t 10 192.168.1.2
192.168.1.2
spawn telnet 192.168.1.2
Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.

User Access Verification
Password:
Type help or '?' for a list of available commands.
ASAFW01>
Error: TIMEOUT reached
[rancid at LinuxSrv ~]$




On Thu, Dec 17, 2009 at 11:36 AM, William <willay at gmail.com> wrote:

> so it's getting onto the box now... but doesn't enable... what's the
> output without all the debug junk?
>
> 2009/12/17 Ronni Jensen <ronnij at gmail.com>:
> > It's like it never gets to the enable-part.. Here is the debug output of a
> > manual clogin run:
> >
> >
> > [rancid at LinuxSrv ~]$ /usr/libexec/rancid/clogin -d -t 10 10.10.1.2
> > 10.10.1.2
> > spawn telnet 10.10.1.2
> > parent: waiting for sync byte
> > parent: telling child to go ahead
> > parent: now unsynchronized from child
> > spawn: returns {13658}
> > expect: does "" (spawn_id exp4) match regular expression "(Connection
> > refused|Secure connection [^\n\r]+ refused)"? no
> > "(Connection closed by|Connection to [^\n\r]+ closed)"? no
> > expect: does "" (spawn_id exp4) match glob pattern "unknown host\r"? no
> > expect: does "" (spawn_id exp4) match glob pattern "Host is unreachable"?
> no
> > "No address associated with name"? no
> > "(Host key not found |The authenticity of host .* be
> > established).*(yes/no)?"? no
> > "HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
> > "Offending key for .* (yes/no)?"? no
> > "(denied|Sorry)"? no
> > "Login failed"? no
> > "% (Bad passwords|Authentication failed)"? no
> > "Press any key to continue"? no
> > "Enter Selection: "? no
> > "Last login:"? no
> > "@[^\r\n]+ ([Pp]assword|passwd):"? no
> > "pix"? no
> > "([Pp]assword|passwd):"? no
> > "(#| \(enable\))"? no
> > "Login invalid"? no
> > Trying 10.10.1.2...
> > Connected to 10.10.1.2.
> > Escape character is '^]'.
> > expect: does "Trying 10.10.1.2...\r\r\nConnected to
> 10.10.1.2.\r\r\nEscape
> > character is '^]'.\r\r\n" (spawn_id exp4) match regular expression
> > "(Connection refused|Secure connection [^\n\r]+ refused)"? no
> > "(Connection closed by|Connection to [^\n\r]+ closed)"? no
> > expect: does "Trying 10.10.1.2...\r\r\nConnected to
> 10.10.1.2.\r\r\nEscape
> > character is '^]'.\r\r\n" (spawn_id exp4) match glob pattern "unknown
> > host\r"? no
> > expect: does "Trying 10.10.1.2...\r\r\nConnected to
> 10.10.1.2.\r\r\nEscape
> > character is '^]'.\r\r\n" (spawn_id exp4) match glob pattern "Host is
> > unreachable"? no
> > "No address associated with name"? no
> > "(Host key not found |The authenticity of host .* be
> > established).*(yes/no)?"? no
> > "HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
> > "Offending key for .* (yes/no)?"? no
> > "(denied|Sorry)"? no
> > "Login failed"? no
> > "% (Bad passwords|Authentication failed)"? no
> > "Press any key to continue"? no
> > "Enter Selection: "? no
> > "Last login:"? no
> > "@[^\r\n]+ ([Pp]assword|passwd):"? no
> > "pix"? no
> > "([Pp]assword|passwd):"? no
> > "(#| \(enable\))"? no
> > "Login invalid"? no
> > User Access Verification
> > Password:
> > expect: does "Trying 10.10.1.2...\r\r\nConnected to
> 10.10.1.2.\r\r\nEscape
> > character is '^]'.\r\r\n\r\n\r\nUser Access Verification\r\n\r\nPassword:
> "
> > (spawn_id exp4) match regular expression "(Connection refused|Secure
> > connection [^\n\r]+ refused)"? no
> > "(Connection closed by|Connection to [^\n\r]+ closed)"? no
> > expect: does "Trying 10.10.1.2...\r\r\nConnected to
> 10.10.1.2.\r\r\nEscape
> > character is '^]'.\r\r\n\r\n\r\nUser Access Verification\r\n\r\nPassword:
> "
> > (spawn_id exp4) match glob pattern "unknown host\r"? no
> > expect: does "Trying 10.10.1.2...\r\r\nConnected to
> 10.10.1.2.\r\r\nEscape
> > character is '^]'.\r\r\n\r\n\r\nUser Access Verification\r\n\r\nPassword:
> "
> > (spawn_id exp4) match glob pattern "Host is unreachable"? no
> > "No address associated with name"? no
> > "(Host key not found |The authenticity of host .* be
> > established).*(yes/no)?"? no
> > "HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
> > "Offending key for .* (yes/no)?"? no
> > "(denied|Sorry)"? no
> > "Login failed"? no
> > "% (Bad passwords|Authentication failed)"? no
> > "Press any key to continue"? no
> > "Enter Selection: "? no
> > "Last login:"? no
> > "@[^\r\n]+ ([Pp]assword|passwd):"? no
> > "pix"? no
> > "([Pp]assword|passwd):"? yes
> > expect: set expect_out(0,string) "Password:"
> > expect: set expect_out(1,string) "Password"
> > expect: set expect_out(spawn_id) "exp4"
> > expect: set expect_out(buffer) "Trying 10.10.1.2...\r\r\nConnected to
> > 10.10.1.2.\r\r\nEscape character is '^]'.\r\r\n\r\n\r\nUser Access
> > Verification\r\n\r\nPassword:"
> > send: sending "exec_pass\r" to { exp4 }
> > expect: continuing expect
> > expect: does " " (spawn_id exp4) match regular expression "(Connection
> > refused|Secure connection [^\n\r]+ refused)"? no
> > "(Connection closed by|Connection to [^\n\r]+ closed)"? no
> > expect: does " " (spawn_id exp4) match glob pattern "unknown host\r"? no
> > expect: does " " (spawn_id exp4) match glob pattern "Host is
> unreachable"?
> > no
> > "No address associated with name"? no
> > "(Host key not found |The authenticity of host .* be
> > established).*(yes/no)?"? no
> > "HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
> > "Offending key for .* (yes/no)?"? no
> > "(denied|Sorry)"? no
> > "Login failed"? no
> > "% (Bad passwords|Authentication failed)"? no
> > "Press any key to continue"? no
> > "Enter Selection: "? no
> > "Last login:"? no
> > "@[^\r\n]+ ([Pp]assword|passwd):"? no
> > "pix"? no
> > "([Pp]assword|passwd):"? no
> > "(#| \(enable\))"? no
> > "Login invalid"? no
> > expect: does " \r\n" (spawn_id exp4) match regular expression
> "(Connection
> > refused|Secure connection [^\n\r]+ refused)"? no
> > "(Connection closed by|Connection to [^\n\r]+ closed)"? no
> > expect: does " \r\n" (spawn_id exp4) match glob pattern "unknown host\r"?
> no
> > expect: does " \r\n" (spawn_id exp4) match glob pattern "Host is
> > unreachable"? no
> > "No address associated with name"? no
> > "(Host key not found |The authenticity of host .* be
> > established).*(yes/no)?"? no
> > "HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
> > "Offending key for .* (yes/no)?"? no
> > "(denied|Sorry)"? no
> > "Login failed"? no
> > "% (Bad passwords|Authentication failed)"? no
> > "Press any key to continue"? no
> > "Enter Selection: "? no
> > "Last login:"? no
> > "@[^\r\n]+ ([Pp]assword|passwd):"? no
> > "pix"? no
> > "([Pp]assword|passwd):"? no
> > "(#| \(enable\))"? no
> > "Login invalid"? no
> > Type help or '?' for a list of available commands.
> > ASAFW01>
> > expect: does " \r\nType help or '?' for a list of available
> > commands.\r\n\rASAFW01> " (spawn_id exp4) match regular expression
> > "(Connection refused|Secure connection [^\n\r]+ refused)"? no
> > "(Connection closed by|Connection to [^\n\r]+ closed)"? no
> > expect: does " \r\nType help or '?' for a list of available
> > commands.\r\n\rASAFW01> " (spawn_id exp4) match glob pattern "unknown
> > host\r"? no
> > expect: does " \r\nType help or '?' for a list of available
> > commands.\r\n\rASAFW01> " (spawn_id exp4) match glob pattern "Host is
> > unreachable"? no
> > "No address associated with name"? no
> > "(Host key not found |The authenticity of host .* be
> > established).*(yes/no)?"? no
> > "HOST IDENTIFICATION HAS CHANGED.* (yes/no)?"? no
> > "Offending key for .* (yes/no)?"? no
> > "(denied|Sorry)"? no
> > "Login failed"? no
> > "% (Bad passwords|Authentication failed)"? no
> > "Press any key to continue"? no
> > "Enter Selection: "? no
> > "Last login:"? no
> > "@[^\r\n]+ ([Pp]assword|passwd):"? no
> > "pix"? no
> > "([Pp]assword|passwd):"? no
> > "(#| \(enable\))"? no
> > "Login invalid"? no
> > expect: timed out
> > Error: TIMEOUT reached
> > [rancid at LinuxSrv ~]$
> >
> >
> >
> > On Thu, Dec 17, 2009 at 11:03 AM, William <willay at gmail.com> wrote:
> >>
> >> Ronni,
> >>
> >> Try running the clogin program manually, for example type from the
> >> command prompt (as the rancid user):
> >>
> >> clogin 10.10.1.2
> >>
> >> and paste the output?
> >>
> >> Cheers,
> >>
> >>
> >>
> >> 2009/12/17 Ronni Jensen <ronnij at gmail.com>:
> >> > Hi,
> >> >
> >> > I tried with the example you wrote, but it didn't change anything.. I
> >> > still get the "clogin error: Error: TIMEOUT reached" errors in the logfile.
> >> >
> >> > Any other suggestions how I can fix the error?
> >> >
> >> > Best regards,
> >> > Ronni
> >> >
> >> > On Thu, Dec 17, 2009 at 9:10 AM, William <willay at gmail.com> wrote:
> >> >>
> >> >> Ronni,
> >> >>
> >> >> According to your email when accessing the firewall manually there is
> >> >> no autoenable, so I would try the following config for your device:
> >> >>
> >> >> add userprompt 10.10.1.2      pix
> >> >> add method 10.10.1.2          telnet
> >> >> add password 10.10.1.2        {exec_pass} {enable_pass}
> >> >>
> >> >>
> >> >> hope this helps.
> >> >>
> >> >> Cheers,
> >> >>
> >> >> Will
> >> >>
> >> >> 2009/12/17 Ronni Jensen <ronnij at gmail.com>:
> >> >> > Hi,
> >> >> >
> >> >> > My rancid installation works perfectly for Cisco Catalyst switches
> >> >> > and other stuff too.. but for the Cisco ASA firewalls it fails.. In
> >> >> > the logs, I get the "clogin error: Error: TIMEOUT reached" error.
> >> >> >
> >> >> > .cloginrc for a particular FW looks like:
> >> >> >
> >> >> > add password 10.10.1.2        {exec_pass} {enable_pass}
> >> >> > add method 10.10.1.2          telnet
> >> >> > add autoenable 10.10.1.2      {1}
> >> >> >
> >> >> > I've also tried replacing IP-address with DNS hostname or just using
> >> >> > a wildcard star... no difference. When I telnet directly from the
> >> >> > server to the firewall, the sequence looks like:
> >> >> >
> >> >> >
> >> >> > [me at LinuxSrv ~]$ telnet 192.168.1.2
> >> >> > Trying 10.10.1.2...
> >> >> > Connected to 10.10.1.2.
> >> >> > Escape character is '^]'.
> >> >> > User Access Verification
> >> >> > Password: <TYPING PASSWD>
> >> >> > Type help or '?' for a list of available commands.
> >> >> > UMUSASA01> <TYPING "ENABLE">
> >> >> > Password: *******
> >> >> > UMUSASA01#
> >> >> >
> >> >> > Any ideas?
> >> >> > _______________________________________________
> >> >> > Rancid-discuss mailing list
> >> >> > Rancid-discuss at shrubbery.net
> >> >> > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
> >> >> >
> >> >
> >> >
> >
> >
>
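As an added example (not from the thread, and not part of rancid itself): a small parser for `clogin -d` output that reports what expect last saw when it timed out, so the stalled prompt and the patterns tried against it can be read off instead of scanned by eye. The sample debug text is constructed, condensed from the run quoted above.

```python
import re

# Constructed excerpt in the shape of `clogin -d` output, condensed from the thread's run.
SAMPLE_DEBUG = r'''expect: does "User Access Verification\r\n\r\nPassword: " (spawn_id exp4) match regular expression "([Pp]assword|passwd):"? yes
send: sending "exec_pass\r" to { exp4 }
expect: does " \r\nType help or '?' for a list of available commands.\r\n\rASAFW01> " (spawn_id exp4) match glob pattern "pix"? no
"([Pp]assword|passwd):"? no
"(#| \(enable\))"? no
expect: timed out
Error: TIMEOUT reached
'''

# expect prints one "expect: does ..." line per buffer and pattern group, then
# bare continuation lines for the remaining patterns tried on that buffer.
LINE_RE = re.compile(r'^expect: does "(?P<buf>.*)" \(spawn_id \w+\) match '
                     r'(?:regular expression|glob pattern) "(?P<pat>.*)"\? (?P<res>yes|no)$')
CONT_RE = re.compile(r'^"(?P<pat>.*)"\? (?P<res>yes|no)$')
SEND_RE = re.compile(r'^send: sending "(?P<data>.*)" to \{')

def parse_expect_debug(text):
    """Record what clogin sent, what it matched, and what it last waited on."""
    s = {'sends': [], 'matched': [], 'last_buffer': None,
         'tried_on_last': [], 'timed_out': False}
    for line in text.splitlines():
        m = LINE_RE.match(line) or CONT_RE.match(line)
        if m:
            if 'buf' in m.groupdict() and m['buf'] != s['last_buffer']:
                s['last_buffer'], s['tried_on_last'] = m['buf'], []
            s['tried_on_last'].append((m['pat'], m['res']))
            if m['res'] == 'yes':
                s['matched'].append((m['pat'], s['last_buffer']))
        elif SEND_RE.match(line):
            s['sends'].append(SEND_RE.match(line)['data'])
        elif line.startswith('expect: timed out'):
            s['timed_out'] = True
    return s

def last_prompt(buf):
    """Last line of an expect buffer, with the debug output's literal \\r \\n undone."""
    return buf.replace('\\r', '').split('\\n')[-1].strip()

def diagnose(text):
    """One-line summary of where a timed-out clogin run stalled."""
    s = parse_expect_debug(text)
    if not s['timed_out']:
        return 'no timeout recorded'
    tried = ', '.join(p for p, _ in s['tried_on_last'])
    return 'timed out at prompt %r after %d send(s); none of [%s] matched' % (
        last_prompt(s['last_buffer'] or ''), len(s['sends']), tried)
```

Run it over a saved `clogin -d` transcript; the `send: sending` lines echo the credentials clogin typed, so redact them before sharing a transcript with a list.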