[rancid] Panrancid with PAN 6.0

Chip Pleasants wpleasants at gmail.com
Wed Jun 18 17:27:22 UTC 2014


I can open a ticket, but I'm concerned that I can not show them an example
of it broke besides the script. They may work with me if can't show its
broke manually. Thanks again Doug for assistance.

-Chip
On Jun 18, 2014 1:14 PM, "Hughes, Doug" <Douglas.Hughes at deshawresearch.com>
wrote:

>  EatCommand just takes care of registering and aligning for the next
> command since that command doesn’t produce any ouput, but you still need to
> do something with what echoes back to expect.
>
>
>
> Your below panlogin to firewallv5 worked perfectly.
>
> You can see it repeating each word and building until cli scripting-mode
> is on, and then everything after that works ok.
>
>
>
> Yet it didn’t work for firewallv6. This seems like a bug. I’d open a case
> with support.paloaltonetworks.com to see what’s going on. Something weird
> is causing the cli scripting-mode on to fail.
>
>
>
>
>
> *From:* Chip Pleasants [mailto:wpleasants at gmail.com]
> *Sent:* Wednesday, June 18, 2014 12:12 PM
> *To:* Hughes, Doug
> *Cc:* rancid-discuss at shrubbery.net
> *Subject:* Re: [rancid] Panrancid with PAN 6.0
>
>
>
> I think I see what you are talking about now.  Here are the two examples.
>  One from a version 6 and one from a  version 5.  Now the odd part is when
> I perform this test manually turning on  'set cli scripting-mode on' it
> doesn't auto-complete on versions 6.0.2 or 5.0.11.  Would there be
> a difference with the EatCommand portion of the script?  Thanks for taking
> the time to work with me Doug.
>
>
>
>
>
> [rancid at cmh1vlobs01 rancid]$ /usr/libexec/rancid/panrancid -d
> FIREWALLV5.domain.com
>
> executing panlogin -t 90 -c"set cli scripting-mode on;set cli pager
> off;show system info;show config running" FIREWALLV5.domain.com
>
> line: FIREWALLV5.domain.com
>
> line: rancid at FIREWALLV5(active)>
>
> line: rancid at FIREWALLV5(active)> set rancid at FIREWALLV5(active)> set cli
> rancid at FIREWALLV5(active)> set cli scripting-mode rancid at FIREWALLV5(active)>
> set cli scripting-mode on
>
> PROMPT MATCH: rancid at FIREWALLV5\(active\)[#>]
>
> HIT COMMAND:rancid at FIREWALLV5(active)> set rancid at FIREWALLV5(active)> set
> cli rancid at FIREWALLV5(active)> set cli scripting-mode rancid at FIREWALLV5(active)>
> set cli scripting-mode on
>
>
>
> COMMAND is: set cli scripting-mode on|EatCommand
>
> HIT COMMAND:rancid at FIREWALLV5(active)> set cli pager off
>
>
>
> COMMAND is: set cli pager off|EatCommand
>
> HIT COMMAND:rancid at FIREWALLV5(active)> show system info
>
>
>
> COMMAND is: show system info|ShowInfo
>
>     In ShowInfo:: rancid at FIREWALLV5(active)> show system info
>
> HIT COMMAND:rancid at FIREWALLV5(active)> show config running
>
>
>
> COMMAND is: show config running|ShowConfig
>
>     In ShowConfig: rancid at FIREWALLV5(active)> show config running
>
> line:
>
> exiting
>
> [rancid at cmh1vlobs01 rancid]$
>
>
>
>
>
>
>
> [rancid at cmh1vlobs01 rancid]$ /usr/libexec/rancid/panrancid -d
> FIREWALLV6.domain.com
>
> executing panlogin -t 90 -c"set cli scripting-mode on;set cli pager
> off;show system info;show config running" FIREWALLV6.domain.com
>
> line: FIREWALLV6.domain.com
>
> line: rancid at FIREWALLV6(active)>
>
> line: rancid at FIREWALLV6(active)> set rancid at FIREWALLV6(active)> set cli
> rancid at FIREWALLV6(active)> set cli scripting-mode rancid at FIREWALLV6(active)>
> set cli scripting-mode on
>
> PROMPT MATCH: rancid at FIREWALLV6\(active\)[#>]
>
> HIT COMMAND:rancid at FIREWALLV6(active)> set rancid at FIREWALLV6(active)> set
> cli rancid at FIREWALLV6(active)> set cli scripting-mode rancid at FIREWALLV6(active)>
> set cli scripting-mode on
>
>
>
> COMMAND is: set cli scripting-mode on|EatCommand
>
> HIT COMMAND:rancid at FIREWALLV6(active)> set rancid at FIREWALLV6(active)> set
> cli rancid at FIREWALLV6(active)> set cli pager rancid at FIREWALLV6(active)>
> set cli pager off
>
>
>
> COMMAND is: set cli pager off|EatCommand
>
> HIT COMMAND:rancid at FIREWALLV6(active)> show rancid at FIREWALLV6(active)>
> show system rancid at FIREWALLV6(active)> show system info
>
>
>
> COMMAND is: show system info|ShowInfo
>
>     In ShowInfo:: rancid at FIREWALLV6(active)> show rancid at FIREWALLV6(active)>
> show system rancid at FIREWALLV6(active)> show system info
>
> FIREWALLV6.domain.com: missed cmd(s): show config running
>
> FIREWALLV6.domain.com: missed cmd(s): show config running
>
> FIREWALLV6.domain.com: End of run not found
>
> FIREWALLV6.domain.com: End of run not found
>
> #
>
> [rancid at cmh1vlobs01 rancid]$ !
>
>
>
>
>
>
>
>  -Chip
>
>
>
>
>
> On Wed, Jun 18, 2014 at 11:35 AM, Hughes, Doug <
> Douglas.Hughes at deshawresearch.com> wrote:
>
> It doesn’t look like it is from your very first debugging output:
>
> COMMAND is: show system info|ShowInfo
>     In ShowInfo:: rancid at FIREWALL(active)> show rancid at FIREWALL(active)>
> show system rancid at FIREWALL(active)> show system info
>
>
> if scripting-mode was on, we wouldn’t see the stuff in red. (html mode on
> to read). The fact that the extra prompts show up indicates that it is
> intercepting the spaces and attempting to do ‘helpful command completion’.
>
>
>
>
>
>
>
> *From:* Chip Pleasants [mailto:wpleasants at gmail.com]
> *Sent:* Wednesday, June 18, 2014 8:52 AM
>
>
> *To:* Hughes, Doug
> *Cc:* rancid-discuss at shrubbery.net
> *Subject:* Re: [rancid] Panrancid with PAN 6.0
>
>
>
> It doesn't appear to be a bug, because I think its operating as you
> describe.  When I turn on  'set cli scripting-mode on' it doesn't
> autocomplete on versions 6.0.2 or 5.0.11. Any other thoughts what could be
> going on?
>
>
>
> Thanks,
>
> Chip
>
>
>
>
>
>
>
>
>
> On Tue, Jun 17, 2014 at 3:34 PM, Hughes, Doug <
> Douglas.Hughes at deshawresearch.com> wrote:
>
> Hrm. Yes, I had it correct the first time. (oof, busy day)
>
> ‘on’ is needed to prevent this ‘feature’:
>
> line: rancid at FIREWALL(active)> set rancid at FIREWALL(active)> set cli
> rancid at FIREWALL(active)> set cli pager rancid at FIREWALL(active)> set cli
> pager off
>
> After each space, it does essentially a rewrite of the line as it tried to
> ‘auto-correct’ you from typing the wrong thing. This gets in the way of
> parsing with expect quite heavily, so I attempt to disable it as soon as
> possible. If set cli scripting-mode on does not cause this to stop (and it
> looks like it doesn’t), then that appears to be a bug. You can also see
> this by using type script:
>
> Here’s how it looks at the command line:
> Drdgpfs0002:/tmp$ script
> drdgpfs0002:/tmp$ ssh -l admin paloalto.en
> admin at paloalto.en's password:
> Last login: Tue Jun 17 15:05:06 2014 from drdbcntl.en.desres.deshaw.com
> Welcome admin.
> admin at paloalto.en> set cli scripting-mode on
> admin at paloalto.en> set cli ? <ENTER here>
>
> Invalid syntax.
> admin at paloalto.en> exit
>
>
> Here's how it looks in the corresponding typescript file:
> i Script started on Tue 17 Jun 2014 03:25:13 PM EDT
> drdgpfs0002:/tmp$ ssh -l admin paloalto
> admin at paloalto.en's password: ^M
> Last login: Tue Jun 17 15:05:06 2014 from drdbcntl.en.desres.deshaw.com
> ^M^M
> Welcome admin.^M
> admin at paloalto.en> set ^M^[[Kadmin at paloalto.en> set cli
> ^M^[[Kadmin at paloalto.en>
>  set cli scripting-mode ^M^[[Kadmin at paloalto.en> set cli scripting-mode
> on^M
> admin at paloalto.en> set cli ?^M
> ^M
> Invalid syntax.^M
> admin at paloalto.en> exit^M
> Connection to paloalto.en closed.^M^M
> drdgpfs0002:/tmp$ exit^M^M
> exit^M
>
> Script done on Tue 17 Jun 2014 03:25:34 PM EDT
>
> If 'set cli scripting-mode on' doesn't disable the 'space' feature, then
> the rest of the expect is very iffy at best and difficult to manage
>
> Here's another way to confirm the behavior
>
> Type config <space>
>
> If it autocompletes to 'configure', then cli scripting-mode is not on and
> results *will* vary.
> Disabling the pager is also important since it disables the --more-- when
> show config is running.
>
> I am running 6.0.2 but no HA on PA-3020 and PA-2050
>
>
>
>
> From: Chip Pleasants [mailto:wpleasants at gmail.com]
>
> Sent: Tuesday, June 17, 2014 3:21 PM
>
> To: Hughes, Doug
> Cc: rancid-discuss at shrubbery.net
> Subject: Re: [rancid] Panrancid with PAN 6.0
>
> Tried it on both versions.  Seems like they both yield the same result.
>  Doesn't the script turn cli scripting-mode on? Or do we don't really care
> that's its on or off?
>
>
>
>
> user at FIREWALLV6(active)> set cli scripting-mode off
> user at FIREWALLV6(active)> set cli scripting-mode
>   off   off
>   on    on
>
> user at FIREWALLV6(active)> set cli scripting-mode
>
>
>
>
>
>
> user at FIREWALLV5(active)> set cli scripting-mode off
> user at FIREWALLV5(active)> set cli scripting-mode
>   off   off
>   on    on
>
> user at FIREWALLV5(active)> set cli scripting-mode
>
>
>
> -Chip
>
>
> On Tue, Jun 17, 2014 at 3:10 PM, Hughes, Doug <
> Douglas.Hughes at deshawresearch.com> wrote:
> Sorry, I meant ‘off’, you need to set it to off and then try the ? test.
>
> From: Chip Pleasants [mailto:wpleasants at gmail.com]
> Sent: Tuesday, June 17, 2014 2:48 PM
>
> To: Hughes, Doug
> Cc: rancid-discuss at shrubbery.net
> Subject: Re: [rancid] Panrancid with PAN 6.0
>
> Here's what I get. I get the same result from a version 5.x PA. I removed
> the "set cli scripting-mode on" from the script to test. Version 5.x PA
> works and version 6.x PA end up with the same result.
>
>
> user at FIREWALL(active)> set cli scripting-mode on
> user at FIREWALL(active)> set cli scripting-mode ?
> ? is not one of <on|off>
>
> Invalid syntax.
> user at FIREWALL(active)>
>
>
>
> line: rancid at FIREWALL(active)> set rancid at FIREWALL(active)> set cli
> rancid at FIREWALL(active)> set cli pager rancid at FIREWALL(active)> set cli
> pager off
> PROMPT MATCH: rancid at FIREWALL\(active\)[#>]
> HIT COMMAND:rancid at FIREWALL(active)> set rancid at FIREWALL(active)> set cli
> rancid at FIREWALL(active)> set cli pager rancid at FIREWALL(active)> set cli
> pager off
>
> COMMAND is: set cli pager off|EatCommand
> HIT COMMAND:rancid at FIREWALL(active)> show rancid at FIREWALL(active)> show
> system rancid at FIREWALL(active)> show system info
>
> COMMAND is: show system info|ShowInfo
>     In ShowInfo:: rancid at FIREWALL(active)> show rancid at FIREWALL(active)>
> show system rancid at FIREWALL(active)> show system info
> FIREWALL.dswinc.net: missed cmd(s): show config running
> FIREWALL.dswinc.net: missed cmd(s): show config running
> FIREWALL.dswinc.net: End of run not found
> FIREWALL.dswinc.net: End of run not found
> #
> [rancid at server rancid]$
>
>
>
>
> On Tue, Jun 17, 2014 at 2:28 PM, Hughes, Doug <
> Douglas.Hughes at deshawresearch.com> wrote:
> Ah, you are running in HA mode I see. That could be throwing things off,
> but I think I fixed that in 2013 sometime.
> (I don’t run any in HA)
>
> It looks to me like ‘set cli scripting-mode on’ is failing
>
> To confirm this, login to the PA at command line, then type set cli
> scripting-mode on
>
> Now type “set cli scripting-mode ?”
>
> If you get any sort of command completion, the cli scripting mode setting
> is not working and needs to be turned into a PA bug report. That is what it
> looks like it is happening by looking at the command staggering for
> subsequent lines.
>
> From: Chip Pleasants [mailto:wpleasants at gmail.com]
> Sent: Tuesday, June 17, 2014 1:39 PM
> To: Hughes, Doug
> Cc: rancid-discuss at shrubbery.net
> Subject: Re: [rancid] Panrancid with PAN 6.0
>
> Thanks Doug. I am running the most recent version, but for grins I
> replaced them anyway.  Still seeing the issue on two sets. The others seem
> to work fine. Anything I provide that help find the trouble?
>
> -Chip
>
>
> On Mon, Jun 16, 2014 at 4:37 PM, Hughes, Doug <
> Douglas.Hughes at deshawresearch.com> wrote:
> Yes, it’s working for me. Are you using the latest? (attached)
>
>
> From: Rancid-discuss [mailto:rancid-discuss-bounces at shrubbery.net] On
> Behalf Of Chip Pleasants
> Sent: Monday, June 16, 2014 2:01 PM
> To: rancid-discuss at shrubbery.net
> Subject: [rancid] Panrancid with PAN 6.0
>
> Does anyone have Panrancid working with PAN version 6.0.2?  I have four
> sets running PAN version 5.0.11 without an issues.  Once I upgraded one set
> the script times out. Below is a debug. Let me know if you have any
> questions.
>
> Cheers,
>
> Chip
>
>
> [rancid at cmh1vlobs01 rancid]$ /usr/libexec/rancid/panrancid -d
> cmh1-z4-f01.domain.com
> executing panlogin -t 90 -c"set cli scripting-mode on;set cli pager
> off;show system info;show config running" cmh1-z4-f01.domain.com
> line: cmh1-z4-f01.domain.com
> line: spawn ssh -c 3des -x -l rancid cmh1-z4-f01.domain.com
> line:                                 NOTICE TO USERS
> line:   This is an official computer system and is the property of POOP
> Incorporated.
> line:   It is for authorized users only.  Unauthorized  users are
> prohibited.
> line:   Users (authorized or unauthorized) have no  explicit or implicit
> expectation of
> line:   privacy.  Any or all uses of this system may be subject to one or
> more of the
> line:   following actions:  interception, monitoring, recording, auditing,
> inspection and
> line:   disclosing to security personnel and law enforcement personnel, as
> well as
> line:   authorized officials of other agencies, both domestic and foreign.
> By using this
> line:   system, the user consents to these actions.  Unauthorized or
> improper use of
> line:   this system may result in administrative disciplinary action and
> civil and criminal
> line:   penalties.  By accessing this system you indicate your awareness
> of and
> line:   consent to these terms and conditions of use. Discontinue access
> immediately
> line:   if you do not agree to the conditions stated in this notice.
> line:
> line: Password:
> line: Last login: Mon Jun 16 08:00:00 2014 from cmh1vlobs01.domain.com
> line: Welcome rancid.
> line:
> line: rancid at CMH1-Z4-F01(active)>
> line: rancid at CMH1-Z4-F01(active)>
> line: rancid at CMH1-Z4-F01(active)> set rancid at CMH1-Z4-F01(active)> set cli
> rancid at CMH1-Z4-F01(active)> set cli scripting-mode rancid at CMH1-Z4-F01(active)>
> set cli scripting-mode on
> PROMPT MATCH: rancid at CMH1-Z4-F01\(active\)[#>]
> HIT COMMAND:rancid at CMH1-Z4-F01(active)> set rancid at CMH1-Z4-F01(active)>
> set cli rancid at CMH1-Z4-F01(active)> set cli scripting-mode
> rancid at CMH1-Z4-F01(active)> set cli scripting-mode on
>
> COMMAND is: set cli scripting-mode on|EatCommand
> HIT COMMAND:rancid at CMH1-Z4-F01(active)> set rancid at CMH1-Z4-F01(active)>
> set cli rancid at CMH1-Z4-F01(active)> set cli pager rancid at CMH1-Z4-F01(active)>
> set cli pager off
>
> COMMAND is: set cli pager off|EatCommand
> HIT COMMAND:rancid at CMH1-Z4-F01(active)> show rancid at CMH1-Z4-F01(active)>
> show system rancid at CMH1-Z4-F01(active)> show system info
>
> COMMAND is: show system info|ShowInfo
>     In ShowInfo:: rancid at CMH1-Z4-F01(active)> show rancid at CMH1-Z4-F01(active)>
> show system rancid at CMH1-Z4-F01(active)> show system info
> cmh1-z4-f01.domain.com : missed cmd(s): show config running
> cmh1-z4-f01.domain.com : missed cmd(s): show config running
> cmh1-z4-f01.domain.com : End of run not found
> cmh1-z4-f01.domain.com : End of run not found
>
>
>
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20140618/d5bdf576/attachment.html>


More information about the Rancid-discuss mailing list