[rancid] ASA IOS 9.8(2) support?

Gauthier, Chris cgauthier at comscore.com
Tue Sep 12 15:09:23 UTC 2017


Chris Gauthier, Senior Network Engineer | comScore, Inc.
o +1 503-331-2704 | cgauthier at comscore.com
317 SW Alder St, Suite 500 | Portland | OR 97204

From: Wayne Eisenberg <Wayne.Eisenberg at CarolinasIT.com>
Date: Monday, September 11, 2017 at 9:06 PM
To: "Gauthier, Chris" <cgauthier at comscore.com>, "'rancid-discuss at shrubbery.net'" <rancid-discuss at shrubbery.net>
Subject: RE: [rancid] ASA IOS 9.8(2) support?

Here’s the relevant section of .cloginrc:

add method asa {ssh}
add user asa {username}
add password asa {pw_here} {pw_here}
add cyphertype asa {aes256-cbc}
add autoenable asa {0}

Pretty much the same pattern everything else in the file has.

I might be able to try the no login-history command, I don’t think I will be allowed to do the others. (auto-enable)

Isn’t there a verbose mode for one of the rancid commands, like a -vvv or something like that? Is that in clogin?

On CentOS7:
export NOPIPE=YES
rancid -d -t cisco $DeviceFQDN

Look for the $DeviceFQDN.raw and $DeviceFQDN.new files to help with debugging info.  Obviously, substitute your device’s FQDN for $DeviceFQDN.

When done, clear the NOPIPE variable.

Is this fixed in the current version of rancid?

From: Rancid-discuss <rancid-discuss-bounces at shrubbery.net> on behalf of Wayne Eisenberg <Wayne.Eisenberg at CarolinasIT.com>
Date: Sunday, September 10, 2017 at 10:48 PM
To: "'rancid-discuss at shrubbery.net'" <rancid-discuss at shrubbery.net>
Subject: [rancid] ASA IOS 9.8(2) support?

Hi,

I have an ASA firewall running version 9.8(2), and the clogin script is missing something in the sequence such that I don’t get to the enable mode properly.

[rancid3]$ bin/clogin asa
spawn ssh -c aes256-cbc -x -l <username> asa
<username>@asa's password:
User logged in to ASA
Logins over the last 4 days: 28.  Last login: 22:33:20 UTC Sep 10 2017 from x.y.z.a
Failed logins since the last login: 0.  Last failed login: 06:03:53 UTC Sep 8 2017 from x.y.z.a
Type help or '?' for a list of available commands.
ASA> <username>
            ^
ERROR: % Invalid input detected at '^' marker.

Error: Unrecognized command, check your enable command
ASA> <username>
            ^
ERROR: % Invalid input detected at '^' marker.
ASA> enable
Password:
Password:

And that is where it stops (never tries to type in the enable password). If I manually input the enable password that I have in .clogin, it lets me into enable mode. Other ASA’s with older versions work fine, the .clogin file is properly written for this device. Could upgrading to the current version of rancid solve this (currently on v3.1)?

This sounds like it could be related to the .cloginrc file.  What does it look like (obviously obfuscating credentials)?

Thanks,
Wayne

--Chris
