[rancid] ASA Config for Rancid

Piegorsch, Weylin William weylin at bu.edu
Tue Sep 12 19:06:20 UTC 2017


Thanks Ryan.  I’m unable to concretely determine a device is an ASA from its domain name, unless I populate .cloginrc with every ASA I have.  I used to do that, but it became cumbersome and at some point it was clear it would no longer scale.  For a while I also went down the path of having a .cloginrc-asa that had the ASA-specific methods and then included .cloginrc, but for similar manageability reasons I had to abandon that approach as well.

Is there a way to do that by some other means?

weylin

From: Dan Anderson <dan.w.anderson at gmail.com>
Date: Monday, September 11, 2017 at 17:01
To: Weylin Piegorsch <weylin at bu.edu>, Ryan West <rwest at zyedge.com>, "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
Subject: Re: [rancid] ASA Config for Rancid

You can set the method for the ASAs to be {ssh,telnet} in your .cloginrc file. I'm on my phone and don't have the exact syntax handy but it's pretty straightforward.

On Mon, Sep 11, 2017 at 4:56 PM Ryan West <rwest at zyedge.com> wrote:
On Mon, Sep 11, 2017 at 16:51:34, Piegorsch, Weylin William wrote:
> Subject: [rancid] ASA Config for Rancid
>
> Cisco question, that I’m having a devil of a time getting a Cisco answer to.
>
> I have several ASAs – some locally connected, some connected at the far end
> of an IPSec tunnel.  In nearly all cases, I can’t get rancid to archive their
> config.  For reasons that don’t relate to the ASA (has to do with the larger
> network as a whole), I need telnet to be the first method, with SSH backup.
> But, the ASAs drop the telnet request, they don’t send a TCP RST packet.  As
> a consequence, rancid times out and considers it an unreachable device.
>
> I’m trying to find a mechanism that doesn’t require specifying custom rancid
> configs for ASAs that are different than anything else.
>

Try to allow telnet access from the remote network as sourced from inside and then use 'management-access inside' and you should be able to telnet to the inside address from across a VPN tunnel.

-ryan
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
--
Dan
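As an added illustration of the .cloginrc method ordering Dan describes (not a fragment from anyone in this thread), the snippet below assumes ASAs can be matched by a hostname pattern, here an invented `asa-*.example.net` naming scheme, which is exactly the per-device listing Weylin says does not scale for him. clogin uses the first `add method` line whose pattern matches the hostname, so the ASA-specific line must precede the catch-all.

```tcl
# Added example .cloginrc fragment, not from the rancid project or this thread.
# Hostnames, the "asa-" prefix and the credential placeholders are assumptions.
# clogin/asalogin take the FIRST matching "add ..." line for a hostname, so
# specific globs must appear above the wildcard "*" entry.

add user        *                    rancid
add password    *                    {LOGIN_PASSWORD_PLACEHOLDER} {ENABLE_PASSWORD_PLACEHOLDER}

# ASAs: try ssh first. The ASA silently drops unexpected telnet SYNs instead
# of sending a RST, so a telnet-first order only burns the connect timeout
# before rancid ever falls back to ssh and marks the device unreachable.
add method      asa-*.example.net    {ssh} {telnet}

# Everything else keeps the telnet-first order the original poster needs,
# with ssh as the backup method.
add method      *                    {telnet} {ssh}
```

Note that this only helps where a hostname glob can single out the ASAs; if the naming scheme gives no such handle, every ASA still needs its own `add method` line, which is the maintenance problem raised in the reply above.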