[rancid] ASA Config for Rancid

Piegorsch, Weylin William weylin at bu.edu
Tue Sep 12 19:14:37 UTC 2017


Thanks Ryan.  I hadn’t considered that; largely I’m trying to get away from telnet but it’s an approach that might actually work.

I’ve tried going down the path of “reset outside” on the ASA, but that’s not working as I expect it to :-(

Something I was poking around at.  I did a packet capture, and noted that telnet sends a SYN, 3sec later another SYN, and so forth at 3, 6, 12, 24, and 48 seconds, before finally timing out at 95 seconds or so.  Rancid times out at 90 seconds; is there a way to increase this timeout to perhaps 100sec?  Is that something that can be done in .cloginrc, or perhaps types.conf?  I found some reference to bin/rancid and bin/clogin, but I’m trying to avoid modifying those (or anything in bin).

weylin

-----Original Message-----
From: Ryan West <rwest at zyedge.com>
Date: Monday, September 11, 2017 at 16:56
To: Weylin Piegorsch <weylin at bu.edu>, "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
Subject: RE: ASA Config for Rancid

    On Mon, Sep 11, 2017 at 16:51:34, Piegorsch, Weylin William wrote:
    > Subject: [rancid] ASA Config for Rancid
    > 
    > Cisco question, that I’m having a devil of a time getting a Cisco answer to.
    > 
    > I have several ASAs – some locally connected, some connected at the far end
    > of an IPSec tunnel.  In nearly all cases, I can’t get rancid to archive their
    > config.  For reasons that don’t relate to the ASA (has to do with the larger
    > network as a whole), I need telnet to be the first method, with SSH backup.
    > But, the ASAs drop the telnet request, they don’t send a TCP RST packet.  As
    > a consequence, rancid times out and considers it an unreachable device.
    > 
    > I’m trying to find a mechanism that doesn’t require specifying custom rancid
    > configs for ASAs that are different than anything else.
    > 
    
    Try to allow telnet access from the remote network as sourced from inside and then use 'management-access inside' and you should be able to telnet to the inside address from across a VPN tunnel.
    
    -ryan
    
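The diagnosis in this thread hinges on the difference between a device that rejects a connection (sends a TCP RST, so the client fails immediately) and one that silently drops it (no reply, so the client keeps retransmitting SYNs until its own timeout expires, which here outlasts the collector's 90-second limit). The script below is an added example, not code from rancid or from anyone in this thread; it uses only the Python 3 standard library and makes the distinction explicit by classifying what a TCP connect attempt actually returned, and it computes the cumulative SYN-retransmit schedule so that a collector timeout can be compared against the client's real give-up time. The initial 3-second interval and five doublings are taken from the capture described above; on other operating systems the schedule differs.

```python
import errno
import socket


def classify_tcp_probe(host, port, timeout=3.0):
    """Attempt a TCP connect and report what the far side did.

    Returns one of:
      "open"        - handshake completed
      "closed"      - RST received (device rejected the port)
      "filtered"    - no reply before `timeout` (silently dropped, as the
                      ASA does for telnet in the thread above)
      "unreachable" - local routing error, the packet never left
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


def syn_retransmit_schedule(initial=3, retries=5):
    """Cumulative seconds at which SYN retransmits are sent, assuming the
    interval doubles each time (3, 6, 12, 24, 48 -> 3, 9, 21, 45, 93).

    The last value is roughly when the client gives up; the capture in the
    thread put that at about 95 s."""
    schedule, elapsed, interval = [], 0, initial
    for _ in range(retries):
        elapsed += interval
        schedule.append(elapsed)
        interval *= 2
    return schedule


def collector_timeout_too_short(collector_timeout, schedule):
    """True when the collector (rancid here) would give up before the client
    itself would, so a dropped connection is reported as 'unreachable'
    rather than the backup method ever being attempted."""
    return collector_timeout < schedule[-1]


def open_local_listener():
    """Helper for a self-contained demonstration: a listener on a random
    loopback port, so an 'open' and then a 'closed' probe can be observed
    without any external device."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = open_local_listener()
    print("listening port:", classify_tcp_probe("127.0.0.1", port))
    srv.close()
    print("closed port:   ", classify_tcp_probe("127.0.0.1", port))
    sched = syn_retransmit_schedule()
    print("SYN retransmits at (s):", sched)
    print("90 s collector timeout too short:",
          collector_timeout_too_short(90, sched))
```

Run against a real device address with a port that is being silently dropped, the probe returns "filtered" only after the full `timeout`, whereas a port behind a RST-sending device returns "closed" at once; that immediate failure is what a telnet-first, SSH-fallback collector needs in order to move on to the next method.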
