Mailing List Archive

Rancid 3.10 and ASA 9.14 failing?
I'm on 3.10 and just upgraded a Cisco 5516 ASA to 9.14, and it will not pull from rancid giving this error:

HIT COMMAND:XXXXX-ASA1# show running-config
In WriteTerm: XXXXX-ASA1# show running-config
HIT COMMAND:XXXXX-ASA1# write term
In WriteTerm: XXXXX-ASA1# write term
xxxxx-asa1.etsbcad.local: missed cmd(s): show redundancy secondary, show flash:, show running-config view full

Another otherwise identically configured ASA on 9.9(2) works fine.

All three of these commands work the same on 9.2 as on 9.14 (i.e. first and third do not exist, and show flash works). So it's something more subtle.

I've reviewed the release notes for 3.11 and didn't see anything that may apply; I am a bit reluctant to upgrade as I have a lot of changes to scripts to retrofit and upgrading is a pretty big job.

It's also remotely possible I broke this in one of my changes; again, a bit painful to back all changes out to tell.

So... please save me a bit of time... is anyone using ASA version 9.14 with Rancid? Does it work, or fail the same way? Knowing either one will save me a lot of time.

Thanks,
Linwood
Re: Rancid 3.10 and ASA 9.14 failing? [ In reply to ]
I spun up an ASAv 9.14.1 with a brand new rancid 3.10 install and had no
issues. I assume you know about making sure you run 'no aaa authentication
login-history' as that's needed for 9.9 as well. I can't remember if Cisco
added that banner prompt in 9.2.

Regards,
Ryan

Re: Rancid 3.10 and ASA 9.14 failing? [ In reply to ]
My apologies, I think I missed this one. Thank you for testing.

Why is "no aaa authentication login-history" needed? I've tried it both ways and it still works. While I think it's pretty moot from a practical standpoint, most security auditors will complain if it's off.



Re: Rancid 3.10 and ASA 9.14 failing? [ In reply to ]
Maybe there's an option or a patch I'm missing but I've noticed if I have
that on, rancid fails to back up because it messes with the first line it
expects when it logs in.

Regards,
Ryan

Re: Rancid 3.10 and ASA 9.14 failing? [ In reply to ]
That may be something I fixed; frankly, I've lost track of all the little things like that I've patched. That's one reason that upgrades are so hard; I have to do a lot of differences each time. I need to investigate where it is with GitHub; maybe I can do a more managed version. When I started I do not think it was possible.

But thanks for the reminder; now when I see that piece of code next upgrade I may recognize it.


Re: Rancid 3.10 and ASA 9.14 failing? [ In reply to ]
Mon, May 04, 2020 at 06:23:32PM -0500, Ryan Gelobter:
> Maybe there's an option or a patch I'm missing but I've noticed if I have
> that on, rancid fails to backup because it messes with the first line it
> expects when it logs in.

I think this is what you're looking for, also in rancid 3.8:
https://github.com/haussli/rancid/commit/8c42b459807713226c5bc89a0038a77a778ebc69

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss@www.shrubbery.net
https://www.shrubbery.net/mailman/listinfo/rancid-discuss