cvicente / Netdot

Network Documentation Tool


SSH connection to ASA for ARP collection no longer works ("prompt does not match")

candlerb opened this issue · comments

ERROR: Device::CLI::_get_arp_from_cli: wrn-asa1.int.example.net: login failed to remote host - prompt does not match at /usr/share/perl5/Net/Appliance/Session/Transport.pm line 78.

But if I log in manually, the prompt is a simple one which looks like it should match the generic prompt in /usr/share/perl5/Net/CLI/Interact/phrasebook/cisco/pb

netdot@wrn-asa1.int.example.net's password:
Type help or '?' for a list of available commands.
wrn-asa1# 

Unfortunately the error message doesn't show what text it was trying to match against the prompt.

Configuration in Site.conf is:

DEVICE_CLI_CREDENTIALS  => [
    {   pattern     => '.*',
        login       => 'netdot',
        password    => '<snip>',
        privileged  => '<snip>',
        transport   => 'SSH',
        timeout     => '30',
    },
],

System has libnet-appliance-session-perl 4.131260-1

root@netdot:~# ls -l /usr/share/perl5/Net/Appliance/Session/Transport.pm
-rw-r--r-- 1 root root 3493 May  6  2013 /usr/share/perl5/Net/Appliance/Session/Transport.pm

This used to work a while ago. Possible differences now are: (1) ASAs are now running firmware 9.1 and 9.6; (2) I may have done an "apt-get dist-upgrade" at some point.

Uncommenting $s->set_global_log_at('debug'); in Netdot/Model/Device/CLI.pm, and running with --debug, gives:

[   0.092911] du   SEEN:
Warning: Permanently added 'wrn-asa1.int.example.net' (RSA) to the list of known hosts.
netdot@wrn-asa1.int.example.net's password:
[   0.093125] pr   nope, doesn't (yet) match generic
[   0.093278] pr   nope, doesn't (yet) match prompt
[   0.093406] pr   nope, doesn't (yet) match err_string
[   0.093521] pr   nope, doesn't (yet) match user
[   0.093648] pr  hit, matches prompt pass
[   0.094064] pr  prompt has been set to (?^:[Pp]assword: ?$)
[   0.095765] pr output matching prompt was "netdot@wrn-asa1.int.example.net's password: "
[   0.095959] di  trimmed command response:
Warning: Permanently added 'wrn-asa1.int.example.net' (RSA) to the list of known hosts.
[   0.097335] pr finding prompt
[   0.097545] du   SEEN:

[   0.097770] pr   nope, doesn't (yet) match generic
[   0.097933] pr   nope, doesn't (yet) match prompt
[   0.098084] pr   nope, doesn't (yet) match err_string
[   0.098254] pr   nope, doesn't (yet) match user
[   0.098412] pr   nope, doesn't (yet) match pass
[   0.098561] pr   nope, doesn't (yet) match configure
[   0.098711] pr   nope, doesn't (yet) match basic
[   0.098897] pr   nope, doesn't (yet) match privileged
[   0.099080] pr   no match so far, more data?
[   0.113154] du   SEEN:

Type help or '?' for a list of available commands.
[   0.113495] pr   nope, doesn't (yet) match generic
[   0.113651] pr   nope, doesn't (yet) match prompt
[   0.113833] pr  hit, matches prompt err_string
[   0.114005] pr  prompt has been set to (?^:(?:Type help|(?:Error|ERROR|Usage|usage):|not allowed))
[   0.114327] pr output matching prompt was "Type help or '?' for a list of available commands."
[   0.114485] di  trimmed command response:
ERROR: Device::CLI::_get_arp_from_cli: wrn-asa1.int.example.net: login failed to remote host - prompt does not match at /usr/share/perl5/Net/Appliance/Session/Transport.pm line 78.

That "Type help..." pattern match comes from /usr/share/perl5/Net/CLI/Interact/phrasebook/cisco/pixos/pb

Corrupting this file, e.g. by changing Type to Xype, makes it work again. Sheesh!

To finish off the analysis.

The problem is that it's using phrasebook/cisco/pixos/pb, which treats the "Type help..." message as part of prompt_err and fails to log in.

Newer versions of Net::CLI::Interact have phrasebook/cisco/asa/pb, added on 4 Oct 2017

My Netdot server is on Ubuntu 14.04 and has libnet-cli-interact-perl 2.133420-1 (a version which is not tagged in the git repo; I guess it's an old SVN revision)

Ubuntu 18.04 has 2.300002-1 which was tagged on 14 Oct 2017, and is the current code apart from a couple of subsequent commits.

So if Netdot could be made to run on 18.04, this problem would go away.

Closing this ticket because it's a problem external to Netdot, but hopefully the solution here might be useful to someone.
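
The failure in the debug log above can be reproduced offline with the following added example, which is not code from Netdot or Net::CLI::Interact. It is a simplified first-hit-wins model of the prompt search: the `err_string` and `pass` regexes are the ones printed in the log, while the `generic` regex, the chunk boundaries and the `find_prompt` helper are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed replay of what the ASA sends after the password, split into
# chunks roughly as the "SEEN:" lines in the debug log show them arriving.
my @chunks = (
    "\n",
    "Type help or '?' for a list of available commands.\n",
    "wrn-asa1# ",
);

# pass and err_string are the regexes printed in the debug log.
# generic is an ASSUMED stand-in for the phrasebook's generic prompt.
my $generic      = qr/[\w.-]+[#>] ?$/;
my $pass         = qr/[Pp]assword: ?$/;
my $err_pixos    = qr/(?:Type help|(?:Error|ERROR|Usage|usage):|not allowed)/;
# Hypothetical variant: the same pattern without the banner alternative.
my $err_nobanner = qr/(?:(?:Error|ERROR|Usage|usage):|not allowed)/;

# Simplified model (assumption): after each chunk, try the named prompts in
# order against everything seen so far; the first one that matches wins.
sub find_prompt {
    my ($prompts, @chunks) = @_;
    my $seen = '';
    for my $chunk (@chunks) {
        $seen .= $chunk;
        for my $p (@$prompts) {
            my ($name, $re) = @$p;
            return ($name, $re) if $seen =~ $re;
        }
    }
    return ('none', undef);
}

for my $case (['pixos err_string', $err_pixos],
              ['without "Type help"', $err_nobanner]) {
    my ($label, $err) = @$case;
    my @prompts = ([generic => $generic], [err_string => $err], [pass => $pass]);
    my ($name, $re) = find_prompt(\@prompts, @chunks);
    printf "%-20s -> settled on %-10s %s\n", $label, $name, $re // '';
    # In this model a login counts as successful only if the search settles
    # on the device prompt rather than on an error pattern.
    print "    login ", ($name eq 'generic' ? "ok" : "fails: prompt does not match"), "\n";
}
```

Because the banner line arrives before `wrn-asa1# ` and the pixos `err_string` is unanchored, the search stops on the banner and never sees the real prompt; with the banner alternative removed, nothing matches until the prompt itself arrives.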