search

CiscoTestAutomation / genieparser

sub-component of Genie that parse the device output into structured datastructure
Apache License 2.0
253 stars 388 forks source link

ShowCryptoIpsecProfile parser failure #893

Closed woytek92 closed 1 month ago

woytek92 commented 2 months ago

Hello, I've tried to parse output from the "show crypto ipsec profile" command but unfortunately parser is not working. Could you please take a look on it?

It was tested on Cisco IOS XE Software, Version 16.09.05

My code:

from nornir import InitNornir
from nornir_scrapli.tasks import send_command
from nornir_utils.plugins.functions import print_result
import ipdb
import logging

nr = InitNornir(config_file="config.yaml")

logging.basicConfig(filename="logs.txt", level=logging.DEBUG)

def responder_only(task):

crypto_profile_list = task.run(task=send_command, command="show crypto ipsec profile") 
task.host["facts"] = crypto_profile_list.scrapli_response.genie_parse_output()

results = nr.run(task=responder_only)

print_result(results)
ipdb.set_trace()

Debug output: DEBUG:scrapli.channel:read: b'IPSEC profile DCCRT1012-IPSEC-PROFILE\n\tIKEv2 Profile: DCCRT1012-IKEv2-PROFILE\n\tSecurity association lifetime: 102400000 kilobytes/27000 seconds\n\tResponder-Only (Y/N): Y\n\tPFS (Y/N): N\n\tMixed-mode : Disabled\n\tTransform sets={ \n\t\tRSITE-ipsec-proposal-set: { esp-gcm 256 } , \n\t}\n\nIPSEC profile FRCRT1012-IPSEC-PROFILE\n\tIKEv2 Profile: FRCRT1012-IKEv2-PROFILE\n\tSecurity association lifetime: 102400000 kilobytes/27000 seconds\n\tResponder-Only (Y/N): Y\n\tPFS (Y/N): N\n\tMixed-mode : Disabled\n\tTransform sets={ \n\t\tRSITE-ipsec-proposal-set: { esp-gcm 256 } , \n\t}\n\nIPSEC profile default\n\tSecurity association lifetime: 4608000 kilobytes/3600 seconds\n\tResponder-Only (Y/N): N\n\tPFS (Y/N): N\n\tMixed-mode : Disabled\n\tTransform sets={ \n\t\tdefault: { esp-aes esp-sha-hmac } , \n\t}\n\nWARRT9102#' WARNING:scrapli:failed to parse data with genie, genie raised exception: local variable 'profile_name_dict' referenced before assignment

Raw output:

WARRT9102#show crypto ipsec profile IPSEC profile DCCRT1012-IPSEC-PROFILE IKEv2 Profile: DCCRT1012-IKEv2-PROFILE Security association lifetime: 102400000 kilobytes/27000 seconds Responder-Only (Y/N): Y PFS (Y/N): N Mixed-mode : Disabled Transform sets={ RSITE-ipsec-proposal-set: { esp-gcm 256 } , }

IPSEC profile FRCRT1012-IPSEC-PROFILE IKEv2 Profile: FRCRT1012-IKEv2-PROFILE Security association lifetime: 102400000 kilobytes/27000 seconds Responder-Only (Y/N): Y PFS (Y/N): N Mixed-mode : Disabled Transform sets={ RSITE-ipsec-proposal-set: { esp-gcm 256 } , }

IPSEC profile default Security association lifetime: 4608000 kilobytes/3600 seconds Responder-Only (Y/N): N PFS (Y/N): N Mixed-mode : Disabled Transform sets={ default: { esp-aes esp-sha-hmac } , }

SohanTirpude commented 2 months ago

Hello @woytek92,

I was able to find the cause of this issue and found the solution as well. With the solution, the output now looks like this:

{
    "ipsec_profile_name": {
        "DCCRT1012-IPSEC-PROFILE": {
            "security_association_lifetime": "102400000 kilobytes/27000 seconds",
            "responder_only": "Y",
            "psf": "N",
            "mixed_mode": "Disabled",
            "tranform_sets": {
                "RSITE-ipsec-proposal-set": {
                    "transform_set_name": "esp-gcm",
                    "transform_set_method": "256"
                }
            }
        },
        "FRCRT1012-IPSEC-PROFILE": {
            "security_association_lifetime": "102400000 kilobytes/27000 seconds",
            "responder_only": "Y",
            "psf": "N",
            "mixed_mode": "Disabled",
            "tranform_sets": {
                "RSITE-ipsec-proposal-set": {
                    "transform_set_name": "esp-gcm",
                    "transform_set_method": "256"
                }
            }
        },
        "default": {
            "security_association_lifetime": "4608000 kilobytes/3600 seconds",
            "responder_only": "N",
            "psf": "N",
            "mixed_mode": "Disabled",
            "tranform_sets": {
                "default": {
                    "transform_set_name": "esp-aes",
                    "transform_set_method": "esp-sha-hmac"
                }
            }
        }
    }
}

Kindly check and confirm if everything looks correct.

Thank you.

woytek92 commented 2 months ago

Hello @SohanTirpude,

Thank you for finding a solution. I confirm the output looks correct.

SohanTirpude commented 2 months ago

Hello @woytek92,

Thank you for the confirmation. I will try to merge the PR as soon as possible. Once it is merged, I will update you back.

Thank you.

woytek92 commented 1 month ago

Hello @SohanTirpude,

Could you please provide me the solution for this case? I have some activities planned for this week, and having the parser up and running would be incredibly helpful for my progress.

SohanTirpude commented 1 month ago

Hello @woytek92,

You have to update ShowCryptoIpsecProfile available in this path: src/genie/libs/parser/iosxe/show_crypto.py. You have to update regex p1 with this pattern ^IPSEC profile\s*(?P<profile_name>[\w\-]+)$ and regex p8 with this pattern ^(?P<transforset>[\w\-]+)\s*:\s*{\s*(?P<transform_set_name>[\w-]+)\s+(?P<transform_set_method>[\w-]+)\s*}\s*,$.

Kindly do so and let me know if you have any other questions.

Also, the PR got merged so the fix will be available in the upcoming pyats 24.10 version, hence I will be closing this ticket for now. If you have any questions, kindly let me know.

Thank you.