napalm-automation / napalm-ios

Apache License 2.0

Unable to open connection with Cisco ASA #45

Closed mirceaulinic closed 7 years ago

mirceaulinic commented 7 years ago

Description of Issue

I'm trying to open the connection with a Cisco ASA device.

napalm-ios version

$  pip freeze | grep napalm-ios
napalm-ios==0.2.0

netmiko version

$ pip freeze | grep netmiko
netmiko==1.0.0

IOS version and platform details

vpn-sfo01# sh ver

Cisco Adaptive Security Appliance Software Version 9.6(1)
Device Manager Version 7.6(1)

Compiled on Fri 18-Mar-16 14:08 PDT by builders
System image file is "disk0:/asa961-smp-k8.bin"
Config file at boot was "startup-config"

Error Traceback

>>> e.open()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/salt/virtualenv/lib/python2.7/site-packages/napalm_ios/ios.py", line 67, in open
    self.dest_file_system = self.device._autodetect_fs()
  File "/usr/local/salt/virtualenv/lib/python2.7/site-packages/netmiko/cisco_base_connection.py", line 57, in _autodetect_fs
    output = self.send_command_expect(cmd)
  File "/usr/local/salt/virtualenv/lib/python2.7/site-packages/netmiko/base_connection.py", line 653, in send_command_expect
    return self.send_command(*args, **kwargs)
  File "/usr/local/salt/virtualenv/lib/python2.7/site-packages/netmiko/base_connection.py", line 645, in send_command
    search_pattern))
IOError: Search pattern never detected in send_command_expect: vpn\-sfo01\#

Looks like it does not like a hostname containing a hyphen?

Also, it would probably be good in the close method to check if the connection has been established before trying to close:

>>> e.close()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/salt/virtualenv/lib/python2.7/site-packages/napalm_ios/ios.py", line 74, in close
    self.device.disconnect()
  File "/usr/local/salt/virtualenv/lib/python2.7/site-packages/netmiko/base_connection.py", line 857, in disconnect
    self.cleanup()
  File "/usr/local/salt/virtualenv/lib/python2.7/site-packages/netmiko/cisco_base_connection.py", line 52, in cleanup
    self.exit_config_mode()
  File "/usr/local/salt/virtualenv/lib/python2.7/site-packages/netmiko/cisco_base_connection.py", line 48, in exit_config_mode
    pattern=pattern)
  File "/usr/local/salt/virtualenv/lib/python2.7/site-packages/netmiko/base_connection.py", line 749, in exit_config_mode
    if self.check_config_mode():
  File "/usr/local/salt/virtualenv/lib/python2.7/site-packages/netmiko/cisco_base_connection.py", line 30, in check_config_mode
    pattern=pattern)
  File "/usr/local/salt/virtualenv/lib/python2.7/site-packages/netmiko/base_connection.py", line 730, in check_config_mode
    output = self.read_until_pattern(pattern=pattern)
  File "/usr/local/salt/virtualenv/lib/python2.7/site-packages/netmiko/base_connection.py", line 191, in read_until_pattern
    return self._read_channel_expect(*args, **kwargs)
  File "/usr/local/salt/virtualenv/lib/python2.7/site-packages/netmiko/base_connection.py", line 144, in _read_channel_expect
    raise NetMikoTimeoutException("Timed-out reading channel, data not available.")
netmiko.ssh_exception.NetMikoTimeoutException: Timed-out reading channel, data not available.

mirceaulinic commented 7 years ago

I think the problem is actually after establishing the connection: it executes dir.

But the result of this command is not as expected:

vpn-sfo01# dir

Directory of disk0:/

11     drwx  4096         07:01:42 Apr 21 2016  log
22     drwx  4096         20:57:38 Jul 08 2014  crypto_archive
23     drwx  4096         09:16:20 Jun 11 2014  coredumpinfo
158    -rwx  38191104     09:18:26 Jun 11 2014  asa912-smp-k8.bin
159    -rwx  18097844     09:19:54 Jun 11 2014  asdm-713.bin

... many other files ...

175    -rwx  38676        09:25:52 Dec 04 2015  20151204.conf
176    -rwx  12131504     14:01:06 Oct 07 2015  anyconnect-linux-3.1.11004-k9.pkg
<--- More --->

My understanding is that the <--- More ---> block is not handled under the send_command method in netmiko's BaseConnection class.
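
A simplified model of the failure described in the comment above, added here as an example (it is not code from netmiko or napalm-ios). FakePagedChannel, read_until_prompt and run are hypothetical names, and the listing is a shortened, constructed sample. The reader waits for the prompt pattern from the traceback; with paging on, the device stops at the pager, so the prompt never arrives unless the reader answers the pager.

```python
import re

PAGER = "<--- More --->"                      # pager marker from the dir output above
PROMPT = re.compile(re.escape("vpn-sfo01#"))  # same pattern as in the IOError message

# Constructed sample: a shortened version of the dir listing in the comment.
DIR_LINES = [
    "Directory of disk0:/",
    "11     drwx  4096         07:01:42 Apr 21 2016  log",
    "158    -rwx  38191104     09:18:26 Jun 11 2014  asa912-smp-k8.bin",
    "175    -rwx  38676        09:25:52 Dec 04 2015  20151204.conf",
]


class FakePagedChannel:
    """Hypothetical stand-in for an SSH channel to a device with paging on."""

    def __init__(self, lines, page_size):
        self.pages = [lines[i:i + page_size] for i in range(0, len(lines), page_size)]
        self.blocked = False

    def read(self):
        if self.blocked or not self.pages:
            return ""                         # device is waiting for a keypress
        page = self.pages.pop(0)
        self.blocked = bool(self.pages)       # more pages left: stop at the pager
        return "\n".join(page) + "\n" + (PAGER if self.blocked else "vpn-sfo01# ")

    def write(self, data):
        if data == " ":
            self.blocked = False              # space releases the next page


def read_until_prompt(channel, handle_pager, max_reads=20):
    output = ""
    for _ in range(max_reads):                # bounded loop stands in for a timeout
        output += channel.read()
        if PROMPT.search(output):
            return output.replace(PAGER, "")
        if handle_pager and output.endswith(PAGER):
            channel.write(" ")
    raise IOError("Search pattern never detected: " + PROMPT.pattern)


def run(handle_pager):
    channel = FakePagedChannel(DIR_LINES, page_size=2)
    try:
        return read_until_prompt(channel, handle_pager)
    except IOError as exc:
        return "timeout: " + str(exc)
```

run(False) ends in the same "Search pattern never detected" error as the traceback, while run(True) returns the full listing followed by the prompt.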

mirceaulinic commented 7 years ago

Netmiko should probably send terminal pager 0 before anything else. What do you think @ktbyers?

dbarrosop commented 7 years ago

An ASA? I don't think it's even supported. ASA doesn't run IOS, does it? Haven't seen one of those since version 7.

mirceaulinic commented 7 years ago

@dbarrosop According to netmiko's readme, ASA is in the "Regularly tested" list.

dbarrosop commented 7 years ago

Yeah, but that's just transport. napalm-ios might be doing something IOS specific when opening the connection or the way configuration is loaded might be completely different. Honestly, I don't know : )

mirceaulinic commented 7 years ago

I am not sure either, but they are all using netmiko and it's just scraping the CLI at the end of the day. There may be differences in terms of commands executed inside napalm's methods - I don't know, it is the very first time I try to use these boxes :D

ktbyers commented 7 years ago

Yes, ASA does not run Cisco IOS so Netmiko supports ASA, but napalm-ios does not support the ASA.

If you want to use Netmiko on an ASA, you need to use the 'cisco_asa' device_type.

Note, ASA does not have any "configure replace" operation and I would expect many/most of the getters would not work.

You could try a proof-of-concept on the ASA (and see what happens) if you replace the device_type argument to the ConnectHandler in the NAPALM with 'cisco_asa'.

mirceaulinic commented 7 years ago

Thanks for clarifying this @ktbyers!

Would it make sense to you to have an optional argument in napalm-ios to specify the device type?

dbarrosop commented 7 years ago

I would hack it locally to test first, I agree with @ktbyers in that most of the code is probably not gonna work with ASA so a napalm-asa might be needed.

mirceaulinic commented 7 years ago

Oh right

I would expect many/most of the getters would not work

I did not see the "not"

ktbyers commented 7 years ago

@dbarrosop Yes, I haven't seen a reasonable way to achieve the NAPALM config operations (particularly replace). I know Patrick Ogenstad did some work on newer ASA OS, but I don't think I ever saw a solution that looked reasonable.

mirceaulinic commented 7 years ago

get_ntp_stats and ping are the only methods that worked :)

I see that it fails when executing the commands:

>>> e.get_interfaces()
executing: show ip interface brief
received:
received: show ip interface brief
                   ^
ERROR: % Invalid input detected at '^' marker.

I will check if the getters would work if we'd use the appropriate command.

mirceaulinic commented 7 years ago

I will check if the getters would work if we'd use the appropriate command.

Nope :)

mirceaulinic commented 7 years ago

Closing this issue, apologies for the false alarm. FTM hacking the local napalm-ios version to use the cisco_asa parameter is enough for what I need.

Thanks for your help @dbarrosop and @ktbyers!

ktbyers commented 7 years ago

Yes, ASA is a pretty different beast from IOS so even commands for getters would probably/possibly be different (in addition to the output).