networktocode / ntc-templates

TextFSM templates for parsing show commands of network devices
https://ntc-templates.readthedocs.io/

cisco_asa_show_crypto_ipsec_sa.textfsm regex not capturing all data #785

Closed tom0010 closed 2 weeks ago

tom0010 commented 4 years ago
ISSUE TYPE
TEMPLATE USING
Value Filldown INTERFACE (\S+)
Value Filldown CRYPTO_MAP_TAG (\S+)
Value Filldown SEQUENCE_NUMBER (\d+)
Value Filldown LOCAL_ADDRESS (\d+\.\d+\.\d+\.\d+)
Value Filldown LOCAL_ADDRESS_NAME (\S+)
Value LOCAL_IDENTITY_ADDR (\d+\.\d+\.\d+\.\d+)
Value LOCAL_IDENTITY_MASK (\d+\.\d+\.\d+\.\d+)
Value LOCAL_IDENTITY_PROTOCOL (\d+)
Value LOCAL_IDENTITY_PORT (\d+)
Value REMOTE_IDENTITY_ADDR (\d+\.\d+\.\d+\.\d+)
Value REMOTE_IDENTITY_MASK (\d+\.\d+\.\d+\.\d+)
Value REMOTE_IDENTITY_PROTOCOL (\d+)
Value REMOTE_IDENTITY_PORT (\d+)
Value CURRENT_PEER (\d+\.\d+\.\d+\.\d+)
Value DYNAMIC_PEER (\d+\.\d+\.\d+\.\d+)
Value CURRENT_PEER_NAME (\S+)
Value DYNAMIC_PEER_NAME (\S+)
Value PACKETS_ENCAPSULATED (\d+)
Value PACKETS_ENCRYPTED (\d+)
Value PACKETS_DIGESTED (\d+)
Value PACKETS_DECAPSULATED (\d+)
Value PACKETS_DECRYPTED (\d+)
Value PACKETS_VERIFIED (\d+)
Value PACKETS_COMPRESSED (\d+)
Value PACKETS_DECOMPRESSED (\d+)
Value PACKETS_NOT_COMPRESSED (\d+)
Value PACKETS_COMPRESS_FAILED (\d+)
Value PACKETS_DECOMPRESS_FAILED (\d+)
Value PRE_FRAGMENT_SUCCESS (\d+)
Value PRE_FRAGMENT_FAILURES (\d+)
Value FRAGMENTS_CREATED (\d+)
Value PMTUS_SENT (\d+)
Value PMTUS_RECEIVED (\d+)
Value DECAP_FRAGS_NEEDING_REASSEMBLY (\d+)
Value SEND_ERRORS (\d+)
Value RECEIVE_ERRORS (\d+)
Value LOCAL_CRYPTO_ENDPOINT (\d+\.\d+\.\d+\.\d+)
Value REMOTE_CRYPTO_ENDPOINT (\d+\.\d+\.\d+\.\d+)
Value LOCAL_CRYPTO_ENDPOINT_NAME (\S+)
Value REMOTE_CRYPTO_ENDPOINT_NAME (\S+)
Value PATH_MTU (\d+)
Value IPSEC_OVERHEAD (\d+)
Value MEDIA_MTU (\d+)
Value CURRENT_INBOUND_SPI (\w+)
Value CURRENT_OUTBOUND_SPI (\w+)
Value INBOUND_SPI_HEX (\w+)
Value INBOUND_SPI_INTEGER (\d+)
Value INBOUND_ENCRYPTION (\S+)
Value INBOUND_AUTHENTICATION (\S+)
Value INBOUND_SETTINGS_IN_USE (.*)
Value INBOUND_SLOT (\d+)
Value INBOUND_CONNECTION_ID (\d+)
Value INBOUND_CRYPTO_MAP (\S+)
Value INBOUND_REMAINING_LIFETIME (\d+)
Value INBOUND_REMAINING_LIFETIME_KILOBYTES (\d+)
Value INBOUND_IV_SIZE (\d+\s+\w+)
Value INBOUND_REPLAY_DETECTION (\w+)
Value OUTBOUND_SPI_HEX (\w+)
Value OUTBOUND_SPI_INTEGER (\d+)
Value OUTBOUND_ENCRYPTION (\S+)
Value OUTBOUND_AUTHENTICATION (\S+)
Value OUTBOUND_SETTINGS_IN_USE (.*)
Value OUTBOUND_SLOT (\d+)
Value OUTBOUND_CONNECTION_ID (\d+)
Value OUTBOUND_CRYPTO_MAP (\S+)
Value OUTBOUND_REMAINING_LIFETIME (\d+)
Value OUTBOUND_REMAINING_LIFETIME_KILOBYTES (\d+)
Value OUTBOUND_IV_SIZE (\d+\s+\w+)
Value OUTBOUND_REPLAY_DETECTION (\w+)

Start
  ^interface:\s+${INTERFACE}\s*
  ^\s+Crypto map tag:\s+${CRYPTO_MAP_TAG},\s+local addr:\s+(?:${LOCAL_ADDRESS}|${LOCAL_ADDRESS_NAME})\s*
  ^\s+Crypto map tag:\s+${CRYPTO_MAP_TAG}, seq num:\s+${SEQUENCE_NUMBER},\s+local addr:\s+(?:${LOCAL_ADDRESS}|${LOCAL_ADDRESS_NAME})\s*
  ^\s+local\s+ident\s+\(addr\/mask\/prot\/port\):\s+\(${LOCAL_IDENTITY_ADDR}\/${LOCAL_IDENTITY_MASK}\/${LOCAL_IDENTITY_PROTOCOL}\/${LOCAL_IDENTITY_PORT}\)\s*
  ^\s+remote\s+ident\s+\(addr/mask/prot/port\):\s+\(${REMOTE_IDENTITY_ADDR}\/${REMOTE_IDENTITY_MASK}\/${REMOTE_IDENTITY_PROTOCOL}\/${REMOTE_IDENTITY_PORT}\)\s*
  ^\s+current_peer:\s+(?:${CURRENT_PEER}|${CURRENT_PEER_NAME})\s*
  ^\s+dynamic\s+allocated\s+peer\s+ip:\s+(?:${DYNAMIC_PEER}|${DYNAMIC_PEER_NAME})\s*
  ^\s+#pkts\s+encaps:\s+${PACKETS_ENCAPSULATED},\s+#pkts\s+encrypt:\s+${PACKETS_ENCRYPTED},\s+#pkts\s+digest:\s+${PACKETS_DIGESTED}\s*
  ^\s+#pkts\s+decaps:\s+${PACKETS_DECAPSULATED},\s+#pkts\s+decrypt:\s+${PACKETS_DECRYPTED},\s+#pkts\s+verify:\s+${PACKETS_VERIFIED}\s*
  ^\s+#pkts\s+compressed:\s+${PACKETS_COMPRESSED},\s+#pkts\s+decompressed:\s+${PACKETS_DECOMPRESSED}\s*
  ^\s+#pkts\s+not\s+compressed:\s+${PACKETS_NOT_COMPRESSED},\s+#pkts\s+comp\s+failed:\s+${PACKETS_COMPRESS_FAILED},\s+#pkts\s+decomp\s+failed:\s+${PACKETS_DECOMPRESS_FAILED}\s*
  ^\s+#pre-frag\s+successes:\s+${PRE_FRAGMENT_SUCCESS},\s+#pre-frag\s+failures:\s+${PRE_FRAGMENT_FAILURES},\s+#fragments\s+created:\s+${FRAGMENTS_CREATED}\s*
  ^\s+#PMTUs\s+sent:\s+${PMTUS_SENT},\s+#PMTUs\s+rcvd:\s+${PMTUS_RECEIVED},\s+#decapsulated\s+fra?gs\s+needing\s+reassembly:\s+${DECAP_FRAGS_NEEDING_REASSEMBLY}\s*
  ^\s+#send\s+errors:\s+${SEND_ERRORS},\s+#recv\s+errors:\s+${RECEIVE_ERRORS}\s*
  ^\s+local\s+crypto\s+endpt\.:\s+${LOCAL_CRYPTO_ENDPOINT},\s+remote\s+crypto\s+endpt\.:\s+${REMOTE_CRYPTO_ENDPOINT}\s*
  ^\s+local\s+crypto\s+endpt\.:\s+(?:${LOCAL_CRYPTO_ENDPOINT}|${LOCAL_CRYPTO_ENDPOINT_NAME})(\/\d+),\s+remote\s+crypto\s+endpt\.:\s+(?:${REMOTE_CRYPTO_ENDPOINT}|${REMOTE_CRYPTO_ENDPOINT_NAME})(\/\d+)\s*
  ^\s+path\s+mtu\s+${PATH_MTU},\s+ipsec\s+overhead\s+${IPSEC_OVERHEAD}(\(\d+\))?,\s+media\s+mtu\s+${MEDIA_MTU}\s*
  ^\s+current\s+outbound\s+spi:\s+${CURRENT_OUTBOUND_SPI}\s*
  ^\s+current\s+inbound\s+spi\s+:\s+${CURRENT_INBOUND_SPI}\s*
  ^\s+inbound\s+esp\s+sas:\s* -> Inbound
  ^\s+outbound\s+esp\s+sas:\s* -> Outbound

Inbound
  ^\s+spi:\s+${INBOUND_SPI_HEX}\s+\(${INBOUND_SPI_INTEGER}\)\s*
  ^\s+transform:\s+${INBOUND_ENCRYPTION}\s+${INBOUND_AUTHENTICATION}\s*
  ^\s+in\s+use\s+settings\s+=\{${INBOUND_SETTINGS_IN_USE},\s+\}\s*
  ^\s+slot:\s+${INBOUND_SLOT},\s+conn_id:\s+${INBOUND_CONNECTION_ID},\s+crypto-map:\s+${INBOUND_CRYPTO_MAP}\s*
  ^\s+sa\s+timing:\s+remaining\s+key\s+lifetime\s+\(sec\):\s+${INBOUND_REMAINING_LIFETIME}\s*
  ^\s+sa\s+timing:\s+remaining\s+key\s+lifetime\s+\(kB\/sec\):\s+\(${INBOUND_REMAINING_LIFETIME_KILOBYTES}\/${INBOUND_REMAINING_LIFETIME}\)\s*
  ^\s+IV\s+size:\s+${INBOUND_IV_SIZE}\s*
  ^\s+replay\s+detection\s+support:\s+${INBOUND_REPLAY_DETECTION}\s* -> Start

Outbound
  ^\s+spi:\s+${OUTBOUND_SPI_HEX}\s+\(${OUTBOUND_SPI_INTEGER}\)\s*
  ^\s+transform:\s+${OUTBOUND_ENCRYPTION}\s+${OUTBOUND_AUTHENTICATION}\s*
  ^\s+in\s+use\s+settings\s+=\{${OUTBOUND_SETTINGS_IN_USE},\s+\}\s*
  ^\s+slot:\s+${OUTBOUND_SLOT},\s+conn_id:\s+${OUTBOUND_CONNECTION_ID},\s+crypto-map:\s+${OUTBOUND_CRYPTO_MAP}\s*
  ^\s+sa\s+timing:\s+remaining\s+key\s+lifetime\s+\(sec\):\s+${OUTBOUND_REMAINING_LIFETIME}\s*
  ^\s+sa\s+timing:\s+remaining\s+key\s+lifetime\s+\(kB\/sec\):\s+\(${OUTBOUND_REMAINING_LIFETIME_KILOBYTES}\/${OUTBOUND_REMAINING_LIFETIME}\)\s*
  ^\s+IV\s+size:\s+${OUTBOUND_IV_SIZE}\s*
  ^\s+replay\s+detection\s+support:\s+${OUTBOUND_REPLAY_DETECTION}\s* -> Record Start

EOF
SAMPLE COMMAND OUTPUT
show run crypto map
SUMMARY

With my ASA I have discovered an extra value being presented from the ASA when using show run crypto map:

my_asa# show ipsec sa peer 10.10.10.10
peer address: 10.10.10.10
    Crypto map tag: outside_map0, seq num: 126, local addr: 10.20.20.20

      access-list movius_prod_dc extended permit tcp host 10.12.12.12 eq 8100 host 10.13.13.13 
      local ident (addr/mask/prot/port): (10.12.12.12/255.255.255.255/6/8100)
      remote ident (addr/mask/prot/port): (10.13.13.13/255.255.255.255/6/0 - 65535)

Offending line: remote ident (addr/mask/prot/port): (10.13.13.13/255.255.255.255/6/0 - 65535)

Regex doesn't match: ^\s+remote\s+ident\s+\(addr/mask/prot/port\):\s+\(${REMOTE_IDENTITY_ADDR}\/${REMOTE_IDENTITY_MASK}\/${REMOTE_IDENTITY_PROTOCOL}\/${REMOTE_IDENTITY_PORT}\)\s*

Template is expecting a ) after ${REMOTE_IDENTITY_PORT}, which doesn't exist in my output above.

STEPS TO REPRODUCE
from pprint import pprint

import netdev
import textfsm


async def ipsec_data(device):
    async with netdev.create(**device) as asa:
        command = "show crypto ipsec sa"
        template = "ntc-templates/templates/cisco_asa_show_crypto_ipsec_sa.textfsm"
        output = await asa.send_command(command, strip_command=True)
        with open(template, "r") as f:
            template = textfsm.TextFSM(f)
        data = template.ParseText(output)
        # Positions follow the Value order in the template: 9/10 are
        # REMOTE_IDENTITY_ADDR/MASK and 13 is CURRENT_PEER.
        for x in data:
            if x[13] == "10.13.13.13":
                print(f"peer:{x[13]} Encryption Domain:{x[9]}/{x[10]}\n")
                pprint(x)
                print('\n')
EXPECTED RESULTS
peer:10.10.10.10 ED:10.13.13.13/255.255.255.255

['outside',
 'outside_map0',
 '126',
 '10.20.20.20',
 '',
 '10.12.12.12',
 '255.255.255.255',
 '6',
 '8100',
 '10.13.13.13',
 '255.255.255.255',
 '6',
 '0',
 '10.20.20.20',

OMITTED***...

']
ACTUAL RESULTS
peer:10.10.10.10 ED:/

['outside',
 'outside_map0',
 '126',
 '10.20.20.20',
 '',
 '10.12.12.12',
 '255.255.255.255',
 '6',
 '8100',
 '',
 '',
 '',
 '',
 '10.10.10.10',
 '',
 '',
 '',
WORKAROUND

Removing \) works:

^\s+remote\s+ident\s+\(addr/mask/prot/port\):\s+\(${REMOTE_IDENTITY_ADDR}\/${REMOTE_IDENTITY_MASK}\/${REMOTE_IDENTITY_PROTOCOL}\/${REMOTE_IDENTITY_PORT}\s*

itdependsnetworks commented 3 years ago

Should be able to change Value REMOTE_IDENTITY_PORT (\d+) -> Value REMOTE_IDENTITY_PORT (\d+|\d+ - \d+). Do you mind putting this fix in, as well as adding that data to the tests and submitting a PR?
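
As an added illustration (editor's example, not code from ntc-templates or from anyone in this thread): the script below mimics how TextFSM turns a rule into a regex, substituting each ${NAME} with a named group built from the Value regex, and then runs the "ident" rule over two constructed lines in the shapes shown in this issue. It compares the shipped (\d+) Value, the reporter's workaround of dropping the trailing \), and the (\d+|\d+ - \d+) alternation suggested above. The short Value names ADDR/MASK/PROT/PORT are stand-ins for the template's REMOTE_IDENTITY_* names, and the two sample lines are constructed for the example, not captured device output.

```python
import re

# Constructed sample lines in the two shapes reported in this issue:
# a single port and a "low - high" port range in the last field.
SINGLE_PORT_LINE = (
    "      local ident (addr/mask/prot/port): "
    "(10.12.12.12/255.255.255.255/6/8100)"
)
PORT_RANGE_LINE = (
    "      remote ident (addr/mask/prot/port): "
    "(10.13.13.13/255.255.255.255/6/0 - 65535)"
)

# Value regexes as shipped (stand-in names for the REMOTE_IDENTITY_* Values)
# and the same set with the alternation proposed in the thread.
VALUES = {
    "ADDR": r"(\d+\.\d+\.\d+\.\d+)",
    "MASK": r"(\d+\.\d+\.\d+\.\d+)",
    "PROT": r"(\d+)",
    "PORT": r"(\d+)",
}
VALUES_FIXED = dict(VALUES, PORT=r"(\d+|\d+ - \d+)")

# The rule line, written once for both "local" and "remote" ident lines.
RULE = (
    r"^\s+(?:local|remote)\s+ident\s+\(addr/mask/prot/port\):\s+"
    r"\(${ADDR}\/${MASK}\/${PROT}\/${PORT}\)\s*"
)
# The reporter's workaround: same Values, but the rule drops the closing "\)".
RULE_WORKAROUND = RULE.replace(r"\)\s*", r"\s*")


def compile_rule(rule, values):
    """Expand ${NAME} the way TextFSM does: the Value's leading "(" becomes
    a named group "(?P<NAME>", so the rule can be matched with plain re."""
    def to_named_group(match):
        name = match.group(1)
        return re.sub(r"^\(", "(?P<%s>" % name, values[name])

    return re.compile(re.sub(r"\$\{(\w+)\}", to_named_group, rule))


def capture_port(rule, values, line):
    """Return the PORT capture for one line, or None when the rule does not
    match at all (TextFSM would then leave the Value empty, as in the
    'actual results' above)."""
    m = compile_rule(rule, values).match(line)
    return m.group("PORT") if m else None


def compare(line):
    """What each variant of the rule records for a given line."""
    return {
        "original": capture_port(RULE, VALUES, line),
        "workaround": capture_port(RULE_WORKAROUND, VALUES, line),
        "proposed": capture_port(RULE, VALUES_FIXED, line),
    }


if __name__ == "__main__":
    for line in (SINGLE_PORT_LINE, PORT_RANGE_LINE):
        print(line.strip())
        for variant, port in compare(line).items():
            print(f"  {variant:<10} -> {port!r}")
```

Running it shows the difference between the two fixes: the workaround matches the range line but records only the lower bound, "0" (consistent with the '0' in the expected-results list above), whereas the alternation records the whole "0 - 65535" string while leaving single-port lines unchanged. The alternation works because the regex engine backtracks into the second branch once the closing \) fails after the first branch has consumed "0".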

mjbear commented 1 month ago

@tom0010 Are you still around and working with Cisco ASAs?

Based on the template, it doesn't look like this bug was fixed (yet).

From what I can see here, the ticket is placed against cisco_asa_show_crypto_ipsec_sa.textfsm, but the example output provided is from show ipsec sa peer X.X.X.X.

Please provide sanitized raw output from the cli for show crypto ipsec sa on a device exhibiting the bug you reported here.

If I have this raw output I can work up template changes. Thank you!

mjbear commented 3 weeks ago

From what I can see here, the ticket is placed against cisco_asa_show_crypto_ipsec_sa.textfsm, but the example output provided is from show ipsec sa peer X.X.X.X.

Before I responded I don't think I had looked at the index file. (Correction) The template you referenced is not used for ASA ipsec commands so the raw output provided is not directly usable for test data.

I'm taking a look at what changes need to be made (might just be the REMOTE_IDENTITY_PORT as Ken suggested).

jmcgill298 commented 2 weeks ago

Lack of response, considering this abandoned.