cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4165
Views
0
Helpful
10
Replies

Script to manage ASA AND PIX

rtjensen4
Level 4
Level 4

Hi all,

This may be a bit more suited for a Perl forum, but I figured I'd come straight to the Cisco GURUs here...

I'm looking for a way to manage both my PIX and ASAs via SSH with a single Perl scrpt.

ASAs running: 7.2(4) OR 7.2(3)

PIXs running: 6.3(5) OR 6.3(3)

I've done some forum surfing and found that Cisco recommends using the Net::Appliance::Session module to manage the PIXs via SSH and IOS via SSH, but that doesn't seem to work for the ASAs. Yes, it works well for the PIX, but when I do a debug on ASA this is what I get:

client version string:SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.2SSH2: begin server key generation

SSH2: complete server key generation, elapsed time = 550 ms

SSH2 2: SSH2_MSG_KEXINIT sent

SSH2 2: SSH2_MSG_KEXINIT received

SSH2: kex: client->server aes128-cbc hmac-md5 none

SSH2: kex: server->client aes128-cbc hmac-md5 none

SSH2 2: expecting SSH2_MSG_KEXDH_INIT

SSH2 2: SSH2_MSG_KEXDH_INIT received

SSH2 2: signature length 143

SSH2: kex_derive_keys complete

SSH2 2: newkeys: mode 1

SSH2 2: SSH2_MSG_NEWKEYS sent

SSH2 2: waiting for SSH2_MSG_NEWKEYS

SSH2 2: newkeys: mode 0

SSH2 2: SSH2_MSG_NEWKEYS receivedSSH(conn): user authen method is 'use AAA', aaa server group ID = 1

SSH(conn): user authen method is 'use AAA', aaa server group ID = 1

SSH2 2: authentication successful for conn

SSH2 2: channel open request

SSH2 2: pty-req request

SSH2 2: requested tty: xterm, height 0, width 0

SSH2 2: env request

SSH2 2: shell request

SSH2 2: shell message receivedSSH2: TCP read failed, error code = 0x86300003 "TCP connection closed"

SSH2: receive SSH message: [no message ID: variable *data is NULL]

SSH2: Session disconnected by SSH server - error 0x00 "Internal error"

Perl Output: Command response matched device error string at /usr/local/share/perl/5.8.8/Net/Appliance/Session/Transport.pm line 46

Looks like my PC and the firewall are exchanging keys, but there's an issue establishing the command shell.

I've tried using Net::SSH::Perl, but that method is rather klunky and a pain to adapt to different purposes. It involves generating different types of SSH packets depending on the prompt. In order to just login and pull the config, it's close to 100 lines of code. Anyone have any better options? Should I take this to TAC?

1 Accepted Solution

Accepted Solutions

Ugh, Linux. You couldn't have used a real OS like FreeBSD...

I think Linux comes with a program called strace that will trace the syscalls of a running process. You might try running your script using strace (strace -f to follow forks) to see exactly how it's executing ssh. This might give us a clue as to why it's failing.

View solution in original post

10 Replies 10

yjdabear
VIP Alumni
VIP Alumni

Is it the same result if you manually SSH to the ASA on the command line? What does "ssh -lxxxx -vvv username@asa-name" return?

Here is what Happens when I SSH from the my PC...

Cosmos-ASA# debug ssh 2

debug ssh enabled at level 2

Cosmos-ASA# Device ssh opened successfully.

SSH2: SSH client: IP = '10.1.1.99' interface # = 1

SSH: host key initialised

SSH2: starting SSH control process

SSH2: Exchanging versions - SSH-1.99-Cisco-1.25

SSH2: send SSH message: outdata is NULL

server version string:SSH-1.99-Cisco-1.25SSH2: receive SSH message: 83 (83)

SSH2: client version is - SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.2

client version string:SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.2SSH2: begin server key generation

SSH2: complete server key generation, elapsed time = 580 ms

SSH2 2: SSH2_MSG_KEXINIT sent

SSH2 2: SSH2_MSG_KEXINIT received

SSH2: kex: client->server aes128-cbc hmac-md5 none

SSH2: kex: server->client aes128-cbc hmac-md5 none

SSH2 2: expecting SSH2_MSG_KEXDH_INIT

SSH2 2: SSH2_MSG_KEXDH_INIT received

SSH2 2: signature length 143

SSH2: kex_derive_keys complete

SSH2 2: newkeys: mode 1

SSH2 2: SSH2_MSG_NEWKEYS sent

SSH2 2: waiting for SSH2_MSG_NEWKEYS

SSH2 2: newkeys: mode 0

SSH2 2: SSH2_MSG_NEWKEYS receivedSSH(conn): user authen method is 'use AAA', aaa server group ID = 1

SSH(conn): user authen method is 'use AAA', aaa server group ID = 1

SSH2 2: authentication successful for conn

SSH2 2: channel open request

SSH2 2: pty-req request

SSH2 2: requested tty: xterm, height 24, width 80

SSH2 2: env request

SSH2 2: shell request

SSH2 2: shell message received

I see the main difference starting at:

SSH2 2: pty-req request

SSH2 2: requested tty: xterm, height 24, width 80

Most problems we've seen regarding this error are due to encryption algorithm mismatches. Make sure the encryption algorithm used by the script is supported by the ASA. For example, if the client is using 3DES or AES, make sure the ASA's license supports those algorithms.

You might also try regenerating the crypto keys on the ASA:

conf t

crypto key zeroize rsa

crypto key gen rsa

Do not create a key with a modulus greater than 1024 bits.

Ok I did as suggested. I regenerated the RSA Keys on the ASA as both 1024, then again as 768. I also tweaked the SSH connection on my PC and set it to use 3des, then des... It seems like something changed and it's not even getting as far as it was previously. I did a debug on the ASA when i set ssh in the script to use a cipher i know it doesn't support, blowfish. the debug obviously shows that there's a cipher mismatch, but the other ciphers i used seem to work fine... the debug shows the two devices matching encryption algoriths.

3des:

Device ssh opened successfully.

SSH1: SSH client: IP = '10.1.1.100' interface # = 1

SSH: host key initialised

SSH1: starting SSH control process

SSH1: Exchanging versions - SSH-1.99-Cisco-1.25

SSH1: send SSH message: outdata is NULL

server version string:SSH-1.99-Cisco-1.25SSH1: receive SSH message: 83 (83)

SSH1: client version is - SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.5

client version string:SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.5SSH1: begin server key generation

SSH1: complete server key generation, elapsed time = 350 ms

SSH2 1: SSH2_MSG_KEXINIT sent

SSH2 1: SSH2_MSG_KEXINIT received

SSH2: kex: client->server 3des-cbc hmac-md5 none

SSH2: kex: server->client 3des-cbc hmac-md5 none

SSH2 1: expecting SSH2_MSG_KEXDH_INIT

SSH2 1: SSH2_MSG_KEXDH_INIT received

SSH2 1: signature length 111

SSH2: kex_derive_keys complete

SSH2 1: newkeys: mode 1

SSH2 1: SSH2_MSG_NEWKEYS sent

SSH2 1: waiting for SSH2_MSG_NEWKEYSSSH1: TCP read failed, error code = 0x86300001 "TCP connection reset"

SSH1: receive SSH message: [no message ID: variable *data is NULL]

SSH2 0: Unexpected mesg type receivedSSH1: Session disconnected by SSH server - error 0x00 "Internal error"

AES-128:

Device ssh opened successfully.

SSH1: SSH client: IP = '10.1.1.100' interface # = 1

SSH: host key initialised

SSH1: starting SSH control process

SSH1: Exchanging versions - SSH-1.99-Cisco-1.25

SSH1: send SSH message: outdata is NULL

server version string:SSH-1.99-Cisco-1.25SSH1: receive SSH message: 83 (83)

SSH1: client version is - SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.5

client version string:SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.5SSH1: begin server key generation

SSH1: complete server key generation, elapsed time = 410 ms

SSH2 1: SSH2_MSG_KEXINIT sent

SSH2 1: SSH2_MSG_KEXINIT received

SSH2: kex: client->server aes128-cbc hmac-md5 none

SSH2: kex: server->client aes128-cbc hmac-md5 none

SSH2 1: expecting SSH2_MSG_KEXDH_INIT

SSH2 1: SSH2_MSG_KEXDH_INIT received

SSH2 1: signature length 111

SSH2: kex_derive_keys complete

SSH2 1: newkeys: mode 1

SSH2 1: SSH2_MSG_NEWKEYS sent

SSH2 1: waiting for SSH2_MSG_NEWKEYSSSH1: TCP read failed, error code = 0x86300001 "TCP connection reset"

SSH1: receive SSH message: [no message ID: variable *data is NULL]

SSH2 0: Unexpected mesg type receivedSSH1: Session disconnected by SSH server - error 0x00 "Internal error"

I reset all the keys on my system and verified I can connect to the ASA by using the command line. Any other ideas?

Here is the script I'm using:

use Net::Appliance::Session;

my $s = Net::Appliance::Session->new('10.1.1.3');

eval {

$s->connect(Name => 'conn', Password => 'conn', Transport => 'SSH',

Opts =>['-c','3des'], SHCK => 0 );

$s->begin_privileged('conn');

print $s->cmd('show ver');

$s->end_privileged;

};

if ($@) {

$e = Exception::Class->caught();

ref $e ? $e->rethrow : die $e;

}

$s->close;

Script output:

ryan@ryan-desktop:~/PERL/appliance$ perl appliancetest.pl

Failed to get first prompt at appliancetest.pl line 6

I've tried various options with for Net::Appliance::Session messing with Phrasebooks, and SHCK, but with no luck. Any thoughts??

Can you use other SSH clients to connect to the ASA? If so, this may point to a compatibility problem between this module and the ASA. I've never used this module, but according the readme, it uses Expect for SSH. It looks like it spawns the ssh executable on the host station. In this case, it passes the "-c 3des" option.

Can you use ssh on the UNIX workstation to connect to this ASA?

Hi, thanks for helping so much with this...

Yes, I'm able to ssh via the command line.

"ssh -l -c 3des "

On what UNIX platform are you running this script?

I'm running:

Ubuntu 7.10 (Gutsy Gibbon)

Ugh, Linux. You couldn't have used a real OS like FreeBSD...

I think Linux comes with a program called strace that will trace the syscalls of a running process. You might try running your script using strace (strace -f to follow forks) to see exactly how it's executing ssh. This might give us a clue as to why it's failing.

I found out how to display every line from the module to stdout... turns out that the known_hosts file had the wrong keys stored in it or something. I just disabled host key checking globally for SSH, and that fixed it. Thanks for all your help.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco