ASA interrogation test - timeout while waiting for prompt

Hi All,

I'm attempting to test an asa-version-integration script on an ASA in my gns3 lab using commandrunner. However, I'm getting a "timeout while waiting for prompt" error. Any suggestions on what might be causing the issue? FYI, I am able to successfully log in via ssh.

output: output.txt

The command I used to run it:

./ full-command --ssh robert,cisco ../indeni-knowledge/parsers/src/cisco/asa/show_version-interrogation.ind > output.txt

Also, how does commandrunner handle privilege mode? Is there a way to pass the secret password?



Thanks for reaching out regarding this issue, Robert. I'm sure others can speak to this in more detail, but I found a couple of things in the log worth highlighting:

2018-02-22 11:26:30,739 228 INFO - About to run full-command on device '' with source 'Set(../indeni-knowledge/parsers/src/cisco/asa/show_version-interrogation.ind)'
2018-02-22 11:26:30,739 228 INFO - Credentials: Set(SshUsernamePasswordCredentials(None,robert,cisco,))
2018-02-22 11:26:31,019 508 INFO - no Http credentials found for device
2018-02-22 11:26:31,026 515 WARN - Failed to read SSH PTY configuration. Using default values.
indeni.collector.GenericFailure: Header = Execution Error,
Description = Couldn't find any file in path: parsers/config/ssh-pty.yaml,
2018-02-22 11:26:33,658 3147 DEBUG - Client session created: Nio2Session[local=/, remote=/]
2018-02-22 11:26:33,659 3148 DEBUG - ClientUserAuthService(ClientSessionImpl[null@/]) client methods: [publickey, keyboard-interactive, password]
2018-02-22 11:26:33,663 3152 DEBUG - sessionCreated(ClientSessionImpl[null@/]) tracking
2018-02-22 11:26:33,664 3153 DEBUG - sendIdentification(ClientSessionImpl[null@/]): SSH-2.0-SSHD-CORE-1.3.0
2018-02-22 11:26:33,776 3265 DEBUG - processUserAuth(ClientSessionImpl[robert@/]) SSH_MSG_USERAUTH_SUCCESS Succeeded with password
[INFO] [02/22/2018 11:26:39.497] [] [akka://Command-Runner/user/interrogator-] Interrogation command completed ssh-interrogation. waiting for:0 , success:0, failed:1, remaining: 0
2018-02-22 11:26:39,498 8987 DEBUG - Adding new Set() commands to execute.
[INFO] [02/22/2018 11:26:39.498] [] [akka://Command-Runner/user/interrogator-] Interrogation success for device
[INFO] [02/22/2018 11:26:39.498] [] [akka://Command-Runner/user/interrogator-] Interrogation Tags found for device ssh -> true
[INFO] [02/22/2018 11:26:39.498] [] [akka://Command-Runner/user/interrogator-] Interrogation SUCCESS ! for device:
2018-02-22 11:27:39,589 69078 ERROR - Command execution failure
indeni.collector.CommandFailure: Header = Command execution error,
Description = Command 'asa-show-version-interrogation' failed to execute,
Message = Header = Execution Error,
Description = Device at (30000 ms) timeout while waiting for prompt [],

I find it curious I'm seeing SSH password success:

2018-02-22 11:26:33,764 3253 DEBUG - destroy(ClientSessionImpl[robert@/])[ssh-connection]
2018-02-22 11:26:33,764 3253 DEBUG - tryNext(ClientSessionImpl[robert@/]) attempting method=password
2018-02-22 11:26:33,765 3254 DEBUG - sendPassword(ClientSessionImpl[robert@/])[ssh-connection] send SSH_MSG_USERAUTH_REQUEST for password - modified=false
2018-02-22 11:26:33,765 3254 DEBUG - Writing 100 bytes
2018-02-22 11:26:33,765 3254 DEBUG - handleCompletedWriteCycle(Nio2Session[local=/, remote=/]) finished writing len=100
2018-02-22 11:26:33,765 3254 DEBUG - tryNext(ClientSessionImpl[robert@/]) successfully processed initial buffer by method=password
2018-02-22 11:26:33,775 3264 DEBUG - handleReadCycleCompletion(Nio2Session[local=/, remote=/]) read 36 bytes
2018-02-22 11:26:33,776 3265 DEBUG - processUserAuth(ClientSessionImpl[robert@/]) SSH_MSG_USERAUTH_SUCCESS Succeeded with password
2018-02-22 11:26:33,776 3265 DEBUG - destroy(ClientSessionImpl[robert@/])[ssh-connection]

There are more qualified experts in this arena, but I'm personally curious why this is happening: Description = Couldn't find any file in path: parsers/config/ssh-pty.yaml, and if it may be an issue. Hope that helps!

Hi Paul,

Thanks for the feedback. I tried running the commandrunner from within the indeni-knowledge directory, right above the parsers folder. Unfortunately, it still can't find parsers/config/ssh-pty.yaml. I verified that it is there. Thus I'm still getting the errors. Do I have to set any env variables or run from a different directory?



Roberts-MacBook-Pro:indeni rpierce$ cd indeni-knowledge/
Roberts-MacBook-Pro:indeni-knowledge rpierce$ ../command-runner-6.0.62_0000/ full-command --verbose --ssh robert,cisco parsers/src/cisco/asa/show_version-interrogation.ind > output.txt
Roberts-MacBook-Pro:indeni-knowledge rpierce$ more output.txt
2018-02-23 08:44:28,874 340 INFO - Starting command runner
2018-02-23 08:44:28,877 343 INFO - About to run full-command on device '' with source 'Set(parsers/src/cisco/asa/show_version-interrogation.ind)'
2018-02-23 08:44:28,878 344 INFO - Credentials: Set(SshUsernamePasswordCredentials(None,robert,cisco,))
2018-02-23 08:44:29,307 773 INFO - no Http credentials found for device
2018-02-23 08:44:29,320 786 WARN - Failed to read SSH PTY configuration. Using default values.
indeni.collector.GenericFailure: Header = Execution Error,
Description = Couldn't find any file in path: parsers/config/ssh-pty.yaml,

at indeni.collector.knowledge.KnowledgeReader$$anonfun$readFile$1.apply(KnowledgeReader.scala:25)
at indeni.collector.knowledge.KnowledgeReader$$anonfun$readFile$1.apply(KnowledgeReader.scala:22)
at scala.util.Try$.apply(Try.scala:192)
at indeni.collector.knowledge.KnowledgeReader.readFile(KnowledgeReader.scala:22)
at indeni.collector.actors.ClientActorsFactory$.indeni$collector$actors$ClientActorsFactory$$sshPtyConfigurations$lzycompute(ClientActorsFactory.scala:155)
at indeni.collector.actors.ClientActorsFactory$.indeni$collector$actors$ClientActorsFactory$$sshPtyConfigurations(ClientActorsFactory.scala:150)
at indeni.collector.actors.ClientActorsFactory.indeni$collector$actors$ClientActorsFactory$$loadSshConfiguration(ClientActorsFactory.scala:117)
at indeni.collector.actors.ClientActorsFactory$$anonfun$4.apply(ClientActorsFactory.scala:71)
at indeni.collector.actors.ClientActorsFactory$$anonfun$4.apply(ClientActorsFactory.scala:68)
at scala.util.Success$$anonfun$map$1.apply(Try.scala:237)
at scala.util.Try$.apply(Try.scala:192)
at scala.concurrent.Future$$anonfun$map$1.apply(Future.scala:237)
at scala.concurrent.Future$$anonfun$map$1.apply(Future.scala:237)
at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply$mcV$sp(BatchingExecutor.scala:91)
at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:91)
at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:91)
at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:72)
at akka.dispatch.BatchingExecutor$
at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(AbstractDispatcher.scala:415)
at scala.concurrent.forkjoin.ForkJoinTask.doExec(
at scala.concurrent.forkjoin.ForkJoinPool$WorkQueue.runTask(
at scala.concurrent.forkjoin.ForkJoinPool.runWorker(
2018-02-23 08:44:29,344 810 INFO - Compiling 'parsers/src/cisco/asa/show_version-interrogation.ind'

Path to ssh-pty.yaml

Roberts-MacBook-Pro:config rpierce$ ls

I'd also like to know how to ssh to an ASA to run ASA commands. I can ssh to run commands on many devices, except ASA. I manage some 5585x ASA devices, and I just could not ssh to run commands. The password never gets accepted unless I interactively run the commands.

Hi Robert,

Can you see if you can work around that issue by bypassing the enable password prompt using "aaa authorization exec default group tacacs+ if-authenticated" or a similar command based on the version?



You can pass the secret password prompt for a user authenticated via the local database with the following commands:

ciscoasa(config)# aaa authorization exec LOCAL ?

configure mode commands/options:
auto-enable Allow authenticated users with sufficient privileges to
automatically enter privileged EXEC mode on login

ciscoasa(config)# aaa authorization exec LOCAL auto-enable

NOTE: Assign to the user that you created privilege level 15

All, I was able to resolve the issue. The issue was that the output was too long and paging. So commandrunner was hanging on the more. The quick fix was to only return the needed lines.

However, what is the best practice for paging? Should commandrunner be handling this by sending the appropriate command to disable paging? For the ASA it is "term paging 0".

Or should the script handle this?
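
The hang described in the last post, reproduced against a constructed stand-in for the device (an added example, not part of the thread and not commandrunner's code). `FakeAsa`, `run`, the prompt regex and the 24-line page size are assumptions made for illustration; the sample output lines are constructed.

```python
import re

PROMPT_RE = re.compile(r"^\S+[>#] ?$", re.M)   # assumed prompt shape, e.g. "ciscoasa# "
PAGER_RE = re.compile(r"<--- More --->")       # marker the ASA prints when output is paged

class FakeAsa:
    """Constructed stand-in for an ASA session that pages long output."""
    def __init__(self, lines, page=24, prompt="ciscoasa# "):
        self.lines, self.page, self.prompt = list(lines), page, prompt
        self.pending = ""
        self._emit()

    def _emit(self):
        if self.page and len(self.lines) > self.page:
            chunk, self.lines = self.lines[:self.page], self.lines[self.page:]
            self.pending = "\n".join(chunk) + "\n<--- More --->"
        else:
            self.pending = "\n".join(self.lines) + "\n" + self.prompt
            self.lines = []

    def recv(self):
        out, self.pending = self.pending, ""
        return out          # "" = device is silent; a real client would hit its timeout

    def send(self, data):
        if data == " " and self.lines:   # space asks the pager for the next page
            self._emit()

def run(dev, handle_pager, max_reads=50):
    """Read until a prompt is seen. Returns ('prompt' | 'timeout', collected output)."""
    buf = ""
    for _ in range(max_reads):
        data = dev.recv()
        if not data:
            return "timeout", buf
        buf += data
        if PAGER_RE.search(data):
            if handle_pager:
                buf = PAGER_RE.sub("", buf)   # drop the marker from the parsed output
                dev.send(" ")
            continue          # without handling, the next read finds a silent device
        if PROMPT_RE.search(buf):
            return "prompt", buf
    return "timeout", buf

def demo():
    lines = [f"line {i}" for i in range(1, 61)]        # constructed 60-line output
    return (run(FakeAsa(lines), handle_pager=False),   # paged, client only waits
            run(FakeAsa(lines), handle_pager=True),    # paged, client answers the pager
            run(FakeAsa(lines, page=0), handle_pager=False))  # paging off on the device

if __name__ == "__main__":
    print([status for status, _ in demo()])
```
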