Expect and Cisco FWSM-problem

Discussion in 'Perl Misc' started by tmo, Oct 29, 2008.

  1. tmo

    tmo Guest

    Hi

We update fwsm acl's by editing textfiles (partially automatically)
(with 'clear configure access-list <>' in the top and 'access-list
commit' in the bottom) and then ssh to the fwsm and tftp'ing the ACL's.

However scripting this process with Expect.pm has caused the active
fwsm to partially freeze on the management access (normal traffic ok)
(Configuration update in progress by another process....) with no
recovery except forced failover and reload. The problem has not occurred
when doing it manually:
    copy tftp run
    tftp-server
    filename
    wr

    ....which is what the expect-script also does...only quicker of course,
    which may be the problem.

The problem does not occur every time and seems (but not always) to be
worst if the ACLs are 200kb+ . The ssh tftp-session is scripted with
perl-expect ver. 1.15-5 on a debian etch with a standard openssh. The
FWSMs are running ver. 3.1.12 - older versions cause other management
problems and since this is a production setup we try to avoid using
the newest available OSes unless we know there is a fix for this
problem. There are about 25k lines of ACL and 300 servers directly
connected behind the firewall.

Has anyone seen anything similar? Any ideas for a workaround? And what
is best practice for acl updates (~ 55 same security level interfaces
in single mode). No one has been able to tell us a way to do this in
ADSM/security manager.

    Thanks
    Tommy, Denmark
     
    tmo, Oct 29, 2008
    #1

  2. tmo wrote:
    > Hi
    >
> We update fwsm acl's by editing textfiles (partially automatically)
> (with 'clear configure access-list <>' in the top and 'access-list
> commit' in the bottom) and then ssh to the fwsm and tftp'ing the ACL's.
    >
> However scripting this process with Expect.pm has caused the active
> fwsm to partially freeze on the management access (normal traffic ok)
> (Configuration update in progress by another process....) with no
> recovery except forced failover and reload. The problem has not occurred
> when doing it manually:
    > copy tftp run
    > tftp-server
    > filename
    > wr
    >
    > ...which is what the expect-script also does...only quicker of course,
    > which may be the problem.
    >
> The problem does not occur every time and seems (but not always) to be
> worst if the ACLs are 200kb+ . The ssh tftp-session is scripted with
> perl-expect ver. 1.15-5 on a debian etch with a standard openssh. The
> FWSMs are running ver. 3.1.12 - older versions cause other management
> problems and since this is a production setup we try to avoid using
> the newest available OSes unless we know there is a fix for this
> problem. There are about 25k lines of ACL and 300 servers directly
> connected behind the firewall.
    >
> Has anyone seen anything similar? Any ideas for a workaround? And what
> is best practice for acl updates (~ 55 same security level interfaces
> in single mode). No one has been able to tell us a way to do this in
> ADSM/security manager.


    This has little or nothing to do with Perl.
    If speed is a problem, you can use "send_slow()" instead of "send()" and
    also insert "sleep()" calls between commands.
    However, if the Cisco device prompts you for the next command, you
    should "expect()" that prompt before commencing.

    --
    These are my personal views and not those of Fujitsu Siemens Computers!
    Josef Möllers (Pinguinpfleger bei FSC)
    If failure had no penalty success would not be a prize (T. Pratchett)
    Company Details: http://www.fujitsu-siemens.com/imprint.html
     
    Josef Moellers, Oct 30, 2008
    #2
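An added example of what Josef's reply describes, not code from either poster: the manual "copy tftp run" / "wr" session driven by Expect.pm, but with an expect() on the device's prompt before every send, an optional send_slow() pacing switch, and an early abort if the "Configuration update in progress" message from the original post shows up. The hostname, user, TFTP address, file name, the enable handling and the exact prompt texts of the copy dialog are assumptions; check them against a transcript of a manual session before using the script against a production FWSM.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: drive the manual FWSM
# "copy tftp run" / "wr" session with Expect.pm, waiting for each device
# prompt before sending the next line, with optional send_slow() pacing.
# Hostnames, prompt texts, file names and the enable flow are assumptions.
use strict;
use warnings;
use Expect;

my $host     = 'fwsm.example.net';                       # assumed
my $user     = 'aclpush';                                # assumed
my $password = $ENV{FWSM_PASSWORD} or die "set FWSM_PASSWORD\n";
my $enable   = $ENV{FWSM_ENABLE} || $password;           # assumed enable secret
my $tftp     = '192.0.2.10';                             # assumed TFTP server
my $filename = 'fwsm-acl.txt';                           # assumed ACL file
my $char_delay = 0;   # seconds between characters; try e.g. 0.005 to use send_slow()

# Device prompt: hostname, optional "(config...)" part, then ">" or "#".
my $prompt = qr/[\w.-]+(?:\([\w-]+\))?[#>] ?$/;

# Refuse unknown host keys instead of letting ssh prompt interactively.
my $exp = Expect->spawn('ssh', '-o', 'StrictHostKeyChecking=yes', "$user\@$host")
    or die "cannot spawn ssh: $!";
$exp->log_stdout(0);
$exp->log_file('fwsm-acl-update.log');   # transcript of device output for post-mortem

# Send one line (paced with send_slow() if $char_delay is set), then block
# until the expected pattern appears. The "update in progress" message the
# poster saw is matched first, so the script stops instead of piling more
# commands onto a wedged management session.
sub step {
    my ($line, $pattern, $timeout) = @_;
    if (defined $line) {
        $char_delay ? $exp->send_slow($char_delay, "$line\r")
                    : $exp->send("$line\r");
    }
    my $idx = $exp->expect($timeout,
        [ '-re', 'Configuration update in progress' ],
        [ '-re', $pattern ],
    );
    defined $idx or die "timeout waiting for /$pattern/\n";
    die "device reports a configuration update in progress, aborting\n" if $idx == 1;
    return $exp->before;   # output printed before the match
}

# Log in: either a password prompt or, with key auth, the device prompt.
my $idx = $exp->expect(30, [ '-re', '[Pp]assword: ?$' ], [ '-re', $prompt ]);
defined $idx or die "no password or device prompt from $host\n";
step($password, $prompt, 30) if $idx == 1;

# Enter privileged mode if we landed at a ">" prompt (assumed enable flow).
if ($exp->match =~ />\s*$/) {
    step('enable', '[Pp]assword: ?$', 15);
    step($enable,  $prompt,           15);
}

# The manual sequence, one prompt at a time. Prompt texts are assumed from
# the PIX/ASA/FWSM copy dialog; verify them against a manual session.
step('copy tftp running-config', 'Address or name of remote host', 15);
step($tftp,                      'Source filename',                15);
step($filename,                  'Destination filename',          15);

# Accept the default destination and wait for the whole file to be parsed
# and committed; a 200 kB / 25k-line ACL needs a generous timeout here.
my $out = step('', $prompt, 900);
die "copy failed:\n$out\n" if $out =~ /ERROR|Invalid input/i;   # rough check

step('write memory', $prompt, 120);
$exp->send("exit\r");
$exp->soft_close();
print "ACL update on $host completed\n";
```

The two knobs from the reply are both here: every step() call blocks on the next prompt, so input can never run ahead of the device, and setting $char_delay switches send() to send_slow() if the box still chokes on a full line arriving at once. The transcript in fwsm-acl-update.log is what to look at first when a run wedges the management session.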