Expect and Cisco FWSM-problem


We update fwsm acl's by editing text files (partially automatically)
(with 'clear configure access-list <>' at the top and 'access-list
commit' at the bottom) and then ssh to the fwsm and tftp'ing the ACL's.

However, scripting this process with Expect.pm has caused the active
to partially freeze on the management access (normal traffic ok)
(Configuration update in progress by another process....) with no
recovery except forced failover and reload. The problem has not occurred
when doing it manually:
copy tftp run

...which is what the expect-script also does...only quicker of course,
which may be the problem.

The problem does not occur every time and seems (but not always) to be
worst if the ACLs are 200kb+ . The ssh tftp-session is scripted with
perl-expect ver. 1.15-5 on a debian etch with a standard openssh. The
FWSMs are running ver. 3.1.12 - older versions cause other management
problems and since this is a production setup we try to avoid using
the newest available OS'es unless we know there is a fix for this
problem. There are about 25k lines of ACL and 300 servers directly
connected behind the firewall.

Has anyone seen anything similar? Any ideas for a workaround? And what
is best practice for acl updates (~ 55 same security level interfaces
in single mode). No one has been able to tell us a way to do this in
ASDM/security manager.

Tommy, Denmark

Re: Expect and Cisco FWSM-problem


This has little or nothing to do with Perl.
If speed is a problem, you can use "send_slow()" instead of "send()" and
also insert "sleep()" calls between commands.
However, if the Cisco device prompts you for the next command, you
should "expect()" that prompt before commencing.

These are my personal views and not those of Fujitsu Siemens Computers!
Josef Möllers (Pinguinpfleger bei FSC)
    If failure had no penalty success would not be a prize (T.  Pratchett)
Company Details: http://www.fujitsu-siemens.com/imprint.html
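
The advice in the reply above, as an added example that is not part of either post: each command is paced with send_slow() and the script waits for the prompt before sending the next one, stopping if the busy message quoted in the question appears. The `fw# ` prompt, the 30-second timeout and the inline stand-in for the device CLI are assumptions made so the script runs offline; a real session would spawn ssh to the firewall instead.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Expect;

# Constructed stand-in for the device CLI so the script runs offline: it
# prints a prompt and takes 2 seconds to "apply" any copy command.
my $fake_cli = q{$| = 1; print "fw# ";
                 while (<STDIN>) { sleep 2 if /^copy/; print "fw# " }};

my $prompt  = 'fw# $';  # assumed prompt, anchored to the end of the output
my $timeout = 30;       # seconds; must exceed the slowest command

my $exp = Expect->new;
$exp->log_stdout(0);
$exp->spawn($^X, '-e', $fake_cli) or die "spawn failed: $!\n";

# Send one command, then block until the prompt returns, so the next
# command is never typed while the previous one is still being applied.
sub run_cmd {
    my ($cmd) = @_;
    $exp->send_slow(0.01, "$cmd\r");    # pace the keystrokes
    defined $exp->expect($timeout, '-re', $prompt)
        or die "no prompt after '$cmd': " . ($exp->error // 'unknown') . "\n";
    my $out = $exp->before;             # everything printed before the prompt
    # Busy message quoted in the question: stop instead of sending more.
    die "device busy after '$cmd'\n"
        if $out =~ /Configuration update in progress/;
    return $out;
}

defined $exp->expect($timeout, '-re', $prompt) or die "no initial prompt\n";
for my $cmd ('copy tftp run') {         # command as given in the question
    my $t0 = time;
    run_cmd($cmd);
    printf "%-15s prompt back after %ds\n", $cmd, time - $t0;
}
$exp->hard_close;
```

A timeout here ends the run with the last command named, which leaves the session in a known state instead of queueing further input behind a device that has not answered.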
