ctomkow/swITch

can't copy file to cisco switch

Closed this issue · 3 comments

Hi there,

I love your script!
When copying IOS firmware to a switch using -f, I get an error.

Besides that, I'd like to copy it to all switches instead of only the 'master'. I hope this is possible.

#python swITch.py -e -i ip.list -a auth.txt -f c2960x-universalk9-mz.152-6.E.bin

SSH connection open to 10.xxx.xxx.xxx


Start transfer process: 2019-03-07 13:38:31.122455
Traceback (most recent call last):
  File "swITch.py", line 275, in <module>
    swITch()
  File "swITch.py", line 81, in __init__
    args.port, args.suppress, args.file, args.verbose, args.zomg)
  File "swITch.py", line 200, in main
    log.event('info', dev.transfer_file(file_image))  
  File "/Users/dennis/Downloads/swITch-master/device_connector.py", line 116, in transfer_file
    scp_transfer.transfer_file() # Transfer file                                      
  File "/Library/Python/2.7/site-packages/netmiko/scp_handler.py", line 279, in transfer_file
    self.put_file()
  File "/Library/Python/2.7/site-packages/netmiko/scp_handler.py", line 292, in put_file
    self.scp_conn.scp_transfer_file(self.source_file, destination)
  File "/Library/Python/2.7/site-packages/netmiko/scp_handler.py", line 39, in scp_transfer_file
    self.scp_client.put(source_file, dest_file)
  File "/Library/Python/2.7/site-packages/scp.py", line 157, in put
    self._recv_confirm()
  File "/Library/Python/2.7/site-packages/scp.py", line 361, in _recv_confirm
    raise SCPException(asunicode(msg[1:]))
scp.SCPException: Privilege denied.

Hi, thanks for reaching out. I will take a look at the issue when I have a moment. Thanks.

A quick guess, but Cisco's SCP (used for file transfer) requires authorization to be configured as well as authentication.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-xe-3se-3850-cr-book/sec-d1-xe-3se-3850-cr-book_chapter_0101.html

"Scp adds the requirement that AAA authorization be turned on so that the operating system can determine whether or not the user is at the correct privilege level."

This may explain your error message: scp.SCPException: Privilege denied.

I remember running into this issue a while ago. I added the flag -z (a hidden flag) to temporarily enable authorization for the transfer, then disable it afterwards. Adding -z in your command will run the following command on your switch. Note that it will use TACACS+ first, then fall back to local authorization.
aaa authorization exec default group TACACS_PLUS local

If you just have local switch accounts, you may try to enable local authorization only to see if that resolves the privilege denied error.
aaa authorization exec default local

Let me know if that works. Again, this is from memory, so it may not be quite right. I don't have a Cisco lab available at the moment, so I will get one set up so I can perform additional testing.

Finally, regarding your request for copying images to all members' flash in a stack and not just the master: at this stage, the script will only copy to the master. Copying the image to all members of the stack would be a feature request that I can work on. However, first I need to create a test environment :)

Let me know if you need clarification and if my suggestion works.
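A pre-flight check for the SCP prerequisites discussed in this thread, as an added example that is not part of the original issue and is not swITch's own code: it reads a running-config, lists only the commands that are missing, and builds the matching rollback so the switch returns to its prior state after the transfer. The function name `scp_preflight` and the sample configs are constructed for illustration; `aaa new-model` and `ip scp server enable` are standard IOS commands that do not appear on this page.

```python
import re

# Settings that are safe to add for the transfer and remove afterwards.
# The authorization pattern accepts any existing default exec method list
# (for example the TACACS_PLUS form quoted above), so it is never overwritten.
TOGGLEABLE = [
    (r"^aaa authorization exec default\s+\S", "aaa authorization exec default local"),
    (r"^ip scp server enable\s*$", "ip scp server enable"),
]

def scp_preflight(running_config):
    """Return what is missing for SCP and how to undo what gets added."""
    blockers, to_add = [], []
    # Enabling AAA changes login authentication for the whole device, so a
    # missing "aaa new-model" is reported for manual review, never toggled.
    if not re.search(r"^aaa new-model\s*$", running_config, re.MULTILINE):
        blockers.append("aaa new-model")
    for pattern, command in TOGGLEABLE:
        if not re.search(pattern, running_config, re.MULTILINE):
            to_add.append(command)
    # Undo in reverse order, and only what this run added.
    rollback = ["no " + command for command in reversed(to_add)]
    return {"blockers": blockers, "to_add": to_add, "rollback": rollback}

# Constructed running-config fragments (not captured from a real switch).
SAMPLE_NO_AUTHZ = """\
hostname SW-LAB
aaa new-model
aaa authentication login default local
ip ssh version 2
"""
SAMPLE_READY = """\
hostname SW-LAB
aaa new-model
aaa authentication login default group TACACS_PLUS local
aaa authorization exec default group TACACS_PLUS local
ip scp server enable
"""
SAMPLE_NO_AAA = "hostname SW-LAB\r\nip scp server enable\r\n"

if __name__ == "__main__":
    for name in ("SAMPLE_NO_AUTHZ", "SAMPLE_READY", "SAMPLE_NO_AAA"):
        print(name, scp_preflight(globals()[name]))
```

Feed it the output of `show running-config` before a transfer; an empty `to_add` with no blockers means a "Privilege denied" error has some other cause.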

Hi ctomkow,

The exec privilege seems to work indeed! It's copying now, thanks :)

I also tried to use -c to copy firmware from one flash to another, which would be a more controlled way of course; I need to check if all the switches are the correct model, etc.

After a while it times out, I guess:

#python swITch.py -e -i 10.xxx.xxx.xx,cisco_ios -a auth.txt -c 'copy flash1:c2960x-universalk9-mz.152-6.E.bin flash4:c2960x-universalk9-mz.152-6.E.bin'
SSH connection open to 10.xxx.xxx.xxx


Traceback (most recent call last):
  File "swITch.py", line 275, in <module>
    swITch()
  File "swITch.py", line 81, in __init__
    args.port, args.suppress, args.file, args.verbose, args.zomg)
  File "swITch.py", line 189, in main
    log.event('log_only', dev.send_command(cmd) + "\n") # send command
  File "/Users/dennis/Downloads/swITch-master/device_connector.py", line 95, in send_command
    return self.device_connection.send_command(cmd)
  File "/Library/Python/2.7/site-packages/netmiko/base_connection.py", line 1188, in send_command
    search_pattern))
IOError: Search pattern never detected in send_command_expect: SER\-B0\#

It would be an awesome and useful feature, or if you can just provide the flash storage(s) you want it on, or just all.
The master can of course be different than flash1. I don't know what is faster, the scp or the copy from flash to flash.

For now I'll just loop through my switches and enable the scp and then copy it and disable scp afterwards :)
Again very awesome tool!