miaow2/netbox-config-diff

Problem with old switch

Closed this issue · 19 comments

NetBox version
What version of NetBox are you currently running?
3.6.2

Describe the bug
After running the script I get this message:

Traceback (most recent call last):
File "/opt/netbox/venv/lib/python3.10/site-packages/netbox_config_diff/compliance/models.py", line 65, in get_actual_config
async with AsyncScrapli(**self.to_scrapli()) as conn:
File "/opt/netbox/venv/lib/python3.10/site-packages/scrapli/driver/base/async_driver.py", line 42, in __aenter__
await self.open()
File "/opt/netbox/venv/lib/python3.10/site-packages/scrapli/driver/base/async_driver.py", line 84, in open
await self.transport.open()
File "/opt/netbox/venv/lib/python3.10/site-packages/scrapli/transport/plugins/asyncssh/transport.py", line 194, in open
self.session = await asyncio.wait_for(
File "/usr/lib/python3.10/asyncio/tasks.py", line 445, in wait_for
return fut.result()
File "/usr/lib/python3.10/asyncio/tasks.py", line 650, in _wrap_awaitable
return (yield from awaitable.__await__())
File "/opt/netbox/venv/lib/python3.10/site-packages/asyncssh/connection.py", line 8093, in connect
return await asyncio.wait_for(
File "/usr/lib/python3.10/asyncio/tasks.py", line 408, in wait_for
return await fut
File "/opt/netbox/venv/lib/python3.10/site-packages/asyncssh/connection.py", line 440, in _connect
await options.waiter
File "/opt/netbox/venv/lib/python3.10/site-packages/asyncssh/connection.py", line 1275, in data_received
while self._inpbuf and self._recv_handler():
File "/opt/netbox/venv/lib/python3.10/site-packages/asyncssh/connection.py", line 1522, in _recv_packet
processed = handler.process_packet(pkttype, seq, packet)
File "/opt/netbox/venv/lib/python3.10/site-packages/asyncssh/packet.py", line 237, in process_packet
self._packet_handlers[pkttype](self, pkttype, pktid, packet)
File "/opt/netbox/venv/lib/python3.10/site-packages/asyncssh/connection.py", line 2168, in _process_kexinit
self._enc_alg_cs = self._choose_alg('encryption', self._enc_algs,
File "/opt/netbox/venv/lib/python3.10/site-packages/asyncssh/connection.py", line 1349, in _choose_alg
raise KeyExchangeFailed(
asyncssh.misc.KeyExchangeFailed: No matching encryption algorithm found, sent chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr and received aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

My switch is old, I can't change the algorithm. I tried using telnet but I can't find the correct driver.

Hi @RenatoPereira91, thanks for opening the issue.
What are the switch model and OS version?

Hi @miaow2,

The model is WS-C2960-8TC-L. It runs IOS 15.

Unfortunately, I do not have such a device. If I post here a simple script that tries to open a connection with old algorithms, can you run it and post whether it is successful or not?

@miaow2 yes sure.

I created a simple script using the scrapli library, and I get the connection with these parameters:

connection = {
    "host": device,
    "auth_username": "cisco",
    "auth_password": "cisco",
    "auth_strict_key": False,
    "transport": "paramiko",
}

I tried to find this in your script, but without success, haha (I don't have much knowledge about dev, haha).

If you prefer, I can send you an email.

There is a dictionary for the scrapli connection:
https://github.com/miaow2/netbox-config-diff/blob/develop/netbox_config_diff/compliance/models.py#L32

but paramiko does not support async and cannot be used in the plugin.

Understood, send me the script that you would like me to test.

The script is below. It only gets "show version" from the device; define host, auth_username and auth_password in the variable DEVICE.
Before running, install scrapli: pip install scrapli[asyncssh]
And please test the script on devices with newer OS versions as well.

import asyncio

from scrapli import AsyncScrapli

DEVICE = {
    "host": "",
    "auth_username": "",
    "auth_password": "",
    "platform": "cisco_iosxe",
    "auth_strict_key": False,
    "transport": "asyncssh",
    "transport_options": {
        # asyncssh-specific options: the default kex and cipher offers (see the
        # traceback above) contain nothing the old IOS accepts, so both lists
        # are widened to include the legacy algorithms the switch announces
        "asyncssh": {
            "kex_algs": [
                "curve25519-sha256",
                "curve25519-sha256@libssh.org",
                "curve448-sha512",
                "ecdh-sha2-nistp521",
                "ecdh-sha2-nistp384",
                "ecdh-sha2-nistp256",
                "ecdh-sha2-1.3.132.0.10",
                "diffie-hellman-group-exchange-sha256",
                "diffie-hellman-group14-sha256",
                "diffie-hellman-group15-sha512",
                "diffie-hellman-group16-sha512",
                "diffie-hellman-group17-sha512",
                "diffie-hellman-group18-sha512",
                "diffie-hellman-group14-sha256@ssh.com",
                "diffie-hellman-group14-sha1",
                "rsa2048-sha256",
                "diffie-hellman-group1-sha1",
                "diffie-hellman-group-exchange-sha1",
                "diffie-hellman-group-exchange-sha256",
            ],
            # CBC ciphers first so a switch that only offers CBC can negotiate;
            # the CTR/GCM entries keep newer devices working with the same list
            "encryption_algs": [
                "aes256-cbc",
                "aes192-cbc",
                "aes128-cbc",
                "3des-cbc",
                "aes256-ctr",
                "aes192-ctr",
                "aes128-ctr",
                "aes128-gcm@openssh.com",
                "chacha20-poly1305@openssh.com",
            ],
        },
    },
}


async def main():
    async with AsyncScrapli(**DEVICE) as conn:
        result = await conn.send_command("show version")
        print(result.result)


if __name__ == "__main__":
    asyncio.run(main())
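To see why the default offer fails and which cipher the widened list from the script above will actually land on, here is a small added example that is not part of the plugin or of any post in this thread. It applies the SSH algorithm negotiation rule from RFC 4253 (the first entry in the client's list that the server also offers wins) to the two lists printed verbatim in the traceback. The LEGACY_CIPHERS set, the KEX_FAILED_RE pattern and the helper names are my own assumptions, not plugin or asyncssh APIs.

```python
from __future__ import annotations

import re
from typing import Optional

# Cipher lists copied from the KeyExchangeFailed message in the traceback:
# asyncssh's default offer versus what the WS-C2960 running IOS 15 answered.
CLIENT_DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes256-gcm@openssh.com",
    "aes128-gcm@openssh.com",
    "aes256-ctr",
    "aes192-ctr",
    "aes128-ctr",
]
SWITCH_CIPHERS = ["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"]

# The widened encryption_algs list from the test script above, same order.
WIDENED_CIPHERS = [
    "aes256-cbc",
    "aes192-cbc",
    "aes128-cbc",
    "3des-cbc",
    "aes256-ctr",
    "aes192-ctr",
    "aes128-ctr",
    "aes128-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
]

# Assumption: ciphers that are only in the widened list to reach legacy devices.
LEGACY_CIPHERS = {"aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc"}

# Full error line from the traceback, kept verbatim so the parser runs offline.
ERROR_MESSAGE = (
    "asyncssh.misc.KeyExchangeFailed: No matching encryption algorithm found, sent "
    "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,"
    "aes256-ctr,aes192-ctr,aes128-ctr and received aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc"
)

# Assumed shape of asyncssh's mismatch message, taken from the traceback text.
KEX_FAILED_RE = re.compile(
    r"No matching (?P<kind>\w+) algorithm found, sent (?P<sent>\S+) and received (?P<received>\S+)"
)


def negotiate(client: list[str], server: list[str]) -> Optional[str]:
    """RFC 4253 section 7.1 rule: the chosen algorithm is the first entry of the
    client's list that the server also offers; None means the handshake fails."""
    offered = set(server)
    for alg in client:
        if alg in offered:
            return alg
    return None


def parse_kex_failure(message: str) -> dict:
    """Pull the client ('sent') and server ('received') lists out of a
    KeyExchangeFailed message of the shape seen in the traceback."""
    m = KEX_FAILED_RE.search(message)
    if m is None:
        raise ValueError("not a KeyExchangeFailed algorithm-mismatch message")
    return {
        "kind": m.group("kind"),
        "sent": m.group("sent").split(","),
        "received": m.group("received").split(","),
    }


def plan_fix(message: str, widened: list[str]) -> dict:
    """Report what the default offer and a widened offer would each negotiate
    against the device's list, and whether the result relies on a legacy cipher."""
    info = parse_kex_failure(message)
    chosen = negotiate(widened, info["received"])
    return {
        "kind": info["kind"],
        "default_choice": negotiate(info["sent"], info["received"]),
        "widened_choice": chosen,
        "uses_legacy": chosen in LEGACY_CIPHERS,
        "device_only_legacy": all(alg in LEGACY_CIPHERS for alg in info["received"]),
    }


if __name__ == "__main__":
    print(plan_fix(ERROR_MESSAGE, WIDENED_CIPHERS))
```

For this switch the widened offer negotiates aes256-cbc, i.e. the session only works because a CBC cipher (and, in the script's kex list, SHA-1 and group1 key exchange) is accepted. The practical check is to apply such transport_options only to the devices that need them rather than globally, since a widened client offer also lets a newer device or a man-in-the-middle steer the session onto the weakest algorithm the client lists.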

@miaow2 this code worked

ok, then I will create a new release with this fix

@miaow2 Thank you,

I have one more question. I fixed this code in my lab. I tried to test whether the SNMP config is correct, but if I use "show running-config" it shows me failed, even with the correct SNMP config. If I use "show running-config | include snmp" it works fine.

I tried using the regex (I used "^((?!snmp).)*$"), but it doesn't work because the "+" sign is shown:

[screenshot]

Did you try the regex with the "show running-config" output?

Yes, below is the screenshot:

[screenshot]

I will check at my local setup why this is happening

Ok, if you need any help let me know.

Ohhh, I understand. In the exclude regex you should define a regexp that will delete config lines that are not in the rendered config but are in the actual configuration, so the actual configuration starts looking like the rendered one.
You should write regexps that match all lines from the actual config except the SNMP configuration, then it will work.

If I set the regex to "^snmp.*" the code deletes all lines starting with snmp and it fails.

I understood that the regex is to exclude lines that match that rule.

It is easier to create a regex that matches lines for compliance, but creating a regex to exclude all matching lines is hard because I would need to know the configuration of all devices.

If you have any example of this, I can test it.

I am sorry, I read your regexp incorrectly. I fixed the connection to old OS versions and the many empty lines when using a negative regexp in release 1.2.2.
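The exclude-regex semantics explained above (matching lines are removed from the actual config before it is compared with the rendered one) and the empty-line symptom fixed in 1.2.2 can be reproduced without a device. The following is an added example and not the plugin's own code: a constructed running-config sample, the two regexps tried in this thread, and a naive re.sub-based exclude next to a line-based one. The function names exclude_naive, exclude_lines and compare are my own, and the config text is made up for the demonstration.

```python
from __future__ import annotations

import re

# Constructed sample output of "show running-config" from a lab switch; it is
# not a real device capture and only exists to drive the example.
ACTUAL_CONFIG = """\
hostname lab-sw1
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
snmp-server community public RO
snmp-server location lab
!
end"""

# Constructed rendered (intended) config that only pins the SNMP lines.
RENDERED_CONFIG = """\
snmp-server community public RO
snmp-server location lab"""

# The two regexps tried in the thread.
EXCLUDE_SNMP = r"^snmp.*"          # deletes exactly the lines we want to keep
KEEP_ONLY_SNMP = r"^((?!snmp).)*$"  # negative lookahead: deletes every non-snmp line


def exclude_naive(actual: str, patterns: list[str]) -> list[str]:
    """Blank out matching lines with a multiline re.sub. The substitution replaces
    the line body but not its newline, so every removed line leaves an empty line
    behind: the 'many empty lines' symptom reported in the thread."""
    for pattern in patterns:
        actual = re.sub(pattern, "", actual, flags=re.MULTILINE)
    return actual.splitlines()


def exclude_lines(actual: str, patterns: list[str]) -> list[str]:
    """Drop whole lines that match any exclude pattern and keep the rest intact,
    so no empty placeholder lines are produced."""
    compiled = [re.compile(p) for p in patterns]
    return [
        line
        for line in actual.splitlines()
        if not any(rx.search(line) for rx in compiled)
    ]


def compare(filtered: list[str], rendered: str) -> dict:
    """Compare the filtered actual config against the rendered config line by
    line and report what is missing from, or extra in, the actual config."""
    want = rendered.splitlines()
    return {
        "compliant": filtered == want,
        "missing": [line for line in want if line not in filtered],
        "extra": [line for line in filtered if line not in want],
    }


if __name__ == "__main__":
    # "^snmp.*" removes the SNMP lines themselves, so they show up as missing.
    print(compare(exclude_lines(ACTUAL_CONFIG, [EXCLUDE_SNMP]), RENDERED_CONFIG))
    # The negative lookahead with a naive substitution leaves only empty lines as extras.
    print(compare(exclude_naive(ACTUAL_CONFIG, [KEEP_ONLY_SNMP]), RENDERED_CONFIG))
    # Line-based exclusion with the same regexp yields a compliant result.
    print(compare(exclude_lines(ACTUAL_CONFIG, [KEEP_ONLY_SNMP]), RENDERED_CONFIG))
```

The negative lookahead is doing the right job in both cases; the difference is only whether the filter removes lines or merely empties them. When writing such a regexp for many device types, anchoring it per line (as `exclude_lines` does) also keeps a pattern from accidentally spanning across lines.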

Nice, I will update here. Thank you so much

Nice, the problems are fixed.