Author Topic: configuration saving : is my script dangerous for my switches ?  (Read 1211 times)

Offline julian

  • Rookie
  • **
  • Posts: 11
configuration saving : is my script dangerous for my switches ?
« on: February 05, 2010, 05:46:22 AM »
Hello,

I don't think so, but for a few days we have had some problems with some Nortel switches (470 & 5530): they crash (no way to ping them, and we are unable to connect directly to them through the admin port). We have to reboot them (cut off power).

I don't think my part of the script is dangerous, but I would like you to check it; I am not an expert on Nortel switches.

sub Recup_nortel_BS5530 {
      $prompt = qw(/\>/);
      $t= new Net::Telnet (Timeout=>25,
      Errmode=>'return',
      prompt=>$prompt,
      );   
      $t->open(@switch_details[1]) or die "=> Echec à l'ouverture de connexion \n=> ".$t->errmsg."";
      sleep 2;
      $ctrly=$t->put(chr(25)) or die "=> Echec de l'envoi de Ctrl+Y \n=> ".$t->errmsg."";
      sleep 2;      
      $t->waitfor('/Password:.*/');
      $password=$t->print("@switch_details[3]") or die "=> Echec à l'envoi du password\n=> ".$t->errmsg."";
      sleep 2;
      $majc=$t->print(chr(67)) or die "=> Echec de l'envoi de Maj+C \n=> ".$t->errmsg."";
      sleep 2;
      $t->cmd("enable") or die "=> Echec de l'envoi de enable \n=> ".$t->errmsg."";
      sleep 2;
      $t->cmd("copy running-config tftp address $serveur_tftp filename @switch_details[2]") or die "=> Echec de l'envoi de copy\n=> ".$t->errmsg."";
      sleep 5;
      $t->close;
      &controle_cfg;
      return 1;   
}


As you can see, it's a simple Perl script which connects by telnet to the 5530s and does a configuration backup.

Is there something wrong? The backup is done correctly, no problem. But maybe? I don't know, which is why I ask you to check it, please.

Many thanks,

Regards,

Ju

ps : sorry for my poooor english ;p


Offline Michael McNamara

  • Administrator
  • Hero Member
  • *****
  • Posts: 2164
    • Michael McNamara
Re: configuration saving : is my script dangerous for my switches ?
« Reply #1 on: February 05, 2010, 11:15:40 AM »
Hi Julian and welcome to the forums!

Your English is very good so no worries there!

I see from your code that you are just "closing" the connection to the 5530 switch. I would guess that you might be creating a memory leak by just closing those connections; the switch might be holding the connection open since it wasn't cleanly terminated/closed. You might want to add a "logout" to the end of your script.

What version of software are your switches running?

Good Luck!
If you've found this site useful and helpful, please help me spread the word. Link to us in your blog or homepage or Tweet about us! - Thanks!

Offline julian

  • Rookie
  • **
  • Posts: 11
Re: configuration saving : is my script dangerous for my switches ?
« Reply #2 on: February 09, 2010, 06:19:58 AM »
Hello,

Thanks for your answer ;)

So, you propose this:

sub Recup_nortel_BS5530 {
      $prompt = qw(/\>/);
      $t= new Net::Telnet (Timeout=>25,
      Errmode=>'return',
      prompt=>$prompt,
      );   
      $t->open(@switch_details[1]) or die "=> Echec à l'ouverture de connexion \n=> ".$t->errmsg."";
      sleep 2;
      $ctrly=$t->put(chr(25)) or die "=> Echec de l'envoi de Ctrl+Y \n=> ".$t->errmsg."";
      sleep 2;     
      $t->waitfor('/Password:.*/');
      $password=$t->print("@switch_details[3]") or die "=> Echec à l'envoi du password\n=> ".$t->errmsg."";
      sleep 2;
      $majc=$t->print(chr(67)) or die "=> Echec de l'envoi de Maj+C \n=> ".$t->errmsg."";
      sleep 2;
      $t->cmd("enable") or die "=> Echec de l'envoi de enable \n=> ".$t->errmsg."";
      sleep 2;
      $t->cmd("copy running-config tftp address $serveur_tftp filename @switch_details[2]") or die "=> Echec de l'envoi de copy\n=> ".$t->errmsg."";
      sleep 5;
     $t->cmd("logout") or die "=> Echec de l'envoi de logout\n=> ".$t->errmsg."";
      sleep 5;
      #$t->close;
      &controle_cfg;
      return 1;   
}


=> removing "close"
=> adding "send logout"

(because my script crashes if I do not comment out the close line)

If I've got other kinds of switches, should I send logout instead of ->close on them too?

So can this memory leak problem crash switches?

Again, many thanks for your answers ;)

Offline qazzie

  • Full Member
  • ***
  • Posts: 92
Re: configuration saving : is my script dangerous for my switches ?
« Reply #3 on: February 09, 2010, 06:01:16 PM »
version version version?  :D

Simple answer: it could, but not likely, since idle sessions will be killed after 15 mins... but who knows.

Offline Michael McNamara

  • Administrator
  • Hero Member
  • *****
  • Posts: 2164
    • Michael McNamara
Re: configuration saving : is my script dangerous for my switches ?
« Reply #4 on: February 09, 2010, 07:00:27 PM »
It really depends on the version of software you are running on your switches as Q alludes to.

There are quite a few documented issues which can be created by too many telnet sessions to a switch or failing to properly close open telnet sessions.

You might want to investigate SNMP as a possible means to accomplish the task you're looking to automate. The SNMP MIBs from Nortel are very extensive and you can do just about anything via SNMP that you can do via CLI. If you are specifically looking at backing up the configurations you should have a look on my blog:

http://blog.michaelfmcnamara.com/scripting/
http://mysite.verizon.net/michaelfmcnamara/files/switchtftpbackup.pl.txt

Good Luck!

Offline julian

  • Rookie
  • **
  • Posts: 11
Re: configuration saving : is my script dangerous for my switches ?
« Reply #5 on: February 10, 2010, 03:00:17 AM »
Hello

For the BS5530 =>  HW:32 FW:5.0.0.4 SW:v5.1.0.015 BN:15 (c) Nortel Networks

For the BS470 => HW:07       FW:3.6.0.7   SW:v3.7.0.04 ISVN:2

In fact, I can't use SNMP for the moment :( If I could, I would, but it's not possible for now.

Are you saying that with the current code (without logout), if I chain telnet connections (like 2 or 3 within 5 minutes) to the same switch, I can crash it?

Offline qazzie

  • Full Member
  • ***
  • Posts: 92
Re: configuration saving : is my script dangerous for my switches ?
« Reply #6 on: February 10, 2010, 07:03:46 AM »
In detail: with every TCP session, there are two ways to close a session, a passive close (remote close) and an active close (local close). Both are based on receiving FIN packets and sending ACK packets. What Michael was referring to is that your initial script doesn't send a finish packet, and so the receiving end (the switch in this case) gets into a "close_wait" state. There are known issues with this specific case.

You could look up telnet issues in the release notes, if there are any.

qaz

Offline julian

  • Rookie
  • **
  • Posts: 11
Re: configuration saving : is my script dangerous for my switches ?
« Reply #7 on: February 15, 2010, 07:58:16 AM »
Hello,

Thanks for your answer.

Well, I've done this :

sub Recup_nortel_BS470 {   
      $prompt = qw(/\>/);
      $t= new Net::Telnet (Timeout=>25,
      Errmode=>'return',
      prompt=>$prompt
      );
      $t->open(@switch_details[1]) or die "=> Echec à l'ouverture de connexion \n=> ".$t->errmsg."";
      $ctrly=$t->put(chr(25)) or die "=> Echec de l'envoi de Ctrl+Y \n=> ".$t->errmsg."";
      $t->waitfor('/Username:.*/');
      $login=$t->print("@switch_details[4]") or die "=> Echec à l'envoi de l'username\n=> ".$t->errmsg."";
      sleep 2;
      $t->waitfor('/Password:.*/');
      $password=$t->print("@switch_details[3]") or die "=> Echec à l'envoi du password\n=> ".$t->errmsg."";
      sleep 2;
      $majc=$t->print(chr(67)) or die "=> Echec de l'envoi de Maj+C \n=> ".$t->errmsg."";
      sleep 2;
      $t->cmd("enable") or die "=> Echec de l'envoi de enable \n=> ".$t->errmsg."";
      sleep 2;
      $t->cmd("copy running-config tftp address $serveur_tftp filename @switch_details[2]") or die "=> Echec de l'envoi de copy\n=> ".$t->errmsg."";
      sleep 2;
      $t->cmd("logout") or die "=> Echec de l'envoi de logout\n=> ".$t->errmsg."";
      sleep 2;
      #$t->close;
      &controle_cfg;
      return 1;
}


but now, I've got this error in my script:

Quote
=> Echec de l'envoi de logout
=> pattern match read eof at ./Backup-Trinaps.pl line 175.

Which corresponds to the $t->cmd("logout") or die "=> Echec de l'envoi de logout\n=> ".$t->errmsg.""; line.

Any idea?

Offline Michael McNamara

  • Administrator
  • Hero Member
  • *****
  • Posts: 2164
    • Michael McNamara
Re: configuration saving : is my script dangerous for my switches ?
« Reply #8 on: February 15, 2010, 06:44:43 PM »
Hi Julian,

I'm going to take a guess that you might not be waiting long enough for your backup command to complete before trying to issue the logout command. I'm guessing that you're using some telnet library for Perl. Unfortunately I don't use Perl for that purpose myself; I rely on Expect if I need to perform some function via telnet.

Before I started utilizing SNMP I wrote a few Expect scripts to automate the same tasks you're looking to accomplish. Have a look at the code below:

Code:
# Copy the file from the switch to the TFTP server
send -- "copy $FILENAME tftp://$TFTPSERVER/$FILENAME\r"

# Check to see if the file copied successfully
expect {
   "copied successfully" {
      puts "$SWITCH successful<br>";
      }
   "Copy failed" {
      puts "ERROR: copy to TFTP server failed for $SWITCH<br>";
      }
   }
expect "> "

The beauty of Expect is that I can branch the execution of the script based on the response. In the script above I'm backing up a Symbol WS5000 (v2.x) Wireless LAN Switch. I wait for the response back from the switch to determine if the backup failed or was successful before continuing the script.

While you probably don't want to rewrite your script, I can't blame you. You'll probably need to figure this one out on your own... but you have my guess.

Good Luck!

Offline julian

  • Rookie
  • **
  • Posts: 11
Re: configuration saving : is my script dangerous for my switches ?
« Reply #9 on: February 17, 2010, 04:07:05 AM »
Hello

Thanks for your script; I use Expect too with some switches using ssh.

I found a way around my problem, have a look:

Code:
sub Recup_nortel_BS470 {
      $prompt = qw(/\>/);
      $t= new Net::Telnet (Timeout=>25,
      Errmode=>'return',
      prompt=>$prompt
      );
      $t->open(@switch_details[1]) or die "=> Echec à l'ouverture de connexion \n=> ".$t->errmsg."";
      $ctrly=$t->put(chr(25)) or die "=> Echec de l'envoi de Ctrl+Y \n=> ".$t->errmsg."";
      $t->waitfor('/Username:.*/');
      $login=$t->print("@switch_details[4]") or die "=> Echec à l'envoi de l'username\n=> ".$t->errmsg."";
      sleep 2;
      $t->waitfor('/Password:.*/');
      $password=$t->print("@switch_details[3]") or die "=> Echec à l'envoi du password\n=> ".$t->errmsg."";
      sleep 2;
      $majc=$t->print(chr(67)) or die "=> Echec de l'envoi de Maj+C \n=> ".$t->errmsg."";
      sleep 2;
      $t->cmd("enable") or die "=> Echec de l'envoi de enable \n=> ".$t->errmsg."";
      sleep 2;
      $t->cmd("copy running-config tftp address $serveur_tftp filename @switch_details[2]") or die "=> Echec de l'envoi de copy\n=> ".$t->errmsg."";
      sleep 2;
      # From here on, an "eof" error is ignored; any other error is fatal
      $t->errmode(sub
      {
            die @_ unless $_[0] =~ /eof/
      });
      @output1 = $t->cmd('logout');
      print @output1;
      $t->close;
      &controle_cfg;
      return 1;
}

In fact, my problem was that the prompt changes when I send logout, which my script can't handle correctly. So I capture this eof, and now it works.

I did some tests and I don't have any problems for the moment, so for now, does this script seem correct to you?
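
Added example, not part of julian's post or of any script in this thread: a Python loopback demonstration of the two close orders described in Reply #6 and of the EOF that follows a logout, as handled in Reply #9. `fake_switch` is a constructed stand-in for a telnet CLI (an assumption, not Nortel behaviour); after a session-level logout the device closes first and the client reads EOF, which is the expected outcome rather than an error.

```python
import socket
import threading

def fake_switch(listener, events):
    """Constructed stand-in for a telnet CLI (not real Nortel behaviour)."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"> ")
        buf = b""
        while True:
            data = conn.recv(1024)
            if not data:
                # Client closed without logging out: the device only learns
                # of it from the FIN and must tear the session down itself.
                events.append("peer-closed-first")
                return
            buf += data
            if b"logout\r\n" in buf:
                # Session-level logout: the device ends the CLI session and
                # closes the TCP connection first.
                events.append("logout")
                return

def read_until(sock, marker):
    """Read until marker appears; EOF before that is an error."""
    data = b""
    while marker not in data:
        chunk = sock.recv(1024)
        if not chunk:
            raise EOFError("connection closed before prompt")
        data += chunk
    return data

def run_session(send_logout, timeout=5.0):
    """Return (events seen by the device, whether the client read EOF)."""
    events, saw_eof = [], False
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))  # loopback, ephemeral port
        listener.listen(1)
        worker = threading.Thread(target=fake_switch,
                                  args=(listener, events), daemon=True)
        worker.start()
        client = socket.create_connection(listener.getsockname(), timeout)
        try:
            read_until(client, b"> ")
            if send_logout:
                client.sendall(b"logout\r\n")
                saw_eof = client.recv(1024) == b""  # EOF here means success
        finally:
            client.close()
            worker.join(timeout)
    return events, saw_eof
```
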

Offline Michael McNamara

  • Administrator
  • Hero Member
  • *****
  • Posts: 2164
    • Michael McNamara
Re: configuration saving : is my script dangerous for my switches ?
« Reply #10 on: February 17, 2010, 10:14:17 AM »
If it works in your testing then I would say it's good to go!


Offline Wouter de Jong

  • Jr. Member
  • **
  • Posts: 33
Re: configuration saving : is my script dangerous for my switches ?
« Reply #11 on: February 22, 2010, 10:05:33 AM »
We use rancid to manage device configs (Cisco, Extreme, Alteon, Juniper, Netscreen, F5 [soon]).
I never could get it to play along with the insane CTRL+Y, menu, etc.

I then fiddled with the idea to force a backup to TFTP via an SNMP-write.
Built a 2-liner with snmp-set, but never built it out for production.

Months ago I stumbled across Michael's tftpbackup script, and I've stripped it to work in conjunction with a wraprancid script
someone made. And yes... now it's integrated into rancid (config diffs by mail, and very handy in an SVN repository)

However... I've stumbled across some bug with Nortel 425 switches.
rancid runs hourly, and we have had quite some stacks that after a while would instantly respond to the SNMP-write command to initiate
the TFTP-upload with FAILED.

Even worse... after a while, mgmt-traffic to the stacks is lost.
You get arp, but it doesn't respond to ping, etc
Even if you put a port in the management vlan on the same stack, you can ping other stacks but not this one.

Worst to come : have had 3 stacks that after a while just stopped forwarding all traffic...

Must be some sort of memory leak.