Sep 032009
 

service password-encryption will not encrypt the tacacs-server key on most IOS 12.2 and below.

So be careful with copy&paste things like

tacacs-server key 7 120B0A02060E1E49392E273A3621315D091317

You have to enter your tacacs-server key in cleartext for a working tacacs setup.

tacacs-server key router-secrets.net

Erroneous configuration may result in the following output of debug tacacs:

TPLUS: Queuing AAA Authentication request 199 for processing
TPLUS: processing authentication start request id 199
TPLUS: Authentication start packet created for 199()
TPLUS: Using server 192.168.1.1
TPLUS(000000C7): connected to server 192.168.1.1
TPLUS: response received for AAA request 199
TPLUS: received bad AUTHEN packet: length = 6, expected 66016
TPLUS: Invalid AUTHEN packet (check keys)

The 0 string and 7 string keyword and argument pairs were added in 12.3(2)T

Jul 132009
 

This Problem is fixed in 8.2(2)



If you use RANCID with ASAs IOS 8.2(1) you may have noticed a change of the timestamp of coredump.cfg every time RANCID polls the device. This is a very annoying behaviour because you will get a new cvs-version of your config every day (or every time your RANCID polls your devices) without changing the device-configuration.

To get around this, just locate your RANCID-binaries and kick out the recurrent changing “show flash”-output in the source.

  • Open the file “rancid” with your favourite texteditor.
  • Find the section where the “show flash” code is parsed.
  • put the regexp-filter in the code to eliminate the annoying output.
  • Enjoy your clean config-history.
# This routine parses "show flash"
sub ShowFlash {
    # skip if this is 7000, 7200, 7500, or 12000; else we end up with
    # redundant data from dir /all slot0:
    print STDERR "    In ShowFlash: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        return(1) if ($type =~ /^(12[40]|7)/);
        return(-1) if (/command authorization failed/i);
        return(1) if /^\s*\^\s*$/;
        return(1) if /(Invalid input detected|Type help or )/;
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;
        /\s+vlan\.dat$/ && next;
        /\s+coredumpinfo\/coredump\.cfg$/ && next;
        /\s+config\/archive-[0-9]+$/ && next;
        ProcessHistory("FLASH","","","!Flash: $_");
    }
    ProcessHistory("","","","!\n");
    return;
}

The first bold line removes the coredump.cfg from ASA-“show flash”-output.
The second bold line removes the archive-entries from IOS-“show flash”-output if you have archive-logging enabled.

Details:

This is a BUG in Version 8.2(1) and appears on all ASAs. The Bug is already fixed and will vanish in the next release.

See CISCO-BugID: CSCsz85597

 Posted by at 12:47