10-20-2019 10:49 AM - edited 10-20-2019 02:24 PM
Hi,
Several years ago, I developed a C++ process (running on Linux Red Hat 7) that connects via SSH to Cisco routers (IOS 12.2).
The process's task is to monitor (retrieve & update) some preconfigured ACLs, and it uses libssh version 0.7.0 (https://www.libssh.org/?s=libssh+0.7.0).
The ssh_set_blocking(session, 1) command is activated prior to the ssh_connect(session) one.
Several months ago, we received two new Cisco routers with IOS 15.1, and since then there has been an SSH connection problem.
I've written a simple tester that loops (100 cycles) over all the Cisco routers (IOS 12.2 and the new IOS 15.1 ones). The tester just connects, disconnects and sleeps for 2 seconds.
All 100 tests performed on the Cisco routers with IOS 12.2 were successful.
Only 75-85 tests performed on the Cisco routers with IOS 15.1 were successful; the other 15-25 attempts failed due to the timeout error.
What are the IOS 15 changes that could cause this problem, and how may I solve the problem?
Thanks
Zeev
10-21-2019 12:01 AM
- Consider this methodology as being unsupported. You can make configuration changes via the CISCO-COPY-CONFIG MIB, in a semi-automatic way, if so desired. It is better to look into overall managerial products such as Cisco Prime to have consistent management of switches.
M.
10-21-2019 06:39 AM
Hi.
According to the customer requirements, I must perform SSH connect to the Cisco router (IOS version 15.1) and constantly retrieve and report the ACL details.
As I wrote in the description, there are no problems with the Cisco router (IOS version 12.2), but only with the one that runs IOS version 15.1.
What are the changes between these versions that prevent the normal connect operations, and how may I solve these problems?
Thanks
Zeev
10-21-2019 10:51 PM
- The 'customer requirements' shouldn't always be accepted ad hoc, and considered as being 'valid'. In this case I argue they are not. Because controlled management and knowing who has access to the router also means that the ACLs are also managed in an authorized manner.
M
10-22-2019 09:54 AM - edited 10-22-2019 10:48 AM
Hi,
Thanks for the replies :)
There are two reasons for not using the SNMP protocol, except for the customer requests:
Thanks again
Zeev
10-23-2019 01:49 AM
- As stated, I still question the need for these procedures, especially when strong authorization and managerial and change management is in place for the routers. Furthermore, such intense scrutinizing will induce an extra load on the router. Aside from the fact that it worked and no longer does, you won't get this supported by Cisco, since they have their own products such as Prime which can also do compliance auditing.
M.
10-23-2019 10:21 AM
Hi,
If I convince my project manager to change the implementation from the libssh-based method to the SNMP-based one,
would you mind guiding me through the first SNMP steps?
Thanks
Zeev