Unable to create an SSH script to a Firepower managed by a FMC

Hello,

If I SSH directly to my Firepower, I can run the following command :

> show vpn-sessiondb summary
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
AnyConnect Client            :    228 :      10112 :         231 :        3

But if I try to script the exact same command, it won't recognise the command:

.\Downloads\plink.exe -ssh -sanitise-stdout -sanitise-stderr -v -pw passwd -batch admin@172.30.52.51 show vpn-sessiondb summary
Looking up host "172.30.52.51" for SSH connection
Connecting to 172.30.52.51 port 22
We claim version: SSH-2.0-PuTTY_Release_0.73
Remote version: SSH-2.0-OpenSSH_7.5 PKIX[10.1]
Using SSH protocol version 2
No GSSAPI security context available
Doing Diffie-Hellman key exchange using 2048-bit modulus and hash SHA-1 (unaccelerated) with standard group "group14"
Host key fingerprint is:
ssh-rsa 2048 65:0c:72:37:df:d7:ec:7a:0b:83:48:ef:2d:19:22:32
Initialised AES-256 SDCTR (AES-NI accelerated) outbound encryption
Initialised HMAC-SHA-256 (unaccelerated) outbound MAC algorithm
Initialised AES-256 SDCTR (AES-NI accelerated) inbound encryption
Initialised HMAC-SHA-256 (unaccelerated) inbound MAC algorithm
Using username "admin".
Sent password
Pre-authentication banner message from server:
| ************************ATTENTION:************************
| Quiconque accederait, ou tenterait d'acceder au S.I.
| sans y etre autorise risque un an de prison et 15244
| euros d'amende (Nouveau Code Penal - Article 323-1).
|  **********************************************************
|
End of banner message from server
Access granted
Opening main session channel
Opened main channel
Started a shell/command
               ^
% Invalid Command at '^' marker
Session sent command exit status 236
Main session channel closed
All channels closed

I also tried from a Linux box with the ssh command and I get the same result. I also tried putting the command in a file, same result.

Any ideas please?

7 Replies

balaji.bandi
Hall of Fame

You need to pass the command in a separate file, since you cannot pass the command directly; that is the syntax having the issue.

Here is an example:

commands.txt - add the line below; you also need to add enable and the password.
show vpn-sessiondb summary

./plink.exe -ssh -l $ASAUser -pw $ASApw $ASAIP -m commands.txt

Check this example:

http://www.hackandtinker.net/2014/11/18/using-plink-to-log-commands-from-your-sshtelnet-devices/

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello,

Yes, I tried this already but it is not working... It is managed by an FMC so there is no enable password.

Access granted
Opening main session channel
Opened main channel
Started a shell/command
          ^
% Invalid Command at '^' marker
          ^
% Invalid Command at '^' marker
               ^
% Invalid Command at '^' marker
              ^
% Incomplete Command at '^' marker
Session sent command exit status 236
Main session channel closed
All channels closed

The weird thing is that if I put only a "show" (last command in the capture) it says it is incomplete, so it identifies the input. But if I enter show run or show vpn-sessiondb summary it says Invalid...

If I enter commands manually:

End of banner message from server
Access granted
Opening main session channel
Opened main channel
Allocated pty
Started a shell/command
Last login: Tue Mar 17 13:52:10 UTC 2020 from 172.30.120.203 on pts/1
Successful login attempts for user 'admin' : 38

Copyright 2004-2018, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.3.0 (build 21)
Cisco Firepower 2110 Threat Defense v6.3.0 (build 83)

> show
INFO: % Type "show ?" for a list of subcommands
> show vpn-sessiondb summary
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
AnyConnect Client            :    248 :      10331 :         252 :        3
  SSL/TLS/DTLS               :    248 :      10331 :         252 :        3
Site-to-Site VPN             :      4 :      48884 :           6
  IKEv2 IPsec                :      1 :         40 :           2
  IKEv1 IPsec                :      3 :      48844 :           4
---------------------------------------------------------------------------
Total Active and Inactive    :    255             Total Cumulative :  59215
Device Total VPN Capacity    :   1500
Device Load                  :    17%
---------------------------------------------------------------------------

>

Try enable and pass the same command with the script and let us know.

BB

enable
mypassword
show run 

show
End of banner message from server
Access granted
Opening main session channel
Opened main channel
Started a shell/command
          ^
% Invalid Command at '^' marker
          ^
% Invalid Command at '^' marker
               ^
% Invalid Command at '^' marker
              ^
% Incomplete Command at '^' marker
Session sent command exit status 236
Main session channel closed
All channels closed

It looks like as soon as you log in the banner message is kicking in, and that is where the commands are rejected.

For the ASA it worked for me when I tested using my Linux kit with a bash script with the expect command.

Let me try the script again with plink and let you know my findings.

In the meantime, try plink with -q (quiet mode).

BB

pa_amac
Level 1

Hello Laurent,

Accessing the FTD SSH interface using plink works fine for single-word commands without parameters such as "dir"; however, the introduction of spaces in the FTD command line causes issues with plink command handling, both from a file (-m script_file) and via the plink command line (plink -ssh [...] user@server show vpn-sessiondb summary).

You can work around this using Linux plink as follows:

echo -e 'show vpn-sessiondb summary\rexit\r' | plink -ssh -sanitise-stdout -sanitise-stderr -no-antispoof -pw [pw] -batch [user]@[server]

(the echo command above adds an FTD "exit" in order to terminate the session)

Hope this helps!
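The stdin workaround above can be wrapped so that a monitoring job both drives the FTD CLI and reads the result back. The Python below is an added example, not code from the thread or from Cisco: `build_command_stream` produces the CR-terminated command list with a trailing `exit` exactly as the `echo -e` in the answer does, `parse_vpn_summary` turns the `show vpn-sessiondb summary` table shown earlier in the thread into a dict, and `run_ftd_commands` feeds the stream to `plink` over a pipe. The sample table is copied from the output posted above; the host, user, plink path and the 80% alert threshold are assumptions. Unlike the one-liner in the thread, the runner deliberately passes no `-pw` on the command line (which exposes the password to anyone who can list processes) and leaves authentication to an agent or a key configured in the saved session.

```python
"""Script the FTD CLI the way the workaround above does: feed CR-terminated
commands on stdin, then parse the 'show vpn-sessiondb summary' table.
Added example, not from the thread; host/user names, the plink path and
the alert threshold are assumptions."""
import re
import subprocess
from typing import Dict, List

# Constructed sample, copied from the output format shown earlier in the thread.
SAMPLE_SUMMARY = """\
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
AnyConnect Client            :    248 :      10331 :         252 :        3
  SSL/TLS/DTLS               :    248 :      10331 :         252 :        3
Site-to-Site VPN             :      4 :      48884 :           6
  IKEv2 IPsec                :      1 :         40 :           2
  IKEv1 IPsec                :      3 :      48844 :           4
---------------------------------------------------------------------------
Total Active and Inactive    :    255             Total Cumulative :  59215
Device Total VPN Capacity    :   1500
Device Load                  :    17%
---------------------------------------------------------------------------
"""

COLUMNS = ("active", "cumulative", "peak_concurrent", "inactive")


def build_command_stream(commands: List[str]) -> str:
    """Join CLI commands with CR (what the FTD shell accepts from piped stdin)
    and append 'exit' so the session closes instead of hanging in -batch mode."""
    cleaned = [c.strip() for c in commands if c.strip()]
    if not cleaned or cleaned[-1].lower() != "exit":
        cleaned.append("exit")
    return "".join(c + "\r" for c in cleaned)


def parse_vpn_summary(text: str) -> Dict[str, object]:
    """Turn the summary table into a dict: per-type counters under 'sessions',
    footer totals as top-level integers. Rows lacking a trailing column
    (Site-to-Site has no 'Inactive') simply omit that key."""
    sessions: Dict[str, Dict[str, int]] = {}
    result: Dict[str, object] = {"sessions": sessions}
    singles = {
        "capacity": re.compile(r"^\s*Device Total VPN Capacity\s*:\s*(\d+)"),
        "load_percent": re.compile(r"^\s*Device Load\s*:\s*(\d+)%"),
    }
    totals = re.compile(
        r"^\s*Total Active and Inactive\s*:\s*(\d+)\s+Total Cumulative\s*:\s*(\d+)")
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) <= {"-"}:
            continue                      # blank line or horizontal rule
        m = totals.match(line)
        if m:
            result["total_sessions"] = int(m.group(1))
            result["total_cumulative"] = int(m.group(2))
            continue
        for key, pat in singles.items():
            m = pat.match(line)
            if m:
                result[key] = int(m.group(1))
                break
        else:
            # Counter rows: a name followed by colon-separated integers.
            parts = [p.strip() for p in line.split(":")]
            if len(parts) >= 3 and all(p.isdigit() for p in parts[1:]):
                sessions[parts[0]] = dict(zip(COLUMNS, map(int, parts[1:])))
    return result


def load_alert(summary: Dict[str, object], threshold_percent: int = 80) -> bool:
    """True when the device reports VPN load at or above the threshold (assumed 80%)."""
    return int(summary.get("load_percent", 0)) >= threshold_percent


def run_ftd_commands(host: str, user: str, commands: List[str],
                     plink: str = "plink", timeout: int = 60) -> str:
    """Run commands over SSH via plink, feeding them on stdin as the workaround
    does. No -pw here: authentication is left to an SSH agent / Pageant or a key
    in the saved session, so the secret never appears in the process list."""
    argv = [plink, "-ssh", "-batch", "-no-antispoof",
            "-sanitise-stdout", "-sanitise-stderr", f"{user}@{host}"]
    proc = subprocess.run(argv, input=build_command_stream(commands),
                          capture_output=True, text=True, timeout=timeout)
    if proc.returncode != 0:
        raise RuntimeError(f"plink exited {proc.returncode}: {proc.stderr.strip()}")
    return proc.stdout


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in run_ftd_commands(...) for a live box.
    parsed = parse_vpn_summary(SAMPLE_SUMMARY)
    print(repr(build_command_stream(["show vpn-sessiondb summary"])))
    print(parsed["sessions"]["AnyConnect Client"], "load:", parsed["load_percent"], "%")
    print("alert:", load_alert(parsed))
```

For a live run, `parse_vpn_summary(run_ftd_commands("ftd.example.internal", "admin", ["show vpn-sessiondb summary"]))` returns the same structure; because the FTD echoes the banner and prompt before the table, the parser ignores every line that is not a counter row, a rule, or one of the footer lines.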
