Highlighted
Established Member..
Established Member..
1071 views

Advanced Scripts Won't Log Into Devices

I have really scoured the forums and google thoroughly. I can't figure this one out on my own.

We have NA 9.22 running on Linux.

We don't have "Use Single Sign-On" enabled.

Our standard scripts run fine.

I can't get advanced Perl or Expect Scripts to connect to our devices.

When the advanced scripts fail, NA does a successsful snapshot afterwards!

 

I am currently trying Expect.

When I run an SSH session on the CLI proxy, and then "Convert to Expect Script" I get:

 

 

spawn telnet localhost $tc_proxy_telnet_port$
expect "$tc_proxy_login_prompt$"
send "$tc_user_username$\r"
expect "$tc_proxy_password_prompt$"
send "$tc_user_password$\r"

expect "$tc_proxy_prompt$"

set prompt "#"
set more_prompt "!!unknown!!"
set config_prompt "!!unknown!!"

set timeout 60

send "connect -info -nosession #$tc_device_id$\r"

 

When I run this I get:

 

 

Could not connect to device my-adm-rtr-1 (172.50.50.1). Failure Reason: Can't open SSH v2 connection to 172.50.50.1: username/password incorrect
NA>
Successful snapshot taken.
<snip>
Begin Post-task Snapshot
Step: Retrieve version information
Running: getversion (retrieve version information via CLI)
Connect Creating ssh connection to 172.50.50.1 [in realm WEST Core] with Last successful password  (Password rule PWDR1)
Connect - Attempting connection via SSH to 172.50.50.1 (port 22)
  Connected via SSHv2 to 172.50.50.1 (port 22)
Receive:  
my-adm-rtr-1 line 706  
my-adm-rtr-1#
<snip>

So I tried adding the device login and password using:

 

$tc_device_username$ / $tc_device_password$

and
$tc_device_enable_username$ / $tc_device_enable_password$

 

I had similar results.

 

What is the right way to do  "connect -info -nosession #$tc_device_id$\r" once the script has successfully connected to the proxy host and sees the "NA>" prompt?

 

I would like it to loop through the Device Password Rules like I've been told the standard scripts do. Notice that when it does the snapshot it says "Creating ssh connection to 172.50.50.1 [in realm WEST Core] with Last successful password  (Password rule PWDR1)."

 

I would really like to know how to make this work with Perl as well. So far I've had the same results.

 

Thank you

0 Likes
4 Replies
Highlighted
Acclaimed Contributor.
Acclaimed Contributor.

Re: Advanced Scripts Won't Log Into Devices

Is this a new install?  When the install ran, any issues related to the API part (at end)?  

 

Expect script looks ok from a quick review.  

 

 

When you connect to the proxy, you can just do connect <IP>  and it should connect using the last used password.  Can you make a connection to the device manually from the proxy?  

 

NA>help connect

NAME
connect - Connect to a device.

SYNOPSIS
connect [-login] [-method <telnet|ssh|ssh1|ssh2|rlogin>] [-override] [-info]
[-ignoreptyerrors] <hostname> [<port>]

DESCRIPTION
Connect to a device through the system's Proxy Interface via telnet, ssh, or
rlogin. If you are connected to a device through a console server, you may
hit ctrl-\ to return to the the system shell after logging out of the
device.

-login
Bypass single sign-on and instead take the user to the device login prompt.

-method <telnet|ssh|ssh1|ssh2|rlogin>
Method used to connect to devices outside of the system or for devices in the
system when single sign-on is turned off (implies -login option).

-override
Force a connection to a device in the event that simultaneous connection warning
or prevention is turned on.

-info
Dump connection variable information (can set the info prefix following a colon,
like "-info:<prefix>")

-ignoreptyerrors
Ignore pty errors for SSHv2 connections if "-login" option is on.

<hostname>
Hostname, Device ID, Fully Qualified Domain Name, or Primary IP Address to use
to lookup the device to connect to. The characters * and ? can be used
as wildcards. The device id can be specified instead by preceding it
with a '#'

<port>
Port to use to connect to devices outside of the system.

EXAMPLES
connect 192.0.2.10
connect -login Zangief
connect -override mydevice

 

 

 

0 Likes
Highlighted
Established Member..
Established Member..

Re: Advanced Scripts Won't Log Into Devices

Thanks for getting back to me so quickly. I've had a hard time logging back in after the site changes.

 

This is not a new install. I didn't do the install, but I am not aware of any issues with the api.

 

Connecting to a device from the proxy looks like this:

NA>connect my-adm-rtr-1
Attempting to connect to device my-adm-rtr-1 (172.50.50.1).

Device SSH Login:

 

This is probably due to having "Use Single Sign-On" turned off. We need this off to give different users different authority on our devices. Basically, it is like using -login all of the time.

 

I finally got one expect script (in hp na web console) to log into a device. I had to use:

 

spawn telnet localhost $tc_proxy_telnet_port$
expect "$tc_proxy_login_prompt$"
send "$tc_user_username$\r"
expect "$tc_proxy_password_prompt$"
send "$tc_user_password$\r"

<snip>

send "connect -info #$tc_device_id$\r"
expect "ogin"
send "$tc_device_username$\r"
expect "assword"
send "$tc_device_password$\r"

 

It looks simple, but it took me a while to figure it out. I'm still looking for some decent documentation on scripting HP NA.

 

Now I have to figure out how to see the results of running a script against multiple devices as a report. Especially if I am running a "show" command.

 

Thank you

 

 

 

 

 

 

 

send "connect -info #$tc_device_id$\r"
expect "ogin"
send "$tc_device_username$\r"
expect "assword"
send "$tc_device_password$\r"

0 Likes
Highlighted
Acclaimed Contributor.
Acclaimed Contributor.

Re: Advanced Scripts Won't Log Into Devices

Sorry Scott, totally missed that - you had mentioned you were running NA on Linux.  The port bit is needed so NA knows to use (for example) 8023 to connect as opposed to 23.  With Linux, 23 is tied to the OS (normally).  

 

Yes - Use Single Sign-On and -login.  I was just making sure you could actually log in and use the credentials.  But sounds like you're set there.  

 

Now, let's talk about the report re: command scripts.  What exactly is it you want to report on?  I ask for a few reasons:

 

1) If you're running a script to do a show command, that may not be the best idea (opinions may vary) but IMO a diagnostic would be better - here's a few reasons why:

    a) it is much less likely to get the ID of the task get tagged with making a change that they didn't do.  Let's say that you run this task and it's successful and it does a show ip interface brief - it doesn't make a change.  Then 30 mins later, Bob, you know, the guy who sits next to you goes and makes a change outside of NA without a change control in the middle of the day and that causes an outage.  Well, that device is going to send a syslog message, NA should pick it up and do a snapshot and see the changed config.  It'll try to figure out who made the change and (most likely) it's going to use your command script as oppposed to the syslog message as the reason for the change.  So you get tagged with that change and then have to explain and show that it wasn't you.  

   b) IMO much harder to report on what was done in a script than in a diagnostic.  There's a couple of ways, but not always what you want do have to do to get a report.   In a diagnostic, it's just much easier / simpler - just select Search For / Diagnostic, then you'll pick your DIagnostic and you can narrow down the results by filling ou the form.  

2) Seem to recall you wanted to go thru a group of devices and run a show command.  If you aren't set on this, you'd just have your script (command or diag - that's up to you - works the same) and then when you're looking at the "Run" form,. in the applies to field / device / group - just enter in the group that you're interested in.  Or you can use the task..csv template if you want to specify devices that way.  You don't have to handle looping thru the list, NA will do the heavy lifting for you and will just update $tc_device_id$ for each device that gets specified (in group or template).  A basic way of thinking about it is if you have 10 devices in your group, it just runs the script 10 times, once for each device.  Reality is there's one parent task (the script and 10 child tasks - each device).  

 

Hopefully that helps, if not just reply back and someone can fill in my gaps.  

 

Good luck.

Chris

 

0 Likes
Highlighted
Regular Contributor.
Regular Contributor.

Re: Advanced Scripts Won't Log Into Devices

Hi Scott,

I am  also trying to achieve same as you mentioned but facing some issue in getting output from connected devices. Like
Using Python pexpect. Steps I am following is 

1. Using pexpect connect to NA Proxy

2. Execute "Connect <device_ip>"

3. On connected device , execute "show version"

4. Get "show version" output to a variable, using "child.before"

Everything works fine except #4. I am getting nothing as show version output.

But If use same env and script to login/ssh directly  to device and execute the "show version" I get output to my variable child.before.
Also if using script, I login into NA Proxy and execute any local command (for ex : show task) I see child.before output.

Only when script login to NA proxy and then connect to another device and execute command, command output or child.before is blank.

Can someone please help .

 

Thanks

Bobin

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.