Introducing SOC Insights for BloxOne Threat Defense: Boost your SOC efficiency with AI-driven insights to eliminate manual work and accelerate investigation and response times. Read the blog announcement here.

Network Change & Configuration Management

Reply

Python script times out during IOS download

[ Edited ]
New Member
Posts: 3
5207     0

Hi,

 

I have a Python script to download IOS file to switches but as TFTP server is not local it can take about 10 minutes to download. I have set Script-Timeout to 1800 and thought this would help but it makes no difference and script fails after 5 minutes while download is still in progress.

 

Script section to download the file:

if check_file_present (tftp_file_name) == 0:
easy.log_message("info", "Switch image file {} - upload starts".format(tftp_file_name))
easy.send_command("copy tftp://{srv}{path}{file} flash:\r\r".format(
srv=server,
path=tftp_file_path,
file=tftp_file_name))

 

Error message I can see in Process Log after 5 minutes:

 

*** Error / Traceback (most recent call last): 
   File "", line 196, in  
   File "/mnt/host/lib/netmri_easy.py", line 88, in send_command 
     regex=regex 
   File "/usr/lib/python3.4/site-packages/infoblox_netmri/api/broker/v3_3_0/cli_connection_broker.py", line 221, in send_command 
     return self.api_request(self._get_method_fullname("send_command"), kwargs) 
   File "/usr/lib/python3.4/site-packages/infoblox_netmri/api/broker/broker.py", line 24, in api_request 
     params 
   File "/usr/lib/python3.4/site-packages/infoblox_netmri/client.py", line 227, in api_request 
     return self._make_request(url=url, method="post", data=data) 
   File "/usr/lib/python3.4/site-packages/infoblox_netmri/client.py", line 103, in _make_request 
     return self._send_request(url, method, data, extra_headers) 
   File "/usr/lib/python3.4/site-packages/infoblox_netmri/client.py", line 129, in _send_request 
     raise HTTPError(res.json(), response=res) 
 requests.exceptions.HTTPError: {'error': 'general/cli-error', 'message': 'Device command timeout or connection lost.'} 
  ***

LPNLROT20S313#show flash: | include c2960-lanbasek9-mz.122-55.SE12.bin 
 LPNLROT20S313#copy tftp://10.xxx.xxx.xxx/Cisco/2960/c2960-lanbasek9-mz.122-55.SE12.bin flash: 
 Destination filename [c2960-lanbasek9-mz.122-55.SE12.bin]?  
 Accessing tftp://10.xxx.xxx.xxx/Cisco/2960/c2960-lanbasek9-mz.122-55.SE12.bin... 
 Loading Cisco/2960/c2960-lanbasek9-mz.122-55.SE12.bin from 10.xxx.xxx.xxx (via Vlan300): !!!!!!!!!!!!!!!!!! 

 

Any suggestions how to fix that? I've even set exec-timeout under VTY session on the switch for 30 minutes but still makes no difference.

 

Thanks 

Re: Python script times out during IOS download

Expert
Posts: 69
5207     0

I don't have an answer to your direct question -- hopefully Sif does.

 

But FWIW, you can probably speed up the file transfers by switching to a TCP-based method -- HTTP(S), FTP, SCP, etc.  On the IOS devices, improve the throughput by addding:

  ip tcp mss 1460   !Lower if VPN or other encapsulation overhead

  ip tcp selective-ack

  ip tcp windows 65536

 

Also, "ip ssh timeout" is not a keep-alive.  It only limits how long a device that is initiating a connection will wait for the SSH session to become established.

 

And lastly, IOS 12.2(55)SE12 is really old and has a list of vulnerabilities according to the SotwareChecker.  Fixes are in 12.2(55)SE13 which is not yet available to download.  But a better choice would be 15.0(2)SE12 which we still run in over 80 (EOL) 2960 switches.

Re: Python script times out during IOS download

[ Edited ]
New Member
Posts: 3
5207     0

Hi,

 

Yes, our switches are really old and this is just keeping them more secure till they are replaced. According to CISCO website IOS 12.2(55)SE12 is the recommended MD firmware and I can't see any bugs for our switch model.

Also, I am a bit worried to go to version 15 as not sure how much has the syntax and commands changed and we don't have a spare switch to test it on. 

 

Also, when tried ftp as transfer method it doesn't even ask me for username and password (probably not supported in the current IOS) and I can't create anonymous account on the server. 

 

That SSH timeout is actually an exex-timeout under VTY session (my bad for wrong facts) so this should keep session alive for 30 minutes, shouldn't it?

Re: Python script times out during IOS download

Expert
Posts: 69
5207     0

Did you ever get this to work correctly?

 

What I didn't ask before was did you try the syntax for FTP as "copy ftp://userSmiley Tongueass@server/..."

 

Re: Python script times out during IOS download

New Member
Posts: 3
5207     0

In the end I've solved it by using FTP which downloads the file in under 5 mins. I didn't test that on bigger files which may take longer so it may still fail but I hope that timeout value will work with FTP.

 

With 2960 series switches you have to set FTP username and password within the config (which is stupid) instead of defining it in FTP connection as on many other devices (thanks CISCO! Smiley Sad

 

Suggestion with TFTP from Infoblox engineer was to use async_command (see below example) which was still failing due to missing the regular expression. Found on some Python forum to put: file=tftp_file_name),720, "#") but I don't think this was the right one as it was still failing. Swapped to FTP (after finally finding a way how to work with authenticated FTP on Cisco 2960) so didn't bother trying different signs. I think it's something else than "#" to be returned after script is finished.

 

TFTP Async command example:

if check_file_present (tftp_file_name) == 0:
easy.log_message("info", "Switch image file {} - upload starts".format(tftp_file_name))
easy.send_async_command("copy tftp://{srv}{path}{file} flash:\r\r".format(
srv=server,
path=tftp_file_path,
file=tftp_file_name),720, "#")

Showing results for 
Search instead for 
Did you mean: 

Recommended for You