SSH and Image_GraphViz problems

[yapjackson]

Hi,

Can you advise how can we use userid/admin for access to the router for the script?

[justkeepquiet]

Hi, what system version is used on the router?

[justkeepquiet]

However, by default you can configure anonymous access on the router (not "enabled"), in which case you do not need to specify a login/password.

To specify the login/password for Telnet connection, use the following entry, for example:
'url' => 'telnet://rviews:rviews@route-server.ip.att.net',

[yapjackson]

Hi, it is IOS XE, cisco asr1001. We have a username/password for security, and setup LOOKING-GLASS parser view on it (enabled access).

But we are not really sure the configurations we should be doing for the script to access the router properly for the required functions.

[justkeepquiet]

We on our router used anonymous access with control over IP. But you can configure a guest user, usually the login and password for is rviews/Rviews.

Privileged (enabled) access is only needed if you need to specify a counter for the ping and traceroute commands. But in your system can be differently configured permissions.

[justkeepquiet]

For example, here is part of the configuration from our router (Cisco 7200):

access-list 10 permit 10.64.16.11
...
line vty 0 4
 session-timeout 20  output
 access-class 10 in
 password n
 logging synchronous
 no login

[yapjackson]

Thanks. I will let our network team know. However our network team seems to have set it up through SSH instead of port 23. Does that matters? If that is the case is this correct?
'url' => 'telnet://lgadmin:xxxxx@10.1.1.1:22',
'pingtraceurl' => 'telnet://lgadmin:xxxxx@10.1.1.1:22',

[justkeepquiet]

You can use SSH instead of Telnet, the same way:
'url' => 'ssh://lgadmin:xxxxx@10.1.1.1:22',

pingtraceurl parameter basically not needed for IOS (only for Quagga).

[yapjackson]

Thanks alot. We are still getting "telnet connection closed" although when we manually telnet port 22 from the server itself, we can get through.

Thanks for your help we will check internally and let you know if any further issue.

[justkeepquiet]

First, check the Telnet/SSH connection from the web-server where the script is located.
By the console commands "telnet" or "ssh".

[justkeepquiet]

Ok. The script uses built-in php telnet-client, and for the SSH a plink command, which comes with the putty package. Check this.

[yapjackson]

Hi!

1. We are getting "Command failed." now.
2. From the server, we can ssh into the IOS with the provided username and password, as below

root@host [~]# ssh -l lgadmin 10.1.1.1
Local-Password:
IR01 line 2
IR01>
IR01>ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to xxx, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
IR01>

Any idea how we can fix it?

[justkeepquiet]

Perhaps your version of IOS has other authorization methods for the SSH.
Try to set up Telnet on the router (guest access). We can not test it now.

[yapjackson]

We will try harder and let you know. Thanks!

[yapjackson]

Hi!

1. Class Image_GraphViz not found!
2. [28-Nov-2017 11:32:37] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in

How can we fix these?

[yapjackson]

Hi!

Also a strange thing. Telnet is working properly. However when we change to SSH, all functions returns "Command Failed". Do you know the reason why?

[GizmoV]

Hello!

I have a same problem with Command failed. Maybe with PHP 7 ?

[justkeepquiet]

Hi,

1. Image_GraphViz - is a Pear library, you need install it: http://pear.php.net/package/Image_GraphViz/redirected

2. preg_replace not working correctly on php7, you can use php5 now. I did not rewrite the script for php7, I do not have time.

3. About Command Failed: I need more information about which Command executing. See the other answers above (about SSH/Telnet issues).

[GizmoV]

About problem with PHP7 everything is clear and described in the pull requests, sorry did not notice before writing :)
#5
About "Command failed" i think it relies to next topic and seen by me on PHP7 and PHP5.6
#7

[justkeepquiet]

Hi,

I fixed the code for the correct working on PHP7. Please check.

[GizmoV]

Hello Dmitry! Thank you!

Right now I have no way to check the result for PHP7, but I checked the same problem on PHP5.6 and now she is gone and no problems present in logfile of Apache or Nginx.
But there are other minor issues that now I will describe in detail.
Query1:

Output is good, but on the bottom of Result1:

Query2:

All is OK, then go deeper on any neighbour:

Click on any of received or advertised prefixes:

And result 2:

And result3:

Traceroute and Ping gives correct output, but with Command failed.

You may check all theese problems at http://lg.cln.net, os of our routers is JUNOS.
If necessary, I can check the same for PHP7, if you think it necessary?

Thank you again for your work!

[justkeepquiet]

Hi,
Thank you for testing. I'll check the code in the near future.
Also you can contact me directly by email dmitry.s@hsdn.org (available in Russian).

[GizmoV]

Hello Dmitry!
Ok, i will write you in Russian little later.
My name is Vitaly.

[yapjackson]

Hi!

1. We have installed Class Image_GraphViz, but the graph is not showing on lg.apc.sg. Can you advise?
2. We are using PHP 5.6, not PHP 7. But I think your latest update has fixed the php error already, thank you!
3. We are using telnet now, but strangely when we switch to SSH, it still shows command failed, even though the credential and everything is the same. We are using Cisco routers. Can you advise how can we troubleshoot such case with SSH?

[justkeepquiet]

Hi,

1. Try to enable error reporting in PHP. Also you can look the web server logs. Perhaps there is an error.
2. Please report about this, if errors is not fixed.
3. Which command or request shows "command failed" error now? Please more details.

[yapjackson]

Thank you again.

1. Image_GraphViz -> error reporting is already enabled but no error produced, but the graph is just showing empty graph at lg.apc.sg.

2. I have put up https://lg.apc.sg/index2.php , this is using SSH which has Command Failed for all requests. If there is any troubleshooting code I can add to find out the reason behind, it will help alot.

[justkeepquiet]

1. Check if the library is working. Save and run a simple script:

<?php
error_reporting(E_ERROR);
include 'Image/GraphViz.php';
$graph = new Image_GraphViz();
$graph->addNode('test', array(
	'label' => 'The Image_GraphViz is worked!',
	'shape' => 'none',
	'fontcolor' => 'green', 
	'fontsize' => 14
));
$graph->image('svg');
?>

The result should be: http://dev.hsdn.org/graphviz_test.php

2. Probably, the script does not connect to the router. Does the telnet command work from the console on your lg server?

[justkeepquiet]

I commit some changes now a3703b2. Please update the script.

[yapjackson]

Hi! We will settle the image at our end. Thanks for the advise.

For the "Command failed" issue. Yes, telnet is working fine as shown on lg.apc.sg. However once we change from telnet to ssh on lg.apc.sg/index2.php , it keep showing command failed.

We have updated the changes you made to your latest script as well. Can you advise?

[justkeepquiet]

By default Image_GraphViz library requires GraphViz software, you need download and install it.
See https://graphviz.gitlab.io/download/

This is a part of system requirements of the LG script:

 *  - GraphViz toolkit for drawing BGP pathes graph
 *      http://www.graphviz.org/
 *  - php pear package Image_GraphViz 
 *      http://pear.php.net/package/Image_GraphViz

Pear package Image_GraphViz is not includes GraphViz toolkit. It's different products.

[GizmoV]

yapjackson, maybe you just need to do this: pear install Image_GraphViz

[justkeepquiet]

GizmoV, the Image_GraphViz library is installed, because the script https://lg.apc.sg/test.php does not give an error about not found class. But the GraphViz binaries does not installed, so an empty result is returned.

[yapjackson]

Good news. Yes we have to install Graphviz on the server. It works now. However it shows "Not found BGP information of request." You can do a test on lg.apc.sg.

[yapjackson]

For "Command Failed" due to SSH, do you have any advice how can plink be installed on CentOS servers?

[justkeepquiet]

About "Not found BGP information of request.":
Probably, this is the problem of parsing the command show ip bgp. I need access to your router from my web server 88.147.254.238 for tests. You can provide this?

[justkeepquiet]

For installing plink on CentOS 7, try this:

rpm -ivh ftp://ftp.pbone.net/mirror/dag.wieers.com/redhat/el7/en/x86_64/dag/RPMS/putty-0.63-1.el7.rf.x86_64.rpm

[yapjackson]

Good news! After install plink it works. However you can do a ping, the response seems wrong?

"SG1APCIR01 line 2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.217.7.206, timeout is 2 seconds:
!"

[justkeepquiet]

For example, this is correct output of ping command on IOS: http://lg.regnets.ru/?command=ping&protocol=ipv4&query=8.8.8.8&router=kemerovo-br1

Perhaps the command is interrupted (Escape character detection problem? I do not known about this). Check the SSH using console command plink or ssh for see correct output.

Same problem on this https://lg.apc.sg/index2.php?command=trace&protocol=ipv4&query=8.8.8.8&router=apchosting-br1

[yapjackson]

Yes, when we use telnet://, it displays like this:
http://lg.regnets.ru/?command=ping&protocol=ipv4&query=8.8.8.8&router=kemerovo-br1

But after we change to ssh:// (no other changes, it becomes like https://lg.apc.sg/index2.php?command=trace&protocol=ipv4&query=8.8.8.8&router=apchosting-br1

I have switched index.php from ssh back to telnet now. You can try again to see the difference.

[justkeepquiet]

Yes, I see. But I do not known what is wrong. On our router working ok via plink. Please check plink command directly on your server for connection to the router.

[yapjackson]

I found the reason why.

When you switch from telnet to SSH, it will ask for a local password first like this, instead of a Local-User first like telnet case.

---

Local-Password:

Do you have any advise how we can resolve this?

[justkeepquiet]

Please show the string from script configuration array for your telnet connection.

[yapjackson]

	'url' => 'telnet://xxxx:xxxx@xx.xx.xx.xx',
	'pingtraceurl' => FALSE,
	'description' => 'APC Hosting',
	'group' => '132425',
	'ipv6' => TRUE,
	'os' => 'ios',

[justkeepquiet]

The "Local-Password" it is additional password? The standard login and password is sets on the configuration. Enable/admin password not supported by script.

[justkeepquiet]

Can you configure the telnet/ssh on router for not using additional passwords by default?

[yapjackson]

Hi,

1. For telnet, it ask for userid/password.
2. For ssh, it ask directly for password only.

We will check to see if we can do the same for SSH. Will update you!

[justkeepquiet]

GizmoV, the problems shown in the screenshots are fixed. Please update.

[yapjackson]

Hi, regarding the command problem, I think it is because when we use SSH to connect to the router, by default it need to run something like this ssh -l test 1.2.3.4 (in order to log in with a user name). Is there a command we can run to test out if the direct ssh log in command of the script works?

[justkeepquiet]

Hi,
The lg script uses plink command in the following format:

plink -ssh -l <LOGIN> -pw <PASSWORD> 1.2.3.4 <COMMAND>

You can test this command directly on the server. More examples of usage: https://www.thegeekstuff.com/2017/05/putty-plink-examples/

[yapjackson]

I think I found the problem. When I manually type the command directly, the output is this:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to xx.xx.xx.xx, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

However when you try it on lg.apc.sg/index2.php, you can see the rest of the output is cut off. Is there some output error by the script due to the output?

[justkeepquiet]

I talked about this before. The command is interrupted prematurely. I do not know how to solve this problem. On our system works fine. I need the SSH access to your router for tests.

[yapjackson]

Hi! Can I email it to you at dmitry.s@hsdn.org?

[justkeepquiet]

Hi,
Yes, of course.

[dmitriypav]

to @hsdn
Hi Dmitry,
Could you please specify what kind of operating system and the version one do you use for LG?