Modifying RANCID To Work With IOS XE
Posted on September 15, 2019
Tagged as: cisco
I recently needed to add a few Cisco IOS XE routers into a fairly old RANCID 2.3.8 install. I found out rather quickly this wasn’t going to work. Older versions of RANCID force use of the 3des-cbc cipher, while the newer IOS XE versions don’t support this.
The cipher mismatch is logged on the router each time RANCID attempts to connect:
%SSH-3-NO_MATCH: No matching cipher found: client 3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr
The official answer is to upgrade RANCID to 3.5.1; however, there are two quick alternatives that will get the devices into RANCID now and let the upgrade happen at a more convenient time.
Specifying a cipher per device
It is possible to explicitly specify the cipher to be used per device in the ~/.cloginrc file. This is fine if you only have a few devices and the device list does not change often.
add cyphertype router.hostname aes192-ctr
Making the same change globally with a wildcard, however, does not work:
add cyphertype * aes192-ctr
Modifying the RANCID code to use AES by default
This method changes the default cipher to AES globally and is more suitable if you have a large number of devices, or a device list that frequently changes.
- Make a backup of /usr/local/rancid/bin/clogin (yours may be located elsewhere).
- Edit line 844 of the clogin script.
From
if { "$cyphertype" == "" } { set cyphertype "3des" }
To
if { "$cyphertype" == "" } { set cyphertype "aes192-ctr" }
You can use any of the ciphers the router advertises in that %SSH-3-NO_MATCH log entry (aes128-ctr, aes192-ctr or aes256-ctr in the example above), not just aes192-ctr.
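As an added illustration (not part of the original post, and not RANCID's own code), the following POSIX shell script performs the backup-and-edit step described above. It keys on the text of the default-cipher line rather than on line 844, since the line number varies between RANCID versions, and it refuses to touch the file unless that line is present exactly once, so a second run or a mismatched version cannot silently corrupt clogin. The clogin path in the usage comment and the constructed sample fragment written by make_sample_clogin are assumptions for demonstration.

```shell
#!/bin/sh
# Added example: swap clogin's hard-coded 3des default for an AES cipher.
# Works on the text of the line, not its number, and keeps a .bak copy.
set -eu

# Write a constructed stand-in for the relevant region of clogin (Tcl/expect)
# so the functions below can be exercised without a real RANCID install.
make_sample_clogin() {
    cat > "$1" <<'EOF'
# constructed fragment, not the real clogin
proc login { router user cyphertype } {
    if { "$cyphertype" == "" } { set cyphertype "3des" }
    set retval [ catch {spawn ssh -c $cyphertype -x -l $user $router} reason ]
}
EOF
}

# Print the cipher clogin falls back to when .cloginrc sets none.
clogin_default_cipher() {
    sed -n '/"\$cyphertype" == ""/s/.*set cyphertype "\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# patch_clogin_default_cipher <path-to-clogin> [cipher]
# Backs up the script to <path>.bak, then rewrites the 3des default in place.
patch_clogin_default_cipher() {
    clogin_path="$1"
    new_cipher="${2:-aes192-ctr}"
    old_default='set cyphertype "3des"'

    # Only allow characters that occur in SSH cipher names (e.g. aes256-gcm@openssh.com),
    # so the value cannot smuggle sed metacharacters into the substitution.
    case "$new_cipher" in
        *[!a-z0-9@.-]*|'')
            echo "refusing suspicious cipher name: $new_cipher" >&2
            return 1 ;;
    esac

    matches=$(grep -cF "$old_default" "$clogin_path" || true)
    if [ "$matches" -ne 1 ]; then
        echo "expected exactly one '$old_default' line in $clogin_path, found $matches" >&2
        return 1
    fi

    # cp -p keeps mode and timestamps; redirecting onto the original keeps it executable.
    cp -p "$clogin_path" "$clogin_path.bak"
    sed 's/\(set cyphertype "\)3des"/\1'"$new_cipher"'"/' "$clogin_path.bak" > "$clogin_path"
}

# Usage on a real install (assumed path; adjust to your layout):
#   sh patch-clogin.sh /usr/local/rancid/bin/clogin aes192-ctr
if [ "$#" -ge 1 ]; then
    patch_clogin_default_cipher "$1" "${2:-aes192-ctr}"
    echo "default cipher is now: $(clogin_default_cipher "$1")"
fi
```

Run clogin_default_cipher on the file afterwards to confirm the edit took, and keep the .bak copy until the first successful RANCID run against an IOS XE device. Because the script aborts when the 3des line is missing, it is safe to re-run and will not double-edit an already patched clogin.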
That’s it; RANCID will now connect successfully to the latest IOS XE devices.