Modifying RANCID To Work With IOS XE

I recently needed to add a few Cisco IOS XE routers into a fairly old RANCID 2.3.8 install. I found out rather quickly this wasn’t going to work. Older versions of RANCID force use of the 3des-cbc cipher, while the newer IOS XE versions don’t support this.

This cipher mismatch is logged on the router as RANCID attempts to connect.

%SSH-3-NO_MATCH: No matching cipher found: client 3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr

The official word is to upgrade RANCID to 3.5.1; however, there are two quick alternatives that will get our devices into RANCID and allow the upgrade to happen at a more convenient time.

Specifying a cipher per device

It’s possible to explicitly specify the cipher to be used per device in the ~/.cloginrc file. This is fine if you only have a few devices and the device list doesn’t change often.

add cyphertype router.hostname aes192-ctr

Making this change globally, however, does not work:

add cyphertype * aes192-ctr

Modifying the RANCID code to use

This method changes the default cipher to AES globally and is more suitable if you have a large number of devices, or a device list that frequently changes.

  1. Make a backup of /usr/local/rancid/bin/clogin (yours may be located elsewhere)
  2. Edit line 844 of the clogin script

From

if { "$cyphertype" == "" } { set cyphertype "3des" }

To

if { "$cyphertype" == "" } { set cyphertype "aes192-ctr" }

Obviously you can use any of the server-supported ciphers listed in the router’s SSH log entry.
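A small shell helper, added here as an example and not part of the original post, that performs the two steps above with a guard: it refuses to edit unless the default-cipher line appears exactly once, keeps a .bak copy, and verifies the result. The clogin path and cipher are passed as arguments; the line it searches for is the one quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): change clogin's default SSH
# cipher with a backup and a sanity check. Assumes the default-cipher line
# in clogin reads exactly as quoted in the post.

# set_clogin_default_cipher <path-to-clogin> <cipher>
set_clogin_default_cipher() {
    clogin="$1"
    cipher="$2"
    old='if { "$cyphertype" == "" } { set cyphertype "3des" }'

    # The line must be present exactly once; otherwise refuse to touch the file.
    count=$(grep -cF "$old" "$clogin") || true
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one default-cipher line in $clogin, found $count" >&2
        return 1
    fi

    # Step 1: keep an untouched copy (with permissions) next to the original.
    cp -p "$clogin" "$clogin.bak" || return 1

    # Step 2: rewrite only the quoted default value on that line. index() is a
    # plain substring match, so the braces and quotes need no regex escaping.
    # Redirecting onto the existing file keeps clogin's executable mode.
    awk -v old="$old" -v cipher="$cipher" '
        index($0, old) > 0 { sub(/"3des"/, "\"" cipher "\"") }
        { print }
    ' "$clogin.bak" > "$clogin" || return 1

    # Verify: the new default is present and the old one is gone.
    grep -qF "set cyphertype \"$cipher\"" "$clogin" && ! grep -qF "$old" "$clogin"
}
```

Run it as `set_clogin_default_cipher /usr/local/rancid/bin/clogin aes192-ctr`; a non-zero exit means the file was left unchanged (or the backup should be restored).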

That’s it, RANCID will now successfully connect to the latest IOS XE devices.
