[j-nsp] JUNOScript SSH sessions on 8.5: compression, hanging on close

Chuck Anderson cra at WPI.EDU
Sun Mar 23 11:15:52 EDT 2008


Has anyone else experienced issues with their automated scripts making 
use of JUNOScript over SSH?  We just upgraded to 8.5, and we 
encountered a few issues.

1. The new SSH server cannot negotiate compression properly with the 
old SSH client in the Perl Net::SSH::Perl module that the JUNOScript 
Perl API uses to connect to the router.  The solution is to turn off 
Compression.  However, due to a bug in the JUNOScript Perl API, the 
option to do that doesn't work--it isn't passed correctly to 
Net::SSH::Perl.  Here is a fix for that (Case Matters in the 
Net::SSH::Perl options hash):

diff -up JUNOS/Access/ssh.pm~ JUNOS/Access/ssh.pm
--- JUNOS/Access/ssh.pm~        2007-02-28 08:55:55.000000000 -0500
+++ JUNOS/Access/ssh.pm 2008-03-07 01:49:04.000000000 -0500
@@ -65,7 +65,7 @@ sub start
                             protocol => '2,1',
                             port => $rport || 22,
                             interactive => $self->{'ssh-interactive'},
-                            compression => (defined $self->{'ssh-compress'} && 
+                            Compression => (defined $self->{'ssh-compress'} && 
                                             !$self->{'ssh-compress'}) ? 'no' : 'yes',
                             options => [ ForwardX11 => 'no' ]) || return;
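
Review bot: In the "Compression =>" expression the value is 'no' only when $self->{'ssh-compress'} is defined and false, so a caller that never sets the option still requests compression ('yes') once this key takes effect. If that default is intended, say so in a comment, and note there why this key is capitalised while "protocol", "port" and "interactive" beside it are lowercase, so nobody normalises it back later. Separately, the context line "protocol => '2,1'" still lists SSH protocol 1; restricting it to '2' is worth considering while this call is being touched.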


2. Even with this fix, we see issues with our automated Perl scripts 
hanging up after they are done doing what they need in JUNOScript and 
try to close the SSH session with the router.  The session hangs at 
that point.  I have a case open with JTAC on this, but I was wondering 
if anyone else has seen this and may have a solution. 

We have been using this workaround with a timeout signal alarm for the 
time being:

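    if ($state >= STATE_CONNECTED) {
        print "Closing connection\n" if $debug;
        eval {
            # Abort the close sequence if it has not finished within 60 seconds.
            local $SIG{ALRM} = sub { die "timeout reached" };
            alarm 60;

            print "Sending request_end_session\n" if $debug;
            $jnx->request_end_session();
            print "request_end_session sent\nSending disconnect\n" if $debug;
            $jnx->disconnect();
            print "disconnect sent\n" if $debug;

            alarm 0;
        };
    }
    # Clear any alarm still pending if the eval died for another reason.
    alarm 0;

    # die appends file and line information to the message, so match it as a
    # pattern; a numeric == on two strings is true for any error text.
    if ($@ and $@ =~ /^timeout reached/) {
        print "juniper-prefix-list.pl: Disconnect timeout, bailed\n";
    }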


Here is an example of debug output from when this happens:

...
No changes made
Unlocking configuration
Closing connection
Sending request_end_session
hostname: input_channel_request: rtype exit-status reply 0
hostname: channel 1: rcvd eof
hostname: channel 1: output open -> drain
hostname: channel 1: rcvd close
hostname: channel 1: input open -> closed
hostname: channel 1: close_read
request_end_session sent
Sending disconnect
hostname: channel 1: obuf empty
hostname: channel 1: output drain -> closed
hostname: channel 1: close_write
hostname: channel 1: send close
hostname: channel 1: full closed
Disconnect timeout, bailed
REQUEST SUCCEEDED

