Add TCP pre-flight check before SSH to prevent RADIUS lockout

Unreachable hosts are detected via a 3s socket connect on SSH_PORT
before any credentials are sent. Truly offline switches now fail
fast without touching RADIUS/AD at all.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-12 20:44:06 +00:00
parent c8de2620c8
commit b19494bc2d
+8
@@ -3,6 +3,7 @@ import re
import logging import logging
import threading import threading
import time import time
import socket
from concurrent.futures import ThreadPoolExecutor, as_completed from concurrent.futures import ThreadPoolExecutor, as_completed
from functools import partial from functools import partial
from netmiko import ConnectHandler, NetmikoTimeoutException, NetmikoAuthenticationException from netmiko import ConnectHandler, NetmikoTimeoutException, NetmikoAuthenticationException
@@ -31,6 +32,13 @@ def connect_and_query(ip, login_delay=3):
} }
try: try:
# TCP pre-flight — bail before sending any credentials if port 22 is unreachable
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.settimeout(3)
if s.connect_ex((ip, SSH_PORT)) != 0:
logger.warning(f"{ip}: port {SSH_PORT} unreachable, skipping")
return {"success": False, "ip": ip, "error": "Host unreachable"}
logger.info(f"Connecting to {ip}...") logger.info(f"Connecting to {ip}...")
# Allow legacy ssh-rsa keys used by FS switches # Allow legacy ssh-rsa keys used by FS switches