jimmycher
asked on
When does a Cisco router lose its RSA key when it reloads?
I need to completely change configurations on a 3900 router at a remote site. I am going to remote into the device, tftp a file into flash, then clear the startup.config with a write erase. I will then copy the new config into startup, the new config will have a new name and domain-name. Then I will reload.
Will the old crypto key carry over into the new config? Otherwise, SSH will fail and I'll be locked out.
Please explain when and how the crypto key rsa gets flushed.
Many thanks.
ASKER
Thanks. Are you sure if I use the same hostname and domain-name it will not clear the key? That might not be a bad option.
ASKER CERTIFIED SOLUTION
ASKER
Technical answer. Thanks.
ASKER
I just tried out the config in the lab. The cron job noted above will execute at 2 minutes after every integer hour, i.e. 07:02:00, 08:02:00, etc., not every two minutes.
That being said, and I had 24 different keys generated (one every hour), I was still unable to SSH. I removed the cron job, and I manually rebuilt the keys. Then I reloaded my PC. Still no joy, so I had to reboot the router to get SSH working again. Any ideas?
ASKER
I believe the correct syntax to my original question (on IOS version 15.2) would be:
event manager applet Generate-RSA
event timer watchdog time 120
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 1.2 cli command "crypto key gen rsa gen mod 512"
action 1.3 syslog msg "EEM RSA Generation"
This will generate a new key every 120 seconds, until you disable it.
This will not work on IOS version 12.4, or any other version where the "crypto key gen rsa" command prompts you for a modulus.
Many thanks to Rauenpc for the help.
ASKER
rauenpc provided invaluable help; please note the final configuration solution at the end of this trail. jc
I can think of two potential ways around this. One is to temporarily enable telnet. I know telnet is not a good choice, but if you enable it with a tight ACL, you can push the new config without worry of getting connected. Once the router is up, telnet in, create RSA key, test SSH, and then remove telnet.
Another option would be an EEM script to kick off the key generation. Just add it to the startup file.
event manager applet Generate-RSA
event timer cron name _EEMinternalname0 cron-entry "2 * * * *"
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 1.2 cli command "crypto key gen rsa gen mod 1024"
action 1.3 syslog msg "EEM RSA Generation"
!
The above script would generate the key 2 minutes after the router booted. And it would repeat this every 2 minutes, so it would be a good idea to log in as quickly as possible to remove the script so that it doesn't continually generate keys.
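A pre-flight check for the approach discussed in this thread, added here as an example and not part of any post above or of any Cisco tooling. It parses a candidate startup-config before it is pushed, derives the RSA key name IOS will use (hostname.domain-name, both of which must be present before a key can be generated), confirms that an EEM applet generates a key with a modulus that `ip ssh version 2` will accept (IOS requires at least 768 bits for SSHv2, so a 512-bit key leaves SSH down even though the key exists), warns when the applet uses a watchdog timer that re-fires until removed, and renders a one-shot variant built on `event timer countdown` that fires once and then cleans itself up. The sample config, the hostname and domain, and the assumption that an applet may remove its own definition are all constructed for the example.

```python
import re

# Constructed sample startup-config, modelled on the EEM applet posted in the
# thread (not pulled from any real device).
SAMPLE_CONFIG = """\
hostname RTR-SITE1
ip domain-name example.net
!
ip ssh version 2
!
event manager applet Generate-RSA
 event timer watchdog time 120
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 1.2 cli command "crypto key gen rsa gen mod 512"
 action 1.3 syslog msg "EEM RSA Generation"
!
line vty 0 4
 transport input ssh
!
"""

SSHV2_MIN_MODULUS = 768     # ip ssh version 2 needs at least a 768-bit key
RECOMMENDED_MODULUS = 2048  # sensible floor for a new host key today

# Accept both the abbreviated form used in the thread ("gen rsa gen mod") and
# the full keywords ("generate rsa general-keys modulus").
KEYGEN_RE = re.compile(r'crypto key gen\S* rsa.*?\bmod\S* (\d+)')
DOMAIN_RE = re.compile(r'^ip domain[- ]name (\S+)')
TIMER_RE = re.compile(r'^\s*event timer (\S+)')


def preflight(config: str) -> dict:
    """Inspect a candidate IOS config for what SSH needs after the reload.

    Returns the derived RSA key name (hostname.domain), the modulus any EEM
    applet would generate, and lists of blocking errors and warnings.
    """
    errors, warnings = [], []
    hostname = domain = modulus = timer = None
    telnet = ssh_v2 = False
    for line in config.splitlines():
        if line.startswith("hostname "):
            hostname = line.split(None, 1)[1]
        elif (m := DOMAIN_RE.match(line)):
            domain = m.group(1)
        elif line.strip() == "ip ssh version 2":
            ssh_v2 = True
        elif (m := TIMER_RE.match(line)):
            timer = m.group(1)
        elif (m := KEYGEN_RE.search(line)):
            modulus = int(m.group(1))
        elif line.strip().startswith("transport input") and "telnet" in line:
            telnet = True
    if not hostname or not domain:
        errors.append("RSA key generation needs both 'hostname' and 'ip domain-name'")
    if modulus is None:
        errors.append("no EEM action generates an RSA key; SSH has no host key after reload")
    elif ssh_v2 and modulus < SSHV2_MIN_MODULUS:
        errors.append(f"modulus {modulus} is below {SSHV2_MIN_MODULUS}; 'ip ssh version 2' will not come up")
    elif modulus < RECOMMENDED_MODULUS:
        warnings.append(f"modulus {modulus} is below the {RECOMMENDED_MODULUS}-bit baseline")
    if timer == "watchdog":
        warnings.append("watchdog timer re-fires forever; the applet must be removed by hand")
    if telnet:
        warnings.append("telnet enabled on vty; confirm an ACL restricts it and remove it once SSH works")
    return {
        "key_name": f"{hostname}.{domain}" if hostname and domain else None,
        "modulus": modulus,
        "errors": errors,
        "warnings": warnings,
    }


def rsa_regen_applet(modulus: int = RECOMMENDED_MODULUS, delay: int = 120) -> str:
    """Render a one-shot EEM applet that generates the RSA key once after boot.

    Uses 'event timer countdown' (fires once) instead of the thread's watchdog
    timer and then removes itself. Assumption: the platform lets an applet
    delete its own definition; if not, the countdown still does not repeat.
    """
    return "\n".join([
        "event manager applet Generate-RSA",
        f" event timer countdown time {delay}",
        ' action 1.0 cli command "enable"',
        ' action 1.1 cli command "config t"',
        f' action 1.2 cli command "crypto key generate rsa general-keys modulus {modulus}"',
        ' action 1.3 cli command "no event manager applet Generate-RSA"',
        ' action 1.4 syslog msg "EEM RSA Generation"',
        "!",
    ])


if __name__ == "__main__":
    report = preflight(SAMPLE_CONFIG)
    for msg in report["errors"]:
        print("ERROR:", msg)
    for msg in report["warnings"]:
        print("WARN: ", msg)
    print(rsa_regen_applet())
```

Run against the sample above it reports the 512-bit modulus as a blocking error for SSHv2 and the watchdog timer as a warning, which matches the symptom in the thread of keys being generated but SSH still not coming up; with the countdown applet from `rsa_regen_applet()` in place of the watchdog one, the check passes clean and there is no lingering applet to remove after the reload.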