When does a Cisco router lose its RSA key when it reloads?

I need to completely change configurations on a 3900 router at a remote site. I am going to remote into the device, tftp a file into flash, then clear the startup-config with a write erase. I will then copy the new config into startup; the new config will have a new name and domain-name. Then I will reload.

Will the old crypto key carry over into the new config?   Otherwise, SSH will fail and I'll be locked out.

Please explain when and how the crypto key rsa gets flushed.

Many thanks.
jimmycher asked:
rauenpc commented:
That's a great question. Under normal circumstances, I believe the router will store the RSA key in the nvram:private-config file, so replacing the startup-config file shouldn't blow away the RSA key. However, if you're changing the hostname and domain name, I'm not sure if that would work anymore.

I can think of two potential ways around this. One is to temporarily enable telnet. I know telnet is not a good choice, but if you enable it with a tight ACL, you can push the new config without worry of getting connected. Once the router is up, telnet in, create RSA key, test SSH, and then remove telnet.

Another option would be an EEM script to kick off the key generation. Just add it to the startup file.

event manager applet Generate-RSA
 event timer cron name _EEMinternalname0 cron-entry "2 * * * *"
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 1.2 cli command "crypto key gen rsa gen mod 1024"
 action 1.3 syslog msg "EEM RSA Generation"
!
The above script would generate the key 2 minutes after the router booted. And it would repeat this every 2 minutes, so it would be a good idea to log in as quickly as possible to remove the script so that it doesn't continually generate keys.

In action:
Press RETURN to get started!

sslinit fn

*Mar  1 00:00:03.107: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
*Mar  1 00:00:03.111: %LINEPROTO-5-UPDOWN: Line protocol on Interface IPv6-mpls, changed state to up
*Mar  1 00:00:03.339: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar  1 00:00:03.343: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Mar  1 00:00:03.347: %LINK-3-UPDOWN: Interface FastEthernet2/0, changed state to up
*Mar  1 00:00:03.347: %LINK-3-UPDOWN: Interface Serial3/0, changed state to up
*Mar  1 00:00:03.351: %LINK-3-UPDOWN: Interface Serial3/1, changed state to up
*Mar  1 00:00:03.355: %LINK-3-UPDOWN: Interface Serial3/2, changed state to up
*Mar  1 00:00:03.359: %LINK-3-UPDOWN: Interface Serial3/3, changed state to up
*Mar  1 00:00:04.375: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
*Mar  1 00:00:04.379: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down
*Mar  1 00:00:04.379: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0, changed state to down
*Mar  1 00:00:04.379: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial3/0, changed state to down
*Mar  1 00:00:04.383: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial3/1, changed state to down
*Mar  1 00:00:04.383: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial3/2, changed state to down
*Mar  1 00:00:04.383: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial3/3, changed state to down
*Mar  1 00:00:04.567: %SYS-5-CONFIG_I: Configured from memory by console
*Mar  1 00:00:04.923: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 3600 Software (C3640-JK9S-M), Version 12.4(16), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 20-Jun-07 11:43 by prod_rel_team
*Mar  1 00:00:04.947: %SNMP-5-COLDSTART: SNMP agent on host new_router_R1 is undergoing a cold start
*Mar  1 00:00:05.483: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Mar  1 00:00:05.683: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down
*Mar  1 00:00:05.715: %LINK-5-CHANGED: Interface FastEthernet2/0, changed state to administratively down
*Mar  1 00:00:06.011: %LINK-5-CHANGED: Interface Serial3/0, changed state to administratively down
*Mar  1 00:00:06.135: %LINK-5-CHANGED: Interface Serial3/1, changed state to administratively down
*Mar  1 00:00:06.179: %LINK-5-CHANGED: Interface Serial3/2, changed state to administratively down
*Mar  1 00:00:06.215: %LINK-5-CHANGED: Interface Serial3/3, changed state to administratively down
new_router_R1#
*Mar  1 00:02:00.119: %HA_EM-3-FMPD_CLI_CONNECT: Unable to establish CLI session: no tty lines available, minimum of 2 required by EEM
*Mar  1 00:02:00.119: %HA_EM-3-FMPD_ERROR: Error executing applet Generate-RSA2 statement 1.0
*Mar  1 00:02:00.931: %SSH-5-ENABLED: SSH 1.99 has been enabled
new_router_R1#
*Mar  1 00:02:04.967: %HA_EM-6-LOG: Generate-RSA2: EEM RSA2 Generation

*Mar  1 00:02:04.967: %SYS-5-CONFIG_I: Configured from console by vty0
*Mar  1 00:02:04.971: %SYS-5-CONFIG_I: Configured from console by vty1
*Mar  1 00:02:04.975: %SYS-5-CONFIG_I: Configured from console by vty2
new_router_R1#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
new_router_R1#


jimmycher (author) commented:
Thanks.   Are you sure if I use the same hostname and domain-name it will not clear the key?   That might not be a bad option.
rauenpc commented:
I can't say for sure. I would think so, but I've never done that before.

You could always use the same EEM script, but change it to like 10 or 20 minutes ("20 * * * *")
that would give you time to let the router reboot, then you could attempt a login. If SSH carries over, great. Delete the EEM script and move on. If SSH is down, wait 20 minutes and you should have a new key.

I wish I had a solid answer, but since I've never done that before I don't want to guide you down a path of failure. We all know how much it stinks to have your own config lock you out of a device.

jimmycher (author) commented:
Technical answer.  Thanks.
jimmycher (author) commented:
I just tried out the config in the lab.  The cron job noted above will execute at 2 minutes after every integer hour, i.e. 07:02:00, 08:02:00, etc., not every two minutes.  

That being said, and I had 24 different keys generated (one every hour), I was still unable to SSH. I removed the cron job, and I manually rebuilt the keys. Then I reloaded my PC. Still no joy, so I had to reboot the router to get SSH working again. Any ideas?
jimmycher (author) commented:
I believe the correct syntax to my original question (on IOS version 15.2) would be:

event manager applet Generate-RSA
 event timer watchdog time 120
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 1.2 cli command "crypto key gen rsa gen mod 512"
 action 1.3 syslog msg "EEM RSA Generation"

This will generate a new key every 120 seconds, until you disable it.  

This will not work on IOS version 12.4, or any other version where the "crypto key gen rsa" command prompts you for a modulus.

Many thanks to Rauenpc for the help.
jimmycher (author) commented:
rauenpc provided invaluable help; please note the final configuration solution at the end of this thread. jc
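As an added example that is not part of the thread, below is the one-shot form of the applet a practitioner would stage in the new startup-config for this cutover. It assumes a key label of SSH-KEY, a 120-second delay and a 2048-bit modulus; all three are arbitrary choices, not values from the page. Two points it addresses that the thread's versions do not: an EEM countdown timer fires exactly once, so there is nothing to race against after the reload (the watchdog above repeats every 120 seconds and the cron entry fires at minute 2 of every hour), and naming the key pair and pointing SSH at it by name means the key no longer depends on the hostname and domain-name the new config changes. The 512-bit modulus in the final applet above is also below the 768-bit minimum that SSH version 2 accepts on IOS, so a client that insists on SSHv2 would still fail to connect; 2048 bits is the sensible floor today.

```cisco
! Added example, not code from the thread. One-shot EEM applet that
! regenerates the SSH host key after the reload described above.
! Assumptions (not from the page): key label SSH-KEY, 120 s delay,
! 2048-bit modulus (supported on IOS 15.x; SSH v2 refuses < 768 bits).
!
! The EEM "cli" action opens its own vty session, so at least two vty
! lines must be free; the boot log above shows the error when none are.
!
! "countdown" fires once and then stops, unlike "watchdog" (repeats every
! N seconds) or "cron ... 2 * * * *" (minute 2 of every hour).
event manager applet Generate-RSA-Once
 event timer countdown time 120
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 ! Named key pair: SSH no longer relies on the default hostname.domain key,
 ! so the new hostname and domain-name in the replacement config do not matter.
 action 1.2 cli command "crypto key generate rsa label SSH-KEY modulus 2048"
 action 1.3 cli command "ip ssh rsa keypair-name SSH-KEY"
 action 1.4 cli command "ip ssh version 2"
 action 1.5 cli command "end"
 action 1.6 syslog msg "EEM: generated SSH-KEY (2048-bit) and enabled SSH v2"
!
```

Once the router is back and SSH works, confirm with `show crypto key mypubkey rsa` (the key should be listed under the label SSH-KEY) and `show ip ssh` (version 2 only), then remove the applet with `no event manager applet Generate-RSA-Once` and save. Leaving it in the startup-config would make the next reload try to generate a key with an existing label, which prompts for confirmation that the EEM session cannot answer without a `pattern` clause, so the applet would simply hang and log an error.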