Asked by jimmycher:
When does a Cisco router lose its RSA key when it reloads?

I need to completely change configurations on a 3900 router at a remote site.  I am going to remote into the device, tftp a file into flash, then clear the startup-config with a write erase.  I will then copy the new config into startup; the new config will have a new name and domain-name.  Then I will reload.

Will the old crypto key carry over into the new config?   Otherwise, SSH will fail and I'll be locked out.

Please explain when and how the crypto key rsa gets flushed.

Many thanks.
rauenpc:

That's a great question. Under normal circumstances, I believe the router will store the RSA key in the nvram:private-config file, so replacing the startup-config file shouldn't blow away the RSA key. However, if you're changing the hostname and domain name, I'm not sure if that would work anymore.

I can think of two potential ways around this. One is to temporarily enable telnet. I know telnet is not a good choice, but if you enable it with a tight ACL, you can push the new config without worry of getting connected. Once the router is up, telnet in, create RSA key, test SSH, and then remove telnet.

Another option would be an EEM script to kick off the key generation. Just add it to the startup file.

event manager applet Generate-RSA
 ! Standard five-field cron syntax: "2 * * * *" fires at two minutes
 ! past every hour (a "*/2 * * * *" entry would be every two minutes).
 event timer cron name _EEMinternalname0 cron-entry "2 * * * *"
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 ! Abbreviated form of "crypto key generate rsa general-keys modulus 1024";
 ! 1024 is the minimum worth using, 2048 is preferable where the image allows it.
 action 1.2 cli command "crypto key gen rsa gen mod 1024"
 action 1.3 syslog msg "EEM RSA Generation"
!
The above script would generate the key 2 minutes after the router booted. And it would repeat this every 2 minutes, so it would be a good idea to log in as quickly as possible to remove the script so that it doesn't continually generate keys.

In action:
Press RETURN to get started!

sslinit fn

*Mar  1 00:00:03.107: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
*Mar  1 00:00:03.111: %LINEPROTO-5-UPDOWN: Line protocol on Interface IPv6-mpls, changed state to up
*Mar  1 00:00:03.339: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar  1 00:00:03.343: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Mar  1 00:00:03.347: %LINK-3-UPDOWN: Interface FastEthernet2/0, changed state to up
*Mar  1 00:00:03.347: %LINK-3-UPDOWN: Interface Serial3/0, changed state to up
*Mar  1 00:00:03.351: %LINK-3-UPDOWN: Interface Serial3/1, changed state to up
*Mar  1 00:00:03.355: %LINK-3-UPDOWN: Interface Serial3/2, changed state to up
*Mar  1 00:00:03.359: %LINK-3-UPDOWN: Interface Serial3/3, changed state to up
*Mar  1 00:00:04.375: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
*Mar  1 00:00:04.379: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down
*Mar  1 00:00:04.379: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0, changed state to down
*Mar  1 00:00:04.379: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial3/0, changed state to down
*Mar  1 00:00:04.383: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial3/1, changed state to down
*Mar  1 00:00:04.383: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial3/2, changed state to down
*Mar  1 00:00:04.383: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial3/3, changed state to down
*Mar  1 00:00:04.567: %SYS-5-CONFIG_I: Configured from memory by console
*Mar  1 00:00:04.923: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 3600 Software (C3640-JK9S-M), Version 12.4(16), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 20-Jun-07 11:43 by prod_rel_team
*Mar  1 00:00:04.947: %SNMP-5-COLDSTART: SNMP agent on host new_router_R1 is undergoing a cold start
*Mar  1 00:00:05.483: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Mar  1 00:00:05.683: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down
*Mar  1 00:00:05.715: %LINK-5-CHANGED: Interface FastEthernet2/0, changed state to administratively down
*Mar  1 00:00:06.011: %LINK-5-CHANGED: Interface Serial3/0, changed state to administratively down
*Mar  1 00:00:06.135: %LINK-5-CHANGED: Interface Serial3/1, changed state to administratively down
*Mar  1 00:00:06.179: %LINK-5-CHANGED: Interface Serial3/2, changed state to administratively down
*Mar  1 00:00:06.215: %LINK-5-CHANGED: Interface Serial3/3, changed state to administratively down
new_router_R1#
*Mar  1 00:02:00.119: %HA_EM-3-FMPD_CLI_CONNECT: Unable to establish CLI session: no tty lines available, minimum of 2 required by EEM
*Mar  1 00:02:00.119: %HA_EM-3-FMPD_ERROR: Error executing applet Generate-RSA2 statement 1.0
*Mar  1 00:02:00.931: %SSH-5-ENABLED: SSH 1.99 has been enabled
new_router_R1#
*Mar  1 00:02:04.967: %HA_EM-6-LOG: Generate-RSA2: EEM RSA2 Generation

*Mar  1 00:02:04.967: %SYS-5-CONFIG_I: Configured from console by vty0
*Mar  1 00:02:04.971: %SYS-5-CONFIG_I: Configured from console by vty1
*Mar  1 00:02:04.975: %SYS-5-CONFIG_I: Configured from console by vty2
new_router_R1#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
new_router_R1#


jimmycher (asker):
Thanks.   Are you sure if I use the same hostname and domain-name it will not clear the key?   That might not be a bad option.
ASKER CERTIFIED SOLUTION (rauenpc)
Technical answer.  Thanks.
I just tried out the config in the lab.  The cron job noted above will execute at 2 minutes after every integer hour, i.e. 07:02:00, 08:02:00, etc., not every two minutes.  

That being said, and I had 24 different keys generated (one every hour), I was still unable to SSH.  I removed the cron job, and I manually rebuilt the keys. Then I reloaded my PC.  Still no joy, so I had to reboot the router to get SSH working again.  Any ideas?
I believe the correct syntax to my original question (on IOS version 15.2) would be:

event manager applet Generate-RSA
 ! Watchdog timer: re-fires every 120 seconds until the applet is removed.
 event timer watchdog time 120
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 ! Modulus raised from 512 to 2048: IOS refuses SSHv2 on keys shorter
 ! than 768 bits, and 512-bit RSA is trivially factorable today.
 action 1.2 cli command "crypto key gen rsa gen mod 2048"
 action 1.3 syslog msg "EEM RSA Generation"

This will generate a new key every 120 seconds, until you disable it.  

This will not work on IOS version 12.4, or any other version where the "crypto key gen rsa" command prompts you for a modulus.

Many thanks to Rauenpc for the help.
rauenpc provided invaluable help; please note the final configuration solution at the end of this thread.   jc
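As an added example (not posted by anyone in this thread), the cutover configuration below combines the pieces discussed above into one staged config: the RSA key is generated under an explicit label so it no longer depends on the hostname and domain-name, ip ssh rsa keypair-name pins SSH to that key, a one-shot EEM countdown timer regenerates it after the reload instead of a repeating cron or watchdog timer, and a tightly ACL'd telnet fallback stays available until SSH is verified and then gets removed. The hostname, domain, key label SSH-KEY, ACL name, management subnet 10.10.10.0/24, username and 120-second delay are all assumptions.

```cisco
! ---- staged config: copied to startup-config before the reload ----
hostname new_router_R1
ip domain-name example.net
!
! Local account for the VTYs (placeholder secret, assumption)
username netadmin privilege 15 secret <set-a-strong-secret>
!
! Only the management subnet (assumed) may reach the VTYs; log the rest.
ip access-list standard MGMT-HOSTS
 permit 10.10.10.0 0.0.0.255
 deny   any log
!
! Pin SSH to a labelled key so a later hostname/domain change cannot
! orphan it. The label must match the one generated by the applet below.
ip ssh rsa keypair-name SSH-KEY
ip ssh time-out 60
ip ssh authentication-retries 3
!
! EEM needs free VTY lines to run CLI actions (see the
! FMPD_CLI_CONNECT error in the log above), so keep them all enabled.
! telnet is a temporary fallback, restricted by the ACL.
line vty 0 4
 access-class MGMT-HOSTS in
 login local
 transport input telnet ssh
!
! One-shot key generation 120 seconds after boot. A countdown timer
! fires exactly once, so there is no rush to remove the applet.
! "ip ssh version 2" is set here, after the key exists, because IOS
! rejects it while no RSA key of at least 768 bits is present.
event manager applet Generate-RSA
 event timer countdown time 120
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "crypto key generate rsa label SSH-KEY modulus 2048"
 action 1.3 cli command "ip ssh version 2"
 action 1.4 cli command "end"
 action 1.5 syslog msg "EEM generated RSA key SSH-KEY and enabled SSHv2"
!
! ---- after the reload: verify over telnet, then close the fallback ----
! show crypto key mypubkey rsa          (key named SSH-KEY must be listed)
! show ip ssh                            (expect "SSH Enabled - version 2.0")
! show event manager policy registered   (applet present, fired once)
! configure terminal
!  line vty 0 4
!   transport input ssh
!  no event manager applet Generate-RSA
! end
! write memory
```

Test the SSH login from a second session before typing transport input ssh on the first one; if the key or the keypair-name is wrong, the telnet session is the only way back in. On images where crypto key generate rsa still prompts for the modulus, the cli command action needs interactive handling and the telnet fallback becomes the primary path.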