asr9010 crypto key generation command missing

Alex Zhang
Level 1

Hi, 

 

I'm setting up an asr9010, but I cannot ssh to it and cannot use the "crypto key gen rsa" command. Please kindly help to take a look.

 

Every time I tried to log in, the log shows "SSHD_[65713]: %SECURITY-SSHD-3-ERR_GENERAL : Failed No Host Key configured on the device "

 

And I tried to use "crypto key generate rsa" command but cannot find it.

The following are 2 tries looking for the "crypto key gen rsa".

1st try:

RP/0/RSP0/CPU0:asr9010#admin
RP/0/RSP0/CPU0:asr9010(admin)#crypto ?
key Long term key operations
RP/0/RSP0/CPU0:asr9010(admin)#crypto key ?
import Import Public Key
zeroize Remove keys

 

2nd try:

RP/0/RSP0/CPU0:asr9010#conf
RP/0/RSP0/CPU0:asr9010(config)#crypto ?
ca Certification authority
fips-mode Enable FIPS mode
gdoi Configure GDOI policy
ipsec Configure IPSEC policy
ipsec-node ipsec node global configuration
isakmp Configure isakmp Options
map Enter a crypto map

 

FYI, here is the show version and show install active:

show version:

asr9k-k9sec-px, V 6.4.1[Default], Cisco Systems, at disk0:asr9k-k9sec-px-6.4.1
Built on Wed Mar 28 19:26:50 PDT 2018
By iox-lnx-009 in /auto/srcarchive14/prod/6.4.1/asr9k-px/ws for pie

 

show install active

Secure Domain Router: Owner

Node 0/RSP0/CPU0 [RP] [SDR: Owner]
Boot Device: disk0:
Boot Image: /disk0/asr9k-os-mbi-6.4.1/0x100305/mbiasr9k-rsp3.vm
Active Packages:
disk0:asr9k-fpd-px-6.4.1
disk0:asr9k-k9sec-px-6.4.1
disk0:asr9k-mini-px-6.4.1

Node 0/RSP1/CPU0 [RP] [SDR: Owner]
Boot Device: disk0:
Boot Image: /disk0/asr9k-os-mbi-6.4.1/0x100305/mbiasr9k-rsp3.vm
Active Packages:
disk0:asr9k-fpd-px-6.4.1
disk0:asr9k-k9sec-px-6.4.1
disk0:asr9k-mini-px-6.4.1

Node 0/0/CPU0 [LC] [SDR: Owner]
Boot Device: mem:
Boot Image: /disk0/asr9k-os-mbi-6.4.1/lc/mbiasr9k-lc.vm
Active Packages:
disk0:asr9k-k9sec-px-6.4.1
disk0:asr9k-mini-px-6.4.1

Node 0/1/CPU0 [LC] [SDR: Owner]
Boot Device: mem:
Boot Image: /disk0/asr9k-os-mbi-6.4.1/lc/mbiasr9k-lc.vm
Active Packages:
disk0:asr9k-k9sec-px-6.4.1
disk0:asr9k-mini-px-6.4.1

 

Accepted Solution

Alex Zhang
Level 1

This issue has been fixed finally.

The root cause is that the configuration step in Cisco's document is somehow not correct. The "crypto key generate rsa" command is under exec mode BUT NOT configure mode.

 

Here is Cisco's document:

https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-2/security/configuration/guide/b_syssec_cg42asr9k/b_syssec_cg42asr9k_chapter_0110.html

8 Replies

Mark Malone
VIP Alumni
Hi,
Try it in steps like this and see if it opens up the syntax.

Perform this task to configure SSH.
SUMMARY STEPS

1. configure

2. hostname hostname

3. domain name domain-name

4. commit

5. crypto key generate rsa [usage keys | general-keys] [keypair-label]

6. crypto key generate dsa

7. configure

8. ssh timeout seconds

9. Do one of the following:
ssh server [vrf vrf-name]
ssh server v2

10. commit

11. show ssh

12. show ssh session details

https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-2/security/configuration/guide/b_syssec_cg42asr9k/b_syssec_cg42asr9k_chapter_0110.html

Hi Mark,

 

Thanks for your help, but commands in both step 5 and 6 are missing in the asr9010.

I did some research but found nothing except that "crypto key generate" requires the k9 package. However, the k9sec package has been activated already as shown above.

Hi,
Yes, it looks to be supported on that image; odd that the crypto commands are not there. Do you have the show ssh commands? Are they available?

Cisco IOS XR Security Package: asr9k-k9sec-px.pie-6.4.1. Support for Encryption, Decryption, Secure Shell (SSH), Secure Socket Layer (SSL), and Public-key infrastructure (PKI).

https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r6-4/general/release/notes/b-release-notes-asr9k-641.pdf

Hi,

Here is the output:
SSH version : Cisco-2.0

id chan pty location state userid host
ver authentication connection type
--------------------------------------------------------------------------------------------------------------------------
Incoming sessions


Outgoing sessions

Have you got the right license for this? It's either that or the image requires changing if the commands are not there at all.
It's able to do ssh and the image says it supports it, so something's missing, as the config guide shows that's all that's required to initiate it.

Thanks Mark,

I didn't find any license request for the SSH, and I will schedule a maintenance window to upgrade or downgrade the IOS-XR and see if that works.

Thanks for posting the fix.
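
The sequence the thread converges on, written out with the CLI mode of each command made explicit. This is an added example, not part of the original posts or of Cisco's guide; `example.com` is a placeholder, and `end` and `show crypto key mypubkey rsa` are additions that do not appear in the steps quoted above.

```cisco
! Constructed session (added example): prompts reuse the hostname from the
! thread, example.com is a placeholder, and device output is omitted.

! 1. Domain name (and hostname, if not yet set) go in global configuration mode.
RP/0/RSP0/CPU0:asr9010#configure
RP/0/RSP0/CPU0:asr9010(config)#domain name example.com
RP/0/RSP0/CPU0:asr9010(config)#commit
RP/0/RSP0/CPU0:asr9010(config)#end

! 2. Host key generation is an EXEC command: run it at the plain "#" prompt,
!    not under (config)# or (admin)#, which is where the two failed tries in
!    the question were made. The command asks for the modulus size interactively.
RP/0/RSP0/CPU0:asr9010#crypto key generate rsa

! 3. Confirm that a host key now exists before enabling the server.
RP/0/RSP0/CPU0:asr9010#show crypto key mypubkey rsa

! 4. Return to configuration mode to turn on the SSH server.
RP/0/RSP0/CPU0:asr9010#configure
RP/0/RSP0/CPU0:asr9010(config)#ssh server v2
RP/0/RSP0/CPU0:asr9010(config)#commit
RP/0/RSP0/CPU0:asr9010(config)#end

! 5. Verify the server side.
RP/0/RSP0/CPU0:asr9010#show ssh
```

Once the key exists, a fresh login attempt should no longer produce the `%SECURITY-SSHD-3-ERR_GENERAL` "No Host Key configured" message quoted in the question.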