Re: Configuration mode locked exclusively during configuration replace

hayesa · ‎04-19-2017

Hello,

I am remotely (ssh) working on an active, productive switch that I accidentally locked and I need a solution. While attempting to test the configuration replace command, the switch didn't take the rollback and stopped me from issuing any further configuration commands. Any time I try to enter an Interface or any other higher config mode I am given this line:

Configuration mode locked exclusively by user 'unknown' process '13' from terminal '0'. Please try later.

I also checked the configuration lock:

SW#sh configuration lock
Parser Configure Lock
---------------------
Owner PID : 13
User : unknown
TTY : 0
Type : EXCLUSIVE
State : LOCKED
Class : ROLLBACK
Count : 1
Pending Requests : 0
User debug info : Rollback
Session idle state : TRUE
No of exec cmds getting executed : 0
No of exec cmds blocked : 0
Config wait for show completion : FALSE
Remote ip address : Unknown
Lock active time (in Sec) : 15998
Lock Expiration timer (in Sec) : 600

No idea what to do. I haven't tried to physically console into the switch yet, as it is at a remote site. Though another thread I was reading listed that as a solution.

Any help would be greatly appreciated!

hayesa · ‎11-03-2017

Still looking for an answer to this. Aside from consoling in or reloading, what can I do? And what caused this issue?

Meheretab Mengistu · ‎11-03-2017

Hi Hayesa,

@hayesa wrote:

Still looking for an answer to this. Aside from consoling in or reloading, what can I do? And what caused this issue?

Have you tried "clear configuration lock" from privileged EXEC mode? I have not encounter it personally.

The possible cause is that you were running configure replace ... without nolock:

configure replace target-url [nolock] [list] [force] [ignorecase] [reverttrigger[error][timerminutes]|timeminutes]

However, it should release the lock when you exit or end the session. Did you exit the terminal session? Or, did it timeout before locking?

If clear configuration lock does not unlock it, the other option you get is attempt "console" in.

HTH,

Meheretab

HTH,
Meheretab

hayesa · ‎11-06-2017

Hey Meheretab,

Thank you for your reply!

I have tried the clear configuration lock command but I always get this error:

SW1#clear configuration lock
^
% Invalid input detected at '^' marker.

Do you have any idea why this command isn't recognized?

I can't console in as the switch is in a remote location. I don't currently have access to it without an 8 hr road trip and I'm not willing to do that yet.

Also, your statement of possible cause is likely correct. I didn't use the nolock option when running configure replace.

Meheretab Mengistu · ‎11-06-2017

What are your options when you run 'clear ?' ? Please also post the output of 'sh privilege'.

HTH,
Meheretab

HTH,
Meheretab

hayesa · ‎11-06-2017

ALF_SW1#sh privilege
Current privilege level is 15
ALF_SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ALF_SW1(config)#int g1/1/1
Configuration mode locked exclusively by user 'unknown' process '14' from terminal '0'. Please try later.
ALF_SW1(config)#exit

ALF_SW1#clear ?
aaa Clear AAA values
access-list Clear access list statistical information
access-template Access-template
adjacency Adjacent nodes
archive Clear archive data
arp-cache Clear the entire ARP cache
authentication Clear specified Auth Manager sessions
cdp Reset cdp information
cef Cisco Express Forwarding
cns CNS agents
controllers Clear interface controller info
counters Clear counters on one or all interfaces
crypto Encryption subsystem
dot1x Clear 802.1x information
eap Clear specified EAP details
eigrp EIGRP clear commands
energywise Clear EnergyWise information
eou EAPoUDP
errdisable Clear error disable from an interface/vlan
host Delete host table entries
interface Clear the hardware logic on an interface
ip IP
ipc Interprocess communications commands
ipv6 IPv6 clear commands
kerberos Clear Kerberos Values
l2protocol-tunnel clear Layer 2 protocol tunnel
lacp Port channel information
license License
line Reset a terminal line
lldp Reset lldp information
logging Clear logging buffer
mac MAC forwarding table
macsec Clear MACsec statistics counters
memory Memory counters
mka MKA Clear Commands
mls mls keyword
netconf NETCONF
nmsp Clear NMSP traffic counters
pagp Port channel information
parser Clear parser data
pmon Clear Performance Monitor Statistics
port-security Clear secure information
radius Clears radius server information
scp Clear SCP commands
spanning-tree Clear spanning tree parameters
tcp Clear a TCP connection or statistics
vmps VMPS statistics
vtp Clear VTP items
xdr XDR information

Meheretab Mengistu · ‎11-06-2017

Interesting!
Please post the output of 'sh ssh', and 'who'. How many remote connections do we have?

HTH,
Meheretab

HTH,
Meheretab

hayesa · ‎11-06-2017

ALF_SW1#sh ssh
%No SSHv1 server connections running.
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes256-cbc hmac-sha1 Session started ahayes
0 2.0 OUT aes256-cbc hmac-sha1 Session started ahayes

ALF_SW1#who
Line User Host(s) Idle Location
* 1 vty 0 ahayes idle 00:00:00 x.x.x.x

Interface User Mode Idle Peer Address

Meheretab Mengistu · ‎11-06-2017

Please try the following two commands (at this time I'm just brainstorming):
!
config t
no configure mode exclusive
no configure terminal lock
!

Which IOS version are you running?

HTH,
Meheretab

HTH,
Meheretab

TexNolan · ‎04-17-2019

I also have a new switch (to us) and it is locked. I have access to the configs via console, however, I am not seeing where to correct a locked privilege mode.

What causes this issue? Locked executive node?

Not sure how to explain this.

Blue is where I entered commands.

MS.40.SW1#ssh 10.**.**.47
Password:
MG.30.SW2>login
MG.30.SW2>login

User Access Verification

Username: admin
Password:

AS.SN.MG.30.SW2>login

User Access Verification

Username: jton
Password:

MG.30.SW2>en
% Error in authentication.

MG.30.SW2>

What is allows,,,

MG.30.SW2>?

Exec commands:
<1-99> Session number to resume
access-enable Create a temporary Access-List entry
access-profile Apply user-profile to interface
clear Reset functions
connect Open a terminal connection
crypto Encryption related commands.
disable Turn off privileged commands
disconnect Disconnect an existing network connection
do-exec Mode-independent "do-exec" prefix support
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
lock Lock the terminal
login Log in as a particular user
logout Exit from the EXEC
mrinfo Request neighbor and version information from a multicast
router
mstat Show statistics after multiple multicast traceroutes
mtrace Trace reverse multicast path from destination to source
name-connection Name an existing network connection
ping Send echo messages
rcommand Run command on remote switch
release Release a resource
renew Renew a resource
rep Resilient Ethernet Protocol Exec Commands
resume Resume an active network connection
routing-context Routing Context
set Set system parameter (not config)
show Show running system information
ssh Open a secure shell client connection
systat Display information about terminal lines
tclquit Quit Tool Command Language shell
telnet Open a telnet connection
terminal Set terminal line parameters
traceroute Trace route to destination
tunnel Open a tunnel connection
where List active connections

MG.30.SW2>show ?
aaa Show AAA values
adjacency Adjacent nodes
arp ARP table
auto Show Automation Template
banner Display banner information
bfd BFD protocol info
caaa Subscriber Policy Entity Information
cache Shows Device-Sensor Cache Informations
calendar Display the hardware calendar
call-home Show command for call home
capability Capability Information
cca CCA information
class-map Show CPL Class Map
clock Display the system clock
cns CNS agents
controllers Interface controller status
crypto Encryption module
dampening Display dampening information
dcm Data Collection Manager Core Details
device Display device classifier information
device-sensor Shows Device Sensor Information
diagnostic Show command for diagnostic
dot1q-tunnel Display dot1q tunnel ports
dot1x Dot1x information
eee Show Energy Efficient Ethernet
eigrp EIGRP show commands
env Environmental facilities
epm EPM information
errdisable Error disable
etherchannel EtherChannel information
event-manager Event manager information
exception exception informations
fhrp FHRP information
fips FIPS information
flash1: display information about flash1: file system
flash: display information about flash: file system
flow-sampler Display the flow samplers configured
flowcontrol show flow control information
format Show format information
hosts IP domain-name, lookup style, nameservers, and host table
id-manager ID pool manager
idprom show IDPROMs for interfaces
if-mgr if-mgr information
inventory Show the physical inventory
ip IP information
ipc Interprocess communications commands
ipv6 IPv6 information
kerberos Show Kerberos Values
kron Kron Subsystem
l2 Layer 2
l2protocol-tunnel Display L2PT status and configurations
lacp Port channel information
ldap Shows LDAP information
link Show Link
lldp LLDP information
location Display the system location
login Display Secure Login Configurations and State
mab MAB information
mac MAC configuration
macro Show command macros
mdns MDNS feature
mediatrace Mediatrace show commands
memory Memory statistics
mls mls global commands
monitor Monitoring different system events
mtm MTM
network-policy Network Policy profile information
object-group List object groups
odm-format Show the schema used for ODM input file
ospfv3 OSPFv3 information
pagp Port channel information
parameter-map Show parameter map of type
parser Display parser information
platform platform specific show commands
pm Show Port Manager commands
pnp Display PNP information
policy-map Show Policy Map
power Switch Power
pre PRE show commands
profile Media services profile application
queue Show queue contents
queueing Show queueing configuration
radius Shows radius information
rep Resilient Ethernet Protocol
resource Resource group statistics
rmon rmon statistics
route-tag route-tag information
rpl RPL protocol status
sasl show SASL information
scalable-queue Scalable Queue statistics
sched-event Scheduler event information
scp SCP commands
sessions Information about Telnet connections
snmp snmp statistics
sockets Socket Details
ssh Status of SSH server connections
stack-power Power stack information
status Show service module status
storm-control Show storm control configuration
switch show information about the stack ring
tacacs Shows tacacs+ server statistics
template Template information
terminal Display terminal configuration parameters
test_rib_access RIB_ACCESS TEST info
time-range Time range
topology Topology instance information
traffic-shape traffic rate shaping configuration
udld UDLD information
udp UDP Details
usb USB Interface
users Display information about terminal lines
version System hardware and software status
vlan VTP VLAN status
vmps VMPS version information
vrf VPN Routing/Forwarding instance information
vrrp VRRP information
vtp VTP information
wsma Show Web Services Management Agents information
xdr Show details about XDR
xos Cross-OS Library Information and Traces
xsd-format Show the ODM XSD for the command

MG.30.SW2#sh ru | ex !
Building configuration...

Current configuration : 14056 bytes
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname MG.30.SW2
boot-start-marker
boot-end-marker
username admin privilege 15 password 0 A*******76
username jton privilege 15 password 0 A******76
aaa new-model
aaa session-id common
clock timezone CDT -6 0
clock summer-time CDT recurring
switch 1 provision ws-c3750x-48p
switch 8 provision ws-c3750x-48p
system mtu routing 1500
no ip domain-lookup
ip domain-name aseschool.org
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 70 30
mls qos srr-queue input threshold 1 80 90
mls qos srr-queue input priority-queue 2 bandwidth 30
mls qos srr-queue input cos-map queue 1 threshold 2 3
mls qos srr-queue input cos-map queue 1 threshold 3 6 7
mls qos srr-queue input cos-map queue 2 threshold 1 4
mls qos srr-queue input dscp-map queue 1 threshold 2 24
mls qos srr-queue input dscp-map queue 1 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue input dscp-map queue 1 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue input dscp-map queue 2 threshold 3 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
crypto pki trustpoint TP-self-signed-4*****6
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4****6
revocation-check none
rsakeypair TP-self-signed-4*****6
crypto pki trustpoint TP-self-signed-1****8
revocation-check crl
crypto pki trustpoint TP-self-signed-3****0
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3****0
revocation-check none
rsakeypair TP-self-signed-3****0
crypto pki certificate chain TP-self-signed-4****6
certificate self-signed 01
3082022B ***** ****** 9BFCDC
quit
crypto pki certificate chain TP-self-signed-1****8
crypto pki certificate chain TP-self-signed-3****0
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 0
auto qos srnd4
vlan internal allocation policy ascending
class-map match-all SECURITY_CLASS
match access-group name SECURITY
policy-map SECURITY_POLICY
class SECURITY_CLASS
set dscp ef
interface FastEthernet0
no ip address
interface GigabitEthernet1/0/1
description SECURITY Galaxy Panel
switchport access vlan 46
spanning-tree portfast edge
service-policy input SECURITY_POLICY
interface GigabitEthernet1/0/2
description SECURITY Panel
switchport access vlan 46
spanning-tree portfast edge
service-policy input SECURITY_POLICY
interface GigabitEthernet1/0/3
description SECURITY Cameras
switchport access vlan 591
spanning-tree portfast edge
service-policy input SECURITY_POLICY
interface GigabitEthernet1/0/4
description SECURITY Cameras
switchport access vlan 591
spanning-tree portfast edge
service-policy input SECURITY_POLICY
interface GigabitEthernet1/0/5
description SECURITY Cameras
switchport access vlan 591
spanning-tree portfast edge
service-policy input SECURITY_POLICY
interface GigabitEthernet1/0/6
description SECURITY Cameras
switchport access vlan 46
spanning-tree portfast edge
service-policy input SECURITY_POLICY
interface GigabitEthernet1/0/7
description Test Camera Lorex ..100
switchport access vlan 2191
service-policy input SECURITY_POLICY
interface GigabitEthernet1/0/8
description FUTURE use
shutdown
service-policy input SECURITY_POLICY
interface GigabitEthernet1/0/9
description FUTURE use
shutdown
service-policy input SECURITY_POLICY
interface GigabitEthernet1/0/10
description UPLINK TO WAP
switchport trunk native vlan 254
spanning-tree portfast edge
service-policy input SECURITY_POLICY
interface GigabitEthernet1/0/11
description UPLINK TO WAP
switchport trunk native vlan 254
spanning-tree portfast edge
service-policy input SECURITY_POLICY
interface GigabitEthernet1/0/12
description UPLINK TO WAP
switchport trunk native vlan 254
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
auto qos trust
service-policy input SECURITY_POLICY
interface GigabitEthernet1/0/13
description Martin Gym Printer
switchport access vlan 49
spanning-tree portfast edge
service-policy input SECURITY_POLICY
interface GigabitEthernet1/0/14
description FUTURE use
shutdown
service-policy input SECURITY_POLICY
interface GigabitEthernet1/0/15
description FUTURE use
shutdown
service-policy input SECURITY_POLICY
interface GigabitEthernet1/0/16
description FUTURE use
shutdown
service-policy input SECURITY_POLICY
interface GigabitEthernet1/0/17
description FUTURE use
shutdown
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
auto qos trust
spanning-tree portfast edge
interface GigabitEthernet1/0/18
interface GigabitEthernet1/0/19
interface GigabitEthernet1/0/20
interface GigabitEthernet1/0/21
interface GigabitEthernet1/0/22
description FUTURE use
switchport access vlan 47
shutdown
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
auto qos trust
spanning-tree portfast edge
service-policy input SECURITY_POLICY
interface GigabitEthernet1/0/23
interface GigabitEthernet1/0/24
interface GigabitEthernet1/0/25
interface GigabitEthernet1/0/26
interface GigabitEthernet1/0/27
interface GigabitEthernet1/0/28
interface GigabitEthernet1/0/29
interface GigabitEthernet1/0/30
interface GigabitEthernet1/0/31
interface GigabitEthernet1/0/32
interface GigabitEthernet1/0/33
interface GigabitEthernet1/0/34
interface GigabitEthernet1/0/35
interface GigabitEthernet1/0/36
interface GigabitEthernet1/0/37
interface GigabitEthernet1/0/38
interface GigabitEthernet1/0/39
interface GigabitEthernet1/0/40
interface GigabitEthernet1/0/41
interface GigabitEthernet1/0/42
interface GigabitEthernet1/0/43
interface GigabitEthernet1/0/44
interface GigabitEthernet1/0/45
interface GigabitEthernet1/0/46
interface GigabitEthernet1/0/47
interface GigabitEthernet1/0/48
interface GigabitEthernet1/1/1
interface GigabitEthernet1/1/2
interface GigabitEthernet1/1/3
interface GigabitEthernet1/1/4
description UPLINK TO low_main_3750E_48
switchport trunk encapsulation dot1q
switchport trunk native vlan 3000
switchport mode trunk
service-policy input SECURITY_POLICY
interface TenGigabitEthernet1/1/1
interface TenGigabitEthernet1/1/2
interface GigabitEthernet8/0/1
interface GigabitEthernet8/0/2
interface GigabitEthernet8/0/3
interface GigabitEthernet8/0/4
interface GigabitEthernet8/0/5
interface GigabitEthernet8/0/6
interface GigabitEthernet8/0/7
interface GigabitEthernet8/0/8
interface GigabitEthernet8/0/9
interface GigabitEthernet8/0/10
interface GigabitEthernet8/0/11
interface GigabitEthernet8/0/12
interface GigabitEthernet8/0/13
interface GigabitEthernet8/0/14
interface GigabitEthernet8/0/15
interface GigabitEthernet8/0/16
interface GigabitEthernet8/0/17
interface GigabitEthernet8/0/18
interface GigabitEthernet8/0/19
interface GigabitEthernet8/0/20
interface GigabitEthernet8/0/21
interface GigabitEthernet8/0/22
interface GigabitEthernet8/0/23
interface GigabitEthernet8/0/24
interface GigabitEthernet8/0/25
interface GigabitEthernet8/0/26
interface GigabitEthernet8/0/27
interface GigabitEthernet8/0/28
interface GigabitEthernet8/0/29
interface GigabitEthernet8/0/30
interface GigabitEthernet8/0/31
interface GigabitEthernet8/0/32
interface GigabitEthernet8/0/33
interface GigabitEthernet8/0/34
interface GigabitEthernet8/0/35
interface GigabitEthernet8/0/36
interface GigabitEthernet8/0/37
interface GigabitEthernet8/0/38
interface GigabitEthernet8/0/39
interface GigabitEthernet8/0/40
interface GigabitEthernet8/0/41
interface GigabitEthernet8/0/42
interface GigabitEthernet8/0/43
interface GigabitEthernet8/0/44
interface GigabitEthernet8/0/45
interface GigabitEthernet8/0/46
interface GigabitEthernet8/0/47
interface GigabitEthernet8/0/48
interface GigabitEthernet8/1/1
interface GigabitEthernet8/1/2
interface GigabitEthernet8/1/3
interface GigabitEthernet8/1/4
interface TenGigabitEthernet8/1/1
interface TenGigabitEthernet8/1/2
interface Vlan1
description Management VLAN
no ip address
no ip route-cache
shutdown
interface Vlan254
description Management VLAN
ip address 10.**.**.47 255.255.255.0
ip helper-address 10.**.**.32
no ip route-cache
interface Vlan2191
no ip address
interface Vlan3000
ip address 10.**.**.31 255.255.255.0
ip default-gateway 10.**.**.1
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip ssh authentication-retries 2
ip ssh version 2
ip access-list extended SECURITY
permit ip 10.**.**.0 0.0.0.255 any
banner motd ^CC
^C
line con 0
exec-timeout 5 0
logging synchronous
stopbits 1
line vty 0 4
exec-timeout 5 0
transport input ssh
line vty 5 15
exec-timeout 5 0
transport input ssh
ntp master ***
ntp server 132.**.**.5
end

MG.30.SW2#
MG.30.SW2#

John Katsoulas · ‎07-19-2021

Most probably you have solved this by now. But as a future reference:

at exec mode enter #show line

there will be more than 1 line connected on the device.

clear all lines not used by entering: #clear line <No to clear> Te device will not let you clear the current line, marked with an asterisk.

the configuration lock should now be cleared so that you can re-enter configuration mode

trust this helps!