Does the Crypto Key get flushed when you reload a router with a different config?

jimmycher
Level 1

I need to completely change configurations on a 3900 router at a remote site. I am going to remote into the device, tftp a file into flash, then clear the startup-config with a write erase. I will then copy the new config into startup; the new config will have a new name and domain-name. Then I will reload.

Will the old crypto key carry over into the new config? Otherwise, SSH will fail and I'll be locked out.

Please explain when and how the crypto key rsa gets flushed.

Many thanks.

4 Replies

Traian Bratescu
Level 1

Hi,

Don't have a good answer to your question but as alternatives....

1. Couldn't you temporarily allow telnet (perhaps with a temporary user/pass)?

2. You could also establish basic connectivity (with a safety net of "reload in xx"), meaning hostname, domain name, key, IP address and routing, and then add the new configuration...

I realize this is just a workaround to your original question; unfortunately I don't have a physical test router right now (maybe you could try it and also tell us the results :) ).

Hope this can be of any help,

Traian

Marvin Rhoads
Hall of Fame

Your RSA key is not stored in the running configuration. It is in a special location in nvram:private-config, not directly accessible to you outside the "crypto key" operation commands.

Thanks Marvin. That kinda implies it gets flushed when I do a write erase, since it is part of NVRAM? What am I missing?

Sorry - I read your original post too quickly.

If you use the "write erase" method, that should indeed clear not only the startup-config but also your RSA keys. You can also use "erase nvram".

I found an external blog example of verifying the latter command (which should be equivalent to yours) here:

http://networkengineering.stackexchange.com/questions/1892/backing-up-cisco-router-configuration-including-ssh-keys
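
The following IOS session is an added example, not part of any post in this thread. It sketches the second workaround suggested above (change identity and key in the running config under a "reload in" safety net, and save only after SSH is confirmed working). NEWNAME, example.net, the 20-minute timer and the 2048-bit modulus are placeholder assumptions.

```cisco
! Constructed session. NEWNAME and example.net are placeholders.
! 1. Record which RSA key pairs exist before changing anything.
Router# show crypto key mypubkey rsa
!
! 2. Schedule a reload as a safety net. If the session is lost and nothing
!    has been saved, the router comes back up on the unchanged startup-config.
!    Do not save the configuration if the reload prompt offers to.
Router# reload in 20
!
! 3. Apply the new identity and generate a key pair for it.
!    If a key pair with the same name already exists, IOS asks before replacing it.
Router# configure terminal
Router(config)# hostname NEWNAME
NEWNAME(config)# ip domain-name example.net
NEWNAME(config)# crypto key generate rsa modulus 2048
NEWNAME(config)# ip ssh version 2
NEWNAME(config)# end
!
! 4. Verify that a key pair is present and that the SSH server is enabled.
NEWNAME# show crypto key mypubkey rsa
NEWNAME# show ip ssh
!
! 5. From a second terminal, open a new SSH session and log in.
!    Only when that succeeds, save the configuration and cancel the timer.
NEWNAME# copy running-config startup-config
NEWNAME# reload cancel
```

Because the key pair lives in NVRAM's private-config rather than in the configuration text, a config file copied to startup-config after "write erase" does not bring a key with it; the key has to be generated on the device as in step 3.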