
Enable, Secret, Privilege Password

Joy3
Level 1

Hallo All,

 

I have configured my router with an enable secret 5 password and also added some usernames+privilege level+secret 5 password. However, when I reload the router, I am not prompted for any username or password. I have the aaa enabled to authenticate with TACACS, which I understand could be a problem. However, is there a solution without disabling aaa?

 

This will probably be the most basic question but I will go ahead and ask because I have dwelt on it all morning without success. I had deleted the configs from my router and would want to reconfigure with the exact same configs (maybe add a few usernames and change passwords). However, I am getting the following error messages:

 

R1(config)#enable secret 5 xyz
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 5 encryption.

 

It is clear, after reading, that secret 5 passwords are hashed, so, plain text will definitely not work. So, how do I generate an encrypted secret while maintaining the secret 5 level password? If I configure with secret password without specifying 5, the secret level is set to secret 9 in 'sh run' but I want to maintain it at secret 5.

 

Then this is also giving me the same problem when I enter a plain text secret 5 password:

 

R1(config)#username xyz privilege 15 secret 5 xyz
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 5 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.

 

To add context to my issue, I had the running configs before erasing them from the router. When I directly paste it into my terminal, it works (with a warning) but unfortunately, I can't decrypt the MD5 passwords and anyway, I am not even prompted to enter username or password on reboot.

 

R1(config)#username xyz privilege 15 secret 5 $1$H5hX$mxxxxxxx
WARNING: Command has been added to the configuration using a type 5 password. However, type 5 passwords will soon be deprecated. Migrate to a supported password type
R1(config)#
*Jul 29 2021 14:49:25.157 CEST: %AAAA-4-CLI_DEPRECATED: WARNING: Command has been added to the configuration using a type 5 password. However, type 5 passwords will soon be deprecated. Migrate to a supported password

 

I will really appreciate your help on this. Thanks.

 

Regards,

Joyce
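
The question above asks how to produce a value that `secret 5` will accept. A type 5 secret is a standard md5crypt string (`$1$<salt>$<22 characters>`), and IOS rejects anything that does not have that shape, which is exactly the error shown. The Python below is an added example, not part of this thread and not a Cisco tool: it implements md5crypt from the reference algorithm, generates a string in the format the router expects, mirrors the shape check IOS applies, and verifies a password against a stored secret. The helper names (`md5_crypt`, `new_salt`, `is_type5_hash`, `verify_type5`) are hypothetical. As the router's own warning says, type 5 is deprecated; where the platform supports it, let IOS derive a type 8 or 9 secret from a plaintext, and use this only where an existing type 5 string must be reproduced.

```python
import hashlib
import hmac
import re
import secrets

# Hypothetical helpers written for this example; they are not IOS commands.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"
# Shape of a type 5 secret: '$1$' + 1..8 salt chars + '$' + 22 encoded chars
TYPE5_RE = re.compile(r"^\$1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})$")


def _to64(value: int, count: int) -> bytes:
    """Encode `count` 6-bit groups of `value`, least significant group first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: str, salt: str) -> str:
    """Classic md5crypt ($1$), the algorithm behind IOS 'secret 5' strings."""
    pw = password.encode()
    sl = salt.encode()[:8]  # md5crypt uses at most 8 salt characters
    ctx = hashlib.md5(pw + MAGIC + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    # Mix in len(pw) bytes of the alternate digest, 16 at a time
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    # Bit-pattern step from the reference implementation (a zero byte or pw[0])
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 rounds of stretching with the fixed pw/salt/final schedule
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    # Byte rearrangement followed by the md5crypt base64 variant
    encoded = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return (MAGIC + sl + b"$" + encoded).decode()


def new_salt(length: int = 4) -> str:
    """Random salt from the md5crypt alphabet; IOS itself uses 4 characters."""
    return "".join(secrets.choice(ITOA64.decode()) for _ in range(length))


def is_type5_hash(text: str) -> bool:
    """Shape check: plaintext such as 'xyz' fails here, as it does on the router."""
    return TYPE5_RE.match(text) is not None


def verify_type5(password: str, stored: str) -> bool:
    """Recompute with the salt from the stored string and compare in constant time."""
    m = TYPE5_RE.match(stored)
    if not m:
        return False
    return hmac.compare_digest(md5_crypt(password, m.group(1)), stored)


if __name__ == "__main__":
    # Constructed sample: the username and password here are illustrative only
    h = md5_crypt("correct horse", new_salt())
    print(f"username admin privilege 15 secret 5 {h}")
    print("shape ok:", is_type5_hash(h), "verifies:", verify_type5("correct horse", h))
```

`openssl passwd -1 -salt <salt> <password>` produces the same md5crypt string and is a quick cross-check for a value before pasting it into the configuration.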

20 Replies

Joyce

When a tunnel does not come up there can certainly be a possibility that a firewall is blocking that traffic. But before we go down that path I think there are some things we need to look into.

- am I correct in assuming that this router is to be deployed at a remote site and will connect to 2 central site head end routers?

- in the previous post we were looking at access problems related to limited ip routing. I wonder if the same thing may be the issue here. Does this router have basic IP connectivity to either or both of the head end routers?

- if the router does not already have logging buffered set to level debugging I suggest that you enable the debug level for logging buffered.

- then attempt to bring up one or both of the tunnels.

- then look in the output of show logging for any messages about the tunnels.

- if that does not provide helpful information you might run debug while you attempt to bring up the tunnels.

HTH

Rick

Joy3
Level 1

Hallo Rick, 

Yes, this router will be in a remote site and it will be connected to 2 end routers. What is puzzling is that a similar router (with almost similar configs) is connected to the 2 end routers via DMVPN and it is working properly.

The router has no connectivity to either of the end routers but I have gone through a doc on the cisco website 'Common DMVPN Troubleshooting Solutions' and one of them is to test basic connectivity.

  1. Ping from the hub to the spokes using NBMA addresses and reverse.

    These pings should go directly out the physical interface, not through the DMVPN tunnel. Hopefully, there is not a firewall that blocks ping packets. If this does not work, check the routing and any firewalls between the hub and spoke routers.

I will check this further tomorrow and see if it works. I will be sure to give feedback on the results but any more suggestions are welcome, as always.

Thanks again.

Regards,

Joyce

Joyce

I think that the troubleshooting suggestion of pinging spoke to hub and hub to spoke is a good suggestion. Before you do that I would suggest verifying that the router LTE is providing access to the Internet. A simple test would be to ping 8.8.8.8 and see if that works.

It might help if you post a current copy of the output of show ip route.

HTH

Rick

Joy3
Level 1

Hallo Rick,

The ping is 100% successful.

R1-1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/38/44 ms
R1-1#

Still no solution has worked so far and here is the output of sh ip route:

R1-1#sh ip route
Load for five secs: 1%/0%; one minute: 1%; five minutes: 1%
Time source is NTP, *17:11:14.765 CEST Wed Aug 11 2021

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S* 0.0.0.0/0 is directly connected, Cellular0/2/0
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C 10.142.64.138/32 is directly connected, Cellular0/2/0
C 10.201.167.32/28 is directly connected, Vlan300
L 10.201.167.33/32 is directly connected, Vlan300
C 10.201.185.0/28 is directly connected, Vlan100
L 10.201.185.1/32 is directly connected, Vlan100
172.30.0.0/16 is variably subnetted, 7 subnets, 3 masks
C 172.30.101.248/29 is directly connected, Vlan805
L 172.30.101.249/32 is directly connected, Vlan805
C 172.30.153.240/28 is directly connected, Vlan804
L 172.30.153.241/32 is directly connected, Vlan804
C 172.30.201.248/29 is directly connected, Vlan806
L 172.30.201.249/32 is directly connected, Vlan806
C 172.30.255.99/32 is directly connected, Loopback0
192.168.185.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.185.0/28 is directly connected, Vlan251
L 192.168.185.1/32 is directly connected, Vlan251
R1-1#

Thanks.

Regards,
Joyce
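
Rick asked for the routing table in order to check basic IP connectivity to the head end routers. The Python below is an added example, not from this thread and not a Cisco tool: it parses the `show ip route` output Joyce posted above (embedded here as the sample input, legend omitted) and answers the connectivity question offline. For each hub NBMA address it reports which route would carry the packet and flags the case where the only match is the cellular default route, which is what the table above shows for anything off-box. The hub addresses in the usage block are placeholders, since the thread does not give them; `parse_routes`, `lookup` and `reachability_report` are hypothetical names.

```python
import ipaddress
import re

# 'show ip route' as posted in the thread above (codes legend trimmed)
SHOW_IP_ROUTE = """\
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S* 0.0.0.0/0 is directly connected, Cellular0/2/0
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C 10.142.64.138/32 is directly connected, Cellular0/2/0
C 10.201.167.32/28 is directly connected, Vlan300
L 10.201.167.33/32 is directly connected, Vlan300
C 10.201.185.0/28 is directly connected, Vlan100
L 10.201.185.1/32 is directly connected, Vlan100
172.30.0.0/16 is variably subnetted, 7 subnets, 3 masks
C 172.30.101.248/29 is directly connected, Vlan805
L 172.30.101.249/32 is directly connected, Vlan805
C 172.30.153.240/28 is directly connected, Vlan804
L 172.30.153.241/32 is directly connected, Vlan804
C 172.30.201.248/29 is directly connected, Vlan806
L 172.30.201.249/32 is directly connected, Vlan806
C 172.30.255.99/32 is directly connected, Loopback0
192.168.185.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.185.0/28 is directly connected, Vlan251
L 192.168.185.1/32 is directly connected, Vlan251
"""

# One route line: code, prefix, then either a connected interface or a next hop.
# Summary lines ("10.0.0.0/8 is variably subnetted ...") start with a digit and
# are skipped on purpose; they are not forwarding entries.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z*+%]{1,3})\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:is directly connected, (?P<iface>\S+)"
    r"|\[\d+/\d+\] via (?P<nexthop>\d+\.\d+\.\d+\.\d+))"
)


def parse_routes(text: str):
    """Return (code, network, via) tuples for every forwarding entry in the output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(m["prefix"], strict=False)
            routes.append((m["code"], net, m["iface"] or m["nexthop"]))
    return routes


def lookup(routes, destination: str):
    """Longest-prefix match, the way the RIB chooses: most specific route wins."""
    dst = ipaddress.ip_address(destination)
    best = None
    for code, net, via in routes:
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (code, net, via)
    return best


def reachability_report(routes, targets):
    """Map each target to the route that would carry it; a /0 match means the
    packet leaves only via the default route, so reachability depends entirely
    on the upstream (here the cellular provider) and anything filtering on it."""
    report = {}
    for t in targets:
        hit = lookup(routes, t)
        if hit is None:
            report[t] = "no route"
        elif hit[1].prefixlen == 0:
            report[t] = f"default route via {hit[2]}"
        else:
            report[t] = f"{hit[0]} {hit[1]} via {hit[2]}"
    return report


if __name__ == "__main__":
    table = parse_routes(SHOW_IP_ROUTE)
    # Placeholder hub NBMA addresses (documentation range); the thread gives none
    for target, result in reachability_report(table, ["203.0.113.10", "203.0.113.20"]).items():
        print(f"{target:16} -> {result}")
```

Running it against the posted table shows every non-local destination resolving to the `S*` default on `Cellular0/2/0`, which is consistent with the successful `ping 8.8.8.8`: the spoke can reach the Internet, so a failure to reach the hubs points at something beyond the spoke's own routing, which is the direction the thread then took.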

Joy3
Level 1

Hallo Rick,

We have finally found where the problem has been all along XD. The license expired, so we will need to renew it.

All in all, thanks so much for the support. I have benefitted a lot from your responses.

Regards,

Joyce

Joyce

Thanks for the update. Glad that the problem has been identified. And interesting that it turned out to be an issue with licensing. It has been an interesting discussion and I am glad that you have benefitted from it. I hope that you will continue to be active in the community.

HTH

Rick