cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
15309
Views
30
Helpful
13
Replies

No shell access after upgrade to CPI 3.5

Hilario Martin
Level 4
Level 4

Hi,

After upgrading from Prime 3.2 to 3.5 and  trying to open a shell I´ve got this message:

prime Shell will be disabled as it reached timeout. Please install root patch to enable shell

I could verify that the shell command is not visible anymore from the CLI.

Any idea about this?

 

Cisco Application Deployment Engine OS Release: 4.1
ADE-OS Build Version: 4.1.0.001
ADE-OS System Architecture: x86_64

Copyright (c) 2009-2018 by Cisco Systems, Inc.
All rights reserved.
Hostname: xxx


Version information of installed applications
---------------------------------------------

Cisco Prime Infrastructure
********************************************************
Version : 3.5.0 [FIPS not Enabled]
Build : 3.5.0.0.550

 

 

Thanks in advance,

HMG.

 

2 Accepted Solutions

Accepted Solutions

esterodr
Cisco Employee
Cisco Employee

Hello, 

 

For this kind of issue is better to open a TAC case so the Prime Infrastructure Engineer can recover the shell cli access using a patch file. This procedure requires TAC to copy a RootEnable patch into the Prime defaultRepo, and install it so you can recover back the shell password.

 

I did the below steps already and it worked. Please check below: 

 

Recover Shell CLI Access on Prime 3.5:

 

To copy the file from SFTP Server to Prime 3.5:


prime3.5/admin# copy sftp://a.b.c.d/RootEnable-appbundle-x86_64.tar.gz disk:/defaultRepo
Username: cisco
Password: cisco123!

 

(This syntax is to copy the file from SFTP Server to the defaultRepo of the Prime).

(You can put your own credentials on your SFTP server, this is just an example).
(a.b.c.d stands for the IP Address of the SFTP Server).

 

Check the file got copied successfully: 

 

apl90624/admin# show repo defaultRepo
RootEnable-appbundle-x86_64.tar.gz

 

Execute the install command, and below the expected output: 

 

apl90624/admin# application install RootEnable-appbundle-x86_64.tar.gz defaultRepo
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Generating configuration...
Saved the ADE-OS running configuration to startup successfully

Please ensure you have a backup of the system before proceeding.
Proceed with the application install ? (yes/no) [yes] ? yes
Initiating Application installation...

Application successfully installed


Reconfigure the shell password back:


apl90624/admin# shell

Shell access password is not set
Configure password for shell access

Password :
Password Again :

Shell access password is set
Run the command again to enter shell


apl90624/admin# shell
Enter shell access password :
Starting bash shell ...
ade #

 

Root password successfully recovered.

 

Hope this helps to fix the issue.

View solution in original post

Hi Hilario,

The recommendation is to open the TAC case and get into webex with the Engineer for him/her to provide you with the patch and do the procedures to recover the shell password, that patch is an internal file not available to customers for download like any other files for Prime Infrastructure.
I'm glad my post has helped you!

View solution in original post

13 Replies 13

pieterh
VIP
VIP

root shell is reserved for use by Cisco TAC?

look at this thread

 

when assisted by Cisco TAC you may be asked to install the root patch for use by the support engineer

after he finishes the root patch will be removed again.

 

Hi,

 

Thanks pieterh,

 

I thinks only root shell is reserved to Cisco TAC but  admin shell.should be accessible.

 

Regards,

Hilario.

Hi,

 

Thanks pieterh,

 

I thinks only root shell is reserved to Cisco TAC but  admin shell.should be accessible.

 

Regards,

Hilario.

Waldemar Gretz
Level 1
Level 1

Hi,

i have the problem too, but on my CPI i have the following:

 

/admin# shell 
                    ^ 
% invalid command detected at '^' marker. 

 

Please HELP!!!

esterodr
Cisco Employee
Cisco Employee

Hello, 

 

For this kind of issue is better to open a TAC case so the Prime Infrastructure Engineer can recover the shell cli access using a patch file. This procedure requires TAC to copy a RootEnable patch into the Prime defaultRepo, and install it so you can recover back the shell password.

 

I did the below steps already and it worked. Please check below: 

 

Recover Shell CLI Access on Prime 3.5:

 

To copy the file from SFTP Server to Prime 3.5:


prime3.5/admin# copy sftp://a.b.c.d/RootEnable-appbundle-x86_64.tar.gz disk:/defaultRepo
Username: cisco
Password: cisco123!

 

(This syntax is to copy the file from SFTP Server to the defaultRepo of the Prime).

(You can put your own credentials on your SFTP server, this is just an example).
(a.b.c.d stands for the IP Address of the SFTP Server).

 

Check the file got copied successfully: 

 

apl90624/admin# show repo defaultRepo
RootEnable-appbundle-x86_64.tar.gz

 

Execute the install command, and below the expected output: 

 

apl90624/admin# application install RootEnable-appbundle-x86_64.tar.gz defaultRepo
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Generating configuration...
Saved the ADE-OS running configuration to startup successfully

Please ensure you have a backup of the system before proceeding.
Proceed with the application install ? (yes/no) [yes] ? yes
Initiating Application installation...

Application successfully installed


Reconfigure the shell password back:


apl90624/admin# shell

Shell access password is not set
Configure password for shell access

Password :
Password Again :

Shell access password is set
Run the command again to enter shell


apl90624/admin# shell
Enter shell access password :
Starting bash shell ...
ade #

 

Root password successfully recovered.

 

Hope this helps to fix the issue.

In addition to the above, once you upgrade PI from 3.X to PI 3.5, at the CLI prompt that asks you to "disable the shell", please say NO, because if you say YES, you will disable the shell, forcing to perform the above procedure described.

Regards,

Hi,

I did the same mistake by answering YES at the installation wizard. When I install the patch, shell access is only avaiable for a specific time. Suddenly, the "shell" command disapeared at the cli. After reboot, I could reinstall the root patch. Is there any way to make it persistent?

Hi Tobias,



When you install the root patch to get shell access again, right after that you need to logout/login back to CLI to enable this password.

If you want to make the root persistent you need to open a TAC case since I don't know such procedure.



Regards,


thanks for your info esterodr,

is there any way to get RootEnable-appbundle-x86_64.tar.gz without open a TAC?

 

regards :-)

 

Hi Hilario,

The recommendation is to open the TAC case and get into webex with the Engineer for him/her to provide you with the patch and do the procedures to recover the shell password, that patch is an internal file not available to customers for download like any other files for Prime Infrastructure.
I'm glad my post has helped you!

Can you check if this issue happens again? There seems to be a bug as we keep losing shell access. I have installed root patch several times. After few days I get the same time out message and have to install root patch again.

 

To compound the issue we ran into another potential bug where /var fills up and Prime stops working. I can't get to shell because of above mentioned issue. I had to do CentOS ISO recovery to access the  /var volume and delete large files to bring up Prime.

 

Hope this helps if someone runs into this issue.

 

Hi yprasannas,



There are a couple of bugs for /var getting full: CSCvb45802 and CSCvb65492.



Below links:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo65492

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb45802



You can try to apply the WA, but if issue still happens, please open a case with TAC to have it fixed permanently.

The shell access should not be getting lost from time to time, if you have the root patch you can use it to recover the shell password without using CentOS image.



Hope this helps,


Thanks for the info.

 

Regarding the shell access ...yes we keep losing it even after installing root patch. I have another TAC case open on this. I will update you all on how it goes.