IOS LOST AGAIN

bobhall3
Level 1

I have a 2600 that had been running well for the last year but now twice in the last month it has lost the IOS and re-booted to ROMMON. Startup Config was not lost. Any ideas on why this is happening?

4 Replies

Richard Burts
Hall of Fame

Bob

There are several things that you have not told us that would be helpful to know. You say that twice it has booted into ROMMON but did not tell us if these are the only times it has booted. If it fails every time it boots that is one thing and if sometimes it works and sometimes it does not that might be something different.

You have also not told us what you have had to do to recover from these errors (and in fact not told us that the errors were recoverable - but I am going to assume that they are recoverable since you say it has had a problem twice in a month which implies that after the first error that you got it running again).

One potential explanation for booting into ROMMON is either a problem with flash memory or that the image in flash has been erased. Since I am assuming that you got it running after the first error I am assuming that these are not the explanation (though re-seating the flash memory might be a good idea).

I am going to guess that the reason the router is booting into ROMMON is that someone changed the config register. You can check the current value of the config register by doing show version. The current value of config register is the last line displayed. The traditional value is 0x2102. I am guessing that it may be 0x2100. If this is the case change the config register and your problem will be solved.

If this is not the solution then it would be helpful if you would post the console output that is generated when the router reboots.

HTH

Rick

Rick,

Thanks for the reply.

I will have to check after hours if it will hold the IOS on another re-boot. I reloaded the IOS through using hyper-terminal which took about an hour and a half. After it rebooted it came up fine as the Startup-Config file was still there.

Conf Reg currently is Configuration register is 0x3922

I apologize for not being too quick with this Rick but what you're saying is someone from the outside changed my Conf Reg and all I needed to do was change it back?

What do you suggest would be the best solution for protecting against that type of attack?

Is there a log I can tap into to pull anything that may help in determining the cause?

Many thanks for your patience and response.

System returned to ROM by power-on
System image file is "flash:c2600-ik8s-mz.122-11.t"
cisco 2611 (MPC860) processor (revision 0x202) with 59392K/6144K bytes of memory.
Processor board ID JAD03422860 (4008444100)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x3922

Bob

0x2102 is the traditional value of the config register. I have looked into the documentation and find that 0x3922 is a valid setting on the 2600 router and it looks like the difference between 0x2102 and 0x3922 are the bits that set the console speed on your router to 115200.

So I do not believe that there is a problem with someone changing your config register.

I think it is also interesting about your comment about recovering the error taking an hour and a half. Do I assume this means that you had to use xmodem to recover? If so this implies that the IOS image was no longer in flash.

Can you post a display of the content of flash? Also any boot system commands that are in the config file.

And if you are going to do a reboot I would suggest that you capture the results of show flash before you start the boot process, capture all console output while the router is booting. And if you are going to reboot it would not be a bad idea to power down the router and to reseat all the flash.

Let me know how it turns out.

HTH

Rick
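
The register comparison in the reply above, worked through as an added example (not part of the original thread and not Cisco's code): it decodes the boot field, the ignore-startup-config bit, the Break-disable bit and the console-speed bits (5, 11, 12) from a show version value, and flags values that change boot behaviour. The bit meanings follow Cisco's published configuration-register layout; the function names and the extra sample value 0x2142 are illustrative assumptions.

```python
# Added example: decode a Cisco configuration register as shown by "show version".
# Bit layout per Cisco's published configuration-register documentation.

# (bit 5, bit 12, bit 11) -> console line speed in baud
BAUD = {
    (0, 0, 0): 9600,  (0, 0, 1): 4800,  (0, 1, 0): 1200,  (0, 1, 1): 2400,
    (1, 0, 0): 19200, (1, 0, 1): 38400, (1, 1, 0): 57600, (1, 1, 1): 115200,
}

def decode_confreg(value):
    """Return the boot-relevant fields of a 16-bit config register."""
    def bit(n):
        return (value >> n) & 1
    boot_field = value & 0xF
    if boot_field == 0:
        action = "stay in ROM monitor (rommon)"
    elif boot_field == 1:
        action = "boot first flash image or boot helper (platform dependent)"
    else:
        action = "follow boot system commands in startup-config"
    return {
        "boot_field": boot_field,
        "boot_action": action,
        "ignore_startup_config": bool(bit(6)),
        "break_disabled": bool(bit(8)),
        "console_baud": BAUD[(bit(5), bit(12), bit(11))],
    }

def changed_bits(old, new):
    """Bit positions that differ between two register values."""
    return [n for n in range(16) if ((old ^ new) >> n) & 1]

def findings(value):
    """Settings worth flagging when auditing a router's register."""
    d = decode_confreg(value)
    out = []
    if d["boot_field"] == 0:
        out.append("router will stop in ROM monitor on reload")
    if d["ignore_startup_config"]:
        out.append("startup-config is ignored at boot")
    return out

if __name__ == "__main__":
    # 0x2102, 0x3922, 0x2100 appear in the thread; 0x2142 (bit 6 set) is added for illustration
    for reg in (0x2102, 0x3922, 0x2100, 0x2142):
        print(hex(reg), decode_confreg(reg), findings(reg))
    print("0x2102 vs 0x3922 differ in bits", changed_bits(0x2102, 0x3922))
```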

Bob

This is a follow-up to address another part of your question. You asked if there were some log that you could use to see if someone had changed the config register. I do not believe that there is anything like that on the router itself. But it is possible to get that if you are using aaa and an ACS server. At a customer site where I do a lot of work we configure all of our routers with aaa accounting commands 15 default start-stop group tacacs+. This sends an accounting record to the ACS server for every privileged command that anyone enters and this includes configuration commands.

So if you continue to be interested in having a record of who changed what I would suggest that you look into this.

HTH

Rick
