Cannot generate Crypto Keys on ASR 920 using Startup Config

Team,

My router has a hostname and ip-domain configured. If I use the following command manually on the router in config mode, I am able to generate the crypto key and enable SSH.

crypto key generate rsa modulus 4096

However, if I load a new startup-config remotely via tftp, the same command in the config fails to generate a crypto key.

This is a problem, because we frequently load the configurations on our routers remotely (first wr erase, then copy from tftp, then reload). The "wr erase" part is necessary, otherwise some changes are overlapped.

1. Is there a way to automatically generate the crypto key as part of the startup config?

2. Is there any other (better) way to load the configs and not lose the existing crypto key?

Attached is a sample config.

PS: The passwords are all generic and are used in the lab.

Accepted Solution

On IOS-XE, the only way we found to get around this situation is to create an EEM script which automatically checks for crypto keys at boot and generates them if missing.

!
event manager session cli username "admin" privilege 15
event manager applet Crypto_Key_Gen authorization bypass
 event syslog pattern "System restarted"
 trigger delay 30
 action 1.0 cli command "enable"
 action 2.0 cli command "show crypto key mypubkey rsa | include key"
 action 3.0 regexp "Temporary key" "$_cli_result" var1
 action 4.0 if $var1 eq "Temporary key"
 action 5.0  syslog msg "Existing SSH cryptographic key present, skipping re-generation"
 action 6.0 else
 action 7.0  syslog msg "No existing SSH cryptographic key found, re-generating key"
 action 7.1  cli command "enable"
 action 7.2  cli command "crypto key gen rsa mod 4096"
 action 8.0 end
!
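The applet above decides whether to regenerate by pattern-matching the text of `show crypto key mypubkey rsa`. The Python below is an added example, not part of this thread or of the EEM applet, showing the same decision done off-box in a stricter form: it parses the command output, decodes the DER-encoded key data and reports whether an RSA key of at least the required modulus size is present. The output layout imitates the IOS format from memory and is constructed here, the hostname `asr920.lab.example` is made up, and the key material is a synthetic modulus of the right bit length rather than a real key pair.

```python
import re

# --- Minimal DER helpers, enough for an RSA SubjectPublicKeyInfo ---

def der_len(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_int(value: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps a high-bit modulus positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)

def rsa_spki(n: int, e: int) -> bytes:
    """Build a SubjectPublicKeyInfo for the RSA public key (n, e)."""
    rsa_public_key = der_tlv(0x30, der_int(n) + der_int(e))
    rsa_encryption_oid = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1
    algorithm = der_tlv(0x30, rsa_encryption_oid + b"\x05\x00")
    return der_tlv(0x30, algorithm + der_tlv(0x03, b"\x00" + rsa_public_key))

def der_read(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki: bytes) -> int:
    """Return the modulus size in bits from a DER SubjectPublicKeyInfo."""
    tag, body, _ = der_read(spki, 0)
    assert tag == 0x30, "expected SubjectPublicKeyInfo SEQUENCE"
    _, _algorithm, pos = der_read(body, 0)
    tag, bit_string, _ = der_read(body, pos)
    assert tag == 0x03, "expected BIT STRING"
    _, rsa_public_key, _ = der_read(bit_string[1:], 0)  # skip unused-bits byte
    tag, modulus, _ = der_read(rsa_public_key, 0)
    assert tag == 0x02, "expected INTEGER modulus"
    return int.from_bytes(modulus, "big").bit_length()

# --- Parsing 'show crypto key mypubkey rsa' ---

HEX_LINE = re.compile(r"^\s*(?:[0-9A-Fa-f]{2,8}\s*)+$")

def parse_show_crypto_key(output: str) -> list:
    """Split the command output into key entries with name, type and hex key data."""
    keys, current, in_data = [], None, False
    for line in output.splitlines():
        m = re.match(r"^Key name:\s*(\S+)", line)
        if m:
            current = {"name": m.group(1), "type": None, "hex": []}
            keys.append(current)
            in_data = False
            continue
        if current is None:
            continue
        m = re.match(r"^Key type:\s*(.+)$", line)
        if m:
            current["type"] = m.group(1).strip()
        elif line.strip() == "Key Data:":
            in_data = True
        elif in_data and HEX_LINE.match(line):
            current["hex"].append(line.strip().replace(" ", ""))
        elif in_data and line.strip():
            in_data = False  # any other non-blank line ends the hex dump
    return keys

def usable_rsa_keys(output: str, min_bits: int = 2048) -> list:
    """Return (name, bits) for every RSA key whose modulus meets min_bits."""
    found = []
    for key in parse_show_crypto_key(output):
        if key["type"] != "RSA KEYS" or not key["hex"]:
            continue
        bits = rsa_modulus_bits(bytes.fromhex("".join(key["hex"])))
        if bits >= min_bits:
            found.append((key["name"], bits))
    return found

def has_usable_rsa_key(output: str, min_bits: int = 2048) -> bool:
    return bool(usable_rsa_keys(output, min_bits))

# --- Constructed sample output (layout from memory, synthetic moduli, made-up host) ---

def ios_key_block(name: str, spki: bytes) -> str:
    words = [spki.hex().upper()[i:i + 8] for i in range(0, 2 * len(spki), 8)]
    lines = ["% Key pair was generated at: 10:23:45 UTC Jan 1 2024", f"Key name: {name}",
             "Key type: RSA KEYS", " Storage Device: not specified", " Usage: General Purpose Key",
             " Key is not exportable. Redundancy enabled.", " Key Data:"]
    lines += ["  " + " ".join(words[i:i + 8]) for i in range(0, len(words), 8)]
    return "\n".join(lines)

E = 65537
SAMPLE_WITH_KEY = ios_key_block("asr920.lab.example", rsa_spki((1 << 2047) | 0x10001, E))
SAMPLE_WEAK_KEY = ios_key_block("asr920.lab.example", rsa_spki((1 << 1023) | 0x10001, E))
SAMPLE_NO_KEY = ""  # assumption: after erase and reload the command prints nothing

if __name__ == "__main__":
    for label, sample in [("fresh", SAMPLE_WITH_KEY), ("weak", SAMPLE_WEAK_KEY), ("none", SAMPLE_NO_KEY)]:
        print(f"{label}: usable={has_usable_rsa_key(sample)} keys={usable_rsa_keys(sample, min_bits=0)}")
```

Run against output captured before the erase and again after the reload to confirm whether the key survived, and raise `min_bits` to 4096 to enforce the modulus size the applet generates.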


2 Replies

Anyone, please help with this. I have this problem too.
