08-22-2014 01:10 PM - edited 03-04-2019 11:35 PM
Configured a 2921 voice router. Put the TACACS config. Now I cannot log into the router because it cannot find the authentication server because I cannot no shut the port. It is just going through the authentication loop. It is not appearing to time out. How can I no shut the port so it can reach the server?
000675: *Aug 22 16:02:36: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: UNKNOWN] [localport: 0] [Reason: Login Authentication Failed] at 16:02:36 EDT Fri Aug 22 2014CC
Thanks!
08-22-2014 05:43 PM
Michael
This would be a pretty good suggestion only if you change it and substitute "console" where you say "telnet". The problem with the way that you have suggested is that when the router is hard reset any telnet session would hang, lose connectivity, and can only be re-established after the router has booted and is back online with the current config. But I agree with you that some variation on password recovery would be the most likely solution.
To the original poster
You have not provided much detail about how the router is configured. If you have configured the router with SNMP such that some device in the network has read/write access then it may be possible to change the config/no shut the interface using SNMP.
HTH
Rick
08-22-2014 05:43 PM
Hi,
If you have your router config saved within a notepad file I would suggest a hard reset of the router while you have a telnet console session active to the device.
You can issue a break from your chosen telnet application (PuTTY, TeraTerm, etc.) to come out of the boot process and drop into rommon.
From here you can change your device boot register to boot without using the saved configuration on the device flash, this will essentially allow you to boot the router as though it had just come out of the box.
From this point you can solve your problems, just don't forget to change the boot register back to its original settings. I'm not sure what the boot register value should be on a 2921, but generally the normal register value is 0x2102, to disable boot config from Flash you would change this value to 0x2142.
This is a common mistake when applying TACACS/ACL configuration, always remember if configuring a device that could potentially lock you out of the device, issue a delayed reload command to be safe!
I hope this helps and puts you on the right track :)
Cheers,
Michael
08-23-2014 02:13 AM
Hi Richard,
You sure are right!!! I don't know what I was thinking, I'll just put it down to it being very late at night when I wrote that post :)
Thanks for pointing out my error.
Michael
08-23-2014 08:17 AM
Michael
Do not be too hard on yourself. It was a good thought process and identified most of the elements of a successful solution. It just missed on one important point - and it was, after all, very late at night. :)
HTH
Rick
08-23-2014 08:32 AM
Thanks Rick,
Probably also worth adding on the reload command
Dev#reload in mm | hh:mm
exit telnet/ssh connection
restart telnet/ssh connection
Dev# reload cancel
dev#wr
Don't save new or updated config until after you have tested that it works for remote access!
Example from my 1841.
Michael#reload ?
  /noverify  Don't verify file signature before reload.
  /verify    Verify file signature before reload.
  LINE       Reason for reload
  at         Reload at a specific time/date
  cancel     Cancel pending reload
  in         Reload after a time interval
  warm       Reload should be warm
  <cr>
Michael#reload in ?
Delay before reload (mmm or hhh:mm)
Michael#reload in 5
Worth mentioning, not the type of command you want to be issuing on a production network device, these types of bugs should be ironed out in the test lab before being implemented live.
Michael
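Added example, not taken from any post in this thread: the kind of TACACS+ login configuration that produces the authentication loop in the original question, beside a version with a local fallback and a separate console method list, followed by the delayed-reload workflow Michael describes wrapped around the change. The hostname, server address, shared secret and local username are placeholders.

```cisco
! Added example (not from the thread). "Dev", 192.0.2.10, the shared
! secret and the local user are placeholders.
!
! --- Lockout-prone: TACACS+ is the only login method. If the server is
! --- unreachable (for example because the uplink is still shut), every
! --- login attempt fails and no credential will get you in.
aaa new-model
tacacs server TAC1
 address ipv4 192.0.2.10
 key <placeholder-shared-secret>
aaa authentication login default group tacacs+
!
! --- Hardened: same server first, local database only as a fallback when
! --- the TACACS+ group is unreachable (it does NOT apply when the server
! --- rejects a login), plus a console method list that never depends on
! --- the network, so physical access keeps working.
username admin privilege 15 secret <placeholder-strong-secret>
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
line console 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 transport input ssh
!
! --- Applying it from a remote session inside the reload safety net:
! --- if the new AAA config locks you out, the router reloads in 10
! --- minutes and comes back with the unchanged startup-config.
Dev# reload in 10
Dev# configure terminal
Dev(config)# ! paste the hardened block above
Dev(config)# end
! Open a second SSH session and log in once with a TACACS+ user and once
! with the local user. Only after both succeed:
Dev# reload cancel
Dev# write memory
```

The safety net works only because the running config has not been saved: write memory before the test and the scheduled reload brings back the broken configuration.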
08-25-2014 03:30 AM
Hello
Also check out using Cisco rollback, which doesn't require scheduled reloads - the concept I guess is taken from the Juniper iOS which allows applied configuration to be rolled back to the previous functional configuration after a set time if the user hadn't confirmed the changes he made.
This feature in Juniper is an excellent safety net for incorrect configuration messing up your day!
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/xe-3s/asr1000/config-mgmt-xe-3s-asr1000-book/cm-config-rollback.html
res
Paul