
Disable Resilient Configuration - IOS 15.1(4)M6 on Cisco 2811 Router

MANGODZILLA
Level 1

Hello to everyone, and thank you for joining this post.


I have my hands on a 2811 router in my lab; my wish is to explore various scenarios in order to get familiar with IOS commands and configurations, since I am preparing myself for my CCNA exam.


After upgrading the DRAM memory to 512MB, I upgraded this router from IOS 12 to 15 with success.
I got comfortable with some basic configurations and the general management of the interfaces, so I then proceeded to approach some security features, more specifically the Resilient Configuration, which seemed to be something crucial to master.

 

Having this document in hand, I understood the concept of the feature and I've activated the Resilient Configuration on the router.

 

Everything worked fine: I've secured both the IOS image and the primary bootset.
The router boots smoothly with the secured image and I also managed to restore the secured configuration with low effort.
I'm now writing this post because actually I can't figure out how to disable this feature.

 

As mentioned before, the IOS image c2800nm-adventerprisek9-mz.151-4.M6.bin (which weighs 67.878.324 bytes) was secured and so it appears to be hidden on the flash memory.

ROUTER_2811#dir
Directory of flash:/

    3  -rw-        9418  Apr 20 2021 20:06:36 +02:00  archived-config-0
    4  -rw-      527849  Jan 26 2011 07:54:52 +01:00  128MB.sdf

128737280 bytes total (60305408 bytes free)
ROUTER_2811#
ROUTER_2811#sh version
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M6, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Thu 14-Feb-13 04:13 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T11, RELEASE SOFTWARE (fc1)

ROUTER_2811 uptime is 1 hour, 49 minutes
System returned to ROM by reload at 08:08:16 UTC Wed Apr 21 2021
System image file is "flash:c2800nm-adventerprisek9-mz.151-4.M6.bin"
Last reload type: Normal Reload


 

 

Despite this, it seems that the Resilient Configuration for it is already disabled:

ROUTER_2811#show secure bootset
IOS resilience router id FHK1504F193

IOS image resilience is not active

IOS configuration resilience version 15.1 activated at 20:20:15 summert Tue Apr 20 2021
Secure archive flash:.runcfg-20210420-182015.ar type is config
configuration archive size 2429 bytes

ROUTER_2811#

I can't seem to find any documentation for the disabling of this feature, and any help in this matter is highly appreciated.

 

Thanking you for your attention and for your help, I'll send my best regards.

 

****
MACRO
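The three outputs quoted in the post above can be cross-checked mechanically. The following Python sketch is an added example, not part of the original thread or of any Cisco tooling: it parses `show version`, `dir` and `show secure bootset` text and flags the state the post describes, where the booted image is absent from the `dir` listing while image resilience reports "not active". The function names and the `audit` result keys are assumptions made for this example, and the sample input is constructed from the outputs in the post.

```python
import re

# Constructed sample input: abbreviated copies of the outputs quoted in the post.
SHOW_VERSION = 'System image file is "flash:c2800nm-adventerprisek9-mz.151-4.M6.bin"\n'
DIR_FLASH = """Directory of flash:/
    3  -rw-        9418  Apr 20 2021 20:06:36 +02:00  archived-config-0
    4  -rw-      527849  Jan 26 2011 07:54:52 +01:00  128MB.sdf
128737280 bytes total (60305408 bytes free)
"""
SHOW_SECURE_BOOTSET = """IOS resilience router id FHK1504F193
IOS image resilience is not active
IOS configuration resilience version 15.1 activated at 20:20:15 summert Tue Apr 20 2021
Secure archive flash:.runcfg-20210420-182015.ar type is config
configuration archive size 2429 bytes
"""

def parse_bootset(text):
    """Parse 'show secure bootset': which halves are active, and their archives."""
    state = {"image_active": False, "config_active": False, "archives": {}}
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"IOS (image|configuration) resilience (.*)", line)
        if m:
            key = "image_active" if m.group(1) == "image" else "config_active"
            state[key] = "not active" not in m.group(2)
            continue
        m = re.match(r"Secure archive (\S+) type is (\w+)", line)
        if m:
            state["archives"][m.group(2)] = m.group(1)
    return state

def visible_files(dir_text):
    """Names from 'dir' entry rows (index, permissions, ..., name)."""
    rows = (l for l in dir_text.splitlines() if re.match(r"\s*\d+\s+[-d][-rwx]{3}\s", l))
    return {row.split()[-1] for row in rows}

def running_image(show_version):
    """File name of the booted image, without the filesystem prefix."""
    m = re.search(r'System image file is "(?:[^":]+:)?/?([^"]+)"', show_version)
    return m.group(1) if m else None

def audit(show_version, dir_text, bootset_text):
    """Cross-check the three outputs and flag a hidden image with resilience off."""
    state = parse_bootset(bootset_text)
    image = running_image(show_version)
    hidden = image is not None and image not in visible_files(dir_text)
    state.update(image=image, image_hidden=hidden,
                 inconsistent=hidden and not state["image_active"])
    return state

if __name__ == "__main__":
    print(audit(SHOW_VERSION, DIR_FLASH, SHOW_SECURE_BOOTSET))
```
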

Accepted Solutions

MANGODZILLA
Level 1

After some time I managed to understand how to approach the disabling of the resilient feature.
In fact, the raw format of the compact flash worked fine.


balaji.bandi
Hall of Fame

Can you post show version and show run.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi @balaji.bandi, thank you very much for answering my post.

Following the complete output of the commands you asked for:

ROUTER_2811#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M6, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Thu 14-Feb-13 04:13 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T11, RELEASE SOFTWARE (fc1)

ROUTER_2811 uptime is 14 minutes
System returned to ROM by power-on
System image file is "flash:c2800nm-adventerprisek9-mz.151-4.M6.bin"
Last reload type: Normal Reload


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2811 (revision 1.0) with 509952K/14336K bytes of memory.
Processor board ID FHK1504F193
2 FastEthernet interfaces
5 ATM interfaces
4 Channelized E1/PRI ports
1 Virtual Private Network (VPN) Module
1 ATM/Voice AIM
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
126000K bytes of ATA CompactFlash (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO2811             FHK1504F193



Configuration register is 0x2142

 

ROUTER_2811#show run
Building configuration...


Current configuration : 8577 bytes
!
! Last configuration change at 12:53:20 summert Wed Apr 21 2021 by macro
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname ROUTER_2811
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.151-4.M6.bin
boot system rom
boot-end-marker
!
!
card type e1 0 0
card type e1 0 1
security authentication failure rate 3 log
security passwords min-length 8
logging buffered 4096
no logging console
no logging monitor
enable secret 5 $1$vVkH$tKvhs6/6phpziVRPYMC6D.
!
no aaa new-model
!
clock timezone ITALY 1 0
clock summer-time summertime recurring last Sun Mar 3:00 last Sun Oct 3:00
network-clock-participate wic 0
network-clock-participate wic 1
network-clock-participate aim 0
network-clock-select 1 E1 0/0/0
network-clock-select 2 E1 0/1/0
network-clock-select 3 E1 0/0/1
network-clock-select 4 E1 0/1/1
!
dot11 syslog
no ip source-route
ip options drop
!
!
ip cef
!
no ip dhcp use vrf connected
ip dhcp bootp ignore
ip dhcp excluded-address 192.168.2.1
!
!
no ip bootp server
no ip domain lookup
ip domain name ims.vodafone.it
no ip port-map sip port udp 5060 description Session Initiation Protocol
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2811 sn FHK1504F193
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
 path flash:archived-config
 write-memory
username macro privilege 15 secret 4 BZwxiIJv/wgtTvOwuRGttJFnaFtmTuvMp4fVHCwbFmM
secure boot-config
!
redundancy
!
!
controller E1 0/0/0
 mode atm aim 0
!
controller E1 0/0/1
 mode atm aim 0
!
controller E1 0/1/0
 mode atm aim 0
!
controller E1 0/1/1
 mode atm aim 0
!
ip tftp source-interface ATM0/IMA1.1
!
class-map match-any CPPr-ttl
 match access-group name ttl-expired-acl
class-map match-all CPPr-host-know-undesiderable
 match access-group name known-undesirable-acl
!
!
policy-map CPPr-host
 class CPPr-host-know-undesiderable
  drop
policy-map CPPr-transit
 class CPPr-ttl
  police 8000 conform-action transmit  exceed-action drop  violate-action drop
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 description **** INTERFACCIA WAN ****
 ip address 192.168.3.4 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description **** INTERFACCIA LAN ****
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly in
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface ATM0/1/1
 no ip address
 scrambling-payload
 ima-group 1
 no atm ilmi-keepalive
 no atm enable-ilmi-trap
!
interface ATM0/1/0
 no ip address
 scrambling-payload
 ima-group 1
 no atm ilmi-keepalive
 no atm enable-ilmi-trap
!
interface ATM0/0/1
 no ip address
 scrambling-payload
 ima-group 1
 no atm ilmi-keepalive
 no atm enable-ilmi-trap
!
interface ATM0/0/0
 no ip address
 scrambling-payload
 ima-group 1
 no atm ilmi-keepalive
 no atm enable-ilmi-trap
!
interface ATM0/IMA1
 bandwidth inherit
 no ip address
 no atm ilmi-keepalive
 no atm enable-ilmi-trap
!
interface ATM0/IMA1.1 point-to-point
 description *** PVC VOCE ***
 ip address dhcp client-id FastEthernet0/0
 ip nat outside
 ip virtual-reassembly in
 atm route-bridged ip
 no atm enable-ilmi-trap
 snmp trap link-status
 pvc VOCE 10/35
  vbr-rt 2048 2048
  oam-pvc manage
  encapsulation aal5snap
 !
!
interface ATM0/IMA1.2 point-to-point
 description *** PVC DATI ***
 ip address dhcp client-id FastEthernet0/1
 ip virtual-reassembly in
 atm route-bridged ip
 no atm enable-ilmi-trap
 snmp trap link-status
 pvc DATA 10/36
  ubr 4096
  encapsulation aal5snap
 !
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat translation udp-timeout 60
no ip nat service sip udp port 5060
!
ip access-list extended known-undesirable-acl
 permit tcp any any fragments
 permit udp any any fragments
 permit icmp any any fragments
 permit ip any any fragments
ip access-list extended ttl-expired-acl
 permit ip any any ttl lt 2
!
!
!
!
!
snmp-server community kinte RO 97
snmp-server trap-source ATM0/IMA1.1
snmp-server trap-timeout 300
snmp-server queue-limit notification-host 50
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps flash insertion removal
snmp-server enable traps envmon
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps atm pvc
snmp-server enable traps atm subif
snmp-server enable traps config
snmp-server enable traps dsp card-status
snmp-server enable traps entity
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps cpu threshold
!
tacacs-server directed-request
tacacs-server key 7 080440471318071206035E547A7C
control-plane host
 service-policy input CPPr-host
!
control-plane transit
 service-policy input CPPr-transit
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
privilege interface level 10 pvc
privilege interface all level 10 isdn
privilege interface all level 10 shutdown
privilege interface all level 10 ip
privilege interface level 10 no pvc
privilege interface all level 10 no isdn
privilege interface all level 10 no shutdown
privilege interface all level 10 no ip
privilege interface all level 10 no
privilege configure level 10 interface
privilege exec level 10 write memory
privilege exec level 10 write
privilege exec level 10 configure terminal
privilege exec level 10 configure
privilege exec level 10 reload
privilege exec all level 10 undebug
privilege exec level 10 terminal monitor
privilege exec level 10 terminal no monitor
privilege exec level 10 terminal no
privilege exec level 10 terminal
privilege exec all level 10 debug
privilege exec all level 10 clear line
privilege exec level 10 clear
banner login ^C**** ROUTER CISCO 2811 LAB - MACRO **** ^C
!
line con 0
 exec-timeout 5 0
 privilege level 10
 login local
line aux 0
 no exec
 transport output none
line vty 0 4
 access-class 98 in
 exec-timeout 5 0
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 access-class 98 in
 exec-timeout 5 0
 privilege level 15
 login local
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp access-group peer 99
ntp access-group serve-only 1
ntp server 91.80.35.139 prefer
ntp server 91.80.35.171
end

 

 

I may have missed something here; you want to disable secure boot-image and secure boot-config?

BB


That's correct;
I would like to disable all the Resilient Configuration feature in order to obtain access to the IOS image file.
Practically, my wish is to restore the scenario as it was prior to enabling it.

As mentioned in the post, I've already followed that specific guide to enable the Resilient Configuration, and there is no mention of disabling that feature, which is why I'm seeking advice here in the community.

Restoring an Archived Router Configuration - does this help you?

BB


As stated in the post "I also managed to restore the secured configuration with low effort."

This means that I've already covered the "Restoring" section of the text.

Maybe I have overlooked it because of the long post. If you have done all the steps, it should have recovered in normal mode.

 

Have you tried erasing the flash (ROMMON mode) and loading the IOS image fresh?

BB


Hello,

See the Restrictions section in the document linked by BB:

 

>> This feature can be disabled only by using a console connection to the router.

 

Hope to help

Giuseppe

 
