07-16-2018 06:08 AM - edited 03-08-2019 03:41 PM
Hi,
I've set up a test 3850 switch in a stack as I was looking at testing implications of moving from IOS XE 3.6.8E to Denali 16.3.6. I successfully upgraded the switch stack although now I've lost all connectivity to it. I noticed with this IOS it added a load of ACLs and wondered if that could be the problem. Prior to this I have been successfully connecting in via SSH. Any ideas why I would be unable to now access the switch (other than console)?
Thanks
07-16-2018 06:36 AM - edited 07-16-2018 06:38 AM
Hi there,
Check the release notes for the fix:
Note: When you upgrade to Cisco IOS XE Denali 16.3.5 the SSH access is lost, because it cannot use the CISCO_IDEVID_SUDI_LEGACY RSA server key. Before upgrade, generate the server key using the crypto key generate rsa command in global configuration mode. To verify whether the RSA server key is available on your device, run the show crypto key command.
cheers,
Seb
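An added example, not part of the post above or of the Cisco release notes: a pre-upgrade check that reads captured `show crypto key mypubkey rsa` output per switch and lists the switches whose only RSA key is CISCO_IDEVID_SUDI_LEGACY, or that have no key at all. The "Key name:" line layout, the hostnames and the captures are assumptions constructed for the example.

```python
import re

# Key name the release note says SSH cannot use after the upgrade.
UNUSABLE = {"CISCO_IDEVID_SUDI_LEGACY"}

# Assumed layout: each key pair is introduced by a "Key name: <name>" line.
KEY_NAME = re.compile(r"^\s*Key name:\s*(\S+)\s*$", re.MULTILINE)


def rsa_key_names(show_output):
    """Return every key pair name found in the captured show output."""
    return KEY_NAME.findall(show_output)


def usable_keys(show_output):
    """Key pairs other than the legacy SUDI key, i.e. ones SSH can serve."""
    return [n for n in rsa_key_names(show_output) if n not in UNUSABLE]


def needs_keygen(captures):
    """captures maps hostname -> show output; return hosts lacking a usable key."""
    return sorted(h for h, out in captures.items() if not usable_keys(out))


# Constructed captures (key data omitted), not output from a real device.
CAPTURES = {
    # Only the legacy SUDI key: SSH would be lost after the upgrade.
    "sw-a": "Key name: CISCO_IDEVID_SUDI_LEGACY\nKey type: RSA KEYS\n"
            " Usage: General Purpose Key\n",
    # A key generated during initial setup is also present.
    "sw-b": "Key name: CISCO_IDEVID_SUDI_LEGACY\nKey type: RSA KEYS\n"
            " Usage: General Purpose Key\n"
            "Key name: sw-b.example.net\nKey type: RSA KEYS\n"
            " Usage: General Purpose Key\n",
    # Empty output: no RSA key pairs at all.
    "sw-c": "",
}

if __name__ == "__main__":
    for host in needs_keygen(CAPTURES):
        print(f"{host}: run 'crypto key generate rsa' before upgrading")
```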
07-16-2018 07:15 AM - edited 07-16-2018 07:18 AM
Thanks, OK, I see that, but why would I not be able to ping my switch any longer? Nothing has changed other than upgrading to Denali 16.3.6. I had upgraded via Prime so the files in flash are .pkg in install mode. Can you help with what I would need to do here?
Thanks
07-16-2018 07:27 AM
You have my respect for trying to upgrade switches with Prime. (A few years ago a Prime 2.2 instance removed the running image, failed to upload a new one, didn't verify its presence (or lack of) and rebooted about 40 switches at a secure site. Needless to say, trying to get physical access to and then xmodem'ing IOS back onto these switches made me never use Prime for that function again!)
Anyhow... first suspect is Prime. Get a console cable and check the switch. It could have not cleaned the old images off, in creating a second packages.conf boot file. Or perhaps it didn't upload the file correctly. Maybe Prime has invented new ways of botching upgrades since 2.2?!
cheers,
Seb.
11-01-2018 12:59 PM
We are looking to do this update to the 16x versions of IOS-XE. As part of our standard setup we issue the crypto key gen rsa command and generate our keys. If we do this when we configure the device initially we should have no need for redoing the keys prior to updating, is that correct?
Someone mentioned downgrading, was there a reason? Or a specific issue that caused the need to downgrade?
11-01-2018 03:45 PM
Hello
@inlandprinting wrote:
we are looking to do this update to the 16x versions of IOS-XE. as part of our standard setup we issue the crypto key gen rsa command and generate our keys. if we do this when we configure the device initially we should have no need for redoing the keys prior to updating, is that correct? - Correct
Someone mentioned downgrading, was there a reason? or specific issue that caused the need to downgrade? - Not checked on the IOS-XE version you've installed, but one reason could be due to buggy software.
Try also to clean out any old .bin files off the switches and perform a clean up:
request platform software package clean switch all