06-30-2011 08:44 AM - edited 03-07-2019 01:02 AM
We are installing a large campus with a centralized network management workstation. Currently, we are using an SSH client to communicate with the different network devices. A problem has come up when installing new configurations into the devices. During major configuration changes, we "wr erase" the startup configuration, copy the new configuration into the startup configuration and reload. Unfortunately, this causes the RSA key to be erased, and SSH communications can't be restarted.
Currently the command we are using is "crypto key generate rsa general-keys modulus 1024". How do we embed this within the configuration so that it generates a new key and communication isn't required at the console port? Thanks for any help provided in advance.
Charles Davis
06-30-2011 12:52 PM
General RSA keys will not appear in the configuration. The key that does is the one used when HTTPS access is enabled.
ip http secure-server
07-01-2011 07:20 AM
So how are ssh communications able to be established from remote equipment other than connecting to them with a console cable? If a failure happens and the configuration must be completely re-written, is it always required that a person physically touch the device? Thanks for your input on this.
07-01-2011 07:39 AM
When you erase your startup config, you are basically wiping out everything, including the management IP address of the device. When this happens, the device goes back to the default config, and the only way to access it is by using a console cable.
07-01-2011 09:57 AM
I agree. What we would do is "wr er" to remove the old configuration, and then copy in the new configuration. Is it possible to copy a new configuration onto the old one so that the RSA key remains through a reboot?
07-01-2011 11:34 AM
In situations for which you want to start fresh, you should
!---------Get rid of the old RSA key--------
crypto key zeroize rsa
!---------Get rid of old config-----------
wr erase
!---------Reload------------
!----------Paste the new config-------
!----------Generate a new key--------
crypto key generate rsa general-keys modulus 1024
Message was edited by: Antonio Knox
07-04-2011 02:32 PM
Charles
I basically agree with Antonio, but I think the solution does not need to be quite as complex as his suggestion. I believe it should be sufficient that, after "wr erase", you do the crypto key generate when making your config changes.
If the objective were to replace an existing key with a new key, then I absolutely agree with Antonio. But I believe that in your situation a new key is a byproduct of the changes and not the objective.
HTH
Rick
Sent from Cisco Technical Support iPhone App
07-04-2011 07:53 PM
Absolutely. Because during the "wr erase" process our crypto key gets erased as well. This makes it impossible to then reconnect to the device once it has been reloaded remotely. What I am looking for is a way to reload a configuration, reboot the switch and still have a standing crypto key to reconnect with. Otherwise, a technician will have to actually connect to the device each time a new configuration is required. So I guess the main question is: after a "wr er", an upload of a new configuration and a reload, how do you force the switch to generate a new key or hold on to the one that is currently being used? This is being forced on us because the only management workstations are desktops and not laptops that can be taken to the device and connected via console. Thanks in advance to both of you for your patience and help.
Charles
07-04-2011 08:38 PM
Charles
Do I understand correctly that you upload a new config to the device? If so, then it should be possible to incorporate the crypto key generate command into the config that you upload.
HTH
Rick
07-05-2011 03:15 PM
Rick,
That is exactly what we are trying to do. But when we just spell out the generate command at the end of the configuration, while there is no error from the device, no crypto key gets generated. It is only when you actually go in via console and re-enter the command that an RSA key gets generated. This is mainly an issue on either 2960G or 3750 switches. Routers seem to store the RSA keys in different locations.
07-06-2011 12:06 PM
You may be able to push the key generation via SNMP. Simply upload the config, and then access the switch via SNMP and generate the key.
07-06-2011 05:38 PM
Is there any other way? We do not run SNMP on our systems. I was hoping that I was just doing something wrong in my configuration when I reinstalled it. Unfortunately, I am also trying to make this friendly for users who aren't highly trained in Cisco devices.
07-06-2011 06:24 PM
Have you tried just putting it as the last command in your config text file? It should work with just "crypto key gen my rsa 1024" as the last command in your config file.
07-06-2011 07:17 PM
I thought of that too, but it didn't seem to work. There were no errors, but an RSA key was not generated.
07-07-2011 06:06 AM
I could think of a couple of different ways to do this, but one involves using telnet first via the config push then enabling SSHv2, and the other involves what could easily become an overly complex EEM applet. But I don't really see a supremely simple way to do it outside of the suggestions posted here.
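The EEM route mentioned in the post above, written out as an added example; this is not code from the thread or from any of its participants. It assumes an IOS image with EEM 3.0 or later (needed for the "if"/"else"/"end" actions and "regexp"), and that the pasted config already sets a hostname and "ip domain-name" further up, since "crypto key generate rsa" refuses to run without a domain name. The hostname, domain and applet name are placeholders. Because the applet runs as a policy after the configuration has been parsed, rather than as a line inside the paste, it sidesteps the silently-ignored "crypto key generate" the original poster describes. It also checks for an existing key pair first, so it is safe to leave in the config: a second run (for example after the next reload) will not hit the interactive "replace them? [yes/no]" prompt that an unattended applet cannot answer.

```text
! Added example, not from the original thread.
! Assumes: EEM 3.0+, and hostname / ip domain-name set before the applet.
! SW-EXAMPLE, campus.example and GEN_SSH_KEY are placeholder names.
hostname SW-EXAMPLE
ip domain-name campus.example
!
event manager applet GEN_SSH_KEY
 ! Fires once, 90 seconds after the applet is registered, i.e. after the
 ! pasted config is parsed or after the reload that follows "wr erase".
 event timer countdown time 90
 action 1.0 cli command "enable"
 ! Guard: only generate a key pair if none exists yet. "show crypto key
 ! mypubkey rsa" prints "Key name:" for each existing pair.
 action 2.0 cli command "show crypto key mypubkey rsa"
 action 2.1 regexp "Key name:" "$_cli_result"
 action 2.2 if $_regexp_result ne "1"
 action 3.0 cli command "configure terminal"
 ! 2048-bit modulus: the 1024-bit size used in the thread is below
 ! current guidance for RSA host keys.
 action 3.1 cli command "crypto key generate rsa general-keys modulus 2048"
 action 3.2 cli command "ip ssh version 2"
 action 3.3 cli command "end"
 ! The key pair is stored in the private config, not in running-config;
 ! "write memory" is what makes it survive the next reload.
 action 4.0 cli command "write memory"
 action 5.0 syslog msg "GEN_SSH_KEY: new RSA host key generated, SSHv2 enabled"
 action 6.0 else
 action 6.1 syslog msg "GEN_SSH_KEY: RSA key pair already present, nothing to do"
 action 7.0 end
```

Two practical notes. First, "ip ssh version 2" will only take effect once a key exists, which is why it sits after the generate step rather than in the pasted body. Second, a freshly generated host key is, from the management workstation's point of view, indistinguishable from a man-in-the-middle: the SSH client will report a changed host key. The check a practitioner wants here is to read the new key's fingerprint from "show crypto key mypubkey rsa" over the console or another trusted path and compare it before replacing the old known_hosts entry, rather than configuring the client to accept changed keys automatically.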