RSA keys disappear while upgrading IOS on Cisco 891F

Stefan Strand
Level 1
Hi,

We are upgrading IOS on all our Cisco 891F routers from version 15.3(3)M5 to version 15.6(3)M2 to be able to support Cisco IWAN. During the upgrade, the RSA keys that we have created disappear. After reboot we only have:

% Key pair was generated at: 19:56:17 UTC Jul 15 2017
Key name: CISCO_IDEVID_SUDI
Key type: RSA KEYS
 Temporary key
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:

This means that the certificates are not working, and SSH is not working. Has anyone else noticed this, and any suggestions for a workaround/fix?

Thanks,
Stefan

Andriy Sidko
Level 1

I hit the same issue ~2 weeks ago when I was upgrading the image from c800-universalk9-mz.SPA.153-3.M7.bin to c800-universalk9-mz.SPA.154-3.M7.bin.

After reboot, the router lost all RSA keys and the flash drive had file system errors.

Fix was:

fsck /all

Restore the certificate bundle from the pkcs12 file. I exported the RSA keys, certificate and intermediate certificate before the router upgrade.

It didn't take much time, except I had to go to the remote site where the router is.

Rahul Govindan
VIP Alumni

Have not seen this issue per se, but I know that in some versions, the SUDI key that was automatically generated was being used for the SSH key. This is instead of the default RSA keypair generated for SSH (because the SUDI key is generated earlier). You may have to change the SSH config to use the new key:

ip ssh rsa keypair-name keypair-name

It is possible the SUDI feature may have taken over your SSH key and caused the default RSA keys to be deleted since it was not being used. Might be worth a look to see if the issue can be reproduced on a non-production device.

Hi,

Have noticed the SUDI key and have already created a key with a name, but that also gets deleted. Will try some more tests in the lab.

Thanks a lot!

Aditya Ganjoo
Cisco Employee
Accepted Solution

Hi Stefan,

Please check the following bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd90410/?reffering_site=dumpcr

Regards,

Aditya

Please mark correct and helpful answers

Thanks a lot, this was exactly what I was looking for.

Will try to re-create it in the lab and post an update later today.

Thanks a lot!

Hi Stefan,

Happy to help.

Please close the discussion or mark the answer in case it helped you.

Regards,

Aditya

Have been unable to recreate the problem...

But have upgraded several more, and after doing a "no archive" before the upgrade, all the upgrades have been working.

So thanks a lot for finding it for me.
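
An added example, not part of any post in this thread: a Python check that compares the `show crypto key mypubkey rsa` output captured before and after an upgrade and reports which key pairs disappeared, and which could not have been exported to PKCS12 beforehand. The two sample outputs and the key names SSH-KEY and IWAN-CERT are constructed for illustration.

```python
import re

# Constructed samples in the format quoted in the first post; key data omitted.
BEFORE = """\
% Key pair was generated at: 10:02:11 UTC Mar 3 2016
Key name: SSH-KEY
Key type: RSA KEYS
 Usage: General Purpose Key
 Key is exportable.
 Key Data:
% Key pair was generated at: 10:05:40 UTC Mar 3 2016
Key name: IWAN-CERT
Key type: RSA KEYS
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
"""
AFTER = """\
% Key pair was generated at: 19:56:17 UTC Jul 15 2017
Key name: CISCO_IDEVID_SUDI
Key type: RSA KEYS
 Temporary key
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
"""

def parse_keypairs(show_output):
    """Return {key name: {"exportable": bool, "temporary": bool}}."""
    keys, current = {}, None
    for raw in show_output.splitlines():
        line = raw.strip()
        name = re.match(r"Key name:\s*(\S+)", line)
        if name:
            current = keys.setdefault(
                name.group(1), {"exportable": False, "temporary": False})
        elif current is not None and line == "Temporary key":
            current["temporary"] = True
        elif current is not None and line.startswith("Key is exportable"):
            current["exportable"] = True
    return keys

def upgrade_report(before, after):
    """Compare pre- and post-upgrade key inventories for one router."""
    pre, post = parse_keypairs(before), parse_keypairs(after)
    return {
        "missing": sorted(set(pre) - set(post)),  # gone after reboot
        "non_exportable": sorted(k for k, v in pre.items() if not v["exportable"]),
        "only_temporary_left": bool(post) and all(v["temporary"] for v in post.values()),
    }
```

Running the pre-upgrade half on its own before the reload shows which keys have no PKCS12 restore path if they are lost.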
