05-21-2007 10:48 AM
I have a 3845 Router that my company just purchased. Once I log in, it says the SDM is installed on it, but I can't enable SSH on it. (2) When I configured it via the console, it did prompt for the enable password, but since I took it to a region, it does not prompt for the enable password again; it simply takes me to the enable mode with the username password. I configured the enable password as ********, but it does not prompt for it. Can anyone help me with these two issues? Thanks in advance.
05-21-2007 12:59 PM
ERIAKHA
There are several things which might explain the difficulty with SSH:
- first, are you running an image and feature set which supports SSH (in general it must be a feature set which supports crypto)? If you can post the output of show version it would be easy to figure out whether this was the issue.
- assuming that the image does support SSH, the next issue to look at is whether the RSA keys have been generated. If you would post the output of the privilege level command show crypto key mypubkey rsa, we could see this answer.
- if the RSA keys have been generated but SSH does not work then the next issue is whether the vty lines are configured to support SSH. If you would post the configuration of the vty lines we could see this.
The other issue of it taking you direct to enable mode without prompting for the enable password sounds like the vty lines have been configured with privilege level 15 (which SDM frequently does). If that is in the config of the vty lines then you should remove it and it should prompt you for the enable password. The other possibility is that the user name has been configured for level 15 access. If you can post the line of configuration which specifies the user name we can figure this out.
HTH
Rick
05-22-2007 09:19 AM
RICK,
Thank you very much for your prompt response to my request. Please find below the reports of the various "shows" that I performed.
Cisco IOS Software, 3800 Software (C3845-IPBASE-M), Version 12.4(3g), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 06-Nov-06 05:34 by alnguyen
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
ROUTER uptime is 22 hours, 33 minutes
System returned to ROM by reload at 01:06:07 UTC Wed Mar 17 1993
System restarted at 01:06:57 UTC Wed Mar 17 1993
System image file is "flash:c3845-ipbase-mz.124-3g.bin"
Cisco 3845 (revision 1.0) with 222208K/39936K bytes of memory.
Processor board ID FCZ110471QE
2 Gigabit Ethernet interfaces
4 Serial interfaces
4 Channelized E1/PRI ports
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
62720K bytes of ATA System CompactFlash (Read/Write)
Configuration register is 0x2102
#show crypto key mypubkey rsa ?
% Unrecognized command
#show crypto key mypubkey rsa
^
% Invalid input detected at '^' marker.
#sh line vty 0 15
Tty Line Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
* 450 450 VTY - - - - 23 2 0 0/0 -
451 451 VTY - - - - 23 0 0 0/0 -
452 452 VTY - - - - 23 0 0 0/0 -
453 453 VTY - - - - 23 0 0 0/0 -
454 454 VTY - - - - 23 0 0 0/0 -
455 455 VTY - - - - 23 0 0 0/0 -
456 456 VTY - - - - 23 0 0 0/0 -
457 457 VTY - - - - 23 0 0 0/0 -
458 458 VTY - - - - 23 0 0 0/0 -
459 459 VTY - - - - 23 0 0 0/0 -
460 460 VTY - - - - 23 0 0 0/0 -
461 461 VTY - - - - 23 0 0 0/0 -
462 462 VTY - - - - 23 0 0 0/0 -
463 463 VTY - - - - 23 0 0 0/0 -
464 464 VTY - - - - 23 0 0 0/0 -
465 465 VTY - - - - 23 0 0 0/0 -
05-22-2007 10:39 AM
ERIAKHA
The information that you posted allows us to solve one of the questions but not yet the second question.
The version and feature set of code that you are running is IP BASE W/O CRYPTO and it does not support SSH. If you upgrade the code to a version and feature set that does support crypto (there is a 12.4(3g) IP BASE with CRYPTO which does support SSH) then you will be able to use SSH.
We still do not have quite enough information to answer why telnet is going directly to privilege mode. If you would post the part of the router configuration that starts with line vty 0 4 it would get us closer to the answer.
HTH
Rick
05-22-2007 10:58 AM
Thank you very much once again RICK, below is the information requested.
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 23 in
privilege level 14
password 7 12350C19174B5D10152C75780C370210571B43
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet
!
scheduler allocate 20000 1000
ntp clock-period 17179948
ntp server 192.168.0.254
!
end.
PS: Note that the privilege level 15 on line vty 5 15 was configured by me; it enables me to access the router via http.
Thank you very much once again.
05-22-2007 11:28 AM
ERIAKHA
I believe that we are getting closer to understanding what is going on and to finding a solution.
I am a bit surprised to find this line under vty 0 4:
privilege level 14
I am not sure whether your router has something special configured for privilege level 14 or whether this was a typo and intended to be level 15. Would you post the output of show run | include priv? This will help clarify whether special privilege levels are configured.
The privilege level 15 on vty 5 15 is what I expected to find based on the symptoms. If someone logs in on those vty lines they will automatically go directly to privilege mode without being prompted for the enable password.
Do I understand from an earlier post that when you telnet to the router you enter a user name and password? To clarify what is happening there, would you also post the output of the command show run | include aaa? This will help us understand what is going on.
HTH
Rick
05-23-2007 12:17 AM
Thank you very much, Rick, once again for your continued interest in helping me.
Below is the output of the config you asked for.
#sh run | include privilege
with the password "cisco". The default username and password have a privilege level of 15.
username
privilege level 14
privilege level 15
#sh run | include aaa
aaa new-model
aaa authentication login default local
aaa session-id common
05-23-2007 06:58 AM
ERIAKHA
I believe that we now have the answer about going to privilege mode without being prompted for the enable password. I have set it up on one of my routers and verified what I have found. What is happening is the result of the privilege level 14 on the first set of the vty lines. With that privilege level configured when you telnet to the router it does not prompt for the enable password and gives you the prompt with # which looks like you are in privilege mode. But at privilege level 14 you do not have access to the privilege level commands (I attempted config t from that prompt and received the response invalid command). If you telnet to the router, get that prompt, and do the command show privilege I believe that it will confirm that you are at privilege level 14 and do not really have access to the commands that the prompt makes you believe that you have. It is quite easy to test and confirm this.
The simple resolution to the issue is to remove privilege level 14 from vty 0 4. This will give you the behavior that you expect on this router. I am not clear how the level 14 got on those vty and therefore not clear whether removing the privilege level will impact anything. But I believe from your discussion in these posts that it is not anything that you need.
HTH
Rick
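Pulling the thread's findings together as an added example (not configuration posted by anyone in the thread): the vty stanza as posted, beside a corrected version that drops the per-line privilege level so the enable secret is prompted for, and, assuming the router has been reloaded onto a crypto-capable feature set as Rick describes, moves the vty lines from telnet to SSH. The hostname, domain name, username, 2048-bit modulus and timeouts are assumptions; access-list 23 is the one already referenced in the posted config.

```cisco
! --- As posted in the thread: telnet only, privilege level set on the lines ---
! Level 14 on vty 0 4 yields a '#' prompt without the enable password but without
! real privileged access; level 15 on vty 5 15 skips the enable password entirely.
line vty 0 4
 access-class 23 in
 privilege level 14
 password 7 <redacted>
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet
!
! --- Corrected running config (assumes an IP BASE with CRYPTO image) ---
! To get here from the posted stanzas, enter "no privilege level 14" under
! "line vty 0 4" and "no privilege level 15" under "line vty 5 15".
hostname ROUTER
ip domain-name example.com                 ! assumption: needed before key generation
crypto key generate rsa modulus 2048       ! RSA key pair; verify with show crypto key mypubkey rsa
ip ssh version 2                           ! SSHv2 only
ip ssh time-out 60                         ! seconds allowed for the SSH negotiation
ip ssh authentication-retries 3
!
enable secret <ENABLE-SECRET-PLACEHOLDER>  ! hashed; preferred over "enable password"
! Username kept at the default privilege (1) so that "enable" still prompts for
! the enable secret, which is the behaviour the original poster wanted.
username admin secret <USER-SECRET-PLACEHOLDER>
!
aaa new-model                              ! already present in the posted config
aaa authentication login default local     ! already present in the posted config
!
line vty 0 15
 access-class 23 in                        ! same management ACL as in the thread
 exec-timeout 10 0                         ! drop idle sessions after 10 minutes
 logging synchronous
 transport input ssh                       ! telnet no longer accepted on any vty
!
```

After logging in over SSH, show privilege should report level 1, and entering enable should prompt for the enable secret.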
05-24-2007 10:29 AM
Thank you very much RICK.
From the discussions I had with you and the suggestions you made, I have been able to remove the privilege level 15 that you suggested the SDM Feature normally installs and introduces.
I have logged into the router remotely and for ONCE, I have been required to enter the enable password.
Thank you so much, I am really grateful
God bless.
05-24-2007 11:14 AM
ERIAKHA
I am glad that it is now working as you want it to. I am glad that my answers and discussion were helpful in this.
The forums are very useful places to exchange knowledge and to get questions answered. I encourage you to continue your participation in the forums.
HTH
Rick