01-29-2008 08:02 PM - edited 03-05-2019 08:48 PM
Question I:
===========
We are seeing the following error when we tftp the config to startup-config of the router and then reboot the router.
% Rsa keys can't be generated by the startup configuration
If we tftp the config without the following command and then put it in manually after the tftp load, it works fine:
crypto key gen rsa gen mod 1024
I did the following on a Cisco 3745 router running 12.4 in the lab :
1. Copied the config from router to tftp server.
2. Added the following two commands to the saved config on the tftp server:
ip domain-name test
crypto key gen rsa gen mod 1024
3. Tftp'ed the new config to the router's startup-config.
4. Reloaded the router and got the error message:
% Rsa keys can't be generated by the startup configuration
Question II:
============
The command crypto key gen rsa gen mod 1024 - where does this command generate and write the key to, NVRAM or Flash? So maybe it has to be done just once, and maybe that is what I am doing wrong by putting the command in the startup config, and maybe that is why I am seeing the error message.
01-29-2008 08:12 PM
I have seen problems trying this also, so maybe it just has to be done manually. Once you create the file it does not change again. It is kept over reloads, so it would not have to change. The key is permanent in nvram unless you zeroize it. Believe it is kept in the private-config file in nvram. To verify this, just remove that crypto key gen statement and reload the box; the key will still be there if you have already created it. Verify with the "show crypto key my rsa" command.
01-29-2008 08:21 PM
ALPHONSE
The command to generate the keys operates through the parser when you are on line with the router - and apparently not if you attempt it from the startup config.
To me, attempting to TFTP the command to startup is not worth the effort that it takes. I always put the initial config into the router, manually generate the key, and forget about the key. I agree with Glen that once you generate the key it is relatively permanent. As Glen points out, if you zeroize the key it will need to be regenerated. Or if you change the hostname of the router or the domain name of the router, it will invalidate the key and you will need to regenerate it.
HTH
Rick
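An added example, not from this thread or from Cisco: a small pre-flight check for a config file that is about to be copied to startup-config, covering the failing step in the question (a `crypto key gen rsa` line in the file) and Rick's note that the key is tied to the hostname and domain name. The sample config below is constructed; the function names are my own.

```python
import re

# IOS accepts "crypto key generate rsa" only from the interactive parser,
# not while applying startup-config at boot, which is what produced
# "% Rsa keys can't be generated by the startup configuration".
KEYGEN_RE = re.compile(r"^\s*crypto\s+key\s+gen\w*\s+rsa\b", re.IGNORECASE)
HOSTNAME_RE = re.compile(r"^\s*hostname\s+(\S+)", re.IGNORECASE)
DOMAIN_RE = re.compile(r"^\s*ip\s+domain[- ]name\s+(\S+)", re.IGNORECASE)


def lint_startup_config(config_text):
    """Return (cleaned_text, findings) for a candidate startup-config."""
    findings = []
    kept = []
    hostname = domain = None
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if KEYGEN_RE.match(line):
            findings.append(
                f"line {lineno}: '{line.strip()}' cannot run from "
                "startup-config; removed. Generate the key interactively "
                "after the reload."
            )
            continue  # drop the line so the boot does not trip on it
        m = HOSTNAME_RE.match(line)
        if m:
            hostname = m.group(1)
        m = DOMAIN_RE.match(line)
        if m:
            domain = m.group(1)
        kept.append(line)
    # The RSA key is named <hostname>.<domain>; changing either later
    # invalidates it, so both should be settled before the key is made.
    if hostname is None:
        findings.append("no 'hostname' line: key name would change later")
    if domain is None:
        findings.append("no 'ip domain-name' line: IOS refuses to generate "
                        "an RSA key without a domain name")
    return "\n".join(kept) + "\n", findings


# Constructed sample mirroring steps 2 and 3 of the question.
SAMPLE_CONFIG = """\
hostname lab-3745
ip domain-name test
crypto key gen rsa gen mod 1024
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    cleaned, issues = lint_startup_config(SAMPLE_CONFIG)
    for issue in issues:
        print("WARNING:", issue)
    print(cleaned)
```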