Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2917
Views
13
Helpful
2
Replies

% Rsa keys can't be generated by the startup configuration

astanislaus
Level 2
Level 2

‎01-29-2008 08:02 PM - edited ‎03-05-2019 08:48 PM

Question I:

===========

We are seeing the following error when we tftp the config to startup-config of the router and then reboot the router.

% Rsa keys can't be generated by the startup configuration

If we tftp the config without the following commands and then put it in manually after the tftp load it works fine :

crypto key gen rsa gen mod 1024

I did the following on a Cisco 3745 router running 12.4 in the lab :

1. Copied the config from router to tftp server.

2. Added the following two command to the saved config on the tftp server:

ip domain-name test

crypto key gen rsa gen mod 1024

3. Tftp'ed the new config to the router's startup-config.

4. Reloaded the router and got the error message:

% Rsa keys can't be generated by the startup configuration

Question II:

============

The command crypto key gen rsa gen mod 1024 - where does this command generate and write the key to - to NVRAM or to Flash. So may be it has to be just done once and may be that is what I am doing wrong by putting the commadnd in the startup config and may be that is why I am seeing the error message.

3 people had this problem
Labels:
Preview file
32 KB
0 Helpful
2 Replies 2

glen.grant
VIP Alumni
VIP Alumni

‎01-29-2008 08:12 PM

I have seen problems trying this also so maybe it just has to be done manually . Once you create the file it does not change again . It is kept over reloads so it would not have to change. The key is permanent in nvram unless you zeroize it . Believe it is kept in the private-config file in nvram . to verify this just remove that crypto key gen statement and reload the box , the key will still be there if you have already created it . Verify with the "show crypto key my rsa " command.

Richard Burts
Hall of Fame
Hall of Fame
In response to glen.grant

‎01-29-2008 08:21 PM

ALPHONSE

The command to generate the keys operates through the parser when you are on line with the router - and apparently not if you attempt it from the startup config.

To me attempting to TFTP the command to startup is not worth the effort that it takes. I always put the initial config into the router, manually generate the key, and forget about the key. I agree with Glen that once you generate the key it is relatively permanent. As Glen points out if you zeroize the key it will need to be regenerated. Or if you change the hostname of the router or the domain name of the router it will invalidate the key and you will need to regenerate it.

HTH

Rick

HTH

Rick
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card