05-14-2008 01:50 AM - edited 03-05-2019 10:57 PM
Hello,
I have inherited a problem with a stack of 4x 3750 switches. There is a TACACS configuration error on the stack that means I am unauthorized to configure any changes. Each switch has one interface connecting to the management network, but these interfaces are all down due to err-disable (channel-misconfig). If these connections were restored the TACACS server would be reachable and then I could configure the necessary changes.
Currently all switches are configured with a priority of 1 and Switch 2 in the stack is currently the master.
I am unable to sh/no sh the interfaces due to the TACACS problem. Is there any other way to clear the err-disable state?
Thanks
Steve
05-14-2008 04:53 AM
No local user account is defined on the stack? If not, I would suggest doing a password recovery procedure on the master which should enable you to create a local user account.
05-14-2008 05:18 AM
Hi,
To be honest I'm not sure as I haven't seen the config... inherited problem :-( But, at the moment the TACACS server is not reachable, so it is defaulting to the local enable password. When I try to enter "conf t" etc, I receive an authorization failed error, so I'm assuming the AAA authorization is misconfigured.
If I was able to bring any of the 4 management connections back up it would restore access to the TACACS server - and therefore I can login with TACACS account... and fix the config. I can't get these back up and running because all 4 connections are in "err-disable" state. So I need to know if there is a way to bring these interfaces back up without being able to shut/no shut? I've checked the errdisable recovery and it's disabled for channel-misconfig....
As this is on a live production stack, I don't want to go through the password recovery path. The other alternative I see is to reload one of the Stack members, which would clear the management interface and bring up access to the TACACS server.
The only concern I have with this is - all the switches are Stack priority of 1 (Switch 2 is the master at the moment). When I reload (physically power-cycle) Switch 1, will this then cause a Master re-election on boot up and then cause all other switches to reload? I think usually this would only happen if the Stack master with higher priority is reloaded, but I'm not 100%. Does anyone know the circumstances for this happening?
Thanks in advance
Steve
05-14-2008 05:39 AM
You are going to at least need to reload - that alone may clear the err-disable state, and get you access, but I cannot make any guarantee.
If you need to reload anyway, you may as well go the sure-fire route and go through password recovery to get in.
Paul.
05-14-2008 05:48 AM
Thanks Paul
The reload should work, there was an error in the etherchannels between the Stack and the Management switches. When this was fixed the interfaces went to err-disabled, so the etherchannels should work once they are cleared.
At the moment Switch 1 has no connections apart from the Management interface, so I'll try the reload on it.
As I said before the only concern I have with this is whether or not this will cause the other devices to reload also?
Thanks
05-14-2008 05:53 AM
It should not cause the other switches in the stack to reload, but I have a niggle that as they do quite a bit of state sharing between the switches in a stack (FIB tables etc) the state *MAY* survive the power cycle of a single switch in the stack. If that's the only connection on that particular switch, it should not affect anything else so is worth a quick try on its own.
05-14-2008 05:59 AM
Thanks Paul. I agree, I haven't come across this before, I think I'll push back on a quick fix and get the topology labbed up first.
Cheers
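
An added example, not part of the thread: a Python check for the two lockout conditions described above, an AAA authorization list that names only a server group and err-disable recovery that is off for channel-misconfig. The sample config is constructed (the poster had not seen the real one), and the function name `audit_lockout_risks` is hypothetical.

```python
import re

# Constructed sample config, not taken from the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+
errdisable recovery cause udld
errdisable recovery interval 300
"""

# Methods that can still return a decision when the server group does not respond.
FALLBACK_METHODS = {"local", "if-authenticated", "none"}


def audit_lockout_risks(config_text):
    """Return findings for settings that can lock admins out when TACACS+ is unreachable."""
    findings = []
    recovery_causes = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        # e.g. "aaa authorization commands 15 default group tacacs+ local"
        m = re.match(r"aaa authorization (exec|commands \d+) (\S+) (.+)", line)
        if m:
            what, list_name, methods = m.groups()
            uses_server = bool(re.search(r"group \S+", methods))
            # Drop "group <name>" pairs; what remains are the non-server methods.
            others = set(re.sub(r"group \S+", "", methods).split())
            if uses_server and not (others & FALLBACK_METHODS):
                findings.append(
                    f"authorization {what} list '{list_name}': "
                    "server group only, no fallback method"
                )
        m = re.match(r"errdisable recovery cause (\S+)", line)
        if m:
            recovery_causes.add(m.group(1))
    if not ({"channel-misconfig", "all"} & recovery_causes):
        findings.append("errdisable recovery is not enabled for channel-misconfig")
    return findings


if __name__ == "__main__":
    for finding in audit_lockout_risks(SAMPLE_CONFIG):
        print("RISK:", finding)
```
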