05-14-2008 01:50 AM - edited 03-05-2019 10:57 PM
Hello,
I have inherited a problem with a stack of 4x 3750 switches. There is a TACACS configuration error on the stack that means I am unauthorized to configure any changes. Each switch has one interface connecting to the management network, but these interfaces are all down due to err-disable (channel-misconfig). If these connections were restored the TACACS server would be reachable and then I could configure the necessary changes.
Currently all switches are configured with a priority of 1 and Switch 2 in the stack is currently the master.
I am unable to sh/no sh the interfaces due to the TACACS problem. Is there any other way to clear the err-disable state?
Thanks
Steve
05-14-2008 04:53 AM
No local user account is defined on the stack? If not, I would suggest doing a password recovery procedure on the master which should enable you to create a local user account.
05-14-2008 05:18 AM
Hi,
To be honest I'm not sure as I haven't seen the config... inherited problem :-( But, at the moment the TACACS server is not reachable, so it is defaulting to the local enable password. When I try to enter "conf t" etc, I receive an authorization failed error, so I'm assuming the AAA authorization is misconfigured.
If I was able to bring any of the 4 management connections back up it would restore access to the TACACS server - and therefore I can login with TACACS account... and fix the config. I can't get these back up and running because all 4 connections are in "err-disable" state. So I need to know if there is a way to bring these interfaces back up without being able to shut/no shut? I've checked the errdisable recovery and it's disabled for channel-misconfig....
As this is on a live production stack, I don't want to go through the password recovery path. The other alternative I see is to reload one of the Stack members, which would clear the management interface and bring up access to the TACACS server.
The only concern I have with this is - all the switches are Stack priority of 1 (Switch 2 is the master at the moment). When I reload (physically power cycle) Switch 1, will this then cause a Master re-election on boot up and then cause all other switches to reload? I think usually this would only happen if the Stack master with higher priority is reloaded, but I'm not 100%. Does anyone know the circumstances for this happening?
Thanks in advance
Steve
05-14-2008 05:39 AM
You are going to at least need to reload - that alone may clear the err-disable state, and get you access, but I cannot make any guarantee.
If you need to reload anyway, you may as well go the sure-fire route and go through password recovery to get in.
Paul.
05-14-2008 05:48 AM
Thanks Paul
The reload should work, there was an error in the etherchannels between the Stack and the Management switches. When this was fixed the interfaces went to err-disabled, so the etherchannels should work once they are cleared.
At the moment Switch 1 has no connections apart from the Management interface, so I'll try the reload on it.
As I said before the only concern I have with this is whether or not this will cause the other devices to reload also?
Thanks
05-14-2008 05:53 AM
It should not cause the other switches in the stack to reload, but I have a niggle that as they do quite a bit of state sharing between the switches in a stack (FIB tables etc) the state *MAY* survive the power cycle of a single switch in the stack. If that's the only connection on that particular switch, it should not affect anything else so is worth a quick try on its own.
05-14-2008 05:59 AM
Thanks Paul. I agree, I haven't come across this before, I think I'll push back on a quick fix and get the topology labbed up first.
Cheers