Where did my "show crypto" go?

Answered Question
Sep 20th, 2010

I'm perplexed. My "show crypto" command tree seems to have disappeared from my ACE.


I am running:


dc4pt-lb-01/tier1# sh ver
Cisco Application Control Software (ACSW)
<snip>

Software
  loader:    Version 12.2[120]
  system:    Version A2(1.6a) [build 3.0(0)A2(1.6a) adbuild_08:46:04-2009/10/16_/auto/adbu-rel4/rel_a2_1_6_throttle/REL_3_0_0_A2_1_6A]
  system image file: [LCP] disk0:c6ace-t1k9-mz.A2_1_6a.bin
  installed license: ACE-VIRT-020 ACE-SEC-LIC-K9

Hardware
  Cisco ACE (slot: 6)


But when I went in to check my certificates, I get:


dc4pt-lb-01/tier1# show crypto
                        ^
% invalid command detected at '^' marker.


This is strange. The same commands work fine on another ACE running the same level of software and logged in enable mode in the same context.


The certificates are installed and working - I can browse to the VIP and verify the installed certificate from my browser.

Correct Answer
litrenta Mon, 09/20/2010 - 12:20
User Badges:
  • Cisco Employee,

Can you do a "show role" before you try "show crypto"? In A2(1.2) and later you cannot do

show crypto and show ft commands were disabled in network monitor role starting in A2(1.3).

Marvin Rhoads Mon, 09/20/2010 - 12:59

Ah, excellent catch. That's it. We recently enabled TACACS authentication on the non-working device and apparently we need to tweak the roles. I am only in as "Network Monitor":


dc4pt-lb-01/Admin# sh role

Role: Network-Monitor (System-defined)
Description: Monitoring for all features
Number of rules: 5
  ---------------------------------------------
  Rule    Type    Permission      Feature
  ---------------------------------------------
   1.   Permit   Monitor                 all
   2.   Permit   Monitor            changeto
   3.     Deny    Create       exec-commands
   4.     Deny    Create     fault-tolerance
   5.     Deny    Create                 pki
dc4pt-lb-01/Admin#


In my other devices I have all permissions:


dc4-lb-01/Admin# sh role

Role: Admin (System-defined)
Description: Administrator
Number of rules: 5
  ---------------------------------------------
  Rule    Type    Permission      Feature
  ---------------------------------------------
   1.   Permit    Create                 all
   2.   Permit    Create         user access
   3.   Permit    Create              system
   4.   Permit    Create            changeto
   5.   Permit    Create       exec-commands

Role: Network-Admin (System-defined)
Description: Admin for L3 (IP and Routes) and L4 VIPs
Number of rules: 8
  ---------------------------------------------
  Rule    Type    Permission      Feature
  ---------------------------------------------
   1.   Permit    Create           interface
   2.   Permit    Create             routing
   3.   Permit    Create          connection
   4.   Permit    Create                 nat
   5.   Permit    Create                 vip
   6.   Permit    Create         config_copy
   7.   Permit    Create            changeto
   8.   Permit    Create       exec-commands

Role: Server-Maintenance (System-defined)
Description: Server maintenance, monitoring and debugging
Number of rules: 7
  ---------------------------------------------
  Rule    Type    Permission      Feature
  ---------------------------------------------
   1.   Permit    Modify                real
   2.   Permit     Debug          serverfarm
   3.   Permit     Debug                 vip
   4.   Permit     Debug               probe
   5.   Permit     Debug         loadbalance
   6.   Permit    Create            changeto
   7.   Permit    Create       exec-commands

Role: Server-Appln-Maintenance (System-defined)
Description: Server maintenance and L7 policy application
Number of rules: 7
  ---------------------------------------------
  Rule    Type    Permission      Feature
  ---------------------------------------------
   1.   Permit    Create                real
   2.   Permit    Create          serverfarm
   3.   Permit    Create         loadbalance
   4.   Permit    Create         config_copy
   5.   Permit    Create      real-inservice
   6.   Permit    Create       exec-commands
   7.   Permit    Create            changeto

Role: SLB-Admin (System-defined)
Description: Administrator for all load-balancing features
Number of rules: 11
  ---------------------------------------------
  Rule    Type    Permission      Feature
  ---------------------------------------------
   1.   Permit    Create                real
   2.   Permit    Create          serverfarm
   3.   Permit    Create                 vip
   4.   Permit    Create               probe
   5.   Permit    Create         loadbalance
   6.   Permit    Create                 nat
   7.   Permit    Modify           interface
   8.   Permit    Create         config_copy
   9.   Permit    Create       exec-commands
  10.   Permit    Create      real-inservice
  11.   Permit    Create            changeto

Role: Security-Admin (System-defined)
Description: Administrator for all security features
Number of rules: 9
  ---------------------------------------------
  Rule    Type    Permission      Feature
  ---------------------------------------------
   1.   Permit    Create         access-list
   2.   Permit    Create             inspect
   3.   Permit    Create          connection
   4.   Permit    Modify           interface
   5.   Permit    Create                 AAA
   6.   Permit    Create                 nat
   7.   Permit    Create         config_copy
   8.   Permit    Create            changeto
   9.   Permit    Create       exec-commands

Role: SSL-Admin (System-defined)
Description: Administrator for all SSL features
Number of rules: 6
  ---------------------------------------------
  Rule    Type    Permission      Feature
  ---------------------------------------------
   1.   Permit    Create                 ssl
   2.   Permit    Create                 pki
   3.   Permit    Modify           interface
   4.   Permit    Create         config_copy
   5.   Permit    Create            changeto
   6.   Permit    Create       exec-commands

Role: Network-Monitor (System-defined)
Description: Monitoring for all features
Number of rules: 5
  ---------------------------------------------
  Rule    Type    Permission      Feature
  ---------------------------------------------
   1.   Permit   Monitor                 all
   2.   Permit   Monitor            changeto
   3.     Deny    Create       exec-commands
   4.     Deny    Create     fault-tolerance
   5.     Deny    Create                 pki
dc4-lb-01/Admin#
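
An added example, not part of the original thread or any Cisco tooling: Python that parses captured "show role" output like the listings above and reports each role's access to a feature such as pki. The link between the pki feature and "show crypto", and the evaluation model (an explicit Deny on a feature overrides a Permit on "all"), are assumptions inferred from the Network-Monitor behavior described in this thread; the sample text is trimmed from the output above.

```python
import re

# Constructed sample: rule lines trimmed from the "sh role" output in this thread.
SAMPLE = """\
Role: Admin (System-defined)
   1.   Permit    Create                 all
   2.   Permit    Create         user access
Role: Network-Admin (System-defined)
   1.   Permit    Create           interface
   2.   Permit    Create       exec-commands
Role: SSL-Admin (System-defined)
   1.   Permit    Create                 ssl
   2.   Permit    Create                 pki
Role: Network-Monitor (System-defined)
   1.   Permit   Monitor                 all
   2.   Permit   Monitor            changeto
   3.     Deny    Create       exec-commands
   4.     Deny    Create     fault-tolerance
   5.     Deny    Create                 pki
"""

ROLE_RE = re.compile(r"^Role:\s+(\S+)")
RULE_RE = re.compile(r"^\s*\d+\.\s+(Permit|Deny)\s+(\w+)\s+(.+?)\s*$")

def parse_roles(text):
    """Return {role: [(type, permission, feature), ...]} from 'show role' text."""
    roles, current = {}, None
    for line in text.splitlines():
        m = ROLE_RE.match(line)
        if m:
            current = roles.setdefault(m.group(1), [])
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            current.append(m.groups())
    return roles

def feature_access(rules, feature):
    # Assumed model (not from Cisco documentation): an explicit Deny on the
    # feature wins; otherwise a Permit on the feature, then on "all", applies.
    if any(t == "Deny" and f == feature for t, _, f in rules):
        return "denied"
    for wanted in (feature, "all"):
        for t, perm, f in rules:
            if t == "Permit" and f == wanted:
                return perm
    return "no rule"

def audit(text, feature="pki"):
    """Map each role name to its access level for the given feature."""
    return {role: feature_access(rules, feature)
            for role, rules in parse_roles(text).items()}
```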

Marvin Rhoads Mon, 09/20/2010 - 14:21

I confirmed the fix. On the TACACS server I needed to add the shell command custom attributes: "shell:Admin*Admin default-domain" on my TACACS server's user group properties. Restarting the server and then re-logging into my ACE now presents me with all the expected commands.
