Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
607
Views
0
Helpful
3
Replies

Where did my "show crypto" go?

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-20-2010 10:46 AM

I'm perplexed. My "show crypto" command tree seems to have disappeared from my ACE.

I am running:


dc4pt-lb-01/tier1# sh ver
Cisco Application Control Software (ACSW)
<snip>

Software
  loader:    Version 12.2[120]
  system:    Version A2(1.6a) [build 3.0(0)A2(1.6a) adbuild_08:46:04-2009/10/16_/auto/adbu-rel4/rel_a2_1_6_throttle/REL_3_0_0_A2_1_6A]
  system image file: [LCP] disk0:c6ace-t1k9-mz.A2_1_6a.bin
  installed license: ACE-VIRT-020 ACE-SEC-LIC-K9

Hardware
  Cisco ACE (slot: 6)

But when I went in to check my certificates, I get:

dc4pt-lb-01/tier1# show crypto
                        ^
% invalid command detected at '^' marker.

This is strange. The same commands work fine on another ACE running the same level of software and logged in enable mode in the same context.

The certificates are installed and working - I can browse to the VIP and verify the installed certificate from my browser.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
litrenta
Level 3
Level 3

‎09-20-2010 12:20 PM

can you do a "show role" before you try "show crypto". In A2(1.2) and later you cannot do

show crytpo and show ft commands were disabled in network monitor role starting in A2(1.3).

View solution in original post

0 Helpful
3 Replies 3

Go to solution
litrenta
Level 3
Level 3

‎09-20-2010 12:20 PM

can you do a "show role" before you try "show crypto". In A2(1.2) and later you cannot do

show crytpo and show ft commands were disabled in network monitor role starting in A2(1.3).

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to litrenta

‎09-20-2010 12:59 PM

Ah, excellent catch. That's it. We recently enabled TACACS authentication on the non-working device and apparently we need to tweak the roles. I am only in as "Network Monitor":

dc4pt-lb-01/Admin# sh role

Role: Network-Monitor (System-defined)
Description: Monitoring for all features
Number of rules: 5
  ---------------------------------------------
  Rule    Type    Permission      Feature
  ---------------------------------------------
   1.   Permit   Monitor                 all
   2.   Permit   Monitor            changeto
   3.     Deny    Create       exec-commands
   4.     Deny    Create     fault-tolerance
   5.     Deny    Create                 pki
dc4pt-lb-01/Admin#

In my other devices I have all permissions:

dc4-lb-01/Admin# sh role

Role: Admin (System-defined)
Description: Administrator
Number of rules: 5
  ---------------------------------------------
  Rule    Type    Permission      Feature
  ---------------------------------------------
   1.   Permit    Create                 all
   2.   Permit    Create         user access
   3.   Permit    Create              system
   4.   Permit    Create            changeto
   5.   Permit    Create       exec-commands

Role: Network-Admin (System-defined)
Description: Admin for L3 (IP and Routes) and L4 VIPs
Number of rules: 8
  ---------------------------------------------
  Rule    Type    Permission      Feature
  ---------------------------------------------
   1.   Permit    Create           interface
   2.   Permit    Create             routing
   3.   Permit    Create          connection
   4.   Permit    Create                 nat
   5.   Permit    Create                 vip
   6.   Permit    Create         config_copy
   7.   Permit    Create            changeto
   8.   Permit    Create       exec-commands

Role: Server-Maintenance (System-defined)
Description: Server maintenance, monitoring and debugging
Number of rules: 7
  ---------------------------------------------
  Rule    Type    Permission      Feature
  ---------------------------------------------
   1.   Permit    Modify                real
   2.   Permit     Debug          serverfarm
   3.   Permit     Debug                 vip
   4.   Permit     Debug               probe
   5.   Permit     Debug         loadbalance
   6.   Permit    Create            changeto
   7.   Permit    Create       exec-commands

Role: Server-Appln-Maintenance (System-defined)
Description: Server maintenance and L7 policy application
Number of rules: 7
  ---------------------------------------------
  Rule    Type    Permission      Feature
  ---------------------------------------------
   1.   Permit    Create                real
   2.   Permit    Create          serverfarm
   3.   Permit    Create         loadbalance
   4.   Permit    Create         config_copy
   5.   Permit    Create      real-inservice
   6.   Permit    Create       exec-commands
   7.   Permit    Create            changeto

Role: SLB-Admin (System-defined)
Description: Administrator for all load-balancing features
Number of rules: 11
  ---------------------------------------------
  Rule    Type    Permission      Feature
  ---------------------------------------------
   1.   Permit    Create                real
   2.   Permit    Create          serverfarm
   3.   Permit    Create                 vip
   4.   Permit    Create               probe
   5.   Permit    Create         loadbalance
   6.   Permit    Create                 nat
   7.   Permit    Modify           interface
   8.   Permit    Create         config_copy
   9.   Permit    Create       exec-commands
  10.   Permit    Create      real-inservice
  11.   Permit    Create            changeto

Role: Security-Admin (System-defined)
Description: Administrator for all security features
Number of rules: 9
  ---------------------------------------------
  Rule    Type    Permission      Feature
  ---------------------------------------------
   1.   Permit    Create         access-list
   2.   Permit    Create             inspect
   3.   Permit    Create          connection
   4.   Permit    Modify           interface
   5.   Permit    Create                 AAA
   6.   Permit    Create                 nat
   7.   Permit    Create         config_copy
   8.   Permit    Create            changeto
   9.   Permit    Create       exec-commands

Role: SSL-Admin (System-defined)
Description: Administrator for all SSL features
Number of rules: 6
  ---------------------------------------------
  Rule    Type    Permission      Feature
  ---------------------------------------------
   1.   Permit    Create                 ssl
   2.   Permit    Create                 pki
   3.   Permit    Modify           interface
   4.   Permit    Create         config_copy
   5.   Permit    Create            changeto
   6.   Permit    Create       exec-commands

Role: Network-Monitor (System-defined)
Description: Monitoring for all features
Number of rules: 5
  ---------------------------------------------
  Rule    Type    Permission      Feature
  ---------------------------------------------
   1.   Permit   Monitor                 all
   2.   Permit   Monitor            changeto
   3.     Deny    Create       exec-commands
   4.     Deny    Create     fault-tolerance
   5.     Deny    Create                 pki
dc4-lb-01/Admin#

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Marvin Rhoads

‎09-20-2010 02:21 PM

I confirmed the fix. On the TACACS server I needed to add the shell command custom attributes: "shell:Admin*Admin default-domain" on my TACACS server's user group properties. Restarting the server and then re-logging into my ACE now presents me with all the expected commands.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents