Crypto Generate script

Richard Clayton
Level 1

Hi

My goal

- crypto key generated by startup config

- 'no shut' a specifc interface

- save the config to nvram

My Script

!
kron occurrence crypto_key in 2 oneshot
policy-list crypto_key
!
kron policy-list crypto_key
cli event manager run crypto_key
!
event manager applet crypto_key
event none sync yes
action 1 cli command "enable"
action 2 cli command "config t"
action 3 cli command "crypto key generate rsa modulus 2048"
action 4 cli command "interface GigabitEthernet0/0"
action 5 cli command "no shut"
action 6 cli command "exit"
action 7 cli command "exit"
action 8 cli command "write mem"
action 9 cli command "end"
!

The result

- The key is generated

- The interface is 'no shut'

- The config is not saved so each reboot starts the process again

Any ideas why the save isn't working, or whether there is a better way of achieving my goals?

Thanks

Rick



Richard Clayton
Level 1

I worked out why the 'wr mem' wasn't working: I changed the IOS as part of the commissioning, and the 'wr mem' needed an interactive answer.

Warning: Attempting to overwrite an NVRAM configuration previously written

by a different version of the system image.

I added "file prompt quiet" as an action and it worked fine, still interested to know if anybody is doing something similar or better.

Thanks

Rick

This is the final script which works under both conditions (IOS changed requiring confirmation and IOS not changed), big thanks to Joseph Clarke for helping me with this.

!
event manager applet crypto_key
event action cron cron-entry "@reboot" maxrun 60
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 1.2 cli command "crypto key generate rsa modulus 2048"
action 1.3 cli command "interface FastEthernet4"
action 1.4 cli command "no shut"
action 1.5 cli command "end"
action 1.6 cli command "write mem" pattern ".*"
action 1.7 regexp "confirm" $_cli_result
action 1.8 if $_regexp_result eq 1
action 1.9 cli command "y"
action 2.0 end
action 2.1 cli command "config t"
action 2.2 cli command "no event manager applet crypto_key"
action 2.3 cli command "end"
action 2.4 cli command "write mem"
!

Joe Clarke
Cisco Employee

You could use the pattern keyword after the write mem action to match on ".*".  Then, check $_cli_result to see if you have a prompt, and if so, send another command to confirm.  That's a bit of overkill, though.  You'll likely be okay with the file prompt quiet, or just remembering that you may need a manual write mem if/when you upgrade again.

Joseph

My EEM is still hanging on the 'wr mem' action as the IOS has changed, so the "file prompt quiet" is obviously not working for this type of prompt. Can you provide a config example for your solution?
When I manually run 'wr mem' I get the following prompt:

Warning: Attempting to overwrite an NVRAM configuration previously written

by a different version of the system image.

Overwrite the previous NVRAM configuration?[confirm]

So my question is, how do I get the EEM script to confirm the 'wr mem' prompt?

Thanks

Rick


Hi

I've been using the script below for the last 8 months on an 881 with 15.1-4M7, but the original 881 has now been replaced with a new 881 model and we are now using 15.3-3M3. The script no longer works and I can't work out why; I have included the debug at the bottom.

I can see the 'wr mem' warning about the different IOS version is not being confirmed as it was originally, but I don't know what the fix will now be. I assume something has changed EEM-wise with the newer IOS release?

event manager applet crypto_key
 event none maxrun 60
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 1.2 cli command "crypto key generate rsa modulus 2048"
 action 1.3 cli command "end"
 action 1.4 cli command "write mem" pattern "Warning*"
 action 1.5 regexp "confirm" "$_cli_result"
 action 1.6 if $_regexp_result eq "1"
 action 1.7  cli command "y"
 action 1.8 end
 action 1.9 cli command "config t"
 action 2.0 cli command "no event manager applet crypto_key"
!

DEBUG

000286: *Oct 31 14:06:42.798 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : CES00002463-01>
000287: *Oct 31 14:06:42.798 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : IN  : CES00002463-01>enable
000288: *Oct 31 14:06:42.798 GMT: cli_history_entry_add: free_hist_list size=0, hist_list size=7
000289: *Oct 31 14:06:42.798 GMT: eem_no_scan flag set, skipping scan of command_string=enable
000290: *Oct 31 14:06:42.810 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : CES00002463-01#
000291: *Oct 31 14:06:42.810 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : IN  : CES00002463-01#config t
000292: *Oct 31 14:06:42.810 GMT: cli_history_entry_add: free_hist_list size=0, hist_list size=7
000293: *Oct 31 14:06:42.810 GMT: eem_no_scan flag set, skipping scan of command_string=configure terminal
000294: *Oct 31 14:06:42.826 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : Enter configuration commands, one per line.  End with CNTL/Z.
000295: *Oct 31 14:06:42.826 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : CES00002463-01(config)#
000296: *Oct 31 14:06:42.826 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : IN  : CES00002463-01(config)#crypto key generate rsa modulus 2048
000297: *Oct 31 14:06:42.830 GMT: cli_history_entry_add: free_hist_list size=0, hist_list size=7
000298: *Oct 31 14:06:42.830 GMT: eem_no_scan flag set, skipping scan of command_string=crypto key generate rsa modulus 2048
000299: *Oct 31 14:06:42.830 GMT: %SSH-5-DISABLED: SSH 2.0 has been disabled
000300: *Oct 31 14:06:44.606 GMT: %SSH-5-ENABLED: SSH 2.0 has been enabled
000301: *Oct 31 14:06:44.718 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : % You already have RSA keys defined named CES00002463-01.gamma.co.uk.
000302: *Oct 31 14:06:44.718 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : % They will be replaced.
000303: *Oct 31 14:06:44.718 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT :
000304: *Oct 31 14:06:44.718 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : % The key modulus size is 2048 bits
000305: *Oct 31 14:06:44.718 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : % Generating 2048 bit RSA keys, keys will be non-exportable...
000306: *Oct 31 14:06:44.718 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : [OK] (elapsed time was 2 seconds)
000307: *Oct 31 14:06:44.718 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT :
000308: *Oct 31 14:06:44.718 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : CES00002463-01(config)#
000309: *Oct 31 14:06:44.718 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : IN  : CES00002463-01(config)#end
000310: *Oct 31 14:06:44.718 GMT: cli_history_entry_add: free_hist_list size=0, hist_list size=7
000311: *Oct 31 14:06:44.718 GMT: eem_no_scan flag set, skipping scan of command_string=end
000312: *Oct 31 14:06:44.718 GMT: %SYS-5-CONFIG_I: Configured from console by  on vty0 (EEM:crypto_key)
000313: *Oct 31 14:06:44.730 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : CES00002463-01#
000314: *Oct 31 14:06:44.730 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : IN  : CES00002463-01#write mem
000315: *Oct 31 14:06:44.730 GMT: cli_history_entry_add: free_hist_list size=0, hist_list size=7
000316: *Oct 31 14:06:44.730 GMT: eem_no_scan flag set, skipping scan of command_string=write memory
000317: *Oct 31 14:06:45.018 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : Warning: Attempting to overwrite an NVRAM configuration previously written
000318: *Oct 31 14:06:45.018 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : IN  : config t
000319: *Oct 31 14:06:45.038 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : by a different version of the system image.
000320: *Oct 31 14:06:45.038 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : Overwrite the previous NVRAM configuration?[confirm]c
000321: *Oct 31 14:06:45.038 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : No action taken because command was not confirmed

Write mem is now interactive.  If you manually run "write mem" and acknowledge the prompt, then the policy will work again.

I wanted the EEM to confirm rather than the confirm being manual, trying to automate as much as possible.

Change action 1.4 to:

action 1.4 cli command "write mem" pattern "confirm|#"

Then it should work.

Hi Joseph

That worked perfectly under both conditions (new IOS and same IOS). Can you please explain what this part of the script is actually doing?

 action 1.4 cli command "write mem" pattern "confirm|#"
 action 1.5 regexp "confirm" "$_cli_result"
 action 1.6 if $_regexp_result eq "1"
 action 1.7  cli command "y"

It matches either "confirm" or "#" in the prompt.  If confirm is found, it sends y, else it goes on with the script.
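An added illustration (written here, not from the thread) of why pattern "Warning*" fails in the debug above while pattern "confirm|#" works: a small Python model of how EEM's 'cli command ... pattern' collects output until the regex matches and then hands it back as $_cli_result. The line-by-line chunking of the router output and the "Router#" prompt are assumptions.

```python
import re

# Constructed 'write mem' output chunks, modelled on the debug log in the
# thread: the router emits the warning a line at a time, ending in a
# [confirm] prompt when the image has changed since the last save.
WRITE_MEM_IMAGE_CHANGED = [
    "Warning: Attempting to overwrite an NVRAM configuration previously written\n",
    "by a different version of the system image.\n",
    "Overwrite the previous NVRAM configuration?[confirm]",
]
# Constructed output for the unchanged-image case: no prompt, the command
# completes and the router returns to the exec prompt.
WRITE_MEM_SAME_IMAGE = [
    "Building configuration...\n",
    "[OK]\n",
    "Router#",
]


def run_cli(chunks, pattern):
    """Model of 'cli command ... pattern <regex>': EEM collects output until
    the pattern matches, then returns what it collected ($_cli_result).
    Returns None if the pattern never matches (the applet would then hang
    until maxrun expires)."""
    collected = ""
    for chunk in chunks:
        collected += chunk
        if re.search(pattern, collected):
            return collected
    return None


def next_command(chunks, pattern):
    """Actions 1.4-1.7 of the script: decide what the applet sends next.
    'y' answers the prompt, 'config t' is the normal next action,
    'timeout' marks a pattern that never matched."""
    cli_result = run_cli(chunks, pattern)
    if cli_result is None:
        return "timeout"
    if re.search("confirm", cli_result):  # action 1.5 regexp "confirm"
        return "y"                        # action 1.7
    return "config t"                     # action 1.9


if __name__ == "__main__":
    # "Warning*" matches the very first line, before [confirm] has arrived,
    # so the applet sends "config t" into the pending prompt (as the debug
    # log shows); "confirm|#" waits for either the prompt or the exec prompt.
    for pattern in ("Warning*", "confirm|#"):
        print(pattern, next_command(WRITE_MEM_IMAGE_CHANGED, pattern),
              next_command(WRITE_MEM_SAME_IMAGE, pattern))
```

The "#" alternative matters in the unchanged-image case: with "confirm" alone the pattern never matches and the applet would sit at "write mem" until maxrun.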

Richard Clayton
Level 1

I've updated it now, as on some routers the default maximum run time was being exceeded. I also changed the action numbers, as when it got to action '10' it appeared second in the list instead of tenth.

Rick

!
kron occurrence crypto_key in 2 oneshot
policy-list crypto_key
!
kron policy-list crypto_key
cli event manager run crypto_key
!
event manager applet crypto_key
event none sync yes maxrun 40
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 1.2 cli command "file prompt quiet"
action 1.3 cli command "crypto key generate rsa modulus 2048"
action 1.4 cli command "interface GigabitEthernet0/0"
action 1.5 cli command "no shut"
action 1.6 cli command "exit"
action 1.7 cli command "exit"
action 1.8 cli command "write mem"
action 1.9 cli command "end"
!

This looks like a big hack.  I would not do this.  Instead, do:

event manager applet crypto_key
event timer cron cron-entry "@reboot"
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 1.2 cli command "file prompt quiet"
action 1.3 cli command "crypto key generate rsa modulus 2048"
action 1.4 cli command "interface GigabitEthernet0/0"
action 1.5 cli command "no shut"
action 1.6 cli command "exit"
action 1.7 cli command "end"
action 1.8 cli command "write mem"

I think this is what you're trying to do.

Hi

Thanks for the reply. I like your version, as it's just using EEM and removes the kron. The same issue exists though: how do I get the EEM to respond to the prompt below to stop the "wr mem" failing?

Warning: Attempting to overwrite an NVRAM configuration previously written

by a different version of the system image.

Overwrite the previous NVRAM configuration?[confirm]

Thanks

Rick

I would try:

action 1.8 cli command "write mem" pattern ".*"
action 1.9 regexp "confirm" $_cli_result
action 2.0 if $_regexp_result eq 1
action 2.1  cli command "y"
action 2.2 end
