New Member

Crypto Generate script

Hi

My goal

- crypto key generated by startup config

- 'no shut' a specific interface

- save the config to nvram

My Script

!
kron occurrence crypto_key in 2 oneshot
 policy-list crypto_key
!
kron policy-list crypto_key
 cli event manager run crypto_key
!
event manager applet crypto_key
 event none sync yes
 action 1 cli command "enable"
 action 2 cli command "config t"
 action 3 cli command "crypto key generate rsa modulus 2048"
 action 4 cli command "interface GigabitEthernet0/0"
 action 5 cli command "no shut"
 action 6 cli command "exit"
 action 7 cli command "exit"
 action 8 cli command "write mem"
 action 9 cli command "end"
!

The result

- The key is generated

- The interface is 'no shut'

- The config is not saved so each reboot starts the process again

Any ideas why the save isn't working, or if there is a better way of achieving my goals?

Thanks

Rick

2 ACCEPTED SOLUTIONS

16 REPLIES
New Member

Crypto Generate script

I worked out why the 'wr mem' wasn't working: I changed the IOS as part of the commissioning, and the 'wr mem' needed an interactive answer.

Warning: Attempting to overwrite an NVRAM configuration previously written

by a different version of the system image.

I added "file prompt quiet" as an action and it worked fine; still interested to know if anybody is doing something similar or better.

Thanks

Rick

New Member

This is the final script, which works under both conditions (IOS changed requiring confirmation, and IOS not changed). Big thanks to Joseph Clarke for helping me with this.

!
event manager applet crypto_key
event timer cron cron-entry "@reboot" maxrun 60
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 1.2 cli command "crypto key generate rsa modulus 2048"
action 1.3 cli command "interface FastEthernet4"
action 1.4 cli command "no shut"
action 1.5 cli command "end"
action 1.6 cli command "write mem" pattern ".*"
action 1.7 regexp "confirm" $_cli_result
action 1.8 if $_regexp_result eq 1
action 1.9 cli command "y"
action 2.0 end
action 2.1 cli command "config t"
action 2.2 cli command "no event manager applet crypto_key"
action 2.3 cli command "end"
action 2.4 cli command "write mem"
!

Cisco Employee

Crypto Generate script

You could use the pattern keyword after the write mem action to match on ".*".  Then, check $_cli_result to see if you have a prompt, and if so, send another command to confirm.  That's a bit of overkill, though.  You'll likely be okay with the file prompt quiet, or just remembering that you may need a manual write mem if/when you upgrade again.

New Member

Re: Crypto Generate script

Joseph

My EEM is still hanging on the 'wr mem' action as the IOS has changed, so the "file prompt quiet" is obviously not working for this type of prompt. Can you provide a config example for your solution?
When I manually run 'wr mem' I get the following prompt:

Warning: Attempting to overwrite an NVRAM configuration previously written

by a different version of the system image.

Overwrite the previous NVRAM configuration?[confirm]

So my question is, how do I get the EEM script to confirm the 'wr mem' prompt?

Thanks

Rick

Message was edited by: Richard Clayton

New Member

Hi

I've been using the below script for the last 8 months on an 881 with 15.1-4M7, but the original 881 has now been replaced with a new 881 model and we are now using 15.3-3M3. The script no longer works and I can't work out why; I have included debug at the bottom.

I can see the 'wr mem' warning re the different IOS version is not being confirmed as it was originally, but I don't know what the fix will now be. I assume something has changed EEM-wise with the newer IOS release?

event manager applet crypto_key
 event none maxrun 60
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 1.2 cli command "crypto key generate rsa modulus 2048"
 action 1.3 cli command "end"
 action 1.4 cli command "write mem" pattern "Warning*"
 action 1.5 regexp "confirm" "$_cli_result"
 action 1.6 if $_regexp_result eq "1"
 action 1.7  cli command "y"
 action 1.8 end
 action 1.9 cli command "config t"
 action 2.0 cli command "no event manager applet crypto_key"
!

DEBUG

000286: *Oct 31 14:06:42.798 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : CES00002463-01>
000287: *Oct 31 14:06:42.798 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : IN  : CES00002463-01>enable
000288: *Oct 31 14:06:42.798 GMT: cli_history_entry_add: free_hist_list size=0, hist_list size=7
000289: *Oct 31 14:06:42.798 GMT: eem_no_scan flag set, skipping scan of command_string=enable
000290: *Oct 31 14:06:42.810 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : CES00002463-01#
000291: *Oct 31 14:06:42.810 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : IN  : CES00002463-01#config t
000292: *Oct 31 14:06:42.810 GMT: cli_history_entry_add: free_hist_list size=0, hist_list size=7
000293: *Oct 31 14:06:42.810 GMT: eem_no_scan flag set, skipping scan of command_string=configure terminal
000294: *Oct 31 14:06:42.826 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : Enter configuration commands, one per line.  End with CNTL/Z.
000295: *Oct 31 14:06:42.826 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : CES00002463-01(config)#
000296: *Oct 31 14:06:42.826 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : IN  : CES00002463-01(config)#crypto key generate rsa modulus 2048
000297: *Oct 31 14:06:42.830 GMT: cli_history_entry_add: free_hist_list size=0, hist_list size=7
000298: *Oct 31 14:06:42.830 GMT: eem_no_scan flag set, skipping scan of command_string=crypto key generate rsa modulus 2048
000299: *Oct 31 14:06:42.830 GMT: %SSH-5-DISABLED: SSH 2.0 has been disabled
000300: *Oct 31 14:06:44.606 GMT: %SSH-5-ENABLED: SSH 2.0 has been enabled
000301: *Oct 31 14:06:44.718 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : % You already have RSA keys defined named CES00002463-01.gamma.co.uk.
000302: *Oct 31 14:06:44.718 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : % They will be replaced.
000303: *Oct 31 14:06:44.718 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT :
000304: *Oct 31 14:06:44.718 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : % The key modulus size is 2048 bits
000305: *Oct 31 14:06:44.718 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : % Generating 2048 bit RSA keys, keys will be non-exportable...
000306: *Oct 31 14:06:44.718 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : [OK] (elapsed time was 2 seconds)
000307: *Oct 31 14:06:44.718 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT :
000308: *Oct 31 14:06:44.718 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : CES00002463-01(config)#
000309: *Oct 31 14:06:44.718 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : IN  : CES00002463-01(config)#end
000310: *Oct 31 14:06:44.718 GMT: cli_history_entry_add: free_hist_list size=0, hist_list size=7
000311: *Oct 31 14:06:44.718 GMT: eem_no_scan flag set, skipping scan of command_string=end
000312: *Oct 31 14:06:44.718 GMT: %SYS-5-CONFIG_I: Configured from console by  on vty0 (EEM:crypto_key)
000313: *Oct 31 14:06:44.730 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : CES00002463-01#
000314: *Oct 31 14:06:44.730 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : IN  : CES00002463-01#write mem
000315: *Oct 31 14:06:44.730 GMT: cli_history_entry_add: free_hist_list size=0, hist_list size=7
000316: *Oct 31 14:06:44.730 GMT: eem_no_scan flag set, skipping scan of command_string=write memory
000317: *Oct 31 14:06:45.018 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : Warning: Attempting to overwrite an NVRAM configuration previously written
000318: *Oct 31 14:06:45.018 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : IN  : config t
000319: *Oct 31 14:06:45.038 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : by a different version of the system image.
000320: *Oct 31 14:06:45.038 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : Overwrite the previous NVRAM configuration?[confirm]c
000321: *Oct 31 14:06:45.038 GMT: %HA_EM-6-LOG: crypto_key : DEBUG(cli_lib) : : OUT : No action taken because command was not confirmed

Cisco Employee

Write mem is now interactive.  If you manually run "write mem" and acknowledge the prompt, then the policy will work again.

New Member

I wanted the EEM to confirm rather than the confirm being manual, trying to automate as much as possible.

Cisco Employee

Change action 1.4 to:


action 1.4 cli command "write mem" pattern "confirm|#"

Then it should work.

New Member

Hi Joseph

That worked perfectly under both conditions (new IOS and same IOS). Can you please explain what this part of the script is actually doing?

 action 1.4 cli command "write mem" pattern "confirm|#"
 action 1.5 regexp "confirm" "$_cli_result"
 action 1.6 if $_regexp_result eq "1"
 action 1.7  cli command "y"

Cisco Employee

It matches either "confirm" or "#" in the prompt.  If confirm is found, it sends y, else it goes on with the script.
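
The mechanism Joseph describes, as an added example (my own Python, not code from this thread or from Cisco): a small simulation of how `cli command ... pattern` hands control back to the applet, and why the following `regexp "confirm"` test then succeeds or fails. The debug log earlier in the thread shows the applet sending `config t` immediately after the first "Warning:" line was output. Read as a regular expression, `Warning*` means "Warnin" followed by zero or more "g", so it matches as soon as that first line arrives and $_cli_result never contains "[confirm]"; the applet's next command then gets consumed as the (non-)answer to the prompt. `confirm|#` instead returns only once either the confirm prompt or the exec prompt is visible. The line-by-line chunk delivery, the hostname `Router` and the same-image output text are assumptions made for the simulation.

```python
import re

# Constructed sample device output for the "write mem" step, modelled on the
# prompts quoted in this thread. Each list element is one chunk of output as the
# CLI library hands it to the applet (assumption: chunks arrive line by line,
# which is how the debug log in the thread shows them).
NEW_IMAGE_OUTPUT = [
    "Warning: Attempting to overwrite an NVRAM configuration previously written\n",
    "by a different version of the system image.\n",
    "Overwrite the previous NVRAM configuration?[confirm]",
]
SAME_IMAGE_OUTPUT = [
    "Building configuration...\n",
    "[OK]\n",
    "Router#",  # hypothetical hostname prompt
]


def cli_command(output_chunks, pattern):
    """Simulate 'action cli command "write mem" pattern <regex>'.

    Control returns to the applet as soon as the output collected so far
    matches the pattern (a regex search). The collected text is what the next
    actions see in $_cli_result.
    """
    regex = re.compile(pattern)
    collected = ""
    for chunk in output_chunks:
        collected += chunk
        if regex.search(collected):
            return collected
    # No match at all: a real applet would block here until maxrun expires.
    return collected


def confirm_reply(cli_result):
    """Mirror actions 1.5-1.7: regexp "confirm" on $_cli_result; send "y" on a hit."""
    return "y" if re.search("confirm", cli_result) else None


def run_write_mem(output_chunks, pattern):
    """Run the write-mem step and report what the applet saw and what it sent."""
    seen = cli_command(output_chunks, pattern)
    return {"collected": seen, "reply": confirm_reply(seen)}


if __name__ == "__main__":
    cases = (("new image", NEW_IMAGE_OUTPUT), ("same image", SAME_IMAGE_OUTPUT))
    for label, chunks in cases:
        for pattern in ("Warning*", "confirm|#"):
            r = run_write_mem(chunks, pattern)
            print(f"{label}: pattern {pattern!r} -> reply {r['reply']!r}; "
                  f"last output line: {r['collected'].splitlines()[-1]!r}")
```

Running it shows the two failure modes side by side: with `Warning*` the new-image case returns before the prompt and sends nothing, while the same-image case never matches at all (the real applet would hang until `maxrun`); with `confirm|#` the new-image case sends "y" and the same-image case returns cleanly at the `#` prompt.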

New Member

Crypto Generate script

I've updated it now, as on some routers the default maximum run time was being exceeded. Also changed the action numbers, as when it got to action '10' it appeared second in the list instead of tenth.

Rick

!
kron occurrence crypto_key in 2 oneshot
 policy-list crypto_key
!
kron policy-list crypto_key
 cli event manager run crypto_key
!
event manager applet crypto_key
 event none sync yes maxrun 40
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 1.2 cli command "file prompt quiet"
 action 1.3 cli command "crypto key generate rsa modulus 2048"
 action 1.4 cli command "interface GigabitEthernet0/0"
 action 1.5 cli command "no shut"
 action 1.6 cli command "exit"
 action 1.7 cli command "exit"
 action 1.8 cli command "write mem"
 action 1.9 cli command "end"
!

Cisco Employee

Re: Crypto Generate script

This looks like a big hack.  I would not do this.  Instead, do:

event manager applet crypto_key
 event timer cron cron-entry "@reboot"
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 1.2 cli command "file prompt quiet"
 action 1.3 cli command "crypto key generate rsa modulus 2048"
 action 1.4 cli command "interface GigabitEthernet0/0"
 action 1.5 cli command "no shut"
 action 1.6 cli command "exit"
 action 1.7 cli command "end"
 action 1.8 cli command "write mem"

I think this is what you're trying to do.

New Member

Crypto Generate script

Hi

Thanks for the reply. I like your version as it's just using EEM and removes the kron, but the same issue exists: how do I get the EEM to respond to the below prompt to stop the "wr mem" failing?

Warning: Attempting to overwrite an NVRAM configuration previously written

by a different version of the system image.

Overwrite the previous NVRAM configuration?[confirm]

Thanks

Rick

Cisco Employee

Crypto Generate script

I would try:

 action 1.8 cli command "write mem" pattern ".*"
 action 1.9 regexp "confirm" $_cli_result
 action 2.0 if $_regexp_result eq 1
 action 2.1  cli command "y"
 action 2.2 end

New Member

Re: Crypto Generate script

This looks perfect but I have two questions

1. Does the "@reboot" cover all boot reasons, i.e. reload, power cycle etc.?

2. The reason I ran the kron to trigger the EEM was because I wanted it to be a one-time event, which the kron 'oneshot' allowed me to do; I didn't want a new crypto key generated at every boot. Is there the equivalent of the kron 'oneshot' in EEM?

Our CPE commissioning process is as follows:

1. format flash.

2. copy selected IOS and verify.

3. enable licensing and wr mem.

4. copy new startup-config over existing startup-config.

6. power off router and ship to customer.

7. when the router is first powered on, it creates the crypto key, no shuts the WAN interface and does a wr mem.

Thanks for your time btw.

Rick

Cisco Employee

1. Yes, it covers all reload reasons.

2. I assume this is very new code. So you can just add an action to remove the applet from the config once it runs. After removing it, exit config t and do your write mem, then you're set.
