Risky Router Business

Started by config t, January 25, 2020, 07:56:21 PM


config t

I want to start by saying I REALLY didn't want to do this ASI.

We have an old 3845 serving as a core router and tunnel termination point. Unfortunately nobody can get into it and there is no known backup config for it.

Enter the risky business - nobody here has ever logged into it so I can't say for certain that whatever changes were last made were even saved to the startup config. Still, they wanted to push forward with a password recovery ASI.

In the wee hours of this morning I went through the motions, powered it down, removed the SD card, powered it back on, changed confreg, put the SD card back in, power cycle..

Loaded the startup config to running config.. none of the tunnels came back up and the EIGRP adjacency didn't come up :eek: Wasn't too worried about that since I've seen that happen before when loading start to run.

I was able to get to privilege exec mode but from there I got an "unauthorized" error for any other command (show run, config t, etc). I am guessing this is misconfigured AAA and tacacs commands.

Luckily when I went through the motions again and let it load properly everything came back up and I was able to get it back into production.

So, any ideas on how I can recover this router? My first thought is to do another ASI and try to copy the config from NVRAM to a laptop, edit it and then replace it. Still feels risky, though.



:matrix:

Please don't mistake my experience for intelligence.

config t

I answered my own question..

Going to change the confreg and boot it without the startup config, slap a quick config on it to tftp the file to my laptop, then put it back into production.

deanwebb

Basically, like what we do with gear we get off eBay that hasn't had its config wiped. :smug:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

config t

Actually I ended up learning something.

Now that I know "show startup-config" is a thing I configured PuTTY for "terminal length 0" and printed the output to a text file.

Then it was as simple as using that to config the router and leave out the naughty bits.

Turned out that the router was configured to validate every command with TAC+ but there was no server IP address configured (As I suspected).
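
Added example (not part of the original posts): a Python check that could be run over a captured "show startup-config" text file before reloading it, flagging AAA authorization lists that use "group tacacs+" when the config defines no TACACS+ server, which is the condition found above. The sample config is constructed, the function names are hypothetical, and custom "aaa group server" groups are not examined.

```python
import re

# Constructed sample resembling the thread's situation: command authorization
# points at TACACS+ but no TACACS+ server address is defined anywhere.
SAMPLE_STARTUP_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+
"""

AUTHZ_RE = re.compile(r"^aaa authorization (exec|commands \d+) (\S+) (.+)$")
FALLBACKS = {"local", "none", "if-authenticated"}


def has_tacacs_server(lines):
    """True if 'tacacs-server host' or a 'tacacs server NAME' address exists."""
    in_block = False
    for line in lines:
        if line.startswith("tacacs-server host "):
            return True
        if line.startswith("tacacs server "):
            in_block = True          # newer block-style server definition
        elif not line.startswith(" "):
            in_block = False         # any unindented line closes the block
        elif in_block and line.strip().startswith("address "):
            return True
    return False


def audit_aaa(config_text):
    """Return (config line, has_fallback) for each TACACS+ list with no server."""
    lines = config_text.splitlines()
    if has_tacacs_server(lines):
        return []
    findings = []
    for line in lines:
        m = AUTHZ_RE.match(line.strip())
        if m and "tacacs+" in m.group(3).split():
            methods = m.group(3).split()
            later = set(methods[methods.index("tacacs+") + 1:])
            findings.append((line.strip(), bool(later & FALLBACKS)))
    return findings


if __name__ == "__main__":
    for cfg_line, has_fallback in audit_aaa(SAMPLE_STARTUP_CONFIG):
        note = "relies on fallback method" if has_fallback else "no fallback method"
        print(f"no TACACS+ server, {note}: {cfg_line}")
```

Lines reported with no fallback method are the ones to leave out or correct when rebuilding the config from the captured text.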

deanwebb

Quote from: config t on February 03, 2020, 12:35:37 AM
Turned out that the router was configured to validate every command with TAC+ but there was no server IP address configured (As I suspected).

:caine: