GNS3 – Routers Lose their Certificates When Restarted

KB ID 0000955 

Problem

I was doing some work with PKI and routers today, and after spending ages enrolling all my routers for certificates, I thought I’d save my hard work and return to it later. When I started the project up again, I was less than happy that all the devices’ certificates had ‘Disappeared’!

Solution

This is the default behavior. To change it, select Edit > Preferences > Dynamips, locate ‘Automatically clean the working directory’ and DESELECT it, then click Apply > OK.

Related Articles, References, Credits, or External Links

NA

Cisco Router – Password Recovery /Bypass

KB ID 0000931 

Problem

If you have a Cisco router that you have forgotten the password for, or have been given one, or simply bought one from eBay, you may not know the password. In fact, many years ago an ISP was going to charge me a ridiculous amount of money to put an entry in a router’s routing table; this procedure ‘ahem’ would have allowed me to do it myself, for free, and then reload the router.

Solution

The reason you are able to do this is the router’s configuration register; this is the setting that decides how the system boots and how it operates. Usually it’s set to 0x2102, and you can see this on a working router by running a ‘show version‘ command.

There are a number of different config register settings;

Configuration Register   Router Behavior
0x102                    Ignores break, 9600 console baud
0x1202                   1200 baud rate
0x2101                   Boots into bootstrap, ignores break, boots into ROM if initial boot fails, 9600 console baud rate
0x2102                   Ignores break, boots into ROM if initial boot fails, 9600 console baud rate (default value for most platforms)
0x2120                   Boots into ROMmon, 19200 console speed
0x2122                   Ignores break, boots into ROM if initial boot fails, 19200 console baud rate
0x2124                   NetBoot, ignores break, boots into ROM if initial boot fails, 19200 console speed
0x2142                   Ignores break, boots into ROM if initial boot fails, 9600 console baud rate, ignores the contents of Non-Volatile RAM (NVRAM) (ignores configuration)
0x2902                   Ignores break, boots into ROM if initial boot fails, 4800 console baud rate
0x2922                   Ignores break, boots into ROM if initial boot fails, 38400 console baud rate
0x3122                   Ignores break, boots into ROM if initial boot fails, 57600 console baud rate
0x3902                   Ignores break, boots into ROM if initial boot fails, 2400 console baud rate
0x3922                   Ignores break, boots into ROM if initial boot fails, 115200 console baud rate

The one we are interested in is the one I’ve emboldened above (0x2142). If we can boot the router without loading the config, we can manually load the config whilst we have administrative access, which means we can do what we like (including changing the passwords).

1. Connect a console cable to the router and connect to it using some terminal emulation software (like PuTTY)*. Power cycle the router and, as it starts to boot, press the ‘break’ key (on some keyboards press Ctrl+Break, on others you can simply press the Esc key). You will know you are successful if the router boots into ROMMON mode. Issue the following commands;

[box]

rommon 1 > confreg 0x2142
rommon 2 > reset 

[/box]

*Typically at Baud 9600, 8 bits, 1 Stop Bit, No parity, No flow control.

2. The router will reboot; when prompted, select no so that you do not enter the setup dialog. (Don’t panic, your config is safe in NVRAM!)

3. Now you can go to enable mode without entering a password, and load the router’s startup configuration into memory.

[box]

Router> enable
Router# copy startup-config running-config
Destination filename [running-config]? {Enter}

[/box]

4. You can at this point make any changes you like, but we are here to change the passwords. On this router I want to reset the enable password, and I protect console access with a username and password, so I want to add a new one for myself. Set the configuration register back to its default setting of 0x2102 and save the changes. Then reload the router and make sure you can now get access.

[box]

Petes-Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Petes-Router(config)# enable secret P@ssword123
Petes-Router(config)# username petelong privilege 15 password P@ssword123
Petes-Router(config)# config-register 0x2102
Petes-Router(config)# end
Petes-Router# write memory
Petes-Router# reload
Proceed with reload? [confirm] {Enter}

[/box]

5. And we are in.

Related Articles, References, Credits, or External Links

Cisco Catalyst Password Recovery / Reset

Cisco ASA – Password Recovery / Reset

Cisco PIX (500 Series) Password Recovery / Reset


Cisco ASA 5500 – Reset / Recycle VPN Tunnels

KB ID 0000586 

Problem

I’ve been asked this before and it came up on EE today; basically you have a site to site VPN tunnel and you either want to restart it or reset it.

Solution

Cisco ASA Reset ALL VPN Tunnels

1. Connect to your ASA, then to reset ALL your ISAKMP VPN tunnels use the following command;

[box] clear crypto isakmp sa [/box]

In the example below I’ve reset ALL my tunnels. I had a constant ping running across the VPN, and it only dropped one packet before the tunnel established again.

WARNING: This will reset ALL ISAKMP VPN tunnels (both site to site, and client to gateway).

Cisco ASA Reset One VPN Tunnel

1. If you just want to reset one site to site VPN then you need to reset the IPSEC SA to the peer (IP Address of the other end of the tunnel). Use the following command;

[box] clear ipsec sa peer X.X.X.X [/box]

Unlike above, in the example below I’ve reset just ONE tunnel. I had a constant ping running across the VPN, and it only dropped one packet before the tunnel established again.

Cisco ASA Check VPN Uptime

Just to prove this isn’t all smoke and mirrors, after the tunnel has re-connected you can check its uptime with the following command;

[box] show vpn-sessiondb detail l2l [/box]


Related Articles, References, Credits, or External Links

Cisco ASA5500 Site to Site VPN from ASDM


Cisco ASA 5500-X Restart the FirePOWER Service Module

KB ID 0001101 

Problem

I’ve only just recently started to work with these; the advantage of them is that they are great for SOHO and SMB, and they don’t need additional SSD drives installing.

Note: This procedure also works on the larger ASA5500-X firewalls that have FirePOWER installed on an internal SSD drive (i.e. 5512, 5515, 5525, 5545 etc.)

While getting them to work with a Sourcefire appliance, I had to ‘bounce’ the module a few times.

Note: the following procedure will not affect traffic flowing through the firewall unless you have your SFR module set to ‘fail-closed’ (in which case traffic that is redirected to the module is dropped while the module is down).

Solution

1. First things first, check the status of the module.

[box]

Petes-ASA> enable
Password: *******
Petes-ASA# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506            JAD1912XXXX
 sfr FirePOWER Services Software Module           ASA5506            JAD1912XXXX

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 a46c.2a99.dfbe to a46c.2a99.eeee  1.0          1.1.1        9.3(2)2
 sfr a46c.2a99.dfbd to a46c.2a99.ffff  N/A          N/A          5.4.1-211

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               5.4.1-211

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up               Up

[/box]

2. To reload the module issue the following command;

[box]

Petes-ASA# sw-module module sfr reload

Reload module sfr? [confirm] {Enter}
Reload issued for module sfr.
Petes-ASA#

[/box]

3. It usually only takes a couple of minutes, but you can use the show module command to keep an eye on it.

[box]

Petes-ASA# show module
-----Output removed for the sake of brevity----

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Reload             Not Applicable
-----Output removed for the sake of brevity----

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Init             Not Applicable


-----Output removed for the sake of brevity----

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up               Up

[/box]
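If you would rather script the ‘keep an eye on it’ step, here is an added Python helper (not code from the original article) that reads the Status table of ‘show module’ and reports whether the sfr module and its data plane are back Up. The sample output is constructed from the output shown above.

```python
import re

# Constructed sample modelled on the 'show module' output above, captured
# while the module is still reloading.
SAMPLE_SHOW_MODULE = """\
Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506            JAD1912XXXX
 sfr FirePOWER Services Software Module           ASA5506            JAD1912XXXX

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Reload             Not Applicable
"""

# Slot, then a status that may contain one space ("Up Sys"), then two or
# more spaces, then the data plane status ("Not Applicable" or "Up").
_ROW_RE = re.compile(r"^\s*(\d+|\w+)\s+(.+?)\s{2,}(.+?)\s*$")

def module_status(show_module):
    """Map each slot in the 'Mod  Status  Data Plane Status' table to
    a (status, data_plane_status) tuple."""
    rows, in_table = {}, False
    for line in show_module.splitlines():
        if line.startswith("Mod") and "Data Plane Status" in line:
            in_table = True
            continue
        if not in_table:
            continue
        if not line.strip():
            break                       # blank line ends the table
        if line.startswith("----"):
            continue                    # column underline
        m = _ROW_RE.match(line)
        if m:
            rows[m.group(1)] = (m.group(2), m.group(3))
    return rows

def sfr_ready(show_module):
    """True only when the sfr module and its data plane are both Up."""
    return module_status(show_module).get("sfr") == ("Up", "Up")
```

Run ‘show module’ in a loop and stop when sfr_ready() returns True; Reload and Init both mean the module is still on its way back.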


Related Articles, References, Credits, or External Links

NA