Device management and management tool troubleshooting - Part III

Password Encryption Level
All passwords are stored in plain text by default in the IOS configuration. When security matters, it is recommended to encrypt or hash them. Let's look at the output of the #show run | section username command.


Here 0 means no encryption, 4 means SHA-256 and 5 means MD5. From strongest to weakest the levels are 4, 5, 7 and then 0. Level 7 is produced by the #service password-encryption command; level 4 is produced by the secret keyword, which is the default for secret in IOS 15.0 and later. If you want level 5 (the default in IOS 12.4 and earlier), use the secret 5 keyword and supply the MD5 hash itself, not the clear-text password.
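The following is an added example, not part of the original post: a small Python audit that reads the text of #show run | section username (or a whole running config), works out the storage level of each credential and flags the ones still at level 0 (clear text) or level 7 (reversible service password-encryption). The sample config and its hash strings are constructed placeholders, not real device output; levels 8 and 9 are later IOS storage types that the post does not cover and are listed only for completeness.

```python
"""Audit password storage types in Cisco IOS configuration text.

Added example: parses 'show run | section username' (or a whole running
config) and flags credentials stored at level 0 (clear text) or level 7
(reversible service password-encryption). The sample config below is
constructed; the hash values are placeholders."""
import re
from dataclasses import dataclass

# Matches 'username <name> [privilege N] password|secret [<type>] <value>'
# and 'enable password|secret [<type>] <value>'. The type digit is optional
# because a 'password' line with no digit is stored as type 0.
CRED_RE = re.compile(
    r"^\s*(?:username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?|(?P<enable>enable))"
    r"\s+(?P<kw>password|secret)\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)

# Levels 0, 4, 5 and 7 are the ones the post describes; 8 and 9 are later
# IOS types (PBKDF2-SHA-256 and scrypt) listed here for completeness.
TYPE_DESC = {
    "0": "clear text",
    "4": "SHA-256 hash",
    "5": "MD5 hash",
    "7": "reversible encryption (service password-encryption)",
    "8": "PBKDF2-SHA-256 hash",
    "9": "scrypt hash",
}
WEAK_TYPES = {"0", "7"}   # recoverable without cracking a hash


@dataclass
class Finding:
    principal: str      # username, or 'enable' for the enable password
    keyword: str        # 'password' or 'secret'
    storage_type: str   # the digit after the keyword, '0' if absent
    weak: bool
    advice: str


def audit_credentials(config_text):
    """Return one Finding per credential line found in config_text."""
    findings = []
    for line in config_text.splitlines():
        m = CRED_RE.match(line)
        if not m:
            continue
        principal = m.group("user") or "enable"
        stype = m.group("type") or "0"
        weak = stype in WEAK_TYPES
        if weak:
            advice = ("re-enter with the 'secret' keyword so IOS stores a hash "
                      f"instead of {TYPE_DESC[stype]}")
        else:
            advice = f"ok: stored as {TYPE_DESC.get(stype, 'unknown type ' + stype)}"
        findings.append(Finding(principal, m.group("kw"), stype, weak, advice))
    return findings


def weak_principals(config_text):
    """Names whose credential is stored at a weak level, in config order."""
    return [f.principal for f in audit_credentials(config_text) if f.weak]


# Constructed sample; hashes are placeholders, not real IOS output.
SAMPLE_CONFIG = """\
username admin privilege 15 password 0 Cisco123
username ops password 7 14141B180F0B2B3B
username netadmin privilege 15 secret 5 $1$abcd$placeholder.md5.hash.value
username auditor secret 4 placeholderSHA256hashValue00000000000000000
enable secret 5 $1$wxyz$placeholder.md5.hash.value2
"""

if __name__ == "__main__":
    for f in audit_credentials(SAMPLE_CONFIG):
        flag = "WEAK" if f.weak else "ok  "
        print(f"{flag} {f.principal:<10} {f.keyword:<8} type {f.storage_type}: {f.advice}")
```

Run it against a saved copy of the running config; anything it marks WEAK is a credential that can be read straight out of a configuration backup, which is why the post recommends the secret keyword over password plus service password-encryption.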

Remote Transfer Troubleshooting
To upgrade the IOS image or other files stored on the device, you need a transfer protocol such as TFTP, SCP, HTTP or HTTPS.

TFTP is an insecure file transfer protocol that can be used to copy files to or from a Cisco device via a TFTP server. It uses UDP port 69 and is unreliable. If you need a reliable transfer between devices, use a TCP-based protocol instead. Consider the following points when troubleshooting TFTP issues.
  • When copying to the TFTP server, make sure the server has enough storage space.
  • When copying from the TFTP server to the Cisco device, make sure the device has enough free space. Use the #show flash command to verify the amount of free space. If the file is larger than the available free space, the IOS starts the copy and then shows the message ''buffer overflow – xxxx/xxxx'', where the first number is the bytes read from the source and the second is the bytes available on the destination.
  • Ensure the TFTP server is reachable from the router.
  • Check whether an ACL is blocking TFTP traffic.
  • If you are using the management interface for TFTP traffic, use the #ip tftp source-interface interface_type interface_number command to specify the management interface as the source of TFTP traffic.
  • Check that you used the copy command correctly: copy source destination.
  • From the TFTP server to flash: #copy tftp://10.0.3.8/cisco_ios_file/c3900-universalk9-mz.SPA.156-3.M6a.bin flash:c3900-universalk9-mz.SPA.156-3.M6a.bin
  • From flash to a remote server: #copy flash:c3900-universalk9-mz.SPA.156-3.M6a.bin http://10.0.3.8/cisco_ios_file/c3900-universalk9-mz.SPA.156-3.M6a.bin
  • When copying to flash, make sure the file name is not longer than 63 characters, which is the limit for file names in flash memory.
HTTP(S)
HTTP is an insecure protocol that uses TCP port 80. HTTPS (TCP port 443) is more secure; both can be used to copy Cisco IOS image files, core files, configuration files, logs and more from a remote web server. Let's see what needs to be considered when troubleshooting HTTP(S).
  • Make sure the router supports the HTTP client: run the #show ip http client all command. If the command is accepted, the client is supported.
  • Check that the router can connect to the web server (ping it).
  • Check that the correct URL/IP is configured in the copy command. The copy command needs a source and a destination. For example, when copying from the web server to flash, the source is the web server: #copy http://10.0.3.8/cisco_ios_file/c3900-universalk9-mz.SPA.156-3.M6a.bin flash:c3900-universalk9-mz.SPA.156-3.M6a.bin
  • When copying from flash to the web server, the destination is the web server: #copy flash:c3900-universalk9-mz.SPA.156-3.M6a.bin http://10.0.3.8/cisco_ios_file/c3900-universalk9-mz.SPA.156-3.M6a.bin
  • Check that the correct file name is specified in the copy command.
  • Use the correct username and password. Here username = user1 and password = mypassword: #copy http://user1:mypassword@10.0.3.8/cisco_ios_file/c3900-universalk9-mz.SPA.156-3.M6a.bin flash:c3900-universalk9-mz.SPA.156-3.M6a.bin
  • You can also configure the credentials with the #ip http client username username and #ip http client password password commands. Note: a username/password given in the copy command overrides these commands.
  • Check that the correct port is specified in the copy command. HTTP uses port 80 by default, but the web server can be configured to listen on any port, for example 8080: #copy http://user1:mypassword@10.0.3.8:8080/cisco_ios_file/c3900-universalk9-mz.SPA.156-3.M6a.bin flash:c3900-universalk9-mz.SPA.156-3.M6a.bin
  • Check that packets from the router to the web server are sourced from the correct IP address. If not, an ACL on the path may be dropping them. To set the source interface, use the #ip http client source-interface interface-id command.
  • Make sure you use the correct protocol: if you are connecting to an HTTP web server, the URL begins with http, and for HTTPS it begins with https.
  • For additional HTTP troubleshooting and copy issues, use the #debug ip http client all command.
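The TFTP and HTTP(S) checklists above share the same handful of mechanical checks: the copy source destination form, file size against free space, the 63-character flash file name limit, and the scheme, host, port and credentials embedded in the URL. The following is an added example, not code from the original post, that runs those checks on a copy command before it is typed into the router. The byte counts are supplied by the operator (read from the server and from #show flash); nothing is probed. The 10.0.3.8 URLs in the tests are the ones from the post; the set of local filesystem names is an assumption.

```python
"""Preflight checks for a Cisco IOS 'copy' command.

Added example covering the TFTP and HTTP(S) checklist items on the page:
the copy <source> <destination> form, free space versus file size, the
63-character flash file name limit, and scheme/port/credentials in the
URL. Sizes are passed in by the operator; nothing is probed."""
from urllib.parse import urlsplit

FLASH_NAME_LIMIT = 63                          # limit stated on the page
DEFAULT_PORTS = {"tftp": 69, "http": 80, "https": 443, "scp": 22}
# Assumed set of local filesystem prefixes; extend for your platform.
LOCAL_FILESYSTEMS = {"flash", "flash0", "bootflash", "nvram", "disk0", "usbflash0"}


def parse_operand(token):
    """Split one operand: scheme://[user:pass@]host[:port]/path or fs:path."""
    if "://" in token:
        u = urlsplit(token)
        scheme = u.scheme.lower()
        return {"remote": True, "scheme": scheme, "host": u.hostname,
                "port": u.port or DEFAULT_PORTS.get(scheme),
                "path": u.path, "user": u.username, "password": u.password}
    fs, _, path = token.partition(":")
    return {"remote": False, "scheme": fs.lower(), "host": None, "port": None,
            "path": path, "user": None, "password": None}


def basename(path):
    """Last path component, independent of the host OS path separator."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def preflight(command, file_size=None, free_bytes=None):
    """Return (level, message) findings; level is 'error', 'warn' or 'info'."""
    findings = []
    tokens = command.lstrip("#").split()
    if len(tokens) != 3 or tokens[0] != "copy":
        return [("error", "expected the form: copy <source> <destination>")]
    src, dst = parse_operand(tokens[1]), parse_operand(tokens[2])

    for role, op in (("source", src), ("destination", dst)):
        if op["remote"]:
            if op["scheme"] not in DEFAULT_PORTS:
                findings.append(("error", f"{role}: unsupported scheme '{op['scheme']}'"))
            elif not op["host"]:
                findings.append(("error", f"{role}: no host in URL"))
            else:
                proto = "UDP" if op["scheme"] == "tftp" else "TCP"
                findings.append(("info", f"{role}: {op['scheme']} to {op['host']} on "
                                 f"{proto} port {op['port']}; check reachability and ACLs"))
                if op["scheme"] == "tftp":
                    findings.append(("warn", f"{role}: TFTP is unauthenticated and runs over "
                                     "unreliable UDP/69; prefer a TCP-based protocol"))
                if op["user"] and op["scheme"] in ("http", "https"):
                    findings.append(("info", f"{role}: credentials in the URL override "
                                     "'ip http client username/password'"))
        else:
            if op["scheme"] not in LOCAL_FILESYSTEMS:
                findings.append(("warn", f"{role}: unrecognised filesystem '{op['scheme']}:'"))
            name = basename(op["path"])
            if len(name) > FLASH_NAME_LIMIT:
                findings.append(("error", f"{role}: file name is {len(name)} characters, "
                                 f"flash allows at most {FLASH_NAME_LIMIT}"))

    # Free-space check only makes sense when the destination is local flash.
    if (not dst["remote"] and file_size is not None and free_bytes is not None
            and file_size > free_bytes):
        findings.append(("error", f"file ({file_size} bytes) exceeds free space "
                         f"({free_bytes} bytes): IOS would report "
                         f"'buffer overflow - {file_size}/{free_bytes}'"))

    src_name, dst_name = basename(src["path"]), basename(dst["path"])
    if src_name and dst_name and src_name != dst_name:
        findings.append(("warn", "source and destination file names differ; "
                         "confirm the file name in the copy command"))
    return findings


def has_errors(findings):
    return any(level == "error" for level, _ in findings)
```

Call preflight() with the exact command string you intend to paste, plus the image size and the free space reported by #show flash; an 'error' finding means the copy will fail or overflow, a 'warn' is something to double-check, and the 'info' lines tell you which host and port your reachability and ACL checks need to cover.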
SCP (Secure Copy Protocol)
SCP can copy files from a storage location to a router. It relies on SSH to provide an authenticated method of transferring files, and it requires AAA to be enabled so that the router knows the user is authorized to copy. Let's see a sample SCP configuration on a Cisco router.

Let's consider what needs to be checked when troubleshooting SCP.
  • Check that SSH, authentication and authorization are configured correctly.
  • Check that an RSA key is available and can be used for encryption.
  • Check that AAA is configured correctly and is functioning.
  • Check that SCP is enabled on the router. If not, use the #ip scp server enable command to enable it.
  • Check that the copy command is used correctly.
  • Verify that the correct username/password are used in the copy command. If you are using an external authentication server, verify the credentials on the server.
  • For additional troubleshooting, use the #debug ip scp command.
  • Below is a copy from flash to the SCP server (10.0.3.8) using the username ENARSI. Even if you did not include the password in the copy command, the CLI prompts you for it.
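The first four SCP checks above (SSH, AAA authentication and authorization, an authorized user, and ip scp server enable) can all be read off the running config. The following is an added example, not the post's own code, that lints a saved running config for those prerequisites. The sample config is constructed; the command lines it looks for are standard IOS syntax, but the method names (default, local) in the sample are assumptions, and the regexes only check that a login authentication and an exec authorization method list exist. The RSA key pair is not part of the running config (verify it with #show crypto key mypubkey rsa), so it is deliberately not checked here.

```python
"""Lint a Cisco IOS running config for the SCP server prerequisites the
page lists: AAA, SSH, an authorized local user and 'ip scp server enable'.
Added example; the sample config is constructed."""
import re

# Each requirement is (label, regex applied to one config line).
GLOBAL_REQUIREMENTS = [
    ("AAA enabled", r"^aaa new-model$"),
    ("login authentication method list", r"^aaa authentication login \S+ "),
    ("exec authorization method list", r"^aaa authorization exec \S+ "),
    ("SSH version 2", r"^ip ssh version 2$"),
    ("SCP server enabled", r"^ip scp server enable$"),
    ("privilege 15 local user with a hashed secret",
     r"^username \S+ privilege 15 secret "),
]
VTY_REQUIREMENT = "vty lines with 'transport input ssh'"


def vty_blocks(lines):
    """Yield the indented body (list of stripped lines) of each 'line vty' block."""
    body, in_vty = [], False
    for raw in lines + [""]:            # sentinel flushes a trailing block
        if raw.startswith("line vty"):
            if in_vty:
                yield body
            body, in_vty = [], True
        elif in_vty and raw.startswith(" "):
            body.append(raw.strip())
        elif in_vty:                    # '!' or the next top-level command
            yield body
            body, in_vty = [], False


def scp_prerequisites(config_text):
    """Return the labels of missing prerequisites; an empty list means all present."""
    lines = config_text.splitlines()
    missing = [label for label, pattern in GLOBAL_REQUIREMENTS
               if not any(re.match(pattern, line) for line in lines)]
    blocks = list(vty_blocks(lines))
    if not blocks:
        missing.append(VTY_REQUIREMENT)
    else:
        for body in blocks:
            transport = [l for l in body if l.startswith("transport input")]
            # 'transport input all' also admits SSH; anything else is a gap.
            if not any(("ssh" in l or l.endswith(" all")) for l in transport):
                missing.append(VTY_REQUIREMENT)
                break
    return missing


# Constructed sample with every prerequisite present; the hash is a placeholder.
GOOD_CONFIG = """\
hostname R1
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username ENARSI privilege 15 secret 5 $1$abcd$placeholder.hash
ip ssh version 2
ip scp server enable
line vty 0 4
 transport input ssh
 login authentication default
!
"""

if __name__ == "__main__":
    missing = scp_prerequisites(GOOD_CONFIG)
    print("all SCP prerequisites present" if not missing else "missing: " + ", ".join(missing))
```

Run it over #show running-config output before reaching for debug ip scp; each label it returns maps to one of the checks in the list above, which narrows the debug session to the items that are actually absent rather than the ones you only suspect.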


In Part IV we will discuss management tools troubleshooting and more. Subscribe to our blog to keep up with the latest articles.

Cheers!