[c-nsp] ASR920 and EEM:Mandatory.dualrate_eem.tcl

Jared Mauch jared at puck.nether.net
Mon Aug 26 09:09:55 EDT 2019 

I’ll say this in public (now) - Changing the security posture on the VTYs is a great reason to not use this product at the moment.  I’ve seen many people not monitor their devices for these types of changes, and this is a great case to study.

Time for some retraining of people.

- Jared

> On Aug 26, 2019, at 9:07 AM, Aaron <dudepron at gmail.com> wrote:
> 
> Any unexpected config change should be an automatic tac case.
> Totally unexpected. Reminds me of the days when swapping a flash card on a
> gsr could crash it.
> This is a new one .
> 
> On Monday, August 26, 2019, Gert Doering <gert at greenie.muc.de> wrote:
> 
>> Hi,
>> 
>> does anyone know what "EEM:Mandatory.dualrate_eem.tcl" is?
>> 
>> We have an ASR920 that grew an unexpected config change upon insertion
>> of a DAC cable into port ten0/0/12, and "unexpected config change" always
>> triggers an investigation here (who, why, what).  One part of it was
>> somewhat related
>> 
>> interface TenGigabitEthernet0/0/12
>>  description ...
>>  no ip address
>> + negotiation auto
>>  service instance 200 ethernet
>> 
>> ... but the other part was more interesting
>> 
>> line vty 0 4
>>  access-class 9 in
>> - exec-timeout 240 0
>>  ipv6 access-class VTY-v6 in
>> - transport input telnet ssh
>> + transport preferred none
>> + transport input none
>> + transport output none
>>  escape-character 3
>> 
>> "uh, what?".  So we investigated and found a few log messages about that
>> script...
>> 
>> Aug 20 13:45:30 CEST: %TRANSCEIVER-6-INSERTED:  F0: iomd:  transceiver
>> module inserted in TenGigabitEthernet0/0/12
>> <SNIP>
>> Aug 20 13:45:45 CEST: %IOSXE_SPA-6-DUAL_RATE_CHANGE:
>> TenGigabitEthernet0/0/12: MODE_1G
>> Aug 20 13:45:47 CEST: %SYS-5-CONFIG_I: Configured from console by  on vty1
>> (EEM:Mandatory.dualrate_eem.tcl)
>> Aug 20 13:46:14 CEST: %SYS-5-CONFIG_I: Configured from console by  on vty1
>> (EEM:Mandatory.dualrate_eem.tcl)
>> Aug 20 13:46:15 CEST: %SYS-5-CONFIG_I: Configured from console by  on vty0
>> (EEM:Mandatory.dualrate_eem.tcl)
>> Aug 20 13:46:17 CEST: %TRANSCEIVER-6-REMOVED:  F0: iomd:  Transceiver
>> module removed from TenGigabitEthernet0/0/12
>> Aug 20 13:46:20 CEST: %IOSXE-5-PLATFORM:  F0: Aug 20 13:46:20
>> %SYSTEM-3-SYSTEM_SHELL_LOG: Shell started: vty 1
>> Aug 20 13:46:20 CEST: %IOSXE-5-PLATFORM:  F0: Aug 20 13:46:20
>> %SYSTEM-3-SYSTEM_SHELL_LOG: 2019/08/20 13:46:19 : Shell access was granted
>> to user <anon>; Trace file: , /harddisk/tracelogs/system_
>> shell_R0-0.2264_0.20190820134619.bin
>> ug 20 13:46:26 CEST: %HA_EM-6-LOG: Mandatory.dualrate_eem.tcl:
>> DUAL_RATE_CHANGE Re-configuration of interface TenGigabitEthernet0/0/12 to
>> start re-configuring
>> Aug 20 13:46:28 CEST: %SYS-5-CONFIG_I: Configured from console by  on vty1
>> (EEM:Mandatory.dualrate_eem.tcl)
>> Aug 20 13:46:39 CEST: %SYS-5-CONFIG_C: Running-config file is Modified
>> 
>> 
>> ... and 441 (!!) lines in the tacacs command accounting log, which
>> mostly looked like "it replayed the whole config, line by line"...
>> until it hit the vty section, which then got messed up...
>> 
>> Aug 20 13:47:08 router     unknown tty3    EEM:Mandatory.dualrate_eem.tcl
>> stop    task_id=2166    timezone=CEST   service=shell
>> start_time=1566301628    priv-lvl=15     cmd=configure terminal <cr>
>> Aug 20 13:47:09 router     unknown tty3    EEM:Mandatory.dualrate_eem.tcl
>> stop    task_id=2167    timezone=CEST   service=shell
>> start_time=1566301629    priv-lvl=15     cmd=line vty 0 4 <cr>
>> Aug 20 13:47:09 router     unknown tty3    EEM:Mandatory.dualrate_eem.tcl
>> stop    task_id=2168    timezone=CEST   service=shell
>> start_time=1566301629    priv-lvl=15     cmd=no login authentication <cr>
>> Aug 20 13:47:09 router     unknown tty3    EEM:Mandatory.dualrate_eem.tcl
>> stop    task_id=2169    timezone=CEST   service=shell
>> start_time=1566301629    priv-lvl=15     cmd=no authorization exec <cr>
>> Aug 20 13:47:09 router     unknown tty3    EEM:Mandatory.dualrate_eem.tcl
>> stop    task_id=2170    timezone=CEST   service=shell
>> start_time=1566301629    priv-lvl=15     cmd=no authorization commands 15
>> <cr>
>> Aug 20 13:47:10 router     unknown tty3    EEM:Mandatory.dualrate_eem.tcl
>> stop    task_id=2171    timezone=CEST   service=shell
>> start_time=1566301630    priv-lvl=15     cmd=no transport preferred <cr>
>> ...
>> Aug 20 13:47:10 router     unknown tty3    EEM:Mandatory.dualrate_eem.tcl
>> stop    task_id=2174    timezone=CEST   service=shell
>> start_time=1566301630    priv-lvl=15     cmd=no exec-timeout <cr>
>> Aug 20 13:47:11 router     unknown tty3    EEM:Mandatory.dualrate_eem.tcl
>> stop    task_id=2175    timezone=CEST   service=shell
>> start_time=1566301631    priv-lvl=1      cmd=no length <cr>
>> Aug 20 13:47:11 router     unknown tty2    EEM:Mandatory.dualrate_eem.tcl
>> stop    task_id=2177    timezone=CEST   service=shell
>> start_time=1566301631    priv-lvl=15     cmd=write memory <cr>
>> 
>> 
>> shall I state that I find this a somewhat surprising behaviour?
>> 
>> Haven't opened a TAC case yet (no time) but hopefully someone here
>> has see this before and found some more useful results.
>> 
>> gert
>> --
>> "If was one thing all people took for granted, was conviction that if you
>> feed honest figures into a computer, honest figures come out. Never
>> doubted
>> it myself till I met a computer with a sense of humor."
>>                             Robert A. Heinlein, The Moon is a Harsh
>> Mistress
>> 
>> Gert Doering - Munich, Germany
>> gert at greenie.muc.de
>> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list