[c-nsp] ASR920 and EEM:Mandatory.dualrate_eem.tcl
Brian Turnbow
b.turnbow at twt.it
Mon Aug 26 09:21:42 EDT 2019
The dualrate script is for changing from 1G to 10G and vice versa.
So asr920 needs a vty access to run the script in telnet and since there is
not one available it removes ssh
Nice workaround!
More info here
https://www.cisco.com/c/en/us/td/docs/routers/asr920/b_Chassis_Guide_asr920/console-port.html
Brian
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Jared Mauch
> Sent: lunedì 26 agosto 2019 15:10
> To: Aaron
> Cc: Gert Doering; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ASR920 and EEM:Mandatory.dualrate_eem.tcl
>
> I’ll say this in public (now) - Changing the security posture on the VTYs
> is a
> great reason to not use this product at the moment. I’ve seen many people
> not monitor their devices for these types of changes, and this is a great
> case
> to study.
>
> Time for some retraining of people.
>
> - Jared
>
> > On Aug 26, 2019, at 9:07 AM, Aaron <dudepron at gmail.com> wrote:
> >
> > Any unexpected config change should be an automatic tac case.
> > Totally unexpected. Reminds me of the days when swapping a flash card
> > on a gsr could crash it.
> > This is a new one .
> >
> > On Monday, August 26, 2019, Gert Doering <gert at greenie.muc.de> wrote:
> >
> >> Hi,
> >>
> >> does anyone know what "EEM:Mandatory.dualrate_eem.tcl" is?
> >>
> >> We have an ASR920 that grew an unexpected config change upon
> >> insertion of a DAC cable into port ten0/0/12, and "unexpected config
> >> change" always triggers an investigation here (who, why, what). One
> >> part of it was somewhat related
> >>
> >> interface TenGigabitEthernet0/0/12
> >> description ...
> >> no ip address
> >> + negotiation auto
> >> service instance 200 ethernet
> >>
> >> ... but the other part was more interesting
> >>
> >> line vty 0 4
> >> access-class 9 in
> >> - exec-timeout 240 0
> >> ipv6 access-class VTY-v6 in
> >> - transport input telnet ssh
> >> + transport preferred none
> >> + transport input none
> >> + transport output none
> >> escape-character 3
> >>
> >> "uh, what?". So we investigated and found a few log messages about
> >> that script...
> >>
> >> Aug 20 13:45:30 CEST: %TRANSCEIVER-6-INSERTED: F0: iomd:
> >> transceiver module inserted in TenGigabitEthernet0/0/12 <SNIP> Aug 20
> >> 13:45:45 CEST: %IOSXE_SPA-6-DUAL_RATE_CHANGE:
> >> TenGigabitEthernet0/0/12: MODE_1G
> >> Aug 20 13:45:47 CEST: %SYS-5-CONFIG_I: Configured from console by on
> >> vty1
> >> (EEM:Mandatory.dualrate_eem.tcl)
> >> Aug 20 13:46:14 CEST: %SYS-5-CONFIG_I: Configured from console by on
> >> vty1
> >> (EEM:Mandatory.dualrate_eem.tcl)
> >> Aug 20 13:46:15 CEST: %SYS-5-CONFIG_I: Configured from console by on
> >> vty0
> >> (EEM:Mandatory.dualrate_eem.tcl)
> >> Aug 20 13:46:17 CEST: %TRANSCEIVER-6-REMOVED: F0: iomd:
> Transceiver
> >> module removed from TenGigabitEthernet0/0/12 Aug 20 13:46:20 CEST:
> >> %IOSXE-5-PLATFORM: F0: Aug 20 13:46:20
> >> %SYSTEM-3-SYSTEM_SHELL_LOG: Shell started: vty 1 Aug 20 13:46:20
> >> CEST: %IOSXE-5-PLATFORM: F0: Aug 20 13:46:20
> >> %SYSTEM-3-SYSTEM_SHELL_LOG: 2019/08/20 13:46:19 : Shell access was
> >> granted to user <anon>; Trace file: , /harddisk/tracelogs/system_
> >> shell_R0-0.2264_0.20190820134619.bin
> >> ug 20 13:46:26 CEST: %HA_EM-6-LOG: Mandatory.dualrate_eem.tcl:
> >> DUAL_RATE_CHANGE Re-configuration of interface
> >> TenGigabitEthernet0/0/12 to start re-configuring Aug 20 13:46:28
> >> CEST: %SYS-5-CONFIG_I: Configured from console by on vty1
> >> (EEM:Mandatory.dualrate_eem.tcl)
> >> Aug 20 13:46:39 CEST: %SYS-5-CONFIG_C: Running-config file is
> >> Modified
> >>
> >>
> >> ... and 441 (!!) lines in the tacacs command accounting log, which
> >> mostly looked like "it replayed the whole config, line by line"...
> >> until it hit the vty section, which then got messed up...
> >>
> >> Aug 20 13:47:08 router unknown tty3
> EEM:Mandatory.dualrate_eem.tcl
> >> stop task_id=2166 timezone=CEST service=shell
> >> start_time=1566301628 priv-lvl=15 cmd=configure terminal <cr>
> >> Aug 20 13:47:09 router unknown tty3
> EEM:Mandatory.dualrate_eem.tcl
> >> stop task_id=2167 timezone=CEST service=shell
> >> start_time=1566301629 priv-lvl=15 cmd=line vty 0 4 <cr>
> >> Aug 20 13:47:09 router unknown tty3
> EEM:Mandatory.dualrate_eem.tcl
> >> stop task_id=2168 timezone=CEST service=shell
> >> start_time=1566301629 priv-lvl=15 cmd=no login authentication
> >> <cr>
> >> Aug 20 13:47:09 router unknown tty3
> EEM:Mandatory.dualrate_eem.tcl
> >> stop task_id=2169 timezone=CEST service=shell
> >> start_time=1566301629 priv-lvl=15 cmd=no authorization exec <cr>
> >> Aug 20 13:47:09 router unknown tty3
> EEM:Mandatory.dualrate_eem.tcl
> >> stop task_id=2170 timezone=CEST service=shell
> >> start_time=1566301629 priv-lvl=15 cmd=no authorization commands
> 15
> >> <cr>
> >> Aug 20 13:47:10 router unknown tty3
> EEM:Mandatory.dualrate_eem.tcl
> >> stop task_id=2171 timezone=CEST service=shell
> >> start_time=1566301630 priv-lvl=15 cmd=no transport preferred
> >> <cr>
> >> ...
> >> Aug 20 13:47:10 router unknown tty3
> EEM:Mandatory.dualrate_eem.tcl
> >> stop task_id=2174 timezone=CEST service=shell
> >> start_time=1566301630 priv-lvl=15 cmd=no exec-timeout <cr>
> >> Aug 20 13:47:11 router unknown tty3
> EEM:Mandatory.dualrate_eem.tcl
> >> stop task_id=2175 timezone=CEST service=shell
> >> start_time=1566301631 priv-lvl=1 cmd=no length <cr>
> >> Aug 20 13:47:11 router unknown tty2
> EEM:Mandatory.dualrate_eem.tcl
> >> stop task_id=2177 timezone=CEST service=shell
> >> start_time=1566301631 priv-lvl=15 cmd=write memory <cr>
> >>
> >>
> >> shall I state that I find this a somewhat surprising behaviour?
> >>
> >> Haven't opened a TAC case yet (no time) but hopefully someone here
> >> has see this before and found some more useful results.
> >>
> >> gert
> >> --
> >> "If was one thing all people took for granted, was conviction that if
> >> you feed honest figures into a computer, honest figures come out.
> >> Never doubted it myself till I met a computer with a sense of humor."
> >> Robert A. Heinlein, The Moon is a Harsh
> >> Mistress
> >>
> >> Gert Doering - Munich, Germany
> >> gert at greenie.muc.de
> >>
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list