[c-nsp] ASR920 and EEM:Mandatory.dualrate_eem.tcl

Aaron dudepron at gmail.com
Mon Aug 26 10:00:29 EDT 2019


And to not reset the configuration back... How is that for security....

On Mon, Aug 26, 2019 at 9:21 AM Brian Turnbow <b.turnbow at twt.it> wrote:

> The dualrate script is for changing from 1G to 10G  and vice versa.
> So asr920 needs a vty access to run the script in telnet and since there is
> not one available it removes ssh
> Nice workaround!
>
> More info here
>
> https://www.cisco.com/c/en/us/td/docs/routers/asr920/b_Chassis_Guide_asr920/console-port.html
>
>
>
>
> Brian
>
> > -----Original Message-----
> > From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jared Mauch
> > Sent: Monday, 26 August 2019 15:10
> > To: Aaron
> > Cc: Gert Doering; cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] ASR920 and EEM:Mandatory.dualrate_eem.tcl
> >
> > I’ll say this in public (now) - Changing the security posture on the VTYs
> > is a great reason to not use this product at the moment.  I’ve seen many
> > people not monitor their devices for these types of changes, and this is a
> > great case to study.
> >
> > Time for some retraining of people.
> >
> > - Jared
> >
> > > On Aug 26, 2019, at 9:07 AM, Aaron <dudepron at gmail.com> wrote:
> > >
> > > Any unexpected config change should be an automatic tac case.
> > > Totally unexpected. Reminds me of the days when swapping a flash card
> > > on a gsr could crash it.
> > > > This is a new one.
> > >
> > > On Monday, August 26, 2019, Gert Doering <gert at greenie.muc.de> wrote:
> > >
> > >> Hi,
> > >>
> > >> does anyone know what "EEM:Mandatory.dualrate_eem.tcl" is?
> > >>
> > >> We have an ASR920 that grew an unexpected config change upon
> > >> insertion of a DAC cable into port ten0/0/12, and "unexpected config
> > >> change" always triggers an investigation here (who, why, what).  One
> > >> part of it was somewhat related
> > >>
> > >> interface TenGigabitEthernet0/0/12
> > >>  description ...
> > >>  no ip address
> > >> + negotiation auto
> > >>  service instance 200 ethernet
> > >>
> > >> ... but the other part was more interesting
> > >>
> > >> line vty 0 4
> > >>  access-class 9 in
> > >> - exec-timeout 240 0
> > >>  ipv6 access-class VTY-v6 in
> > >> - transport input telnet ssh
> > >> + transport preferred none
> > >> + transport input none
> > >> + transport output none
> > >>  escape-character 3
> > >>
> > >> "uh, what?".  So we investigated and found a few log messages about
> > >> that script...
> > >>
> > > >> Aug 20 13:45:30 CEST: %TRANSCEIVER-6-INSERTED:  F0: iomd: transceiver module inserted in TenGigabitEthernet0/0/12
> > > >> <SNIP>
> > > >> Aug 20 13:45:45 CEST: %IOSXE_SPA-6-DUAL_RATE_CHANGE: TenGigabitEthernet0/0/12: MODE_1G
> > > >> Aug 20 13:45:47 CEST: %SYS-5-CONFIG_I: Configured from console by  on vty1 (EEM:Mandatory.dualrate_eem.tcl)
> > > >> Aug 20 13:46:14 CEST: %SYS-5-CONFIG_I: Configured from console by  on vty1 (EEM:Mandatory.dualrate_eem.tcl)
> > > >> Aug 20 13:46:15 CEST: %SYS-5-CONFIG_I: Configured from console by  on vty0 (EEM:Mandatory.dualrate_eem.tcl)
> > > >> Aug 20 13:46:17 CEST: %TRANSCEIVER-6-REMOVED:  F0: iomd: Transceiver module removed from TenGigabitEthernet0/0/12
> > > >> Aug 20 13:46:20 CEST: %IOSXE-5-PLATFORM:  F0: Aug 20 13:46:20 %SYSTEM-3-SYSTEM_SHELL_LOG: Shell started: vty 1
> > > >> Aug 20 13:46:20 CEST: %IOSXE-5-PLATFORM:  F0: Aug 20 13:46:20 %SYSTEM-3-SYSTEM_SHELL_LOG: 2019/08/20 13:46:19 : Shell access was granted to user <anon>; Trace file: , /harddisk/tracelogs/system_shell_R0-0.2264_0.20190820134619.bin
> > > >> Aug 20 13:46:26 CEST: %HA_EM-6-LOG: Mandatory.dualrate_eem.tcl: DUAL_RATE_CHANGE Re-configuration of interface TenGigabitEthernet0/0/12 to start re-configuring
> > > >> Aug 20 13:46:28 CEST: %SYS-5-CONFIG_I: Configured from console by  on vty1 (EEM:Mandatory.dualrate_eem.tcl)
> > > >> Aug 20 13:46:39 CEST: %SYS-5-CONFIG_C: Running-config file is Modified
> > >>
> > >>
> > >> ... and 441 (!!) lines in the tacacs command accounting log, which
> > >> mostly looked like "it replayed the whole config, line by line"...
> > >> until it hit the vty section, which then got messed up...
> > >>
> > > >> Aug 20 13:47:08 router     unknown tty3 EEM:Mandatory.dualrate_eem.tcl stop    task_id=2166    timezone=CEST   service=shell start_time=1566301628    priv-lvl=15     cmd=configure terminal <cr>
> > > >> Aug 20 13:47:09 router     unknown tty3 EEM:Mandatory.dualrate_eem.tcl stop    task_id=2167    timezone=CEST   service=shell start_time=1566301629    priv-lvl=15     cmd=line vty 0 4 <cr>
> > > >> Aug 20 13:47:09 router     unknown tty3 EEM:Mandatory.dualrate_eem.tcl stop    task_id=2168    timezone=CEST   service=shell start_time=1566301629    priv-lvl=15     cmd=no login authentication <cr>
> > > >> Aug 20 13:47:09 router     unknown tty3 EEM:Mandatory.dualrate_eem.tcl stop    task_id=2169    timezone=CEST   service=shell start_time=1566301629    priv-lvl=15     cmd=no authorization exec <cr>
> > > >> Aug 20 13:47:09 router     unknown tty3 EEM:Mandatory.dualrate_eem.tcl stop    task_id=2170    timezone=CEST   service=shell start_time=1566301629    priv-lvl=15     cmd=no authorization commands 15 <cr>
> > > >> Aug 20 13:47:10 router     unknown tty3 EEM:Mandatory.dualrate_eem.tcl stop    task_id=2171    timezone=CEST   service=shell start_time=1566301630    priv-lvl=15     cmd=no transport preferred <cr>
> > > >> ...
> > > >> Aug 20 13:47:10 router     unknown tty3 EEM:Mandatory.dualrate_eem.tcl stop    task_id=2174    timezone=CEST   service=shell start_time=1566301630    priv-lvl=15     cmd=no exec-timeout <cr>
> > > >> Aug 20 13:47:11 router     unknown tty3 EEM:Mandatory.dualrate_eem.tcl stop    task_id=2175    timezone=CEST   service=shell start_time=1566301631    priv-lvl=1      cmd=no length <cr>
> > > >> Aug 20 13:47:11 router     unknown tty2 EEM:Mandatory.dualrate_eem.tcl stop    task_id=2177    timezone=CEST   service=shell start_time=1566301631    priv-lvl=15     cmd=write memory <cr>
> > >>
> > >>
> > >> shall I state that I find this a somewhat surprising behaviour?
> > >>
> > >> Haven't opened a TAC case yet (no time) but hopefully someone here
> > > >> has seen this before and found some more useful results.
> > >>
> > >> gert
> > >> --
> > >> "If was one thing all people took for granted, was conviction that if
> > >> you feed honest figures into a computer, honest figures come out.
> > >> Never doubted it myself till I met a computer with a sense of humor."
> > >>                             Robert A. Heinlein, The Moon is a Harsh
> > >> Mistress
> > >>
> > >> Gert Doering - Munich, Germany
> > >> gert at greenie.muc.de
> > >>
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
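
Added example (not part of the thread, and not code from Cisco or any poster): one way to watch for the change discussed above is to scan TACACS+ command accounting for AAA, transport, timeout or access-class commands entered under "line vty". The field order (timestamp, NAS, user, port, origin, record type, attributes) is an assumption read off the records quoted in the thread; the last sample record is constructed.

```python
import re

# Records 1-5 follow the thread's accounting lines (whitespace collapsed);
# record 6 is constructed to show an ordinary interactive command.
SAMPLE = """\
Aug 20 13:47:08 router unknown tty3 EEM:Mandatory.dualrate_eem.tcl stop task_id=2166 timezone=CEST service=shell start_time=1566301628 priv-lvl=15 cmd=configure terminal <cr>
Aug 20 13:47:09 router unknown tty3 EEM:Mandatory.dualrate_eem.tcl stop task_id=2167 timezone=CEST service=shell start_time=1566301629 priv-lvl=15 cmd=line vty 0 4 <cr>
Aug 20 13:47:09 router unknown tty3 EEM:Mandatory.dualrate_eem.tcl stop task_id=2168 timezone=CEST service=shell start_time=1566301629 priv-lvl=15 cmd=no login authentication <cr>
Aug 20 13:47:10 router unknown tty3 EEM:Mandatory.dualrate_eem.tcl stop task_id=2171 timezone=CEST service=shell start_time=1566301630 priv-lvl=15 cmd=no transport preferred <cr>
Aug 20 13:47:11 router unknown tty2 EEM:Mandatory.dualrate_eem.tcl stop task_id=2177 timezone=CEST service=shell start_time=1566301631 priv-lvl=15 cmd=write memory <cr>
Aug 20 14:02:40 router alice tty4 192.0.2.10 stop task_id=2201 timezone=CEST service=shell start_time=1566302560 priv-lvl=15 cmd=show version <cr>
"""

REC = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s+(?P<nas>\S+)\s+(?P<user>\S+)\s+(?P<port>\S+)"
    r"\s+(?P<origin>\S+)\s+(?P<type>start|stop)\s+(?P<attrs>.*)$")
CMD = re.compile(r"cmd=(.*?)\s*(?:<cr>)?\s*$")
# Line sub-commands that change how a VTY is reached or authenticated.
SENSITIVE = re.compile(
    r"^(no )?(login authentication|authorization (exec|commands)|"
    r"transport (input|output|preferred)|exec-timeout|(ipv6 )?access-class)\b")
# Commands assumed to leave line-configuration mode (a simplification).
LEAVE = re.compile(r"^(end|exit|configure |write |copy |interface |router |line (?!vty))")

def vty_posture_changes(lines):
    """Return (timestamp, nas, origin, cmd) for sensitive commands under 'line vty'."""
    in_vty = {}   # context per (NAS, origin); the tty varies within one script run
    hits = []
    for line in lines:
        rec, cmd = REC.match(line.strip()), CMD.search(line)
        if not (rec and cmd):
            continue
        text, key = cmd.group(1).strip(), (rec["nas"], rec["origin"])
        if text.startswith("line vty"):
            in_vty[key] = True
        elif LEAVE.match(text):
            in_vty[key] = False
        elif in_vty.get(key) and SENSITIVE.match(text):
            hits.append((rec["ts"], rec["nas"], rec["origin"], text))
    return hits

if __name__ == "__main__":
    for hit in vty_posture_changes(SAMPLE.splitlines()):
        print(*hit, sep=" | ")
```

Hits whose origin starts with "EEM:" come from an on-box script rather than an operator session, which is the case this thread describes.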

