My PIX broke, well.. kinda

So, one of my pixen started acting funny. I SSH'ed into it and found that it wasn't passing traffic correctly; uptime was well over 1 year, so I decided to reboot it. It came back up just fine, traffic started flowing again, but now I cannot get into it! Syslog server tells me the following:

#################################################################
%PIX-7-710002: TCP access permitted from X.X.X.X/1291 to outside:Y.Y.Y.Y/ssh

%PIX-3-315004: Fail to establish SSH session because PIX RSA host key retrieval failed.

%PIX-6-315011: SSH session from 0.0.0.0 on interface outside for user "" disconnected by SSH server, reason: "Internal error" (0x00)

%PIX-7-710001: TCP access requested from X.X.X.X/1292 to outside:Y.Y.Y.Y/ssh
#################################################################

The only ways I can get into it are via SSH and SNMP. SSH is broken at this point; is there a way I can turn on telnet via SNMP so I can troubleshoot?

Version is 6.3.3

Thanks!

-Wil

Reply to
Wil

Either the key got corrupted somehow, or it is no longer present.

If it happened to be the case that during the previous boot, someone had done a ca generate key, but they had not done a ca save, then the generated key would have been valid for the rest of the boot but would not be present upon the reboot.

In PIX 6.x, there are no SNMP SET operations (at least none that do anything useful). You won't be able to use SNMP to control the state of the PIX.

You will have to find an alternative way to get console access or telnet access and recreate the key. If you can connect to a device inside the PIX and you can use that device to telnet to the PIX (providing telnet access is configured) then you can work remotely; otherwise you will need access to the console port.

You might wish to consider installing one of the various remote console devices, which allow serial access over telnet (or ssh). Price for such devices depends on how many ports you need, on whether you want remote power control (e.g., so you could force a reboot by remotely power-cycling), and on what level of security you need on the remote device. If you need the remote access to be encrypted, you can expect to pay several times what you could find if you did not need encryption.

Reply to
Walter Roberson
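For reference, the recovery sequence the replies describe (regenerate the RSA host key from the console, then save it so it survives the next reboot) looks like this on PIX 6.3. This is an added example, not a transcript from any poster; the hostname "pixfw", domain "example.invalid", the 1024-bit modulus and the admin host 192.0.2.10 are assumed placeholders, and the lines starting with "!" are annotations, not commands the PIX accepts.

```text
! Added example: PIX 6.3 console session to replace a missing or corrupt SSH host key.
! Assumed placeholders: hostname pixfw, domain example.invalid, admin host 192.0.2.10.
pixfw# show ca mypubkey rsa
! Empty output here matches the %PIX-3-315004 "host key retrieval failed" symptom.
pixfw# configure terminal
! hostname and domain-name must be set before a key can be generated; skip if already set.
pixfw(config)# hostname pixfw
pixfw(config)# domain-name example.invalid
! Discard any corrupt key material, then generate a fresh host key.
pixfw(config)# ca zeroize rsa
pixfw(config)# ca generate rsa key 1024
! The key only persists across reboots after "ca save all".
pixfw(config)# ca save all
! Restrict SSH to the admin host on the outside interface and keep a short idle timeout.
pixfw(config)# ssh 192.0.2.10 255.255.255.255 outside
pixfw(config)# ssh timeout 5
pixfw(config)# exit
! Save the running config so the ssh lines survive as well.
pixfw# write memory
pixfw# show ca mypubkey rsa
! Should now print the new public key; note its fingerprint from the console.
```

Because the host key changes, SSH clients that previously connected will report a host-key mismatch; compare the fingerprint shown on the console with what the client presents before updating known_hosts, rather than blindly accepting the new key.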

The only option would be getting there and accessing it through the Console port. Or ask somebody to install a modem and connect it to the Console port.

I'm not sure why your RSA key is broken - one possibility is that your config and RSA key were not saved (or the config was not saved at all). Another thing - your RSA key could have been generated by an external CA authority and could simply have expired.

Good luck,

Mike


Reply to
CiscoHeadsetAdapter.com

Fun stuff... I'll send a console cable and do the phone support gig. Not a huge deal.

I have console devices on most of my gear, unfortunately this is a one off. Thanks for the info!

-Wil

Reply to
Wil

Console access it is...

-Wil

Reply to
Wil

Blasted the keys and recreated them (and saved them ;) ), seems fine now.

-Wil

Reply to
Wil

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.