Set privilege to only allow reboot

Is there a way I can set privilege to only allow reload? I don't want to give the user level 15 access. I just want them to be able to reboot if the VPN tunnel hangs. They are dumb users, so if I allow them write we are all in a world of hurt.

Thanks.

Reply to
Joe.Trecokas

Why reboot if the VPN tunnel hangs? You should try "clear crypto isa sa" and "clear crypto ipsec sa" and see if that fixes it. (I am assuming you're talking about a remote site perspective.) If you have many tunnels attached you can be more specific with your clear commands to clear specific sessions. You can configure it like so:

This sample configuration I made up off the top of my head so syntax may not be perfect.

username reset password reset
username reset priv 5

privilege exec level 5 clear crypto isakmp
privilege exec level 5 clear crypto ipsec sa
privilege exec level 5 clear crypto
privilege exec level 5 clear

Then have them telnet in with username reset.

If you have TACACS or RADIUS this can all be done there (I'm taking local login into account).

You can also do some fancy automations with the autocommand keyword as well. It's all in the configuration guide; Google site search the index to find the commands.

Bob Watson Implementation Engineer II ATT Datacomm

Reply to
watson.robert

Thanks I'll try that.

Reply to
Joe.Trecokas

Give them access to the power switch :)


Reply to
stephen

Have you considered tracking down whatever is hanging the VPNs and fixing that? Once you get users rebooting routers to fix a problem you are opening Pandora's box and they'll be rebooting your routers left and right whenever anything does not work right, making it next to impossible to track down real issues.

VPNs should not randomly hang, which is not to say that they don't, just that they should not. When they do it is usually due to a configuration error or software defect that can and should be fixed.

Good luck and good hunting.

Reply to
Vincent C Jones

I added "privilege exec level 5 clear crypto isa sa" and "privilege exec level 5 reload". I did not see reload in the original doc so I didn't think that it could be done. Thanks for the tips on that, Bob.

The routers are in a locked room so power switch is not an option.

We had a pair of 2600 series routers in there prior; we just upgraded to the 2800 series with more memory. I hope that upgrading helps. I think the old 2600s were being overrun, which caused the need to reload. We are using Hot Standby, so reloading the primary router forces them to the secondary.

Reply to
Joe.Trecokas
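
One way to check that a router's privilege lines delegate only what was intended (the reload and crypto clears discussed in this thread), as an added example that is not from any poster. The config excerpt is constructed, and the APPROVED policy list and the function names are assumptions.

```python
import re

# Constructed running-config excerpt (not from a real device). It mirrors the
# level-5 "reset" user from the thread and adds one unintended grant to catch.
SAMPLE_CONFIG = """\
username admin privilege 15 secret 5 $1$constructed
username reset privilege 5 password 0 reset
privilege exec level 5 reload
privilege exec level 5 clear crypto isakmp
privilege exec level 5 clear crypto ipsec sa
privilege exec level 5 clear
privilege exec level 5 configure terminal
"""

# Assumed local policy: the only exec commands allowed below level 15.
APPROVED = {"reload", "clear crypto isakmp", "clear crypto ipsec sa"}

PRIV_RE = re.compile(r"^privilege\s+exec\s+(?:all\s+)?level\s+(\d+)\s+(.+?)\s*$")
USER_RE = re.compile(r"^username\s+(\S+)\s+.*?\bpriv(?:ilege)?\s+(\d+)\b")

def audit(config_text, approved=APPROVED):
    """Return (delegated, users, findings) for grants below level 15."""
    delegated, users, findings = {}, {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = PRIV_RE.match(line)
        if m and int(m.group(1)) < 15:
            level, cmd = int(m.group(1)), " ".join(m.group(2).split())
            delegated.setdefault(level, []).append(cmd)
            if cmd not in approved:          # outside the approved list
                findings.append((level, cmd))
            continue
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = int(m.group(2))
    return delegated, users, findings

def commands_for(user, delegated, users):
    """Delegated commands a user reaches: every level at or below their own."""
    lvl = users[user]
    return sorted(c for l, cmds in delegated.items() if l <= lvl for c in cmds)

if __name__ == "__main__":
    delegated, users, findings = audit(SAMPLE_CONFIG)
    for user, lvl in sorted(users.items()):
        if lvl < 15:
            print(f"{user} (level {lvl}): {commands_for(user, delegated, users)}")
    for lvl, cmd in findings:
        print(f"NOT APPROVED at level {lvl}: {cmd!r}")
```

Run it against a saved copy of the running-config after each change; the bare "clear" line from the sample configuration earlier in the thread is reported because it is not on the approved list.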
