The private-config.text file on a cisco 3750 switch

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • The private-config.text file on a cisco 3750 switch

    Hello,
    I purchased a used Cisco 3750 switch. I can set it up with no issue. When I do a show run, I can see that a crypto pki trustpoint and certificate was added. I can try removing it, but it will just add itself back in after a reload. After some searches, I believe that this self-signed cert is coming from the private-config.text file. If I delete it, it will just come back after a reload. I cannot copy it to TFTP either (permission denied). I wanted to back it up and see if I can edit or at least look at it.

    I have tried to wipe out the switch by holding down the mode button. It will clear the switch and rename the config files in flash. The crypto lines are gone until I decide to make some config changes and do a reload. The crypto lines come back and the private-config.text file comes back again. Another file also comes back in flash; the multiple-fs file. I believe that this is just to access the switch via SDM. Any suggestions? Thank you.

  • #2
    Re: The private-config.text file on a cisco 3750 switch

    Resetting the switch using the mode button sometimes is not the same as doing a wr erase or delete flash:. With the reset the actual config files still remain, just renamed. The same goes for the vlan.dat file.

    Since the private-config.text file contains private crypto keys, that file can't be moved or opened, as that would be a security risk.

    To get rid of all configs just do a write erase. Then, to delete the vlan.dat:

    delete flash:vlan.dat

    Per Cisco:

    Only the Cisco IOS software can read and write a copy of the private configuration file. You cannot read, write, delete, or display a copy of this file.
    Last edited by auglan; 17th April 2012, 20:16.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: The private-config.text file on a cisco 3750 switch

      Thanks for the post. The write erase had the same result. As soon as I slap a config on the switch and reload it, the crypto commands are back. I can delete the trustpoint, but when I try to delete the certificate chain, it says I have to delete the trustpoint (that I just deleted). A show run will bring up the config without the crypto information, but when I copy changes to the startup-config and reload...they are back. Ugh!



      • #4
        Re: The private-config.text file on a cisco 3750 switch

        When you did a write erase and issued the reload command, did it prompt you to save the config? If it did say no and just let it reload. If that doesn't work will it let you delete the file from flash?


        delete flash:private-config.text

        reload


        • #5
          Re: The private-config.text file on a cisco 3750 switch

          It did not prompt to save the config. I mentioned in the first post that I can delete the file from flash. It will remain deleted after a reload. Once I add few commands and save the config, the file will reappear after reload and the crypto lines are back.



          • #6
            Re: The private-config.text file on a cisco 3750 switch

            Okay, after the wr erase do you get this:


            System configuration has been modified. Save? [yes/no]: no
            Proceed with reload? [confirm]


            I think this switch may have been part of a switch stack. When part of the stack, all switches in the stack have the same config. The stack master will overwrite the config.text on all switches. From what I have been reading, the original configs on the switches before the overwrite will be saved as private-config.text. Since the switch is no longer a stack member, it may be defaulting to the private-config.text as the startup config. Not sure why the wr erase isn't wiping that file out. Last resort would be to back up the IOS of the switch to TFTP, then erase flash. Once you reboot it should drop you into rommon mode. From there you can restore the IOS via xmodem (very slow) or the TFTP option.


            • #7
              Re: The private-config.text file on a cisco 3750 switch

              Just thought of something. You may try this:

              Connect serial console cable to switch, press "Mode" button on the
              front, insert the power cord and keep button pressed until the first
              interface LED is lit. Release the button. Enter the following commands:

              # flash_init
              # load_helper
              # del flash:config.text
              # del flash:private-config.text
              # del flash:vlan.dat
              # boot


              • #8
                Re: The private-config.text file on a cisco 3750 switch

                After the write erase, I do not get "System configuration has been modified. Save? [yes/no]". This would only happen if I were to modify the running config. The write erase command deletes files, but does not modify config in memory, right?

                Anyways, the wipe deletes files and they are gone after a reload. The private-config is gone as well, but after altering the running config and saving changes, the private-config comes back after a reload and adds the crypto commands. I will try your other suggestion tomorrow when I am back at that location. I would hate to have to erase the flash. I have the IOS backed up already. How would I go about connecting to the TFTP server from rommon? I've only gotten into rommon before for password recoveries. Thanks again for all your help; much appreciated.



                • #9
                  Re: The private-config.text file on a cisco 3750 switch

                  It appears Cisco didn't add the TFTP option from rommon for the 3750 for some reason. I think the only option is via xmodem. Just make sure you turn up the baud rate to make it go a little faster.


                  • #10
                    Re: The private-config.text file on a cisco 3750 switch

                    I tried your last suggestion. The load_helper command is not present, but I was able to delete a couple of flash files. The private-config and config.text files were not present, as I did a write erase before leaving a couple of days ago. After booting, the files were not in flash, as expected. When I add changes to the config and save to startup-config, I can see that the private-config and the multiple-fs files are back in flash. The private-config is smaller in size, so I know it's a basic config. I deleted the multiple-fs file and reloaded. Once reloaded, the private-config size went back to the larger size and the multiple-fs file was back. Needless to mention...the crypto commands are back. I did notice something though. At login, two lines popped up before I could enter my password.

                    *Mar 1 00:01:50.419: %SSH-5-ENABLED: SSH 1.99 has been enabled
                    *Mar 1 00:01:53.313: %PKI-6-AUTOSAVE: Running configuration saved to NVRAM

                    Are there any hidden files that could run this or maybe something saved to the IOS? This is very puzzling. It looks like I will need to erase flash and reinstall the IOS. It will be a learning experience...



                    • #11
                      Re: The private-config.text file on a cisco 3750 switch

                      OK, those lines got me curious. I figured out the sh dir nvram: command and revealed the files below.

                      506 -rw- 2597 <no date> startup-config
                      507 ---- 1934 <no date> private-config
                      1 ---- 35 <no date> persistent-data
                      2 -rw- 582 <no date> IOS-Self-Sig#3232.cer
                      3 -rw- 0 <no date> ifIndex-table

                      I was able to delete the private-config file and the IOS-Self-Sig file; I could not delete the persistent-data file (permission denied). I then did a write erase. I reloaded, added a config, reloaded again, and bam...crypto is back. This is crazy. Any suggestions here? If I erase the flash, the NVRAM stays intact, right? Sorry, not very strong in Cisco, but I am learning...



                      • #12
                        Re: The private-config.text file on a cisco 3750 switch

                        Correct, erase flash should just erase the IOS software.


                        erase nvram: should erase any configuration files, etc. This is basically just like wr erase.


                        • #13
                          Re: The private-config.text file on a cisco 3750 switch

                          Resolved! It was the IOS. I deleted the IOS and copied over an IOS that I had backed up from another switch. After a reload, it came up with a few errors referencing the certs. I did a write erase, a reload, slapped a config on there, saved, and reloaded again. No error messages and no self-signed certs! Thanks for your suggestions. I hope this helps out others that are having similar issues.



                          • #14
                            Re: The private-config.text file on a cisco 3750 switch

                            Cool. Glad you got it worked out.


                            • #15
                              Re: The private-config.text file on a cisco 3750 switch

                              I think auglan is right about the stack, and I think the IOS pushed from the stack master is new enough to include the crypto instructions. Hadn't thought of it before, but we use 3750G models exclusively in our system, running at Layer 3 throughout. Recently paired a new switch in a new stack with one about 6 years old, and now the running config of the stack has the same crypto entries in it. It isn't hurting anything and hasn't had any effect on traffic, but I think it's part of the IPBASE IOS.
                              *RicklesP*
                              MSCA (2003/XP), Security+, CCNA

                              ** Remember: credit where credit is due, and reputation points as appropriate **
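The `crypto pki trustpoint` and `crypto pki certificate chain` lines the thread keeps running into are stored in the running config as a hex dump of the DER-encoded certificate, terminated by `quit`; the private key itself is not in `show run` (it lives in the private-config, as post #2 says). The following is an added example, not code from the thread or from Cisco: it parses such a block out of a constructed IOS-style config, rebuilds the DER, checks structurally that the certificate is self-signed (issuer equals subject), reports the subject CN and a SHA-1 fingerprint you can compare with the fingerprint shown by `show crypto pki certificates`, and flags a certificate chain whose matching trustpoint block is missing, the state post #3 describes. The trustpoint name, the CN and the certificate bytes are made up for the demo; the DER builder exists only to produce that sample.

```python
"""Added example (not from the thread): parse `crypto pki trustpoint` and `crypto pki
certificate chain` blocks from an IOS running config, rebuild the DER certificate from the
hex dump under `certificate ...`, check that it really is self-signed (issuer == subject)
and report its SHA-1 fingerprint. Config text, trustpoint name and certificate are constructed."""
import hashlib
import re

OID_CN = bytes.fromhex("550403")                      # id-at-commonName 2.5.4.3
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption

def der(tag: int, body: bytes) -> bytes:    # encode one DER TLV (used only to build the sample)
    n = len(body)
    hdr = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + hdr + body

def read_tlv(buf: bytes, off: int):         # decode TLV at buf[off] -> (tag, value, raw_tlv, next_off)
    tag, first = buf[off], buf[off + 1]
    k = 0 if first < 0x80 else first & 0x7F            # number of extra length bytes
    n = first if k == 0 else int.from_bytes(buf[off + 2:off + 2 + k], "big")
    end = off + 2 + k + n
    if end > len(buf):
        raise ValueError("DER length runs past the end of the data")
    return tag, buf[off + 2 + k:end], buf[off:end], end

def children(body: bytes):                  # (tag, value, raw) for each TLV directly inside a SEQUENCE/SET
    off = 0
    while off < len(body):
        tag, val, raw, off = read_tlv(body, off)
        yield tag, val, raw

def common_name(name_raw: bytes) -> str:    # CN from an X.501 Name: SEQUENCE of SET of SEQUENCE{OID, value}
    _, body, _, _ = read_tlv(name_raw, 0)
    for _, rdn, _ in children(body):
        for _, atv, _ in children(rdn):
            parts = list(children(atv))
            if parts[0][1] == OID_CN:
                return parts[1][1].decode("ascii")
    return ""

def parse_certificate(cert_der: bytes) -> dict:
    """Walk Certificate -> tbsCertificate and pull serial, issuer and subject."""
    tag, body, _, end = read_tlv(cert_der, 0)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("not one complete DER SEQUENCE")
    _, tbs, _, _ = read_tlv(body, 0)
    f = list(children(tbs))
    i = 1 if f[0][0] == 0xA0 else 0      # skip the explicit [0] version when present
    issuer_raw, subject_raw = f[i + 2][2], f[i + 4][2]   # serial, sigAlg, issuer, validity, subject
    return {"serial": int.from_bytes(f[i][1], "big"),
            "issuer_cn": common_name(issuer_raw), "subject_cn": common_name(subject_raw),
            "self_signed": issuer_raw == subject_raw,    # the structural self-signed tell
            "sha1": hashlib.sha1(cert_der).hexdigest().upper()}

TRUSTPOINT_RE = re.compile(r"^crypto pki trustpoint (\S+)$", re.M)
def extract_certs(config: str) -> list:
    """One record per `certificate ... / quit` block, tied to its chain and trustpoint."""
    trustpoints = set(TRUSTPOINT_RE.findall(config))
    out, chain, cert, hexwords = [], None, None, []
    for line in config.splitlines():
        if line.startswith("crypto pki certificate chain "):
            chain = line.split()[-1]
        elif chain and line.startswith(" certificate "):
            cert, hexwords = line.split()[1:], []         # e.g. ['self-signed', '01']
        elif cert and line.strip() == "quit":
            rec = parse_certificate(bytes.fromhex("".join(hexwords)))
            rec.update(trustpoint=chain, has_trustpoint_block=chain in trustpoints,
                       declared_self_signed=cert[0] == "self-signed")
            out.append(rec)
            cert = None
        elif cert:
            hexwords += line.split()
        elif line.startswith("!"):
            chain = None
    return out

def build_sample_cert(cn: str, serial: int) -> bytes:
    """Constructed cert: issuer == subject, zero placeholder key and signature (not usable)."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x13, cn.encode()))))
    alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"120417000000Z") + der(0x17, b"220417000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial])) + alg
              + name + validity + name + der(0x30, alg + der(0x03, b"\x00" * 33)))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 33))

def ios_hex_lines(blob: bytes) -> str:      # DER as IOS prints it: 8-hex-digit words, 8 per line
    words = [blob[i:i + 4].hex().upper() for i in range(0, len(blob), 4)]
    return "\n".join("  " + " ".join(words[i:i + 8]) for i in range(0, len(words), 8))

SAMPLE_TP = "TP-self-signed-1234567890"                 # made-up trustpoint name
SAMPLE_CN = "IOS-Self-Signed-Certificate-1234567890"    # made-up subject CN
SAMPLE_DER = build_sample_cert(SAMPLE_CN, 1)
SAMPLE_CONFIG = f"""\
crypto pki trustpoint {SAMPLE_TP}
 subject-name cn={SAMPLE_CN}
!
crypto pki certificate chain {SAMPLE_TP}
 certificate self-signed 01
{ios_hex_lines(SAMPLE_DER)}
  quit
!
"""
```

Feed a saved `show run` to `extract_certs` instead of `SAMPLE_CONFIG` and each record tells you the serial, the subject and issuer CNs, whether the certificate is structurally self-signed, and its SHA-1 fingerprint; `has_trustpoint_block` is `False` when a chain survives without its trustpoint, and `declared_self_signed` only repeats what the config line claims. The DER walker is deliberately minimal (no signature verification, no extensions), so treat it as a triage tool for what a second-hand switch is carrying, not as a certificate validator.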
