Monday, 5 September 2011

Field Notice: FN - 62758 - Authentication Fails and Unable to Login to a Factory Fresh Router with Security Device Manager (SDM) 2.3.3


Products Affected

Products Affected: SDM Security Configuration 2.3.3
Comments: Cisco 800, 1700, 1800, 2700, 2800, 3700, 3800 routers running 12.3(21), 12.3(22), 12.4(12), 12.4(12a), 12.4(13), 12.4(13a), 12.4(11)T, 12.4(11)T1, 12.4(11)SW, 12.4(11)SW1, 12.4(11)XV, 12.4(11)XJ

Problem Description

Cisco 800, 1700, 1800, 2700, 2800, 3700, 3800 routers shipped from the factory with any of the following Cisco IOS images, with Cisco SDM 2.3.3 in flash and the Cisco SDM factory default IOS configuration in the start-up configuration:
- 12.3(21), 12.3(22)
- 12.4(12), 12.4(12a), 12.4(13), 12.4(13a)
- 12.4(11)T, 12.4(11)T1
- 12.4(11)SW, 12.4(11)SW1, 12.4(11)XV, 12.4(11)XJ
On these routers authentication will fail and the user will not be able to log in to the router through HTTPS, HTTP, SSH, telnet, console, or any management application.

Background

If Cisco 800, 1700, 1800, 2700, 2800, 3700, 3800 routers are ordered with Cisco SDM software and the Cisco SDM factory default IOS configuration, then manufacturing loads the Cisco SDM default IOS configuration into the start-up configuration in NVRAM, so customers can quickly invoke and use Cisco SDM. This default IOS configuration configures local authentication on the HTTP, VTY and console lines and configures a one-time credential (username = cisco and password = cisco) that the customer can use to log in to the router through SDM or through HTTPS, HTTP, SSH, telnet, or console for the first time. This one-time credential is removed from the running configuration after the user logs on to the router.
Due to a bug in Cisco IOS versions 12.3(21), 12.3(22), 12.4(12), 12.4(12a), 12.4(13), 12.4(13a), 12.4(11)T, 12.4(11)T1, 12.4(11)SW, 12.4(11)SW1, 12.4(11)XV, 12.4(11)XJ (CSCsi13896), the one-time credential is removed from the start-up configuration during the process of copying and verifying the Cisco SDM factory default configuration at the factory. Customers therefore receive a router with local authentication configured but without any user credential that could satisfy it, and the customer is unable to log in to the router.

Problem Symptoms

The customer will be asked to enter a username and password for authentication when invoking SDM on a factory fresh router or when accessing the router through HTTPS, HTTP, SSH, telnet, or console. However, authentication will not succeed despite entering cisco/cisco, as stated in the Cisco SDM quick start guide, or any other user credential.

Workaround/Solution

The workaround is to run the password recovery procedure.
Follow these steps in order to recover your password:
1. Attach a terminal or PC with terminal emulation to the console port of the router. Use these terminal settings:
   o 9600 baud rate
   o No parity
   o 8 data bits
   o 1 stop bit
   o No flow control
2. If you can access the router, type show version at the prompt, and record the configuration register setting.
   Note: The configuration register is usually set to 0x2102 or 0x102. If you can no longer access the router because of a lost login or TACACS password, you can safely assume that your configuration register is set to 0x2102.
3. Use the power switch in order to turn off the router, and then turn the router back on.
4. Press Break on the terminal keyboard within 60 seconds of power up in order to put the router into ROMMON. If the break sequence does not work, refer to Standard Break Key Sequence Combinations During Password Recovery for other key combinations.
5. Type confreg 0x2142 at the rommon 1> prompt in order to boot from flash. This step bypasses the startup configuration where the passwords are stored.
6. Type reset at the rommon 2> prompt. The router reboots, but ignores the saved configuration.
7. Type no after each setup question, or press Ctrl-C in order to skip the initial setup procedure.
8. Type enable at the Router> prompt. You are in enable mode and should see the Router# prompt.
9. Type configure memory or copy startup-config running-config in order to copy the nonvolatile RAM (NVRAM) into memory.
   Important: Do not type copy running-config startup-config or write. These commands erase your startup configuration.
10. Type show running-config. The show running-config command shows the configuration of the router. In this configuration, the shutdown command appears under all interfaces, which indicates all interfaces are currently shut down.
11. Type configure terminal. The yourname(config)# prompt appears.
12. Type username <username> privilege 15 password <password> in order to create a new user account with privilege 15. For example:
   yourname(config)#username cisco privilege 15 password cisco
13. Issue the no shutdown command on every interface that you use. If you issue a show ip interface brief command, every interface that you want to use should display up up.
14. Type config-register <configuration_register_setting>, where configuration_register_setting is either the value you recorded in step 2 or 0x2102. For example:
   yourname(config)#config-register 0x2102
15. Press Ctrl-z or end in order to leave the configuration mode. The yourname# prompt appears.
16. Type write memory or copy running-config startup-config in order to commit the changes.
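As an added check (example code written for this page, not Cisco's own tooling), the following Python parses show running-config or show startup-config text and flags the exact condition the Background section describes: local authentication on the console, VTY or HTTP server with no username entry that could satisfy it. It is useful on a factory-fresh unit before deployment and again after step 16, to confirm the new account was actually committed to the start-up configuration. The sample configurations are constructed for the example and are not the real SDM factory default configuration.

```python
# Flags the FN-62758 lockout condition in Cisco IOS config text: local authentication
# demanded on the management plane but no 'username' entry. Example code for this page.
import re
from dataclasses import dataclass, field

@dataclass
class AuthAudit:
    usernames: list = field(default_factory=list)    # names from 'username ...' lines
    local_lines: list = field(default_factory=list)  # 'line ...' blocks that use local auth
    http_local: bool = False                         # 'ip http authentication local' present
    aaa_default_local: bool = False                  # aaa login 'default' list includes local

    @property
    def local_auth_configured(self) -> bool:
        return bool(self.local_lines) or self.http_local or self.aaa_default_local

    @property
    def locked_out(self) -> bool:
        # The field-notice condition: local auth is required and no credential exists.
        return self.local_auth_configured and not self.usernames

def parse_config(text: str) -> AuthAudit:
    audit = AuthAudit()
    aaa_lists = {}       # method-list name -> methods, from 'aaa authentication login'
    line_refs = []       # ('line ...', list name) for 'login authentication <list>'
    current_line = None  # the 'line ...' block we are currently inside, if any
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if not raw.startswith(" "):        # IOS indents sub-commands by one space
            current_line = None
            if cmd.startswith("username "):
                audit.usernames.append(cmd.split()[1])
            elif cmd.startswith("line "):
                current_line = cmd
            elif cmd == "ip http authentication local":
                audit.http_local = True
            else:
                m = re.match(r"aaa authentication login (\S+) (.+)", cmd)
                if m:
                    aaa_lists[m.group(1)] = m.group(2).split()
            continue
        if current_line is None:
            continue
        if cmd == "login local":
            audit.local_lines.append(current_line)
        else:
            m = re.match(r"login authentication (\S+)$", cmd)
            if m:
                line_refs.append((current_line, m.group(1)))
    # Resolve named AAA lists after the walk, so ordering in the file does not matter.
    for line_name, list_name in line_refs:
        if "local" in aaa_lists.get(list_name, []):
            audit.local_lines.append(line_name)
    audit.aaa_default_local = "local" in aaa_lists.get("default", [])
    return audit

def report(audit: AuthAudit) -> str:
    if audit.locked_out:
        where = audit.local_lines + (["ip http"] if audit.http_local else [])
        return f"LOCKOUT: local authentication on {', '.join(where)} but no 'username' entry"
    if not audit.local_auth_configured:
        return "NOTE: no local authentication configured"
    return "OK: local user(s) present: " + ", ".join(audit.usernames)

# Constructed sample configs (not the real SDM factory default configuration).
LOCKED_OUT_CONFIG = """\
ip http secure-server
ip http authentication local
!
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
"""
# Same config after recovery step 12; the secret is a placeholder, not a real value.
RECOVERED_CONFIG = "username admin privilege 15 secret 0 CHANGE-ME-PLACEHOLDER\n" + LOCKED_OUT_CONFIG
# AAA-style variant: the default login list points at the (empty) local database.
AAA_LOCKED_OUT_CONFIG = """\
aaa new-model
aaa authentication login default local
line vty 0 4
 login authentication default
"""
if __name__ == "__main__":
    for cfg in (LOCKED_OUT_CONFIG, RECOVERED_CONFIG, AAA_LOCKED_OUT_CONFIG):
        print(report(parse_config(cfg)))
```

The parser does not model the implicit local fallback IOS applies under aaa new-model when no login list is defined, so treat a NOTE result on an AAA config as "check by hand".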

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.
DDTS: CSCsi13896 (registered customers only)
Description: Authentication fails and unable to login to a factory fresh router

Affected Serial Number and Hardware Version

Below is a list of Serial Numbers/Products which may be affected by this Field Notice. The list may not be a complete list of all Serial Numbers affected and will be updated if new information supports adding or removing Serial Numbers from the list. The list is sorted by Serial Number in ascending order.


Wednesday, 4 May 2011

SECONDARY STORAGE


Secondary storage consists of a read/write mechanism and a storage medium. A device controller provides the interface, and the storage provides long-term storage of programs and data. In this type of memory the cost per bit of storage is low; however, the operating speed is slower than that of the primary storage. Huge volumes of data are stored here on a permanent basis and transferred to the primary storage as and when required. The most widely used secondary storage devices are the magnetic disk and the optical disk.

Magnetic Disk

· Circular platter (metal/plastic) coated with magnetizable material
  o Iron oxide (rust!) - older drives, thick layer, low density, soft
  o Thin film - newer drives, durable, thinner and higher density
· Different range of packaging
  o Non-removable disk: permanently mounted in the drive
  o Removable disks: can be removed from the drive and replaced with another disk
  o Removable disks provide unlimited storage capacity
  o Removable disks allow easy data transfer between systems

Non-removable magnetic disk:

HARD DRIVES
Most hard drives have the following common features:
· the disk and read/write heads are enclosed in a sealed airtight unit;
· the disk(s) spin at a high speed, for example 7200 revolutions per minute;
· the read/write heads do not actually touch the disk surface;
· the disk surface contains a magnetic coating.
The data on the disk surface (platter) are arranged in a series of concentric rings. Each ring, called a track, is subdivided into a number of sectors, each sector holding a specific number of data elements called bytes or characters.
The smallest unit that can be written to or read from the disk is a sector. The storage capacity of the disk can be determined from the number of tracks, the number of sectors, the bytes per sector and the number of read/write heads.

Characteristics of Storage Devices
· Drive Speed
· Access Time
· Rotation Speed
· Tracks and Sectors
· Bad Blocks
· Sector Interleave
· Bandwidth
· Access latency

Partitioning and Formatting:
· FAT, FAT16, FAT32
· NTFS
· Inode

Hard Drive Interface:
· IDE
· SCSI
· EIDE
· Ultra DMA
· ATA/66

REMOVABLE DRIVES

· Floppy Drives
· Zip Drive
· Jaz Drive
· Cartridge Drive

Floppy Drives

A small removable disk made up of plastic coated with magnetic recording material. The disk rotates at 360RPM. Floppies can be accessed from both the sides of the disk.

Characteristics of Floppy Drives
· Average data transfer rate
· Size Capacity
· Tracks and Sectors

Zip Drive:
The Zip drive is a special high-capacity disk drive that uses a 3.5-inch Zip disk which can store 100MB of data. It allows an easy and rapid shift of data from desktop to laptop.

Jaz Drive:
The Jaz drive holds 2GB and is used in the graphic design and publishing, 3D CAD/CAM, enterprise management systems and entertainment authoring markets, giving them unlimited space for dynamic digital content. It has an impressive sustained transfer rate of 8.0 MB/s - fast enough to run applications or deliver full-screen, full-motion video.

Cartridge Drive:  
A cartridge is a protective case or covering, used to hold a disk, magnetic tape, a printer ribbon or toner. The contents are sealed inside a plastic container so that they cannot be damaged.

Optical Storage Disks

Optical storage has been a popular form of storage media due to its low cost, ease of manufacturing and portable size. Optical storage media is generally available on a standard size disc measuring 12 cm in diameter. CD-ROM can be used as an optical storage device. Optical disks store data by changing the reflective properties of a plastic disk. Binary computer data (0s and 1s) are represented by the way the disk reflects light when a low power laser is shone at it: a 0 stored on a disk reflects light differently from a 1 stored on a disk. Like floppy disks, optical disks can be moved from one computer to another. They have much larger storage capacities than floppy disks but cannot store as much data as a hard disk. Data can be read from an optical disk more quickly than from a floppy disk, but hard disks are much quicker. As with a hard disk, the drive head in an optical drive can move directly to any file on the disk, so optical disks are direct access.
There are four types of optical disks that are currently in use:
·         CD-ROM
·         WORM
·         CD-R
·         CD-RW
·         DVD
·         HD-DVD
·         Blu-ray
CD-ROM (Compact Disk - Read Only Memory):
This is by far the most widely used type of optical disk. A CD-ROM disk can store up to 650Mb of data. The data is written onto the CD-ROM disk before it is sold and cannot be changed by the user. Because of this CD-ROMs are often described as Write Once Read many times (WORM) disks. CD-ROMs are used for applications such as distributing software, digital videos or multimedia products.
CD-R (Compact Disc - Recordable):
 A CD-R disk can store up to 650Mb of data. A CD-R disk is blank when it is supplied. The user can write data to it just once. After data has been written to the disk it cannot be changed. A special CD-R drive which contains a higher powered laser than a CD-ROM drive is required to write to the disk. CD-Rs are often used for making permanent backups of data and distributing software when only a small number of copies are required.
CD-RW (Compact Disc - Read / Write):
A CD-RW disk can store up to 650Mb of data. CD-RW disks can be read from and written to just like a hard disk. CD-RWs can be used for any application that a hard disk can be used for but the time taken to access data is much longer than that for a hard disk.
DVD (Digital Versatile Disk or Digital Video Disk):
DVD is the new standard for optical disks. By using a shorter wavelength laser, storing data on both sides of the disk and having more than one layer of data on each side of the disk, DVD disks are able to store much more data than CD disks. The DVD standard includes disk capacities up to 18Gb. Current DVD disks store far less than this. There are two types of DVD disks: DVD-ROM disks can be read from but not written to, whilst DVD-RAM disks can be read from and written to.
HD-DVD (High Definition DVD):
HD-DVD offered enough storage space for full-length, high-definition movies on a single disc. HD-DVD discs were capable of holding 15 GB per layer with a maximum of two layers. It was released by Toshiba. HD-DVD drives use a blue wavelength laser that is able to read smaller pits on the optical media.
Blu-ray:
Blu-ray is the newest high-definition optical format. Developed by Sony, Blu-ray discs offer 25 GB per layer with up to two layers per disc. Blu-ray discs have a protective coating that reduces the number of scratches and makes the disc durable. Like HD-DVD, Blu-ray offers a full-length, high-definition movie on one disc. Blu-ray recordable, or BD-R, drives are becoming more common in home computers. The BD-R drives allow for up to 50 GB of storage on one disc. Blu-ray drives use the same type of laser as HD-DVD drives to allow for greater storage on the optical disc.
Magneto-Optical DISK

A magneto-optical disk drive is a computer storage device which utilizes both an optical laser and a magnetic field to record data on a special removable optical disk. This recording technology has a number of benefits for the user, including high reliability and low cost per megabyte of storage. Magneto-optical disks are coated with a special material which can be magnetized, but only at a relatively high temperature of approximately 300 degrees, called the Curie point. Data is recorded by changing the magnetic field of the spot being heated by the laser. When the spot cools, it retains the orientation of the magnetic field, which represents a data bit. A magneto-optical drive is a kind of optical disc drive capable of writing and rewriting data upon a magneto-optical disc. Both 130 mm (5.25 in) and 90 mm (3.5 in) form factors exist. Magneto-optical drives appear as hard disk drives to the operating system and do not require a special file system. They can be formatted as FAT, HPFS, NTFS, etc.
Process of Magneto-Optical DISK:
Magneto-optical discs are a hybrid storage medium. In reading, spots with different directions of magnetization give different polarization in the reflected light of a low-power laser beam. In writing, every spot on the disk is first heated by a strong laser beam and then cooled under a magnetic field, magnetizing every spot in one direction, to store all 0s and 1s.


Wednesday, 23 March 2011

What is the Internet? And its brief history.

THE INTERNET
The Internet is a network of a large number of computer networks around the world. It is a data communication system. Through this system millions of computers have been linked together. The Internet consists of both hardware and software. The hardware comprises the computers and the connections between them. The software consists of programs that let these computers communicate with each other. More than 65,000 computer networks and 20 million computers are permanently attached to the Internet. Connections to the Internet are available in about 150 countries and 50 million people have access to it. All three major media of communication are used to connect the networks and the computers in the Internet:
(1) Telephone lines
(2) Fiber-optic cables
(3) Satellite communications
There are generally three types of computers in the Internet. These are hosts, servers and users.
  • Hosts store information in the form of text, pictures, sound and video films.
  • Servers allow users to connect to the Internet. Servers also help to store and share information on the Internet.
  • Users use information stored on the hosts and pass messages to other computers attached to the Internet.

Who Developed the Internet?
The Government of the United States started a project in 1960s to develop an efficient system of data communication. Under this project a network of 4 computers was established in September 1969 in the United States. The idea of computer networking soon became popular. Several universities and research organizations developed their own computer networks. They joined their networks to the US Government network. The original communication network became a network of networks. This network of computer networks was called the Internet.

Who Owns the Internet?
There is no single organization or government that controls the information available on the Internet. Millions of people now have access to the Internet. They use it to get information, play games and communicate; they also use the Internet to advertise and sell goods.
How to connect to the Internet?
The Internet can be accessed by connecting a personal computer to the server of an Internet Service Provider (ISP) through telephone lines. To link up to an ISP, the following is required:
A computer
Any computer can be used but it is easier to use a computer running under Windows Operating System.
A modem
It is an electronic device that links a user computer to the Server of the ISP via telephone lines.
Dial Up Software
Dial Up Networking software establishes connection between the personal computer and the Server of the ISP. This software is built into the Windows Operating System.
Web Browser 
A browser is required for browsing or surfing the Internet.
Membership of an ISP
Membership of an ISP permits a member to connect to its Server.



THE WORLD WIDE WEB
The millions of linked documents stored on computers permanently connected to the Internet throughout the world are called the World Wide Web. It is abbreviated as www or 3w. The documents on the Web contain information in the form of text, graphics, video clips and sounds. These documents are also called Web pages and are stored on computers permanently connected to the Internet. The computers containing these documents are called Web sites or sites. Each web site has a unique name called a site address. Site addresses are also called domain names or URLs (Universal Resource Locator). A domain name or URL is made up of two or more names separated by dots.


HOW TO CREATE A WEB PAGE
Web pages are written in hypertext. Hypertext provides several facilities that are not available in conventional text documents. A hypertext document can:
  1. Show text in different fonts and colors.
  2. Have sounds, video clips and animations.
  3. Provide links to other documents on the web.

The links to other documents or pages are called hyperlinks. Hyperlinks in web pages connect all pages available on the web and make it the World Wide Web. The user can directly go to the linked page just by clicking on the hyperlink. Hypertext documents are prepared using special languages. The most popular hypertext languages include XMGL, WML and WAP.

HOW TO LOCATE A PAGE
Each web page is stored in a file on a computer permanently connected to the Internet. Each file is given a unique address, called a Universal Resource Locator or URL. URL is sometimes pronounced as "earl". It has a particular format: the URL begins with the protocol, for example http://. http stands for Hypertext Transfer Protocol.
SMTP Services
The SMTP Service processes incoming traffic from any SMTP host. SMTP is also used in most communications between Exchange Servers (except Exchange 5.x Servers which use RPC for message transferring). SMTP is also responsible for some advanced Exchange Server functions like Message Journaling. During the Exchange installation, the built in SMTP Service from Windows Server 2003 will be extended with several new functions. Some of the Enhancements are:
  • Moving the Message Queue Directories to the Exchange installation Directory
  • Providing support for the LSA (Link State Algorithm) in SMTP
  • Moving SMTP Messaging from IIS to the Exchange System Manager

Message Flow
  • MAPI client sends a message to a remote recipient
  • Information Store (Store.exe) receives the message
  • The created MailMsg object is forwarded to the Advanced Queue Engine (AQE)
  • The Message Categorizer from the AQE processes the MailMsg object and splits it into MIME or RTF as necessary
  • The Message Categorizer expands groups and checks defined Message limits on Exchange
  • The MailMsg object is then transferred to the Remote Destination Domain within the AQE
  • The AQE passes the destination address to the Exchange Routing Engine
  • SMTP initiates an SMTP session with the remote SMTP host
  • After the SMTP session with the remote host has been established, the information store retrieves the body of the message and converts the message as necessary
  • SMTP sends the Message from the Queue to the Remote Host
The following Exchange Features require the use of SMTP:
  • Intra Server Message Delivery
  • Inter Server Message Delivery
  • Message Delivery to the Internet
  • Exchange of Routing Information

Diagnostic Logging
One other troubleshooting helper is the Diagnostic Logging of Exchange Server 2003. Diagnostic Logging raises the level of detail that specific Exchange components log to the Event Viewer, so more information is written to the Event Viewer Application Log.
Diagnostic Logging should only be enabled when troubleshooting specific problems because Diagnostic Logging quickly fills the Event Log. The Logging Level can be set from None to Maximum in the GUI but there is also a Registry Key for setting the Logging Level to Level 7 for SMTP Logging purposes.
Diagnostic Logging must be enabled in the Exchange System Manager under the Exchange Server object.
After enabling the Diagnostic Logging feature the Event Viewer can be analyzed for specific problems.

How To Configure InterVLAN Routing on Layer 3 Switches?


Introduction
VLANs divide broadcast domains in a LAN environment. Whenever hosts in one VLAN need to communicate with hosts in another VLAN, the traffic must be routed between them. This is known as inter-VLAN routing. On Catalyst switches it is accomplished by creating Layer 3 interfaces (Switch virtual interfaces (SVI) ). This document provides the configuration and troubleshooting steps applicable to this capability.
Note: This document uses a Catalyst 3550 as an example. However, the concepts can also be applied to other Layer 3 switches that run Cisco IOS® (for example, Catalyst 3560, 3750, Catalyst 4500/4000 Series with Sup II+ or later, or Catalyst 6500/6000 Series that run Cisco IOS System software).
Catalyst switch models 3560, 3750, Catalyst 4500/4000 Series with Sup II+ or later, or Catalyst 6500/6000 Series that run Cisco IOS system software support basic InterVLAN routing features in all their supported software versions. Before you attempt this configuration on a 3550 series switch, ensure that you meet these prerequisites:
· The Catalyst 3550 has certain software requirements to support interVLAN routing. See this table to determine whether your switch can support interVLAN routing.



Image Type and Version: InterVLAN Routing Capability
Enhanced Multilayer Image (EMI), all versions: Yes
Standard Multilayer Image (SMI), prior to Cisco IOS Software Release 12.1(11)EA1: No
Standard Multilayer Image (SMI), Cisco IOS Software Release 12.1(11)EA1 and later: Yes

The information in this document is based on these software and hardware versions:
· Catalyst 3550-48 that runs Cisco IOS Software Release 12.1(12c)EA1 EMI
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.
For more information on document conventions, refer to the Cisco Technical Tips Conventions.
In this section, you are presented with the information to configure the features described in this document.
This logical diagram explains a simple interVLAN routing scenario. The scenario can be expanded to include a multi-switch environment by first configuring and testing inter-switch connectivity across the network before configuring the routing capability. For such a scenario that uses a Catalyst 3550, refer to Configuring InterVLAN Routing with Catalyst 3550 Series Switches.

Broadband Troubleshooting Tips


Home networks not designed and/or implemented by Honeywell GTS are not within the scope of the support model for iPass/Remote Access. The following tips are offered as a resource for working with your ISP or network provider to resolve any connectivity problems.

The following Ports are required to be open on your local router (wired or wireless) for iPass and CheckPoint VPN-1 SecureClient:

Port 80 for iPassConnectEngine.exe (iPass destination server IP 216.239.109.200)

TCP 443 for Visitor Mode
Protocol 50 for ESP
UDP 10000 for UDP Encapsulation
UDP 500 for IKE
TCP 500 for IKE over TCP
TCP 18231 for Policy Server logon when the client is inside the network
UDP 18233 for Keep alive protocol when the client is inside the network
TCP 18232 for Distribution Server when the client is inside the network
TCP 264 for topology downloads
UDP 259 for MEP configuration
UDP 18234 for performing tunnel test when the client is inside the network
TCP 18264 for ICA certificate registration
Ports 500 & 10,000 (both TCP and UDP) need to be opened for the VPN tunnel by the ISP. Please contact them. Make sure that your personal router has these same ports opened.  IPSEC needs to be enabled. This includes offices, hotels and homes. (Direct connect or wireless)
Cable Modem
Single Direct Connection - For stand-alone PCs that do not use routing device.
Ensure the ISP supports IPSec and is configured to allow IPSec traffic to pass 
Connect the PC directly to the cable modem 
Power up the cable modem, then the PC 
Test for Internet connectivity before launching iPass. 
See the hardware documentation for configuration details or contact the hardware vendor or ISP for additional troubleshooting recommendations. 
Sharing connection with a router (Wired or Wireless)
In general, routing devices used to network other PCs to a cable modem are the primary source of VPN connectivity problems. These devices may have the capability to act as a firewall, router and may provide Network Address Translation (NAT). 
Ensure the ISP supports IPSec and is configured to allow IPSec traffic to pass 
Bypass the router by connecting the PC directly to the cable modem 
Power up the cable modem then the PC 
Test for Internet connectivity before launching IPASS 
After successfully connecting to IPASS while bypassing the routing device, you can reconnect the PC and router in the correct manner. You may need to reboot everything.  Be sure to first start up the cable modem, then the router, then the PC.
Ensure your router supports IPSec, (sometimes referred to as IPSec pass through or VPN pass through), and it is enabled. See your hardware documentation for configuration details or contact your hardware vendor or ISP for more information. 
You may have to disable any firewall feature on your router. 
Make sure your router firmware is current. Even though the configuration looks like it supports IPSec traffic, a firmware upgrade may be necessary to get connected. Check your hardware vendor's website for the latest firmware updates and instructions to update your hardware. 
See the hardware documentation for configuration details or contact the hardware vendor or ISP for additional troubleshooting recommendations. 
DSL
DSL devices are usually routing devices as well, and are frequently the target of connectivity problems. As with cable modems, successful DSL connections require that the ISP support IPSec and be configured to allow IPSec traffic to pass. See your hardware documentation for configuration details or contact your hardware vendor or ISP for additional troubleshooting recommendations.
Recommended Wireless Routers:
LinkSys and Netgear.  Wired and wireless.
Routers known to not work with IPASS/CheckPoint Client:
DLink routers
EMEA:
Any router that connects via USB cable and shows up as a dial up device cannot be used.  We found this specifically in some of the BT Voyager modems/routers (British Telecom 105).  If it can be configured with manufacturer firmware to show up as a broadband device it should be configurable in the IPASS product.
Any AOL provided broadband solution:  (such as RoadRunner).
USA:
Any router that connects via USB cable and shows up as a dial up device cannot be used unless it truly has a dial up option. 
ADSL routers utilizing PPPoA cannot be used because they cannot be configured as a broadband device.
Any AOL provided broadband solution:  (such as RoadRunner).