Skipping console port connection

Status
Not open for further replies.
Oct 28, 2003
9
FR
Hi!
I have a "little" problem:
The console port of one of my switches is down, and I can't make it work. The other problem is that I can't connect through telnet because there is no password configured...
What can I do? Is there a way to connect with telnet anyway? Or by any other means?
thx a lot!
 
Sounds like you are having fun. If the console port is down it has probably been done on purpose for security reasons. This will only now let you telnet but again if you have no VTY password then the switch will prompt for a password but as none is configured none will be correct and will not let you in.

Your way out of this situation is a password reset.

Can you do this or do you need some help? What kind of switch are you looking at?
 
I have a catalyst 2950.
But, if it is for security reasons, wouldn't it be said when I connect to it? Because right now, the connection through the console port prints nothing on my screen.
As for the connection by telnet, it doesn't even ask me for a password, it says: "Password required, but none set", and then the connection is lost...
To finish, I've read the password recovery from the Cisco site, but it requires a connection through the console port.

in either case, I'm fucked :)
If you have any solution, except throwing the switch through the window, please let me know :)
 
To me it sounds like you aren't using the correct cable to get into the switch. If you have the correct cable you should get something out of the console, whether it's password protected or not.
 
well, I'm sure I'm using the correct cable, because it is the one I got in the package, and it is working on other catalyst switches...So, I'm totally sure of my config and the cable.
 
I read your other post and I wonder if you might try varying the baud rate when you connect. Just a long shot.
 
To clarify. There is a command that can be entered that stops the device sending information to the console port. The result is that if you connect you will get nothing. The only way to reverse this is to negate the command. I will check what this is and get back. This means that nobody can gain physical connectivity to the device. I would not use this but that is not to say that somebody else would.

Telnetting to the device. When configuring the device, with particular emphasis to the VTY. If the command login is entered the device will prompt for a password. However if one has not been set it is a catch 22. The device has to ask for the password, there is no password, then the password is not correct and access is not granted.

As I said in my earlier posting the only way out is to perform a password recovery on the box. To do this you break into the box whilst it is in startup before it has loaded its config. In this time it will be sending its actions to the console port and you can press the break button to get in.

This should put you in rommon where you can change to conf reg. Once this is changed you reboot the device. By changing the conf reg you tell the unit to load the ios but not the config (config is saying ignore the console port and deny telnet). Once here you can get into enable mode, there will be no password as there is no config. Put in a VTY password and use the copy start run to copy the startup config to running config and you can telnet to the device.

If you reply with the type of switch and your mail address I will forward full details of how to do this.

Steve
 
JayTheLooser,

If you know the community strings you might try: faq558-862

that faq talks about letting the switch reboot from a configfile on a tftpserver.

From experience this is not necessary. It is possible to just create a file with the settings you want to change like:

config terminal
enable secret cisco
line vty 0 4
password cisco
end

and have these configuration changes be added to the running configuration without rebooting the switch and having no impact.

I am not sure what the OID for that one is though (have it at work). Maybe someone else here knows...

InDenial

 
First, thx a lot for your advices, and sorry for the delay of this answer :)
gaveeve> It wasn't a bad idea to try other baud rates, but it didn't work better. Bad luck.

NMCman> The switch is a catalyst 2950_12, and my mail is jay2001@caramail.com. If you can send me the details, I'll try them, cause it could be a good idea.

InDenial> "and have these configuration changes be added to the running configuration" Are you sure you can change the running configuration without having access (either by telnet or console) to the switch? If yes, how?

thx again!
 
JayTheLooser,

It works in a similar way as described in the faq. You need to know the set community strings though. I will look up the OID at work and post it here....

InDenial

 
Ok here it is:

Like it says in the faq. the following does the trick:

"snmpset -c <write community string> <switchIP/name> .1.3.6.1.4.1.9.2.1.50.ip.address.of.tftpserver octetstring <filename on server>"

Although the faq talks about rebooting I am positive that this does not need a switch reset. You don't even have to download the config. You just have to create a file with the settings you want to change. like:

setpass.txt:

config terminal
enable secret cisco
line con 0
password cisco
line vty 0 4
password cisco
end

this resets all the passwords to cisco.

You need to know the snmpset community string though and you do need a tftp server which supports the snmp command.

Also.. the command given might not work on your system even if it supports snmp. You just have to find out what the command should be like.

example:

snmpset -c private switch1 .1.3.6.1.4.1.9.2.1.50.192.168.213.40 octetstring setpass.txt

that's what the command should look like using the needed information.

private = write community string
192.168.213.40 = tftpserver ip-address
setpass.txt = the file name of the configuration you want to change.

I used this to be able to access switches which were placed across country where the passwords were not set.

good luck...

InDenial
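
Seen from the defender's side, as an added example that is not part of the original thread or any poster's code: a small audit of a saved IOS-style configuration for the two conditions discussed above, a vty line with `login` but no password (the "Password required, but none set" lockout) and a read-write SNMP community with no access list, which is what allows the snmpset/TFTP method to change the running configuration. The sample configuration, the function name and the finding names are constructed for illustration.

```python
import re

# Constructed sample config (not taken from the thread).
SAMPLE_CONFIG = """\
hostname sw-example
snmp-server community public RO
snmp-server community private RW
snmp-server community ops RW 10
line con 0
 password example-only
 login
line vty 0 4
 login
"""

# snmp-server community <string> [view <name>] {RO|RW} [acl]
COMMUNITY_RE = re.compile(
    r"^snmp-server community \S+(?: view \S+)?\s+(RO|RW)(?:\s+(\S+))?\s*$", re.I)

def audit(config):
    """Return (finding, location) tuples for an IOS-style config text."""
    findings = []
    block, cmds = None, []

    def close_block():
        # A vty line with plain "login" and no "password" refuses every
        # telnet session: "Password required, but none set".
        if (block and block.startswith("line vty") and "login" in cmds
                and not any(c.startswith("password ") for c in cmds)):
            findings.append(("login-without-password", block))

    for number, raw in enumerate(config.splitlines(), start=1):
        if raw.startswith("line "):
            close_block()
            block, cmds = raw.strip(), []
        elif raw[:1].isspace() and block:
            cmds.append(raw.strip())      # sub-command of the current line block
        else:
            close_block()
            block, cmds = None, []
            m = COMMUNITY_RE.match(raw.strip())
            # RW with no trailing ACL: any host that knows the string can write.
            if m and m.group(1).upper() == "RW" and m.group(2) is None:
                findings.append(("rw-community-without-acl", f"config line {number}"))
    close_block()
    return findings

if __name__ == "__main__":
    for kind, where in audit(SAMPLE_CONFIG):
        print(f"{kind}: {where}")
```

The community string itself is deliberately left out of the findings so the report can be shared without exposing it.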

 
Errr correction...

you just need a tftp server and a machine that supports snmp. It does not have to be the same machine..



InDenial

 
The key here is "password required but none set." It is just what it says.

The LOGIN command is set for line con 0, but no password has been configured for it. That is a way to lock out the console port.

You will need to follow the password recovery procedures to get into the unit. Then you can set a password for the console port.
 
bierhunter> thx, but I know that; and when I try the password recovery procedures, nothing is printed in my hyper terminal window where it should...so, it is a little bit harder to follow the rest of the procedure. That's why I'm looking for something else.

InDenial> thx for all your advices, but as I know almost nothing, I don't know how to set a machine to support snmp. Is there a software to download or something like that?
And, by the way, I was wondering: what is a community string??
 
oups, forget about the community string...I'll learn to first search, and THEN ask...not the opposite :)
as for the snmp, I'll search too
 
JayTheLooser,

check this thread: thread558-613179

It mentions some tools which could come in handy to you.

InDenial

 