10 Replies Latest reply on Dec 20, 2010 12:27 PM by gdstafford

    Enable Mode Fails on Cisco router

    vmvineeth

      Hi,


      I am new to Kiwi tools. I am not able to take the backup of my Cisco router using Kiwi. I am getting an error message like "enable mode failed". I have tried to capture the error, but when I checked the Debug folder it was empty.

      I am using a TACACS login and a separate password for the enable prompt.

      The login looks as follows:

      Username: test.1985
      Password:******

      TEST-Cisco-7206>enable
      Password:*******
      TEST-Cisco-7206#

      Your help in solving this issue will be highly appreciated.


      Regards

      Vineeth

        • Re: Enable Mode Fails on Cisco router
          Steve Welsh

          Hi Vineeth,

          Which version of CatTools are you using?

          Steve

            • Re: Enable Mode Fails on Cisco router
              vmvineeth

              Hi Steve,

              Thanks for your reply.

              I am using version 3.3.11. If you want any more logs, let me know.

              Thanks & Regards

              Vineeth

                • Re: Enable Mode Fails on Cisco router
                  Steve Welsh

                  In the device set-up form 'Passwords' tab (where you are setting your enable password), do you have the 'Privilege Level' field set?

                  If so, you may want to try clearing any values from this field because, from your device capture example, it appears that CatTools only needs to send 'enable' rather than (for example) 'enable 15' in order to enter enable mode.

                  If this doesn't work, then select 'Enable Capture Mode' from the File menu. (You may want to go back into the File menu again after selecting this option to ensure the tick mark is still set, as sometimes it doesn't hold the setting - this is a bug which is fixed in version 3.4.) With capture mode on, run the activity again and then check the \Debug folder for a debuglog .txt file created for the device. Open the file to see what data CatTools is sending and receiving. You may be able to spot the problem.

                  For reference the text following a <W... > tag in a debuglog file is the data being sent by CatTools to the device; <R... > is being received back from the device.

                  Note: Because the device debuglog file contains sensitive security information about the device (login/enable password, etc), you may not want to post it here in a public forum.

                  Please let me know how you get on.

                  Steve

                    • Re: Enable Mode Fails on Cisco router
                      vmvineeth


                      Hi Steve,

                      Thanks for your detailed reply. I guess we are half way there. Our debug logs show that I am able to authenticate with the TACACS user id and password. After that the script is running; please find the output of the script below:


                      <NEWSESSION Kiwi CatTools 3.3.11 8/20/2009 11:56:01 AM>

                      <PROTOCOL=Telnet>

                      <DEVICE TYPE=Cisco.Router.General>

                      <ACTIVITY TYPE=Device.Backup.Running Config>

                      <ACTIVITY SCRIPT=D:\Program Files\CatTools3\Scripts\Client.Device.Backup.Running Config.txt>

                      <USERS NAME FOR DEVICE=192.168.0.1>

                      <C OK 11:56:01 AM><R-11:56:01 AM>CCCCC[13][10] +---------------------------------------------------------------+[13][10]  |    This system is for the use of authorized users only.      |[13][10] |Individuals using this system without authority or in excess   |[13][10] |of their authority, are subject to having all of the activities|[13][10]  |on this system monitored and recorded by system personnel.    |[13][10]  |                                                              |[13][10]  |     In the course of monitoring individuals improperly using  |[13][10]  |system, or in the course of syst<R-11:56:01 AM>em maintenance, the activities |[13][10]  |of authorized users may also be monitored.                    |[13][10]  |                                                              |[13][10]  |     Anyone using this system expressly consents to such       |[13][10]  |monitoring and is advised if such monitoring reveals possible  |[13][10]  |evidence of criminal activity, system personnel may provide    |[13][10]  |the evidence to law enforcement officials.                    
|[13][10] +---------------------------------------------------------------[13][10][13][10][13][10]User Access Verification[13][10][13][10]Username: <W-11:56:01 AM>test.1985[13]<R-11:56:02 AM>test.1985<R-11:56:02 AM>[13][10]Password: <W-11:56:02 AM>******[13]<R-11:56:02 AM>[13][10][13][10]TEST-Cisco-7206><W-11:56:02 AM>[13]<R-11:56:02 AM>[13][10]TEST-Cisco-7206><W-11:56:02 AM>enable<R-11:56:03 AM>enable<W-11:56:03 AM>[13]<R-11:56:03 AM>[13][10]<R-11:56:03 AM>Password: <W-11:56:03 AM>******[13]<R-11:56:03 AM>[13][10]TEST-Cisco-7206#<W-11:56:03 AM>term no mon<R-11:56:03 AM>term no mon<W-11:56:03 AM>[13]<R-11:56:03 AM>[13][10]<R-11:56:03 AM>Authorization - Failed command[13][10]                                    ^[13][10]% Invalid input detected at '^' marker.[13][10][13][10]TEST-Cisco-7206#<W-11:56:04 AM>term len 0<R-11:56:04 AM>term len 0<W-11:56:04 AM>[13]<R-11:56:04 AM>[13][10]<R-11:56:04 AM>Authorization - Failed command[13][10]                               ^[13][10]% Invalid input detected at '^' marker.[13][10][13][10]TEST-Cisco-7206#<W-11:56:04 AM>show running<R-11:56:04 AM>show running<W-11:56:04 AM>[13]<R-11:56:05 AM>[13][10]<R-11:56:05 AM>Building configuration...[13][10]<R-11:56:05 AM>[13][10]Current configuration : 72809 bytes[13][10]![13][10]! Last configuration change at 04:45:09 IST Thu Aug 20 2009 by clockwatch[13][10]! 
NVRAM config last updated at 19:04:18 IST Wed Aug 19 2009 by clockwatch[13][10]![13][10]version 12.3[13][10]service tcp-keepalives-in[13][10]service timestamps debug datetime msec localtime show-timezone[13][10]service timestamps log datetime msec localtime show-timezone[13][10]service password-encryption[13][10]![13][10]hostname TEST-Cisco-7206[13][10]![13][10]boot-start-marker[13][10]boot system disk2:c7200-js-mz.123-14.T7.bin[13][10]boot system disk2:c7200-js-mz.123-8.T8.bin[13][10]boot-end-marker[13][10]![13][10]enable secret 5 1235564465464^%*&*&^%% .[13][10]enable password 7 1501020A1D78[13][10]![13][10]aaa new-model[13][10] --More-- <D 11:59:08 AM>

                      <SCRIPT VALUES>

                      <HOSTNAME="TEST-Cisco-7206">

                      <PROMPT VTY="TEST-Cisco-7206>">

                      <PROMPT ENABLE="TEST-Cisco-7206#">

                      <PROMPT CONFIG="">

                      After login it is applying one command, "terminal no monitor", which is not required at all, and the sh running-config commands are not getting completed properly. The process used to run for a long time, and after running it for a long time I am not getting any reply. When I checked the D:\Program Files\CatTools3\Configs folder it shows the folder is empty. Could you please shed some light on this problem and help me to solve these issues.


                      Thanks and Regards

                      Vineeth

                        • Re: Enable Mode Fails on Cisco router
                          Steve Welsh

                          Vineeth,

                          The device debuglog is showing me that for the 'term no mon' and 'term len 0' commands, the device is responding with:

                          Authorization - Failed command     %Invalid input detected at '^' marker

                          This suggests that you haven't been granted the necessary permissions to execute these commands.

                          The 'term len 0' is used to turn off the --More-- paging prompts (which will occur in the response from the 'show running' command).  Because this command is not being executed, the paging is still turned on which is why your backup is not completing.

                          Steve
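                          The two points Steve makes in this thread, that the text after a <W...> tag is what CatTools sent and the text after <R...> is what the device returned, and that a refused 'term len 0' leaves paging on so the backup never completes, can both be checked mechanically. The following Python script is an added example written for this page; it is not part of CatTools and the sample debuglog it parses is constructed to mirror the one posted above (passwords masked as ****** just as CatTools masks them). It splits the tagged stream into sent/received events, pairs each command with the device's response, lists the commands the device refused with "Authorization - Failed command", and reports whether paging is still on.

```python
import re

# Tags CatTools writes in a device debuglog: <W-hh:mm:ss AM> = data sent to the device,
# <R-hh:mm:ss AM> = data received from it (as described in the thread above).
TAG_RE = re.compile(r"<([WR])-(\d{1,2}:\d{2}:\d{2} [AP]M)>")
# Non-printable bytes appear in the log as decimal codes in brackets, e.g. [13][10] = CR LF.
CTRL_RE = re.compile(r"\[(\d{1,3})\]")

AUTHZ_FAIL = "Authorization - Failed command"
PAGING_OFF_CMDS = ("term len 0", "terminal length 0")

# Constructed sample, modelled on the debuglog posted in this thread (not a real capture).
SAMPLE_LOG = (
    "<C OK 11:56:01 AM><R-11:56:01 AM>[13][10]User Access Verification[13][10][13][10]Username: "
    "<W-11:56:01 AM>test.1985[13]<R-11:56:02 AM>test.1985[13][10]Password: "
    "<W-11:56:02 AM>******[13]<R-11:56:02 AM>[13][10]TEST-Cisco-7206>"
    "<W-11:56:02 AM>enable<R-11:56:03 AM>enable<W-11:56:03 AM>[13]<R-11:56:03 AM>[13][10]Password: "
    "<W-11:56:03 AM>******[13]<R-11:56:03 AM>[13][10]TEST-Cisco-7206#"
    "<W-11:56:03 AM>term no mon<R-11:56:03 AM>term no mon<W-11:56:03 AM>[13]"
    "<R-11:56:03 AM>[13][10]Authorization - Failed command[13][10]TEST-Cisco-7206#"
    "<W-11:56:04 AM>term len 0<R-11:56:04 AM>term len 0<W-11:56:04 AM>[13]"
    "<R-11:56:04 AM>[13][10]Authorization - Failed command[13][10]TEST-Cisco-7206#"
    "<W-11:56:04 AM>show running<R-11:56:05 AM>show running<W-11:56:04 AM>[13]"
    "<R-11:56:05 AM>[13][10]Building configuration...[13][10] --More-- "
)


def decode_ctrl(text: str) -> str:
    """Turn '[13][10]'-style byte codes back into the characters they stand for."""
    return CTRL_RE.sub(lambda m: chr(int(m.group(1))), text)


def parse_debuglog(text: str):
    """Split the tagged stream into (direction, timestamp, payload) events; W = sent, R = received."""
    parts = TAG_RE.split(text)  # [preamble, dir, ts, payload, dir, ts, payload, ...]
    return [(parts[i], parts[i + 1], decode_ctrl(parts[i + 2])) for i in range(1, len(parts), 3)]


def command_results(events):
    """Group events into commands: each non-empty W payload starts a command, and every R payload
    up to the next command is its response. CatTools sends the bare CR as its own W, which is skipped."""
    results, current = [], None
    for direction, ts, payload in events:
        if direction == "W":
            cmd = payload.strip()
            if cmd:
                current = {"command": cmd, "sent_at": ts, "response": ""}
                results.append(current)
        elif current is not None:
            current["response"] += payload
    return results


def unauthorized_commands(results):
    """Commands the device refused with the TACACS command-authorization error."""
    return [r["command"] for r in results if AUTHZ_FAIL in r["response"]]


def paging_still_on(results):
    """True if the paging-off command was refused, or a --More-- prompt appears in any response."""
    refused = any(c in PAGING_OFF_CMDS for c in unauthorized_commands(results))
    more_seen = any("--More--" in r["response"] for r in results)
    return refused or more_seen


def diagnose(text: str) -> dict:
    """Summarise a debuglog: commands sent, commands refused, and whether paging is still on."""
    results = command_results(parse_debuglog(text))
    return {
        "commands": [r["command"] for r in results],
        "unauthorized": unauthorized_commands(results),
        "paging_still_on": paging_still_on(results),
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    for cmd in report["unauthorized"]:
        print(f"device refused '{cmd}': check the commands the TACACS user is authorized to run")
    if report["paging_still_on"]:
        print("paging not disabled: 'show running' will stall on --More-- and the backup will not complete")
```

                          Run against a real debuglog, the refused-command list is what to take to whoever administers the TACACS server; as Steve notes, the log itself carries login details, so keep it off public forums.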

                            • Re: Enable Mode Fails on Cisco router
                              vmvineeth

                              Hi Steve Welsh,

                              Thank you for all the help from the user side. I have created a static user in my TACACS and given privileges, so I am able to take the backup now, and I have already tried the same for my Fortigate boxes also. It seems to be working fine, but in some areas there is a mismatch when I compare with the manually taken backups.

                              The current backup is OK for me; let me see after restoring it on one testing box.


                              When I debug the FG backup process I found the following logs. If you don't mind, could you please let me know what the whole process is? I have marked it in red colour on the log message below.


                              With the current script run by Kiwi CatTools I cannot take the backup of the Fortigate firewall which is in VDOM. So please let me know if there is any way we can change the command which the script will execute on the Fortigate box. Very, very many thanks in advance.


                              Once again, thanks for all the help; I am enjoying the Kiwi CatTools because of you.


                              Best Regards

                              Vineeth


                              <NEWSESSION Kiwi CatTools 3.3.11 8/23/2009 4:35:03 AM>

                              <PROTOCOL=Telnet>

                              <DEVICE TYPE=Fortinet.FortiOS.General>

                              <ACTIVITY TYPE=Device.Backup.Running Config>

                              <ACTIVITY SCRIPT=D:\Program Files\CatTools3\Scripts\Client.Device.Backup.Running Config.txt>

                              <USERS NAME FOR DEVICE=10.10.1.25>

                              <C OK 4:35:03 AM><R-4:35:04 AM>[13][10]FG-3600A-Master login: <W-4:35:04 AM>admin[13]<R-4:35:04 AM>a<R-4:35:04 AM>dmin[13][10]Password: <W-4:35:04 AM>************[13]<R-4:35:04 AM>*<R-4:35:04 AM>***************** [13][10]Welcome ![13][10][13][10]No entry for terminal type "vt100";[13][10]using dumb terminal settings.[13][10]FG-3600A-Master # <W-4:35:05 AM>         <R-4:35:05 AM> <R-4:35:05 AM>         <W-4:35:05 AM>[13]<R-4:35:05 AM>[13][00][13][10]<R-4:35:06 AM>FG-3600A-Master # <W-4:35:06 AM>[13]<R-4:35:06 AM>[13][00][13][10]<R-4:35:06 AM>FG-3600A-Master # <W-4:35:06 AM>[13]<R-4:35:06 AM>[13][00][13][10]<R-4:35:06 AM>FG-3600A-Master # <W-4:35:06 AM>config system console<R-4:35:06 AM>c<R-4:35:07 AM>onfig system console<W-4:35:07 AM>[13]<R-4:35:07 AM>[13][00][13][10]<R-4:35:07 AM>[13][10]FG-3600A-Master (console) #

                              ================================================================================

                              WFMDRetVal=1 Waiting for: "(console)#"

                              WFMDRetVal=2 Waiting for: "global #"

                              WFMDRetVal=3 Waiting for: "(global) #"

                              WFMDRetVal=4 Waiting for: "FG-3600A-Master#"

                              WFMDRetVal=5 Waiting for: "FG-3600A-Master $"

                              WFMDBuffer="config system console[13][00][13][10][13][10]fg-3600a-master (console) # "

                              ================================================================================

                              <W-4:35:13 AM>config global<R-4:35:13 AM>c<R-4:35:13 AM>onfig global<W-4:35:13 AM>[13]<R-4:35:13 AM>[13][00][13][10]<R-4:35:13 AM>Unknown action 0[13][10][13][10]FG-3600A-Master (console) #

                              ================================================================================

                              WFMDRetVal=1 Waiting for: "(console)#"

                              WFMDRetVal=2 Waiting for: "global #"

                              WFMDRetVal=3 Waiting for: "(global) #"

                              WFMDRetVal=4 Waiting for: "FG-3600A-Master#"

                              WFMDRetVal=5 Waiting for: "FG-3600A-Master $"

                              WFMDBuffer="config global[13][00][13][10]unknown action 0[13][10][13][10]fg-3600a-master (console) # "

                              ================================================================================

                              <W-4:35:43 AM>set output standard<R-4:35:43 AM>s<R-4:35:44 AM>et output standard<W-4:35:44 AM>[13]<W-4:35:44 AM>end<R-4:35:44 AM>[13][00][13][10]<R-4:35:44 AM>[13][10]FG-3600A-Master (console) # <R-4:35:44 AM>end<W-4:35:44 AM>[13]<W-4:35:44 AM>show<R-4:35:44 AM>[13][00][13][10]<R-4:35:44 AM>[13][10]FG-3600A-Master # <R-4:35:44 AM>show<W-4:35:44 AM>[13]<R-4:35:44 AM>[13][00][13][10]<R-4:35:44

                                • Re: Enable Mode Fails on Cisco router
                                  Steve Welsh

                                  Vineeth,

                                  For the Fortinet script, CatTools will also attempt to turn off the paging prompts (as it does for the Ciscos) to prevent it from hanging when the data is being received. For Fortinet, CatTools will issue the set output standard command.

                                  In order to issue this command, CatTools first needs to get the device into the correct context (say the equivalent of 'enable' mode for Cisco).  The command CatTools issues for this is config system console, however for VDOM it may be necessary to issue the config global command first.

                                  It appears that after successfully executing the 'config system console' command, your device is returning a hostname prompt ending in '(console) #' - note the space in front of the '#' - which CatTools isn't recognizing as a valid return prompt. CatTools assumes the command has failed, so tries 'config global' (which does fail). It appears from the device debuglog that you are using CatTools 3.3.11? If so, then upgrading to the latest release of CatTools should fix this problem, as we have added '...(console) #' to the list of valid prompts.

                                  Try upgrading CatTools to see if the backup is more successful and let me know how you get on.

                                  We are aware that for certain Fortigate devices, the 'show' command may not return the full device configuration (i.e. including VDOM).  Some devices support the 'show full-configuration' command; but if this also doesn't work then the only other solution may be to backup via TFTP (using a Device.CLI.Send Commands activity in CatTools) - unless you know of an alternative 'show...' command which works?


                                  Finally, with regards to the No entry for terminal type "vt100";[13][10]using dumb terminal settings message; the Telnet/SSH connection client used in CatTools uses 'vt100' terminal type emulation, which your device appears to not be able to handle, hence the message.
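                                  The prompt-recognition failure Steve describes (the 'WFMDRetVal' list expecting '(console)#' while the device returns '(console) #') can be reproduced in a few lines. This Python snippet is an added example written for this page, not CatTools code; how CatTools actually compares prompts is not public, so the strict matcher is my assumption about the 3.3.11 behaviour and the tolerant matcher is one way to accept the spaced prompt. The expected-prompt list and the two buffers are copied from the WFMDRetVal and WFMDBuffer lines in the debuglog posted above.

```python
import re

# Prompts CatTools 3.3.11 waits for after 'config system console', taken from the WFMDRetVal
# lines in the debuglog above; the list position is the WFMDRetVal value.
EXPECTED_PROMPTS = ["(console)#", "global #", "(global) #", "FG-3600A-Master#", "FG-3600A-Master $"]

# Reconstructed from the WFMDBuffer lines above (CatTools shows the buffer lower-cased).
BUFFER_AFTER_CONSOLE = "config system console\r\x00\r\n\r\nfg-3600a-master (console) # "
BUFFER_AFTER_GLOBAL = "config global\r\x00\r\nunknown action 0\r\n\r\nfg-3600a-master (console) # "


def strict_match(buffer, prompts=EXPECTED_PROMPTS):
    """Literal, case-insensitive suffix match (assumed 3.3.11 behaviour): returns the 1-based
    index of the first prompt the buffer ends with, or 0 when nothing matches (the failure case)."""
    tail = buffer.rstrip().lower()
    for i, prompt in enumerate(prompts, 1):
        if tail.endswith(prompt.lower()):
            return i
    return 0


def tolerant_match(buffer, prompts=EXPECTED_PROMPTS):
    """Same idea, but any run of spaces may sit before the closing '#' or '$',
    so '(console) #' is accepted as the '(console)#' prompt."""
    tail = buffer.rstrip()
    for i, prompt in enumerate(prompts, 1):
        body, last = prompt[:-1].rstrip(), prompt[-1]
        if re.search(re.escape(body) + r"\s*" + re.escape(last) + r"$", tail, re.IGNORECASE):
            return i
    return 0


def next_command(buffer, matcher):
    """What the backup script does next: turn paging off if it believes it is in the console
    context, otherwise fall back to 'config global' (the VDOM path described above)."""
    return "set output standard" if matcher(buffer) else "config global"


if __name__ == "__main__":
    for name, matcher in (("strict", strict_match), ("tolerant", tolerant_match)):
        print(f"{name}: WFMDRetVal={matcher(BUFFER_AFTER_CONSOLE)} -> next '{next_command(BUFFER_AFTER_CONSOLE, matcher)}'")
```

                                  With the strict matcher the buffer scores 0 and the script wanders into 'config global', exactly the 'Unknown action 0' seen in the log; the tolerant matcher returns 1 and proceeds to 'set output standard'.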

                                    • Re: Enable Mode Fails on Cisco router
                                      vmvineeth

                                      Hi Steve,

                                      It's nice to see your reply. I will check the same and update, but I may require some time. Thank you very much for your update.


                                      Regards

                                      Vineeth

                                        • Re: Enable Mode Fails on Cisco router

                                          Greetings all,

                                          I'm sorry to have to report I am experiencing a similar problem. Here is my setup.

                                          CatTools 3.6 Freeware + Cisco lab - 3 2500s, 2 Catalyst IOS switches

                                          I just enabled TACACS on one of the routers. I intended to experiment with a push to the remaining devices to enable the same. The VTY (no-TACACS) only configuration using Cisco.Router.general continues to work as expected. The same configuration fails on the TACACS device. My configuration for the TACACS device is as follows:

                                          AAA Username: <username>

                                          AAA Password: <login_pw>

                                          Enable Password: <enable_pw>

                                          Enable mode uses AAA username/password fields: ticked.

                                          In the prime problem-reproducing setup all other defaults are left at default.

                                          When running the activity Device.Backup.Running.Config all the non-TACACS devices (configured as such in CatTools) complete successfully while the TACACS router fails with the error "Aborting: Unable to enter enable mode".

                                          A Wireshark capture from a point between the server with CatTools and the router in question shows that all works fine up to this point. The failure occurs when the router asks for the enable password and CatTools passes the AAA password instead of the enable password. A debug from CatTools reveals the same.

                                          I have played with setting several of the options for the device TACACS configuration on and off in addition to the configuration I have described. I would be happy to forward the Wireshark trace and CatTools debug to help if you wish.

                                          Thanks,

                                          GDS

                                            • Re: Enable Mode Fails on Cisco router

                                              Team,


                                              Corrected my understanding of this configuration by unticking "Enable mode uses AAA username/password fields" box and ticking "Initial login requires username/password" box. Misread the third option and thought there was a difference between local login and TACACS login for Cisco devices (from CatTools perspective).

                                              Sorry to be a bother.

                                              Working just fine now.

                                              Cheers,

                                              GDS