
Nano_Magnus

join:2011-10-19

Help with Cisco 1921 - not booting

Hi,

I had a Cisco 1921/K9 and the sys LED started blinking, then I connected the router with a console using Hyper Terminal, and it looks like there is no file for booting.

I configured this router a long time ago following some step-by-step guides, and I need some help to rebuild it.

Sorry for my poor English, it's not my primary language.

Here is what I get from Hyper Terminal:

System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)
Technical Support: »www.cisco.com/techsupport
Copyright (c) 2010 by cisco Systems, Inc.

Total memory size = 512 MB
CISCO1921/K9 platform with 524288 Kbytes of main memory
Main memory is configured to 64 bit mode with ECC disabled

Readonly ROMMON initialized
program load complete, entry point: 0x80903000, size: 0x4c4a0
open(): Open Error = -13
loadprog: error - on file open
boot: cannot load "flash:c1900-universalk9-mz.SPA.151-4.M1.bin"

System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)
Technical Support: »www.cisco.com/techsupport
Copyright (c) 2010 by cisco Systems, Inc.

Total memory size = 512 MB
CISCO1921/K9 platform with 524288 Kbytes of main memory
Main memory is configured to 64 bit mode with ECC disabled

Readonly ROMMON initialized
program load complete, entry point: 0x80903000, size: 0x4c4a0
boot: cannot determine first executable file name ondevice "usbflash0:"

HELLFIRE
Premium
join:2009-11-25
kudos:19
You're going to have to break into ROMMON mode and check a couple of things:

a) is there a file called "c1900-universalk9-mz.SPA.151-4.M1.bin"? Either the file's missing or borked.

b) secondly you'll want to check to make sure where the 19xx is booting from. FLASH: and USBFLASH:
are two different locations.

c) you might want to check what the config register is.

Regards

Nano_Magnus

join:2011-10-19
reply to Nano_Magnus
Thanks for answering me, I'm not sure what commands you want me to use, but maybe this information is useful:

Readonly ROMMON initialized
rommon 1 > dev
Devices in device table:
id name
flash: usbflash0
bootflash: boot flash
usbflash0: usbflash0
usbflash1: usbflash1
eprom: eprom
rommon 2 > dir flash:
program load complete, entry point: 0x80903000, size: 0x4c4a0
Directory of flash:

rommon 3 > dir usbflash0:
program load complete, entry point: 0x80903000, size: 0x4c4a0
Directory of usbflash0:

HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to Nano_Magnus
said by Nano_Magnus:

rommon 2 > dir flash:
program load complete, entry point: 0x80903000, size: 0x4c4a0
Directory of flash:

said by Nano_Magnus:

rommon 3 > dir usbflash0:
program load complete, entry point: 0x80903000, size: 0x4c4a0
Directory of usbflash0:

The problem's right in front of you... there's nothing present on the flash: device (likely the CompactFlash card)
or in the USB flash drive (if you have one present). Either the code got deleted or the file's no longer readable
by the router.

You're basically going to have to download "c1900-universalk9-mz.SPA.151-4.M1.bin" back onto the device. Hope you
have a CCO ID and valid support contract to obtain it, Nano_Magnus.

Regards

Nano_Magnus

join:2011-10-19
reply to Nano_Magnus
Thanks a lot, I just wanted to be sure what to do before changing anything.

I don't have a support contract.

I'm going to search for a copy of the bin file, and send it to the router with a TFTP server.

What do I need to do if I can't find it, do I need to contract support from Cisco?

bigsy

join:2001-07-18
ireland
kudos:1
said by Nano_Magnus:

I'm going to search for a copy of the bin file, and send it to the router with a TFTP server.

Assuming you can get the file, I think you can boot off an external USB flash (i.e. usbflash1:) in ROMMON on this model which should be quicker than a TFTP transfer.

See »www.cisco.com/en/US/docs/routers ··· p1014739

s_tux_g

join:2012-03-03
reply to Nano_Magnus
Search for CON-SNT-1921. It is a Cisco SMARTnet extended service agreement for 1921 routers. Price is about $70 for a year. You'll get permissions to download IOS software from cisco.com (don't forget to register first) for your router. For instance, I buy my contracts at this company: www.cdw.com.

HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to Nano_Magnus
said by Nano_Magnus:

What do I need to do if I can't find it, do I need to contract support from Cisco?

To get the software legitimately, yes you will.

Regards

Nano_Magnus

join:2011-10-19
reply to Nano_Magnus
OK, I found my license file and the IOS and a backup of my running configuration, but I can't copy anything to Flash0: so I copied everything to Usbflash0:

And when I configure HTTP access using telnet it works until I shut down the router, and when I start up the router again there is no HTTP access again and all the configuration is back to 0.

I'm not sure what to do, so I need help.

Thanks

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
a) save the config (wr mem)
b) set the conf-reg to actually load the startup config

"A" you may be doing already. "B" may be necessary if anyone has half-way "recovered" the device.

HELLFIRE
Premium
join:2009-11-25
kudos:19
2nd what cramer has said.

Definitely keep a copy of said IOS and licence in a place you can find it in case this happens again.

Regards

bigsy

join:2001-07-18
ireland
kudos:1
reply to Nano_Magnus
said by Nano_Magnus:

OK, I found my license file and the IOS and a backup of my running configuration, but I can't copy anything to Flash0: so I copied everything to Usbflash0:

usbflash0: and flash: are the same. Note that it is not flash0:

Nano_Magnus

join:2011-10-19
reply to Nano_Magnus
I'm checking my configuration register and it is 0xC402, now I'm checking "Troubleshooting when the Configuration Register Value is Not Known" to solve this and continue to the conf-reg


Nano_Magnus

join:2011-10-19
reply to Nano_Magnus
Using the Cisco Output Interpreter

-------------------------------
CONFIGURATION REGISTER ANALYSIS
-------------------------------
Current Value (in hexadecimal): 0xC402
Current Value (in binary): 1100 0100 0000 0010
Default Value (in hexadecimal): 0x2102
Default Value (in binary): 0010 0001 0000 0010

I will try changing to 0x2102
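
Added example (not part of the original post): a decoder for the two register values above, showing which bits differ between 0xC402 and 0x2102. The bit meanings are taken from Cisco's generic configuration-register table and are an assumption to confirm for the 1921; under that table bit 15 of 0xC402 is consistent with the saved configuration not being loaded after a restart.

```python
# Added example, not from the thread. Bit meanings follow Cisco's generic
# configuration-register table; confirm them for the platform in hand.
FLAGS = {
    0x0040: "ignore NVRAM contents (startup-config is not loaded)",
    0x0080: "OEM bit: disable boot messages",
    0x0100: "Break disabled",
    0x0400: "IP broadcast with all zeros",
    0x2000: "boot default ROM software if network boot fails",
    0x4000: "IP broadcasts do not have net numbers",
    0x8000: "enable diagnostic messages and ignore NVRAM contents",
}
BAUD_MASK = 0x1820  # console speed lives in bits 5, 11 and 12
BAUD = {0x0000: 9600, 0x0800: 4800, 0x1000: 1200, 0x1800: 2400,
        0x0020: 19200, 0x0820: 38400, 0x1020: 57600, 0x1820: 115200}

def boot_action(field):
    if field == 0:
        return "stay at the ROM monitor prompt"
    if field == 1:
        return "boot the first image found in flash"
    return "follow 'boot system' commands, else boot the default image"

def decode_confreg(value):
    """Decode a 16-bit configuration register into its fields."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("the configuration register is a 16-bit value")
    return {
        "boot_field": value & 0x000F,
        "boot_action": boot_action(value & 0x000F),
        "console_baud": BAUD[value & BAUD_MASK],
        "flags": [text for bit, text in sorted(FLAGS.items()) if value & bit],
        # Bit 6 or bit 15 makes the router come up without the saved config.
        "ignores_startup_config": bool(value & 0x8040),
    }

def changed_flags(current, wanted):
    """Flag bits that differ, with their state in the current value."""
    diff = current ^ wanted
    return [(f"0x{bit:04X}", "set" if current & bit else "clear", FLAGS[bit])
            for bit in sorted(FLAGS) if diff & bit]

if __name__ == "__main__":
    for reg in (0xC402, 0x2102):  # current and default values from the thread
        print(f"0x{reg:04X}", decode_confreg(reg))
    for row in changed_flags(0xC402, 0x2102):
        print(*row)
```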

HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to Nano_Magnus
»www.cisco.com/en/US/products/hw/ ··· 3f.shtml

should still be valid for the x9xx series routers.

Regards

Nano_Magnus

join:2011-10-19
reply to Nano_Magnus
The router is booting OK and I'm using CCP to edit the running configuration.

Everything in the internal net is working OK, but I'm having problems with accessing the Internet and connecting the VPN, it looks like my internal DNS can't pass the router.

Here is my running configuration:

hostname router01
!
boot-start-marker
boot-end-marker
!
!
logging buffered 52000
enable secret 5 xxxxx.
enable password xxxx
!
no aaa new-model
!
no process cpu extended history
no process cpu autoprofile hog
clock timezone Caracas -4 0
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name dominio.local
ip name-server "DC-DNS-DHCP Server IP"
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-xxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxx
revocation-check none
rsakeypair TP-self-signed-xxx
!
!
crypto pki certificate chain TP-self-signed-xxx
certificate self-signed 01
30820229 30820192 A0030201
x
x
x
x
84CE0B7B DC
quit
license udi pid CISCO1921/K9 sn FTXxx
!
!
username "user" privilege 15 secret 5 xxxxx
!
redundancy
!
!
!
!
no ip ftp passive
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes
authentication pre-share
lifetime 3600
crypto isakmp key "Shared Key" address "VPN endpoint IP"
!
!
crypto ipsec transform-set "VPN name" esp-aes esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to"VPN endpoint IP"
set peer "VPN endpoint IP"
set transform-set "VPN name"
match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
no cdp enable
!
interface GigabitEthernet0/0
description $ETH-LAN$
ip address "Router Local IP" 255.255.0.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/1
description $ETH-WAN$
ip address "Router External IP" 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
ip default-gateway "Internet gateway"
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source static tcp "Published server IP" 80 interface GigabitEthernet0/1 80
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 "Internet Gateway IP"
!
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark CCP_ACL Category=2
access-list 1 permit "Red Lan" 0.0.255.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit "Red Lan" 0.0.255.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip "Red Lan" 0.0.255.255 192.168.0.0 0.0.255.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip "Red Lan" 0.0.255.255 192.168.0.0 0.0.255.255
access-list 101 permit ip "Red Lan" 0.0.255.255 any
!
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
snmp-server community public RO
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password xxxx
login
transport input all
!
scheduler allocate 20000 1000

I'm not sure if I'm missing something, any observation would be appreciated

Thanks a lot for all the help
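
Added example (not part of the original post): a short audit of the management-plane and IKE settings visible in the configuration above, written so it still works when indentation has been lost as it is on this page. The rule set is an illustrative selection, and the sample is an excerpt of the posted lines with the same placeholders.

```python
# Added example, not from the thread: a small, illustrative rule set.
import re

# (required section prefix or None for anywhere, line pattern, finding)
RULES = [
    (None, r"enable password ", "enable password is clear text or type 7; keep only 'enable secret'"),
    (None, r"ip source-route$", "IP source routing is enabled"),
    (None, r"ip http server$", "clear-text HTTP management is enabled"),
    (None, r"snmp-server community (public|private)\b", "default SNMP community string"),
    ("line con", r"exec-timeout 0 0$", "console sessions never time out"),
    ("line vty", r"transport input (all|.*telnet)", "Telnet is accepted on the vty lines"),
    ("crypto isakmp policy", r"encr (des|3des)$", "legacy IKE encryption algorithm"),
    ("crypto isakmp policy", r"group (1|2|5)$", "small IKE Diffie-Hellman group"),
]
HEADERS = ("line ", "interface ", "crypto isakmp policy ", "crypto map ")

def audit(config_text):
    """Return (line_no, line, finding); does not rely on indentation."""
    findings, section = [], ""
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line == "!" or line.startswith(HEADERS):
            section = "" if line == "!" else line  # a bare "!" closes a section
        for scope, pattern, text in RULES:
            if (scope is None or section.startswith(scope)) and re.match(pattern, line):
                findings.append((no, line, text))
    return findings

# Excerpt of the configuration posted above, indentation lost as on the page.
SAMPLE = """\
enable password xxxx
ip source-route
crypto isakmp policy 1
encr 3des
group 2
!
ip http server
snmp-server community public RO
line con 0
exec-timeout 0 0
line 2
transport input all
line vty 0 4
transport input all
"""

if __name__ == "__main__":
    for no, line, text in audit(SAMPLE):
        print(f"{no:>3}  {line:<34} {text}")
```

The `transport input all` under `line 2` is not reported because that line has `no exec` in the posted configuration; only the vty lines accept logins.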

HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to Nano_Magnus
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
 
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark CCP_ACL Category=2
access-list 1 permit "Red Lan" 0.0.255.255
 
route-map SDM_RMAP_1 permit 1
 

So that looks like the config for your NAT'ing, and you have NAT inside (Gi0/0) and outside (Gi0/1) defined
properly from the looks of it. I haven't ever used a route-map for NATing myself. I'd stick to the
tried and true

ip nat inside source list 1 interface Gi0/1 overload
 
access-list 1 permit "Router Local IP"
 

and make sure that works. If it does, something's not right with the rest of it.

Also, as an observation, if you're using RFC1918 addresses on your LAN, no reason to hide em when posting them up here.

Regards


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
said by HELLFIRE:

I haven't ever used a route-map for NATing myself.

if i recall correctly (and i drink a lot of whiskey -- so i can't always say that i do), a route-map nat was required for access to local networks from a vpn.
i'd have to see if i can find the document buried -- but it may be fixed/solved in newer versions of code. this was along the 12.4([some single digit number])t days (something like 6-7 years ago). i had a bitch of a time setting up nat with a remote-access vpn on my 871w until i found this -- then as soon as i used the route-map -- it worked.

in a nutshell -- a route-map isn't much different than an acl (just an extra step, but you can do "fancy things" with the route-map if you need to). set an acl to match on, create the route-map to match on the acl, then reference the route-map in the nat statement.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."

Nano_Magnus

join:2011-10-19
reply to Nano_Magnus
Still no Internet access, and not sure what to do next

not sure what's wrong on my running configuration

HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to Nano_Magnus
Did you do the modification I suggested?

Can you repost your existing config again for review?

Regards

Nano_Magnus

join:2011-10-19
reply to Nano_Magnus
Sorry, I'm out on a business trip, I will try this when I return

Thanks


kamikatze

join:2007-11-02
kudos:2
reply to tubbynet
I remember seeing this stuff somewhere in the official cisco literature.
Then i've seen it in action on an old 1751, the VPN subnet was next-hopped to a Loopback interface with a route-map to escape NAT.
route-map dostuff
    match vpn_subnet
    set ip next-hop Loopback0
 

It worked but my god it made every damn packet get process switched. As soon as i removed the route-map and just denied the subnet in the NAT ACL, that box.. like.. WOKE UP.
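
Added example (not part of the original post): a check that every flow permitted by the crypto-map ACL is denied in the NAT ACL before any overlapping permit, which is the "deny the subnet in the NAT ACL" approach described above and the shape of ACLs 100 and 101 in the posted configuration. The LAN range 10.10.0.0/16 is constructed, since the thread hides the real one, and only `ip` entries in numbered ACLs are parsed.

```python
# Added example, not from the thread. 10.10.0.0/16 is a constructed LAN range.
import ipaddress
import re

ENTRY = re.compile(
    r"access-list (\d+) (permit|deny) ip (any|\S+ \S+) (any|\S+ \S+)$")

def endpoint(spec):
    """Turn 'any', 'host A' or 'A WILDCARD' into an ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    first, second = spec.split()
    if first == "host":
        return ipaddress.ip_network(second + "/32")
    if second == "0.0.0.0":  # one host; ipaddress would read this mask as /0
        return ipaddress.ip_network(first + "/32")
    return ipaddress.ip_network(f"{first}/{second}", strict=False)

def parse_acls(text):
    """Map ACL number -> ordered (action, src, dst) entries; remarks are skipped."""
    acls = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            num, action, src, dst = m.groups()
            acls.setdefault(num, []).append((action, endpoint(src), endpoint(dst)))
    return acls

def unexempted(acls, crypto_acl, nat_acl):
    """Return crypto-ACL flows that the NAT ACL would still translate."""
    bad = []
    for action, src, dst in acls.get(crypto_acl, []):
        if action != "permit":
            continue
        for n_action, n_src, n_dst in acls.get(nat_acl, []):  # first match wins
            if n_action == "deny" and src.subnet_of(n_src) and dst.subnet_of(n_dst):
                break  # the whole flow bypasses NAT and can reach the crypto map
            if n_action == "permit" and src.overlaps(n_src) and dst.overlaps(n_dst):
                bad.append((str(src), str(dst)))
                break
    return bad

LAN = "10.10.0.0 0.0.255.255"      # constructed; the thread hides the real LAN
VPN = "192.168.0.0 0.0.255.255"    # remote side as posted in ACL 100
CRYPTO = f"access-list 100 permit ip {LAN} {VPN}\n"
AS_POSTED = CRYPTO + (f"access-list 101 deny ip {LAN} {VPN}\n"
                      f"access-list 101 permit ip {LAN} any\n")
NO_DENY = CRYPTO + f"access-list 101 permit ip {LAN} any\n"

if __name__ == "__main__":
    print("as posted:", unexempted(parse_acls(AS_POSTED), "100", "101"))
    print("no deny  :", unexempted(parse_acls(NO_DENY), "100", "101"))
```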

Nano_Magnus

join:2011-10-19
reply to Nano_Magnus
I solved the problem with a different implementation.

First.- The Cisco 1921 is working only for VPN site to site with IPSec

Second.- DMZ, DNS requests, Web Access, Server publishing and VPN clients are managed by TMG 2010

Thanks for all the help, and sorry for my poor English