I would like to configure an interface on a remote Cisco router (ISR 4000 series) with IPsec. The only way to connect to it is through the interface that I am trying to encrypt.

I want to ensure that I would not lose connection due to misconfiguration.

I would like to know if there is a way to make the router undo the last command(s) that caused the ssh session to drop.

iokarag

2 Answers

You can configure the auto rollback feature to revert to a previous configuration in case you lose access.

First, you need to configure configuration archive on the router. For example:

archive
path flash:
write-memory

This stores the recent configuration in flash.

Then when you're ready to make changes, type

configure term revert time 5
<new configuration lines>
end

If you're happy with the changes, type

configure confirm

If you don't type config confirm in five minutes, the router will revert to the previous configuration. This happens much faster and is less disruptive than rebooting the router.

Ron Trunk

While an "undo last" is only supported by a few devices, there are a few alternatives:

  1. Before doing the tricky part, run a reload in 5:00. If you lose contact, the router will reboot a few minutes later. If everything does work out, you cancel the reload: reload cancel.
  2. Instead of redefining a live connection, configure a new one and connect in parallel. Make sure you configure static routes accordingly, with increased metric/cost on one link. With dynamic routing, increase the cost on the interface.
  3. For the tricky part, allow SSH sessions from the outside, but only from certain source IP addresses (SSH is permanently attacked). Don't forget to remove it afterwards.
Zac67
  • Until now I was using the reload command, but it takes a lot of time to reload in case of an error. I will definitely try the second way you propose. Sounds interesting. – iokarag Nov 16 '20 at 20:08
  • @iokarag Define "a long time". Cisco devices boot within 3-5 minutes typically. – Jesse P. Nov 16 '20 at 21:57
  • Tell that to the 7513 that would take 1.5hrs to return from a "reload" or power-on. (and 20min if you direct "boot slot0:ios" instead of the usual rommon-boothelper-ios route.) Or the 7401 that would reboot so fast the monitors never saw it crash. :-) – Ricky Nov 17 '20 at 01:42
  • @Jesse P. Well you are correct. But long and short time is relative sometimes. – iokarag Nov 17 '20 at 08:49
  • @Ricky Yeah, that's fair. Wasn't counting chassis-type devices like the 6509. – Jesse P. Nov 17 '20 at 13:14
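As an added example (not from either answer above), here is one complete IOS session that combines Ron Trunk's archive-plus-revert-timer procedure with Zac67's third point, a vty line restricted to known management sources. The ACL name, the archive path and the RFC 5737 addresses are placeholders; the IPsec changes themselves are left as a placeholder line because the question does not show them.

```cisco
! Added example, not the original answers' code. Names and addresses are
! placeholders; replace them with your own management prefixes.
!
! 1. Create the configuration archive so "revert" has a snapshot to restore.
configure terminal
 archive
  path flash:archive-
  maximum 10
  write-memory
  time-period 1440
 exit
!
! 2. Before touching the transit interface, limit management access to
!    known admin sources and log anything else that knocks on the door.
 ip access-list standard MGMT-HOSTS
  permit 203.0.113.10
  permit 192.0.2.0 0.0.0.255
  deny   any log
 exit
 line vty 0 4
  access-class MGMT-HOSTS in
  transport input ssh
 exit
end
!
! 3. Enter config mode with a 5-minute rollback timer. Everything typed
!    until "end" is discarded unless "configure confirm" arrives in time.
configure terminal revert timer 5
 ! <interface / IPsec changes go here>
end
!
! 4. Verify the timer is armed and see how long is left.
show archive config rollback timer
!
! 5. Still connected? Commit. If the session dropped, do nothing: the
!    router restores the archived config and SSH returns on its own.
configure confirm
!
! Need more time, or want to abort right away instead of waiting?
!   configure terminal revert timer 10
!   configure revert now
```

The revert timer, not the reload timer, is what keeps the recovery measured in seconds rather than a full boot cycle; the access-class line can be removed again once the change is confirmed, as Zac67 notes.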