Monthly Archives: June 2014

Cisco Preshared Key recovery options

The other day I had to copy the config of an ASA and a PIX to other devices. They both had VPNs to different sites, and I had to have those keys as no one documented them.

A few different ways to get those keys are:

ASA

Option 1: Login using ASDM and make a full backup including preshared keys

Option 2: Run the CLI command:

more system:running-config

Option 3: Copy running config to a TFTP/FTP server

PIX

The above options exist for the PIX as well. I have read that the more command will work, but it did not for me. Then I found this option to get the keys on the PIX:

Enable the HTTP server, create a username, and go to https://pix-ip/config; the key is then shown in clear text.

Commands to do that:

config t

http server enable

http 0.0.0.0 0.0.0.0 inside

username admin password password

Then go to the web interface.
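Once a config has been dumped by one of the options above, the keys still have to be pulled out and recorded per tunnel-group. The following is an added example, not from the original post: it parses the ASA/PIX tunnel-group syntax from a constructed config, pairs each peer with its key (IKEv1 and IKEv2 variants included), and flags entries that are still masked, which means the dump came from show running-config rather than more system:running-config.

```python
# Added example (not from the original post): inventory the IPsec pre-shared
# keys in an ASA/PIX config dump and flag the ones that are still masked, which
# means the dump came from 'show running-config' instead of
# 'more system:running-config'. The config text below is constructed.
import re

SAMPLE_CONFIG = """\
hostname asa-branch
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key branch-key-1
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 pre-shared-key *****
tunnel-group 192.0.2.20 type ipsec-l2l
tunnel-group 192.0.2.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key remote-key-3
 ikev2 local-authentication pre-shared-key local-key-3
"""

ATTR_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")
KEY_RE = re.compile(r"^\s+(.*?)pre-shared-key (\S+)$")


def extract_psks(config: str) -> dict[str, list[tuple[str, str]]]:
    """Map each tunnel-group to its (variant, key) pairs; variant is the
    prefix before 'pre-shared-key' ('' for the bare pre-8.4 form, else
    e.g. 'ikev1' or 'ikev2 remote-authentication')."""
    psks: dict[str, list[tuple[str, str]]] = {}
    current = None
    for line in config.splitlines():
        m = ATTR_RE.match(line)
        if m:
            current = m.group(1)
            psks.setdefault(current, [])
        elif not line.startswith(" "):  # any top-level line ends the block
            current = None
        elif current is not None:
            m = KEY_RE.match(line)
            if m:
                psks[current].append((m.group(1).strip(), m.group(2)))
    return psks


def masked_groups(psks: dict[str, list[tuple[str, str]]]) -> list[str]:
    """Tunnel-groups whose key is masked; re-dump these with 'more'."""
    return sorted(g for g, pairs in psks.items()
                  if any(key == "*****" for _, key in pairs))
```

Run extract_psks on the text of your own dump and check masked_groups before assuming the inventory is complete.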


Fortigate option to bypass hardware comparison for HA

Today I had an issue while configuring two 60Cs in an HA configuration. This usually takes about 2 minutes and is extremely easy, unless your hardware doesn't match. HA requires that the hardware matches on the two different units. When these were purchased the hardware did match, but at some time in the past one was RMAed and we received one with a hard drive. This broke the HA capability.

The error I kept seeing was about the hardware not being the same. The error was: “slave and master have different hdisk status. Cannot work with HA master. Shutdown the box! The system is halted.”

This command can get you past that:

exec ha ignore-hardware-revision enable

This will allow the HA cluster to ignore the hardware revision of the FortiGates and come up.

There are a lot more things that will cause problems, for example if your drives have been formatted with a previous version of FortiOS. You might need to run:

exe formatlogdisk