Chassis Synchronization; Protection Of Passwords - Cisco ASR 5000 Administration Manual

StarOS Release 21.1

Important
The configuration file contains a one-way encrypted value of the chassis key (the chassis key identifier) and
the version number in a comment header line. These two pieces of data determine whether the encrypted passwords
stored within the configuration will be properly decrypted.
While a configuration file is being loaded, the chassis key used to generate the configuration is compared
with the stored chassis key. If they do not match, the configuration is not loaded.
The user can remove the chassis key identifier value and the version number header from the configuration
file. Also, the user may elect to create a configuration file manually. In both of these cases, the system will
assume that the current chassis key is the one that was used to encrypt the encrypted passwords. If this is not
the case, the passwords will not be decrypted, because the result fails the non-printable character or memory
size checks. This situation is only recoverable by setting the chassis key back to the previous value, editing
the configuration to have encrypted values which match the current chassis key, or by moving the configuration
header line lower in the configuration file.
Beginning with Release 15.0, the chassis ID is generated from an input chassis key using the SHA2-256
algorithm followed by base36 encoding. The resulting 44-character chassis ID is stored in the same
chassisid file in flash.
Release 14 and Release 15 chassis IDs are in different encryption formats. Release 15 recognizes a
Release 14 chassis ID and considers it valid. Upgrading from 14.x to 15.0 does not require changing the
chassis ID or configuration file.
However, if the chassis key is reset in Release 15 through the setup wizard or the chassis-key CLI command, a
new chassis ID is generated in Release 15 format (44 instead of 16 characters). Release 14 builds do
not recognize the 44-character chassis ID. If the chassis is subsequently downgraded to Release 14, a new
16-character chassis ID is generated. To accommodate the old key format, you must save the configuration
file in pre-v12.2 format before the downgrade. If you attempt to load a v15 configuration file on the downgraded
chassis, StarOS will not be able to decrypt the passwords/secrets stored in the configuration file.
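The two checks this note describes, the header comparison that refuses a configuration generated under a different chassis key and the printable-text check that catches secrets decrypted with the wrong key, modelled as an added Python example. This is not StarOS code: the header layout `# chassis-key-id <id> version <n>`, the version tag 15, the `<name> password encrypted <hex>` line syntax and the SHA-256 counter-mode toy cipher are assumptions made for illustration. Only the SHA2-256 derivation of a 44-character chassis ID comes from the manual; because a 32-byte digest is exactly 44 characters in standard base64 but about 50 in base36, base64 is assumed for the encoding step.

```python
import base64
import hashlib

# Added example (not StarOS code). Models the two behaviours the manual
# describes: the configuration header carries a one-way identifier of the
# chassis key that is compared with the stored chassis ID before the file is
# loaded, and a secret encrypted under some other chassis key decrypts to
# non-printable bytes, which the printable-text check catches.
# Header layout, version tag and the toy cipher are assumptions.

CONFIG_VERSION = 15                   # assumed version tag carried in the header
HEADER_PREFIX = "# chassis-key-id "   # assumed header layout


def derive_chassis_id(chassis_key: str) -> str:
    """One-way chassis ID: SHA2-256 of the chassis key, then encoded.

    The manual names base36 and a 44-character result. A 32-byte digest is
    exactly 44 characters in standard base64 (base36 would need about 50),
    so base64 is assumed here.
    """
    digest = hashlib.sha256(chassis_key.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def _keystream(chassis_key: str, label: str, length: int) -> bytes:
    # Toy SHA-256 counter-mode keystream; stands in for the real cipher only.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hashlib.sha256(f"{chassis_key}|{label}|{counter}".encode()).digest())
        counter += 1
    return bytes(out[:length])


def encrypt_secret(chassis_key: str, label: str, plaintext: str) -> str:
    data = plaintext.encode("utf-8")
    stream = _keystream(chassis_key, label, len(data))
    return bytes(a ^ b for a, b in zip(data, stream)).hex()


def decrypt_secret(chassis_key: str, label: str, encrypted_hex: str) -> str:
    data = bytes.fromhex(encrypted_hex)
    stream = _keystream(chassis_key, label, len(data))
    plain = bytes(a ^ b for a, b in zip(data, stream))
    # A wrong chassis key yields bytes outside printable ASCII; reject them
    # rather than install a garbage password.
    if not all(32 <= b < 127 for b in plain):
        raise ValueError(f"secret {label!r} does not decrypt to printable text (chassis key mismatch?)")
    return plain.decode("ascii")


def render_config(chassis_key: str, secrets: dict) -> str:
    """Write a configuration file whose header binds it to chassis_key."""
    lines = [f"{HEADER_PREFIX}{derive_chassis_id(chassis_key)} version {CONFIG_VERSION}"]
    for label, plaintext in secrets.items():
        lines.append(f"{label} password encrypted {encrypt_secret(chassis_key, label, plaintext)}")
    return "\n".join(lines) + "\n"


def load_config(config_text: str, stored_chassis_key: str) -> dict:
    """Load a configuration as the box would: header check first, then decrypt.

    Only a header on the first line is honoured, which is why the manual lists
    moving the header line lower as one way out of a key mismatch; a file with
    no header is assumed to use the current chassis key.
    """
    lines = config_text.splitlines()
    if lines and lines[0].startswith(HEADER_PREFIX):
        fields = lines[0].split()   # ["#", "chassis-key-id", <id>, "version", <n>]
        if fields[2] != derive_chassis_id(stored_chassis_key):
            raise ValueError("chassis key identifier in configuration does not match the stored chassis key")
        if fields[4] != str(CONFIG_VERSION):
            raise ValueError(f"unsupported configuration version {fields[4]}")
        lines = lines[1:]
    secrets = {}
    for line in lines:
        parts = line.split()
        if len(parts) == 4 and parts[1:3] == ["password", "encrypted"]:
            secrets[parts[0]] = decrypt_secret(stored_chassis_key, parts[0], parts[3])
    return secrets


if __name__ == "__main__":
    # Constructed sample: one admin secret encrypted under chassis key A.
    cfg = render_config("chassis-key-A", {"admin": "s3cret!"})
    print(cfg)
    print("same key:", load_config(cfg, "chassis-key-A"))
    headerless = "\n".join(cfg.splitlines()[1:]) + "\n"
    for text, key in ((cfg, "chassis-key-B"), (headerless, "chassis-key-B")):
        try:
            print("other key:", load_config(text, key))
        except ValueError as exc:
            print("rejected:", exc)
```

With the header present, a key mismatch is caught before any secret is touched; with the header stripped, the file is accepted and the mismatch only surfaces when a secret fails the printable-text check, which is the recovery trap the note warns about.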
Chassis Synchronization

Both SMCs in the same chassis must contain the same chassis key. If they do not, a failover from one SMC
to another would result in the configuration containing encrypted passwords which cannot be decrypted.
Chassis synchronization occurs as follows:
• When a secondary SMC comes up, it copies the chassis key from the primary SMC.
• When a primary SMC changes its key, it also changes the key on the secondary SMC.
• Whenever a user requests that the two SMCs synchronize, the chassis key on the secondary SMC is
forced to match the chassis key on the primary SMC.
To make password configuration easier for administrators, the chassis key should be set during the initial
chassis set-up.

Protection of Passwords

Users with privilege levels of Inspector and Operator cannot display decrypted passwords in the configuration
file via the ASR 5x00 command line interface (CLI).
ASR 5000 System Administration Guide, StarOS Release 21.1
112
System Security
