VMware Cloud Community
pcorrea117
Contributor

Potential bug in vShield zones? (can't change privileged mode password)

I have two different vShield installations where I'm trying to change the privileged mode password on the service VM that runs on each ESX or ESXi host. However, whenever I try to change it, I get the following errors and the password is not changed. Also, the syntax given in the documentation is totally incorrect. I thought it was a problem with just my specific installation for some weird reason, but I'm finding this is true at all places where I've installed vShield Zones or vShield App 4.1.

See below:

Note that in this example, I try changing the "enable" password to test with the commands:

vShield_FW_xxxxxxxxxxxxxxx# config terminal

vShield_FW_xxxxxxxxxxxxxxx(config)# enable password plaintext test <-- this is what the documentation says is the correct syntax

% Unknown command.

vShield_FW_xxxxxxxxxxxxxxx(config)# enable password test

Could not open CLI password file

Password changed

vShield_FW_xxxxxxxxxxxxxxx(config) # exit

vShield_FW_xxxxxxxxxxxxxxx# exit

vShield_FW_xxxxxxxxxxxxxxx login: admin

Password:

vShield_FW_xxxxxxxxxxxxxxx> enable

Password: <--- I try "test" here

Authentication failed!

vShield_FW_xxxxxxxxxxxxxxx> enable

Password: <- I try "default" here <- default password for new installs

vShield_FW_xxxxxxxxxxxxxxx#

Anybody have any ideas?

0 Kudos
11 Replies
pcorrea117
Contributor

Note that this problem is happening just on the service machines. On the vShield Manager console I can change the "enable" password, but note that the syntax is the same (you don't need "plaintext"). However, I don't know why this is not working on the service VMs on each ESX/ESXi host.

manager# config terminal

manager(config)# enable password plaintext test <-- this is what the documentation says is the correct syntax

% Unknown command.

manager(config)# enable password test

Password changed

manager(config)# write memory

manager(config)# exit

0 Kudos
ddurand
VMware Employee

This is strange, I just tried this in my firewall app and was able to change the password. On the firewall VM here's what I did:

switched to enable mode

conf terminal

enable password test

write memory

exit (twice)

Logged back in and when I switched to enable mode it accepted my new password.

Let me know if you're doing something different.

0 Kudos
pcorrea117
Contributor

> This is strange, I just tried this in my firewall app and was able to change the password.
>
> Logged back in and when I switched to enable mode it accepted my new password.
>
> Let me know if you're doing something different.

I'm doing the exact same thing as you are. Are you running 4.1?

0 Kudos
ddurand
VMware Employee

Yes, 4.1. I'm guessing it's because of this error that you get, "Could not open CLI password file"; I don't think the password is getting updated.

0 Kudos
pcorrea117
Contributor

> Yes, 4.1. I'm guessing it's because of this error that you get, "Could not open CLI password file"; I don't think the password is getting updated.

Yes... now the question is why am I getting the "Could not open CLI password file" error, and why is this showing up at two totally different places where I've installed vShield that have totally different ESX servers, networks, IP addressing schemes, etc.?

0 Kudos
pcorrea117
Contributor

Just a thought. What build of vShield Zones or vShield App do you have?

I am running 2.0.0-285928. Perhaps you are running an older or newer build that does not exhibit this issue?

0 Kudos
ddurand
VMware Employee

Yes, I'm using vShield App 2.0.0-285928, vShield Manager 4.1-287872.

0 Kudos
JoshHogle
Contributor

I am having the same issue on my vShield Manager. If anyone figures out what's going on, I'd like to know as well. Or is there a way anyone knows to get to a Bourne shell prompt?

0 Kudos
pcorrea117
Contributor

Seems that on three different installations of vShield Manager and vShield Zones in completely different environments, I'm having the same problem. The really weird thing is that sometimes if I return to a FW instance running on a specific ESX/ESXi host days later, it will suddenly allow me to change the privileged mode password, but this behavior is erratic and doesn't always work.

I put in a few support tickets to VMware about this issue, but still haven't received any sort of remedy one week later.

0 Kudos
kgb77
Contributor

Were you ever able to find out why this was happening? I have the same issue on 1 of 3 service VMs. I have no problems whatsoever on the first 2, but when I try to change the enable password on the third I get:

Could not open CLI password file

Password changed

But, as in your case, the password is not updated.

Regards,

Kyle

0 Kudos
kgb77
Contributor

In case anyone else runs into this:

I opened a case with VMware support and they told me it is a known bug in 2.0.0-307200 and will be fixed in the next release.

If you change the enable password prior to deleting and recreating the admin account (in order to change the password) everything will work correctly.

I had success with the following order:

Install vShield on the host.

Login with the admin account and immediately change the enable password.

Delete the admin account and recreate with the new password.

Save the config.

Apparently when you recreate the admin account it is not added with the correct permissions to write to the CLI password file. Since my host wasn't in production I simply uninstalled vShield and reinstalled to get a new service VM.

Kyle

0 Kudos
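
Added example, not code from any poster in this thread or from VMware: the sessions above show the CLI printing "Password changed" even when the write failed, so a saved console transcript has to be checked for the preceding "Could not open CLI password file" line rather than for the success message. The sample transcript is constructed from the output quoted in the thread, and the host name `vShield_FW_host1` and the status labels are assumptions.

```python
import re

# Constructed transcript modelled on the sessions quoted in this thread.
SAMPLE = """\
vShield_FW_host1# config terminal
vShield_FW_host1(config)# enable password test
Could not open CLI password file
Password changed
vShield_FW_host1(config)# exit
manager# config terminal
manager(config)# enable password test
Password changed
manager(config)# write memory
manager(config)# exit
"""

# Prompt lines look like "host#", "host>" or "host(config)#" followed by a command.
PROMPT = re.compile(r"^(?P<host>[\w.-]+)(?:\(config\))?\s?[#>]\s*(?P<cmd>.*)$")
WRITE_FAILED = "Could not open CLI password file"

def classify(attempt):
    out = attempt["output"]
    if any(o.startswith("% Unknown command") for o in out):
        return "rejected"            # syntax not accepted, nothing was attempted
    if WRITE_FAILED in out:
        return "not-applied"         # "Password changed" after this line is misleading
    if "Password changed" not in out:
        return "unknown"
    return "changed" if attempt["saved"] else "changed-unsaved"

def audit(transcript):
    """Return (host, status) for every 'enable password' attempt, in order."""
    attempts, current = [], None
    for raw in transcript.splitlines():
        line = raw.strip()
        m = PROMPT.match(line)
        if m:
            host, cmd = m.group("host"), m.group("cmd").strip()
            current = None
            if cmd.startswith("enable password"):
                # The password argument is deliberately not stored.
                current = {"host": host, "output": [], "saved": False}
                attempts.append(current)
            elif cmd == "write memory":
                for a in attempts:
                    if a["host"] == host:
                        a["saved"] = True
        elif current is not None and line:
            current["output"].append(line)
    return [(a["host"], classify(a)) for a in attempts]
```

Any host reported as `not-applied` still accepts its previous enable password, which on a fresh install is the default one mentioned in the first post.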