About the Author


Joe Harris, CCIE No. 6200 (R&S, Security & SP) is a Systems Engineer with Cisco Systems® specializing in Security. In addition to authoring Cisco Network Security Little Black Book, Joe has also been a technical reviewer for several Cisco Press publications and written articles, white papers, and presentations on various security technologies. He also assists various Certification Partners by beta testing their newest CCIE certification workbooks and has been recognized by Cisco as a 2-Time SE Wall of Fame award winner.


IOS Configuration Lock

So I've been sitting in meetings for the last couple of weeks (which is the reason for the lack of posts lately) :-( reading over the new features in each of the IOS 'T' train releases (so you may guess that I'm not a huge meeting fan), and I came across the Configuration Lock feature in 12.3(14)T. It gives you exclusive change access to the Cisco IOS running configuration, preventing multiple users from making concurrent configuration changes. This feature is handy for environments where multiple users manage the network and the left hand is not aware of what the right hand is doing :-) ...

So let's first examine how we enable configuration lock and view its status. Not much is needed to enable the feature; in fact, the only command you need is configuration mode exclusive {auto | manual} from global configuration mode. The auto keyword automatically locks the configuration session whenever the configure terminal command is used, and this is the default option. The manual keyword, by contrast, lets you choose whether to lock the configuration session manually or simply leave it unlocked. In the configuration example below I first enable manual configuration lock mode.

R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#configuration mode exclusive manual
R1(config)#end
R1#

Once I enable configuration lock mode, I can view its status using the show configuration lock command. This is shown below:

R1#sh config lock
Parser Configure Lock
---------------------
Owner PID             : -1
User                  : 6200networks
TTY                   : -1
Type                  : NO LOCK
State                 : FREE
Class                 : unknown
Count                 : 0
Pending Requests      : 0
User debug info       :
Session idle state    : TRUE
No of exec cmds getting executed   : 0
No of exec cmds blocked   : 0
Config wait for show completion   : FALSE
Remote ip address    : Unknown
Lock active time (in Sec)   : 0
Lock Expiration timer (in Sec)   :0
R1#

Notice that the State displays FREE and the Type displays NO LOCK, because no user has initiated the feature yet. Next I will initiate the configuration lock and run the same command again, this time expecting different results.

R1#config terminal ?
lock     Lock configuration mode
revert   Parameters for reverting the configuration


R1#config terminal lock
Configuration mode locked exclusively. The lock will be cleared once you exit out of configuration mode using end/exit.

Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#
*Sep 9 17:22:31.531: %PARSER-6-EXPOSEDLOCKACQUIRED: Exclusive configuration lock acquired by user '6200networks' from terminal '0' -Process= "Exec", ipl= 0, pid= 184
R1(config)#

Notice that after I enable configuration lock and move into configuration lock mode, the parser tells me that an exclusive lock has been acquired for my configuration session. Once I'm in configuration lock mode I will view the status of the lock session:

R1(config)#do sh config lock
Parser Configure Lock
---------------------
Owner PID             : 184
User                  : 6200networks
TTY                   : 0
Type                  : EXCLUSIVE
State                 : LOCKED
Class                 : EXPOSED
Count                 : 1
Pending Requests      : 0
User debug info       : configure terminal lock
Session idle state    : TRUE
No of exec cmds getting executed   : 0
No of exec cmds blocked   : 0
Config wait for show completion   : FALSE
Remote ip address   : Unknown
Lock active time (in Sec)   : 47
Lock Expiration timer (in Sec)   : 599
R1(config)#

Upon moving into configuration mode, the parser displays that the session is exclusively locked, and this time the lock status shows an exclusive lock on the terminal session. Now let's examine what happens when I telnet into R1 from R2 and attempt to move into configuration mode while I have the configuration session locked on R1.

R2#telnet 192.168.10.1
Trying 192.168.10.1 ... Open
...
User Access Verification
...
Password:
R1>en
Password:
R1#config t
Configuration mode locked exclusively by user '6200network' process '184' from terminal '0'. Please try later. Rollback confirmed change timer is canceled due to configuration lock error.
R1#

Obviously the router performed as expected and denied my request to move into configuration mode because of the locked session via the console on R1. Upon exiting the configuration session on R1, the parser displays the following message informing you that the session lock has been released.


*Sep 9 17:33:19.647: %PARSER-6-EXPOSEDLOCKRELEASED: Exclusive configuration lock released from terminal '0' -Process= "Exec", ipl= 0, pid= 184
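
The two PARSER syslog messages above are enough to audit who held the configuration lock and for how long. The Python below is an added example, not part of the original post: the function name audit_locks, the year argument (these timestamps carry no year) and the review_after threshold are assumptions, and the third sample line is constructed.

```python
import re
from datetime import datetime

# Matches the two PARSER messages shown in this post. The RELEASED message
# carries no user field, so that group is optional.
LOCK_RE = re.compile(
    r"\*(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): "
    r"%PARSER-6-EXPOSEDLOCK(?P<event>ACQUIRED|RELEASED): .*?"
    r"(?:by user '(?P<user>[^']*)' )?from terminal '(?P<tty>[^']*)'"
    r".*?pid= (?P<pid>\d+)")

# The first two lines are the messages from this post; the third is constructed
# to show a lock that is taken and never released within the log window.
SAMPLE = """\
*Sep 9 17:22:31.531: %PARSER-6-EXPOSEDLOCKACQUIRED: Exclusive configuration lock acquired by user '6200networks' from terminal '0' -Process= "Exec", ipl= 0, pid= 184
*Sep 9 17:33:19.647: %PARSER-6-EXPOSEDLOCKRELEASED: Exclusive configuration lock released from terminal '0' -Process= "Exec", ipl= 0, pid= 184
*Sep 9 17:40:02.118: %PARSER-6-EXPOSEDLOCKACQUIRED: Exclusive configuration lock acquired by user 'netops2' from terminal '2' -Process= "Exec", ipl= 0, pid= 201
"""

def audit_locks(lines, year=2000, review_after=600):
    """Pair ACQUIRED/RELEASED events by (terminal, pid).

    year is supplied by the caller because the timestamps have none;
    review_after (seconds) is a hypothetical threshold for flagging long locks.
    Returns (completed sessions, locks still held at the end of the input).
    """
    held, sessions = {}, []
    for line in lines:
        m = LOCK_RE.search(line)
        if not m:
            continue  # not a configuration lock message
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        key = (m["tty"], m["pid"])
        if m["event"] == "ACQUIRED":
            held[key] = (m["user"], when)
        elif key in held:  # RELEASED that matches an earlier ACQUIRED
            user, start = held.pop(key)
            secs = (when - start).total_seconds()
            sessions.append({"user": user, "tty": key[0], "pid": key[1],
                             "seconds": secs, "review": secs > review_after})
    still_held = [{"user": u, "tty": k[0], "pid": k[1], "since": s}
                  for k, (u, s) in held.items()]
    return sessions, still_held

if __name__ == "__main__":
    done, open_locks = audit_locks(SAMPLE.splitlines())
    print("completed:", done)
    print("still held:", open_locks)
```
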

There Are 5 Responses So Far.

  1.

    Hi Joe. That’s very interesting - thanks for the write up.

    Just wondered if you knew what the message “Rollback confirmed change timer is canceled due to configuration lock error” refers to? (Seen you tried to get into config mode and there was a lock).

  2.

    Yep, it has to do with archiving of the configs & its rollback parameters:

    CCIE6200-1841(config-archive)#?
    Archive configuration commands:
    rollback Rollback parameters

  3.

    Hi Joe, I was looking for a solution to my problem and I came up with this site. I’m not sure if this is the right forum to ask this, I apologize if it’s not. I am trying to install Cisco VPN from my Windows Vista computer (to connect from home to my work) and during the installation process, I get the following error message:
    “Error 27855. Another application is holding the Network Configuration Lock. Close all applications and run Setup again. If this message re-appears after closing all applications, reboot then re-try the install (the application holding the install lock may be hung)”. I have closed all applications, closed the internet, disconnected my firewall and antivirus, even uninstalled Vista SP1 because I read something about incompatibilities, but nothing works. I also asked the computer managers at my work and they told me they never saw this problem before. Any idea what the problem is and how I could solve it? How can I see which program is holding the network configuration lock, how do I access this network configuration lock? I have very little idea of computers, so I hope it’s not too complicated. Million thanks to anyone who can give a hand…

  4.

    Ana, please uninstall the ‘Deterministic Network Enhancer’ first from the network properties then install the VPN client again and it should work.

  5.

    Ana, did you get this to work?
