01-21-2024 02:47 PM
Subject: Accidentally set Password Recovery Functionality to Disabled for Cisco ASA 5506-X Firewall After Following Guide with Conflicting Instructions
Good day from Singapore,
On 12 Jan 2024 Friday, my colleague Danial Robinson asked me to go to our customer office at Paya Lebar Square, Singapore to reset the password for Cisco ASA 5506-X firewall.
When I connected to the console of the Cisco ASA 5506-X firewall with PuTTY, I knew I was able to reset the password.
But alas! I had followed a guide with conflicting instructions.
The following is the guide with conflicting instructions.
Reference Guide: Password Recovery for the Cisco ASA 5500 Firewall (5505,5510,5520 etc)
Link: https://www.networkstraining.com/password-recovery-for-the-cisco-asa-5500-firewall/
When I came to Step 7 in the guide, it gave conflicting instructions.
Step 7 says: "Accept the default values for all settings (at the prompt enter Y)", which is apparently contradictory.
Step 7 asks you to accept the default values for all settings and yet it contradicts itself by asking you to enter Y at the prompt.
Due to my carelessness and lack of careful thought, I had accidentally entered Y when I was asked about setting password recovery to disabled. I had never thought my action would be permanent and irreversible.
This was a complete disaster. After the reboot, I could no longer reset the password for Cisco ASA 5506-X firewall. The change was permanent and irreversible.
Every time I tried to break into ROMMON mode, I was asked to permanently erase disk0, which is the flash.
<CODE>
Rom image verified correctly
Cisco Systems ROMMON, Version 1.1.14, RELEASE SOFTWARE
Copyright (c) 1994-2018 by Cisco Systems, Inc.
Compiled Tue 06/05/2018 22:45:19.61 by builder
Current image running: Boot ROM0
Last reset cause: PowerOn
DIMM Slot 0 : Present
Platform ASA5506 with 4096 Mbytes of main memory
MAC Address: 74:88:bb:c8:72:bf
INFO: PASSWORD RECOVERY functionality is disabled.
WARNING: Password recovery and ROMMON command line access has been
disabled by your security policy. Answering YES below will cause ALL
configurations, passwords, images in 'disk0:' to be erased.
ROMMON command line access will be re-enabled, and a new image must be
downloaded via ROMMON.
Permanently erase 'disk0:'? no
</CODE>
Dear Cisco TAC support,
Is there any way to recover the startup-config without forcing me to permanently erase the flash, which would erase everything?
The following console output shows that I could not enter ROMMON mode at all, after accidentally setting password recovery to disabled.
<CODE>
securevpn> reload
^
ERROR: % Invalid input detected at '^' marker.
securevpn>
Rom image verified correctly
Cisco Systems ROMMON, Version 1.1.14, RELEASE SOFTWARE
Copyright (c) 1994-2018 by Cisco Systems, Inc.
Compiled Tue 06/05/2018 22:45:19.61 by builder
Current image running: Boot ROM0
Last reset cause: PowerOn
DIMM Slot 0 : Present
Platform ASA5506 with 4096 Mbytes of main memory
MAC Address: 74:88:bb:c8:72:bf
INFO: PASSWORD RECOVERY functionality is disabled.
WARNING: Password recovery and ROMMON command line access has been
disabled by your security policy. Answering YES below will cause ALL
configurations, passwords, images in 'disk0:' to be erased.
ROMMON command line access will be re-enabled, and a new image must be
downloaded via ROMMON.
Permanently erase 'disk0:'? no
Located '.boot_string' @ cluster 997554.
#
Attempt autoboot: "boot disk0:/asa984-22-lfbff-k8.SPA"
Located 'asa984-22-lfbff-k8.SPA' @ cluster 969854.
###############################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################
LFBFF signature verified.
INIT: version 2.88 booting
Starting udev
Configuring network interfaces... done.
Populating dev cache
^[^[^[^[^[^[dosfsck 2.11, 12 Mar 2005, FAT32, LFN
There are differences between boot sector and its backup.
Differences: (offset:original/backup)
65:01/00
Not automatically fixing this.
Starting check/repair pass.
Starting verification pass.
/dev/sdb1: 138 files, 947320/1919830 clusters
dosfsck(/dev/sdb1) returned 0
Mounting /dev/sdb1
IO Memory Nodes: 1
IO Memory Per Node: 387973120 bytes
Global Reserve Memory Per Node: 314572800 bytes Nodes=1
LCMB: got 387973120 bytes on numa-id=0, phys=0x38800000, virt=0x2aaaaae00000
LCMB: HEAP-CACHE POOL got 312475648 bytes on numa-id=0, virt=0x2aaac2000000
LCMB: HEAP-CACHE POOL got 2097152 bytes on numa-id=0, virt=0x2aaad4a00000
Processor memory: 1638667399
M_MMAP_THRESHOLD 65536, M_MMAP_MAX 25004
M_MMAP_THRESHOLD 65536, M_MMAP_MAX 25004
POST started...
POST finished, result is 0 (hint: 1 means it failed)
Compiled on Fri 29-May-20 00:37 PDT by builders
Total NICs found: 14
i354 rev03 Gigabit Ethernet @ irq255 dev 20 index 08 MAC: 7488.bbc8.72bf
ivshmem rev03 Backplane Data Interface @ index 09 MAC: 0000.0001.0002
en_vtun rev00 Backplane Control Interface @ index 10 MAC: 0000.0001.0001
en_vtun rev00 Backplane Int-Mgmt Interface @ index 11 MAC: 0000.0001.0003
en_vtun rev00 Backplane Ext-Mgmt Interface @ index 12 MAC: 0000.0000.0000
en_vtun rev00 Backplane Tap Interface @ index 13 MAC: 0000.0100.0001
WARNING: Attribute already exists in the dictionary.
WARNING: Attribute already exists in the dictionary.
Verify the activation-key, it might take a while...
Running Permanent Activation Key:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 5 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
^[^[Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Cisco Adaptive Security Appliance Software Version 9.8(4)22
****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.
A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by
sending email to export@cisco.com.
******************************* Warning *******************************
Cisco Adaptive Security Appliance Software, version 9.8
Copyright (c) 1996-2019 by Cisco Systems, Inc.
For licenses and notices for open source software used in this product, please visit
http://www.cisco.com/go/asa-opensource
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Reading from flash...
!!!!!...........
Cryptochecksum (unchanged): a44c49c9 4217b655 7de33b81 70c47440
INFO: Power-On Self-Test in process.
.......................................................................
INFO: Power-On Self-Test complete.
INFO: Starting HW-DRBG health test...
INFO: HW-DRBG health test passed.
INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
User enable_1 logged in to securevpn
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
securevpn>
</CODE>
The following is the "show version" console output.
<CODE>
securevpn> show version
Cisco Adaptive Security Appliance Software Version 9.8(4)22
Firepower Extensible Operating System Version 2.2(2.124)
Device Manager Version 7.8(2)151
Compiled on Fri 29-May-20 00:37 PDT by builders
System image file is "disk0:/asa984-22-lfbff-k8.SPA"
Config file at boot was "startup-config"
securevpn up 126 days 8 hours
Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Number of accelerators: 1
1: Ext: GigabitEthernet1/1 : address is 7488.bbc8.72c0, irq 255
2: Ext: GigabitEthernet1/2 : address is 7488.bbc8.72c1, irq 255
3: Ext: GigabitEthernet1/3 : address is 7488.bbc8.72c2, irq 255
4: Ext: GigabitEthernet1/4 : address is 7488.bbc8.72c3, irq 255
5: Ext: GigabitEthernet1/5 : address is 7488.bbc8.72c4, irq 255
6: Ext: GigabitEthernet1/6 : address is 7488.bbc8.72c5, irq 255
7: Ext: GigabitEthernet1/7 : address is 7488.bbc8.72c6, irq 255
8: Ext: GigabitEthernet1/8 : address is 7488.bbc8.72c7, irq 255
9: Int: Internal-Data1/1 : address is 7488.bbc8.72bf, irq 255
10: Int: Internal-Data1/2 : address is 0000.0001.0002, irq 0
11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
12: Int: Internal-Data1/3 : address is 0000.0001.0003, irq 0
13: Ext: Management1/1 : address is 7488.bbc8.72bf, irq 0
14: Int: Internal-Data1/4 : address is 0000.0100.0001, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 5 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
Serial Number:
Running Permanent Activation Key:
Configuration register is 0x1
Image type : Release
Key Version : A
Configuration has not been modified since last system restart.
</CODE>
*************************************************************
Technical specifications of Cisco ASA 5506-X firewall
*************************************************************
Processor: CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Memory: 4 GB RAM
Storage: 8 GB Internal ATA Compact Flash
*************************************************************
The following is the "show flash" console output.
<CODE>
securevpn> show flash
--#-- --length-- -----date/time------ path
122 108563072 Jan 25 2019 22:53:16 asa982-lfbff-k8.SPA
123 26970456 Jan 25 2019 22:53:46 asdm-782.bin
124 93 Jun 17 2020 18:50:42 .boot_string
11 4096 Jan 25 2019 22:56:56 log
144 1375 Mar 09 2020 12:54:10 log/asa-appagent.log
19 4096 Jan 25 2019 22:57:48 crypto_archive
20 4096 Jan 25 2019 22:57:50 coredumpinfo
21 59 Jan 25 2019 22:57:50 coredumpinfo/coredump.cfg
125 26916144 Mar 09 2020 16:39:48 asdm-781-150.bin
126 28672 Jan 01 1980 08:00:00 FSCK0000.REC
127 45961535 Mar 05 2020 20:34:28 anyconnect-win-4.7.01076-webdeploy-k9.pkg
128 53129667 Mar 05 2020 20:34:48 anyconnect-macos-4.7.01076-webdeploy-k9.pkg
129 12511 Mar 05 2020 23:07:36 oldconfig_2020Mar05_1451.cfg
130 34033084 Mar 05 2020 23:09:02 asdm-7131.bin
131 111281312 Mar 05 2020 23:29:58 asa984-8-lfbff-k8.SPA
132 12851 Mar 05 2020 23:30:06 oldconfig_2020Mar05_1513.cfg
133 26975568 Mar 05 2020 23:35:10 asdm-782-151_2.bin
134 111290512 Jun 17 2020 14:46:10 asa984-10-lfbff-k8.SPA
135 23506 Jun 17 2020 14:46:22 oldconfig_2020Jun17_0631.cfg
136 23509 Jun 17 2020 15:07:42 backup_170620.cfg
137 111383904 Jun 17 2020 18:25:30 asa984-22-lfbff-k8.SPA
138 23674 Jun 17 2020 18:25:38 oldconfig_2020Jun17_1010.cfg
139 4096 Jan 01 1980 08:00:00 FSCK0001.REC
7863623680 bytes total (3983400960 bytes free)
</CODE>
It looks like the Cisco ASA 5506-X firewall operating system is also based on Linux and open source software.
Regards,
Mr. Turritopsis Dohrnii Teo En Ming
Targeted Individual in Singapore
01-25-2024 03:26 PM
Unfortunately there is no way to enter ROMMON to reset the password once password-recovery is set. The only way to remove it is to enable password recovery in the CLI, meaning you need to have the username / password and enable password to login and change it. Other than that you would need to erase the Flash file system, load a new image, and then restore a backup.
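The answer above ends with "restore a backup", and the "show flash" listing in the original post already contains several saved configurations (the oldconfig_*.cfg and backup_170620.cfg files). The following Python script is an added example, not code from this thread or from Cisco: it parses a "show flash" listing in the format quoted in the post, lists the .cfg files newest first, and checks that the boot image named in "show version" is actually present, so that an operator knows which backup to restore before choosing to erase disk0:. The sample listing is a constructed subset of the post's own output.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: a subset of the "show flash" listing quoted in the post.
SAMPLE_SHOW_FLASH = """\
securevpn> show flash
--#-- --length-- -----date/time------ path
122 108563072 Jan 25 2019 22:53:16 asa982-lfbff-k8.SPA
124 93 Jun 17 2020 18:50:42 .boot_string
11 4096 Jan 25 2019 22:56:56 log
129 12511 Mar 05 2020 23:07:36 oldconfig_2020Mar05_1451.cfg
132 12851 Mar 05 2020 23:30:06 oldconfig_2020Mar05_1513.cfg
135 23506 Jun 17 2020 14:46:22 oldconfig_2020Jun17_0631.cfg
136 23509 Jun 17 2020 15:07:42 backup_170620.cfg
137 111383904 Jun 17 2020 18:25:30 asa984-22-lfbff-k8.SPA
138 23674 Jun 17 2020 18:25:38 oldconfig_2020Jun17_1010.cfg
7863623680 bytes total (3983400960 bytes free)
"""

# One listing row: index, length in bytes, "Mon DD YYYY HH:MM:SS", path.
# The prompt, the header row and the "bytes total" row do not match.
ENTRY_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<length>\d+)\s+"
    r"(?P<stamp>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<path>\S+)\s*$"
)


def parse_show_flash(text: str) -> List[Dict]:
    """Return one dict per file/directory row of a 'show flash' listing."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entries.append({
            "index": int(m["index"]),
            "length": int(m["length"]),
            "modified": datetime.strptime(m["stamp"], "%b %d %Y %H:%M:%S"),
            "path": m["path"],
        })
    return entries


def find_config_backups(entries: List[Dict]) -> List[Dict]:
    """All .cfg files on flash, newest modification time first."""
    cfgs = [e for e in entries if e["path"].lower().endswith(".cfg")]
    return sorted(cfgs, key=lambda e: e["modified"], reverse=True)


def image_present(entries: List[Dict], system_image: str) -> bool:
    """True if the 'System image file' from 'show version' exists on flash.

    Accepts the 'disk0:/name' form and compares only the file name.
    """
    name = system_image.split("/")[-1].split(":")[-1]
    return any(e["path"] == name for e in entries)


def newest_backup(entries: List[Dict]) -> Optional[str]:
    """Path of the most recent .cfg backup, or None when flash holds none."""
    backups = find_config_backups(entries)
    return backups[0]["path"] if backups else None


if __name__ == "__main__":
    flash = parse_show_flash(SAMPLE_SHOW_FLASH)
    print("Configuration backups on flash, newest first:")
    for cfg in find_config_backups(flash):
        print(f"  {cfg['modified']:%Y-%m-%d %H:%M:%S}  {cfg['length']:>7} B  {cfg['path']}")
    # Image name taken from the "show version" output in the post.
    img = "disk0:/asa984-22-lfbff-k8.SPA"
    print(f"Boot image {img} present: {image_present(flash, img)}")
```

Run it against a pasted "show flash" capture to get the candidate restore files sorted by age; the newest backup is the one to keep a copy of off-box before any erase.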
01-26-2024 09:16 PM
Oh sigh....
Mr. Turritopsis Dohrnii Teo En Ming
01-25-2024 04:10 PM
Normally you can change the password when you disable password recovery, but that depends on the platform and version.
Share the version and exact model and let me check.
MHM
01-26-2024 01:28 AM
No, you cannot change the password when password recovery is disabled. It is the whole purpose of disabling password recovery. The only way around it is to enable password recovery again (but you would need to log into the device for this), or erase the flash file system and boot from a new image.