12-04-2020 08:09 AM
I am familiar with the Process to Recover / Reset the Console password on my ASA5508x HA pair of firewalls.
They are running in an Active/Active Failover configuration. Can I perform the reset procedure on the standby, reload and come back online without interrupting my AnyConnect clients? If I can, is the new console password synced to both, or do I have to failover and then perform the process on the new standby?
Thank you,
Jeffegg
12-04-2020 09:20 AM
Are you running multiple contexts? That's the only way you can have Active-Active on ASAs. That would be unusual on a pair of 5508-X.
In the case of overall Active-Standby (or a given context in Active-Active), the password would be synced from Active to Standby. So you can't just make the change on the Standby unit as it would be overwritten once it resyncs to the Active unit.
I think you'd have to break the failover and fix the issue on both units.
03-24-2022 08:19 AM
Resetting a password on an HA pair is quite easy and doesn't need to even interrupt services.
1. Connect to the console on the secondary unit
2. Power it off and hit ESC when booting to enter ROMMON mode
3. rommon #1> confreg 0x41 (to set the configuration register to ignore the startup config)
4. rommon #1> boot (to boot the system up. It will have no config but the active unit will still be working)
5. type ENABLE (you will have to set a password and enable password.. just use something simple)
6. copy start run (which will copy the saved config into RAM and the standby unit will start to pair up with the active). WAIT until a "show fail" shows a healthy active unit and a standby ready on the unit you are consoled into .. do not exit enable mode.
7. Once the HA pair is healthy, just make the standby unit (the one you're on) the active "failover active"
8. Now you can reset the password because you're already in enable mode and put the config-register back
config t
no config-register
username admin password ?????? priv 15
wr mem
9. Now move the active unit back to the original one "failover exec standby failover active"
10. Test you can now get into the active unit with the password you set ????????
That should do it
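
Added example, not part of the original post: a Python check that gates step 7 ("failover active") on the "show fail" output from step 6, so the switch only happens once the peer is Active and the recovered unit is Standby Ready. The sample output is constructed and assumes a single-context Active/Standby pair; the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the usual layout of "show failover" output
# on a single-context Active/Standby pair; not captured from a real device.
SAMPLE_SYNCING = """\
Failover On
Failover unit Secondary
        This host: Secondary - Sync Config
                Active time: 0 (sec)
        Other host: Primary - Active
                Active time: 86400 (sec)
"""
SAMPLE_READY = SAMPLE_SYNCING.replace("Sync Config", "Standby Ready")

HOST_RE = re.compile(
    r"^[ \t]*(This|Other) host:[ \t]*(Primary|Secondary)[ \t]*-[ \t]*(.+?)[ \t]*$",
    re.MULTILINE,
)

def parse_failover(text):
    """Map 'this'/'other' to (role, state) from the two host lines."""
    return {which.lower(): (role, state)
            for which, role, state in HOST_RE.findall(text)}

def safe_to_switch(text):
    """Return (ok, reason); ok is True only for a healthy, fully synced pair."""
    if not re.search(r"^Failover On[ \t]*$", text, re.MULTILINE):
        return False, "failover is not enabled on this unit"
    hosts = parse_failover(text)
    if set(hosts) != {"this", "other"}:
        return False, "could not find both host lines"
    this_state, other_state = hosts["this"][1], hosts["other"][1]
    if other_state != "Active":
        return False, f"peer is '{other_state}', not Active"
    if this_state != "Standby Ready":
        return False, f"this unit is '{this_state}', still syncing or unhealthy"
    return True, "peer Active and this unit Standby Ready"

if __name__ == "__main__":
    for name, sample in (("syncing", SAMPLE_SYNCING), ("ready", SAMPLE_READY)):
        print(name, safe_to_switch(sample))
```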