09-28-2022 04:47 AM
Dear guys, we have two devices that are in an HA environment. The problem is that the secondary FP can connect using AD credentials, but when you run the command, you get an "error retrieving user privileges" and your admin credentials are gone. Both AD and admin have also been gone from the primary unit. So we decided to proceed with password recovery using the document below.
switch(boot)# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(boot)(config)# admin-password erase
Your password and configuration will be erased! Do you want to continue? (y/n) [n] y
Is it completely accurate that it will reset all configurations to factory defaults, including policies?
Cisco FPR-4100 Appliances
09-28-2022 05:40 AM
Correct, it will wipe the config on your box, as per the document mentioned and the configuration shown.
09-28-2022 06:05 PM
Thank you for your response @Sheraz.Salim
How can I recover the policies onto the secondary, because we don't have a backup? Since the primary worked properly and we only can't log in to the device, will it sync and obtain the current policies after HA is restored?
09-29-2022 01:11 AM - edited 09-29-2022 01:29 AM
@ezzhar891202 Are you managing these FTDs from FMC? As this appliance is the secondary, once you re-image/reset/factory-reset it and you make the HA pair, the configuration will sync from the primary FTD (this includes all the policies and configuration) to the secondary appliance and make the HA pair.
This procedure as mentioned above returns your Firepower 4100/9300 chassis system to its default configuration settings, including the admin password. Use this procedure to reset the configurations on your device when the admin password is not known. This procedure erases any installed logical devices as well.
Also bear in mind, if you are going that route, that this procedure requires console access to the Firepower 4100/9300 chassis.
09-30-2022 01:36 AM
@Sheraz.Salim CSM was used to manage both boxes. According to the Cisco documentation, we can update the password from CSM.
If we truly need to do password recovery, can we just do it or do we need to disconnect the HA first and then do the procedure? Will restoring the HA then sync the policies? Any policies deployed on CSM for user authorization and password recovery will not solve the login problem, correct?
09-30-2022 01:53 AM
@ezzhar891202 The Cisco documentation is very clear for the FTD 4100: if you are going to do password recovery, you require console access to the Firepower 4100/9300 chassis. Remember, this procedure erases any installed logical devices as well.
The best approach would be to disconnect your secondary standby firewall (break HA) and follow the password recovery document. Once the box is factory reset and comes up clean, when you form the HA pair the policies from the primary FTD will push to the secondary standby firewall. Just make sure your password-recovered FTD is configured as secondary standby.
Also have a look at this document; you will find it very useful.