Solved: Password Recovery for ASA on FXOS

zekebashi · ‎11-08-2019

Hello,

I have an ASA running on a FirePower2110 . I applied a config of another decommissioned ASA and, now, I can't log in. This is an old password that no one seems to remember. I've searched online for any information or Cisco documentation on how to recover the ASA's password where the ASA is running on a FirePower but couldn't find any information. When I reboot the device and perform the Ctrl+Esc combo keys to get to the ROMMON, I can reset the password for the FirePower but no the ASA. Does anyone know how to reset the password for the ASA and not the FirePower FXOS?

Thanks in advance.

Thanks in advance, ~zK

Marvin Rhoads · ‎11-19-2019

Yes - you would re-image.

Use the original ASA configuration file and manually edit prior to loading it to change to enable password to a known value. Everything else will be the same.

View solution in original post

Marvin Rhoads · ‎11-10-2019

I don't have a lab one to test on right now, but have you tried this:

Connect to the serial console port on the 2100 chassis.

Then connect to the logical device console from there ("connect asa").

Issue reload command and break in during that reload sequence.

If that fails you can reinstall the ASA configuration but first enter a new password in the config before you upload.

zekebashi · ‎11-12-2019

Then connect to the logical device console from there ("connect asa"). ----> the issue is that we don't have the "enable" password to get to the privlege exec mode.

If that fails you can reinstall the ASA configuration but first enter a new password in the config before you upload.---> This is our dilemma, we can get past the cisco> since we don't have the "enable" password.

Any other ideas?

Best, ~zK

Marvin Rhoads · ‎11-13-2019

So you loaded the imported configuration in as a text file - correct?

If so, you should just be able to first edit the text file to change or remove the enable password. Then load it in anew and use the newly configured enable password or create one.

zekebashi · ‎11-18-2019

Sorry, I have a mistype in my previous post. I meant to say that "

.---> This is our dilemma, we can NOT get past the cisco> since we don't have the "enable" password.

There is no way to get to the ASA's ROMMON. Once I am on the FXOS' cli and type connect asa, I get to the ASA's cli > command line (asa_01>). Since we don't have the "enable" password, we can not go beyond this level. According to Cisco's TAC, I will need to reimage the ASA on the FXOS.

Thanks for your input!

Marvin Rhoads · ‎11-19-2019

Yes - you would re-image.

Use the original ASA configuration file and manually edit prior to loading it to change to enable password to a known value. Everything else will be the same.

zekebashi · ‎11-20-2019

Thanks for the input, Marvin!

Much appreciated.

Best, ~zK

zafsyed083 · ‎06-26-2020

Hello Marvin,

I got the same same problem. I cut and past configuration from an old ASA to newly installed Cisco 2130 Firwpower. I intentationally Omit the all user name and passwords (since the password was Encrypted), but some how I mised TACAS password and paste with other configurations. Yesterday when I try to login it asking me user name and password at (ASA) mode.

I save all configuration I (Paseed) offcourse different Interface but I do have config. It's 65page long config. I don't want to go for factory default, if I can break the user name and Password. If there is no option than what is the process to have it on Factory Default.

Thanks in advanced.

Zafar Syed

Marvin Rhoads · ‎06-27-2020

Go back to the text file you used for configuration and correct the oversight you made the first time.

Then delete and rebuild the ASA logical device using the corrected configuration file.