Showing results for 
Search instead for 
Did you mean: 

CRS password recovery and AAA lock out recovery



This document will give you some ways to recover your CRS running IOS-XR if you are locked out due to a forgotten password or AAA configuration change.

Core Issue

First is if you have forgotten your username/password you can do the following steps which is documented fairly well already:

Password Recovery

The other issue is if you have mistakenly locked yourself out after doing some AAA commands.  Usually after configuring authorization without a   fallback method.  To see how to make sure you have fallback methods and configure them refer to the AAA configuration guides.

AAA configuration guide


There are a couple of ways to do this. 

If you have access to the aux port then you can do the following:

Gain access on the AUX port which should drop you into the Korn Shell (ksh).  If challenged with a username/password this would be a local username/password.  Not tacacs/radius. 

     Note:  This can by bypassed with the following:

Bypassing Ksh Authentication


rommon2> sync

rommon2> boot tftp:/ ... 

Once in the ksh you can try to do the following command to do a configuration rollback for the last change:

config_rollback -n 0x1

     Note: You can change the last number if you needed to rollback more than 1 change.

If you don't have access to the AUX port for some reason but do have a configuration backed up or are willing to reconfigure the router you can do the following from the console.  This will tell the router to boot up with a  blank configuration. 

Reload the router and keep both RPs down in ROMMON by sending a break signal during boot process. 

Then boot the active RP with the following type of command:

boot <image> -a bogus-config-file-path

For example, on my CRS running 4.0.3 the command would look like this:

boot bootflash:/disk0/hfr-os-mbi-4.0.3/mbihfr-rp.vm -a blah

The router will then boot loading the right version but will come up with a blank config. 

You can then reconfigure or cut/paste the configuration. 

In case it's needed you can do the same for the Admin configuration with the following switch:

boot <image> -o bogus-config-file-path

Related Information

Password Recovery

AAA configuration guide

ASR9k Password Recovery

Cisco Employee

very nice! thanks for doing this.

Content for Community-Ad