on 03-30-2011 06:36 AM - edited on 05-06-2019 06:22 PM by Kelli Glass
This document shows you how to reset a lost password, or how to get back in when you have locked yourself out because of a problematic AAA configuration.
Because IOS-XR manages its configuration very differently from IOS, the classic IOS trick of setting config-register 0x2142 to skip the startup config does not work on IOS-XR.
You can lock yourself out by configuring AAA login authentication against TACACS+ with no local fallback: if the TACACS+ server is unreachable, there is no way for you to get in.
e.g.:
aaa authentication login default group tacacs+
(The way to avoid this lock-out in the first place is to keep "local" as the last method in the list, so that a local root-lr user still works when the server is down.)
This procedure is also useful when you have forgotten the password of the super user you use to manage your IOS-XR box.
The following step-by-step guide can be tried; the details of each step are explained further below.
There are 2 steps to this process:
1) Override the BASE running configuration
   Needed when you have configured a problematic AAA statement such as the sample above.
2) Override the admin configuration that stores the local usernames and passwords
   Needed when you don't remember any of the usernames/passwords you have defined locally.
In ROMMON, set the following variable:
rommon> IOX_CONFIG_FILE=/harddisk:/no-config
The file no-config is just a non-existent file; you can give any name here really, as long as no file by that name exists.
Note: This ROMMON variable will persist and needs to be removed after password recovery. Check the 'clean up' section.
Then issue 'sync', which makes the change persistent in the ROMMON config vars:
rommon> sync
Issue 'i' or 'reset'. When the RSP boots up it should come up with an empty base configuration, since there is no config file called no-config on /harddisk:.
rommon> reset
or
rommon> i
The admin configuration is where all the local usernames and passwords are stored.
You can do the same thing for the admin config:
rommon> IOX_ADMIN_CONFIG_FILE=/disk0:/none
You should then get prompted for the root user/password and will have a blank config on the box.
You need to load your config and make your modifications.
Note: This ROMMON variable will persist and needs to be removed after password recovery. Check the 'clean up' section.
The sync and reset steps are the same as for the base XR config file.
Another way of recovering the password is to set the following, again in ROMMON:
rommon> AUX_AUTHEN_LEVEL=0
This allows the AUX port to drop to a ksh shell when the RSP boots up, with no login prompt.
If you sync this variable it persists like the others, so unset it once you are done; otherwise anyone who can reach the AUX port gets a shell without logging in.
At the # prompt you can either type:
/pkg/bin/exec -a
which gives you a router EXEC prompt, or simply:
# config
which drops you straight into config mode, as the session below shows.
# uname -a
QNX node0_RSP0_CPU0 6.4.0 2009/12/10-13:43:22PST asr9k ppcbe
# config
RP/0/RSP0/CPU0:RO-A(config)#exit
#
# /pkg/bin/exec -a
RP/0/RSP0/CPU0:RO-A#
RP/0/RSP0/CPU0:RO-A#
RP/0/RSP0/CPU0:RO-A#exit
#
Make sure that after you're done with your changes, in case you made the ROMMON vars persistent with 'sync', you unset the variables so that the normal config files are used again:
rommon> unset IOX_ADMIN_CONFIG_FILE
rommon> unset IOX_CONFIG_FILE
rommon> sync
All set!
If you forget the clean-up, you might see lines like this in the log:
RP/0/RSP1/CPU0:Oct 28 07:18:37.141 : locald_DSC[301]: %SECURITY-LOCALD-3-LWA_ADD_FAIL : Failed to add the username admin to lightweight authentication password database: No such file or directory
Another way to clear the variable:
more nvram:/classic-rommon-var location 0/RSP1/CPU0
run iox_on 0/RSP1/CPU0 nvram_rommonvar IOX_CONFIG_FILE ""
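As an added example (my own code, not the article's or Cisco's), the Python below audits a running-config for the lock-out pattern described above (an "aaa authentication login" list that goes to a TACACS+ group with no "local" method, and the absence of a local root-lr user with a secret) and scans syslog for the LWA_ADD_FAIL message that appears when the IOX_ADMIN_CONFIG_FILE clean-up was forgotten. The sample config, its fixed variant with "local" appended, and the syslog lines are constructed for the example; the parsing assumes the plain "show running-config" layout shown on this page (one-level indented username blocks).

```python
import re

# Constructed sample running-config (not captured from a real router). The
# "aaa authentication login default" line is the lock-out pattern from the
# article: TACACS+ only, with no "local" method after it.
SAMPLE_CONFIG = """\
hostname lab-asr9k
username asd
 group root-lr
 group cisco-support
 secret 5 $1$rdaY$qJt7aNcc8uFKqhP/rK11V1
!
username noc
 group operator
!
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+ local
aaa authentication login console local
!
"""

# Same config with "local" appended as the last login method: the change
# that keeps you out of ROMMON when the TACACS+ server is unreachable.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "aaa authentication login default group tacacs+",
    "aaa authentication login default group tacacs+ local",
)

# Constructed syslog sample; the LWA_ADD_FAIL line is the one the article
# shows when IOX_ADMIN_CONFIG_FILE was left set after recovery.
SAMPLE_SYSLOG = [
    "RP/0/RSP1/CPU0:Oct 28 07:18:30.002 : some_process[1]: %EXAMPLE-0-CONSTRUCTED : filler line",
    "RP/0/RSP1/CPU0:Oct 28 07:18:37.141 : locald_DSC[301]: %SECURITY-LOCALD-3-LWA_ADD_FAIL : "
    "Failed to add the username admin to lightweight authentication password database: No such file or directory",
]

AAA_LOGIN_RE = re.compile(r"^aaa authentication login (\S+)\s+(.+)$")
LWA_FAIL_RE = re.compile(r"%SECURITY-LOCALD-3-LWA_ADD_FAIL")
FALLBACK_METHODS = {"local"}  # methods that still work with the AAA server down


def parse_aaa_login(config):
    """Map each 'aaa authentication login' list name to its methods,
    e.g. 'group tacacs+ local' -> ['group tacacs+', 'local']."""
    lists = {}
    for line in config.splitlines():
        m = AAA_LOGIN_RE.match(line.strip())
        if not m:
            continue
        name, tokens = m.group(1), m.group(2).split()
        methods, i = [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])  # 'group <server-group>'
                i += 2
            else:
                methods.append(tokens[i])  # 'local', 'none', ...
                i += 1
        lists[name] = methods
    return lists


def parse_local_users(config):
    """Collect username blocks: name -> {'groups': set, 'has_secret': bool}."""
    users, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("username "):
            current = raw.split()[1]
            users[current] = {"groups": set(), "has_secret": False}
        elif raw.startswith(" ") and current is not None:
            tok = raw.split()
            if tok[0] == "group" and len(tok) > 1:
                users[current]["groups"].add(tok[1])
            elif tok[0] in ("secret", "password"):
                users[current]["has_secret"] = True
        else:
            current = None  # '!' or any unindented line ends the block
    return users


def lockout_findings(config):
    """Return human-readable findings; an empty list means no lock-out risk found."""
    findings = []
    for name, methods in parse_aaa_login(config).items():
        uses_server = any(m.startswith("group ") for m in methods)
        if uses_server and not FALLBACK_METHODS.intersection(methods):
            findings.append(
                f"login list '{name}' = {' '.join(methods)}: no local fallback, "
                "an unreachable AAA server locks you out (fix: append 'local')"
            )
    admins = [u for u, info in parse_local_users(config).items()
              if "root-lr" in info["groups"] and info["has_secret"]]
    if not admins:
        findings.append("no local root-lr user with a secret: nothing to fall back to")
    return findings


def leftover_rommon_var_hits(syslog_lines):
    """Lines showing the admin config is still redirected (clean-up forgotten)."""
    return [line for line in syslog_lines if LWA_FAIL_RE.search(line)]


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lockout_findings(cfg) or "OK")
    for hit in leftover_rommon_var_hits(SAMPLE_SYSLOG):
        print("unset IOX_ADMIN_CONFIG_FILE in ROMMON and sync:", hit)
```

Run it against a saved "show running-config" and the output of "show logging" before a maintenance window; the only finding on the sample config is the default login list, and the fixed variant reports nothing.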
XR-VM Username/Password reset procedure using Sysadmin VM
Note: This is not a way to hack into a router: you still need the sysadmin username/password to get onto the box; the procedure only bypasses the XR VM credentials.
Steps to perform this activity:
1. Log in to the router. I had console access to the box:
bgl-xdm-009:112> telnet 10.67.30.20 2037
Trying 10.67.30.20...
Connected to 10.67.30.20.
Escape character is '^]'.
User Access Verification
Password:
Password OK
2. Send the "ctrl + o" interrupt to toggle to the sysadmin VM:
sysadmin-vm:0_RP0#
*** IDLE TIMEOUT ***
System Admin Username:
3. Enter the sysadmin username and password:
System Admin Username: xxxxx
Password:
xxxxx connected from 127.0.0.1 using console on sysadmin-vm:0_RP0
sysadmin-vm:0_RP0#
4. With this login you are at the sysadmin VM prompt:
sysadmin-vm:0_RP0#
5. From the sysadmin VM, reach the XR VM as follows:
i. List the SDR IPs:
sysadmin-vm:0_RP0# show sdr
Tue Apr 3 05:12:47.110 UTC
SDR: default-sdr
Location IP Address Status Boot Count Time Started
-----------------------------------------------------------------------------
0/RP0/VM1 192.0.0.4 RUNNING 1 03/01/2019 02:10:28
0/RP0/VM2 192.0.0.6 RUNNING 1 03/01/2019 02:10:56
ii. SSH to the SDR VM1 address:
[sysadmin-vm:0_RP0:~]$ssh 192.0.0.4
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
<>
Last login: Fri Mar 1 02:14:39 2019 from 192.0.0.4
iii. You are now on the XR VM's shell; run "exec -a" (the original notes this as the "ctrl + a" step) to get an XR EXEC prompt without being asked for credentials:
[xr-vm_node0_RP0_CPU0:~]$exec -a
6. With authentication bypassed, you have the XR VM EXEC prompt:
RP/0/RP0/CPU0:customer2#
At this stage you can create, delete or modify the user credentials used to access the router at the XR VM directly.
RP/0/RP0/CPU0:customer2#show running-config
Tue Apr 3 05:13:02.445 UTC
Building configuration...
!! IOS XR Configuration version = 6.3.3
!! Last configuration change at Sun Feb 17 23:31:51 2019 by ZTP
!
hostname customer2
username asd
group root-lr
group cisco-support
secret 5 $1$rdaY$qJt7aNcc8uFKqhP/rK11V1
!
It has been seen that sometimes a system autonomously enters password recovery mode. This is identified by the prompt:
"enter root-system username"
This is due to a DDTS known as CSCth03923.
You end up providing what you think is a known username and password combination and it fails to get you in.
The solution is simple: just enter a fake username/password that you know for sure has not been configured yet, and you're in!
Xander Thuijs - CCIE #6775
Sr Tech Lead ASR9000
hi mirko!
the config in XR is not in a (text) file format like it was in IOS. In XR there is a sysdb (system database) that holds all configuration(s) and parameters and operational data that is queried by components on show commands and configs.
the step 2 to set the no-config is effectively pointing the system to a new database (so to speak).
this means that the config will be empty on load, upon which you can load a new config, commit it and next time it reboots it will leverage that new config.
a rollback would only be to the previous empty config, so you will lose your commit history.
"sync" is a directive in rommon to save the rommon variables. this gets put in a flat file on the nvram (classic-rommon-variables is the filename).
I would recommend to boot the system with the no-config directive, but not sync (save) it. This way the system boots empty and, on the first commit, we basically push it to the database; on the next reload the config from the database will be loaded, which is what you saved, without losing too much history.
cheers!
xander
hi xander, many thanks for your kind reply as usual. so to summarize:
1) reboot asr and via console CTRL-C to access ROMMON
2) in ROMMON: IOX_CONFIG_FILE=/harddisk:/no-config
3) in ROMMON: reset (this will reboot asr)
4) the asr will boot with the admin config untouched but without base config
5) login with a root user (I suppose the system with an empty base config falls back automatically to local users, thus checking users in the admin config)
6) rollback configuration last 1/2... and commit
mirko
Hi Xander, do you have the process for XRv password recovery? Thank you in advance.
Hi Xander,
I'm trying to reset my local username/pwd on my lab ASR9901, but options (2 & 3) don't seem to work.
When I reset after the change, it boots as normal, ignoring nothing. Also I have to give the option -s (soft) or -h (hard) to the reset command. Is there a different procedure for the ASR9901?
Booting IOS-XR 64 bit Boot previously installed image - Press Ctrl-c to stop
S
Please select the operating system and the boot device:
1) Boot to ROMMON
2) IOS-XR 64 bit Boot previously installed image
3) IOS-XR 64 bit Mgmt Network boot using DHCP server
4) IOS-XR 64 bit Mgmt Network boot using local settings (iPXE)
(Press 'p' for more option)
Selection [1/2/3/4]: 1
rommon 1 > unset IOX_CONFIG_FILE
rommon 2 > IOX_ADMIN_CONFIG_FILE=/disk0:/none
rommon 3 > sync
rommon 4 > reset
rommon 5 > reset -h
Resetting hard .......
Booting Main Processor
Transferring Console
CPU reset reason = 13 (CPU_RESET_AUTO_RESET)
Missing Parameter SERVER_URL
##########################################################
System Bootstrap, Version 22.24 [ASR9K x86 ROMMON],
Copyright (c) 1994-2019 by Cisco Systems, Inc.
Compiled on Tue 07/16/2019 15:41:43.70
BOARD_TYPE : 0x101014
Rommon : 22.24 (Primary)
Board Revision : 5
PCH EEPROM : 0.0
IPU FPGA(PL) : 0.20.1 (Primary)
IPU INIT(HW_FPD) : 2.5.1
IPU FSBL(BOOT.BIN) : 1.104.0
IPU LINUX(IMAGE.FPD) : 1.104.0
DRAX FPGA : 0.35.1
CBC0 : Part 1=54.10, Part 2=54.10, Act Part=2
Product Number : ASR-9901-RP
Chassis : ASR-9901
Chassis Serial Number : FOC2346NBP2
Slot Number : 0
Pxe Mac Address LAN 0 : 6c:31:0e:26:d5:b0
Pxe Mac Address LAN 1 : 6c:31:0e:26:d5:b1
==========================================================
Got EMT Mode as IOS-XR Boot
Got Boot Mode as Disk Boot
Booting to ROMMON - Press Ctrl-c to stop
Y
Please select the operating system and the boot device:
1) Boot to ROMMON
2) IOS-XR 64 bit Boot previously installed image
3) IOS-XR 64 bit Mgmt Network boot using DHCP server
4) IOS-XR 64 bit Mgmt Network boot using local settings (iPXE)
(Press 'p' for more option)
Selection [1/2/3/4]: 2
Selected IOS-XR 64 bit Boot previously installed image, Continue ? Y/N: y
For the ASR 9901 the process changed.
Opened a TAC case; this is the process:
Please note that this procedure will need to be carried out during a maintenance window as the router will need to be reloaded twice.
After the procedure below, the router will reload with no username/password, but also with no configuration and it needs to be re-applied.
Step 1 - First you need the utility (link below) to boot from USB:
https://software.cisco.com/download/home/286322162/type/280805694/release/7.0.2
Filename: asr9k-x64-usb_boot-7.0.2.zip
Step 2 - Once the utility is downloaded, the contents MUST be extracted directly into root of the USB drive. Make sure your USB drive is formatted to FAT32.
This step is extremely important, otherwise it will not work. The content of the zipped file ("EFI" and "boot" directories) should be extracted directly into root of the USB drive. If the unzipping application places the extracted files in a new folder, move the "EFI" and "boot" directories to root of the USB drive.
Step 3 - Proceed to plug the USB to the USB port on the router. Connect physically to the console and Manually reload the device.
Step 4 - Press ESC or "CTRL + C" to go to the ROMMON menu; the following options will be displayed. Select Option 7.
Please select the operating system and the boot device:
1) IOS-XR (32 bit Classic XR)
2) IOS-XR 64 bit Boot previously installed image
3) IOS-XR 64 bit Mgmt Network boot using DHCP server
4) IOS-XR 64 bit Mgmt Network boot using local settings (iPXE)
5) IOS-XR 64 bit Internal network boot from RSP/RP
6) IOS-XR 64 bit Local boot using embedded USB media
7) IOS-XR 64 bit Local boot using front panel USB media   <<< we will use this option
If for some reason you only see 4 options being displayed, there should be an option to display all the options.
Step 5 - After selecting option 7, the recovery will automatically begin and will end with a device without any configuration or password.
Step 6 - You will be able to setup the admin username and password.
Hi Xander,
Does this method support all the XR platforms, such as NCS4K?
Thanks.
Stan
Hi
I am stuck with an NCS560 and not able to log in. I can log in to Sysadmin though.
Can you please guide me on how I can recover the password or enter the RP in ROMMON mode?
sysadmin-vm:0_RP0# sh ver
Wed Sep 29 14:49:31.167 UTC+00:00
Cisco IOS XR Admin Software, Version 7.1.2
Copyright (c) 2013-2020 by Cisco Systems, Inc.
Build Information:
Built By : ahoang
Built On : Sat Aug 29 12:43:12 PDT 2020
Build Host : iox-ucs-026
Workspace : /auto/srcarchive13/prod/7.1.2/ncs560/ws
Version : 7.1.2
Location : /opt/cisco/calvados/packages/
Label : 7.1.2
System uptime is 15 minutes
sysadmin-vm:0_RP0#
Regards
Bharat
I solved the issue of a forgotten local password with USB boot using the below:
https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r7-6/system-setup/configuration/guide/b-system-setup-cg-asr9000-76x/bring-up-the-router.html#Cisco_Task.dita_fd1052f1-ff82-442b-b6b0-9e3cd2822621
but after that I faced an issue with the packages: I didn't find any packages like ISIS, MPLS and multicast.