cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4005
Views
15
Helpful
1
Comments
Bryan Garland
Cisco Employee
Cisco Employee

Introduction

This document will give you some ways to recover your CRS running IOS-XR if you are locked out due to a forgotten password or AAA configuration change.

Core Issue

First is if you have forgotten your username/password you can do the following steps which is documented fairly well already:

Password Recovery


The other issue is if you have mistakenly locked yourself out after doing some AAA commands.  Usually after configuring authorization without a   fallback method.  To see how to make sure you have fallback methods and configure them refer to the AAA configuration guides.

AAA configuration guide

Resolution

There are a couple of ways to do this. 

If you have access to the aux port then you can do the following:

Gain access on the AUX port which should drop you into the Korn Shell (ksh).  If challenged with a username/password this would be a local username/password.  Not tacacs/radius. 

     Note:  This can by bypassed with the following:

Bypassing Ksh Authentication

rommon1> AUX_AUTHEN_LEVEL=0

rommon2> sync

rommon2> boot tftp:/ ... 

Once in the ksh you can try to do the following command to do a configuration rollback for the last change:

config_rollback -n 0x1

     Note: You can change the last number if you needed to rollback more than 1 change.

If you don't have access to the AUX port for some reason but do have a configuration backed up or are willing to reconfigure the router you can do the following from the console.  This will tell the router to boot up with a  blank configuration. 

Reload the router and keep both RPs down in ROMMON by sending a break signal during boot process. 

Then boot the active RP with the following type of command:

boot <image> -a bogus-config-file-path

For example, on my CRS running 4.0.3 the command would look like this:

boot bootflash:/disk0/hfr-os-mbi-4.0.3/mbihfr-rp.vm -a blah

The router will then boot loading the right version but will come up with a blank config. 

You can then reconfigure or cut/paste the configuration. 

In case it's needed you can do the same for the Admin configuration with the following switch:

boot <image> -o bogus-config-file-path

Related Information

Password Recovery

AAA configuration guide

ASR9k Password Recovery


Comments
eteksoy
Cisco Employee
Cisco Employee

very nice! thanks for doing this.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links