Showing results for 
Search instead for 
Did you mean: 
Bryan Garland
Cisco Employee
Cisco Employee


This document will give you some ways to recover your CRS running IOS-XR if you are locked out due to a forgotten password or AAA configuration change.

Core Issue

First is if you have forgotten your username/password you can do the following steps which is documented fairly well already:

Password Recovery

The other issue is if you have mistakenly locked yourself out after doing some AAA commands.  Usually after configuring authorization without a   fallback method.  To see how to make sure you have fallback methods and configure them refer to the AAA configuration guides.

AAA configuration guide


There are a couple of ways to do this. 

If you have access to the aux port then you can do the following:

Gain access on the AUX port which should drop you into the Korn Shell (ksh).  If challenged with a username/password this would be a local username/password.  Not tacacs/radius. 

     Note:  This can by bypassed with the following:

Bypassing Ksh Authentication


rommon2> sync

rommon2> boot tftp:/ ... 

Once in the ksh you can try to do the following command to do a configuration rollback for the last change:

config_rollback -n 0x1

     Note: You can change the last number if you needed to rollback more than 1 change.

If you don't have access to the AUX port for some reason but do have a configuration backed up or are willing to reconfigure the router you can do the following from the console.  This will tell the router to boot up with a  blank configuration. 

Reload the router and keep both RPs down in ROMMON by sending a break signal during boot process. 

Then boot the active RP with the following type of command:

boot <image> -a bogus-config-file-path

For example, on my CRS running 4.0.3 the command would look like this:

boot bootflash:/disk0/hfr-os-mbi-4.0.3/mbihfr-rp.vm -a blah

The router will then boot loading the right version but will come up with a blank config. 

You can then reconfigure or cut/paste the configuration. 

In case it's needed you can do the same for the Admin configuration with the following switch:

boot <image> -o bogus-config-file-path

Related Information

Password Recovery

AAA configuration guide

ASR9k Password Recovery

Cisco Employee
Cisco Employee

very nice! thanks for doing this.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links