Ryuji Nozaka
Cisco Employee

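This article describes how to perform FXOS password recovery on the FPR9300/4100 series.

The procedure shown here was performed on an FPR9300 series running FXOS 2.12.1.48. (The procedure is the same for the FPR4100 series.)

Password recovery resets the FXOS configuration to its initial state. For that reason, the last step of this procedure is the FXOS initial setup.

Note also that initializing FXOS deletes the ASA FTD configuration as well.

What you need

  • Console access
  • The kickstart_image name and system_image name in use on the target device (each image file name is displayed at reboot)

Overall flow

  1. Power OFF/ON and enter rommon> mode
  2. Load the kickstart file from ROMMON
  3. Run the password reset from config terminal mode
  4. Load the system_image
  5. FXOS initial setup

The work performed on the CLI is detailed below.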

##### After power OFF/ON

Cisco System ROMMON, Version 1.0.15, RELEASE SOFTWARE
Copyright (c) 1994-2019 by Cisco Systems, Inc.
Compiled Thu 04/11/2019 21:15:59.58 by builder
Current image running: Boot ROM0
Last reset cause: ResetRequest
DIMM Slot 0 : Present
DIMM Slot 1 : Present
No USB drive !!
BIOS has been locked !!

Platform FPR9K-SUP with 16384 Mbytes of main memory
MAC Address: b0:aa:77:2f:90:4c

##### The kickstart_image name and system_image name are displayed below
find the string ! boot bootflash:/installables/switch/fxos-k9-kickstart.5.0.3.N2.4.120.761.SPA bootflash:/installables/switch/fxos-k9-system.5.0.3.N2.4.120.761.SPA

Use BREAK, ESC or CTRL+L to interrupt boot.
Use SPACE to begin boot immediately.

##### Step 1: Power OFF/ON and enter rommon> mode
##### Press the Escape key to interrupt the boot

Boot in 10 seconds.

##### Step 2: Load the kickstart file from ROMMON

rommon 1 > boot bootflash:/installables/switch/fxos-k9-kickstart.5.0.3.N2.4.120.761.SPA ##### enter the command in the format below

##### Format
##### boot bootflash:/installables/switch/<kickstart file name>

!! Kickstart Image verified successfully !!

Linux version: 4.18.40 (pvasapur@sjc-vms-vm0198) #1 SMP Tue Sep 20 09:03:51 PDT 2022
linuxrc.ext Wed Jan 11 18:27:47 UTC 2012
1+0 records in
POST INIT Starts at Wed Jan 11 18:27:55 UTC 2012
S10mount-ramfs.supnuovaca Mounting /isan 4000m
Mounted /isan
Creating /callhome..
Mounting /callhome..
Creating /callhome done.
Callhome spool file system init done.
FPGA Version 0x00020000 FPGA Min Version 0x00000600
lspci: Unable to load libkmod resources: error -12
Checking all filesystems.r.r.r.r.rrr done.
Checking NVRAM block device ... done
.
FIPS power-on self-test passed
Unpack CMC Application software
1
Loading system software
No system image  INIT: Sending processes the TERM signal
INIT: Sending processes the KILL signal
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2023, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php

##### Step 3: Run the password reset from config terminal mode

switch(boot)# config terminal ##### enter config terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(boot)(config)# admin-password erase ##### enter admin-password erase
Your password and configuration will be erased!
Do you want to continue? (y/n) [n] y ##### enter y
switch(boot)(config)# exit ##### enter exit

##### Step 4: Load the system_image

switch(boot)# load bootflash:/installables/switch/fxos-k9-system.5.0.3.N2.4.120.761.SPA ##### enter the command in the format below

##### Format
##### load bootflash:/installables/switch/<system file name>

Uncompressing system image: bootflash:/installables/switch/fxos-k9-system.5.0.3.N2.4.120.761.SPA


Manager image digital signature verification successful
C
12+1 records in
12+1 records out
9900 bytes (9.9 kB, 9.7 KiB) copied, 6.8371e-05 s, 145 MB/s
snm mode on SUP
INIT: Switching to runlevel: 3
INIT: Sending processes the TERM signal
switch(boot)# INIT: cmcmon: 160:cmcl

find: '/bootflash/sysdebug/coremgmt/tmp_logs/': No such file or directory
---------------------
enabled fc feature
---------------------
[ 174.586241] OBFL Error: (line 1002):Open of /bootflash/logs/plog/kernel.log failed with result = -2
2012 Jan 11 18:30:44 %$ VDC-1 %$ %USER-2-SYSTEM_MSG: CLIS: loading cmd files begin - clis
2012 Jan 11 18:30:53 %$ VDC-1 %$ %USER-2-SYSTEM_MSG: CLIS: loading cmd files end - clis
2012 Jan 11 18:30:53 %$ VDC-1 %$ %USER-2-SYSTEM_MSG: CLIS: init begin - clis
2012 Jan 11 18:30:54 %$ VDC-1 %$ %USER-2-SYSTEM_MSG: %SMART_LIC-2-PLATFORM_ERROR:Smart Licensing has encountered an internal software error. Contact TAC: The platform provided UDI list has invalid values: ; udi_pid is emp - SMART_AGENT[4963]
System is coming up ... Please wait ...
System is coming up ... Please wait ...
System is coming up ... Please wait ...
System is coming up ... Please wait ...
2012 Jan 11 18:31:34 %$ VDC-1 %$ %USER-0-SYSTEM_MSG: Starting bcm_attach, unit 0 - bcm_usd
System is coming up ... Please wait ...
System is coming up ... Please wait ...
System is coming up ... Please wait ...
System is coming up ... Please wait ...
2012 Jan 11 18:31:56 %$ VDC-1 %$ %USER-0-SYSTEM_MSG: Finished bcm_attach..., unit 0 - bcm_usd
System is coming up ... Please wait ...
2012 Jan 11 18:31:56 %$ VDC-1 %$ %USER-0-SYSTEM_MSG: Enabling Filter on CPU port - bcm_usd
2012 Jan 11 18:32:00 %$ VDC-1 %$ %VDC_MGR-2-VDC_ONLINE: vdc 1 has come online
System is coming up ... Please wait ...
nohup: appending output to 'nohup.out'
2012 Jan 11 18:32:12 switch %$ VDC-1 %$ %-2-MMU_RECONFIGURATION: Traffic disruption might be seen on the switch due to PFC MMU hardware configuration event
2012 Jan 11 18:32:13 switch %$ VDC-1 %$ %ETHPC-2-PORTS_UP:

---- Basic System Configuration Dialog ----

This setup utility will guide you through the basic configuration of
the system. Only minimal configuration including IP connectivity to
the FXOS Supervisor is performed through these steps.

Type Ctrl-C at any time for more options or to abort configuration
and reboot system.
To back track or make modifications to already entered values,
complete input till end of section and answer no when prompted
to apply configuration.

##### Step 5: FXOS initial setup

Type Ctrl-C at any time for more options
or to abort configuration and reboot system.
You have chosen to setup a new Security Appliance.
Continue? (yes/no): yes ##### enter yes

Enforce strong password? (yes/no) [y]: n ##### choose according to your environment

Enter the password for "admin": ***** ##### enter the admin password
Confirm the password for "admin": ***** ##### re-enter the admin password
Enter the system name: firepower9300 ##### enter the system name

Supervisor Mgmt IP address : 10.70.73.67 ##### enter the IP address

Supervisor Mgmt IPv4 netmask : 255.255.255.0 ##### enter the netmask

IPv4 address of the default gateway : 10.70.73.254 ##### enter the default gateway

The system cannot be accessed via SSH if SSH Mgmt Access is not configured.
Do you want to configure SSH Mgmt Access Network? (yes/no) [y]: ##### choose according to your environment

SSH Mgmt Access host/network address (IPv4/IPv6): 0.0.0.0 ##### choose according to your environment

SSH Mgmt Access IPv4 netmask: 0.0.0.0 ##### choose according to your environment

Firepower Chassis Manager cannot be accessed if HTTPS Mgmt Access is not configured.
Do you want to configure HTTPS Mgmt Access? (yes/no) [y]: ##### choose according to your environment

HTTPS Mgmt Access host/network address (IPv4/IPv6): 0.0.0.0 ##### choose according to your environment

HTTPS Mgmt Access IPv4 netmask: 0.0.0.0 ##### choose according to your environment

Configure the DNS Server IP address? (yes/no) [n]: ##### choose according to your environment

Configure the default domain name? (yes/no) [n]: ##### choose according to your environment

Following configurations will be applied:

Switch Fabric=A
System Name=firepower9300
Enforced Strong Password=no
Supervisor Mgmt IP Address=10.70.73.67
Supervisor Mgmt IP Netmask=255.255.255.0
Default Gateway=10.70.73.254
SSH Mgmt Access Configured=yes
SSH Mgmt Access IP Address=0.0.0.0
SSH Mgmt Access IPv4 Netmask=0.0.0.0
HTTPS Mgmt Access Configured=yes
HTTPS Mgmt Access IP Address=0.0.0.0
HTTPS Mgmt Access IPv4 Netmask=0.0.0.0

Apply and save the configuration (select 'no' if you want to re-enter)? (yes/no): yes ##### enter yes if the settings are correct
Applying configuration. Please wait................................. Configuration file - Ok
..............


firepower9300 login: admin ##### enter admin
Password: ***** ##### enter the password you set
Successful login attempts for user 'admin' : 2
Cisco Firepower Extensible Operating System (FX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2009-2023, Cisco Systems, Inc. All rights reserved.

The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license.

Certain components of this software are licensed under the "GNU General Public
License, version 3" provided with ABSOLUTELY NO WARRANTY under the terms of
"GNU General Public License, Version 3", available here:
http://www.gnu.org/licenses/gpl.html. See User Manual (''Licensing'') for
details.

Certain components of this software are licensed under the "GNU General Public
License, version 2" provided with ABSOLUTELY NO WARRANTY under the terms of
"GNU General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html. See User Manual
(''Licensing'') for details.

Certain components of this software are licensed under the "GNU LESSER GENERAL
PUBLIC LICENSE, version 3" provided with ABSOLUTELY NO WARRANTY under the terms
of "GNU LESSER GENERAL PUBLIC LICENSE" Version 3", available here:
http://www.gnu.org/licenses/lgpl.html. See User Manual (''Licensing'') for
details.

Certain components of this software are licensed under the "GNU Lesser General
Public License, version 2.1" provided with ABSOLUTELY NO WARRANTY under the
terms of "GNU Lesser General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html. See User Manual
(''Licensing'') for details.

Certain components of this software are licensed under the "GNU Library General
Public License, version 2" provided with ABSOLUTELY NO WARRANTY under the terms
of "GNU Library General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/lgpl-2.0.html. See User Manual
(''Licensing'') for details.

firepower9300#
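
The following is an added example, not part of the original article or of any Cisco tooling: a pre-apply check over the "Following configurations will be applied:" summary from step 5, which flags disabled strong-password enforcement and SSH/HTTPS management access whose address and netmask describe 0.0.0.0/0 (a network that contains every IPv4 source address). The function names and the `max_hosts` threshold are assumptions made for this illustration.

```python
import ipaddress

# Constructed sample: the summary block from the step 5 transcript above.
SUMMARY = """\
Switch Fabric=A
System Name=firepower9300
Enforced Strong Password=no
Supervisor Mgmt IP Address=10.70.73.67
Supervisor Mgmt IP Netmask=255.255.255.0
Default Gateway=10.70.73.254
SSH Mgmt Access Configured=yes
SSH Mgmt Access IP Address=0.0.0.0
SSH Mgmt Access IPv4 Netmask=0.0.0.0
HTTPS Mgmt Access Configured=yes
HTTPS Mgmt Access IP Address=0.0.0.0
HTTPS Mgmt Access IPv4 Netmask=0.0.0.0
"""

def parse_summary(text):
    """Turn 'Key=Value' lines into a dict; other lines are ignored."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def audit(text, max_hosts=256):
    """Return findings worth revisiting before answering 'yes' to apply."""
    cfg, findings = parse_summary(text), []
    if cfg.get("Enforced Strong Password", "").lower() == "no":
        findings.append("strong password enforcement is off")
    for svc in ("SSH", "HTTPS"):
        if cfg.get(f"{svc} Mgmt Access Configured", "").lower() != "yes":
            continue
        addr = cfg.get(f"{svc} Mgmt Access IP Address")
        mask = cfg.get(f"{svc} Mgmt Access IPv4 Netmask")
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            findings.append(f"{svc}: cannot parse {addr}/{mask}")
            continue
        if net.prefixlen == 0:
            findings.append(f"{svc}: open to any source ({net})")
        elif net.num_addresses > max_hosts:  # assumed threshold, tune per site
            findings.append(f"{svc}: wide source range ({net})")
    return findings

if __name__ == "__main__":
    for finding in audit(SUMMARY):
        print("REVIEW:", finding)
```

Answering no at the "Apply and save the configuration" prompt returns to the dialog so the flagged values can be re-entered.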

References
