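This document describes the procedure to recover the password on XE-SDWAN.
There are no specific requirements for this document.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
In XE-SDWAN (version 16.10.3 and later), for security reasons there is a default one-time admin password. A user can easily overlook it and end up locked out of the device.
This is especially dangerous during initial router setup, when no control connection to the vManage controller has been established; you cannot simply attach a new template that has a username and password configured.
This document describes in detail how to recover.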
```
Username: admin
Password:
Router#
Sep 23 20:36:03.133: SDWAN INFO: WARNING: Please configure a new username and password; one-time user admin is removed.
```
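This is the new message that appears on the console after you log in with the default admin/admin credentials.
Caution: This procedure erases the current configuration, so back up the configuration if at all possible before you proceed.
This is an example of how a device gets locked out when the one-time password message in the console log is ignored.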
rommon 2 > boot bootflash:asr1000-ucmk9.16.10.3a.SPA.bin File size is 0x2f7f66c6 Located asr1000-ucmk9.16.10.3a.SPA.bin Image size 796878534 inode num 17, bks cnt 194551 blk size 8*512 ################################################################################################################################################################################################################################################################################################################################################################################################################################ Boot image size = 796878534 (0x2f7f66c6) bytes <<<<<<<< OUTPUT TRIMMED >>>>>>>>> Press RETURN to get started!
<<<<<<<< OUTPUT TRIMMED >>>>>>>>>
*Sep 23 20:35:33.558: %Cisco-SDWAN-Router-SYSMGR-6-INFO-200017: R0/0: SYSMGR: Started daemon vdaemon @ pid 2218 in vpn 0 *Sep 23 20:35:33.635: %Cisco-SDWAN-Router-TTMD-6-INFO-1200001: R0/0: TTMD: Starting *Sep 23 20:35:33.725: %Cisco-SDWAN-Router-CFGMGR-6-INFO-300001: R0/0: CFGMGR: Starting *Sep 23 20:35:33.823: %Cisco-SDWAN-Router-FPMD-6-INFO-1100001: R0/0: FPMD: Starting *Sep 23 20:35:33.953: %Cisco-SDWAN-Router-FTMD-6-INFO-1000020: R0/0: FTMD: SLA class '__all_tunnels__' added at index '0': loss = 128%, latency = 2147483647 ms *Sep 23 20:35:34.424: %Cisco-SDWAN-Router-FTMD-4-WARN-1000007: R0/0: FTMD: Connection to TTM came up. p_msgq 0x7fe1b3235500 p_ftm 0x9a3020 *Sep 23 20:35:41.475: %DMI-5-INITIALIZED: R0/0: syncfd: process has initialized. *Sep 23 20:35:44.975: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback65528, changed state to up *Sep 23 20:35:44.991: %SYS-5-LOG_CONFIG_CHANGE: Buffer logging: level debugging, xml disabled, filtering disabled, size (262144) *Sep 23 20:35:45.025: SDWAN INFO: Received ENABLE_CONSOLE message from sysmgr *Sep 23 20:35:45.025: Console Enabled *Sep 23 20:35:45.025: SDWAN INFO: PNP start, status: success *Sep 23 20:35:45.023: %DMI-5-ACTIVE: R0/0: nesd: process is in steady state. *Sep 23 20:35:45.888: EXEC mode enabled on console User Access Verification Username: admin Password: Router# *Sep 23 20:36:03.133: SDWAN INFO: WARNING: Please configure a new username and password; one-time user admin is removed. *Sep 23 20:36:03.240: %DMI-5-CONFIG_I: R0/0: nesd: Configured from NETCONF/RESTCONF by system, transaction-id 14 Router#exit Press RETURN to get started. User Access Verification Username: admin Password: % Login invalid Press RETURN to get started. User Access Verification Username: Login incorrect Username:
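Step 1. Start the process with these steps:
Note: We recommend 0xA102 because it is less prone to user error. For example, if you mistakenly set the configuration register to 0x800 instead of 0x8000 (two zeros instead of three), the console baud rate is set to 4800 instead of the configuration being bypassed. For details on the configuration register, see https://www.cisco.com/c/en/us/support/docs/routers/10000-series-routers/50421-config-register-use.html
Note: In Cisco IOS® XE software, the 0x2142 configuration register cannot be used to bypass the configuration, because Cisco IOS® XE SD-WAN software stores the configuration differently, in the configuration database (CDB) on flash. Starting with Cisco IOS® XE SD-WAN software 16.10.1, bit 15 can be set to 1 to bypass the configuration, which gives a configuration register of, for example, 0xA102. That value is the result of combining bit 15 (0x8000) with the hexadecimal value of the default register, 0x2102.
3. Reset the box (check the command output).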
```
Initializing Hardware ...
System integrity status: 90170400 12030117
U
System Bootstrap, Version 16.3(2r), RELEASE SOFTWARE
Copyright (c) 1994-2016 by cisco Systems, Inc.
Current image running: Boot ROM1
Last reset cause: PowerOn
Warning: Octeon PCIe lanes not x2 width: sts=0x5011
ASR1001-HX platform with 16777216 Kbytes of main memory
rommon 1 > confreg 0x8000
You must reset or power cycle for new config to take effect
rommon 2 > i
Reset .......
Initializing Hardware ...
System integrity status: 90170400 12030117
Trixie configured
CaveCreek Link Status reg: Bus/Dev/Func: 0/28/1, offset 0x52, status = 00003011Times left ms:0000005C
Initializing DS31408...
Read MB FPGA Version: 0x16051716
DS31408 locked to local Oscillator
Taking Yoda out of reset...
Yoda VID enabled...
Crypto enabled...
Warning: Octeon PCIe link width not x2: sts=00001001 requesting link retrain
Astro enabled...
Astro PLL/bandgap init...
NP5c out of reset...
U
System Bootstrap, Version 16.3(2r), RELEASE SOFTWARE
Copyright (c) 1994-2016 by cisco Systems, Inc.
CPLD Version: 16033009 ASR1001-HX Slot:0
Current image running: Boot ROM1
Last reset cause: LocalSoft
Reading confreg 0x8000
Enabling interrupts
Initializing SATA controller...done
Checking for PCIe device presence...
Warning: Octeon PCIe lanes not x2 width: sts=0x5011
done
ASR1001-HX platform with 16777216 Kbytes of main memory
autoboot entry: NVRAM VALUES: bootconf: 0x0, autobootstate: 0
autobootcount: 0, autobootsptr: 0x0
```
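The configuration-register notes in Step 1 can be turned into a pre-flight check that decodes a value before it is typed at the rommon prompt. This is an added example, not part of the original document: the function names are hypothetical, and the console-speed table follows the classic Cisco register layout (bits 5, 11, 12), of which the document itself confirms only the 0x800 to 4800 baud case.

```python
# Added example: decode a ROMMON configuration-register value before typing it.
DEFAULT_CONFREG = 0x2102
CONFIG_BYPASS_BIT = 0x8000  # bit 15: configuration bypass (per this document)
IGNORE_NVRAM_BIT = 0x0040   # bit 6: the 0x2142 method, which does not work here

# Console speed lives in bits 5, 11 and 12. Only 0x0800 -> 4800 is stated in
# this document; the other rows are assumed from the classic register layout.
BAUD_MASK = 0x1820
BAUD_BY_BITS = {
    0x0000: 9600, 0x0800: 4800, 0x1000: 1200, 0x1800: 2400,
    0x0020: 19200, 0x0820: 38400, 0x1020: 57600, 0x1820: 115200,
}


def parse_confreg(text):
    """Parse '0xA102' style input and reject anything outside 16 bits."""
    value = int(text, 16)
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"not a 16-bit register value: {text!r}")
    return value


def review_confreg(text):
    """Return (bypass, baud, warnings) for a proposed confreg value."""
    value = parse_confreg(text)
    bypass = bool(value & CONFIG_BYPASS_BIT)
    baud = BAUD_BY_BITS[value & BAUD_MASK]
    warnings = []
    if not bypass:
        warnings.append("bit 15 is clear: the stored configuration is not bypassed")
    if baud != 9600:
        warnings.append(f"console speed changes to {baud} baud")
    if value & IGNORE_NVRAM_BIT:
        warnings.append("bit 6 (0x2142 style) does not bypass the CDB configuration")
    return bypass, baud, warnings


if __name__ == "__main__":
    # 0x8000 combined with the default register gives the recommended value.
    print(hex(CONFIG_BYPASS_BIT | DEFAULT_CONFREG))
    for candidate in ("0xA102", "0x8000", "0x800", "0x2142"):
        bypass, baud, warnings = review_confreg(candidate)
        print(f"{candidate:>7}: bypass={bypass} baud={baud} {warnings or 'ok'}")
```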
Step 2. Boot the XE-SDWAN .bin image from rommon.
rommon 3 > boot bootflash:asr1000-ucmk9.16.10.3a.SPA.bin Warning: filesystem is not clean File size is 0x2f7f66c6 Located asr1000-ucmk9.16.10.3a.SPA.bin Image size 796878534 inode num 17, bks cnt 194551 blk size 8*512 ####################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################### File is comprised of 200 fragments (0%) <<<<<< OUTPUT TRIMMED >>>>>>>> Press RETURN to get started!
<<<<<< OUTPUT TRIMMED >>>>>>>> *Sep 23 20:47:34.124: %Cisco-SDWAN-Router-SYSMGR-6-INFO-200017: R0/0: SYSMGR: Started daemon cfgmgr @ pid 5018 in vpn 0 *Sep 23 20:47:34.125: %Cisco-SDWAN-Router-SYSMGR-6-INFO-200017: R0/0: SYSMGR: Started daemon fpmd @ pid 5019 in vpn 0 *Sep 23 20:47:34.125: %Cisco-SDWAN-Router-SYSMGR-6-INFO-200017: R0/0: SYSMGR: Started daemon ftmd @ pid 5020 in vpn 0 *Sep 23 20:47:34.126: %Cisco-SDWAN-Router-SYSMGR-6-INFO-200017: R0/0: SYSMGR: Started daemon ompd @ pid 5021 in vpn 0 *Sep 23 20:47:34.127: %Cisco-SDWAN-Router-SYSMGR-6-INFO-200017: R0/0: SYSMGR: Started daemon ttmd @ pid 5022 in vpn 0 *Sep 23 20:47:34.127: %Cisco-SDWAN-Router-SYSMGR-6-INFO-200017: R0/0: SYSMGR: Started daemon vdaemon @ pid 5023 in vpn 0 *Sep 23 20:47:34.214: %Cisco-SDWAN-Router-TTMD-6-INFO-1200001: R0/0: TTMD: Starting *Sep 23 20:47:34.307: %Cisco-SDWAN-Router-CFGMGR-6-INFO-300001: R0/0: CFGMGR: Starting *Sep 23 20:47:34.382: %Cisco-SDWAN-Router-FPMD-6-INFO-1100001: R0/0: FPMD: Starting *Sep 23 20:47:34.525: %Cisco-SDWAN-Router-FTMD-6-INFO-1000020: R0/0: FTMD: SLA class '__all_tunnels__' added at index '0': loss = 128%, latency = 2147483647 ms *Sep 23 20:47:41.143: %ONEP_BASE-6-CONNECT: [Element]: ONEP session Application:com.cisco.syncfd Host:Router ID:726 User:a has connected. *Sep 23 20:47:41.997: %DMI-5-INITIALIZED: R0/0: syncfd: process has initialized. *Sep 23 20:47:45.480: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback65528, changed state to up *Sep 23 20:47:45.495: %SYS-5-LOG_CONFIG_CHANGE: Buffer logging: level debugging, xml disabled, filtering disabled, size (262144) *Sep 23 20:47:45.534: SDWAN INFO: Received ENABLE_CONSOLE message from sysmgr *Sep 23 20:47:45.534: Console Enabled *Sep 23 20:47:45.534: SDWAN INFO: PNP start, status: success *Sep 23 20:47:45.531: %DMI-5-ACTIVE: R0/0: nesd: process is in steady state. *Sep 23 20:47:45.945: EXEC mode enabled on console
Step 3. Log in with the default admin credentials.
```
User Access Verification
Username: admin
Password:
Router#
*Sep 23 20:48:16.659: SDWAN INFO: WARNING: Please configure a new username and password; one-time user admin is removed.
*Sep 23 20:48:16.767: %DMI-5-CONFIG_I: R0/0: nesd: Configured from NETCONF/RESTCONF by system, transaction-id 14
Router#
Router#sh ver | i Configuration register
Configuration register is 0x8000
```
Step 4. This step is mandatory.
Router#request platform software sdwan software reset *Sep 23 20:52:17.400: %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install activate bootflash:asr1000-ucmk9.16.10.3a.SPA.bin *Sep 23 20:52:23.919: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram Router# *Sep 23 20:52:47.943: %INSTALL-5-INSTALL_COMPLETED_INFO: R0/0: install_engine: Completed install activate PACKAGESep 23 20:53:04.302: Initializing Hardware ... System integrity status: 90170400 12030117 U System Bootstrap, Version 16.3(2r), RELEASE SOFTWARE Copyright (c) 1994-2016 by cisco Systems, Inc. Current image running: Boot ROM1 Last reset cause: LocalSoft Warning: Octeon PCIe lanes not x2 width: sts=0x5011 ASR1001-HX platform with 16777216 Kbytes of main memory File size is 0x00001a47 Located packages.conf Image size 6727 inode num 1120114, bks cnt 2 blk size 8*512 # File size is 0x01e7df8e Located asr1000-rpboot.16.10.3a.SPA.pkg Image size 31973262 inode num 1120126, bks cnt 7806 blk size 8*512 ######################################################################################################################################################################################################################################################################################################################## Boot image size = 31973262 (0x1e7df8e) bytes ROM:RSA Self Test Passed ROM:Sha512 Self Test Passed
<<<<<< OUTPUT TRIMMED >>>>>>>>
*Sep 23 20:57:13.347: %ONEP_BASE-6-CONNECT: [Element]: ONEP session Application:com.cisco.syncfd Host:Router ID:8029 User:a has connected. *Sep 23 20:57:15.226: %Cisco-SDWAN-Router-SYSMGR-6-INFO-200017: R0/0: SYSMGR: Started daemon cfgmgr @ pid 4435 in vpn 0 *Sep 23 20:57:15.227: %Cisco-SDWAN-Router-SYSMGR-6-INFO-200017: R0/0: SYSMGR: Started daemon fpmd @ pid 4436 in vpn 0 *Sep 23 20:57:15.228: %Cisco-SDWAN-Router-SYSMGR-6-INFO-200017: R0/0: SYSMGR: Started daemon ftmd @ pid 4437 in vpn 0 *Sep 23 20:57:15.229: %Cisco-SDWAN-Router-SYSMGR-6-INFO-200017: R0/0: SYSMGR: Started daemon ompd @ pid 4438 in vpn 0 *Sep 23 20:57:15.229: %Cisco-SDWAN-Router-SYSMGR-6-INFO-200017: R0/0: SYSMGR: Started daemon ttmd @ pid 4439 in vpn 0 *Sep 23 20:57:15.230: %Cisco-SDWAN-Router-SYSMGR-6-INFO-200017: R0/0: SYSMGR: Started daemon vdaemon @ pid 4440 in vpn 0 *Sep 23 20:57:15.308: %Cisco-SDWAN-Router-TTMD-6-INFO-1200001: R0/0: TTMD: Starting *Sep 23 20:57:15.391: %Cisco-SDWAN-Router-CFGMGR-6-INFO-300001: R0/0: CFGMGR: Starting *Sep 23 20:57:15.484: %Cisco-SDWAN-Router-FPMD-6-INFO-1100001: R0/0: FPMD: Starting *Sep 23 20:57:15.620: %Cisco-SDWAN-Router-FTMD-6-INFO-1000020: R0/0: FTMD: SLA class '__all_tunnels__' added at index '0': loss = 128%, latency = 2147483647 ms *Sep 23 20:57:16.092: %Cisco-SDWAN-Router-FTMD-4-WARN-1000007: R0/0: FTMD: Connection to TTM came up. p_msgq 0x7f5815c35500 p_ftm 0x9a3020 *Sep 23 20:57:27.380: %DMI-5-INITIALIZED: R0/0: syncfd: process has initialized. *Sep 23 20:57:35.032: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback65528, changed state to up *Sep 23 20:57:35.048: %SYS-5-LOG_CONFIG_CHANGE: Buffer logging: level debugging, xml disabled, filtering disabled, size (262144) *Sep 23 20:57:35.081: SDWAN INFO: Received ENABLE_CONSOLE message from sysmgr *Sep 23 20:57:35.081: Console Enabled *Sep 23 20:57:35.081: SDWAN INFO: PNP start, status: success *Sep 23 20:57:35.079: %DMI-5-ACTIVE: R0/0: nesd: process is in steady state. 
*Sep 23 20:57:35.682: EXEC mode enabled on console
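Step 5. You are now prompted for the one-time admin credentials again. After this step, do not forget to change the default password. It is recommended that you add another user as well. If you miss this step and get locked out, you have to repeat all of the steps again.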
```
User Access Verification
Username: admin
Password:
Router#
*Sep 23 20:58:18.048: SDWAN INFO: WARNING: Please configure a new username and password; one-time user admin is removed.
*Sep 23 20:58:18.155: %DMI-5-CONFIG_I: R0/0: nesd: Configured from NETCONF/RESTCONF by system, transaction-id 18
Router#confi
Router#config-tr
System is still initializing. Wait for PnP to be completed or terminate PnP with the command: pnpa service discovery stop
Router#pnpa service discovery stop
PNP-EXEC-DISCOVERY (1): Stopping PnP Discovery...
Waiting for PnP discovery cleanup ..
Router#
*Sep 23 20:58:48.997: %PNP-6-PNP_DISCOVERY_ABORT_ON_CLI: PnP Discovery abort on CLI input
*Sep 23 20:58:48.999: %DMI-5-SYNC_START: R0/0: syncfd: External change to running configuration detected. The running configuration will be synchronized to the NETCONF running data store.
*Sep 23 20:58:54.955: %DMI-5-SYNC_COMPLETE: R0/0: syncfd: The running configuration has been synchronized to the NETCONF running data store.
*Sep 23 20:58:54.955: %DMI-5-ACTIVE: R0/0: syncfd: process is in steady state.
*Sep 23 20:58:55.150: %DMI-5-CONFIG_I: R0/0: nesd: Configured from NETCONF/RESTCONF by system, transaction-id 181
*Sep 23 20:58:55.676: %Cisco-SDWAN-Router-SYSMGR-5-NTCE-200050: R0/0: SYSMGR: System status solid green (reason: All daemons up)
Router#
*Sep 23 20:59:00.083: %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install commit PACKAGE
*Sep 23 20:59:00.327: %INSTALL-5-INSTALL_COMPLETED_INFO: R0/0: install_engine: Completed install commit PACKAGE
Router#sh ver | i register
Configuration register is 0x2102
Router#sh sdwan ver
*Sep 23 20:59:12.640: %PNP-6-PNP_DISCOVERY_ABORT_ON_CLI: PnP Discovery abort on CLI input
*Sep 23 20:59:12.640: %PNP-6-PNP_DISCOVERY_STOPPED: PnP Discovery stopped (Discovery Aborted)
16.10.3a
Router#
Router#sh sdwan ver
16.10.3a
Router#
Router#conf
Router#config-tr
admin connected from 127.0.0.1 with console on Router
Router(config)# username admin privilege 15 secret <your password>
Router(config)# username sdwan privilege 15 secret <your password>
Router(config)# comm
Commit complete.
Router(config)#
*Sep 23 21:00:59.270: %DMI-5-CONFIG_I: R0/0: nesd: Configured from NETCONF/RESTCONF by admin, transaction-id 204
Router(config)# end
```
Step 6. Confirm that you can still access the device with the newly created usernames and passwords.
```
Router#exit
Router con0 is now available
Press RETURN to get started.
User Access Verification
Username: admin
Password:
Router>en
Router#
Router#exit
Router con0 is now available
Press RETURN to get started.
User Access Verification
Username: sdwan
Password:
Router>en
Router#
```
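The lockout in the first capture and the successful recovery in Steps 5 and 6 differ in what follows the one-time-admin warning, so a saved console capture can be checked for it before the session is closed. This is an added example, not part of the original document: the function name and result strings are hypothetical, the two sample captures are constructed from log lines shown above, and the rule (a `username ... secret` command followed by a commit attributed to a user other than `system`) is a heuristic.

```python
import re

# Constructed samples, assembled from console lines shown in this document.
LOCKED_OUT = """\
*Sep 23 20:36:03.133: SDWAN INFO: WARNING: Please configure a new username and password; one-time user admin is removed.
*Sep 23 20:36:03.240: %DMI-5-CONFIG_I: R0/0: nesd: Configured from NETCONF/RESTCONF by system, transaction-id 14
Router#exit
"""
RECOVERED = """\
*Sep 23 20:58:18.048: SDWAN INFO: WARNING: Please configure a new username and password; one-time user admin is removed.
*Sep 23 20:58:18.155: %DMI-5-CONFIG_I: R0/0: nesd: Configured from NETCONF/RESTCONF by system, transaction-id 18
Router(config)# username admin privilege 15 secret <your password>
Router(config)# comm
Commit complete.
*Sep 23 21:00:59.270: %DMI-5-CONFIG_I: R0/0: nesd: Configured from NETCONF/RESTCONF by admin, transaction-id 204
"""

ONE_TIME = re.compile(r"one-time user admin is removed")
USERNAME_CMD = re.compile(r"\(config\)#\s*username\s+\S+\s+privilege\s+\d+\s+secret\b")
COMMIT_BY = re.compile(r"%DMI-5-CONFIG_I: .*Configured from NETCONF/RESTCONF by (\S+),")


def audit_capture(text):
    """Return 'no-one-time-login', 'at-risk' or 'credentials-committed'.

    Heuristic: after the last one-time-admin warning, a 'username ... secret'
    command must be followed by a commit the device attributes to a user
    other than 'system'.
    """
    lines = text.splitlines()
    warnings = [i for i, line in enumerate(lines) if ONE_TIME.search(line)]
    if not warnings:
        return "no-one-time-login"
    user_entered = False
    for line in lines[warnings[-1] + 1:]:
        if USERNAME_CMD.search(line):
            user_entered = True
        commit = COMMIT_BY.search(line)
        if commit and commit.group(1) != "system" and user_entered:
            return "credentials-committed"
    return "at-risk"


if __name__ == "__main__":
    for name, capture in (("locked out", LOCKED_OUT), ("recovered", RECOVERED)):
        print(f"{name}: {audit_capture(capture)}")
```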
Revision | Publish Date | Comments |
---|---|---|
3.0 | 08-May-2023 | Recertification |
1.0 | 21-Oct-2019 | Initial Release |