If you lose the password of a Catalyst 8000V or CSR1000V running on Azure, and you would like to perform a password recovery on it, this post might be for you.

The Basics of Password Recovery

There are useful techniques to authenticate an SSH session on a router without using a password. Yet, there are cases where we might have to use password authentication nonetheless.
If the password is lost, the next step would be entering ROMmon and performing the usual configuration register change.

You would basically:

  1. restart the Router,
  2. interrupt its normal boot sequence with a Break signal,
  3. change the configuration register value in ROMmon to 0x2142,
  4. reboot (this time ignoring the startup configuration),
  5. perform password reset and restore normal booting.

Virtualized routers are essentially not very different from the above. In fact, there is a virtualized ROMmon environment in the latest Catalyst 8000V platforms too.
You can find all the official details here.

The Problem

There is a “but” to all the above (you wouldn’t be reading this otherwise).
In Azure you don’t have enough time to send that “Break” signal. In fact, Cisco documentation alludes to this scenario in a Note:

Password Recovery Note

And if this has happened to you, and you raised a support ticket, chances are Cisco TAC provided a simple solution: reinstall.
But if you still need to access that router and cannot just reinstall from scratch, keep reading.

The Solution

Since we can’t access the console in the cloud, this is my suggestion:

  1. Download a copy of the router’s disk from the cloud,
  2. Boot it locally on a compatible hypervisor,
  3. Set the configuration register value to 0x2142,
  4. Power off the router before it actually bootstraps,
  5. Load the modified disk back into Azure cloud storage, and assign it to the VM as new OS disk,
  6. Finally boot the VM, and perform the password recovery as usual.

What you’ll need:

  • About 20GB of disk space on a local storage (or less, depending on the type of virtual router),
  • Plenty of available bandwidth for downloading/uploading the disks,
  • A hypervisor where you can boot the router (I used VirtualBox, but it’s possible others would work too).

Note: performing this procedure will likely generate additional costs on your Azure account. Just wanted to spell that out to avoid surprises :-)

Powering off and exporting the disk

Stop and deallocate the VM as you normally do. Once it’s done, download the disk image. There are multiple ways to do that (Azure Portal, PowerShell or Azure CLI). All of them are described here in detail for your reference.

Boot on a local Hypervisor

In VirtualBox I created a new VM with the following specs:

  • Type “Linux”
  • Version “Other Linux (64-bit)”
  • Chipset ICH9
  • 2 vCPUs
  • 4GB of RAM
  • VMSVGA Graphics Controller (no 3D acceleration)
  • SATA AHCI Storage Controller

VM Storage Configuration

Change config-register

Once the VM is configured, start it and be on the lookout for the GRUB menu. As soon as you are presented with the menu, type c to enter the GRUB command line.

GRUB Menu

Use the confreg command to set the value 0x2142:

grub> confreg 0x2142

Configuration Register: 0x2142
grub> 

Once this is done, power off the VM, and never move past the GRUB menu.

Upload and reboot

Now we need to ship the OS Disk back to Azure.
For this task I use azcopy and the target in my case is a blob container. Surely there are better/smarter techniques; use whichever works best for you :)

From the blob container I create a new Managed Disk into the same Resource Group where the router is, and finally attach it as the OS disk for the VM:

Managed Disk

Swap OS Disk
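
The upload and swap steps above can also be scripted. The following is an added example, not part of the original procedure: it first checks that the locally modified image is still a fixed-size VHD with a MiB-aligned data area (the only VHD layout Azure accepts for a page blob), then uploads it and swaps the OS disk. All function names, resource names, the blob URL and the SAS token are placeholders, the storage account is assumed to be in the same subscription as the VM, and the sample VHD builder only produces constructed test files.

```shell
# Added example, not from the original post. Arguments are placeholders.

# Return 0 if FILE looks like a fixed VHD that Azure accepts as a page blob:
# "conectix" cookie in the last 512 bytes, disk type 2 (fixed) at footer
# offset 60, and a data area that is a whole number of MiB.
vhd_ready_for_azure() {
  local f="$1" size cookie dtype
  [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
  size=$(( $(wc -c < "$f") ))
  [ "$size" -gt 512 ] || { echo "too small for a VHD" >&2; return 1; }
  cookie=$(tail -c 512 "$f" | head -c 8 | od -An -tx1 | tr -d ' \n')
  [ "$cookie" = "636f6e6563746978" ] || { echo "no VHD footer" >&2; return 1; }
  dtype=$(tail -c 512 "$f" | od -An -tu1 -j60 -N4 | tr -d ' \n')
  [ "$dtype" = "0002" ] || { echo "not a fixed VHD (type $dtype)" >&2; return 1; }
  [ $(( (size - 512) % 1048576 )) -eq 0 ] || { echo "not MiB-aligned" >&2; return 1; }
}

# Constructed sample for trying the check: MIB MiB of zeros followed by a
# minimal 512-byte footer carrying disk type TYPE (2 = fixed, 3 = dynamic).
make_sample_vhd() {  # usage: make_sample_vhd FILE MIB TYPE
  { head -c $(( $2 * 1048576 )) /dev/zero
    printf 'conectix'; head -c 52 /dev/zero
    printf "\\000\\000\\000\\00$3"; head -c 448 /dev/zero; } > "$1"
}

# Upload the image, create a managed disk from the blob, swap it in as the
# OS disk of the (already deallocated) VM, then start the VM.
# BLOB_URL is the destination blob URL without a SAS; SAS is the token.
upload_and_swap() {  # usage: upload_and_swap VHD RG VM NEW_DISK BLOB_URL SAS
  vhd_ready_for_azure "$1" || return 1
  azcopy copy "$1" "$5?$6" --blob-type PageBlob &&
  az disk create -g "$2" -n "$4" --source "$5" --os-type Linux &&
  az vm update -g "$2" -n "$3" --os-disk "$4" &&
  az vm start -g "$2" -n "$3"
}
```

The exported image contains the router's full configuration, so treat the local copy and the SAS token as secrets and remove both once the swap is done.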

Conclusion

Once the router has finished loading, you will be able to login without a password and recover the lost access.

Router Boots

I hope this post was interesting, or maybe useful! :-)
Send me a message if you want to propose improvements to this procedure, or if you know completely alternative techniques.
I will attribute and credit on this page any valuable contribution.