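Introduction
This document describes the procedure for password recovery on Cisco IOS® and Cisco IOS® XE routers.
Prerequisites
Requirements
- This document applies to Cisco routers from the ISRG2, ISR4000, ASR1000 and ISR1000 families.
For routers that run different Cisco IOS and Cisco IOS XE families, this procedure can change.
- To perform password recovery, you must have a console connection to the device.
Caution: The password recovery procedure cannot be performed over a remote connection (SSH or Telnet) to the device. If a terminal server is used for the console connection, the procedure cannot work. A direct console connection is recommended.
- You must have physical access to the device, or the availability to remotely manage the power of the affected device.
- You must use a terminal emulation program in order to send the break sequence.
Note: Some PC keyboards have a Break key that can be used to send the signal.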
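Components Used
The information in this document is based on these software and hardware versions:
- ISR4331 router that runs Cisco IOS XE 16.12.4
- PuTTY terminal session, version 0.71
The information in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.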
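Background Information
This procedure can be used to recover username and password credentials as well as the enable password.
Depending on the current device configuration, the passwords can either be retrieved or be replaced directly with new ones.
Cisco IOS and Cisco IOS XE routers keep their configuration in the startup configuration and the running configuration.
By default, the startup configuration file is stored in NVRAM, and the running configuration (the actual device configuration) is stored in DRAM.
The main purpose of the password recovery procedure is to boot the device with the default configuration and, once the device can be accessed, to load the current configuration and change the credentials.
Note: If the router is configured with the no service password-recovery feature, the password cannot be recovered. This configuration can be recognized when the device boots. You can review this document for more details about the no service password-recovery feature.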
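Password Recovery in Cisco IOS and Cisco IOS XE Routers
Step 1. Reboot the device. You need to restart the device from the power source/switch, because you cannot access the device through the command line.
Step 2. While the device boots, you must issue the break sequence.
For PuTTY, navigate to the Special Command > Break option, as shown in the image.
- You must send multiple break signals. The break signal is recognized after POST passes and right before Cisco IOS finishes booting: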
Initializing Hardware ...
Checking for PCIe device presence...done
System integrity status: 0x610
Rom image verified correctly
System Bootstrap, Version 16.12(2r), RELEASE SOFTWARE
Copyright (c) 1994-2019 by cisco Systems, Inc.
Current image running: Boot ROM1
Last reset cause: LocalSoft
ISR4331/K9 platform with 4194304 Kbytes of main memory
........
Located isr4300-universalk9.16.12.04.SPA.bin
################################################################################
Failed to boot file bootflash:isr4300-universalk9.16.12.04.SPA.bin
.......
rommon 1 >
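Step 3. Log in to the device. In rommon mode, you must set the configuration register to 0x2142 so that the next reload boots with the default configuration.
You can use the reset command to reload. You must let the device boot as usual.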
rommon 1 > confreg 0x2142
You must reset or power cycle for new config to take effect
rommon 2 > reset
Resetting .......
Initializing Hardware ...
Checking for PCIe device presence...done
System integrity status: 0x610
Rom image verified correctly
System Bootstrap, Version 16.12(2r), RELEASE SOFTWARE
Copyright (c) 1994-2019 by cisco Systems, Inc.
Current image running: Boot ROM1
Last reset cause: LocalSoft
ISR4331/K9 platform with 4194304 Kbytes of main memory
........
Located isr4300-universalk9.16.12.04.SPA.bin
################################################################################
Package header rev 3 structure detected
IsoSize = 609173504
Calculating SHA-1 hash...Validate package: SHA-1 hash:
calculated 9E1353EB:8A02B6C4:C7B841DC:7A78BA24:5D48AA9B
expected 9E1353EB:8A02B6C4:C7B841DC:7A78BA24:5D48AA9B
RSA Signed RELEASE Image Signature Verification Successful.
Image validated
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software [Gibraltar], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.12.4, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Thu 09-Jul-20 21:44 by mcpre
This software version supports only Smart Licensing as the software licensing mechanism.
PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE LICENSE OR
LICENSE KEY PROVIDED FOR ANY CISCO SOFTWARE PRODUCT, PRODUCT FEATURE,
AND/OR SUBSEQUENTLY PROVIDED SOFTWARE FEATURES (COLLECTIVELY, THE
"SOFTWARE"), AND/OR USING SUCH SOFTWARE CONSTITUTES YOUR FULL
ACCEPTANCE OF THE FOLLOWING TERMS. YOU MUST NOT PROCEED FURTHER IF YOU
ARE NOT WILLING TO BE BOUND BY ALL THE TERMS SET FORTH HEREIN.
Your use of the Software is subject to the Cisco End User License Agreement
(EULA) and any relevant supplemental terms (SEULA) found at
http://www.cisco.com/c/en/us/about/legal/cloud-and-software/software-terms.html.
You hereby acknowledge and agree that certain Software and/or features are
licensed for a particular term, that the license to such Software and/or
features is valid only for the applicable term and that such Software and/or
features may be shut down or otherwise terminated by Cisco after expiration
of the applicable license term (for example, 90-day trial period). Cisco reserves
the right to terminate any such Software feature electronically or by any
other means available. While Cisco may provide alerts, it is your sole
responsibility to monitor your usage of any such term Software feature to
ensure that your systems and networks are prepared for a shutdown of the
Software feature.
All TCP AO KDF Tests Pass
cisco ISR4331/K9 (1RU) processor with 1694893K/3071K bytes of memory.
Processor board ID FLM1922W1BZ
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
3223551K bytes of flash memory at bootflash:.
0K bytes of WebUI ODM Files at webui:.
Press RETURN to get started!
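Step 4. At this point, the router has the default configuration. You must back up the configuration in running-config; you need to use the configuration stored in the startup-config file or in another file. To use the startup-config file, you must copy the file to running-config in global mode.
- After the backup, you can enter configuration mode and change or check the credentials.
- The configuration register must be changed to 0x2102. After that, you can save the changes and reboot the device.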
Router#copy startup-config running-config
Destination filename [running-config]?
% Please write mem and reload
% The config will take effect on next reboot
2793 bytes copied in 0.363 secs (7694 bytes/sec)
Router#show running-config | sec password
enable password cisco
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable password cisco123
Router(config)#config-register 0x2102
Router(config)#exit
Router#show running-config | sec password
enable password cisco123
Router#write
Building configuration...
[OK]
Router#reload
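Step 5. To confirm that the configuration register was changed correctly, you can run the show version command and check the last line of the show version output.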
Router#show version
Cisco IOS XE Software, Version 16.12.04
Cisco IOS Software [Gibraltar], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.12.4, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Thu 09-Jul-20 21:44 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2020 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: 16.12(2r)
Router uptime is 19 minutes
Uptime for this control processor is 22 minutes
System returned to ROM by Reload Command at 21:14:19 UTC Tue Apr 13 2021
System image file is "bootflash:isr4300-universalk9.16.12.04.SPA.bin"
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Suite License Information for Module:'esg'
--------------------------------------------------------------------------------
Suite Suite Current Type Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9 None Smart License None
securityk9
appxk9
AdvUCSuiteK9 None Smart License None
uck9
cme-srst
cube
Technology Package License Information:
-----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
appxk9 appxk9 Smart License appxk9
uck9 uck9 Smart License uck9
securityk9 None Smart License None
ipbase ipbasek9 Smart License ipbasek9
The current throughput level is 300000 kbps
Smart Licensing Status: UNREGISTERED/EVAL MODE
cisco ISR4331/K9 (1RU) processor with 1694893K/3071K bytes of memory.
Processor board ID FLM1922W1BZ
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
3223551K bytes of flash memory at bootflash:.
0K bytes of WebUI ODM Files at webui:.
Configuration register is 0x2142 (will be 0x2102 at next reload)
Caution: A different configuration register value can produce unexpected behavior.
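An added example (not part of the original document and not Cisco tooling): a Python check that reads the configuration register line from show version output and flags a router left at 0x2142, which would come up without its startup-config, and therefore without its credentials, on the next reload. The bit meanings are the standard register layout (bit 6 ignores startup-config, bit 8 disables Break after boot, bits 0-3 are the boot field); the function names and the second and third sample lines are constructed for the example.

```python
import re

# Configuration register bits (standard Cisco IOS / IOS XE layout).
IGNORE_STARTUP_CONFIG = 0x0040  # bit 6: boot without loading startup-config
BREAK_DISABLED = 0x0100         # bit 8: Break is ignored after boot
BOOT_FIELD_MASK = 0x000F        # bits 0-3: 0 means stop at the rommon prompt

REGISTER_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

def decode(value):
    """Split a register value into the fields relevant to password recovery."""
    return {
        "value": hex(value),
        "ignores_startup_config": bool(value & IGNORE_STARTUP_CONFIG),
        "break_disabled": bool(value & BREAK_DISABLED),
        "boot_field": value & BOOT_FIELD_MASK,
    }

def audit_show_version(text):
    """Return (current, next_reload, findings) for a show version output."""
    match = REGISTER_LINE.search(text)
    if match is None:
        raise ValueError("no 'Configuration register is' line found")
    current = decode(int(match.group(1), 16))
    # Without a pending change, the next reload uses the current value.
    pending = decode(int(match.group(2), 16)) if match.group(2) else current
    findings = []
    if pending["ignores_startup_config"]:
        findings.append("next reload boots WITHOUT startup-config (bit 6 set)")
    elif current["ignores_startup_config"]:
        findings.append("booted without startup-config; normal value pending reload")
    if pending["boot_field"] == 0:
        findings.append("next reload stops at the rommon prompt (boot field 0)")
    return current, pending, findings

# Last line of the show version output on this page, then two constructed lines.
SAMPLES = [
    "Configuration register is 0x2142 (will be 0x2102 at next reload)",
    "Configuration register is 0x2142",  # constructed: register never restored
    "Configuration register is 0x2102",  # constructed: normal state
]

if __name__ == "__main__":
    for line in SAMPLES:
        current, pending, findings = audit_show_version(line)
        print(current["value"], "->", pending["value"], findings or "ok")
```

Run against collected show version output after any recovery, the first finding is the one to act on: a register still at 0x2142 with no pending change means the saved credentials are bypassed at every reboot.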
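Simulate the Break Signal
The default serial/console configuration can be viewed in the PuTTY configuration, as shown in the image.
If the router does not recognize the break signal correctly, you can simulate the signal with PuTTY in order to enter rommon mode.
Step 1. To simulate the break signal, you must set the serial/console configuration as follows:
- Speed: 1200.
- Data bits: 8.
- Stop bits: 1.
- Parity: None.
- Flow control: None.
This serial configuration is shown in the image.
After you connect to the device with the previous configuration, you no longer see any output from the console. This is expected behavior.
Step 2. You must reboot the device and press the space bar for 10-15 seconds in order to generate the break signal in the router.
After that, the router is in rommon mode, but you cannot see the rommon prompt.
Step 3. Open a PuTTY session with the default values and try to connect to the console again. It shows the rommon prompt.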