Password reset on Cisco ASA without downtime in an active/standby failover scheme

Recently I ran into a problem: a client has two Cisco ASA 5512-X units working in active/standby mode. The client forgot to update the passwords, and the passwords of all users expired. When you try to log in, the ASA only reports that the password has expired and gives no opportunity to change it. Since every user's password had expired, there was no way to connect and change a password at all. There has always been the hardware method of resetting the password by changing the configuration register, but downtime was not an option here, so that method did not fit. It was decided to use the standby ASA to avoid downtime. But there were some nuances:

1) If you simply reboot the standby ASA, enter ROMMON mode, change the configuration register and boot, we will get access and be able to change the passwords, but as soon as we execute

copy startup-config running-config

the standby ASA will immediately find the active node and synchronize the config from it.

2) If you disable synchronization and only then load the configuration, the standby ASA will take over the active IP addresses and we will have an address conflict.

After some thought, the following plan was devised:

1. Reboot the standby ASA, enter ROMMON, change the configuration register to 0x41 and boot:

rommon#1> confreg 0x41

rommon#2> boot

2. Now disable all standby ASA interfaces (either on the switch the ASA is connected to, or simply by pulling all the network cables out of the ASA itself).

3. Enter privileged EXEC mode:

hostname> enable

and load the saved configuration into the running config:

hostname# copy startup-config running-config

Here the standby ASA, with no active interfaces, can neither synchronize data nor cause an IP address conflict if it considers itself the active node. Enter configuration mode and add a new user for further access:

hostname# configure terminal
hostname(config)# username test password test

4. Here you can proceed in different ways: leave the cables disconnected and connect them physically only at the end, or connect them, but before doing so shut down all interfaces in the configuration. At this stage it was decided to shut down all interfaces through the configuration and prepare for reconnection (repeat the following for every interface):

hostname(config)# interface interface_id
hostname(config-if)# shutdown

5. Return the configuration register to the default, save the configuration and reboot.

hostname(config)# no config-register
hostname(config)# write

Now, after the restart, the standby ASA will boot with the config and with the test user we need. The ASA will not be able to find the active node to synchronize as standby, since the interfaces are shut down, and becoming active will not harm anything for the same reason.

6. Now, after booting with the desired configuration, we can connect using the test user. Connect and enter privileged EXEC mode. Next, bring up the interface or interfaces intended for failover. After that our standby ASA will find the active node, synchronize configs and go into standby mode. At that point our test user will be deleted, but since we are already in privileged EXEC mode, our session will remain. If we log out at this moment we will not be able to log in again, so we must be extremely careful here. All other interfaces will also come up because of the configuration synchronization from the active node.

We can change user passwords only on the active node, but we still do not have access to it. The way out is to make our standby ASA active using the access we already have. When our standby ASA goes into the Standby Ready state after synchronization with the active node, we can make the switch. You can view the status with the command:

hostname(config)# show failover state

And with the second command we switch the active role from the active ASA to our standby ASA:

hostname(config)# failover active

7. Now we have access on the active node. Here you can change the user passwords and, if necessary, switch back (if that is critical).
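Step 6 hinges on reading "Standby Ready" correctly before issuing `failover active`; if the unit we are logged into is still in Sync Config, forcing the switch is exactly what we want to avoid. As an added example (not from the original post and not the author's tooling), the Python below parses the output of `show failover state` and answers whether the unit we are on is Standby Ready with the peer Active and config sync finished. The sample outputs are constructed here, modelled on the usual two-lines-per-host layout of that command; how the text is fetched from the ASA (an SSH session, a console capture) is left to the caller.

```python
import re

# Constructed sample output, modelled on the two-lines-per-host layout that
# `show failover state` prints on an ASA failover pair (not captured from the
# author's devices; column widths vary between releases).
SAMPLE_READY = """\
               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Standby Ready  None
Other host -   Primary
               Active         None

====Configuration State===
        Sync Done
====Communication State===
        Mac set
"""

# Same layout, but this unit is still pulling the config from the peer.
SAMPLE_NOT_READY = """\
               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Sync Config    None
Other host -   Primary
               Active         None

====Configuration State===
====Communication State===
        Mac set
"""

# Failover unit states as the ASA prints them; longer names come first so the
# regex alternation does not cut "Standby Ready" down to a shorter match.
KNOWN_STATES = (
    "Standby Ready", "Sync File System", "Sync Config", "Bulk Sync",
    "Cold Standby", "Not Detected", "Negotiation", "Disabled", "Active",
    "Failed", "Unknown",
)
STATE_RE = re.compile(r"^(%s)\b" % "|".join(re.escape(s) for s in KNOWN_STATES))
HOST_RE = re.compile(r"^\s*(This|Other) host\s+-\s+(Primary|Secondary)\b")


def parse_failover_state(output):
    """Return {'this': (role, state), 'other': (role, state)}.

    The role (Primary/Secondary) sits on the host line; the unit state is the
    first column of the line immediately below it.
    """
    result = {}
    lines = output.splitlines()
    for idx, line in enumerate(lines):
        host = HOST_RE.match(line)
        if not host or idx + 1 >= len(lines):
            continue
        state = STATE_RE.match(lines[idx + 1].strip())
        if state:
            result[host.group(1).lower()] = (host.group(2), state.group(1))
    return result


def config_synced(output):
    """True when the Configuration State section reports 'Sync Done'."""
    return "Sync Done" in output


def safe_to_take_over(output):
    """Run against output taken on the unit reached in step 6.

    It must see itself as Standby Ready, the peer as Active, and the config
    sync as done; only then is `failover active` expected to be a clean switch.
    """
    st = parse_failover_state(output)
    return (
        st.get("this", (None, None))[1] == "Standby Ready"
        and st.get("other", (None, None))[1] == "Active"
        and config_synced(output)
    )


if __name__ == "__main__":
    print("ready:", safe_to_take_over(SAMPLE_READY))          # True
    print("not ready:", safe_to_take_over(SAMPLE_NOT_READY))  # False
```

The state vocabulary is kept as an explicit tuple rather than a free-form regex so that an unexpected state (or a layout change in a newer release) produces no match and the function answers False, which is the safe default when the next command is a forced role switch.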

Thus, in this scheme we can reset passwords without downtime. Only the delay when switching from the active node to the standby needs to be taken into account.
