A common problem for any newly installed system is its inability to initialize itself correctly. This chapter addresses the following common router startup problems:
Although this publication focuses on troubleshooting overall internetworking problems, the tables that follow provide some suggestions for diagnosing router hardware problems. Your hardware installation and maintenance publications provide information about specific light-emitting diode (LED) indicators.
This discussion does not provide a step-by-step procedure. It is included as a checklist and should be used as a starting point for troubleshooting. The following discussion suggests a three-stage process:
Each of these stages is discussed separately.
When you are initially evaluating a router that is having a problem, keep the following three rules in mind:
At this stage, concentrate on problems that are obvious. Follow these inspection steps.
Step 1 Skip this step if you are troubleshooting an access router (Cisco 2000 series, Cisco 2500 series, Cisco 3000 series, Cisco 4000 series or IGS). For modular systems (except the Cisco 4000 and Cisco 7000), switch the power off and inspect the system for loose cards, cables, and port adapters. Reseat any that are loose. When cards are new, a thin film of carbon or oxidation buildup can prevent good contact. After reseating each card once or twice, you should achieve good contact.
For the Cisco 4000 series systems, look for a loose network interface module (NIM). For the Cisco 7000 series systems, look for a loose Route Processor (RP), Switch Processor (SP), Silicon Switch Processor (SSP), or interface processor. Reseat any that are unseated. Be sure to use the ejector levers properly and to tighten all captive installation screws on the RPs, SPs, SSPs, interface processors, and power supplies. After reseating each card and tightening the captive installation screws, you should achieve good contact. For more information, refer to your hardware installation manual.
Step 2 Remove the chassis access panel and inspect the interior. Are the wires to the power supply connected correctly? Are wires burned or otherwise damaged?
Step 3 For systems other than Cisco 7000 series systems, look for damaged cards, backplanes, and ribbon cables. Are there any visibly crimped or shorted wires or cables?
Step 4 Check for missing or loose parts, incorrectly connected cables, and anything that appears out of place. Does the unit need to be cleaned? Is there damage to the interior or exterior?
After you inspect the system, apply power to the unit and observe its behavior. If you suspect a hardware problem, follow these steps to evaluate operational conditions upon power-up:
Step 1 Power up the system (with system disconnected from a network).
(When you power up a Cisco 7000 series system, the enabled LED on an SP, SSP, or interface processor will eventually go on if the card is seated correctly. If any enabled LEDs do not go on, power down the system and be sure that the cards are properly seated as discussed in the previous section, "Inspecting Your Router.")
Step 2 Compare system behavior against symptoms outlined in Table 2-1.
Step 3 If a failure does not fit the examples in Table 2-1, verify that the software in the processor and the microcode in the various cards are compatible with the individual card revisions within the chassis. Refer to the release document provided with your system.
Step 4 If the system boots, use the show controllers {token | mci | fddi | cbus} EXEC command to ensure that the interface hardware addresses are nonzero. Hardware addresses of all zeros will cause problems in a network.
(For Cisco 7000 series systems, use the show controllers cxbus EXEC command and check the output of the show configuration privileged EXEC command. With downloadable microcode and software images stored in Flash memory, the system might be configured to load incompatible software or microcode.)
Step 5 As a last resort, for systems other than Cisco 7000 series systems, you can use a voltmeter to ensure that all the power supply direct current (DC) voltages are within specifications. Refer to the configuration note (if one has been provided) for your power supply model.
For Cisco 7000 series systems, LEDs on the power supplies indicate whether power is within specification: the green alternating current (AC) power LED should be on and the red DC fail LED should be off. You can also use the show environment EXEC command to obtain a reading of the power supply voltages.
If you are replacing a part or card to remedy a suspected problem, remember the following rules:
Use Table 2-2 as the next step in evaluating hardware. The problems listed are not all of the possible failures for each product, but do represent commonly encountered symptoms. Where applicable, possible error messages associated with failure symptoms are also listed.
If you determine that a part or card replacement is required, contact your sales or technical support representative. Specific instructions concerning part or card installation are included with the configuration note provided with the replacement.
If a part replacement appears to solve a problem, make certain to reinstall the suspect part to verify the failure. Always double-check a repair.
Table 2-3 through Table 2-6 summarize general problem-solving guidelines for common media (Ethernet, Token Ring, serial lines, and FDDI).
Media Problem | Suggested Actions |
---|---|
Nonfunctional serial line | Step 1 Use the show interfaces serial EXEC command to determine the status of the interface. Step 2 If the show interfaces serial command indicates that the interface and line protocol are up, use the ping EXEC command between routers to test connectivity. Isolate possible circuit problems by looping the local DTE back to the RTS interface pin. Step 3 If routers do not respond to the ping test, follow the troubleshooting techniques as discussed in the "Troubleshooting Serial Line Problems" chapter. Step 4 If clock and data signals are out of phase, invert the clock signal. |
Routers allow for system initialization (booting) using several methods. Systems can be booted in any of four ways:
The material that follows addresses problems that might arise during the booting process.
If you are unable to resolve your booting problem, collect the following information for the technical support representative:
Routers support netbooting via both the Trivial File Transfer Protocol (TFTP) and the DEC Maintenance Operation Protocol (MOP) across all supported media types such as Ethernet, FDDI, serial lines, Token Ring, and High-Speed Serial Interface (HSSI). During netbooting sessions, routers behave like hosts: they route via proxy Address Resolution Protocol (ARP), Serial Line Address Resolution Protocol (SLARP) information, Internet Control Message Protocol (ICMP) redirects, or a default gateway. When netbooting, routers ignore dynamic routing information, static IP routes, and bridging information. As a result, intermediate routers are responsible for handling ARP and User Datagram Protocol (UDP) requests correctly. For serial and HSSI media, ARP is not used.
If you need to netboot from a server, you should first ping the server from the ROM software. If you are unable to ping the server, first look for a solution in Table 2-7. If none of the problems described in Table 2-7 explains the ping failure, there is probably a problem with the server configuration or hardware. Contact your router or TFTP server technical support representative for assistance.
Network failures can make netbooting impossible. After Flash memory is installed and configured, configure the router to boot in the following order to reduce the effects of a server or network failure:
The order of the commands needed to implement this strategy is illustrated in the following sample output:
klamath#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
klamath(config)#boot system flash gsxx
klamath(config)#boot system gsxx 131.108.1.101
klamath(config)#boot system rom
klamath(config)#^Z
klamath#
%SYS-5-CONFIG_I: Configured from console by console
klamath#write memory
[ok]
klamath#
Using this strategy, a router has three sources from which to boot: Flash memory, netboot, or ROM. Providing alternative sources can help to mitigate any potential failure of the TFTP server or the network.
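The ordering described above can be checked mechanically. The following is an added example, not part of the original chapter: it reads `boot system` lines from a saved configuration or a console transcript and reports missing fallbacks or an order other than Flash, netboot, ROM. The function names and the second sample are constructed for illustration.

```python
import re

# Matches a "boot system ..." line, with or without a "(config)#" prompt in front.
BOOT_CMD = re.compile(r"^(?:\S+\(config\)#)?\s*boot system\s+(?P<args>\S.*?)\s*$")

# Order recommended by the fault-tolerant strategy: Flash, then netboot, then ROM.
RECOMMENDED = ["flash", "netboot", "rom"]

# The session shown on this page.
PAGE_SESSION = """\
klamath#configure terminal
klamath(config)#boot system flash gsxx
klamath(config)#boot system gsxx 131.108.1.101
klamath(config)#boot system rom
klamath(config)#^Z
"""

# Constructed counter-example: netboot listed first, no ROM fallback.
CONSTRUCTED_BAD = """\
boot system gsxx 131.108.1.101
boot system flash gsxx
"""


def boot_sources(config_text):
    """Return (kind, detail) for each boot system command, in configured order."""
    sources = []
    for line in config_text.splitlines():
        m = BOOT_CMD.match(line)
        if m is None:
            continue
        args = m.group("args").split()
        kind = args[0].lower()
        if kind in ("flash", "rom"):
            sources.append((kind, " ".join(args[1:])))
        else:
            # Anything else names an image to fetch over the network.
            sources.append(("netboot", " ".join(args)))
    return sources


def check_boot_order(config_text):
    """List the ways the configuration departs from Flash -> netboot -> ROM."""
    kinds = [kind for kind, _ in boot_sources(config_text)]
    problems = [f"missing {want} fallback" for want in RECOMMENDED if want not in kinds]
    # Compare the order in which each kind first appears with the recommended order.
    first_seen = [k for i, k in enumerate(kinds) if k not in kinds[:i]]
    expected = [k for k in RECOMMENDED if k in kinds]
    if first_seen != expected:
        problems.append(
            "order is " + " -> ".join(first_seen)
            + ", expected " + " -> ".join(expected)
        )
    return problems


if __name__ == "__main__":
    for name, text in (("page session", PAGE_SESSION), ("constructed", CONSTRUCTED_BAD)):
        print(name, boot_sources(text), check_boot_order(text) or "ok")
```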
When netbooting, it is not unusual for a client to retransmit requests before receiving a response to an initial ARP request. The retransmissions can result in timeouts, out-of-order packets, and multiple responses. Timeouts (shown as periods in a netbooting display) and out-of-order packets (shown as uppercase Os) do not necessarily prevent a successful boot. It is acceptable to have either or both of these in the first few packets. Exclamation points represent good packets. The following examples show successful netbooting sessions even though timeouts and out-of-order packets have occurred:
Booting gs3-bfx from 131.108.1.123: !.!!!!!!!!!!!!!!!!!!!!!!
Booting gs3-bfx from 131.108.1.123: !O.O!!!!!!!!!!!!!!!!!!!!!!
If your session has many out-of-order packets and timeouts, the problem will require some attention. Problems that might result in timeouts and out-of-order packets and recommended solutions are discussed in the troubleshooting tables that follow.
Booting problem symptoms are discussed in the following sections:
Symptom: In the most general case, a router tries to obtain its system image over the network, but fails. Netbooting failures can result from several problems. Following is an example display generated by the system when it cannot boot:
Booting gs3-bfx..........[failed]
Table 2-7 outlines possible causes and suggests actions for when a router cannot boot from a TFTP server. Other specific symptoms and problems are outlined in subsequent discussions.
Possible Causes | Suggested Actions |
---|---|
Network is disconnected or isolated | Step 1 Boot the router from ROM or Flash memory if possible. Step 2 Use the ping EXEC command to send a message to the broadcast address (255.255.255.255). Step 3 Look for an ICMP Echo Reply response for a TFTP server. Step 4 If no response occurs, use the show arp EXEC command to look for an entry associated with the server. Step 5 Use the show ip route EXEC command to look for an entry listing the network or subnet for the server. If a path to a boot server exists, a disconnected network is not the problem. If no path exists, make sure that a path is available before continuing to attempt router netbooting. |
TFTP server is down | Step 1 Check the intended server system to determine whether the TFTP server is running. You can do this by attempting to make a TFTP connection from the boot server to itself. The connection will be successful if the TFTP server is running. Step 2 If the TFTP server is not running, initialize it. The actual initialization process varies depending on the type of boot server. (For a BSD UNIX server, check the /etc/inetd.conf file. If the TFTP server is not included in this file, add the appropriate line and cause inetd to reload its configuration.) |
Misconfigured server (router image in wrong directory) | Step 1 Look at the server configuration file to see if it points to the directory in which the router image resides. Step 2 Move the router image to the correct directory if necessary. Step 3 Make sure the /tftpboot directory is reachable over the network. |
Misconfigured server (router system image file permission is incorrect) | Step 1 Check the permission of the file. Step 2 If necessary, change the permission. For example, for a UNIX boot server, set the permission for the file to owner read/write, group read, and global read (the UNIX command for setting this permission is chmod 0644). |
Misconfigured server (bad protocol address) | Step 1 Check the server configuration file for the IP address of the host. Step 2 Change if incorrect. |
Server requires default gateway configuration | Step 1 Check the router configuration file for the ip default-gateway global configuration command, which defines a default gateway. Step 2 Refer to the section "IP Default Gateway Configuration Notes" later in this chapter for more information about configuring default gateway support. |
Misconfigured router (bad server address specification in boot system global configuration command) | Step 1 Check the router configuration file for the boot server address (IP address of a TFTP server or MAC address of a MOP server). Step 2 Change if necessary. |
Misconfigured router (bad router address specification) | Step 1 Check the router configuration file for the router address (IP address only). Step 2 Change if not correct. |
Misconfigured router (wrong filename) | Step 1 Check the router configuration file for boot filename. Step 2 Change as necessary. (Check the host's documentation for details about setting the name of the system image on the TFTP server.) Note that some versions of the ROM are case sensitive. Contact your router technical support representative for specific details. |
Misconfigured router (wrong configuration register setting) | Step 1 Check the configuration register setting for your system. (If you want to boot from a server over the network, you must set the configuration register appropriately. The specific configuration for netbooting depends on the platform that is being booted.) Step 2 Determine whether you want to manually or automatically netboot from a TFTP server. To manually netboot, the configuration register must be set to 0x0; otherwise, you will be netbooting automatically using the default system image name or one specified with the boot system global configuration command. Refer to your configuration, command reference, and hardware installation and maintenance publications for more details about setting the configuration register. |
Incorrect filename | Step 1 Compare the router image filename on the boot server with the name specified in the router configuration. Step 2 Make sure they match. |
Symptom: Timeouts (shown as periods on a netbooting display) and out-of-order packets (shown as uppercase Os) might prevent systems from netbooting. Depending on the cause, the number of timeouts and out-of-order packets indicated on the router's console display can vary, suggesting different underlying problems.
The following example shows a netbooting session that contains excessive timeouts and out-of-order packets:
Booting gs3-bfx from 131.108.1.123: !O.O!.O..O!!!OOO.O!!.O.O.....
It is possible that the client router will boot under this situation. However, when excessive timeouts and out-of-order packets are occurring, there is probably some kind of problem on the network, and netbooting (as well as network service availability) may be inconsistent.
Table 2-8 outlines possible causes and suggests actions to take when timeouts or out-of-order packets prevent a netboot.
Symptoms: As a TFTP client, the router can determine the path to a TFTP server using ARP. Using this technique, the router sends TFTP packets over the same path from which it received an ARP response. If this path becomes invalid, packets sent from the router to the server might fail even though the router has successfully received an ARP response to its ARP request. If the router is sending packets over an invalid path, a message similar to one of the following is displayed on the console:
Booting gs3-bfx!OOOO..........[timed out]
Booting gs3-bfx!.O.O.O.O..........[timed out]
Booting gs3-bfx!!!!!!!!!!OOOOOOOOOO..........[timed out]
In some cases, you also might notice that there is an initial response from a server, but that the netboot sequence still fails. The boot message would be similar to the following:
Booting gs3-bfx!..........[failed]
Table 2-9 outlines possible causes and suggests actions when invalid routing paths prevent netbooting.
Possible Cause | Suggested Actions |
---|---|
Bad routing paths on neighbor routers | Step 1 Verify that neighbor routers can ping the server. Step 2 Use the trace EXEC command to determine their paths to the server. Step 3 Use the show arp or show ip route EXEC command to examine the ARP tables or IP routing tables of the neighbor routers to verify that the server is listed and that the routing table entries are appropriate. Step 4 Use the clear arp-cache and clear ip-route privileged EXEC commands as necessary. Step 5 Attempt to netboot the router again. |
Problems caused by multiple paths | Step 1 Shut down all extra interfaces except the one over which you intend to netboot the router. Step 2 Use the no ip proxy-arp interface configuration command on all neighboring routers to shut down their ability to provide proxy ARP responses. Make this change with care because it can cause problems for other network traffic. As an alternative, boot the router from ROM and configure the ip default-gateway global configuration command if you do not want to disable proxy ARP. Use of this command is discussed briefly in the following section "IP Default Gateway Configuration Notes." Step 3 Try to netboot the router. |
To send IP packets to other stations on the same network, an end station must have an IP address and a network mask. A router discovery protocol, such as the ICMP Router Discovery Protocol (IRDP) or the Gateway Discovery Protocol (GDP), can be used to learn new addresses. Another way to facilitate communication is to use proxy ARP, which, when supplied by a router, allows an end station to believe that other stations are on the same network, even though the other stations are actually behind the router that is supplying proxy ARP.
Some system images do not support IRDP, GDP, and proxy ARP. The system images that do not support IRDP, GDP, and proxy ARP are the igs-rxboot image, which is the system image stored in the Cisco 3000 EPROM, and the xx-rxboot image, which is the system image stored in the Cisco 4000 EPROM. These system images do not contain the IP routing software found in the EPROMs of other router models. Instead, they are smaller images that are capable of booting from Flash memory and of netbooting. When Flash memory does not contain a valid image, use the copy tftp flash privileged EXEC command to copy a fully functional system image from a TFTP server to Flash memory.
If you have booted a local router using the igs-rxboot image or the xx-rxboot image, and you need to obtain a system image from a TFTP server that is on a different network and the intervening router does not support IRDP, GDP, or proxy ARP for the port adjacent to the local router, the local router must have the ip default-gateway global configuration command in its configuration to identify the IP address of the intervening router.
Consider a case in which the Flash memory of a Cisco 2500, a Cisco 3000, or a Cisco 4000 has no usable image due to an error, such as copying an incorrect image to it. If a reboot occurs, the only image available to run is the xx-rxboot image. Use the copy tftp flash privileged EXEC command to copy a new system image to the Cisco 4000. Before you can use the copy tftp flash command, you must include the ip default-gateway global configuration command in the Cisco 4000's configuration to reach a remote TFTP server. A sample session illustrating the use of these commands follows:
router(boot)#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ip default-gateway 130.108.1.7
^Z
%SYS-5-CONFIG_I: Configured from console by console
router(boot)#copy tftp flash
IP address or name of remote host [255.255.255.255]?server1
Name of tftp filename to copy into flash []? IJ09140Z
copy IJ09140Z from 131.131.101.101 into flash memory? [confirm]<Return>
xxxxxxxx bytes available for writing without erasure.
erase flash before writing? [confirm]<Return>
Clearing and initializing flash memory (please wait)####...
Loading from 131.131.101.101: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!... [OK - 324572/524212 bytes]
Verifying checksum... VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV...
Flash verification successful. Length = 1204637, checksum = 0x95D9
Symptoms: When netbooting via a path that requires the client to use proxy ARP, the router being netbooted sends an ARP request to the server over every available network interface configured for IP. The router expects the server or an intermediate system to return an ARP response. If the router does not receive an ARP response, a message similar to the following is displayed at the console:
Booting gs3-bfx..........[timed out]
Table 2-10 outlines possible causes and suggests actions when client ARP requests time out during a netboot.
Possible Cause | Suggested Actions |
---|---|
Wrong filename or other configuration problem | Step 1 Check the filename definition and path specified on the server. Step 2 Check the problems discussed earlier in this section under the symptom "Router Cannot Netboot from TFTP Server." |
Intermediate routers have ARP filtering enabled | Step 1 Boot the router from ROM. Step 2 Make sure you can ping the server from the router. Step 3 Try the write network privileged EXEC command to test TFTP connectivity with the server. Step 4 If these steps are successful, at the intermediate router check the configuration using the show arp EXEC command. Step 5 Enable the debug arp privileged EXEC command to determine whether neighbor proxy ARP responses are being generated. Step 6 If the neighbor is not sending proxy ARP responses and its configuration contains the no ip proxy-arp interface configuration command, disable ARP filtering by removing the entry. Note that proxy ARP is enabled by default. Step 7 If you need to have a no ip proxy-arp entry in the neighbor router configurations, use the ip default-gateway global configuration command in the router. Use of this command is discussed briefly in the section "IP Default Gateway Configuration Notes," earlier in this chapter. |
Configuration of the serial interface on the router being netbooted includes a broadcast destination, but an intermediate router does not have the required IP helper address defined to point to the TFTP server | Step 1 Check the configurations of all routers in the path. Step 2 Include helper addresses as required using the ip helper-address interface configuration command. If you are unicasting to your server, you do not need to use the IP helper address, but if you are broadcasting to 255.255.255.255 (by omitting the IP address of the server), add the ip helper-address command on the neighboring router interface used in the netbooting broadcast. |
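The netboot console displays shown in the preceding symptom discussions can be triaged automatically. The following is an added example, not part of the original chapter: it parses a "Booting ..." line, counts good packets (!), timeouts (.) and out-of-order packets (O), and names the table in this chapter to start from. The four-packet window for "the first few packets" and the verdict names are assumptions.

```python
import re
from collections import Counter

# Line shapes taken from the console samples on this page:
#   Booting <image> from <server>: <progress>
#   Booting <image><progress>[failed]   or   [timed out]
BOOT_LINE = re.compile(
    r"^Booting\s+(?P<image>\S+?)"
    r"(?:\s+from\s+(?P<server>\d{1,3}(?:\.\d{1,3}){3}):)?"
    r"\s*(?P<progress>[!.O]*)"
    r"\s*(?:\[(?P<status>failed|timed out)\])?\s*$"
)

EARLY_WINDOW = 4  # assumption: how many packets count as "the first few"

# Console lines quoted from this page.
PAGE_SAMPLES = [
    "Booting gs3-bfx from 131.108.1.123: !.!!!!!!!!!!!!!!!!!!!!!!",
    "Booting gs3-bfx from 131.108.1.123: !O.O!!!!!!!!!!!!!!!!!!!!!!",
    "Booting gs3-bfx from 131.108.1.123: !O.O!.O..O!!!OOO.O!!.O.O.....",
    "Booting gs3-bfx..........[failed]",
    "Booting gs3-bfx!OOOO..........[timed out]",
    "Booting gs3-bfx!..........[failed]",
    "Booting gs3-bfx..........[timed out]",
]


def triage(line):
    """Classify one netboot console line and name the table to start from."""
    m = BOOT_LINE.match(line.strip())
    if m is None:
        return None  # not a netboot progress line
    progress = m.group("progress")
    counts = Counter(progress)
    good = counts["!"]
    # Timeouts and out-of-order packets after the first few packets.
    late_noise = sum(1 for ch in progress[EARLY_WINDOW:] if ch in ".O")
    status = m.group("status")

    if status is not None and good == 0:
        # The server never answered: ARP timeout or general netboot failure.
        verdict = "no-response"
        table = "Table 2-10" if status == "timed out" else "Table 2-7"
    elif status is not None:
        # Packets arrived at first, then the transfer died: suspect the path.
        verdict, table = "lost-after-response", "Table 2-9"
    elif late_noise:
        verdict, table = "excessive-noise", "Table 2-8"
    elif good:
        verdict, table = "ok", None
    else:
        verdict, table = "incomplete", None

    return {
        "image": m.group("image"),
        "server": m.group("server"),
        "good": good,
        "timeouts": counts["."],
        "out_of_order": counts["O"],
        "status": status,
        "verdict": verdict,
        "start_with": table,
    }


if __name__ == "__main__":
    for sample in PAGE_SAMPLES:
        result = triage(sample)
        print(f'{result["verdict"]:<20} {result["start_with"] or "-":<11} {sample}')
```

The parser assumes the image name does not end in `!`, `.` or uppercase `O`, because the display prints the progress characters directly after the name.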
Symptom: For an IGS attempting netbooting, console display indicates "vector errors." Figure 2-1 illustrates an example of the kind of message that will appear.
Table 2-11 outlines a possible cause and suggests actions when vector errors occur during a netboot.
Symptom: When netbooting a router, the console display indicates that "buffer overflow" has occurred, and the router is unable to boot. Table 2-12 outlines possible causes and suggests actions when buffer overflows occur during the netboot process.
Symptom: When netbooting a router, the console display indicates "undefined load module" error, and the router is unable to boot. Table 2-13 outlines a possible cause and suggests actions when an undefined load module error occurs during a netboot.
Symptom: When booting a router from another router acting as a TFTP server, the router is unable to initialize properly. This symptom can be caused by any of the problems outlined in the preceding netbooting symptom discussions.
This section focuses on the problems of routers that are acting as TFTP servers. Table 2-14 outlines possible causes and suggests actions when a router cannot boot from other routers.
Possible Cause | Suggested Actions |
---|---|
Misconfigured TFTP server/router (missing or incorrect tftp-server global configuration command) | Step 1 Use the write terminal privileged EXEC command to determine whether the tftp-server system global configuration command is missing or incorrectly specified. Step 2 Add or modify the tftp-server system global configuration command as necessary on the router intended to be the TFTP server. Specify the name of a file in Flash memory. |
Wrong/incomplete image in Flash memory | Step 1 Use the show flash EXEC command to determine whether the image is incomplete. This display might show that the image is deleted and indicate the reason. Figure 2-2 shows an example of show flash output. Figure 2-3 illustrates the "wrong system software" message that is displayed when a router attempts to boot an incorrect image. In this case, the router is being booted from the ROM monitor. Step 2 Obtain the correct image. (If necessary, contact your router technical support representative to determine which image is correct.) Step 3 When you identify the correct image, use the privileged EXEC command copy tftp flash at the router to retrieve the image. |
Symptom: When a router is booting from ROM, the processor might be unable to access a portion of the system memory. If this is the case, the router will be unable to complete its boot process and will not start the ROM monitor. Table 2-15 outlines a possible cause and suggests actions when local timeouts occur when booting from ROM.
Symptom: When booting a Cisco 7000 series, AGS+, AGS, ASM-CS, MGS, IGS, or CGS router from ROM, the systems might hang after the ROM monitor initializes.
Table 2-16 outlines possible causes and suggests actions when a router hangs after the ROM monitor initializes.
Symptom: When booting a router from ROM, the system boots into ROM monitor mode, but does not boot the complete system image. Table 2-17 outlines possible causes and suggests actions when a router is stuck in ROM monitor mode.
Symptom: When booting from ROM, the router displays indecipherable textual output on the monitor. Table 2-18 outlines possible causes and suggests actions when output is scrambled while booting from ROM.
Possible Cause | Suggested Actions |
---|---|
Wrong terminal speed setting or wrong configuration register setting | Step 1 Use the monitor setup menu to check the terminal line speed setting for the monitor. Step 2 Check the terminal speed configured on the router as specified in the configuration register setting (default is 9600 baud, 8 databits, 2 stop bits, and no parity). Step 3 If the terminal speed of the monitor and the router do not match, modify as necessary. (Refer to your hardware installation and maintenance documentation for details about setting up the monitor.) |
Bad router hardware. An example is a bad dual universal asynchronous receiver transmitter (DUART). The DUART controls the system console and auxiliary ports. A failed DUART causes the far left LED on a CSC/3 or CSC/4 card to blink repeatedly. | Step 1 Troubleshoot router hardware as discussed in the section "Diagnosing Router Hardware Problems," earlier in this chapter. |
Symptom: When booting a router from Flash memory, the system display indicates that a vector error occurred. Table 2-19 outlines possible causes and suggests actions when vector errors occur when booting from Flash memory.
Symptom: When booting a router from Flash memory, the boot process halts and the router displays the boot [router(boot)>] prompt. In addition, the router will not route, although the EXEC commands may appear to be operational. This symptom only applies to Cisco 2000, Cisco 2500, Cisco 3000, and Cisco 4000 routers.
Table 2-20 outlines possible causes and suggests actions when a router boots partially and displays the router(boot)> prompt on the console.
Possible Cause | Suggested Actions |
---|---|
No system image in Flash memory | Step 1 Use the show flash EXEC command to determine whether an image exists in Flash memory. Step 2 If no image exists, use the copy tftp flash privileged EXEC command to copy the system image from your TFTP server to the router's Flash memory. See the section "IP Default Gateway Configuration Notes," earlier in this chapter, for extra steps that you might have to perform. Step 3 Enter the privileged EXEC command reload to boot the router. |
Misconfigured router (missing boot system flash global configuration command) | Step 1 Enter enabled mode. Step 2 Use the write terminal privileged EXEC command to determine whether the active configuration includes an entry for the boot system flash global configuration command. Use the show configuration privileged EXEC command to determine if the boot system flash command is included in the configuration stored in NVRAM. Step 3 Check the order of the boot system commands. For the recommended ordering, refer to the section "Using a Fault-Tolerant Boot Strategy" earlier in this chapter. Step 4 Add the boot system flash command or reorder the boot system commands if necessary. Step 5 Save the configuration change to NVRAM using the write memory privileged EXEC command. |
Misconfigured configuration register | Step 1 Check the configuration register setting; make sure it is set to boot from Flash memory (for example, 0x102). Step 2 Refer to your hardware installation and maintenance publication for details regarding configuration register settings. |
Symptom: When booting a router from Flash memory, the boot process appears to complete, but the router does not route traffic or communicate with neighbors. The EXEC might or might not function. Table 2-21 outlines possible causes and suggests actions when a router fails to boot from Flash memory.
Symptom: A terminal connected to the console port of an unconfigured Cisco access server (currently, the Cisco 2500 series access servers are the only Cisco devices that have an RJ-45-based console port) displays bootup banners and begins the Setup routine, but the user cannot input commands from the terminal keyboard. Table 2-22 describes possible causes and suggests actions for an unresponsive terminal connection to an unconfigured access server.
The following procedures describe the steps required to recover a lost login or enable password. The procedure differs depending on the platform and the software used, but in all cases, password recovery requires that the router be taken out of operation and powered down. Should you need to perform one of the following procedures, make certain that there are secondary systems that can temporarily serve the functions of the router undergoing the procedure. If this is not possible, advise all potential users and, if possible, perform the procedure during low use hours. Finally, be aware of the possible consequences of removing and reinserting a router on a functioning network.
All of the procedures for recovering lost passwords depend upon changing the configuration register of the router. Depending on the platform and software you are using, this will be done by reconfiguring the router software or by physically moving a jumper or dual inline package (DIP) switch on the router. Table 2-23 shows which platforms have configuration registers in software and which require that you change the jumper or DIP switch position to change the configuration register.
The more recent platforms produced by Cisco run from Flash memory or are netbooted and have the capability to ignore the contents of NVRAM upon booting. (Cisco 7000 series routers that boot from Flash memory or netboot have this capability as well; a Cisco 7000 that boots from ROM has this capability if it is running Cisco IOS Release 10.0 or later.) Ignoring the contents of NVRAM permits you to bypass the configuration file (which contains the passwords) and gain complete access to the router. You can then recover the lost password(s) or configure new ones.
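Because a register value that ignores NVRAM bypasses the configuration file holding the passwords, a router left at such a value is worth finding. The following is an added example, not part of the original chapter: it decodes the register values this chapter uses (0x0, 0x102, 0x42, 0x041) and audits a device inventory for bit 6. It assumes the "Configuration register is 0x..." line printed by show version and the standard low-four-bit boot field; host names and sample lines are constructed.

```python
import re

IGNORE_NVRAM = 0x0040  # bit 6: boot while ignoring the contents of NVRAM
BOOT_FIELD = 0x000F    # low four bits select the boot source (standard layout)

# Assumed input: the register line from "show version". The parenthesised part
# appears when a changed value is waiting for the next reload.
REG_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

# Constructed inventory: host name -> captured register line.
CONSTRUCTED_INVENTORY = {
    "edge-1": "Configuration register is 0x102",
    "edge-2": "Configuration register is 0x42",
    "edge-3": "Configuration register is 0x42 (will be 0x102 at next reload)",
    "edge-4": "Configuration register is 0x102 (will be 0x041 at next reload)",
    "lab-5": "Configuration register is 0x0",
    "lab-6": "uptime is 3 weeks",
}


def decode(value):
    """Split a register value into the fields this chapter relies on."""
    boot = value & BOOT_FIELD
    if boot == 0:
        source = "stay in ROM monitor (manual boot)"
    elif boot == 1:
        source = "boot the ROM image"
    else:
        source = "boot system commands or default image"
    return {
        "value": value,
        "boot_field": boot,
        "boot_source": source,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
    }


def audit(inventory):
    """Return {host: [issues]} for registers that need attention."""
    findings = {}
    for host, text in inventory.items():
        m = REG_LINE.search(text)
        if m is None:
            findings[host] = ["no configuration register line found"]
            continue
        current = decode(int(m.group(1), 16))
        # A pending value, if present, is what the next reload will use.
        at_reload = decode(int(m.group(2), 16)) if m.group(2) else current
        issues = []
        if current["ignore_nvram"]:
            issues.append("booted with NVRAM ignored")
        if at_reload["ignore_nvram"]:
            issues.append("next reload will ignore NVRAM")
        if at_reload["boot_field"] == 0:
            issues.append("next reload stops at the ROM monitor")
        if issues:
            findings[host] = issues
    return findings


if __name__ == "__main__":
    for host, issues in audit(CONSTRUCTED_INVENTORY).items():
        print(f"{host}: " + "; ".join(issues))
```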
Figure 2-4 shows a flow chart describing the password recovery procedure for the following platforms:
Figure 2-4 illustrates the password recovery procedure for all of these platforms. Some of these platforms are configurable in software and do not require a hardware change. Others require that you physically change the position of the configuration register jumper on the processor card. Figure 2-4 shows diverging paths, when necessary, to take you through the steps required for the platform and software with which you are working. Refer to Table 2-23 to determine if the platform with which you are working is configurable in the software, or if it requires you to physically move the jumper.
The following procedure describes the password recovery process for the following platforms only:
For the platforms listed, be certain to follow the path shown in the flowchart (see Figure 2-4) labeled "Cisco 2000, 2500, 3000, 4000 series; Cisco 7000 series running Software Release 9.17(4) or later (Flash/netboot) or Cisco IOS Release 10.0 or later (ROM); IGS running Software Release 9.1 or later."
For the step-by-step password recovery sequence for other platforms, see one of the following sections: "Password Recovery Procedure," "Password Recovery Procedure," "Password Recovery Procedure," or "Password Recovery Procedure."
Following is the password-recovery procedure for Cisco platforms running current Cisco IOS software:
Step 1 Power cycle the router. (This consists of turning off the power to the router and turning it back on again.)
Step 2 Issue the break key sequence for your terminal or terminal emulation software within 60 seconds of turning on the power.
The ROM monitor (>) prompt will appear.
Step 3 Enter the e/s 2000002 command. (For Cisco 7000 series routers, enter e/s XXXXXXXX.) This command examines the short (16-bit) memory location for the software configuration register.
Record the output resulting from this command. This is the software configuration register value.
Step 4 Enter the q (quit) command to return to the ROM monitor (>) prompt.
Step 5 Enter the o/r 0x42 command. (For a Cisco 2500, use the command 0x041.) The value 42 (or 41 on a Cisco 2500) sets bit 6 of the software configuration register, which allows the router to ignore the contents of NVRAM when booting. (Be sure to enter 0x followed by the configuration register value.)
Step 6 Enter the i (initialize) command at the ROM monitor (>) prompt. The router will reboot.
Step 7 Answer no to all of the Setup questions.
Step 8 Enter the enable EXEC command at the Router> prompt.
Step 9 If your password is clear text (is not encrypted), proceed to Step 13.
or
If your password is encrypted, continue with Step 10.
Step 10 If your password is encrypted, enter the configure memory privileged EXEC command. This writes the stored configuration into running memory.
Step 11 Enter the configure terminal privileged EXEC command to enter router configuration mode.
Step 12 If you lost the enable password, use the enable-password global configuration command to configure a new password and press ^Z to exit configuration mode.
or
If you lost the login password, configure the console line using the login and password line configuration commands. Enter ^Z to exit configuration mode and proceed to Step 15.
Step 13 If your password is clear text (is not encrypted), enter the show configuration privileged EXEC command to view the current configuration.
Step 14 If you lost the enable password, locate the enable-password global configuration command entry in the configuration and record the password.
or
If you lost the login password, find the configuration entries for the console line and record the password indicated by the password line configuration command.
Step 15 Issue the write memory privileged EXEC command to write the configuration into running memory.
Caution: Issuing the write memory command at this point on a Cisco 2500, Cisco 3000, or Cisco 4000 will overwrite the configuration. Make certain you have a backup of your configuration file.
Step 16 The router is now fully functional, and you can use your recovered or reconfigured password(s) as usual.
Step 17 In privileged EXEC mode, enter router configuration mode using the configure terminal privileged EXEC command.
Step 18 Change the software configuration register to its original value using the config-register global configuration command. You must enter 0x and then the software configuration register value that you recorded in Step 3. Using the example value of 2102, the command would be config-register 0x2102.
Step 19 Exit from router configuration mode by entering ^Z.
The next time the router is power cycled or restarted with the reload privileged EXEC command, the bootup process will proceed as normal. Use your new or recovered password to gain access to the router after it reboots.
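As an added example (not part of the original procedure and not Cisco code), the Python sketch below decodes the register values used in the steps above (0x42, 0x41, 0x2102) and flags a router on which Step 18 was skipped, so that bit 6 is still set for the next boot. The `show version` register-line format, the hostnames, and the sample lines are assumptions constructed for illustration; `recorded` stands for the value noted in Step 3.

```python
import re

IGNORE_NVRAM = 1 << 6      # bit 6: ignore NVRAM contents at boot (from the procedure)
BOOT_FIELD_MASK = 0x000F   # bits 0-3: boot field (standard register layout)

# Assumed format of the register line in `show version` output.
REG_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]{1,4})"
    r"(?: \(will be (0x[0-9A-Fa-f]{1,4}) at next reload\))?")


def decode(value):
    """Break a 16-bit configuration register value into the fields used here."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    return {
        "hex": f"0x{value:04X}",
        "bits_set": [b for b in range(16) if value >> b & 1],
        "boot_field": value & BOOT_FIELD_MASK,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
    }


def audit(hostname, show_version_text, recorded):
    """Return findings for one router; `recorded` is the value noted in Step 3."""
    m = REG_LINE.search(show_version_text)
    if m is None:
        return [f"{hostname}: no configuration register line found"]
    current = int(m.group(1), 16)
    # With no pending change, the next reload uses the current value.
    at_reload = int(m.group(2), 16) if m.group(2) else current
    findings = []
    if decode(at_reload)["ignore_nvram"]:
        findings.append(f"{hostname}: bit 6 set in 0x{at_reload:04X}; "
                        "next boot ignores NVRAM and its passwords")
    if at_reload != recorded:
        findings.append(f"{hostname}: 0x{at_reload:04X} at next reload, "
                        f"expected recorded value 0x{recorded:04X}")
    return findings


# Constructed sample lines (not captured from real devices).
SAMPLES = {
    "rtr-restored": "Configuration register is 0x42 (will be 0x2102 at next reload)",
    "rtr-forgotten": "Configuration register is 0x42",
    "rtr-normal": "Configuration register is 0x2102",
}

if __name__ == "__main__":
    for host, text in SAMPLES.items():
        for line in audit(host, text, recorded=0x2102) or [f"{host}: OK"]:
            print(line)
```

A router that reports bit 6 set for its next reload will come up in the Setup routine without its stored passwords, which is why the register is compared against the recorded value rather than only checked for a change.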
The Cisco CGS, MGS, AGS, and AGS+ platforms, and Cisco 7000 series routers running software prior to Cisco IOS Release 10.0 from ROM, all have their configuration registers in hardware, so you must physically change the position of the configuration register jumper during the password recovery process. It may be necessary to remove the processor card from the router chassis in order to access the hardware configuration register jumper. Consult your hardware documentation for detailed instructions on removing and inserting the processor card from the router chassis if necessary.
Moving the hardware configuration register jumper to bit position 6 allows the router to ignore the contents of NVRAM while booting. This permits you to bypass the configuration file (and therefore the passwords) and gain complete access to the router. You can then recover the lost password(s) or configure new ones.
Figure 2-4 shows a flow chart describing the password recovery procedure for the following platforms:
Figure 2-4 illustrates the password recovery procedure for all of these platforms. Some of these platforms are configurable in software and do not require a hardware change. Others require that you physically change the position of the configuration register jumper on the processor card. Figure 2-4 takes you through the steps required for the platform and software with which you are working, and shows diverging paths when necessary to account for platform-specific requirements. Refer to Table 2-23 to determine if the platform on which you are working is configurable in the software, or if it requires you to physically move the jumper.
The following textual procedure describes the password recovery process for the following platforms only:
For these platforms, follow the path shown in the flowchart (see Figure 2-4) labeled "Cisco CGS, MGS, AGS, AGS+ running Software Release 9.1(7) or later; Cisco 7000 series running Software Release 9.17(4) through 9.21 from ROM."
For the step-by-step password recovery sequence for other platforms, see one of the following sections: "Password Recovery Procedure," "Password Recovery Procedure," "Password Recovery Procedure," or "Password Recovery Procedure."
Following is the password-recovery procedure for Cisco platforms running recent software releases:
Step 1 Power down the router.
Step 2 Change the hardware configuration register by moving the jumper from bit position 0 (zero) or 1 to bit position 6.
This will force the router to ignore the contents of NVRAM, and therefore the configuration file, after it loads the operating system. Note the original position of the jumper.
Step 3 Power up the router.
The router will boot but will ignore the contents of NVRAM and enter the Setup routine.
Step 4 Answer no to all of the Setup questions.
The Router> prompt appears.
Step 5 Enter the enable EXEC command.
Step 6 If the password is clear text (is not encrypted), go to Step 10. If the password is encrypted, continue with Step 7.
Step 7 If the password is encrypted, enter the configure memory privileged EXEC command. This writes the stored configuration into running memory.
Step 8 Enter the configure terminal privileged EXEC command to enter router configuration mode.
Step 9 If you have lost the enable password, use the enable-password global configuration command to configure a new password. If you have lost the login password, configure the console line with a new login password using the login and password line configuration commands. Press ^Z to exit configuration mode. Proceed to Step 12.
Step 10 If your password is clear text (is not encrypted), enter the show configuration privileged EXEC command.
Step 11 If you have lost the enable password, locate the enable-password global configuration command entry and record the password. If you have lost the login password, find the configuration entries for the console line and record the password indicated by the password line configuration command.
Step 12 Issue the write memory privileged EXEC command to write the configuration into running memory.
Step 13 The router is now fully functional and you can use your recovered or reconfigured password(s) as usual.
Step 14 Power down the router.
Step 15 Move the hardware configuration register jumper from bit position 6 to its original position (the position you noted in Step 2).
It might be necessary to remove the processor card to gain access to the jumper. Consult your hardware documentation for complete instructions on removing and inserting the processor card if necessary. If you had to remove the processor card, reinsert it before continuing.
Step 16 Power up the router. Use your new or recovered password to gain access to the router.
Cisco CGS, MGS, AGS, and AGS+ platforms, and Cisco 7000 series routers running software prior to Cisco IOS Release 10.0 from ROM, all have their configuration registers in the hardware, so you must physically change the position of the configuration register jumper during the password recovery process. It might be necessary to remove the processor card from the router chassis in order to access the hardware configuration register jumper. Consult your hardware documentation for detailed instructions on removing and inserting the processor card from the router chassis if necessary.
Figure 2-5 shows a flowchart that describes the password recovery procedure for the following platforms:
The step-by-step procedure that follows and the password recovery flow chart shown in Figure 2-5 apply only to the indicated platforms running the indicated software. There is another procedure for recovering a password on these platforms if they are running more recent software. See the previous section, "Password Recovery Procedure."
Following is the password-recovery procedure for Cisco platforms running earlier software releases:
Step 1 Power down the router.
Step 2 Change the hardware configuration register by moving the jumper from bit position 0 (zero) or 1 to bit position 15.
Note the original position of the jumper.
Step 3 Power up the router. The ROM monitor (>) prompt appears.
Step 4 Enter the b (bootstrap) command at the (>) prompt.
Step 5 Press the Return key until the Test-System> prompt appears.
Step 6 Enter privileged mode by issuing the enable EXEC command.
Step 7 If the password is clear text (is not encrypted), go to Step 12.
or
If the password is encrypted, continue with Step 8.
Step 8 If the password is encrypted, enter the configure memory privileged EXEC command.
This writes the stored configuration into running memory.
Step 9 Enter the configure terminal privileged EXEC command to enter router configuration mode.
Step 10 If you have lost the enable password, use the enable-password global configuration command to configure a new password and press ^Z to exit configuration mode.
or
If you have lost the login password, configure the console line with a new password using the login and password line configuration commands. Press ^Z to exit configuration mode.
Step 11 Issue the write memory privileged EXEC command to write the configuration into running memory. Proceed to Step 14.
Step 12 If your password is clear text (is not encrypted), enter the show configuration privileged EXEC command.
Step 13 If you have lost the enable password, locate the enable-password global configuration command entry in the configuration and record the password.
or
If you have lost the login password, find the configuration entries for the console line and record the password indicated by the password line configuration command. Do not make configuration changes or use the write memory command at this time.
Step 14 Power down the router.
Step 15 Remove the processor card and move the hardware configuration register jumper from bit position 15 to its original position (the position you noted in Step 2).
Step 16 Power up the router. Use your new or recovered password to gain access to the router.
Cisco IGS routers have a bank of DIP switches located on the rear panel. These DIP switches are used to set the hardware configuration register and must be used in the password recovery process if the router is running system software prior to Software Release 9.1.
Figure 2-6 shows the password recovery procedure for the Cisco IGS running software prior to Software Release 9.1. There is another procedure for the IGS platform if it is running Software Release 9.1 or later. See the section, "Password Recovery Procedure."
Following is the password-recovery procedure for IGS routers running software prior to Software Release 9.1:
Step 1 Power down the router.
Step 2 Record the settings of the DIP switches located on the rear panel of the router. You will need to return these switches to their original positions after you have recovered your password.
Step 3 Set switch number 7 to the ON position (down).
Step 4 Set switches 0-3 to the OFF position (up).
Step 5 Power up the router.
The router will boot up, and the terminal will display the ROM monitor (>) prompt.
Step 6 Enter the b (bootstrap) command at the (>) prompt.
Step 7 Press the Return key until the Test-System> prompt appears.
Step 8 Enter the enable privileged EXEC command at the Test-System> prompt.
Step 9 If the password is clear text (is not encrypted), go to Step 14.
or
If the password is encrypted, continue with Step 10.
Step 10 If the password is encrypted, enter the configure memory privileged EXEC command. This writes the stored configuration into running memory.
Step 11 Enter the configure terminal privileged EXEC command to enter router configuration mode.
Step 12 If you have lost the enable password, use the enable-password global configuration command to configure a new password and press ^Z to exit configuration mode.
or
If you have lost the login password, configure a new password on the console line using the login and password line configuration commands. Press ^Z to exit configuration mode.
Step 13 Enter the write memory privileged EXEC command to write the configuration changes into stored memory. Proceed to Step 16.
Step 14 If your password is clear text (is not encrypted), enter the show configuration privileged EXEC command.
Step 15 If you have lost the enable password, locate the enable-password global configuration command entry in the configuration and record the password.
or
If you have lost the login password, find the configuration entries for the console line and record the password indicated by the password line configuration command. Do not make configuration changes or issue the write memory command at this time.
Step 16 Power down the router.
Step 17 Return the hardware configuration register DIP switches located on the back panel of the router to their original settings (the settings you noted in Step 2).
Step 18 Power up the router. Use your new or recovered password to gain access to the router.
Lost passwords cannot be recovered from Cisco 500-CS communication servers. The only way to recover from a lost password is to return the communication server to its factory default configuration using the reset button located on the top of the case.
The following procedure describes how to restore the Cisco 500-CS to its default configuration:
Step 1 Power down the communication server.
Step 2 Press and hold down the reset button on the top of the case while turning on the power to the communication server.
Step 3 The 500-CS is returned to its factory default configuration.
You must reconfigure the communication server. For information on configuring a Cisco 500-CS communication server, consult the Access and Communication Servers Configuration Guide and the Access and Configuration Servers Command Reference publications.