ASDM Password expired

Hammer
Level 1

Hi All

I am hoping someone out there can help me. I have been battling for 4 days to try and recover the ASA password without any success.

I am currently running a Cisco 5516-X and when trying to access the ASDM I get a message that the password has expired. There is no option allowing me to reset/change it even though I have the current password.

After searching the internet I have tried several options to reset the password via the rommon menu.

confreg

Do you wish to change the configuration? y/n [n]:  y
Accept the defaults for all except the question, enable "ignore system configuration"? y/n [n]:  y
rommon2 > boot  -> here I get an error, that I don't fully understand and not sure if it is related to my original password problem.
rommon 10 > boot

Located '.boot_string' @ cluster 37890.

#

Directory asa981-lfbff-k8.SPA not found
Unable to load asa981-lfbff-k8.SPA
boot: error executing "boot"

If I use the "reload" command the system reboots into 0x41 anyway.
rommon 11 > reload
Resetting .......

Once it is finished booting I am able to enter the privilege mode with the "enable" command with no password [enter]
I can then copy the startup-config to the running-config. 
Enter the configuration menu with command "conf t"
I then reset the password with command "enable password new_password" and save settings with "wr mem" command.
I then change the config registry back to 0x01 from 0x41 with command "config-register 0x01".
Verify that my next reload will boot from the correct registry with "show version" command.
exit out of conf menu
For good measure I save the current setting to make changes persistent "copy run start"
"reload" the system.
Once up again the password that I have just set does not work!
ciscoasa> en
Password: *************
Invalid password
Password: ************
Invalid password
Password:
Invalid password
Access denied.

I attempt to connect to the ASDM and get the same error about password expired.

I have tried a couple of other options in the rommon prompt
disabling the aaa authentication
Using commands "show run aaa"
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history

then "no aaa authentication enable console LOCAL" for each of the above
no aaa authentication http console LOCAL
no aaa authentication ssh console LOCAL
no aaa authentication login-history

Get the same result, that the new password still fails.
I have also done a factory reset and then restored from our latest backup. Straight after factory reset I was able to access the ASDM application using default credentials, and used it to do a restore from backup file, but as soon as I restore the backup I have the same issue, when I need to re-authenticate .... password expired.

Does anyone know how I can reset the password for the admin user that is used to access the ASDM?

Accepted Solutions

Hammer
Level 1

Hi All

I have managed to resolve this on my own.

Resolution Steps for anyone else who gets caught out in the future.

  • Follow the normal recommended steps to get into 0x41 config and boot system into the password change config.
  • Enter the configuration menu with command "conf t"
  • Reset the password with command “enable password new_password”
  • What I did extra here, was to set the password policy lifetime to zero “password-policy lifetime 0”
  • Saved everything to disk to make persistent “wr mem”
  • I then switch the config back to 0x01 “config-register 0x01”
  • reboot the system “reload”
  • Once boot is completed, I was able to get into the ASDM using the new password and blank user. (Not my admin user that I was expecting to reset)
  • Before restoring the backup, I then went into the zip file and located the two text files Startup-config.cfg and running-config.
  • In here I edited the dates for the aaa users to be more current than the 120 days expiry date. The backup would have restored this lifetime/password back to something expired and then locked me out again.
  • I also changed the password-policy lifetime within these 2 files to zero
  • Then proceeded to do my backup restore using this edited copy.
  • Once back onto the ASDM with my latest backup copy, I could reset aaa user password as I normally would.

Whether this is right or not, it is what worked for me and got me back online, after more hours than I would like to admit of battling.
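
An added example, not part of the original post and not Cisco tooling: a pre-restore check in Python that opens a backup ZIP and reports whether its config files would bring back a non-zero "password-policy lifetime" together with LOCAL console authentication, the combination the thread describes. The sample archive is constructed; the member names follow the two files named in the post, and selecting members by the substring "config" is an assumption.

```python
import io
import re
import zipfile

# Only directives quoted in this thread are parsed; everything else is ignored.
LIFETIME_RE = re.compile(r"^password-policy lifetime (\d+)\s*$", re.M)
LOCAL_AAA_RE = re.compile(r"^aaa authentication (\S+) console LOCAL\s*$", re.M)


def audit_config(text):
    """Return (lifetime in days or None, consoles authenticated against LOCAL)."""
    match = LIFETIME_RE.search(text)
    lifetime = int(match.group(1)) if match else None
    return lifetime, sorted(set(LOCAL_AAA_RE.findall(text)))


def audit_backup(zip_bytes):
    """Audit each member whose name contains 'config' (assumed naming)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for name in archive.namelist():
            if "config" not in name.lower():
                continue
            text = archive.read(name).decode("utf-8", errors="replace")
            lifetime, consoles = audit_config(text)
            findings[name] = {
                "lifetime": lifetime,
                "consoles": consoles,
                # Non-zero lifetime plus LOCAL logins: the combination in the thread.
                "reimposes_expiry": bool(lifetime) and bool(consoles),
            }
    return findings


def build_sample_backup():
    """Constructed sample archive: one unedited and one edited config file."""
    aaa = "aaa authentication http console LOCAL\naaa authentication ssh console LOCAL\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Startup-config.cfg", "password-policy lifetime 120\n" + aaa)
        archive.writestr("running-config", "password-policy lifetime 0\n" + aaa)
        archive.writestr("notes.txt", "not a config file\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, result in audit_backup(build_sample_backup()).items():
        print(name, result)
```

Checking both files matters because the post edits both; a backup with only one of them changed still carries the old lifetime in the other.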

3 Replies

Can I see all ASA config?

MHM
