Password Recovery in Cisco UCS

So, it’s no secret that almost any Cisco device can easily have the master password restored. It’s a disruptive process, but it’s well documented for each type of device (as it should be). Cisco UCS is no different. We document the procedure in two places (latest versions linked):

Cisco UCS Manager CLI Configuration Guide, Release 2.0

Cisco UCS Manager GUI Configuration Guide, Release 2.0

It’s pretty simple to follow, but it assumes one crucial piece of data that you may not have – an existing valid login. It expects that the reader is able to log in to UCS Manager using some existing account (does not need admin rights) and collect some basic information (system, kickstart, and mgmt. image versions, etc.) to start the procedure. But sometimes you may not have this info – and you just need to reset UCS Manager back to defaults so you can start over, but you just can’t log in to get there. My procedure below also assumes you want to reset UCS Manager back to defaults and start over. If this is you, this is your lucky day! If you don’t want to lose your configuration, you can most likely use this procedure and just stop short of erasing the configuration – but I haven’t tested that so your mileage may vary.

The only thing you’ll need is a console cable for the fabric interconnect(s) that you want to recover the passwords on. When you’ve got a connection to the console port of the FI, here are the basic steps:

  1. Reboot the FI
    1. Since you cannot log in, you need to remove power to the FI by either removing the PSUs or the power cords (whichever are easiest for you to reach)
  2. Press ctrl+shift+r a few times as the interconnect boots to interrupt the boot process

    <side note> In a normal boot, the FI is programmed to load three specific images:

  • kickstart (kernel)
  • system (system)
  • management (UCSM)

This is pre-programmed to happen automatically. If something goes wrong with the boot process, the FI may stop after, before, or during any of these three stages. Depending on where it stops, you will have varying levels of functionality at the command line. But that’s a whole different story….

By interrupting the boot process as described in the steps above, you must individually load the 3 images yourself. If you were to reboot at any stage, the FI will default back to its programmed boot sequence.

</side note>

  3. This should leave you at the extremely useful, yet very unfriendly loader> prompt. The good news is that we won’t be here long.

    The loader has a very limited command list (below):

    loader> help
    ? Print the command list
    boot Boot an image
    dir List the directory content
    help Print the command list or
    reboot Reboot the system
    resetcmos Reset CMOS to factory defa
    serial Serial console settings
    set Set network configuration
    show Show loader configuration

  4. First, we need to know what kickstart we can invoke via the “boot” command. To get that, type the following:

    dir

    You will see output similar to the following:

    loader> dir
    bootflash:
    lost+found
    ucs-6100-k9-kickstart.4.0.1a.N2.1.1e.bin
    ucs-6100-k9-system.4.0.1a.N2.1.1e.bin
    sysdebug
    chassis.img
    nuova-sim-mgmt-nsg.0.1.0.001.bin
    [output truncated]

  5. The kickstart image is ucs-6100-k9-kickstart.4.0.1a.N2.1.1e.bin in the listing above. To boot off of this image, I would type:

    boot ucs-6100-k9-kickstart.4.0.1a.N2.1.1e.bin

  6. This will load kickstart and stop at the boot prompt. From here type:

    switch(boot)# config terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    switch(boot)(config)# admin-password mypassword (where mypassword is the password you want to use)

  7. The password is now changed. So we just need to finish loading the FI. Again, “dir” is your friend here. Type the following:

    dir

    which will display output similar to this:

    switch(boot)# dir
    72 Feb 01 2010 21:28:24 ..tmp-kic
    …[output truncated]
    4096 Feb 23 2011 19:22:37 sysdebug/
    4096 Feb 25 2011 09:07:11 techsupport/
    21021184 Oct 01 2009 16:35:40 ucs-6100-k9-kickstart.4.0.1a.N2.1.1e.bin
    105025752 Oct 01 2009 16:38:21 ucs-6100-k9-system.4.0.1a.N2.1.1e.bin

  8. You are interested in the system image, ucs-6100-k9-system.4.0.1a.N2.1.1e.bin in the output above. At the (boot) prompt, type the following:

    switch(boot)# load ucs-6100-k9-system.4.0.1a.N2.1.1e.bin

    The FI will now boot the system image and then load the UCS Manager image, bringing you to the login prompt.

    Note: You are most likely not running the most current version of UCS at this time. It is not suggested that you attempt to actually use this running instance, even though you will be able to log in again.

  9. Log in using your new password and type the following:

    UCS-6100-A# connect local-mgmt
    …[output truncated]
    UCS-6100-A(local-mgmt)# erase configuration

    This will erase the configuration of the FI and will reboot it to the default startup wizard.
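
Picking the kickstart and system image names out of a `dir` listing, as the procedure above does by eye, can be scripted. The following Python is an added example, not part of the original post or of any Cisco tooling. It assumes a kickstart/system pair should carry the same version string, as the pair in this page's listing does; the function names and the orphaned 9.9.9.EXAMPLE kickstart in the sample are constructed for illustration.

```python
import re

# File-name shape taken from the listing on this page:
#   ucs-<platform>-k9-<kickstart|system>.<version>.bin
IMAGE_RE = re.compile(r"(ucs-\S+?-k9-(kickstart|system)\.(\S+)\.bin)\b")

# Constructed sample: the page's `dir` lines plus one made-up kickstart
# (9.9.9.EXAMPLE) that has no matching system image.
SAMPLE_DIR = """\
72 Feb 01 2010 21:28:24 ..tmp-kic
4096 Feb 23 2011 19:22:37 sysdebug/
21021184 Oct 01 2009 16:35:40 ucs-6100-k9-kickstart.4.0.1a.N2.1.1e.bin
105025752 Oct 01 2009 16:38:21 ucs-6100-k9-system.4.0.1a.N2.1.1e.bin
21021184 Jan 01 2010 00:00:00 ucs-6100-k9-kickstart.9.9.9.EXAMPLE.bin
"""

def find_images(listing):
    """Return {version: {"kickstart": name, "system": name}} from dir output."""
    images = {}
    for line in listing.splitlines():
        match = IMAGE_RE.search(line)
        if match:
            name, kind, version = match.groups()
            images.setdefault(version, {})[kind] = name
    return images

def recovery_commands(listing, version=None):
    """Return (prompt, command) pairs for the boot and load steps."""
    # Assumption: only a kickstart/system pair with the same version is usable.
    pairs = {v: f for v, f in find_images(listing).items()
             if f.keys() >= {"kickstart", "system"}}
    if not pairs:
        raise ValueError("no matching kickstart/system pair in listing")
    if version is None:
        if len(pairs) > 1:
            raise ValueError("several pairs, pick one: " + ", ".join(sorted(pairs)))
        version = next(iter(pairs))
    if version not in pairs:
        raise ValueError("no complete pair for version " + version)
    files = pairs[version]
    return [("loader>", "boot " + files["kickstart"]),
            ("switch(boot)#", "load " + files["system"])]

if __name__ == "__main__":
    for prompt, command in recovery_commands(SAMPLE_DIR):
        print(prompt, command)
```

The orphaned kickstart is skipped because it has no system image of the same version, and a listing with no complete pair raises an error instead of guessing.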


Hopefully you will find this useful at a time when you really need it. Thanks for stopping by…

-Jeff


10 thoughts on “Password Recovery in Cisco UCS”

  1. Thanks for writing this up. Used it yesterday at a customer. FYI – got everything back up and going after copying over the correct file to make it boot up 1.2 again, then erasing and upgrading from there. Thanks for the help on Friday !

  2. This worked great on the B FI of the cluster, but the A node won’t accept the reset password. I’ve traced it back to an issue wherein the node was pre-configured to use an LDAP login first.

  3. Nice job done.
    This will surely help me out in future. You made the talk appear much easier than it really is.

    Thank you

  4. Hi,
    I am new to Cisco networking. I am trying to configure a UCS 6100 XP 40 and I have a problem logging in.

    I connected by console and I changed the IP address, then I configured it to use the GUI. When I entered the GUI I chose Express Setup, and in the admin IP field I chose the same IP that it had, and the user and password. After it was configured, I tried to connect but I can’t, and I don’t understand why at the login prompt I see an admin-A: field. My doubt is whether my username is admin-A or admin?

    I’ve followed these instructions but I can’t get into my UCS.

    Can you help me?

    Thanks in advance
