Password recovery with HSRP PIX firewalls

bjenner
Level 1

I need to recover the enable password on a couple of PIX firewalls running HSRP. Can anybody advise me if I need to adapt the standard recovery procedure? What I was considering was shutting both firewalls down, bringing the primary one up, recovering the password, setting a new one and then bringing up the second firewall. Will the second PIX then sync with the primary to get the new password or do I need to do both separately?

Incidentally, nobody knows of any problems with HSRP and setting passwords. I basically changed the Telnet password but not the Enable one. However when I came to access the firewalls the next day I found that the Telnet password had been correctly changed but I could no longer enter enable mode.

Thanks.


scoclayton
Level 7

Unfortunately, you are going to be down for a period of time to accomplish this. Here is my suggestion that would provide for the least impact:

1. Power off the primary and force the stand-by PIX to an active role.

2. Disconnect the failover cable between the 2 PIX's and follow the instructions from http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_password_recovery09186a008009478b.shtml#pix_without to recover the password on the primary PIX.

3. Once this is complete, power down the stand-by PIX and bring the primary back on-line. Make sure that the primary PIX (the one with the recovered password) becomes active and starts passing traffic.

4. Re-connect the failover cable and power on the stand-by PIX. During the bootup, the stand-by PIX should sync with the primary and get the new config changes.

As for known issues, not that I am aware of. Would probably need to see exactly what you changed. Make sure you are always making the changes on the active PIX.

Scott
