Introduction
This document will give you some ways to recover your CRS running IOS-XR if you are locked out due to a forgotten password or AAA configuration change.
Core Issue
First is if you have forgotten your username/password you can do the following steps which is documented fairly well already:
Password Recovery
The other issue is if you have mistakenly locked yourself out after doing some AAA commands. Usually after configuring authorization without a fallback method. To see how to make sure you have fallback methods and configure them refer to the AAA configuration guides.
AAA configuration guide
Resolution
There are a couple of ways to do this.
If you have access to the aux port then you can do the following:
Gain access on the AUX port which should drop you into the Korn Shell (ksh). If challenged with a username/password this would be a local username/password. Not tacacs/radius.
Note: This can by bypassed with the following:
Bypassing Ksh Authentication
rommon1> AUX_AUTHEN_LEVEL=0
Once in the ksh you can try to do the following command to do a configuration rollback for the last change:
config_rollback -n 0x1
Note: You can change the last number if you needed to rollback more than 1 change.
If you don't have access to the AUX port for some reason but do have a configuration backed up or are willing to reconfigure the router you can do the following from the console. This will tell the router to boot up with a blank configuration.
Reload the router and keep both RPs down in ROMMON by sending a break signal during boot process.
Then boot the active RP with the following type of command:
boot <image> -a bogus-config-file-path
For example, on my CRS running 4.0.3 the command would look like this:
boot bootflash:/disk0/hfr-os-mbi-4.0.3/mbihfr-rp.vm -a blah
The router will then boot loading the right version but will come up with a blank config.
You can then reconfigure or cut/paste the configuration.
In case it's needed you can do the same for the Admin configuration with the following switch:
boot <image> -o bogus-config-file-path
Related Information
Password Recovery
AAA configuration guide
ASR9k Password Recovery