[SRX] Root password recovery not working with Junos release versions 10.0R1, 10.0R2, and 10.1R1

  [KB17565]


Summary:
This article describes a procedure to recover the root password for SRX Branch devices running on Junos release versions 10.0R1, 10.0R2, and 10.1R1 when they fail to reach the point where the root password can be changed, or the Junos root-password recovery procedure does not work.
 
Symptoms:
The information in this article applies to the following Junos platforms:
  • SRX100
  • SRX110
  • SRX210
  • SRX220
  • SRX240
  • SRX550
  • SRX650

KB15725 describes the root password recovery method for Junos platforms. However, on SRX Branch platforms running Junos 10.0R1, 10.0R2, and 10.1R1, there is a condition in which the password recovery process does not work. After the recovery command is issued, the system never reaches the point where the root password can be changed; instead, the system reboots.
Cause:
 
Solution:
To resolve the issue, use the following procedure to recover the root password for SRX Branch devices running on Junos release versions 10.0R1, 10.0R2, and 10.1R1. This involves disabling watchdog functionality to allow the system to properly boot into single-user mode.
 
  1. Press the power button on the front panel to power on the router.  Verify that the POWER LED on the front panel turns green. The console should continuously display the boot message.
  2. When the prompt appears, press the spacebar to access the router’s bootstrap loader and type these commands:
    Hit [Enter] to boot immediately, or space bar for command prompt.
    Booting [kernel] in 9 seconds...


    Loader>
    Loader> watchdog disable
    Loader> boot -s
  3. The firewall starts up in single-user mode. In single-user mode, a multiuser operating system such as Junos boots into a single superuser session. Single-user mode is mainly used for maintenance of multi-user environments such as network servers.
  4. At the prompt, enter "recovery" to start the root password recovery procedure.
    System watchdog timer disabled
    Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh:
    recovery
  5. The device directly enters operational mode without asking for a user ID or password.
    Starting CLI ...
    root@host> edit
  6. When in configuration mode, set the root password.
    root@host# set system root-authentication plain-text-password
  7. On pressing the return key, type in the new root password.  Reenter the new root password when the second prompt appears.
    New password: juniper1
    Retype new password: juniper1
  8. Commit the changes.
    root@host# commit
    commit complete
  9. Reboot the device again.
    root@host# run request system reboot
    Reboot the system ? [yes,no] (no) yes

    The boot messages display on the console.
  10. Press the spacebar once to access the router’s bootstrap loader prompt. This sequence appears on the console:
    Hit [Enter] to boot immediately, or space bar for command prompt.
    Booting [kernel] in 9 seconds...


    Loader>
    Loader> watchdog enable
    Loader> boot
  11. The device reboots again and this time it asks for a user ID and password.  Enter the newly configured password.
    Wed Jun 16 14:20:21 UTC 2010
    Amnesiac (ttyu0)
    login: root
    Password:
    juniper1

For more information, refer to PR499745.
