Locked Out of Router — Enable Secret Unknown
Presenting Symptom
Unable to enter privileged EXEC mode on a Cisco router; the enable secret password is unknown and the password recovery process fails.
Network Context
A small branch office router (Cisco 4321, IOS XE 16.9) is used to connect the LAN to the WAN. The router has been in service for years, and the original enable secret password has been lost. The network engineer needs to regain administrative access to make configuration changes.
Diagnostic Steps
Attempt to enter privileged EXEC mode
enable
Password:
The router prompts for a password. Since the password is unknown, the engineer cannot proceed. This confirms the problem is a lost enable secret.
Attempt password recovery via console
Power cycle the router and send a break sequence during startup (Ctrl+Break)
rommon 1 >
If the router enters ROMmon mode, password recovery is possible. If it does not, the router may have password recovery disabled (no service password-recovery).
Check if password recovery is enabled
confreg 0x2142 (in ROMmon), then reset
Router> (after reload, no startup config loaded)
Setting the configuration register to 0x2142 bypasses the startup configuration, allowing access without a password. If the router still prompts for a password, password recovery is disabled.
Confirm password recovery is disabled
show version | include Configuration register
Configuration register is 0x2102
The configuration register reads 0x2102 (normal boot). When password recovery is disabled, the break sequence does not drop the router into ROMmon. The remaining options are the ROMMON password reset procedure, if the platform supports it, or replacing the router.
Root Cause
The enable secret password is unknown, and the router has the 'no service password-recovery' command configured, which disables the standard password recovery procedure (break sequence during boot). Without the password and with recovery disabled, the router cannot be accessed via console to make configuration changes.
Resolution
Verification
After resolution, verify by entering privileged EXEC mode: issue 'enable' and enter the new password. Expected output: the prompt changes to 'Router#', indicating successful access to privileged EXEC mode.
Prevention
1. Always document enable secret passwords in a secure password manager.
2. Avoid disabling password recovery unless absolutely necessary; if it is disabled, ensure multiple backup access methods exist (e.g., AAA server, management access).
3. Implement role-based access control (RBAC) with AAA to reduce reliance on local enable passwords.
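The diagnostic steps above read the configuration register from 'show version', and the prevention list asks for backup access whenever 'no service password-recovery' is configured. As an added example, not part of the original scenario, the Python below turns those two checks into a small configuration audit a network team could run over collected device output: it parses the register (including the IOS form "0x2142 (will be 0x2102 at next reload)" that appears when the register was changed in ROMmon), flags a register that bypasses the startup configuration, and reports a router that has recovery disabled without 'aaa new-model' as a fallback. The 'show version' and running-config samples are constructed for the example; the line formats follow real IOS output, and the bit-6 (0x0040) meaning is the standard "ignore NVRAM" bit that distinguishes 0x2142 from 0x2102.

```python
from __future__ import annotations

import re
from typing import List, Optional, Tuple

# Constructed sample device output (not captured from a real router).
SHOW_VERSION_NORMAL = """\
Cisco IOS XE Software, Version 16.09.04
Configuration register is 0x2102
"""

SHOW_VERSION_BYPASS = """\
Cisco IOS XE Software, Version 16.09.04
Configuration register is 0x2142 (will be 0x2102 at next reload)
"""

RUNNING_CONFIG_NO_RECOVERY = """\
version 16.9
no service password-recovery
service password-encryption
hostname Branch-R1
aaa new-model
"""

# Matches the register line from 'show version', with the optional
# "(will be 0x.... at next reload)" suffix IOS prints after confreg.
REGISTER_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

# Bit 6 of the configuration register: ignore the startup config in NVRAM.
IGNORE_NVRAM = 0x0040
DEFAULT_REGISTER = 0x2102


def parse_config_register(show_version: str) -> Tuple[Optional[int], Optional[int]]:
    """Return (current, next_reload) register values, or (None, None) if absent."""
    m = REGISTER_RE.search(show_version)
    if not m:
        return None, None
    current = int(m.group(1), 16)
    next_reload = int(m.group(2), 16) if m.group(2) else current
    return current, next_reload


def audit(show_version: str, running_config: str) -> List[str]:
    """Produce human-readable findings for one device."""
    findings: List[str] = []
    current, next_reload = parse_config_register(show_version)

    if current is None:
        findings.append("config-register: line not found in show version output")
    else:
        if current & IGNORE_NVRAM:
            # The router is currently running without its startup config.
            findings.append(
                f"config-register: 0x{current:04X} bypasses startup-config"
            )
        if next_reload is not None and next_reload & IGNORE_NVRAM:
            findings.append(
                f"config-register: next reload 0x{next_reload:04X} will bypass startup-config"
            )
        if current != DEFAULT_REGISTER and not (current & IGNORE_NVRAM):
            findings.append(
                f"config-register: 0x{current:04X} differs from default 0x{DEFAULT_REGISTER:04X}"
            )

    # Global command that disables the break-sequence recovery procedure.
    recovery_disabled = re.search(
        r"^no service password-recovery\s*$", running_config, re.M
    ) is not None
    if recovery_disabled:
        findings.append(
            "service password-recovery: disabled; a lost enable secret needs "
            "ROMMON reset (if supported) or hardware replacement"
        )
        if re.search(r"^aaa new-model\s*$", running_config, re.M) is None:
            findings.append("aaa: no 'aaa new-model' as a backup access method")
    return findings


if __name__ == "__main__":
    for line in audit(SHOW_VERSION_BYPASS, RUNNING_CONFIG_NO_RECOVERY):
        print(line)
```

Run over the constructed samples, the audit reports that the running register bypasses the startup configuration and that recovery is disabled, but raises no AAA finding because 'aaa new-model' is present; a device at 0x2102 with recovery enabled produces no findings.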
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario tests knowledge of password recovery procedures and the 'service password-recovery' command. Expect multiple-choice questions about the effect of 'no service password-recovery' or troubleshooting steps when locked out. Key fact: 'no service password-recovery' prevents break sequence during boot, making password recovery impossible.
Exam Tips
Memorize the default configuration register value (0x2102) and the recovery value (0x2142).
Know that 'no service password-recovery' is a global configuration command that disables the break sequence; it cannot be removed without knowing the enable secret.
Understand that if password recovery is disabled, the only option is to replace the router (or use ROMMON reset if supported).
Commands Used in This Scenario