"Orchestrator Blues" Part 2: VCO and VCG password traps and recovery actions

 
When you set up new Orchestrator and Gateways it typically takes some time until you need to relogin via SSH or via Console in order to do for example an upgrade to a new version.

Default password expiration is typically set to 90 days.

Normally when for an account the password is expired you still can login via console and specifiy a new password afterwards.

Unfortunately VMware SD WAN Orchestrator and Gateways have a specific setting, that completely disables login of vcadmin after the first 90 days without any password change even on console.

In that case you are left with unreachable VCO and VCGs regarding CLI.

So the only way to overcome is a password reset procedure:

And there are as far as I have seen, 2 ways to do such a password reset:

  1.  Password Reset via GRUB Recovery Mode 
  2.  Reconnect of Disk to separate Unix System and doing Password  Reset from there

As the first method is much simpler you should always try that one, before using the 2nd one.

WARNING: Be careful and have a Snapshot or backup done before attempting the following procedures, the author takes no responsibility for the correctness of the following commands and sequences. 

Password Reset via GRUB Recovery Mode

a.) Connect to VCO (VCG) via Console
b1.) Send <CTRL+ALT+DEL> to Console
or
b2.) Reboot Virtual Machine
c.) press <SHIFT> during reboot until GRUB screen turns up
d.) by using the drop-down menu select the OS version stating recovery mode and press <Enter>
e.) after starting of the mode wait until it prompt you to select recovery mode
f.) when the root@<VCO> prompt is there remount the disk in RW mode by using
     mount -o remount,rw /
g.) now you can set a new password by entering passwd vcadmin
h.) finish by using  reboot to start the device in normal mode. 

ALTERNATION for method 1 after step e:
If the system asks you for a root password in maintenance mode or asks you to press <CTRL> D then:
1.reboot again
2.press <SHIFT>
3. when in GRUB menu highlight the recovery line but do not press <Enter>
4. Press e to go into edit mode
5. scroll down to a line starting with linux
6. near the end of the line replace ro with rw and at the end of line add init="/bin/bash"
7, press F10 or <CTRL> X to continue
8. when prompted enter passwd vcadmin and set the new password
9. boot the VCO again and all should be okay

Reconnect of Disk to separate Unix System and doing Password  Reset from there

a.) shutdown the device
b.) mount the disk on another linux system as second disk
c.) start that system 
d.) Activate the correct LVM partition of VCO or VCG
     pvscan --cache -aay /dev/nbd0p2
e.) Mount the root volume
     mount /dev/vols/root1 /mnt
f.) change root and set new root password
     chroot /mnt
     passwd root
g.) exit and unmount the disk
     umount /mnt
     vgchange -an vols 
h.) shutdown the linux system and reconnect disk to original VCO or VCG VM 
i.) start up the VCO or VCG and login via root and the specified password
j.) reset the vcadmin password lock and set new vcadmin password
     pam_tally2 --reset
     passwd -w -1 -x 99999 vcadmin
     passwd vcadmin
 

 

Both methods presented allow you to continue without needed to reapply and reconfigure the whole device.

Comments

Post a Comment

Popular posts from this blog

Deep Dive on DMPO and its Performance Features (available and missing) Part 1

Image
 In the last year I got quite deep insight into ther vendors SD-WAN implementation and also have seen what various vendors are critizising about the VMware DMPO features. Also there are a lot of misconceptions on the market around some of these features. So let´s try and evaluate and look a little bit deeper into typical performance features and the VMware implementation of them Features discussed in this Blog (Part 1) Per Packet Load Balancing Forward Error Correction (FEC) Packet Replication Latency Remediation The following Features will be discussed in Part 2 of my blog TCP Optimization Techniques Dejitter Buffering SAAS Application Monitoring   Per Packet Load Balancing  Unfortunately this term can be quite easily misinterpreted, when you Google for the term and get the following result:  This behaviour (often criticized by other vendors about VMware) as described above would only work quite well when you have very similar or equal connections. If for example 2 ...
Read more

Deep Dive on DMPO and its Performance Features (available and missing) Part 2

Image
  The following Features will be discussed in this second part of my blog TCP Optimization Techniques Dejitter Buffering SAAS Application Monitoring   Before diving into the mechanism here an important basic fact:     Remediation is never done for applications classified as LOW priority     TCP optimization TCP has some embedded traffic management capabilities for reliable traffic delivery  (window.size, slow-start, RTT handling,...)  But there are a bunch of factors which can negatively influence the performance, like Latency TCP-slow-start Last Mile network problems Out of Sequence packets Busty losses end host TCP limitations (missing fatures like SACK, windows scaling or timestamp options)  Typically TCP optimization helps on the transmission side and improve the download time for large data transfers over latency-high and lossy WAN links. But it can also be used for improving perfomance when on the receiver side the amount ...
Read more

Secure Edge CLI Access: Addditional Useful Commands and Parameter

Image
 additionally to the possible commands and paramteres described in the docu Secure Edge CLI: Output Examples V5.2 there are a lot of useful commands and procedures you can use  Here some of the commands which does not have a direct representation in the Remote Diagnostics debug --dec  <shows the actual detailed status and QOE for each path RX and TX>   debug --peer_stats all <shows packet counts and peer-is for all peers> the peer-id is needed for a detailed dump of peer statistics per peer diag PATHS_DUMP --peer <peer-id> <shows counter and QOE parameters for all paths to a specific peer> for a nice display you need a terminal window of 350 chars/line if you have priviledged shell access you can also use cd /opt/vc/bin in this directory you find a lot of internal but useful prgrams, phyton or shell scripts like...  ./dispcnt here an example for usage:   ./dispcnt -s  bgp -t 15 -z   shows all non-zero bgp counter updated e...
Read more