Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
one_co_il
New Contributor

Lock Out of My FG800C, Missing "admin" User

I have a FG 800C that was working fine

I Backup my configuration, edit it and restore it

now I cannot login to the unit,

every try resolve i wrong user and password

I Try to Login using Fortiexplorer with user "maintainer" to recover my password.

I can login, but when trying to reset password i get this massage:

 

FG800C # config system admin

FG800C (admin) # edit admin 'maintainer' account can only edit existing admins. node_check_object fail! for name admin

value parse error before 'admin' Command fail. Return code -37

 

It seems like there is no user name "admin"

is there any way to recover the user? or even restore everything to default?

 

2 Solutions
ede_pfau
SuperUser
SuperUser

You've got a (hopefully) valid backup config file. There is no other way to break into a FGT than using the maintainer access (physical access required).

Check the config file (text file) for gross mistakes, like missing routing section (at the end), and especially that the 'config system admin' section is complete and valid.

 

Then I would

- reboot

- interrupt boot sequence

- format flash disk

- reload the same firmware via TFTP

- reload the config

 

Ede Kernel panic: Aiee, killing interrupt handler!

View solution in original post

Ede Kernel panic: Aiee, killing interrupt handler!
ede_pfau

Not bad, well spotted! I wonder how that happened...

 

For the boot sequence rebuild you need to have a serial console connection and terminal emulation running. Then you can see the messages on boot and interrupt the process by hitting <SPACE> (or any key, haven't tried).

You will enter a small menu where you select items by their first letter.

Proceed from there, it's obvious.

 

One more caveat: you need to have a TFTP server running in your LAN, to reload the firmware image. I recommend 'tftpd32' from Philippe Junot for a Windows host.

 

Actually there is a second way to restore firmware and config: via USB stick. Requirement is that this is enabled in the config (which you can probably do via 'maintainer'):

config system auto-install
set auto-install-config enable
set auto-install-image enable
set default-config-file fgt_system.conf
set default-image-file image.out
end

You put the config file and firmware image file onto a USB stick (FAT32 formatted) and connect that to the USB port of the FGT. On reboot, firmware version and config file are compared to the existing ones, and reloaded if different. This might take a couple of reboots.

In essence, you're not required to set up a TFTP server this way.

In the code above, I've given the default filenames. Just rename yours and you're good.

Ede Kernel panic: Aiee, killing interrupt handler!

View solution in original post

Ede Kernel panic: Aiee, killing interrupt handler!
5 REPLIES 5
ede_pfau
SuperUser
SuperUser

You've got a (hopefully) valid backup config file. There is no other way to break into a FGT than using the maintainer access (physical access required).

Check the config file (text file) for gross mistakes, like missing routing section (at the end), and especially that the 'config system admin' section is complete and valid.

 

Then I would

- reboot

- interrupt boot sequence

- format flash disk

- reload the same firmware via TFTP

- reload the config

 

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
emnoc
Esteemed Contributor III

I would double check that admin is or is not present

 

show sys admin | grep admin

 

It would not hurt to see what other accounts are present at the same time.

 

 

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
one_co_il

ede_pfau wrote:

You've got a (hopefully) valid backup config file. There is no other way to break into a FGT than using the maintainer access (physical access required).

Check the config file (text file) for gross mistakes, like missing routing section (at the end), and especially that the 'config system admin' section is complete and valid.

 

Then I would

- reboot

- interrupt boot sequence

- format flash disk

- reload the same firmware via TFTP

- reload the config

 

Thank you for replaying

I found the mistake in the config file

there was a wrong type of quotes in one of the Vlans

It seem to ignore all the setting that is writing after the quotes like the 'config system admin' parts

 

Wrong:

edit "Vlan10" set vdom "root" set ip 10.10.10.1 255.255.255.0 set role lan set snmp-index 35 set interface "port4 set vlanid 10 Right:

edit "Vlan10" set vdom "root" set ip 10.10.10.1 255.255.255.0 set role lan set snmp-index 35 set interface "port4" set vlanid 10

 

 

I don't have experience with this process (interrupt boot sequence | reload firmware via TFTP

Can you please refer me to some details instructions?

ede_pfau

Not bad, well spotted! I wonder how that happened...

 

For the boot sequence rebuild you need to have a serial console connection and terminal emulation running. Then you can see the messages on boot and interrupt the process by hitting <SPACE> (or any key, haven't tried).

You will enter a small menu where you select items by their first letter.

Proceed from there, it's obvious.

 

One more caveat: you need to have a TFTP server running in your LAN, to reload the firmware image. I recommend 'tftpd32' from Philippe Junot for a Windows host.

 

Actually there is a second way to restore firmware and config: via USB stick. Requirement is that this is enabled in the config (which you can probably do via 'maintainer'):

config system auto-install
set auto-install-config enable
set auto-install-image enable
set default-config-file fgt_system.conf
set default-image-file image.out
end

You put the config file and firmware image file onto a USB stick (FAT32 formatted) and connect that to the USB port of the FGT. On reboot, firmware version and config file are compared to the existing ones, and reloaded if different. This might take a couple of reboots.

In essence, you're not required to set up a TFTP server this way.

In the code above, I've given the default filenames. Just rename yours and you're good.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
one_co_il

Thank you!

I manager to get my system up and running again using the TFTP

note user maintainer cannot set "config system auto-install"

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors