Access Recovery-Config Mode in the Diagnostic CLI

You can use the diagnostic CLI recovery-config mode to make out-of-band configuration changes when the management connection is down. Be sure to make the same changes in the management center; local changes will always be overwritten by the management center deployment.

For high availability and clustering, make your changes on the active/control node. This mode is not supported in multi-instance mode.

Procedure


Step 1

Connect to the device CLI using either the console port or SSH.

Step 2

Access the diagnostic CLI.

system support diagnostic-cli

enable (Press enter without entering a password when prompted.)

Example:


> system support diagnostic-cli
firepower> enable
Password:  

Step 3

Show the current running configuration for reference.

show running-config

Note

You cannot enter show commands in recovery-config mode.

Step 4

Enter recovery-config mode.

configure recovery-config

Example:

firepower# configure recovery-config

 CAUTION: The config CLI is for emergency use only. Use the config CLI if the management center is
unreachable, and use it only under exceptional circumstances, such as loss of connectivity or
to restore manager access. Do not change management center's auto-generated configurations.

 After your management center is reachable, manually make the same configuration changes in the
management center. The management center cannot implement them automatically. When you deploy
from the management center, out-of-band configuration changes will be overwritten. Also, node join
will be blocked till config CLI session is active, so make sure to exit from the config CLI after
changes are made.

Would you like to proceed ? [Y]es/[N]o: y
firepower(recovery-config)#           

Step 5

You can now enter select configuration commands.

Enter ? to view available commands.

See Guidelines for Out-of-Band Configuration for supported feature areas.

See the ASA configuration guides or command reference for details about the commands.

Tip

Keep track of all of the commands you changed. Although the management center will show you the differential later, it's good practice to keep a record of your command changes in case you need to make iterative changes to restore the management connection.

Example:


firepower(recovery-config)# ?

  access-list           Configure an access control element
  as-path               BGP autonomous system path filter
  bfd                   BFD configuration commands
  bfd-template          BFD template configuration
  cluster               Cluster configuration
  community-list        Add a community list entry
  crypto                Configure IPSec, ISAKMP, Certification authority, key
  end                   Exit from configure mode
  exit                  Exit from config mode
  extcommunity-list     Add a extended community list entry
  group-policy          Configure or remove a group policy
  interface             Select an interface to configure
  ip                    Configure IP address pools
  ipsec                 Configure transform-set, IPSec SA lifetime and PMTU
                        Aging reset timer
  ipv6                  Configure IPv6 address pools
  ipv6                  Global IPv6 configuration commands
  isakmp                Configure ISAKMP options
  jumbo-frame           Configure jumbo-frame support
  management-interface  Management interface
  mtu                   Specify MTU(Maximum Transmission Unit) for an interface
  no                    Negate a command or set its defaults
  policy-list           Define IP Policy list
  prefix-list           Build a prefix list
  route                 Configure a static route for an interface
  route-map             Create route-map or enter route-map configuration mode
  router                Enable a routing process
  sla                   IP Service Level Agreement
  sysopt                Set system functional options
  tunnel-group          Create and manage the database of connection specific
                        records for IPSec connections
  vpdn                  Configure VPDN feature
  vrf                   Configure a VRF
  zone                  Create or show a Zone
firepower(recovery-config)# 

Step 6

Exit recovery-config mode to be prompted to save your changes. Enter exit to exit each submode until you return to enable mode.

You can choose to save your changes to the startup configuration or keep changes only in the running configuration by not saving. Running configuration changes won't be retained after a reboot. If you make additional changes later and decide to save the configuration, all of your previous changes are also saved, since the entire running configuration is saved.

Deployment will be blocked while the recovery-config-mode session is open.

Example:


firepower(recovery-config)# interface Ethernet0/1
firepower(config-if)# ip address 10.0.0.2 255.0.0.0
firepower(config-if)# exit
firepower(recovery-config)# exit
Unsaved changes are not kept if you reboot. Save changes to memory ? [Y]es/[N]o: y

Cryptochecksum: 81a9073e f9535916 9c333d7e 9a3e5e76 

3756 bytes copied in 0.70 secs
firepower#  

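To keep the record that the Tip in Step 5 recommends, the following added example (not part of the Cisco documentation) diffs the show running-config capture from Step 3 against a second capture taken after exiting recovery-config mode and prints the commands to re-enter in the management center. The two captures are constructed samples; the parent/child flattening is an assumption about ASA-style indentation.

```python
from typing import Dict, List, Tuple
# Constructed "show running-config" captures from before the recovery-config
# session (Step 3) and after exiting it; illustrative, not real device output.
BEFORE = """\
interface Ethernet0/1
 nameif inside
 shutdown
!
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
"""
AFTER = """\
interface Ethernet0/1
 nameif inside
 ip address 10.0.0.2 255.0.0.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route inside 10.10.0.0 255.255.0.0 10.0.0.1 1
"""

def contextualize(config: str) -> List[str]:
    """Flatten ASA-style config: each indented submode line carries its parent
    command, so 'shutdown' under two interfaces yields two distinct entries."""
    out, parent = [], ""
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and ASA section separators carry no config
        if raw.startswith(" "):
            out.append(f"{parent} / {raw.strip()}")
        else:
            parent = raw.strip()
            out.append(parent)
    return out

def changed_commands(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (added, removed) entries in the order they appear in each capture."""
    b, a = contextualize(before), contextualize(after)
    sb, sa = set(b), set(a)
    return [x for x in a if x not in sb], [x for x in b if x not in sa]

def replay_record(before: str, after: str) -> List[str]:
    """Render the difference as the commands to re-enter in the management
    center: removals get a 'no' prefix, submode lines group under their parent."""
    added, removed = changed_commands(before, after)
    groups: Dict[str, List[str]] = {}
    for cmd, neg in [(c, "no ") for c in removed] + [(c, "") for c in added]:
        parent, _, child = cmd.partition(" / ")
        if child:
            groups.setdefault(parent, []).append(f" {neg}{child}")
        else:
            groups.setdefault(f"{neg}{parent}", [])
    return [line for p, kids in groups.items() for line in [p, *kids]]
```

Run `print("\n".join(replay_record(BEFORE, AFTER)))` to see the command list; feed real captures in place of the constructed strings.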

Step 7

Return to the threat defense CLI by typing Ctrl+a, then d, or you can enter exit to exit each mode.

Note

If you type Ctrl+a, then d to return to the threat defense CLI without first exiting recovery-config mode, the recovery-config-mode session will remain open, and deployment will be blocked.

Example:


firepower# exit

Logoff

User enable_1 logged in to firepower
Logins over the last 1 days: 4.  Last login: 20:42:51 UTC Dec 4 2024 from console
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
firepower> exit
Console connection detached.
>