How to Replace a Faulty Cisco Router
Introduction
Replacing a faulty Cisco router is one of the most time-sensitive tasks a network engineer faces. Done correctly, it is a structured process: back up configuration and the IOS image from the old router, prepare the replacement unit, transfer the image, load the configuration, verify licenses, and restore connectivity. Done incorrectly, a router replacement can turn a hardware fault into an extended outage.
This guide covers the complete replacement procedure for Cisco ISR (Integrated Services Routers — 1900, 2900, 3900, 4000 series) and ASR (Aggregation Services Routers — 1000 series) platforms running IOS or IOS-XE. It includes a dedicated section on the often-overlooked requirement to specify a TFTP source interface when transferring files on routers.
Supported Platforms
The procedure in this guide applies to the following Cisco router families, with notes where behaviour differs:
- ISR G2 — 1941, 2901, 2911, 2921, 2951, 3925, 3945: Classic IOS; single flash; TFTP source interface required
- ISR 4000 — 4321, 4331, 4351, 4431, 4451: IOS-XE; bootflash and harddisk storage; supports install and bundle mode
- ASR 1000 — ASR1001, 1002, 1004, 1006: IOS-XE; RP-based architecture; image in bootflash on each RP
- ISR 1000 — C1111, C1117, C1121: IOS-XE; compact flash; same procedure as ISR 4000
Note: License handling differs significantly between platforms and is covered in its own section below.
Overview of the Replacement Workflow
A router replacement follows this high-level sequence:
- Gather information and back up from the faulty router (if still accessible)
- Prepare the replacement unit — physical installation and basic access
- Set the TFTP source interface on the replacement router
- Transfer the IOS / IOS-XE image from TFTP server to flash
- Set the boot variable to the new image
- Load the saved configuration
- Migrate or activate licenses
- Verify and restore full connectivity
Phase 1 — Pre-Replacement Preparation (Faulty Router)
If the faulty router is still partially accessible via console or SSH, extract as much information as possible before swapping hardware.
Step 1.1: Record System Information
Document the exact IOS version, feature set, and hardware to ensure you source a matching or compatible image for the replacement:
show version show inventory show license show license udi
The show version output will tell you the exact image filename currently running, for example:
System image file is "flash:isr4400-universalk9.17.06.05.SPA.bin"
The show license udi output gives you the Unique Device Identifier (UDI) — you will need this to transfer licenses to the new unit.
Step 1.2: Back Up the Running Configuration
Save to TFTP server:
copy running-config tftp://192.168.10.10/faulty-router-running-config.txt
Save to local flash as a fallback:
copy running-config flash:running-config-backup.txt
If the router is completely unresponsive, retrieve the startup configuration from flash using ROMMON (covered in the Troubleshooting section).
Step 1.3: Back Up the IOS Image from Flash
If the replacement unit needs the same IOS image and you have it on the faulty router's flash, copy it to the TFTP server now — while you still have access:
copy flash:isr4400-universalk9.17.06.05.SPA.bin tftp://192.168.10.10/
Note on TFTP Source Interface: If this copy fails, the router may not be able to route packets out the management interface using a default source. See Phase 3 for how to fix this.
Step 1.4: Note Interface Names and Physical Cabling
Photograph or document the physical port connections on the faulty router. Interface naming (GigabitEthernet0/0, GigabitEthernet0/0/0, etc.) varies by platform — a replacement unit of a different sub-model may use different interface names, requiring a config adjustment.
show ip interface brief show interfaces description
Phase 2 — Physical Installation of Replacement Router
Step 2.1: Power Off and Remove the Faulty Unit
- Notify stakeholders and open a maintenance window
- Label all cables before disconnecting
- Power off the faulty router gracefully if possible:
reload
- Remove and rack the replacement unit
Step 2.2: Connect Console and Management Cables
- Connect a console cable to the replacement router
- Connect the management port (or Gi0/0) to a switch port with access to your TFTP server
- Do not connect WAN or production interfaces yet
Step 2.3: Initial Power-On
Power on the replacement router and connect via console. If this is a brand-new unit, it will boot the factory IOS image and may prompt you with the setup wizard. Answer no to the setup wizard:
--- System Configuration Dialog --- Would you like to enter the initial configuration dialog? [yes/no]: no
You will be dropped into the Router> prompt. Enter privileged mode:
enable
Phase 3 — Configure Basic IP and Set TFTP Source Interface
Before you can transfer any files, the replacement router needs a reachable IP address and — critically — the correct TFTP source interface configured.
Why Routers Require a TFTP Source Interface
Unlike switches, routers have multiple interfaces and use routing to determine the source IP of outbound packets. When you run a copy tftp flash: command, the router selects the source IP based on its routing table, which on a freshly booted router may point to the wrong interface or produce no route at all. The TFTP server will receive a connection from an unexpected source IP and may reject it, or the packets may simply not route correctly.
The solution is to explicitly tell the router which interface to use as the source for TFTP traffic using the ip tftp source-interface command. This ensures the TFTP session originates from the interface connected to your management network, where the TFTP server is reachable.
Step 3.1: Assign an IP Address to the Management Interface
Enter global configuration mode and assign a temporary IP to the interface connected to your TFTP server network. On most ISR platforms this is GigabitEthernet0/0 or GigabitEthernet0/0/0:
For ISR G2 (1900/2900/3900) — interface naming:
configure terminal interface GigabitEthernet0/0 ip address 192.168.10.2 255.255.255.0 no shutdown exit
For ISR 4000 / ASR 1000 / ISR 1000 — interface naming:
configure terminal interface GigabitEthernet0/0/0 ip address 192.168.10.2 255.255.255.0 no shutdown exit
If using a dedicated Management port (ISR 4000, ASR 1000):
configure terminal interface GigabitEthernet0 vrf forwarding Mgmt-intf ip address 192.168.10.2 255.255.255.0 no shutdown exit
Note: ISR 4000 and ASR 1000 routers have a dedicated out-of-band management port (GigabitEthernet0) that operates in a separate VRF named Mgmt-intf. If you use this port, you must also specify the VRF in the TFTP source interface command (see Step 3.2).
Step 3.2: Set the TFTP Source Interface
This is the critical command that prevents TFTP transfer failures on routers.
If using a regular in-band interface (e.g., GigabitEthernet0/0 or GigabitEthernet0/0/0):
ip tftp source-interface GigabitEthernet0/0
or for ISR 4000:
ip tftp source-interface GigabitEthernet0/0/0
If using the dedicated management port with Mgmt-intf VRF (ISR 4000 / ASR 1000):
ip tftp source-interface GigabitEthernet0
And also specify the VRF when running the copy command (Step 4.1).
Step 3.3: Add a Default Route to Reach the TFTP Server
If the TFTP server is not on the same subnet as the management interface, add a temporary static default route:
ip route 0.0.0.0 0.0.0.0 192.168.10.1
Verify reachability to the TFTP server before proceeding:
ping 192.168.10.10
If you are using the Mgmt-intf VRF, use:
ping vrf Mgmt-intf 192.168.10.10
Phase 4 — Transfer IOS Image to Flash
Step 4.1: Check Available Flash Space
Before copying the image, confirm you have enough space:
ISR G2:
show flash: | include bytes
ISR 4000 / ASR 1000:
show bootflash: | include bytes dir bootflash:
Cisco ISR IOS images range from 100 MB to over 1 GB. Ensure there is adequate free space. If not, delete any existing large files you do not need:
delete bootflash:old-image.bin
Step 4.2: Copy the IOS Image from TFTP Server
For ISR G2 (copies to flash:):
copy tftp://192.168.10.10/isr-universalk9-mz.155-3.M9.bin flash:
For ISR 4000 / ISR 1000 (copies to bootflash:):
copy tftp://192.168.10.10/isr4400-universalk9.17.06.05.SPA.bin bootflash:
If using the Mgmt-intf VRF on ISR 4000 / ASR 1000:
copy tftp://192.168.10.10/isr4400-universalk9.17.06.05.SPA.bin bootflash: vrf Mgmt-intf
The transfer will begin and display progress. Depending on image size and network speed, this may take several minutes:
Destination filename [isr4400-universalk9.17.06.05.SPA.bin]? Accessing tftp://192.168.10.10/isr4400-universalk9.17.06.05.SPA.bin... Loading isr4400-universalk9.17.06.05.SPA.bin from 192.168.10.10: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [OK - 588251136 bytes]
Step 4.3: Verify Image Integrity
Always verify the MD5 checksum after transfer. Compare the result against the value published on Cisco's software download page:
ISR G2:
verify /md5 flash:isr-universalk9-mz.155-3.M9.bin
ISR 4000 / ASR 1000:
verify /md5 bootflash:isr4400-universalk9.17.06.05.SPA.bin
If the checksum does not match, delete the file and re-copy it. Do not proceed with a mismatched image.
Phase 5 — Set Boot Variable and Reload
Step 5.1: Configure the Boot System Variable
Remove any existing boot system entries and point the router to the new image.
ISR G2:
configure terminal no boot system flash:<old-image.bin> boot system flash:isr-universalk9-mz.155-3.M9.bin exit
ISR 4000 / ISR 1000:
configure terminal no boot system bootflash:<old-image.bin> boot system bootflash:isr4400-universalk9.17.06.05.SPA.bin exit
ISR 4000 using Install Mode (if applicable):
If your environment uses install mode on ISR 4000, use the install command instead of setting the boot variable manually:
install add file bootflash:isr4400-universalk9.17.06.05.SPA.bin activate commit
Step 5.2: Save Configuration and Verify Boot Variable
copy running-config startup-config show boot
Confirm the correct image filename is listed as the boot variable before reloading.
Step 5.3: Reload the Router
reload
After the router comes back up, verify the correct IOS version is running:
show version
Phase 6 — Load the Saved Configuration
Step 6.1: Re-apply the TFTP Source Interface
After the reload, the router will have come back up with only its boot configuration. Before loading the full configuration from TFTP, re-apply the management IP and TFTP source interface commands so the router can reach your TFTP server:
configure terminal interface GigabitEthernet0/0/0 ip address 192.168.10.2 255.255.255.0 no shutdown exit ip tftp source-interface GigabitEthernet0/0/0 ip route 0.0.0.0 0.0.0.0 192.168.10.1 exit
Step 6.2: Copy Configuration from TFTP to Startup Config
Load the backed-up configuration directly into the startup configuration, then reload — this is the cleanest method and avoids partial configuration states:
copy tftp://192.168.10.10/faulty-router-running-config.txt startup-config
Alternatively, copy it into the running configuration for immediate application (may cause partial disruption if routing changes occur mid-copy):
copy tftp://192.168.10.10/faulty-router-running-config.txt running-config
Step 6.3: Reload to Apply Startup Configuration (Recommended)
If you loaded to startup-config in Step 6.2, reload to ensure a clean boot with the full configuration:
reload
Step 6.4: Verify Configuration After Reload
show running-config show ip interface brief show ip route
At this point the router should have all its interfaces configured, routing protocols starting, and VPN or service configurations in place.
Phase 7 — License Migration
Cisco IOS licenses are tied to the hardware UDI (Unique Device Identifier) of each router. Moving a configuration to a new router does not automatically transfer the licenses. The procedure differs based on the licensing model in use.
Determine the Licensing Model
show license show license udi show version | include License
Classic PAK Licensing (ISR G2 — 1900/2900/3900 Series)
ISR G2 routers use Product Activation Keys (PAKs) tied to the hardware. To relicense the replacement unit:
- Note the UDI of the replacement router:
show license udi - Log in to Cisco License Manager at cisco.com/go/license
- If the PAK was registered to the faulty unit and you have an RMA, initiate an RMA license transfer at the same portal
- Generate new license files for the replacement UDI
- Transfer the license file to flash:
copy tftp://192.168.10.10/replacement-router.lic flash:
- Install the license:
license install flash:replacement-router.lic
- Verify licenses:
show license show license detail
- Accept the license EULA if prompted and reload if required
Smart Licensing (ISR 4000, ISR 1000, ASR 1000 — IOS-XE 16.x and later)
ISR 4000 and ASR 1000 series running IOS-XE 16.x and later use Cisco Smart Licensing. Licenses are managed centrally via Cisco Smart Software Manager (CSSM) and are not locked to hardware UDI in the same way.
- Verify Smart Licensing status:
show license status show license summary
- If the router can reach Cisco's cloud licensing servers, register it:
license smart register idtoken <your-token-from-CSSM>
- If operating in a disconnected environment, use the Smart Licensing transport gateway or CSSM On-Prem
- Verify after registration:
show license status show license summary
Smart Licensing Using Policy — SLP (IOS-XE 17.3 and later)
Routers running IOS-XE 17.3 or later use Smart Licensing Using Policy (SLP), which allows devices to operate and report usage within a reporting period without immediate registration. The router will still need eventual CSSM reporting:
show license status show license tech support | include Policy
Tip: If you have an active Cisco TAC case for the RMA, Cisco can assist with license transfer directly through the case portal.
Phase 8 — Final Verification and Restoration
Step 8.1: Connect Production Interfaces
Once the IOS, configuration, and licenses are confirmed, physically connect the WAN and LAN production interfaces. Replace the management IP with the router's correct production IP as defined in the loaded configuration.
Step 8.2: Verify Routing and Connectivity
show ip route show ip bgp summary show ip ospf neighbor show ip eigrp neighbors
Step 8.3: Verify WAN and Tunnel Interfaces
show interfaces show crypto isakmp sa show crypto ipsec sa show dmvpn
Step 8.4: Verify NAT and Services
show ip nat translations show ip nat statistics show policy-map interface
Step 8.5: Check System Health
show processes cpu | include five show memory statistics show logging | include ERROR|WARN
Step 8.6: Verify System Clock and NTP
show clock show ntp status show ntp associations
Troubleshooting Common Issues
TFTP Transfer Fails — Timeout or No Response
This is almost always a source interface issue. Verify:
show ip tftp show running-config | include tftp
Ensure the ip tftp source-interface is set to the interface that can reach the TFTP server. Confirm the interface is up and has an IP:
show interfaces GigabitEthernet0/0/0 ping 192.168.10.10 source GigabitEthernet0/0/0
Also confirm the TFTP server is listening and the firewall allows UDP port 69 from the router's management IP.
Router Fails to Boot After Image Transfer
Access ROMMON and manually boot the image to diagnose:
rommon 1 > dir flash: rommon 2 > boot flash:isr4400-universalk9.17.06.05.SPA.bin
If the image loads successfully from ROMMON, the boot variable was not set correctly. Fix it after booting:
configure terminal no boot system bootflash:<wrong-entry> boot system bootflash:isr4400-universalk9.17.06.05.SPA.bin exit copy running-config startup-config
Configuration Loaded but Interfaces Have Wrong Names
If the replacement is a different sub-model, interface names may differ (e.g., the faulty router had GigabitEthernet0/0 but the replacement uses GigabitEthernet0/0/0). You will need to edit the configuration before or after loading it:
configure terminal interface GigabitEthernet0/0/0 ip address <address from old config> <mask> no shutdown exit
Retrieving Startup Configuration from Dead Router via ROMMON
If the faulty router's IOS is corrupted but the flash is intact, boot into ROMMON and read the startup-config file:
rommon 1 > dir flash: rommon 2 > more flash:startup-config
Copy the output manually from the console to a text file on your workstation for later use.
License Shows as Uncompliant After Replacement
For Classic PAK licensing, confirm the PAK has been reassigned to the new UDI at cisco.com/go/license. For Smart Licensing, verify the token is valid and the router can reach CSSM:
show license status ping vrf Mgmt-intf tools.cisco.com
Quick Reference: Platform-Specific Storage and Interface Names
ISR G2 — 1941 / 2901 / 2911 / 2921 / 2951 / 3925 / 3945
Flash location : flash: Image type : .bin (monolithic IOS) Management interface: GigabitEthernet0/0 TFTP source command : ip tftp source-interface GigabitEthernet0/0 Boot variable : boot system flash:<image.bin> Licensing : Classic PAK (cisco.com/go/license)
ISR 4000 — 4321 / 4331 / 4351 / 4431 / 4451
Flash location : bootflash: Image type : .bin (bundle) or packages.conf (install mode) Management interface: GigabitEthernet0 (VRF: Mgmt-intf) TFTP source command : ip tftp source-interface GigabitEthernet0 TFTP copy with VRF : copy tftp://server/image.bin bootflash: vrf Mgmt-intf Boot variable : boot system bootflash:<image.bin> Licensing : Smart Licensing / SLP (IOS-XE 17.3+)
ASR 1000 — ASR1001-X / ASR1002-X / ASR1004 / ASR1006
Flash location : bootflash: (per RP) Image type : .bin (bundle) or packages.conf Management interface: GigabitEthernet0 (VRF: Mgmt-intf) TFTP source command : ip tftp source-interface GigabitEthernet0 TFTP copy with VRF : copy tftp://server/image.bin bootflash: vrf Mgmt-intf Boot variable : boot system bootflash:<image.bin> Licensing : Smart Licensing / SLP
ISR 1000 — C1111 / C1117 / C1121
Flash location : bootflash: Image type : .bin (bundle) or packages.conf Management interface: GigabitEthernet0 (VRF: Mgmt-intf) or GigabitEthernet0/0/0 TFTP source command : ip tftp source-interface GigabitEthernet0/0/0 Boot variable : boot system bootflash:<image.bin> Licensing : Smart Licensing / SLP
Best Practices and Recommendations
Before a Failure Happens
- Maintain a regularly updated backup of every router's running configuration in your TFTP server or NMS
- Keep a copy of each router's IOS image on the TFTP server — do not rely on extracting it from the live router during an outage
- Record the UDI and license details for every router in your inventory system
- Label physical cabling with interface identifiers to simplify reconnection after a hardware swap
- Test your TFTP server periodically to confirm it is reachable and serving files correctly
During the Replacement
- Always set
ip tftp source-interfacebefore attempting any TFTP transfer on a router - Verify MD5 checksums on every image transfer — never skip this step
- Load the configuration into startup-config and reload, rather than merging into running-config, for a cleaner result
- Do not connect WAN and production interfaces until the IOS, configuration, and licenses are confirmed
- Keep console access open throughout the entire procedure
After the Replacement
- Monitor the replacement router for 24–48 hours for any stability issues
- Validate all services: routing protocols, VPN tunnels, NAT, QoS, and access control
- Update your inventory and network documentation with the new unit's serial number and UDI
- Initiate the RMA return for the faulty unit promptly to avoid charges
- Update your TFTP server with the latest configuration backup from the replacement unit
Conclusion
Replacing a faulty Cisco router is a structured process that, when followed in the correct sequence, can restore full network services with minimal downtime. The steps are consistent across the ISR and ASR families: prepare and back up, install the replacement, configure basic IP connectivity, set the TFTP source interface, transfer and verify the IOS image, load the configuration, and migrate licenses.
The ip tftp source-interface command is one of the most important — and most commonly forgotten — steps when working with Cisco routers. Unlike switches, routers do not automatically know which interface to use for management traffic, and a missing source interface setting is the single most common reason TFTP transfers fail during a router replacement.
Thorough pre-failure preparation — particularly maintaining current configuration backups and keeping IOS images on a TFTP server — is what separates a 30-minute router replacement from a multi-hour outage. Build these practices into your standard operations and every router replacement will be a manageable, predictable procedure.