topic Hi Mohammad,I replicated your in Network Access Control

AAA and ASA issue

MOHAMMAD ALHAJ EID — Mon, 11 Mar 2019 05:32:28 GMT

Hi Team

Once I configured the ASA AAA commands , hence I am not able to do any command including the show commands , And following message came once I accessed through serial through SSH..

Fallback authorization. Username 'enable_15' not in LOCAL database

For more information Following are AAA configuration in the ASA.

aaa authentication enable console TACACS-SERVER LOCAL
aaa authentication http console TACACS-SERVER LOCAL
aaa authentication ssh console TACACS-SERVER LOCAL
aaa authorization command TACACS-SERVER LOCAL

Hi Mohammad,It has to do with

Adeolu Owokade — Fri, 13 Mar 2015 04:01:18 GMT

Hi Mohammad,

It has to do with the command authorization you enabled.

Do you have any AAA server configured under the TACACS-SERVER server-group? It seems the ASA tries to contact the TACACS-SERVER for command authorization and it fails so it falls back to the LOCAL database.

Since you configured these commands after logging in via SSH, the ASA tries to perform command authorization for the "enable_15" username and it fails because there is no username like that in the LOCAL database.

Do you have access to the ASA via some other means? What kind of TACACS+ server are you using?

Do you have multiple context

Jatin Katyal — Fri, 13 Mar 2015 04:20:48 GMT

Do you have multiple context configured with command authorization?

It seems that authentication request is failing over to local database and unable to find "enable_15" user in it.

The solution is to create a username called "enable_15" or use "login".

It's explained here

Regards,

Jatin

Dear Adeolu/JatinI have

MOHAMMAD ALHAJ EID — Fri, 13 Mar 2015 09:09:23 GMT

Dear Adeolu/Jatin

I have created the username enable_15 with privilege 15 in both contexts with no luck; I would thank you for your prompt response.

Since I configured a couple of boxes in A/A mode ( CTX-1 active in the first ASA and standby in the second ASA, Then CTX-2 is Active in second ASA and standby in the first ASA) I did following as troubleshooting and have doubt why IPs ( 10.32.0.1 and 10.32.0.12) are reachable but IPs( 10.32.0.2 and 10.32.0.11) are not reachable at all, even 10.32.0.11 is in active mode and this may occurring this issue.. For more information first box have no errors once I access the box through serial but the second box have the message of once I accessed through serial...

(Fallback authorization. Username 'enable_15' not in LOCAL database)

Following are the troubleshooting done.

First box ( CTX-1) :

First-ASA-CONTEXT-1# show failover
Failover On
Last Failover at: 01:05:08 UTC Mar 12 2015
        This context: Active
                Active time: 9701 (sec)
                  Interface VLAN812-IN (10.32.0.1😞 Normal (Not-Monitored)

Peer context: Standby Ready
Active time: 0 (sec)
Interface VLAN812-IN (10.32.0.2😞 Normal (Not-Monitored)

First-ASA-CONTEXT-1#sh run int po8.812

interface Port-channel8.812
nameif VLAN812-IN
security-level 100
ip address 10.32.100.1 255.255.255.0 standby 10.32.100.2

First-ASA-CONTEXT-1 # sh ip add
System IP Addresses:
Interface                            Name                   IP address      Subnet mask     Method
Port-channel8.812        VLAN812-IN             10.32.0.1     255.255.255.0   CONFIG

Current IP Addresses:
Interface Name IP address Subnet mask Method
Port-channel8.812 VLAN812-IN 10.32.0.1 255.255.255.0 CONFIG

________________________________________________________________

Second box,

Second- ASA( CTX-2)# show failover
Failover On
Last Failover at: 01:07:26 UTC Mar 12 2015
        This context: Standby Ready
                Active time: 137 (sec)
                  Interface VLAN812-IN (10.32.0.12😞 Normal (Not-Monitored)

        Peer context: Active
                Active time: 9657 (sec)
                  Interface VLAN812-IN (10.32.0.11😞 Normal (Not-Monitored)

Second- ASA( CTX-2)# sh run int po8.812

interface Port-channel8.812
nameif VLAN812-IN
security-level 100
ip address 10.32.100.11 255.255.255.0 standby 10.32.100.12

Second- ASA( CTX-2)# sh ip add
System IP Addresses:
Interface                            Name                   IP address      Subnet mask     Method
Port-channel8.812        VLAN812-IN             10.32.0.11      255.255.255.0   CONFIG

Current IP Addresses:
Interface Name IP address Subnet mask Method
Port-channel8.812 VLAN812-IN 10.32.0.12 255.255.255.0 CONFIG

Following are TACACS-SERVER configuration in both boxes :

aaa-server 10.32.0.100 protocol tacacs+
aaa-server TACACS-SERVER protocol tacacs+
aaa-server TACACS-SERVER (VLAN812-IN) host 10.32.0.100
key *****
user-identity default-domain LOCAL
aaa authentication enable console TACACS-SERVER LOCAL
aaa authentication http console TACACS-SERVER LOCAL
aaa authentication ssh console TACACS-SERVER LOCAL
aaa authorization command TACACS-SERVER LOCAL
aaa accounting command privilege 15 TACACS-SERVER
aaa accounting enable console TACACS-SERVER
aaa accounting ssh console TACACS-SERVER
aaa authorization exec authentication-server

Hi Mohammad,Before dealing

Adeolu Owokade — Fri, 13 Mar 2015 17:29:54 GMT

Hi Mohammad,

Before dealing with AAA, can you check that your A/A failover configuration is correct? I see something about 10.32.100.X instead of 10.32.0.X in your configuration. Was this a posting error?

Please paste your failover configuration for the system context and the interface configuration for CTX1 and CTX2. You can remove any revealing information.

Hi Andrew, Please find brief

MOHAMMAD ALHAJ EID — Fri, 13 Mar 2015 18:05:34 GMT

Hi Andrew,

Please find brief attached for the failover configuration for both ASAs.

Hi Mohammad,You are sharing

Adeolu Owokade — Fri, 13 Mar 2015 19:54:11 GMT

Hi Mohammad,

You are sharing interfaces between contexts so you should either have unique MAC addresses or a NAT configuration to help the ASA classify packets per contexts correctly. This link explains more: http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/contexts.html#wp1124172

What version of the ASA are you using? Starting from version 8.5(1), automatic MAC address generation is enabled. Check the MAC addresses on the interface just to be sure.

Hello Anddrew, I am using the

MOHAMMAD ALHAJ EID — Fri, 13 Mar 2015 21:07:41 GMT

Hello Adeolu Owokade,

I am using the version 9.1, Shared interfaces are enabled and I am using the following command :

MAC-ADDRESS AUTO PREFIX 1

Since I am configuring this command under the System context , It will replicate to the other ASA but it could be the prefix issue, Is it ?

Hi Mohammad,I replicated your

Adeolu Owokade — Fri, 13 Mar 2015 21:09:19 GMT

Hi Mohammad,

I replicated your configuration in a lab environment and I was able to ping all IP addresses, both active and standby.

Perhaps you should troubleshoot why you can't ping those addresses.

appreciate your efforts

MOHAMMAD ALHAJ EID — Fri, 13 Mar 2015 22:06:35 GMT

appreciate your efforts Adelou,

I will do further troubleshooting on this case and keep you updated, But I have doubt may be because I created multiple pairs before this sub interface and this may a limitation, If you created more than two or three pairs other than the po8.812 , With different ips will other active and standby kept in reachable scenarios ?

Jatin, Can you chime in on

james.king14 — Tue, 06 Oct 2015 20:47:07 GMT

Jatin,

Can you chime in on another ticket something similar to this one? Anyconnect Client Certificate from me. I would like to hear your advisement on the subject.