topic ASA5520 username password invalid,what is the reason? in Network Security

ASA5520 username password invalid,what is the reason?

CSCO11685325 — Tue, 12 Mar 2019 00:18:52 GMT

Two 5520 firewall configuration of the failover and SSH, the first remote landing SSH, can use user and password successful landing, again landing, to prompt the user name password is invalid, what is the reason?

ASA5520 username password invalid,what is the reason?

Jennifer Halim — Sun, 04 Nov 2012 13:49:33 GMT

Are you saying that when you try to SSH, the first time you can successfully login, however, when you try to access the same ASA the second time, it doesn't?

Which interface are you trying to SSH on?

Can you pls share your configuration.

Re: ASA5520 username password invalid,what is the reason?

CSCO11685325 — Sun, 04 Nov 2012 15:43:27 GMT

HI,

Password must be true, because just used, interval minute again remote landing, SSH authentication password is invalid, access through HTTPS ASDM, also prompts the user password error.

ASA Version 8.2(5)

hostname FIREWALL

domain-name cife.com

enable password ciscocc

passwd ciscocc

names

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 1.1.1.1 255.255.255.240 standby 1.1.1.2

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.1.1.5 255.255.255.248 standby 10.1.1.6

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/3

description LAN/STATE Failover Interface

interface Management0/0

shutdown

no nameif

no security-level

no ip address

ftp mode passive

dns server-group DefaultDNS

domain-name cife.com

access-list 115 extended permit ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

failover

failover lan unit primary

failover lan interface failoverint GigabitEthernet0/3

failover replication http

failover link failoverint GigabitEthernet0/3

failover interface ip failoverint 192.168.10.1 255.255.255.0 standby 192.168.10.2

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group 115 in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL

aaa local authentication attempts max-fail 3

http server enable

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server community public

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 0.0.0.0 255.255.255.255 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 30

ssh version 1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username ciscocc password ciscocc

Cryptochecksum:62171bdb273626844a351aecee7e4ed7

: end

ASA5520 username password invalid,what is the reason?

Marvin Rhoads — Sun, 04 Nov 2012 16:49:04 GMT

I am surprised to see the output above with plain text passwords. I would expect the output of "show run" to include encrypted (hashed) values for passwords. How did you generate the output - using "more:system running-config"?

ASA5520 username password invalid,what is the reason?

Jennifer Halim — Mon, 05 Nov 2012 09:23:58 GMT

You have the following configured:

aaa local authentication attempts max-fail 3

Which will only allows 3 fails attempt, and it won't allow you to connect anymore after 3 fails attempt.

To check if your username is locked out, you can issue:

show aaa local user

If the user is locked out, you can clear it by using:

clear aaa local user lockout username ciscocc