cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


2707
Views
0
Helpful
4
Replies
Highlighted
Beginner

ASA5520 username password invalid,what is the reason?

Two 5520 firewall configuration of the failover and SSH, the first remote landing SSH, can use user and password successful landing, again landing, to prompt the user name password is invalid, what is the reason?

Everyone's tags (5)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

ASA5520 username password invalid,what is the reason?

You have the following configured:

aaa local authentication attempts max-fail 3

Which will only allows 3 fails attempt, and it won't allow you to connect anymore after 3 fails attempt.

To check if your username is locked out, you can issue:

show aaa local user

If the user is locked out, you can clear it by using:

clear aaa local user lockout username ciscocc

4 REPLIES 4
Cisco Employee

ASA5520 username password invalid,what is the reason?

Are you saying that when you try to SSH, the first time you can successfully login, however, when you try to access the same ASA the second time, it doesn't?

Which interface are you trying to SSH on?

Can you pls share your configuration.

Beginner

Re: ASA5520 username password invalid,what is the reason?

HI,

      Password must be true, because just used, interval minute again remote landing, SSH authentication password is invalid, access through HTTPS ASDM, also prompts the user password error.

ASA Version 8.2(5)

!

hostname FIREWALL

domain-name cife.com

enable password ciscocc

passwd ciscocc

names

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 1.1.1.1 255.255.255.240 standby 1.1.1.2

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.1.1.5 255.255.255.248 standby 10.1.1.6

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

description LAN/STATE Failover Interface

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

dns server-group DefaultDNS

domain-name cife.com

access-list 115 extended permit ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

failover

failover lan unit primary

failover lan interface failoverint GigabitEthernet0/3

failover replication http

failover link failoverint GigabitEthernet0/3

failover interface ip failoverint 192.168.10.1 255.255.255.0 standby 192.168.10.2

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group  115 in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL

aaa local authentication attempts max-fail 3

http server enable

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server community public

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 0.0.0.0 255.255.255.255 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 30

ssh version 1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username ciscocc password ciscocc

!

!

Cryptochecksum:62171bdb273626844a351aecee7e4ed7

: end

Hall of Fame Master

ASA5520 username password invalid,what is the reason?

I am surprised to see the output above with plain text passwords. I would expect the output of "show run" to include encrypted (hashed) values for passwords. How did you generate the output - using "more:system running-config"?

Cisco Employee

ASA5520 username password invalid,what is the reason?

You have the following configured:

aaa local authentication attempts max-fail 3

Which will only allows 3 fails attempt, and it won't allow you to connect anymore after 3 fails attempt.

To check if your username is locked out, you can issue:

show aaa local user

If the user is locked out, you can clear it by using:

clear aaa local user lockout username ciscocc