03-11-2015 10:11 AM - edited 03-10-2019 10:32 PM
Hi Team
Once I configured the ASA AAA commands, I was no longer able to run any command, including the show commands, and the following message appeared when I accessed the box through serial or SSH:
Fallback authorization. Username 'enable_15' not in LOCAL database
For more information, the following is the AAA configuration in the ASA.
aaa authentication enable console TACACS-SERVER LOCAL
aaa authentication http console TACACS-SERVER LOCAL
aaa authentication ssh console TACACS-SERVER LOCAL
aaa authorization command TACACS-SERVER LOCAL
03-12-2015 09:01 PM
Hi Mohammad,
It has to do with the command authorization you enabled.
Do you have any AAA server configured under the TACACS-SERVER server-group? It seems the ASA tries to contact the TACACS-SERVER for command authorization and it fails so it falls back to the LOCAL database.
Since you configured these commands after logging in via SSH, the ASA tries to perform command authorization for the "enable_15" username and it fails because there is no username like that in the LOCAL database.
Do you have access to the ASA via some other means? What kind of TACACS+ server are you using?
03-13-2015 02:09 AM
Dear Adeolu/Jatin
I have created the username enable_15 with privilege 15 in both contexts with no luck; thank you for your prompt response.
Since I configured a couple of boxes in A/A mode (CTX-1 active in the first ASA and standby in the second ASA, and CTX-2 active in the second ASA and standby in the first ASA), I did the following troubleshooting. I am wondering why the IPs 10.32.0.1 and 10.32.0.12 are reachable but the IPs 10.32.0.2 and 10.32.0.11 are not reachable at all, even though 10.32.0.11 is in active mode; this may be causing the issue. For more information, the first box shows no errors when I access it through serial, but the second box shows the following message when I access it through serial:
(Fallback authorization. Username 'enable_15' not in LOCAL database)
The following is the troubleshooting I did.
First box (CTX-1):
First-ASA-CONTEXT-1# show failover
Failover On
Last Failover at: 01:05:08 UTC Mar 12 2015
This context: Active
Active time: 9701 (sec)
Interface VLAN812-IN (10.32.0.1): Normal (Not-Monitored)
Peer context: Standby Ready
Active time: 0 (sec)
Interface VLAN812-IN (10.32.0.2): Normal (Not-Monitored)
First-ASA-CONTEXT-1#sh run int po8.812
interface Port-channel8.812
nameif VLAN812-IN
security-level 100
ip address 10.32.100.1 255.255.255.0 standby 10.32.100.2
First-ASA-CONTEXT-1 # sh ip add
System IP Addresses:
Interface Name IP address Subnet mask Method
Port-channel8.812 VLAN812-IN 10.32.0.1 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Port-channel8.812 VLAN812-IN 10.32.0.1 255.255.255.0 CONFIG
________________________________________________________________
Second box:
Second- ASA( CTX-2)# show failover
Failover On
Last Failover at: 01:07:26 UTC Mar 12 2015
This context: Standby Ready
Active time: 137 (sec)
Interface VLAN812-IN (10.32.0.12): Normal (Not-Monitored)
Peer context: Active
Active time: 9657 (sec)
Interface VLAN812-IN (10.32.0.11): Normal (Not-Monitored)
Second- ASA( CTX-2)# sh run int po8.812
interface Port-channel8.812
nameif VLAN812-IN
security-level 100
ip address 10.32.100.11 255.255.255.0 standby 10.32.100.12
Second- ASA( CTX-2)# sh ip add
System IP Addresses:
Interface Name IP address Subnet mask Method
Port-channel8.812 VLAN812-IN 10.32.0.11 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Port-channel8.812 VLAN812-IN 10.32.0.12 255.255.255.0 CONFIG
The following is the TACACS-SERVER configuration in both boxes:
aaa-server 10.32.0.100 protocol tacacs+
aaa-server TACACS-SERVER protocol tacacs+
aaa-server TACACS-SERVER (VLAN812-IN) host 10.32.0.100
key *****
user-identity default-domain LOCAL
aaa authentication enable console TACACS-SERVER LOCAL
aaa authentication http console TACACS-SERVER LOCAL
aaa authentication ssh console TACACS-SERVER LOCAL
aaa authorization command TACACS-SERVER LOCAL
aaa accounting command privilege 15 TACACS-SERVER
aaa accounting enable console TACACS-SERVER
aaa accounting ssh console TACACS-SERVER
aaa authorization exec authentication-server
03-13-2015 10:29 AM
Hi Mohammad,
Before dealing with AAA, can you check that your A/A failover configuration is correct? I see something about 10.32.100.X instead of 10.32.0.X in your configuration. Was this a posting error?
Please paste your failover configuration for the system context and the interface configuration for CTX1 and CTX2. You can remove any revealing information.
03-13-2015 11:05 AM
03-13-2015 12:54 PM
Hi Mohammad,
You are sharing interfaces between contexts, so you should either have unique MAC addresses or a NAT configuration to help the ASA classify packets per context correctly. This link explains more: http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/contexts.html#wp1124172
What version of the ASA are you using? Starting from version 8.5(1), automatic MAC address generation is enabled. Check the MAC addresses on the interface just to be sure.
03-13-2015 02:07 PM
Hello Adeolu Owokade,
I am using version 9.1. Shared interfaces are enabled and I am using the following command:
MAC-ADDRESS AUTO PREFIX 1
Since I am configuring this command under the System context, it will replicate to the other ASA, but could it be the prefix issue?
03-13-2015 02:09 PM
Hi Mohammad,
I replicated your configuration in a lab environment and I was able to ping all IP addresses, both active and standby.
Perhaps you should troubleshoot why you can't ping those addresses.
03-13-2015 03:06 PM
I appreciate your efforts, Adeolu.
I will do further troubleshooting on this case and keep you updated, but I suspect it may be because I created multiple pairs before this sub-interface and this may be a limitation. If you created more than two or three pairs other than po8.812, with different IPs, would the other active and standby addresses remain reachable?
03-12-2015 09:20 PM
Do you have multiple contexts configured with command authorization?
It seems that the authentication request is failing over to the local database and is unable to find the "enable_15" user in it.
The solution is to create a username called "enable_15" or use "login".
It's explained here
Regards,
Jatin
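The failure mode Adeolu and Jatin describe (command authorization falling back to LOCAL, where the implicit "enable_15" user does not exist) can be checked for before it locks an admin out. The script below is an added example, not from the thread or from Cisco; it parses a constructed ASA config fragment built from the lines posted above and flags the two conditions discussed: a TACACS+ server group with no host, and LOCAL fallback without an enable_15 privilege-15 user.

```python
import re

# Constructed sample: the AAA lines posted in the thread. The server-group
# host is present, but no local "enable_15" user has been defined yet.
SAMPLE_CONFIG = """\
aaa-server TACACS-SERVER protocol tacacs+
aaa-server TACACS-SERVER (VLAN812-IN) host 10.32.0.100
 key *****
aaa authentication enable console TACACS-SERVER LOCAL
aaa authentication ssh console TACACS-SERVER LOCAL
aaa authorization command TACACS-SERVER LOCAL
"""


def audit_command_authz(config: str) -> list[str]:
    """Return findings about 'aaa authorization command' fallback risk."""
    findings = []
    groups_with_hosts = set()   # server groups that have at least one host
    privileges = {}             # local username -> privilege level
    authz = None                # (server group, LOCAL fallback enabled?)
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"aaa-server (\S+) \(\S+\) host \S+", line)
        if m:
            groups_with_hosts.add(m.group(1))
        m = re.match(r"username (\S+) .*privilege (\d+)", line)
        if m:
            privileges[m.group(1)] = int(m.group(2))
        m = re.match(r"aaa authorization command (\S+)(?: (LOCAL))?$", line)
        if m:
            authz = (m.group(1), m.group(2) is not None)
    if authz is None:
        return findings            # command authorization not enabled
    group, local_fallback = authz
    if group != "LOCAL" and group not in groups_with_hosts:
        findings.append(f"server-group {group} has no host; every command "
                        "authorization request will fall back")
    # Commands run after a plain 'enable' are authorized as user enable_15;
    # with LOCAL fallback that user must exist locally at privilege 15.
    if local_fallback and privileges.get("enable_15") != 15:
        findings.append("LOCAL fallback enabled but no 'enable_15' user "
                        "with privilege 15")
    return findings


if __name__ == "__main__":
    for finding in audit_command_authz(SAMPLE_CONFIG):
        print("WARNING:", finding)
```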
10-06-2015 01:47 PM
Jatin,
Can you chime in on another ticket similar to this one, "Anyconnect Client Certificate", from me? I would like to hear your advisement on the subject.