
Unable to pull config from Cisco ASAs using Cisco Prime 4.1

Ben Sanderson
Level 1

Hello,

I am having an issue pulling configs from Cisco ASAs (5520s and 5540s) using Cisco Prime 4.1.

When I do a Reachable Status it passes SSHv2, but when I check the Sync Archive job I get this error...

CM0151 PRIMARY RUNNING Config fetch failed for 5520-ASA Cause: SSH: Failed to establish SSH connection to xx.xx.xx.xx - Cause: Authentication failed on device 3 times.

Action: Check if protocol is supported by device and required device package is installed. Check device credentials. Increase timeout value, if required.

Any ideas?

Thanks


6 Replies

Marvin Rhoads
Hall of Fame

I've definitely successfully backed up ASAs with Prime LMS. Odd that your reachable status passes - is ssh set as the preferred transport protocol?

From your other question you were looking to do a packet capture. You could do it on the ASA end when the failure occurs as well as examine the ASA logs, possibly debugging AAA if necessary.

Also check that you have a strong rsa key (mypubkey) on the ASA and whether ssh version 2 is enforced there.

Nope, two separate questions - just noticed that packet capture was not working, lol.

We use two factor for our ASAs. Is there a setting in Cisco Prime to factor this in?

Yes, SSHv2 is enforced.

Thanks,

I don't believe LMS supports device access using two-factor authentication methods.

I might be saying that incorrectly; when I state two-factor, I meant that you have to put a password in to get enabled.

Is there a setting in Prime to put this in?

Thanks for the response.

Sure - that's expected on an ASA: ssh login always starts you out in user exec mode. 

However, a given Primary or Secondary login credential in Prime LMS includes username, password, and enable password. (Reference the Admin guide.) Perhaps the enable password hasn't been included in the credential set being used?

Yeah I feel dumb, lol, I rechecked all of the credentials and not only was I missing the enable, but they were incorrect also.

Thanks for the help, now still need to figure out the packet capture. Even though I do not think I will be able to get it to work on a Solaris system.
