
ASA 5505 locked out

BlueMCisco (Level 1)

Hi,

I have an ASA 5505 that was previously using an AAA server for authentication/authorization. This AAA Server is gone. Now, I'd like to log in locally. However, I do not know any local passwords. I used the Cisco guide to reset the password (confreg 0x40) and I am able to boot into privileged mode as directed. However, when I try to copy the start config to the running config I get:

Fallback authorization. username 'enable_15' not in LOCAL database

Command authorization failed

It seems the enable_15 local user is missing.

Any idea how I can reset the password now?

Thanks.

9 Replies

jumora (Level 7)

You need to create a local user with privilege 15 first and then copy the configuration over.

Value our effort and rate the assistance!

lcambron (Level 3)

Hello,

You can just create the user:

username admin password password privilege 15

If you are no longer using the AAA server, I would suggest removing those commands.

Regards,

Felipe.

Remember to rate useful posts.

SHIBI V DEV (Level 1)

Create a local user in the ASA with priv 15, log in with that user, remove the AAA configs and try to save the config.

Try this command also: aaa authentication ssh console LOCAL

Thank you all for the replies. My problem is that the ACS server that the ASA was using is no longer available to me (I cut ties with the company that was providing the ACS service).

Therefore, I cannot log in to the ASA with any account that has enough privileges to create a local user, as you are all mentioning as a solution.

You can try to remove the aaa authorization commands, but if it doesn't let you, another way would be to back up the configuration, remove the commands from the backup and add the user, then copy it back to the ASA.

Regards,

Felipe.

Remember to rate useful posts.

If you are unable to access the ASA it is very likely that either the enable_15 user is missing or that the AAA config is not configured to use the local user account as a fallback. Have a look at this link to perform a password recovery on the ASA5505.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/trouble.html#wp1049302

--

Please rate all helpful posts and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

Matt qomat (Level 1)

So almost everybody here gave a stupid answer..remove aaa or add enable privilege level 15.

None of those will work since you can't log in because of the authorization failure. Some suggested doing it before you copy the config..beautiful..but when you do that you modify the running-config, which is empty/clean anyways..once you copy startup to run all those changes will be overwritten and you end up in the same place you were.

Anyone have a good idea?

Seems like copying the config to a TFTP server and modifying it there is an option..or copy the config to tftp..on the ASA do write mem with a clean config (to clear the config) and then paste whatever you need from the tftp copy..

It seems stupid Cisco didn't compensate for the case where someone forgets to add authorization console LOCAL....
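Felipe's and Matt's workaround above (pull the saved config off the box, strip the authorization lines, add the local user, paste it back) as an added Python example; it is not code from the thread. The sample config excerpt, the server group name ACS and the username/password are constructed values.

```python
import re

# Constructed ASA startup-config excerpt (not from the original thread).
SAMPLE_CONFIG = """\
hostname asa5505
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.0.2.10
 key *****
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS
aaa authorization command ACS
aaa accounting command ACS
http server enable
"""

AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: LOCAL)?$")


def rewrite_for_local_login(config, dead_group, username, password):
    """Return the config with the unreachable AAA group no longer gating
    command authorization, and a local privilege-15 user appended."""
    out = []
    for line in config.splitlines():
        stripped = line.strip()
        # Drop every 'aaa authorization' line: with the server gone these
        # produce "Command authorization failed" on every command.
        if stripped.startswith("aaa authorization "):
            continue
        # Authentication that pointed at the dead group now uses LOCAL only.
        m = AUTH_RE.match(stripped)
        if m and m.group(2) == dead_group:
            out.append(f"aaa authentication {m.group(1)} console LOCAL")
            continue
        out.append(line)  # everything else (aaa-server, accounting, ...) kept
    # The local user the replies ask for; plaintext form is accepted on paste.
    out.append(f"username {username} password {password} privilege 15")
    return "\n".join(out) + "\n"


def has_command_authorization(config):
    """True if any 'aaa authorization' line survives (paste would lock out again)."""
    return any(l.strip().startswith("aaa authorization ") for l in config.splitlines())


if __name__ == "__main__":
    fixed = rewrite_for_local_login(SAMPLE_CONFIG, "ACS", "admin", "ChangeMe123")
    print(fixed)
```

Review the rewritten text before pasting it back; the old aaa-server definitions are left in place so you can remove them deliberately once local login works.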

Hi,

When you copy a configuration from startup to running, it doesn't throw you out of the console. You would still have access, so after startup to running you can make changes.

Regards,

Akshay Rastogi

Nobody said here it will throw you out of the console. All I was saying is you can't modify it, since authorization doesn't allow you to get to the startup config! Modifying run as people suggested and then copying startup will overwrite run..so it won't work.
