Solved: ASA Level 5 Log Alert

agoraya · ‎01-10-2017

Does anyone know why this log message is generated:

Error Message %ASA-5-502103: User priv level changed: Uname: user From: privilege_level To: privilege_level

In my case the Uname: enable_1 is not a recognized username local to the FW, is this generated because FW sees this as a form of unauthorized access?

Rahul Govindan · ‎01-10-2017

This will be seen when the user goes from privileged exec mode(Hostname#) to exec mode (Hostname>). So if someone logged in to the privileged exec mode and used the command "disable", it would take them back to enable mode. I think the ASA moves the user back to enable_1 by default. This is an excerpt from my ASA:

CiscoASA# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV
CiscoASA# disable
CiscoASA> show curpriv
Username : enable_1
Current privilege level : 1
Current Mode/s : P_UNPR
CiscoASA>

View solution in original post

Rahul Govindan · ‎01-10-2017

This will be seen when the user goes from privileged exec mode(Hostname#) to exec mode (Hostname>). So if someone logged in to the privileged exec mode and used the command "disable", it would take them back to enable mode. I think the ASA moves the user back to enable_1 by default. This is an excerpt from my ASA:

CiscoASA# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV
CiscoASA# disable
CiscoASA> show curpriv
Username : enable_1
Current privilege level : 1
Current Mode/s : P_UNPR
CiscoASA>