04-11-2013 04:01 AM - edited 03-11-2019 06:26 PM
Hi folks,
A bit of a strange one I'm hoping some of you may have come across before.
When I try to SSH (PuTTY) onto our Cisco ASA5520 (8.4.2), more often than not I get an 'Access denied' message when I enter the password, which I'm 100% sure is correct.
I enter the password three times until it disconnects me. I then have to close the PuTTY session (numerous times on occasions) and start again, and then I can connect (if I'm lucky).
This is from the PuTTY event log:
2013-04-11 11:53:15 Sent password
2013-04-11 11:53:15 Access denied
Are there logs I can check when successfully connected to the firewall?
Thanks
Alex
04-11-2013 10:38 AM
Hello Alex,
Yes.
Are you using any external database for authentication? If not, just use
'debug aaa authentication' and try to log in, then
post the results.
04-15-2013 08:36 AM
Hi,
Many thanks for your reply.
We have local authentication on our firewall, however, when I connect my laptop using the console cable, the screen is constantly scrolling with firewall traffic and I can't find a way to stop it and, therefore, I cannot enter the command you suggested.
This only happens via console - not remote ssh (when I eventually connect).
Are there any historical logs I can check when successfully connected using SSH?
We have two 5520s in a HA pair and I can make the standby firewall the primary one, and the same problem occurs - cannot SSH using PuTTY, and when using the console cable, constant scrolling of firewall traffic.
This is very odd behaviour. Would something like a memory leak cause these issues?
Kind regards
Alex
04-15-2013 09:00 AM
when I connect my laptop using the console cable, the screen is constantly scrolling with firewall traffic
That means that debugging/informational logging is enabled. After you have connected successfully through SSH, first disable console logging using 'no logging console'. After that, disconnect from SSH, connect to the console, enable
'debug aaa authentication', connect again through SSH and see what's happening.
Are there any historical logs I can check when successfully connected using SSH?
Yes, you can enable logging to the buffer, i.e. 'logging buffer debugging'. The log will be saved to the buffer and you'll be able to see it later. Alternatively, you can save logs to any syslog server, but I don't think you need it here.
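The procedure from the reply above, written out as an added example (it is not part of the original thread and not the poster's configuration). The buffer size and the log-filter keywords are assumptions; the commands themselves are standard ASA 8.4 CLI.

```cisco
! Added example, not from the original thread. Buffer size and the
! syslog keywords filtered for at the end are assumptions.

! 1. From an SSH session that does get through (or the ASDM command tool):
!    stop syslog output on the serial console so the port becomes usable.
no logging console

! 2. Keep syslog in memory so a failed login can be reviewed afterwards.
logging enable
logging buffered debugging
logging buffer-size 65536

! 3. Now on the console: watch AAA decisions live while retrying from PuTTY.
!    Debug output goes to the session the command was typed in; switch it
!    off again when done, it is not free on a production box.
debug aaa authentication
! ... attempt the SSH login from PuTTY now ...
undebug all

! 4. Review what the buffer captured. 113015 is the "AAA user authentication
!    Rejected" message and carries the server and user name; 605004/605005
!    are "Login denied"/"Login permitted" for management sessions.
show logging | include 113015|605004|605005
```

The debug line tells you which server the ASA actually asked; the buffered 113015 line additionally records the reason the request was rejected, which is what points at the server-side identity store rather than at the ASA.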
04-15-2013 10:01 AM
Hi Andrew,
Thanks for all the info - it is very much appreciated.
I had to send the 'no logging console' command from the ASDM because I still can't get ssh access.
However, once that was done, I ran the 'debug aaa authentication' command and got a 'Resetting 10.116.0.3's numtries' message. That IP is our ACS, so I'll start looking there.
Thanks again for your help.
Regards
Alex
04-15-2013 11:19 AM
Hello,
You said it was local authentication, and now you are dealing with an ACS problem. Can you share the ASA setup so we can review it?
Regards,
04-16-2013 08:53 AM
Hi,
Please accept my apologies - I didn't realise the ACS was used for this authentication. I'm very new to Cisco products and I'm having difficulty learning on a production network.
Attached is the ASA config as requested.
Also, the ACS has the following messages in the logs:
Failure Reason > Authentication Failure Code Lookup
Failure Reason : 22056 Subject not found in the applicable identity store(s).
The help I'm receiving really is appreciated.
Regards
Alex
04-16-2013 09:45 AM
Hello Alex,
It does not look like the SSH sessions are being sent to the AAA server for authentication; they are being authenticated locally.
can you add :
username cisco password cisco
and try to authenticate with those as a test.
04-19-2013 08:52 AM
Hi,
I've managed to find a workaround by setting SSH authentication to local only - not ACS.
Thanks for your time and effort in helping me with this problem.
Regards
Alex
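The two ways of wiring SSH authentication that the thread contrasts, as an added example (not the poster's config, which was only attached to the original post). The server-group name 'ACS', the interface name, the TACACS+ key, the user name and the management subnet are placeholders; 10.116.0.3 is the ACS address mentioned earlier in the thread.

```cisco
! Added example, not the configuration from the thread. Group name,
! interface, key, user name and subnet are placeholders.

! A. The workaround Alex settled on: SSH logins are checked only against
!    the ASA's own user database.
aaa authentication ssh console LOCAL
username alex password <placeholder> privilege 15
ssh 10.116.0.0 255.255.255.0 inside
ssh version 2

! B. The alternative that keeps ACS in the path. The trailing LOCAL means
!    "fall back to the local database if every server in the group is
!    unreachable", nothing more.
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.116.0.3
 key <placeholder>
aaa authentication ssh console ACS LOCAL

! Before relying on B, send a real authentication request to the server
! from the ASA itself; this does not open a session, it only reports
! whether the server answered and what it decided.
test aaa-server authentication ACS host 10.116.0.3 username alex password <placeholder>
```

The caveat worth knowing here: the LOCAL fallback in variant B only engages when the ACS group does not respond. The ACS log quoted above (22056, "Subject not found in the applicable identity store(s)") is an explicit reject, so with 'ACS LOCAL' configured the login would still fail until the account exists in the identity store ACS consults. That is why pointing SSH at LOCAL made the problem disappear. Any throwaway test account such as the 'username cisco password cisco' suggested earlier should be removed once the test is done.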