11-04-2012 05:47 AM - edited 03-11-2019 05:18 PM
Two ASA 5520 firewalls are configured for failover and SSH. The first remote SSH login succeeds with the username and password, but when logging in again it prompts that the username/password is invalid. What is the reason?
11-04-2012 05:49 AM
Are you saying that when you try to SSH, the first time you can successfully login, however, when you try to access the same ASA the second time, it doesn't?
Which interface are you trying to SSH on?
Can you please share your configuration?
11-04-2012 07:43 AM
Hi,
The password must be correct, because it was just used. A minute later, logging in remotely again, SSH authentication says the password is invalid, and accessing through HTTPS ASDM also prompts that the user password is wrong.
ASA Version 8.2(5)
!
hostname FIREWALL
domain-name cife.com
enable password ciscocc
passwd ciscocc
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.240 standby 1.1.1.2
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.1.5 255.255.255.248 standby 10.1.1.6
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name cife.com
access-list 115 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface failoverint GigabitEthernet0/3
failover replication http
failover link failoverint GigabitEthernet0/3
failover interface ip failoverint 192.168.10.1 255.255.255.0 standby 192.168.10.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 115 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 3
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ciscocc password ciscocc
!
!
Cryptochecksum:62171bdb273626844a351aecee7e4ed7
: end
11-04-2012 08:49 AM
I am surprised to see the output above with plain text passwords. I would expect the output of "show run" to include encrypted (hashed) values for passwords. How did you generate the output - using "more:system running-config"?
11-05-2012 01:23 AM
You have the following configured:
aaa local authentication attempts max-fail 3
This only allows 3 failed attempts, and it won't allow you to connect anymore after 3 failed attempts.
To check if your username is locked out, you can issue:
show aaa local user
If the user is locked out, you can clear it by using:
clear aaa local user lockout username ciscocc
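To make the mechanism behind this answer concrete, here is an added Python model of the LOCAL-database lockout (example code written for this page, not Cisco's implementation and not something posted in the thread). It reads the `aaa local authentication attempts max-fail N` line from a constructed config excerpt, counts failed attempts per local user, locks the account at the threshold so that even the correct password is then rejected, and mirrors what `show aaa local user` and `clear aaa local user lockout username` do. The config excerpt, the user `ciscocc` and the counter-reset-on-success behaviour are assumptions of the model.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of an ASA running-config containing only the lines that
# matter for lockout; the threshold 3 matches the value quoted in the answer.
SAMPLE_CONFIG = """\
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 3
username ciscocc password ciscocc
"""

MAX_FAIL_RE = re.compile(r"^aaa local authentication attempts max-fail (\d+)\s*$", re.M)
USERNAME_RE = re.compile(r"^username (\S+) password (\S+)", re.M)


def parse_max_fail(config: str):
    """Return the configured lockout threshold, or None when no lockout is configured."""
    m = MAX_FAIL_RE.search(config)
    return int(m.group(1)) if m else None


@dataclass
class LocalUser:
    password: str
    failed_attempts: int = 0
    locked: bool = False


class LocalAuthModel:
    """Toy model of ASA local-user lockout (assumption: success resets the counter)."""

    def __init__(self, config: str):
        self.max_fail = parse_max_fail(config)
        self.users = {u: LocalUser(p) for u, p in USERNAME_RE.findall(config)}

    def authenticate(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        if user.locked:
            # A locked account rejects even the correct password: this is the
            # "password is right but the login is invalid" symptom in the thread.
            return False
        if password == user.password:
            user.failed_attempts = 0
            return True
        user.failed_attempts += 1
        if self.max_fail is not None and user.failed_attempts >= self.max_fail:
            user.locked = True
        return False

    def show_local_users(self) -> dict:
        """Model of 'show aaa local user': (failed attempts, locked) per account."""
        return {u: (x.failed_attempts, x.locked) for u, x in self.users.items()}

    def clear_lockout(self, username: str) -> bool:
        """Model of 'clear aaa local user lockout username <name>'."""
        user = self.users.get(username)
        if user is None:
            return False
        user.failed_attempts = 0
        user.locked = False
        return True


def demo() -> list:
    """Walk through the scenario from the thread and return each step's outcome."""
    model = LocalAuthModel(SAMPLE_CONFIG)
    steps = [("first login", model.authenticate("ciscocc", "ciscocc"))]
    for i in range(3):  # three bad attempts reach max-fail 3
        steps.append((f"bad attempt {i + 1}", model.authenticate("ciscocc", "wrong")))
    steps.append(("status", model.show_local_users()["ciscocc"]))
    steps.append(("correct password while locked", model.authenticate("ciscocc", "ciscocc")))
    steps.append(("clear lockout", model.clear_lockout("ciscocc")))
    steps.append(("login after clear", model.authenticate("ciscocc", "ciscocc")))
    return steps


if __name__ == "__main__":
    for name, result in demo():
        print(f"{name}: {result}")
```

The model shows why the poster's second login is rejected even though the password did not change: once the failure counter reaches the configured `max-fail` value the account stays locked until an administrator clears it.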