Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2808
Views
10
Helpful
5
Replies

Cisco Security Manager uses a NULL username to access Cisco ASA FWs

vladakoci
Level 1
Level 1

‎10-09-2014 02:39 AM - edited ‎02-21-2020 05:18 AM

We have Cisco Security Manager 4.5.0 Patch 3 and using it to manage hundreds of Cisco ASA FWs.
We found many failure attempts on our Radius servers. These records say the radius client is an ASA FW and calling station is Cisco Security Manager.


Debug on one of the Cisco ASA FWs revealed Cisco Security Manager uses first a  NULL username to access Cisco ASA FWs and then the configured username ( we have it configured as 'use primary credentials' and the same for all FWs ). This is not dependent on the OS version we have on ASA FWs.

Here is the debug from a Cisco ASA FW, first Cisco Security Manager uses a username with no characters in it and when this attempt fails it uses the username that is configured in Cisco Security Manager by us as primary credentials.

%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = IPADDRESSREMOVED : user =
%ASA-6-611102: User authentication failed: Uname:
%ASA-6-605004: Login denied from IPADDRESSREMOVED/59208 to inside:IPADDRESSREMOVED/https for user ""
%ASA-6-725007: SSL session with client inside:IPADDRESSREMOVED/59208 terminated.
%ASA-6-302013: Built inbound TCP connection 1221667 for inside:1IPADDRESSREMOVED/59222 (1IPADDRESSREMOVED/59222) to identity:IPADDRESSREMOVED/443 (IPADDRESSREMOVED/443)
%ASA-6-725001: Starting SSL handshake with client inside:IPADDRESSREMOVED/59222 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client inside:PADDRESSREMOVED/59222 proposes the following 15 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-MD5
%ASA-7-725011: Cipher[2] : RC4-SHA
%ASA-7-725011: Cipher[3] : AES128-SHA
%ASA-7-725011: Cipher[4] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[9] : DES-CBC-SHA
%ASA-7-725011: Cipher[10] : EDH-RSA-DES-CBC-SHA
%ASA-7-725011: Cipher[11] : EDH-DSS-DES-CBC-SHA
%ASA-7-725011: Cipher[12] : EXP-RC4-MD5
%ASA-7-725011: Cipher[13] : EXP-DES-CBC-SHA
%ASA-7-725011: Cipher[14] : EXP-EDH-RSA-DES-CBC-SHA
%ASA-7-725011: Cipher[15] : EXP-EDH-DSS-DES-CBC-SHA
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client inside:1IPADDRESSREMOVED/59222
%ASA-6-725002: Device completed SSL handshake with client inside:1IPADDRESSREMOVED/59222
%ASA-6-302014: Teardown TCP connection 1221666 for inside:IPADDRESSREMOVED/59208 to identity:1IPADDRESSREMOVED/443 duration 0:00:01 bytes 1054 TCP FINs
%ASA-6-113004: AAA user authentication Successful : server =  IPADDRESSREMOVED : user = USERNAMEREMOVED
%ASA-6-113008: AAA transaction status ACCEPT : user = USERNAMEREMOVED
%ASA-6-611101: User authentication succeeded: Uname: USERNAMEREMOVED
%ASA-6-605005: Login permitted from IPADDRESSREMOVED/59222 to inside:1IPADDRESSREMOVED/https for user "USERNAMEREMOVED"
%ASA-7-111009: User 'USERNAMEREMOVED' executed cmd: show vpn-sessiondb full svc
%ASA-6-725007: SSL session with client inside:IPADDRESSREMOVED/59222 terminated. 

 

Does anyone know is this a bug and is workaround known?

 

Thank you,

Vlad

 

4 people had this problem
0 Helpful
5 Replies 5

PAUL TRIVINO
Level 3
Level 3

‎11-10-2014 04:56 PM

Not sure but it happens in CSM 4.4.0SP2 as well.  I am hoping it goes away as of 4.7.  But, it doesn't seem tremendously harmful, either.

0 Helpful

bgl-group
Level 1
Level 1
In response to PAUL TRIVINO

‎02-02-2015 06:40 AM

I just got asked to look at the same situation by one of our security people.

We have exactly the same problem but it reports a username of "*****" and we are running CSM 4.7 (upgraded last week)

0 Helpful

Jens Weber
Level 1
Level 1
In response to bgl-group

‎09-26-2016 08:26 AM

Same Problem with CSM 4.12

...hope it will be fixed soon...

0 Helpful

chrissa
Cisco Employee
Cisco Employee
In response to Jens Weber

‎10-20-2016 12:22 PM

I'm seeing the same thing.  Is there a bug related to this behavior?

0 Helpful

arickenbach
Level 1
Level 1

‎01-18-2018 08:00 AM

Hi

 

The problem is related to the following bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCua86550

 

You can fix it with the following workaround:

 

 

Following steps are for Reporting Component:

1. Go to \MDC\reports\config
needs to be substituted by the directory where CSM has been
installed.
For example: E:\Program Files\CSCOpx\MDC\reports\config
2. Open the "communication.properties" file using a text editor.
This file contains the configuration for how CSM logs into devices when
it collects information for the Report Manager.
3. Locate the line that reads:
USE_ENABLE_PASSWORD_FIRST=true
4. Replace the word "true" with the word "false". The line should now
read:
USE_ENABLE_PASSWORD_FIRST=false
5. Save the changes that have been made to the file


Following steps are for HPM Component:

1. Go to \MDC\hpm\config\
needs to be substituted by the directory where CSM has been
installed.
For example: E:\Program Files\CSCOpx\MDC\hpm\config\
2. Open the "communication.properties" file using a text editor.
This file contains the configuration for how CSM logs into devices when
it collects information for the Health and Performance Monitor.
3. Locate the line that reads:
USE_ENABLE_PASSWORD_FIRST=true
4. Replace the word "true" with the word "false". The line should now
read:
USE_ENABLE_PASSWORD_FIRST=false
5. Save the changes that have been made to the file

 


The following is for Discovery/Deployment:

1. Go to \MDC\athena\config
needs to be substituted by the directory where CSM has been
installed.
For example: E:\Program Files\CSCOpx\MDC\reports\config
2. Open the "DCS.properties" file using a text editor.
This file contains the configuration for how CSM logs into devices
during Discovery/Deployment/Image Management.
3. Locate the line that reads:
DCS.useEnablePasswordFirstForFw=true
4. Replace the word "true" with the word "false". The line should now
read:
DCS.useEnablePasswordFirstForFw=false
5. Save the changes that have been made to the file

Restart the daemon manager:

1. Open the Windows Command Prompt
2. Execute the following command: net stop crmdmgtd
3. Wait for the message that indicates that the services have stopped
4. Execute the following command: net start crmdmgtd

 

Regards Andrin

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card