10-09-2014 02:39 AM - edited 02-21-2020 05:18 AM
We have Cisco Security Manager 4.5.0 Patch 3 and are using it to manage hundreds of Cisco ASA FWs.
We found many failed attempts on our RADIUS servers. These records say the RADIUS client is an ASA FW and the calling station is Cisco Security Manager.
Debug on one of the Cisco ASA FWs revealed that Cisco Security Manager first uses a NULL username to access the Cisco ASA FWs and then the configured username (we have it configured as 'use primary credentials', and the same for all FWs). This does not depend on the OS version we have on the ASA FWs.
Here is the debug from a Cisco ASA FW: first Cisco Security Manager uses a username with no characters in it, and when this attempt fails it uses the username that we configured in Cisco Security Manager as the primary credentials.
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = IPADDRESSREMOVED : user =
%ASA-6-611102: User authentication failed: Uname:
%ASA-6-605004: Login denied from IPADDRESSREMOVED/59208 to inside:IPADDRESSREMOVED/https for user ""
%ASA-6-725007: SSL session with client inside:IPADDRESSREMOVED/59208 terminated.
%ASA-6-302013: Built inbound TCP connection 1221667 for inside:IPADDRESSREMOVED/59222 (IPADDRESSREMOVED/59222) to identity:IPADDRESSREMOVED/443 (IPADDRESSREMOVED/443)
%ASA-6-725001: Starting SSL handshake with client inside:IPADDRESSREMOVED/59222 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client inside:IPADDRESSREMOVED/59222 proposes the following 15 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-MD5
%ASA-7-725011: Cipher[2] : RC4-SHA
%ASA-7-725011: Cipher[3] : AES128-SHA
%ASA-7-725011: Cipher[4] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[9] : DES-CBC-SHA
%ASA-7-725011: Cipher[10] : EDH-RSA-DES-CBC-SHA
%ASA-7-725011: Cipher[11] : EDH-DSS-DES-CBC-SHA
%ASA-7-725011: Cipher[12] : EXP-RC4-MD5
%ASA-7-725011: Cipher[13] : EXP-DES-CBC-SHA
%ASA-7-725011: Cipher[14] : EXP-EDH-RSA-DES-CBC-SHA
%ASA-7-725011: Cipher[15] : EXP-EDH-DSS-DES-CBC-SHA
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client inside:IPADDRESSREMOVED/59222
%ASA-6-725002: Device completed SSL handshake with client inside:IPADDRESSREMOVED/59222
%ASA-6-302014: Teardown TCP connection 1221666 for inside:IPADDRESSREMOVED/59208 to identity:IPADDRESSREMOVED/443 duration 0:00:01 bytes 1054 TCP FINs
%ASA-6-113004: AAA user authentication Successful : server = IPADDRESSREMOVED : user = USERNAMEREMOVED
%ASA-6-113008: AAA transaction status ACCEPT : user = USERNAMEREMOVED
%ASA-6-611101: User authentication succeeded: Uname: USERNAMEREMOVED
%ASA-6-605005: Login permitted from IPADDRESSREMOVED/59222 to inside:IPADDRESSREMOVED/https for user "USERNAMEREMOVED"
%ASA-7-111009: User 'USERNAMEREMOVED' executed cmd: show vpn-sessiondb full svc
%ASA-6-725007: SSL session with client inside:IPADDRESSREMOVED/59222 terminated.
Does anyone know if this is a bug, and is a workaround known?
Thank you,
Vlad
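The pattern in the debug above (an empty-username login denial from the CSM host, followed shortly by a successful login from the same host) is what distinguishes this CSM behaviour from a real failed login. The following is an added example, not part of the original post, that parses ASA 605004/605005 syslog lines and separates the two cases so the CSM probes can be filtered out of RADIUS failure alerts; the log lines and IP addresses are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample ASA syslog mirroring the thread's pattern: an empty-username
# denial from the CSM host (10.0.0.20), then a successful login from the same host,
# plus an unrelated denial for a named user from another host.
SAMPLE_LOG = """\
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user =
%ASA-6-605004: Login denied from 10.0.0.20/59208 to inside:10.0.0.1/https for user ""
%ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = csmadmin
%ASA-6-605005: Login permitted from 10.0.0.20/59222 to inside:10.0.0.1/https for user "csmadmin"
%ASA-6-605004: Login denied from 10.0.0.99/40000 to inside:10.0.0.1/https for user "bob"
"""

DENIED = re.compile(
    r'%ASA-6-605004: Login denied from (?P<src>[\d.]+)/\d+ to \S+ for user "(?P<user>[^"]*)"')
PERMITTED = re.compile(
    r'%ASA-6-605005: Login permitted from (?P<src>[\d.]+)/\d+ to \S+ for user "(?P<user>[^"]*)"')


def classify_login_failures(log_text):
    """Return a list of (src, user, verdict) for every 605004 denial.

    verdict is 'csm-probe' when the denied username is empty and the same source
    host logs in successfully later in the log (the enable-password-first attempt
    described in the thread); anything else is 'real-failure' and should still alert.
    """
    lines = log_text.splitlines()
    permitted_at = defaultdict(list)  # src host -> line indices of successful logins
    for i, line in enumerate(lines):
        m = PERMITTED.search(line)
        if m:
            permitted_at[m["src"]].append(i)

    results = []
    for i, line in enumerate(lines):
        m = DENIED.search(line)
        if not m:
            continue
        src, user = m["src"], m["user"]
        later_success = any(j > i for j in permitted_at[src])
        verdict = "csm-probe" if (user == "" and later_success) else "real-failure"
        results.append((src, user, verdict))
    return results


def real_failures(log_text):
    """Only the denials worth alerting on."""
    return [r for r in classify_login_failures(log_text) if r[2] == "real-failure"]
```

Running classify_login_failures(SAMPLE_LOG) tags the 10.0.0.20 empty-user denial as a CSM probe and keeps the "bob" denial as a real failure.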
11-10-2014 04:56 PM
Not sure but it happens in CSM 4.4.0SP2 as well. I am hoping it goes away as of 4.7. But, it doesn't seem tremendously harmful, either.
02-02-2015 06:40 AM
I just got asked to look at the same situation by one of our security people.
We have exactly the same problem, but it reports a username of "*****" and we are running CSM 4.7 (upgraded last week).
09-26-2016 08:26 AM
Same Problem with CSM 4.12
...hope it will be fixed soon...
10-20-2016 12:22 PM
I'm seeing the same thing. Is there a bug related to this behavior?
01-18-2018 08:00 AM
Hi
The problem is related to the following bug:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCua86550
You can fix it with the following workaround:
The following steps are for the Reporting component:
1. Go to \MDC\reports\config
needs to be substituted by the directory where CSM has been installed.
For example: E:\Program Files\CSCOpx\MDC\reports\config
2. Open the "communication.properties" file using a text editor.
This file contains the configuration for how CSM logs into devices when
it collects information for the Report Manager.
3. Locate the line that reads:
USE_ENABLE_PASSWORD_FIRST=true
4. Replace the word "true" with the word "false". The line should now
read:
USE_ENABLE_PASSWORD_FIRST=false
5. Save the changes that have been made to the file.
The following steps are for the HPM component:
1. Go to \MDC\hpm\config\
needs to be substituted by the directory where CSM has been installed.
For example: E:\Program Files\CSCOpx\MDC\hpm\config\
2. Open the "communication.properties" file using a text editor.
This file contains the configuration for how CSM logs into devices when
it collects information for the Health and Performance Monitor.
3. Locate the line that reads:
USE_ENABLE_PASSWORD_FIRST=true
4. Replace the word "true" with the word "false". The line should now
read:
USE_ENABLE_PASSWORD_FIRST=false
5. Save the changes that have been made to the file.
The following steps are for Discovery/Deployment:
1. Go to \MDC\athena\config
needs to be substituted by the directory where CSM has been installed.
For example: E:\Program Files\CSCOpx\MDC\reports\config
2. Open the "DCS.properties" file using a text editor.
This file contains the configuration for how CSM logs into devices
during Discovery/Deployment/Image Management.
3. Locate the line that reads:
DCS.useEnablePasswordFirstForFw=true
4. Replace the word "true" with the word "false". The line should now
read:
DCS.useEnablePasswordFirstForFw=false
5. Save the changes that have been made to the file.
Restart the daemon manager:
1. Open the Windows Command Prompt
2. Execute the following command: net stop crmdmgtd
3. Wait for the message that indicates that the services have stopped.
4. Execute the following command: net start crmdmgtd
Regards, Andrin
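The three property edits above are the same change applied to three files, and the post's own steps are the authoritative procedure. As an added example (not Andrin's or Cisco's code), here is a small Python helper that applies the change idempotently, skipping commented-out lines and leaving every other line untouched; the install directory is a placeholder and the daemon manager restart (net stop / net start crmdmgtd) is still done by hand afterwards.

```python
import re
from pathlib import Path

# Relative paths and keys taken from the workaround steps; the athena path follows
# step 1 of the Discovery/Deployment section.
PROPERTY_KEYS = {
    "MDC/reports/config/communication.properties": "USE_ENABLE_PASSWORD_FIRST",
    "MDC/hpm/config/communication.properties": "USE_ENABLE_PASSWORD_FIRST",
    "MDC/athena/config/DCS.properties": "DCS.useEnablePasswordFirstForFw",
}


def set_property(text, key, value):
    """Return (new_text, changed) with `key=<value>` set on its own line.

    Only an uncommented line whose key matches exactly is touched, so a line such as
    '#USE_ENABLE_PASSWORD_FIRST=true' is left alone; everything else is preserved.
    """
    pattern = re.compile(r"^([ \t]*" + re.escape(key) + r"[ \t]*=[ \t]*)(.*)$", re.MULTILINE)
    new_text, hits = pattern.subn(lambda m: m.group(1) + value, text)
    return new_text, hits > 0 and new_text != text


def disable_enable_password_first(install_dir):
    """Apply USE_ENABLE_PASSWORD_FIRST / DCS.useEnablePasswordFirstForFw=false under
    install_dir (e.g. the placeholder 'E:/Program Files/CSCOpx') and return the
    relative paths that were actually modified. Missing files are skipped."""
    changed = []
    for rel, key in PROPERTY_KEYS.items():
        path = Path(install_dir) / rel
        if not path.is_file():
            continue
        new_text, did_change = set_property(path.read_text(), key, "false")
        if did_change:
            path.write_text(new_text)
            changed.append(rel)
    return changed


# Constructed sample of a communication.properties fragment for trying set_property.
SAMPLE_PROPERTIES = "# CSM device communication settings\n#USE_ENABLE_PASSWORD_FIRST=false\nUSE_ENABLE_PASSWORD_FIRST=true\nCONNECT_TIMEOUT=30\n"
```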