Force ASA to disconnect console session

johnlloyd_13
Level 9

Hi,

I tried to Google but can only see how to kill or clear an SSH or telnet session to an ASA.

Could someone tell me how to kill the console session?

We got an OOB server that consoles to the ASA and got locked out when I applied the AAA via another SSH session.

Was thinking to remove the AAA serial line but it doesn't have it.

no aaa authentication serial console ACS LOCAL

ciscoasa/pri/act(config)# end
Command authorization failed

6 Replies

Ajay Saini
Level 7

Unfortunately, there is no way to clear the console session. Only telnet, SSH and ASDM sessions can be cleared, since they are TCP sessions to the firewall.

If you have made a config that got you locked out, you can restart the ASA. This will help if the config was not saved.

If the config has been saved somehow after you got locked out, you can then do a password recovery to get back into the ASA.

HTH

-AJ

Hi,

Looks like there's no other way to kill/clear the console session, as you've said.

I've applied AAA via the OOB console and then tested SSH remote access.

I can't exit out from global config on the console session.

Might just wait for routing to ACS to die for me to use the LOCAL password and be able to execute commands on the console.

Not sure if unplug/re-plug console would work as I haven't tried it and the DC is unmanned.

You can create an ACL on the device closer to the affected firewall blocking its access to ACS; once that happens the firewall will fail over to local credentials.

I guess you are only having issues accessing the firewall via its console port through Avocent or something similar. What about shut/no shut on the device that's connected to the FW console port? Can you access the firewall via SSH? Or is it completely locked out? In either case blocking connectivity to ACS will work. Also ASDM is not affected when changes are only made to SSH authentication.

cofee
Level 5

Do you know why it locked you out, or can you tell what changes were made?

I am experiencing this right now. It's a configuration issue on the firewall. With a multiple-context firewall, connecting via the serial port (console) puts the user into the System context. And it's configured to use AAA (TACACS) for serial authentication, and then LOCAL as a fallback method. But if, while on the console, you change contexts (changeto context foo), when you try to log out of the firewall console, or change context, it doesn't associate the user with your authenticated connection on the console port, so it fails command authorization. And you can't exit the firewall. Even typing 'exit' fails to be authorized.

Solution I found that works (another post in this thread) is to set the console timeout to a lower value, then disconnect from the console and wait for that timer to expire. The default command is 'console timeout 0', which means it never times out.

So, just like you probably configure an exec-timeout on the vty lines of your Cisco routers and switches, you should probably set the console timeout to a similar value, and not leave it at 0.

mlewis756494
Level 1

Fix for this one is to set a console timeout to a low value and then it will automatically log the session off; you can then disable the timeout again.

 

console timeout 2
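The lockout condition described in the two posts above (AAA on the serial console, command authorization in force, and `console timeout 0` so a stuck console session never expires) can be checked for in a saved running-config before it bites. The following is an added example, not code from this thread or from Cisco; the sample config is constructed, the server-group name ACS is taken from the thread, and the IP address is a placeholder. It assumes, as the thread states, that an absent `console timeout` line means the default of 0.

```python
import re

# Constructed ASA running-config excerpt, modelled on the settings discussed
# in the thread: TACACS+ group "ACS" with LOCAL fallback. The host address is a
# documentation-range placeholder, not a real device.
SAMPLE_CONFIG = """\
hostname ciscoasa
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.0.2.10
aaa authentication serial console ACS LOCAL
aaa authentication ssh console ACS LOCAL
aaa authorization command ACS LOCAL
console timeout 0
ssh timeout 5
"""

CONSOLE_TIMEOUT_RE = re.compile(r"^console timeout (\d+)[ \t]*$", re.MULTILINE)


def audit_console_lockout(config: str) -> dict:
    """Flag the combination the thread describes: serial-console AAA plus
    command authorization with a console session that never times out."""
    lines = [ln.strip() for ln in config.splitlines()]
    serial_aaa = any(ln.startswith("aaa authentication serial console") for ln in lines)
    cmd_authz = any(ln.startswith("aaa authorization command") for ln in lines)
    match = CONSOLE_TIMEOUT_RE.search(config)
    # Assumption (per the thread): no "console timeout" line means the default, 0.
    timeout = int(match.group(1)) if match else 0
    findings = []
    if timeout == 0:
        findings.append("console timeout 0: idle console sessions never expire")
    if serial_aaa and cmd_authz and timeout == 0:
        findings.append(
            "lockout risk: serial AAA + command authorization with no console "
            "timeout; a wedged console session cannot be cleared remotely"
        )
    return {"console_timeout": timeout, "findings": findings}


def harden_console_timeout(config: str, minutes: int = 5) -> str:
    """Return the config with a bounded console timeout, replacing an existing
    'console timeout N' line or appending one if the line is absent."""
    replacement = f"console timeout {minutes}"
    if CONSOLE_TIMEOUT_RE.search(config):
        return CONSOLE_TIMEOUT_RE.sub(replacement, config)
    return config.rstrip("\n") + "\n" + replacement + "\n"


if __name__ == "__main__":
    for finding in audit_console_lockout(SAMPLE_CONFIG)["findings"]:
        print("FINDING:", finding)
    print(harden_console_timeout(SAMPLE_CONFIG))
```

Run it against `show running-config` output saved to a file; a non-empty findings list means the console can still wedge the way this thread describes.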
