Help! ASA 5510 - Cannot Access

bgilchrist4
Level 1

Recently powered down device (transformer overhaul) and when it booted back up, unable to access with ASDM, SSH...can access directly using HyperTerm, but have only limited commands...will not accept known user/password credentials. When I issue 'show flash' I can see that there are upgrade_startup_errors.log files, but cannot access them. Any help is greatly appreciated!

Jouni Forss
VIP Alumni

Hi,

So I guess you can get to the device by console but when you use the "enable" command it won't accept your credentials?

If this is the case

  • Is it asking for a password after you issue "enable" or a username+password?
  • If you are using AAA server for management access authentication, could it be unreachable after the maintenance (for some reason) and is now using LOCAL username/password credentials and you are using the AAA server ones?

In the case of ASDM and SSH. Are you even getting the authentication prompt? Or is the device simply not responding to the connections?

Here's a link to a password recovery documentation on Cisco ASA 5500. Seems to be from some 7.1 software documentation. Not sure if it has changed.

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/trouble.html#wp1049302

- Jouni

Hi Jouni,

    Thanks for your response.

"So I guess you can get to the device by console but when you use the "enable" command it won't accept your credentials?" - Yes, that is correct

"If this is the case

  • Is it asking for a password after you issue "enable" or a username+password?" - username+password

"In the case of ASDM and SSH. Are you even getting the authentication prompt? Or is the device simply not responding to the connections?" - Yes, getting the authentication prompt.

I went through the password recovery and was successful at the console, but cannot use those same credentials to SSH or w/ASDM.

Any further help is greatly appreciated.

-Bryan

Hi Bryan,

If you have AAA configured on the ASA, it will authenticate to the TACACS/RADIUS server as the first preferred authentication. If the server is not in the network, or there is any failure reaching the AAA server, it will fall back to local authentication.

So please check and let us know the same.

By

Karthik

Hi,

I didn't quite get what the result of the password recovery was.

I haven't had to do that on an ASA to this day (old PIX firewalls had some separate .bin file that erased the passwords)

But what I quickly got from the document was that you will load up the startup configuration to the ASA after you have booted it without configuration. At that point you should be able to remove any AAA configurations so you can get control of the ASA again and determine what's the problem with the AAA not accepting your credentials.

Either there's been some change on the AAA server or you are not using the correct LOCAL credentials?

While you are connected through console, is it possible to check the logs at the same time when you are trying to connect through SSH or ASDM? Sorry I can't remember if that command is available at the level you are on the command line.

- Jouni

So, I issued a "no aaa authentication http console {server group}" command and can now access via ASDM. Some access rules were lost, but that's about it.

Thanks for your help-

Bryan
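
Added example, not part of the thread or of Cisco's documentation: a small offline audit that reads saved ASA configuration text and reports, per management access method, whether `aaa authentication ... console` depends on an AAA server group with or without the `LOCAL` fallback discussed above. The sample configuration, the group name `TACACS_GRP` and the function name `audit_mgmt_auth` are constructed for illustration.

```python
import re

# Constructed sample of ASA running-config lines (not taken from the thread).
# TACACS_GRP is a placeholder server group name.
SAMPLE_CONFIG = """\
aaa-server TACACS_GRP protocol tacacs+
aaa authentication ssh console TACACS_GRP LOCAL
aaa authentication http console TACACS_GRP
aaa authentication enable console TACACS_GRP
aaa authentication serial console LOCAL
username admin password <redacted> encrypted privilege 15
"""

# aaa authentication {serial|enable|telnet|ssh|http} console {LOCAL | group [LOCAL]}
AAA_LINE = re.compile(
    r"^aaa authentication (serial|enable|telnet|ssh|http) console (\S+)( LOCAL)?\s*$"
)


def audit_mgmt_auth(config_text):
    """Return {access_method: finding} for each management authentication line."""
    lines = [line.strip() for line in config_text.splitlines()]
    # A LOCAL source or fallback is only useful if a local user is defined.
    has_local_user = any(line.startswith("username ") for line in lines)
    findings = {}
    for line in lines:
        m = AAA_LINE.match(line)
        if not m:
            continue
        method, source, fallback = m.groups()
        if source == "LOCAL":
            findings[method] = "local-only" if has_local_user else "local-only, NO local user"
        elif fallback:
            findings[method] = "server-then-local" if has_local_user else "fallback set, NO local user"
        else:
            # No LOCAL keyword: an unreachable server group leaves no way to log in.
            findings[method] = "server-only (lockout if server unreachable)"
    return findings


if __name__ == "__main__":
    for method, finding in audit_mgmt_auth(SAMPLE_CONFIG).items():
        print(f"{method:7} {finding}")
```

Running it against a backup of the configuration before planned maintenance shows which access paths would stop working if the AAA server does not come back.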
