ASA multiple-context lockout caused by a misconfigured AAA server IP with AAA authorization enabled
A customer may configure an incorrect IP address for the AAA server, which locks them out of that specific context: AAA authentication is configured against the TACACS+ server, and because AAA command authorization is enabled as well, no commands can be executed either.
The fallback authentication is configured to LOCAL, but the customer does not have any local username and password configured on the ASA device.
In this scenario we are not left with many workarounds to regain access to the locked-out context, short of deleting that context and creating it again from scratch.
The correct route is configured, but the IP address configured for the AAA server is unreachable.
The only way to proceed would be to change the config-url command for the specific context, but that is still an issue because:
The ASA merges the new configuration with the current running configuration. Reentering the same URL also merges the saved configuration with the running configuration. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command.
You might get errors, or you might have unexpected results. If the running configuration is blank (for example, if the server was unavailable and the configuration was never downloaded), then the new configuration is used. If you do not want to merge the configurations, you can clear the running configuration, which disrupts any communications through the context, and then reload the configuration from the new URL.
Thus if we only change the AAA server IP in the configuration file, the merge adds the AAA server configuration to what is already running rather than replacing the incorrect IP address with the new, correct one.
Here is another way to resolve the issue: we just need to negate the AAA commands for authentication and authorization, and that should resolve the issue. So the configuration stays exactly the same, with the addition of these commands:
no aaa authentication enable console TACACS+ LOCAL
no aaa authorization command TACACS+ LOCAL
With these commands added to the .cfg file that we backed up from the system context to the TFTP server, we can change the config-url command, and that resolves the issue without requiring a reload.
This removes the AAA restrictions and restores access. In the case of Active/Active failover, we can apply this configuration on the unit where this context is active, and it will replicate to the standby unit.
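The following is an added example, not part of the original post, of preparing the backed-up context .cfg for the config-url merge described above: it finds every aaa authentication/authorization line that references the TACACS+ server group, appends the matching "no" form so the merge removes them, and flags the case where no local username exists (so a LOCAL fallback would not have helped). The sample configuration is constructed for illustration and the server-group tag "TACACS+" is assumed.

```python
import re
import sys

# Constructed sample context config (not from a real device): TACACS+ group
# with an unreachable host, AAA enabled, and no local user for fallback.
SAMPLE_CFG = """\
hostname ctx1
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.250
 key *****
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
"""


def find_aaa_lines(cfg: str, server_tag: str) -> list[str]:
    """Return aaa authentication/authorization lines that use server_tag.

    'aaa-server ...' definition lines are deliberately not matched; only the
    lines that make the context depend on the unreachable server are returned.
    """
    pat = re.compile(r"^aaa (?:authentication|authorization) .*(?<!\S)"
                     + re.escape(server_tag) + r"(?!\S)")
    return [line.strip() for line in cfg.splitlines() if pat.match(line.strip())]


def has_local_user(cfg: str) -> bool:
    """True if the context defines at least one local username (LOCAL fallback)."""
    return any(line.startswith("username ") for line in cfg.splitlines())


def build_recovery_cfg(cfg: str, server_tag: str) -> str:
    """Append 'no <aaa line>' for each matching line, leaving the rest untouched.

    Because config-url merges rather than replaces, the negations are what
    actually remove the AAA restrictions from the running context.
    """
    negations = ["no " + line for line in find_aaa_lines(cfg, server_tag)]
    if not negations:
        return cfg
    return cfg.rstrip("\n") + "\n" + "\n".join(negations) + "\n"


if __name__ == "__main__":
    # Usage: python fix_ctx.py backup.cfg > recovery.cfg  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    if not has_local_user(text):
        print("warning: no local username in context; LOCAL fallback cannot work",
              file=sys.stderr)
    sys.stdout.write(build_recovery_cfg(text, "TACACS+"))
```

The resulting file is what you upload and point the context's config-url at; the original aaa lines are re-applied as no-ops and the appended negations then remove them.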