ASA multiple-context lockout because of a misconfigured AAA server IP with AAA authorization enabled
A customer might configure an incorrect IP address for the AAA server and get locked out of that specific context: AAA authentication is configured against the TACACS+ server, and because AAA command authorization is also enabled, no commands can be executed either.
The fallback authentication is configured to LOCAL, but the customer does not have any LOCAL username and password configured on the ASA device.
If the above scenario occurs at the customer end, we are not left with many workarounds or alternatives to regain access to the locked-out context without deleting that context and creating it from scratch.
Even though the correct route is configured, the IP address configured for the AAA server is unreachable.
The only way to proceed would be to change the config-url command for the specific context, but that is still an issue because:
The ASA merges the new configuration with the current running configuration. Reentering the same URL also merges the saved configuration with the running configuration. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command.
You might get errors, or you might have unexpected results. If the running configuration is blank (for example, if the server was unavailable and the configuration was never downloaded), then the new configuration is used. If you do not want to merge the configurations, you can clear the running configuration, which disrupts any communications through the context, and then reload the configuration from the new URL.
Thus, if we change the AAA server IP address in the new configuration, the ASA merges it with the existing AAA server definition rather than replacing it with the new, correct IP address.
Here is another way to resolve the issue: we just need to negate the AAA commands for authentication and authorization, and that should resolve the issue. So the configuration will be exactly the same, with the addition of these commands:
no aaa authentication enable console TACACS+ LOCAL
no aaa authorization command TACACS+ LOCAL
After adding the above commands to the .cfg file that we backed up from the system context via the TFTP server, we can change the config-url command to point at that file, and that resolves the issue without requiring a reload.
This removes the AAA restrictions and makes access work again. In the case of Active/Active failover, we can apply this configuration on the unit on which this context is active, and that should replicate it to the standby unit.
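As an added example (not from the original post), here is a small Python helper that applies the fix above to the backed-up context .cfg: it appends the negation of every console authentication and command authorization line instead of deleting those lines, because a config-url merge only adds commands and a deleted line would stay active. The context name, file names and TACACS+ server address in the sample are constructed.

```python
import re
import sys

# Constructed sample of a locked-out context's .cfg as backed up from the
# system context via TFTP (server address and key are made up).
SAMPLE_CFG = """\
hostname ctx1
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.250
 key *****
aaa authentication enable console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
route inside 0.0.0.0 0.0.0.0 10.1.1.1 1
"""

# Matches console authentication (enable/ssh/http/serial/telnet) and command
# authorization lines; 'aaa-server' lines are deliberately left untouched so the
# server definition still merges cleanly.
AAA_RE = re.compile(r"^aaa (?:authentication \S+ console|authorization command) ")


def negations_for(cfg_text):
    """Return the 'no ...' form of every AAA line that can cause the lockout."""
    return [f"no {line.strip()}" for line in cfg_text.splitlines()
            if AAA_RE.match(line.strip())]


def patch_context_cfg(cfg_text):
    """Append the negations at the end of the config. The original lines are
    kept on purpose: config-url merging only adds commands, so the trailing
    'no' forms are what actually disable authentication and authorization.
    Running this twice is a no-op because existing negations are skipped."""
    existing = {line.strip() for line in cfg_text.splitlines()}
    negs = [n for n in negations_for(cfg_text) if n not in existing]
    if not negs:
        return cfg_text
    return cfg_text.rstrip("\n") + "\n" + "\n".join(negs) + "\n"


if __name__ == "__main__":
    # Usage: python patch_ctx.py ctx1.cfg ctx1_fixed.cfg  (paths are examples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as src, open(sys.argv[2], "w") as dst:
            dst.write(patch_context_cfg(src.read()))
    else:
        print(patch_context_cfg(SAMPLE_CFG))
```

The patched file is then uploaded back (for example to disk0: or left on the TFTP server) and the context's config-url is pointed at it from the system context, as described above.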