ASA multiple-context lockout caused by a misconfigured AAA server IP address when AAA authorization is enabled
A customer may configure an incorrect IP address for the TACACS+ server that a context uses for AAA authentication. Because that server is unreachable, logins to the context fail, and because AAA command authorization is enabled as well, any session that does get in cannot execute commands either.
The fallback authentication method is LOCAL, but no local username and password are configured on the ASA, so there is nothing to fall back to.
In this scenario there are few ways to regain access to the locked-out context short of deleting the context and recreating it from scratch.
Note that the route towards the AAA server is correct; it is the configured server IP address itself that is unreachable.
The only remaining option is to change the config-url command for the affected context, but on its own that does not help, because of how the ASA applies a new config-url:
The ASA merges the new configuration with the current running configuration. Reentering the same URL also merges the saved configuration with the running configuration. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command.
You might get errors, or you might have unexpected results. If the running configuration is blank (for example, if the server was unavailable and the configuration was never downloaded), then the new configuration is used. If you do not want to merge the configurations, you can clear the running configuration, which disrupts any communications through the context, and then reload the configuration from the new URL.
So if we simply correct the AAA server IP address in the saved .cfg file and change the config-url, the merge adds the new aaa-server host entry alongside the existing wrong one; the incorrect entry is not replaced, and the aaa authentication and authorization commands stay in force.
What does work is to negate the AAA authentication and authorization commands in the context's saved configuration. Because config-url merges rather than replaces, deleting those lines from the file would change nothing; the file has to carry the explicit no form of each command. The configuration stays exactly as it was, with these commands added:
no aaa authentication enable console TACACS+ LOCAL
no aaa authorization command TACACS+ LOCAL
Back up the context configuration from the system context to a TFTP server, add the lines above to the .cfg, and change the config-url to point at the edited file. The merge processes the no commands and removes the AAA restrictions from the running configuration, so access works again without a reload.
In an Active/Active failover pair, apply the change on the unit where this context is active; it replicates to the standby unit.
Once access is restored, re-add the aaa-server host with the correct IP address, re-enable the authentication and authorization commands, and configure at least one local username so that the LOCAL fallback actually has an account to use.
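The following script is an added example, not part of the original post or of Cisco's tooling. It builds the corrected .cfg for the workaround above: it prints the backed-up context configuration unchanged and appends a no form of every aaa authentication and aaa authorization command that references a server group defined by an aaa-server ... protocol line, so the merge performed by config-url removes them. It generalizes the two commands quoted above to any such line (for example aaa authentication ssh console). The sample context configuration, the server-group name TACACS+ and the host address 192.0.2.10 are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): produce the .cfg to point
# config-url at. Because config-url MERGES the file with the running
# configuration, deleting the "aaa authentication"/"aaa authorization"
# lines from the file does nothing; the file must carry the explicit
# "no ..." form of each command so that the merge removes it.
# Everything below is constructed for the demo: the context config, the
# server-group name (TACACS+) and the host address (192.0.2.10).

# Constructed backup of the locked-out context, as copied off the
# system context to a TFTP server.
sample_cfg() {
    cat <<'EOF'
hostname CTX1
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.0.2.10
 key *****
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
EOF
}

# Read a context config on stdin, echo it unchanged, then append
# "no <command>" for every aaa authentication / aaa authorization line
# that references a server group defined by "aaa-server <group> protocol".
negate_aaa() {
    cfg=$(cat)
    printf '%s\n' "$cfg"
    # Server-group names: word 2 of "aaa-server <name> protocol <proto>"
    groups=$(printf '%s\n' "$cfg" \
        | awk '$1=="aaa-server" && $3=="protocol" {print $2}' | sort -u)
    for g in $groups; do
        printf '%s\n' "$cfg" | awk -v g="$g" '
            ($1=="aaa") && ($2=="authentication" || $2=="authorization") {
                for (i = 3; i <= NF; i++) if ($i == g) { print "no " $0; break }
            }'
    done
}

# Stand-alone use: ./fix_ctx.sh --demo, or: negate_aaa < ctx1.cfg > ctx1-fixed.cfg
if [ "${1:-}" = "--demo" ]; then
    sample_cfg | negate_aaa
fi
```

The positive aaa lines are deliberately left in the file ahead of their no forms: when the ASA merges the file, the positive line is a no-op because it already exists, and the no line that follows then removes it from the running configuration. The aaa-server lines are untouched, so the (still wrong) host entry remains and has to be corrected once you are back in.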