Showing results for 
Search instead for 
Did you mean: 
Vibhor Amrodia
Cisco Employee
Cisco Employee




    ASA Multiple Context lock out because of Misconfiguration for AAA Server IP using the AAA Authorization


    It might be possible that the customer might configure Incorrect IP  Address for the AAA Server that causes Lock Out from that specific  Context as the AAA Authentication was configured for the TACACS server  and also the customer would be unable to execute any commands as the AAA  Authorization had been enabled as well.

    The Fallback authentication is configured to LOCAL but the customer  does not have any LOCAL Username and PAssword configured on the ASA  device.


    If we have the above scenario happening at the customer end , we are  not left with many Workarounds or alternatives to get the access to the  Locked Out context without deleting the specific context and creating it  from the scratch.

    Related Configuration

    aaa-server TACACS+ protocol tacacs+reactivation-mode timedaaa-server TACACS+ (inside) host key *****aaa authentication enable console TACACS+ LOCALaaa authentication http console TACACS+ LOCALaaa authentication ssh console TACACS+ LOCALaaa authorization command TACACS+ LOCAL

    Although we have the correct route configured but the IP Address for the AAA server is unreachable. 

    The only way that we would be able to proceed with the issue would be to change the Config-url command for the specific context but it will still be n issue as:- 

    The ASA merges the new configuration with the current running configuration. Reentering the same URL also merges the saved configuration with the running configuration. A merge adds any new commands from the new configuration to the running configuration.
    If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command.

    You might get errors, or you might have unexpected results. If the running configuration is blank (for example, if the server was unavailable and the configuration was never downloaded), then the new configuration is used. If you do not want to merge the configurations, you can clear the running configuration, which disrupts any communications through the context, and then reload the configuration from the new URL.

    Thus if we change the AAA Server IP for the AAA Server , it would  Merge the AAA Server and not replace the New correct IP Address for the  AAA Server.

    Cisco ASA Series Command Reference

    Here is another way to resolve the issue:- we just need to change the  Negate the AAA Server commands for the Authentication and Authorization  and that should resolve the issue. So the configuration will exactly  the same with addition of these commands:-

    no aaa authentication enable console TACACS+ LOCAL
    no aaa authorization command TACACS+ LOCAL

    With the change of the above commands in the .cfg file that we took  the backup from the System context using the TFTP server , we can change  the config-url command and that will resolve the issue without the  requirement of a reload.

    This will remove the AAA restrictions and will make the access the  work. In case of Active/Active Fail-over , we can apply this  configuration on the device which has this context as Active and that  should replicate this to the Standby device.


    Cisco ASA Series Command Reference

    Getting Started

    Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: