Introduction
ASA multiple-context lockout caused by a misconfigured AAA server IP address with AAA authorization enabled
Scenario
A customer may configure an incorrect IP address for the AAA server. Because AAA authentication is configured against the TACACS+ server, this locks the administrator out of that specific context, and because AAA authorization is also enabled, no commands can be executed.
The fallback authentication method is LOCAL, but the customer has no local username and password configured on the ASA, so the LOCAL fallback cannot be used.
Solution
In this scenario there are few workarounds for regaining access to the locked-out context short of deleting the context and recreating it from scratch.
Related Configuration
aaa-server TACACS+ protocol tacacs+
 reactivation-mode timed
aaa-server TACACS+ (inside) host 10.8.31.22
 key *****
aaa authentication enable console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
The correct route is configured, but the IP address configured for the AAA server is unreachable.
The only way to proceed is to change the config-url command for the specific context, but this is still a problem because:
The ASA merges the new configuration with the current running configuration. Reentering the same URL also merges the saved configuration with the running configuration. A merge adds any new commands from the new configuration to the running configuration.
If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command.
You might get errors, or you might have unexpected results. If the running configuration is blank (for example, if the server was unavailable and the configuration was never downloaded), then the new configuration is used. If you do not want to merge the configurations, you can clear the running configuration, which disrupts any communications through the context, and then reload the configuration from the new URL.
Thus, if we change the AAA server IP address in the configuration, the ASA merges the aaa-server configuration rather than replacing the old entry with the new, correct IP address.
Cisco ASA Series Command Reference
Here is another way to resolve the issue: we just need to negate the AAA commands for authentication and authorization, and that should resolve the issue. The configuration stays exactly the same, with these commands added:
no aaa authentication enable console TACACS+ LOCAL
no aaa authorization command TACACS+ LOCAL
After adding the above commands to the .cfg file that we backed up from the system context to the TFTP server, we can change the config-url command, and that resolves the issue without requiring a reload.
This removes the AAA restrictions and makes access work again. In an Active/Active failover pair, apply this configuration on the unit on which this context is active, and it should replicate to the standby unit.
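As an added example (not from the original article and not Cisco tooling), the Python script below lints an ASA context configuration for the conditions that produce this lockout (a remote-only AAA method with no fallback, a server group with no host, or a LOCAL fallback with no username defined) and generates the negation lines to append to the backed-up .cfg before pointing config-url at it. It goes slightly beyond the article by negating every aaa line that references the unreachable server group, not only the two lines shown above. The function names are hypothetical and the sample configuration is constructed to mirror the article's related configuration.

```python
from typing import Dict, List, Optional, Set

# Constructed sample that mirrors the article's "Related Configuration" block;
# it is not a real device dump.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
 reactivation-mode timed
aaa-server TACACS+ (inside) host 10.8.31.22
 key *****
aaa authentication enable console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
"""


def parse_config(text: str) -> dict:
    """Extract aaa-server groups, aaa authentication/authorization lines and
    local usernames from an ASA context configuration (hypothetical helper)."""
    groups: Dict[str, List[str]] = {}
    usernames: Set[str] = set()
    aaa_lines: List[dict] = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]

    # Pass 1: server groups with their hosts, plus local usernames.
    for line in lines:
        tok = line.split()
        if tok[0] == "aaa-server" and len(tok) >= 3:
            hosts = groups.setdefault(tok[1], [])
            if "host" in tok[2:]:
                i = tok.index("host", 2)
                if i + 1 < len(tok):
                    hosts.append(tok[i + 1])
        elif tok[0] == "username" and len(tok) >= 2:
            usernames.add(tok[1])

    # Pass 2: classify each aaa line by the server group it uses and whether
    # it falls back to LOCAL (the last one or two tokens carry that).
    for line in lines:
        tok = line.split()
        if tok[0] != "aaa" or len(tok) < 3 or tok[1] not in ("authentication", "authorization"):
            continue
        group: Optional[str]
        if tok[-1] == "LOCAL" and tok[-2] in groups:
            group, fallback = tok[-2], True
        elif tok[-1] in groups:
            group, fallback = tok[-1], False
        elif tok[-1] == "LOCAL":
            group, fallback = None, True      # local-only; cannot lock out
        else:
            continue                          # unrecognised form; ignore
        aaa_lines.append({"raw": line, "group": group, "fallback_local": fallback})

    return {"groups": groups, "usernames": usernames, "aaa": aaa_lines}


def find_lockout_risks(text: str) -> List[str]:
    """Report the conditions behind the lockout described in the article."""
    cfg = parse_config(text)
    risks: List[str] = []
    fallback_without_user = False
    for entry in cfg["aaa"]:
        group = entry["group"]
        if group is None:
            continue
        if not cfg["groups"].get(group):
            risks.append(f"{entry['raw']}: server group {group} has no host defined")
        if not entry["fallback_local"]:
            risks.append(f"{entry['raw']}: no LOCAL fallback; an unreachable {group} host locks out this access path")
        elif not cfg["usernames"]:
            fallback_without_user = True
    if fallback_without_user:
        risks.append("LOCAL fallback is configured but no username exists, so the fallback cannot succeed")
    return risks


def recovery_commands(text: str, group: str) -> List[str]:
    """Return the 'no ...' lines that stop the context depending on the given
    server group (every aaa line referencing it, not just the article's two)."""
    cfg = parse_config(text)
    return ["no " + e["raw"] for e in cfg["aaa"] if e["group"] == group]


def patch_backup(text: str, group: str) -> str:
    """Append the recovery lines to the backed-up .cfg text, which is the file
    the new config-url command will point at."""
    return text.rstrip("\n") + "\n" + "\n".join(recovery_commands(text, group)) + "\n"


if __name__ == "__main__":
    for r in find_lockout_risks(SAMPLE_CONFIG):
        print("RISK:", r)
    print(patch_backup(SAMPLE_CONFIG, "TACACS+"))
```

Run it against a `show running-config` capture of the context before changing the AAA server address: a reported risk means a typo in the host IP would lock the context out, and the cheapest fix is to add a local username before touching the aaa-server line.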
Reference
Cisco ASA Series Command Reference