Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8289
Views
0
Helpful
3
Replies

Failed Authentication Message Inquiry

alex.galido
Level 1
Level 1

‎03-10-2017 10:26 AM - edited ‎03-08-2019 09:41 AM

We have cisco router and after checking the log I saw this message:

pam_aaa:authentication failed from <ipaddress> -sshd[2909] 

pam_aaa:authentication failed from <ipaddress> -sshd[2913]

pam_aaa:authentication failed from <ipaddress> -sshd[3158]

I wanted to validate that number inside the [] brackets are the source port number? Any reference or direction to a Cisco documentation of the message is much appreciated. 

Alex 

3 people had this problem
Labels:
0 Helpful
3 Replies 3

Reza Sharifi
Hall of Fame
Hall of Fame

‎03-10-2017 11:33 AM

This document references to Nexus but you may be able to use it for your router to troubleshoot the issue.

The local user database does not contain the user account that the user is using to login with.

Solution

Perform the following steps to check the authentication fallback method.

  • As a best practice, include the aaa authentication login error-enable command in the configuration. When it is included in the configuration, the login session sees whether the fallback method is operating correctly. If messages, such as “Remote AAA servers unreachable; local authentication done" or “Remote AAA servers unreachable; local authentication failed", are received, then the fallback method is operating correctly.
  • If the remote AAA servers are not accessible, check to see if the local user database has the user credential for local authentication. Use the show user-account command to display the credential.
  • link
  • http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/troubleshooting/guide/N5K_Troubleshooting_Guide/n5K_ts_sec.html
  • HTH
0 Helpful

alex.galido
Level 1
Level 1
In response to Reza Sharifi

‎03-10-2017 12:04 PM

Hi Reza, I'm really more interested on the the numeric characters inside the [] bracket. I looked in this doc http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-message-banners.html

It was not clear enough to say that the numerical character in the bracket [] are the port number.

pam_aaa:authentication failed from <ipaddress> -sshd[2909] 

I'm not looking for the reason for the error message; but more to the substance of the number inside the bracket []. Is it the source port # of the device who failed to login or something else that Cisco have defined?  

BTW, the device is a Cisco MDS 9396S and I'm checking the link you've provided as well and see if there's any info that fit to what I'm looking for. 

Thank you in advance for your response. 

0 Helpful

Reza Sharifi
Hall of Fame
Hall of Fame
In response to alex.galido

‎03-11-2017 01:47 PM

Hi Alex,

You are right.  The document is not clear but you can actually test it for your self.

You can simply open an SSH session to the Cisco device and than use "sh tcp brief all" command to see the source and destination port for the ssh session and match it with what is in the logs.

The output of "sh tcp brief all"  should look like this.  The source port is 56044

TCB       Local Address               Foreign Address             (state)
3D9B0DDC  10.10.80.75.22           10.10.152.81.56044          ESTAB

HTH

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card