
AAA details from log message


Hello all,

I am looking for a way to gather more information on the "AAA user authentication rejected: reason = Unspecified : server =a.b.c.d: user =" message. We seem to be having someone spray usernames and passwords towards my ASA in an attempt to gain access. I am trying to figure out a way to see the source IP address that is generating this traffic. I have been trying different AAA debugs without success. I am thinking that if I can determine the offending IP address I can add it to my block list. Any thoughts or suggestions on how to approach this issue?



MHM Cisco World
VIP Mentor

Does he want to access via telnet?
If yes, which interface do you use for telnet? Let's assume it is IN.
Do a traffic capture on the IN interface and use TCP 23 as the capture filter,
then check the IP.
This is the best way to catch this IP.

Marvin Rhoads
Hall of Fame Community Legend

We commonly see this on any public-facing address. The usual mitigation is to just make sure you don't allow ssh (or telnet!) on the outside interface. That way the ASA has no listener (asp-table socket) for the service on that interface.

Trying to block every address that sources this type of background noise is a never ending game which is why it's best to just shut off the service. If it's absolutely required then restrict it to authorized public IP addresses.

Aref Alsouqi
VIP Collaborator

Normal traffic logs should show you those denies. If not, as already suggested, you can run a packet capture on the interface of interest and capture the required data from there.
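
Added example, not part of any reply in this thread: one way to get source addresses out of the normal logs is to pair each AAA rejection with the ASA's login-denied message for the same user at about the same time. It assumes the attempts are management logins (ssh/telnet) for which the ASA also logs message 605004 with the source address, and that logging timestamps are enabled; the sample lines are constructed and the function names are illustrative.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines using documentation addresses; not taken from the thread.
SAMPLE_LOG = """\
Mar 04 2024 10:15:01: %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.0.2.10 : user = admin
Mar 04 2024 10:15:01: %ASA-6-605004: Login denied from 203.0.113.7/51234 to outside:198.51.100.1/ssh for user "admin"
Mar 04 2024 10:15:04: %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.0.2.10 : user = root
Mar 04 2024 10:15:05: %ASA-6-605004: Login denied from 203.0.113.7/51240 to outside:198.51.100.1/ssh for user "root"
Mar 04 2024 10:16:30: %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.0.2.10 : user = vpnuser
"""

TS = r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})"
# AAA rejection: carries the username but (as in the question) no source address.
AAA_RE = re.compile(TS + r".*113005: AAA user authentication Rejected\s*:.*user\s*=\s*(?P<user>\S+)", re.I)
# Login denied: carries the source address and the same username.
DENY_RE = re.compile(TS + r'.*605004: Login denied from (?P<ip>[\d.]+)/\d+ to \S+ for user "(?P<user>[^"]*)"')

def _ts(match):
    return datetime.strptime(match["ts"], "%b %d %Y %H:%M:%S")

def correlate(log, window=timedelta(seconds=2)):
    """Return (user, source_ip) per AAA rejection; source_ip is None when unmatched."""
    rejects, denies = [], []
    for line in log.splitlines():
        if m := AAA_RE.search(line):
            rejects.append((_ts(m), m["user"]))
        elif m := DENY_RE.search(line):
            denies.append((_ts(m), m["user"], m["ip"]))
    pairs = []
    for when, user in rejects:
        # First login-denied line for the same user inside the time window.
        ip = next((ip for t, u, ip in denies
                   if u == user and abs(t - when) <= window), None)
        pairs.append((user, ip))
    return pairs

def sources(pairs):
    """Count rejections per source address, ignoring unmatched ones."""
    return Counter(ip for _, ip in pairs if ip)

if __name__ == "__main__":
    pairs = correlate(SAMPLE_LOG)
    print(sources(pairs).most_common())
    print("unmatched users:", [u for u, ip in pairs if ip is None])
```

Rejections that come back unmatched did not arrive through a login path that logs 605004, which is where the packet capture suggested in the replies is still needed.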
