roll back operation : AAA deployment

Mar 1st, 2010

Hi !

We plan to deploy the AAA function on our production network and, as requested by our policy (and by any good practice), I had to prepare a rollback plan in case of problems. After deploying the commands on our core Catalyst switch in the lab and successfully authenticating my user session, it looks like it is impossible to roll back and disable the AAA function without reloading the switch.

When I use the command

no aaa new-model
Active AAA sessions present
Cannot change to no aaa new-model while sessions still active

Before I issued this command I had removed all other AAA commands from the configuration. I know that if we reload the switch I will be able to remove the aaa new-model command. I would like to avoid reloading the switch to undeploy this command. Could someone help me?

Panos Kampanakis Mon, 03/01/2010 - 08:19

This relates to defect CSCsu32327 and I am afraid there is nothing to do to get rid of it other than rebooting.

The disabling of aaa new model has been deprecated.  New-model is a superset of old-model which is 15 years old. 

I hope it helps.

xine xine Mon, 03/01/2010 - 08:38

Hi !

I searched the Bug Toolkit to view a description and patch availability for this issue, but that bug is not available to the public; only Cisco employees can view this bug description... Is there some special reason for this?

Is a patch planned to be available?

Thanks a lot

Panos Kampanakis Mon, 03/01/2010 - 08:58

It is already fixed in 12.2(33)SXI02.

So I guess an upgrade would fix it. But an upgrade would still reboot the switch.

So either of them will solve your problem.

I apologize for the bug not being external. The reason is that this is mostly a command design issue to fix since the command needs to be deprecated.

I hope it helps.


xine xine Mon, 03/01/2010 - 09:10

Hi !

Our 6509 is currently running IOS s72033-ipservicesk9_wan-mz.122-33.SXI2a.bin, so it looks like it is not fixed already? Or am I misunderstanding something in the IOS version naming.....

Panos Kampanakis Mon, 03/01/2010 - 09:36

Hmm, 2a is not the same as .2.

The command should be deprecated so if it exists in .2a probably it was not integrated in it, I believe.


xine xine Mon, 03/01/2010 - 09:40

I know, but isn't 2a supposed to include all the patches in 2? Should I open a case with the TAC for that issue?

