ASA 5505 locked out

Nov 26th, 2013

Hi,


I have an ASA 5505 that was previously using an AAA server for authentication/authorization. This AAA Server is gone. Now, I'd like to log in locally. However, I do not know any local passwords. I used the Cisco guide to reset the password (confreg 0x40) and I am able to boot into privileged mode as directed. However, when I try to copy the start config to the running config I get:


Fallback authorization. username 'enable_15' not in LOCAL database

Command authorization failed


It seems the enable_15 local user is missing.


Any idea how I can reset the password now?


Thanks.

jumora Tue, 11/26/2013 - 20:57
User Badges:
  • Cisco Employee,

you need to create local user privilege 15 first and then copy the configuration over.


Value our effort and rate the assistance!

lcambron Wed, 11/27/2013 - 10:51
User Badges:
  • Bronze, 100 points or more

Hello,


You can just create the user:

username admin password password privilege 15


If you are no longer using the AAA server, I would suggest removing those commands.


Regards,


Felipe.



Remember to rate useful posts.

SHIBI V DEV Wed, 11/27/2013 - 12:04

Create a local user on the ASA with priv 15, log in with that user, remove the AAA configs and try to save the config.


Try this command also: aaa authentication ssh console LOCAL

BlueMCisco Wed, 11/27/2013 - 14:01

Thank you all for the replies. My problem is that the ACS server that the ASA was using is no longer available to me (I cut ties with the company that was providing the ACS service).


Therefore, I cannot log in to the ASA with any account that has enough privileges to create a local user, as you are all mentioning as a solution.

lcambron Wed, 11/27/2013 - 14:29
User Badges:
  • Bronze, 100 points or more

You can try to remove the aaa authorization commands, but if it doesn't let you, another way will be to back up the configuration, remove the commands from the backup and add the user, then copy it back to the ASA.


Regards,


Felipe.



Remember to rate useful posts.

Marius Gunnerud Thu, 11/28/2013 - 11:16
User Badges:
  • Red, 2250 points or more
  • Cisco Designated VIP, 2017 Firewalling

If you are unable to access the ASA it is very likely that either the enable 15 user is missing or that the AAA config is not configured to use the local user account as a fallback. Have a look at this link to perform a password recovery on the ASA5505.


http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/trouble.html#wp1049302


--

Please rate all helpful posts and select a correct answer

Matt qomat Fri, 03/04/2016 - 09:44

So almost everybody here gave a stupid answer.. remove aaa or add enable privilege level 15.

None of those will work since you can't log in because authorization failed. Some suggested doing it before you copy the config.. beautiful.. but when you do that you modify the running-config, which is empty/clean anyways.. once you copy startup to run all those changes will be overwritten and you end up in the same place you were.

Anyone has a good idea?


Seems like copying the config to a TFTP server and modifying it there is an option.. or copy the config to TFTP.. on the ASA do write mem with the clean config (to clear the config) and then paste whatever you need from the TFTP copy..

It seems stupid Cisco didn't compensate for the case when someone forgets to add authorization console LOCAL....
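One way to script the offline edit suggested in the replies above (copy the startup-config off to a TFTP server, remove the AAA authorization lines that point at the dead ACS server, add a privilege-15 local user, then copy the file back), as an added example that is not part of any reply in this thread; the sample config, the server-group name ACS, the host address and the account details are constructed placeholders:

```python
import re

# Constructed sample fragment of an ASA 5505 startup-config (not from the thread).
# The server group "ACS" and its host address are placeholders.
SAMPLE_CONFIG = """\
hostname asa5505
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.0.0.5
 key *****
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS LOCAL
aaa authentication serial console ACS LOCAL
aaa authorization command ACS LOCAL
aaa authorization exec authentication-server
http server enable
"""

# Matches "aaa authentication <ssh|enable|serial|...> console <methods>".
AUTHN_RE = re.compile(r"^(aaa authentication \S+ console)\b.*$")


def recover_local_access(config: str, user: str, password: str) -> str:
    """Return the config with AAA authorization removed and LOCAL-only login.

    The edited text is meant to be copied back to the ASA (tftp or paste) after
    booting with confreg 0x40 into an empty running-config.
    """
    kept = []
    for line in config.splitlines():
        # "aaa authorization command ..." is what produces
        # "Command authorization failed" once the TACACS+ server is gone.
        if line.startswith("aaa authorization "):
            continue
        # Keep the authentication method lists but make LOCAL the only method.
        m = AUTHN_RE.match(line)
        if m:
            line = f"{m.group(1)} LOCAL"
        kept.append(line)

    # Make sure there is a privilege-15 local account to log in with (idempotent).
    user_re = re.compile(rf"^username {re.escape(user)} .*\bprivilege 15\b")
    if not any(user_re.match(l) for l in kept):
        user_line = f"username {user} password {password} privilege 15"
        # Define the user before the first aaa line so it exists when AAA applies.
        idx = next((i for i, l in enumerate(kept) if l.startswith("aaa")), len(kept))
        kept.insert(idx, user_line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print(recover_local_access(SAMPLE_CONFIG, "admin", "CHANGE-ME"))
```

The aaa-server definitions are left in place on purpose; once nothing references the group they are harmless and can be removed by hand after login.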

Akshay Rastogi Sun, 03/06/2016 - 02:18
User Badges:
  • Cisco Employee,

Hi,

When you copy a configuration from startup to running, it doesn't throw you out of the console. You would still have access, so after copying startup to running you can make changes.


Regards,

Akshay Rastogi

Matt qomat Mon, 03/07/2016 - 05:53

Nobody said here it will throw you out of the console. All I was saying is you can't modify it since authorization doesn't allow you to get to the startup config! Modifying run as people suggested and then copying startup will overwrite run.. so it won't work.
