Our ACS 4.2 Failed Attempts log is being filled by "noise" on the async (tty0/tty1) from both our routers and switches. We have modems attached to our routers primarily on the console ports, in addition we have the aux port of our router connected to the console port of our LAN switch so we can reverse telnet into the switch. Both router & switch are TACACs enabled. In the user-name field of the ACS log, we get "noise" such as "interface up and down", "Press RETURN to get started", which the authen-failure-code indicates invalid characters or "ACS user unknown" in username field. What would cause this? I know misconfigured modems can cause echo issues but why a switch console port?
Gregory, I believe we did as we don't see the constant logging. We disabled the modem auto-discovery on the Aux port which I believed resolved the issue but we also disabled Banner Login and set the no exec command on the aux port, so I will have to go back and check my notes but you can try these in the mean time.
This issue occurs when terminal server device (like c2509, c2511 or other) connect to it and which is sending junk to console or aux lines of the Router/Switch.
What may happen wrong with Terminal Server config:
= Incorrect speed for the line (which is connected to console of the router)
= possibly "exec" is running on that line on Terminal Server, thus sending unexpected prompt to the router console/aux.
When you want to allow only an outgoing connection on a line, use the *no**exec* command.The *no exec* command allows you to disable the EXEC process for connections which may attempt to send unsolicited data to the router.
(For example, the control port of a rack of modems attached to an auxiliary port of router.) When certain types of data are sent to a line connection, an EXEC process can start, which makes the line unavailable.
The user will still be able to access the console of the device and be authenticated as well. This puts extra burden on ACS and you may see some latency with legitimate authentications.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :