Cisco Support Community
New Member

ASA 5505 locked out

Hi,

I have an ASA 5505 that was previously using an AAA server for authentication/authorization. This AAA Server is gone. Now, I'd like to log in locally. However, I do not know any local passwords. I used the Cisco guide to reset the password (confreg 0x40) and I am able to boot into privileged mode as directed. However, when I try to copy the start config to the running config I get:

Fallback authorization. username 'enable_15' not in LOCAL database

Command authorization failed

It seems the enable_15 local user is missing.

Any idea how I can reset the password now?

Thanks.

9 REPLIES
Silver

You need to create a local user with privilege 15 first and then copy the configuration over.

Value our effort and rate the assistance!

Bronze

Hello,

You can just create the user:

username admin password password privilege 15

If you are no longer using the AAA server, I would suggest removing those commands.

Regards,

Felipe.

Remember to rate useful posts.

New Member

Create a local user on the ASA with priv 15, log in with that user, remove the AAA configs and try to save the config.

Try this command also: aaa authentication ssh console LOCAL

New Member

Thank you all for the replies. My problem is that the ACS server that the ASA was using is no longer available to me (I cut ties with the company that was providing the ACS service).

Therefore, I cannot log in to the ASA with any account that has enough privileges to create a local user as you are all mentioning as a solution.

Bronze

You can try to remove the aaa authorization commands but if it does let you, another way will be to back up the configuration, remove the commands from the backup and add the user, then copy it back to the ASA.

Regards,

Felipe.

Remember to rate useful posts.

VIP Green

If you are unable to access the ASA it is very likely that either the enable 15 user is missing or that the AAA config is not configured to use the local user account as a fallback. Have a look at this link to perform a password recovery on the ASA5505.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/trouble.html#wp1049302

--

Please rate all helpful posts and select a correct answer

--

Please remember to rate and select a correct answer
New Member

So almost everybody here gave a stupid answer: remove aaa or add enable privilege level 15.

None of those will work since you can't log in because authorization failed. Some suggested doing it before you copy the config... beautiful... but when you do that you modify the running-config, which is empty/clean anyway. Once you copy startup to run, all those changes will be overwritten and you end up in the same place you were.

Does anyone have a good idea?

Seems like copying the config to a tftp server and modifying it there is an option, or copy the config to tftp, do a write mem on the ASA with a clean config (to clear the config) and then paste whatever you need from the tftp copy.

It seems stupid that Cisco didn't compensate for the case when someone forgets to add authorization console LOCAL....

Cisco Employee

Hi,

When you copy a configuration from startup to running, it doesn't throw you out of the console. You would still have access, so after startup to running, you can make changes.

Regards,

Akshay Rastogi

New Member

Nobody here said it will throw you out of the console. All I was saying is that you can't modify it, since authorization doesn't allow you to get to the startup config! Modifying run as people suggested and then copying startup will overwrite run, so it won't work.
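
An added example, not part of any post in this thread and not Cisco code: a Python check to run against a backed-up ASA config before the AAA server goes away, flagging the two conditions discussed above (AAA lines with no LOCAL fallback, and LOCAL referenced with no privilege 15 local user). The server group name `ACS`, the usernames and the password hashes in the sample configs are constructed.

```python
import re

# Constructed sample configs (not taken from the thread).
RISKY_CONFIG = """\
aaa-server ACS protocol tacacs+
username operator password EXAMPLEHASH encrypted privilege 5
aaa authentication ssh console ACS
aaa authentication enable console ACS LOCAL
aaa authorization command ACS LOCAL
"""
SAFE_CONFIG = """\
aaa-server ACS protocol tacacs+
username admin password EXAMPLEHASH encrypted privilege 15
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS LOCAL
aaa authorization command ACS LOCAL
"""

# Matches "aaa authentication <service> console ..." and
# "aaa authorization command ..."; group 2 is the method list.
AAA_RE = re.compile(r"^aaa (authentication \S+ console|authorization command) (.+)$")

def audit_lockout_risk(config_text):
    """Return a list of findings that could lock out local administration."""
    findings, aaa_lines, priv15_users = [], [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        match = AAA_RE.match(line)
        if match:
            aaa_lines.append((line, match.group(2).split()))
            continue
        tokens = line.split()
        # "username <name> ... privilege <level>"
        if len(tokens) >= 4 and tokens[0] == "username" and "privilege" in tokens[2:-1]:
            level = tokens[tokens.index("privilege", 2) + 1]
            if level == "15":
                priv15_users.append(tokens[1])
    for line, methods in aaa_lines:
        if "LOCAL" not in methods:
            findings.append(f"no LOCAL fallback: {line}")
    # LOCAL fallback only helps if a privilege 15 user exists in the LOCAL database.
    if any("LOCAL" in methods for _, methods in aaa_lines) and not priv15_users:
        findings.append("LOCAL referenced but no privilege 15 local user defined")
    return findings

if __name__ == "__main__":
    for finding in audit_lockout_risk(RISKY_CONFIG):
        print(finding)
```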
