Cant enter enable mode-AAA server is down

nygenxny123
Level 1

Cisco ASA 5520

When I attempt to telnet, I get the username and password prompts, but no authentication since my ACS server is down.

I can console in, but I can't enter enable mode.

I get the message "AAA server is unreachable".

Is there anything I can do besides a password recovery?

Accepted Solution

Hello,

If you still have lines like 'aaa authentication telnet console TACACS+' in the config then the local username/password won't work. You would need to have the 'LOCAL' keyword at the end of those lines. If that is the case, you'll need to do a password recovery to remove the 'aaa authentication' lines.

Hope that helps.

-Mike


praprama
Cisco Employee

Hi,

Here's the link to perform password recovery:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/trouble.html#wp1049302

Hope this helps!!

Thanks and Regards,

Prapanch

mirober2
Cisco Employee

Hello,

Do you have LOCAL fallback setup for authentication? If so, you can use the credentials configured in the local user database to login. Otherwise, you'll need to either get your AAA server up and running again or perform a password recovery.

When you get it working again, you should consider configuring a local user account to avoid locking yourself out again in the future. You can do that with these commands:

username <name> password <password> privilege 15

aaa authentication telnet console LOCAL

Hope that helps.

-Mike

That's what's weird.

I do have a local password and username configured on it.

I was actually removing TACACS on it for a new config.

When I removed the aaa statement and the aaa tacacs server host and key statement,

I was locked out....

What is left are, I believe, the following commands:

aaa authentication telnet console TACACS+

aaa authentication enable console TACACS+

aaa authentication ssh console TACACS+

aaa authentication http console TACACS+

When I enter enable,

it looks for TACACS.

If you have removed all the "aaa authentication" lines, then when you telnet to the equipment the password required is the one set with the "password" command, if you have one.

HTH

Dan
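An added audit script, not from this thread or from Cisco, that illustrates Mike's point about LOCAL fallback: it parses ASA "aaa authentication ... console" lines and flags any that name a server group without the LOCAL keyword, or whose aaa-server group is no longer defined (the situation the original poster describes after removing the TACACS+ host), and suggests the corrected line. The sample configs are constructed from the lines quoted in the thread; `audit_aaa`, `SAMPLE_CONFIG` and `HARDENED_CONFIG` are names chosen here.

```python
import re

# Constructed sample: the lines the poster says were left behind after the
# TACACS+ aaa-server group/host were removed (password is a placeholder).
SAMPLE_CONFIG = """\
username admin password <placeholder> privilege 15
aaa authentication telnet console TACACS+
aaa authentication enable console TACACS+
aaa authentication ssh console TACACS+
aaa authentication http console TACACS+
aaa authentication serial console LOCAL
"""
# Constructed hardened variant: group defined, every line falls back to LOCAL.
HARDENED_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.0.2.10
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
"""
# ASA syntax: aaa authentication <access> console <server-group> [LOCAL]
AAA_RE = re.compile(
    r"^aaa authentication (?P<access>telnet|ssh|http|enable|serial) console"
    r" (?P<group>\S+)(?: (?P<fallback>LOCAL))?$"
)
GROUP_RE = re.compile(r"^aaa-server (?P<group>\S+) protocol \S+$")


def audit_aaa(config):
    """One finding per management-access line that can lock you out."""
    lines = [line.strip() for line in config.splitlines()]
    defined = {m.group("group") for line in lines if (m := GROUP_RE.match(line))}
    findings = []
    for line in lines:
        m = AAA_RE.match(line)
        if not m or m.group("group") == "LOCAL":
            continue  # not an aaa authentication line, or already local-only
        problems = []
        if m.group("fallback") is None:
            problems.append("no LOCAL fallback: lockout when the server is unreachable")
        if m.group("group") not in defined:
            problems.append("server group %s is not defined" % m.group("group"))
        if problems:
            findings.append({"access": m.group("access"), "problems": problems,
                             "fix": line if m.group("fallback") else line + " LOCAL"})
    return findings
```

Run it against a "show running-config" capture before decommissioning a AAA server; an empty result means every management path can still authenticate against the local database.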
