  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 925

Want to remove all AAA info from pix 515e

I do a:
no aaa-server BSTVPN (inside) host 192.168.10.x brainstate timeout 10
clear aaa-server BSTVPN

or a:
no aaa-server BSTVPN (inside) host 192.168.10.1 brainstate timeout 10

and I get:
you must remove all AAA corresponding entries prior to
removing the last server in group BSTVPN

no matter what.

Can somebody let me know what else I need to remove first?
0
Asked: jaysonfranklin
1 Solution
jaysonfranklinAuthor Commented:
beyond those commands, it seems any other 'no aaa-server' command gives the same message too.
0
 
JFrederick29Commented:
Remove BSTVPN from your aaa authentication statement and try it again.
0
 
jaysonfranklinAuthor Commented:
Maybe I'm missing the command. I've also tried removing it everywhere from the PDM with no luck. When I just remove BSTVPN it says no such server group host.
0
 
JFrederick29Commented:
Do you have a command that looks something like this?

aaa authentication .... BSTVPN
0
 
jaysonfranklinAuthor Commented:
Not that I found... and a 'sh auth' displays nothing.

See if you can spot it...

sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password * encrypted
passwd * encrypted
hostname PixFirewall
domain-name brainstate.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list Outside_In permit tcp any host x.x.x.x eq www
access-list Outside_In permit tcp any host x.x.x.x eq https
access-list Outside_In permit tcp any host x.x.x.x eq 444
access-list Outside_In permit tcp any host x.x.x.x eq smtp
access-list Outside_In permit icmp any any echo-reply
access-list Outside_In permit icmp any any time-exceeded
access-list Outside_In permit icmp any any unreachable
pager lines 24
icmp deny any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.224
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location x 255.255.255.255 inside
pdm location x 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.x.x www exchsvr www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x https exchsvr https netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 444 exchsvr 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x smtp exchsvr smtp netmask 255.255.255.255 0 0
access-group Outside_In in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server BSTVPN protocol tacacs+
aaa-server BSTVPN max-failed-attempts 3
aaa-server BSTVPN deadtime 10
aaa-server BSTVPN (inside) host 192.168.10.1 brainstate timeout 10
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
isakmp enable outside
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.61-192.168.10.254 inside
dhcpd dns exchsvr x.x.x.x
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain brainstate.local
dhcpd auto_config outside
dhcpd enable inside
username brainstate password * encrypted privilege 2
terminal width 80
banner motd Brain State Technologies Security Message - Terms of Use
banner motd
banner motd The Brain State Technologies computer system is RESTRICTED to official business by authorized users only. Unauthorized entry is prohibited by law and subject to prosecution. All activities and access attempts are monitored and logged for auditing.
banner motd
banner motd Use of this system is your consent to the current Terms of Use. If you are not authorized to use this system, or do not agree to the current Terms of Use, please exit now.
Cryptochecksum:95673549baef1bda757aa71803f6c89e
: end

PixFirewall# sh auth
PixFirewall#
0
 
JFrederick29Commented:
I don't see any reference to BSTVPN so I'm not sure why it's giving you grief.

Try copying and pasting these lines on the PIX one at a time:

no aaa-server BSTVPN (inside) host 192.168.10.1 brainstate timeout 10
no aaa-server BSTVPN (inside) host 192.168.10.1
clear aaa-server BSTVPN
0
 
jaysonfranklinAuthor Commented:
Already tried those commands... did them again and it's the same thing... is Version 6.3(5) buggy?

PixFirewall(config)# no aaa-server BSTVPN (inside) host 192.168.10.1 brainstat$
you must remove all AAA corresponding entries prior to
removing the last server in group BSTVPN
Usage:  [no] aaa-server <tag> [<(if_name)>] host <ip_address> [<key>] [timeout <
seconds>]
       [no] aaa-server <tag> protocol tacacs+|radius
       [no] aaa-server <tag> max-failed-attempts <tries>
       [no] aaa-server <tag> deadtime <deadtimeout>
       clear aaa-server [<tag>]
       [no] aaa-server radius-authport [<auth_port>]
       [no] aaa-server radius-acctport [<acct_port>]
PixFirewall(config)#
PixFirewall(config)# no aaa-server BSTVPN (inside) host 192.168.10.1
you must remove all AAA corresponding entries prior to
removing the last server in group BSTVPN
Usage:  [no] aaa-server <tag> [<(if_name)>] host <ip_address> [<key>] [timeout <
seconds>]
       [no] aaa-server <tag> protocol tacacs+|radius
       [no] aaa-server <tag> max-failed-attempts <tries>
       [no] aaa-server <tag> deadtime <deadtimeout>
       clear aaa-server [<tag>]
       [no] aaa-server radius-authport [<auth_port>]
       [no] aaa-server radius-acctport [<acct_port>]
PixFirewall(config)# clear aaa-server BSTVPN
you must remove all AAA corresponding entries prior to
remove the last server in group BSTVPN
Usage:  [no] aaa-server <tag> [<(if_name)>] host <ip_address> [<key>] [timeout <
seconds>]
       [no] aaa-server <tag> protocol tacacs+|radius
       [no] aaa-server <tag> max-failed-attempts <tries>
       [no] aaa-server <tag> deadtime <deadtimeout>
       clear aaa-server [<tag>]
       [no] aaa-server radius-authport [<auth_port>]
       [no] aaa-server radius-acctport [<acct_port>]
PixFirewall(config)#
0
 
JFrederick29Commented:
I run 6.3(5) at home so if the below doesn't work, I'll try it on my PIX.

Couldn't hurt to reboot the PIX and then try to remove it again if you can...

Try this:

no aaa-server BSTVPN protocol tacacs+
no aaa-server BSTVPN max-failed-attempts 3
no aaa-server BSTVPN deadtime 10
no aaa-server BSTVPN (inside) host 192.168.10.1 brainstate timeout 10
0
 
jaysonfranklinAuthor Commented:
it took:
no aaa-server BSTVPN max-failed-attempts 3
no aaa-server BSTVPN deadtime 10

but none of the other ones..different error though.

PixFirewall> en
Password: ********
PixFirewall# config t
PixFirewall(config)# no aaa-server BSTVPN protocol tacacs+
AAA servers configured! cannot remove server_tag
Usage:  [no] aaa-server <tag> [<(if_name)>] host <ip_address> [<key>] [timeout <
seconds>]
       [no] aaa-server <tag> protocol tacacs+|radius
       [no] aaa-server <tag> max-failed-attempts <tries>
       [no] aaa-server <tag> deadtime <deadtimeout>
       clear aaa-server [<tag>]
       [no] aaa-server radius-authport [<auth_port>]
       [no] aaa-server radius-acctport [<acct_port>]
PixFirewall(config)# exit
PixFirewall# no aaa-server BSTVPN protocol tacacs+
Type help or '?' for a list of available commands.
PixFirewall#

0
 
JFrederick29Commented:
Okay, so on my PIX running the same version as yours, 6.3(5), I added an aaa-server host and removed it without a problem.

For good measure, can you post the results of:

show run | inc BSTVPN
0
 
jaysonfranklinAuthor Commented:
No problem. It's still taking the max-failed and deadtime, but gives a different error. Here's what I did:

show run | inc BSTVPN
aaa-server BSTVPN protocol tacacs+
aaa-server BSTVPN max-failed-attempts 3
aaa-server BSTVPN deadtime 10
aaa-server BSTVPN (inside) host 192.168.10.1 brainstate timeout 10

PixFirewall# config t
PixFirewall(config)# no aaa-server BSTVPN protocol tacacs+
AAA servers configured! cannot remove server_tag
Usage:      [no] aaa-server <tag> [<(if_name)>] host <ip_address> [<key>] [timeout <seconds>]
       [no] aaa-server <tag> protocol tacacs+|radius
       [no] aaa-server <tag> max-failed-attempts <tries>
       [no] aaa-server <tag> deadtime <deadtimeout>
       clear aaa-server [<tag>]
       [no] aaa-server radius-authport [<auth_port>]
       [no] aaa-server radius-acctport [<acct_port>]

PixFirewall(config)# no aaa-server BSTVPN max-failed-attempts 3   <---- It took this.

PixFirewall(config)# no aaa-server BSTVPN deadtime 10    <----- It took this too.

PixFirewall(config)# no aaa-server BSTVPN (inside) host 192.168.10.1 brainstate$e) host 192.168.10.1 brainstate                          timeout 10no aaa-server BSTVPN (inside) host 192.168.10.1 brainstat$
you must remove all AAA corresponding entries prior to
removing the last server in group BSTVPN
Usage:      [no] aaa-server <tag> [<(if_name)>] host <ip_address> [<key>] [timeout <seconds>]
       [no] aaa-server <tag> protocol tacacs+|radius
       [no] aaa-server <tag> max-failed-attempts <tries>
       [no] aaa-server <tag> deadtime <deadtimeout>
       clear aaa-server [<tag>]
       [no] aaa-server radius-authport [<auth_port>]
       [no] aaa-server radius-acctport [<acct_port>]

PixFirewall(config)# clear aaa-server
you must remove all AAA corresponding entries prior to
remove the last server in group

PixFirewall(config)#
0
 
JFrederick29Commented:
Wow, I think a reload of the router is in order. Try removing after a reload.
0
 
jaysonfranklinAuthor Commented:
OK, will do. But it will have to be after hours because this PIX is also my DHCP at the moment. Thanks for all the help.
0
 
jaysonfranklinAuthor Commented:
Hey man, thanks for the advice. I just wanted to make sure there wasn't anything else I could do before a reboot. Have a good'n.
0
 
jaysonfranklinAuthor Commented:
Weird why a PIX would do that... wonder if it's happened to anyone else...
0
 
hecklejCommented:
I had this same problem and I had to run the following command before I could get rid of the aaa-servers:
no crypto map outside_map client authentication BSTVPN (or the name of your policy)
Hope this helps.
0
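The thread's lesson is that a PIX refuses to delete the last server of an aaa-server group while any other statement (an `aaa authentication` line, a `crypto map ... client authentication` line) still names that group, and that the `protocol` line is refused while hosts remain. The script below is an added example, not code from the thread or from Cisco: it scans a saved `show run` for every statement that names a given group tag and orders the `no` commands so the dependencies go first. The config text is constructed for the example; the `aaa authentication ssh console` and `crypto map` lines stand in for the kind of reference JFrederick29 and hecklej describe.

```python
# Constructed sample PIX 6.3 config (not the thread's real config): the
# BSTVPN group plus two statements elsewhere that reference it.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server BSTVPN protocol tacacs+
aaa-server BSTVPN max-failed-attempts 3
aaa-server BSTVPN deadtime 10
aaa-server BSTVPN (inside) host 192.168.10.1 brainstate timeout 10
aaa authentication ssh console BSTVPN
crypto map outside_map client authentication BSTVPN
http server enable
"""


def split_group(config_text, tag):
    """Return (definition_lines, referencing_lines) for an aaa-server group.

    definition_lines are the group's own 'aaa-server <tag> ...' statements;
    referencing_lines are any other statements that contain the tag as a
    whole token, i.e. the "corresponding entries" the PIX wants gone first.
    Token matching (not substring) keeps 'TACACS+' from matching 'TACACS'.
    """
    definition, references = [], []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or tag not in line.split():
            continue
        if line.startswith(f"aaa-server {tag} "):
            definition.append(line)
        else:
            references.append(line)
    return definition, references


def removal_plan(config_text, tag):
    """Order the 'no ...' commands so the group can actually be deleted:
    external references first, then host entries, then the remaining group
    parameters, and the protocol line last (the PIX answers
    'AAA servers configured! cannot remove server_tag' while hosts remain).
    """
    definition, references = split_group(config_text, tag)
    hosts = [d for d in definition if " host " in d]
    protocol = [d for d in definition if d.startswith(f"aaa-server {tag} protocol")]
    params = [d for d in definition if d not in hosts and d not in protocol]
    return ["no " + stmt for stmt in references + hosts + params + protocol]


if __name__ == "__main__":
    for cmd in removal_plan(SAMPLE_CONFIG, "BSTVPN"):
        print(cmd)
```

Run it against a real `show run` capture (`python plan.py < running.txt` after reading stdin instead of `SAMPLE_CONFIG`) and review the list before pasting anything into config mode; the thread shows the same `no` forms being accepted once nothing else names the group.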
