Solved

Want to remove all AAA info from pix 515e

Posted on 2006-11-08
Last Modified: 2012-05-05
I do a:
no aaa-server BSTVPN (inside) host 192.168.10.x brainstate timeout 10
      clear aaa-server BSTVPN

or a:
no aaa-server BSTVPN (inside) host 192.168.10.1 brainstate timeout 10

and I get a:
you must remove all AAA corresponding entries prior to
removing the last server in group BSTVPN

no matter what.

Can somebody let me know what else I need to remove first?
Question by:jaysonfranklin
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 17899249
Beyond those commands, it seems any other 'no aaa-server' command gives the same message too.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 17899409
Remove BSTVPN from your aaa authentication statement and try it again.
0
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 17899485
Maybe I'm missing the command. I've also tried removing it everywhere from the PDM with no luck. When I just remove BSTVPN it says no such server group host.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 17899774
Do you have a command that looks something like this?

aaa authentication .... BSTVPN
0
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 17899902
Not that I found... and a 'sh auth' displays nothing.

See if you can spot it...

sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password * encrypted
passwd * encrypted
hostname PixFirewall
domain-name brainstate.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list Outside_In permit tcp any host x.x.x.x eq www
access-list Outside_In permit tcp any host x.x.x.x eq https
access-list Outside_In permit tcp any host x.x.x.x eq 444
access-list Outside_In permit tcp any host x.x.x.x eq smtp
access-list Outside_In permit icmp any any echo-reply
access-list Outside_In permit icmp any any time-exceeded
access-list Outside_In permit icmp any any unreachable
pager lines 24
icmp deny any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.224
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location x 255.255.255.255 inside
pdm location x 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.x.x www exchsvr www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x https exchsvr https netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 444 exchsvr 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x smtp exchsvr smtp netmask 255.255.255.255 0 0
access-group Outside_In in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server BSTVPN protocol tacacs+
aaa-server BSTVPN max-failed-attempts 3
aaa-server BSTVPN deadtime 10
aaa-server BSTVPN (inside) host 192.168.10.1 brainstate timeout 10
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
isakmp enable outside
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.61-192.168.10.254 inside
dhcpd dns exchsvr x.x.x.x
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain brainstate.local
dhcpd auto_config outside
dhcpd enable inside
username brainstate password * encrypted privilege 2
terminal width 80
banner motd Brain State Technologies Security Message - Terms of Use
banner motd
banner motd The Brain State Technologies computer system is RESTRICTED to official business by authorized users only. Unauthorized entry is prohibited by law and subject to prosecution. All activities and access attempts are monitored and logged for auditing.
banner motd
banner motd Use of this system is your consent to the current Terms of Use. If you are not authorized to use this system, or do not agree to the current Terms of Use, please exit now.
Cryptochecksum:95673549baef1bda757aa71803f6c89e
: end

PixFirewall# sh auth

PixFirewall#
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 17900067
I don't see any reference to BSTVPN so I'm not sure why it's giving you grief.

Try copying and pasting these lines on the PIX one at a time:

no aaa-server BSTVPN (inside) host 192.168.10.1 brainstate timeout 10
no aaa-server BSTVPN (inside) host 192.168.10.1
clear aaa-server BSTVPN
0
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 17900114
Already tried those commands... did 'em again and it's the same thing... is Version 6.3(5) buggy?

PixFirewall(config)# no aaa-server BSTVPN (inside) host 192.168.10.1 brainstat$
you must remove all AAA corresponding entries prior to
removing the last server in group BSTVPN
Usage:  [no] aaa-server <tag> [<(if_name)>] host <ip_address> [<key>] [timeout <
seconds>]
       [no] aaa-server <tag> protocol tacacs+|radius
       [no] aaa-server <tag> max-failed-attempts <tries>
       [no] aaa-server <tag> deadtime <deadtimeout>
       clear aaa-server [<tag>]
       [no] aaa-server radius-authport [<auth_port>]
       [no] aaa-server radius-acctport [<acct_port>]
PixFirewall(config)#
PixFirewall(config)# no aaa-server BSTVPN (inside) host 192.168.10.1
you must remove all AAA corresponding entries prior to
removing the last server in group BSTVPN
Usage:  [no] aaa-server <tag> [<(if_name)>] host <ip_address> [<key>] [timeout <
seconds>]
       [no] aaa-server <tag> protocol tacacs+|radius
       [no] aaa-server <tag> max-failed-attempts <tries>
       [no] aaa-server <tag> deadtime <deadtimeout>
       clear aaa-server [<tag>]
       [no] aaa-server radius-authport [<auth_port>]
       [no] aaa-server radius-acctport [<acct_port>]
PixFirewall(config)# clear aaa-server BSTVPN
you must remove all AAA corresponding entries prior to
remove the last server in group BSTVPN
Usage:  [no] aaa-server <tag> [<(if_name)>] host <ip_address> [<key>] [timeout <
seconds>]
       [no] aaa-server <tag> protocol tacacs+|radius
       [no] aaa-server <tag> max-failed-attempts <tries>
       [no] aaa-server <tag> deadtime <deadtimeout>
       clear aaa-server [<tag>]
       [no] aaa-server radius-authport [<auth_port>]
       [no] aaa-server radius-acctport [<acct_port>]
PixFirewall(config)#
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 17900157
I run 6.3(5) at home so if the below doesn't work, I'll try it on my PIX.

Couldn't hurt to reboot the pix and then try to remove it again if you can...

Try this:

no aaa-server BSTVPN protocol tacacs+
no aaa-server BSTVPN max-failed-attempts 3
no aaa-server BSTVPN deadtime 10
no aaa-server BSTVPN (inside) host 192.168.10.1 brainstate timeout 10
0
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 17901046
It took:
no aaa-server BSTVPN max-failed-attempts 3
no aaa-server BSTVPN deadtime 10

but none of the other ones... different error though.

PixFirewall> en
Password: ********
PixFirewall# config t
PixFirewall(config)# no aaa-server BSTVPN protocol tacacs+
AAA servers configured! cannot remove server_tag
Usage:  [no] aaa-server <tag> [<(if_name)>] host <ip_address> [<key>] [timeout <
seconds>]
       [no] aaa-server <tag> protocol tacacs+|radius
       [no] aaa-server <tag> max-failed-attempts <tries>
       [no] aaa-server <tag> deadtime <deadtimeout>
       clear aaa-server [<tag>]
       [no] aaa-server radius-authport [<auth_port>]
       [no] aaa-server radius-acctport [<acct_port>]
PixFirewall(config)# exit
PixFirewall# no aaa-server BSTVPN protocol tacacs+
Type help or '?' for a list of available commands.
PixFirewall#

0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 17902204
Okay, so on my PIX running the same version as yours, 6.3(5), I added an aaa-server host and removed it without a problem.

For good measure, can you post the results of:

show run | inc BSTVPN
0
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 17902360
No problem. It's still taking the max-failed and deadtime, but gives a different error. Here's what I did:

show run | inc BSTVPN
aaa-server BSTVPN protocol tacacs+
aaa-server BSTVPN max-failed-attempts 3
aaa-server BSTVPN deadtime 10
aaa-server BSTVPN (inside) host 192.168.10.1 brainstate timeout 10

PixFirewall# config t

PixFirewall(config)# no aaa-server BSTVPN protocol tacacs+
AAA servers configured! cannot remove server_tag
Usage:      [no] aaa-server <tag> [<(if_name)>] host <ip_address> [<key>] [timeout <seconds>]
       [no] aaa-server <tag> protocol tacacs+|radius
       [no] aaa-server <tag> max-failed-attempts <tries>
       [no] aaa-server <tag> deadtime <deadtimeout>
       clear aaa-server [<tag>]
       [no] aaa-server radius-authport [<auth_port>]
       [no] aaa-server radius-acctport [<acct_port>]

PixFirewall(config)# no aaa-server BSTVPN max-failed-attempts 3   <---- It took this.

PixFirewall(config)# no aaa-server BSTVPN deadtime 10    <----- It took this too.

PixFirewall(config)# no aaa-server BSTVPN (inside) host 192.168.10.1 brainstate timeout 10
you must remove all AAA corresponding entries prior to
removing the last server in group BSTVPN
Usage:      [no] aaa-server <tag> [<(if_name)>] host <ip_address> [<key>] [timeout <seconds>]
       [no] aaa-server <tag> protocol tacacs+|radius
       [no] aaa-server <tag> max-failed-attempts <tries>
       [no] aaa-server <tag> deadtime <deadtimeout>
       clear aaa-server [<tag>]
       [no] aaa-server radius-authport [<auth_port>]
       [no] aaa-server radius-acctport [<acct_port>]

PixFirewall(config)# clear aaa-server
you must remove all AAA corresponding entries prior to
remove the last server in group

PixFirewall(config)#
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 125 total points
ID: 17902382
Wow, I think a reload of the router is in order.  Try removing after a reload.
0
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 17902464
K. Will do. But it will have to be after hours because this PIX is also my DHCP at the moment. Thanks for all the help.
0
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 17919657
Hey man, thanks for the advice. I just wanted to make sure there wasn't anything else I could do before a reboot. Have a good'n.
0
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 17919659
Weird why a PIX would do that... wonder if it's happened to anyone else...
0
 

Expert Comment

by:hecklej
ID: 21904501
I had this same problem and I had to run the following command before I could get rid of the aaa-servers:
no crypto map outside_map client authentication BSTVPN (or the name of your policy)
Hope this helps.
0
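The dependency the thread runs into is an ordering problem: the PIX refuses to drop the last host of an aaa-server group while some other line (an `aaa authentication` statement, or the `crypto map ... client authentication` line hecklej found) still names the group, and it refuses the `protocol` line while any server in the group still exists, whereas `max-failed-attempts` and `deadtime` come out at any time. The script below is an added example, not code from this thread or from Cisco: it parses a saved running-config, lists every line outside the group's own definitions that names the tag, and emits the `no ...` commands in an order that honours those dependencies. The config fragment it runs against is constructed for the example, modelled on the one posted above, and the classification of reference lines (any non-`aaa-server` line that contains the tag as a whole token) is an assumption of the script.

```python
from typing import List

# Constructed sample, modelled on the running-config posted in the thread
# (not the poster's actual config): the BSTVPN group is still referenced
# by a crypto map client-authentication line.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server BSTVPN protocol tacacs+
aaa-server BSTVPN max-failed-attempts 3
aaa-server BSTVPN deadtime 10
aaa-server BSTVPN (inside) host 192.168.10.1 brainstate timeout 10
crypto map outside_map client authentication BSTVPN
aaa authentication ssh console LOCAL
"""


def _lines(config: str) -> List[str]:
    """Split a config dump into non-empty lines, dropping ': Saved' style
    comment lines and '<--- More --->' pager residue from a pasted capture."""
    out = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(":") or line.startswith("<---"):
            continue
        out.append(line)
    return out


def group_lines(config: str, tag: str) -> List[str]:
    """All 'aaa-server <tag> ...' definition lines for the group, in config order."""
    return [l for l in _lines(config) if l.split()[:2] == ["aaa-server", tag]]


def find_group_references(config: str, tag: str) -> List[str]:
    """Lines outside the group's own definitions that name the tag as a whole token.

    These are the 'corresponding entries' the PIX wants removed before the
    last host in the group can go (aaa authentication/authorization/accounting
    lines, crypto map client-authentication lines, and anything else citing
    the tag). Whole-token matching is an assumption of this script, chosen so
    that a tag like 'RADIUS' does not match inside 'radius-authport'.
    """
    refs = []
    for line in _lines(config):
        tokens = line.split()
        if tokens[:1] == ["aaa-server"]:
            continue  # the group's own definition, not a reference
        if tag in tokens:
            refs.append(line)
    return refs


def removal_plan(config: str, tag: str) -> List[str]:
    """Ordered 'no ...' commands that respect the dependencies seen in the thread.

    Order: references first, then host entries, then per-group tuning
    (max-failed-attempts, deadtime), and the protocol line last, because the
    PIX rejects it with 'AAA servers configured! cannot remove server_tag'
    while any server in the group still exists.
    """
    plan = ["no " + ref for ref in find_group_references(config, tag)]
    hosts, tuning, protocol = [], [], []
    for line in group_lines(config, tag):
        tokens = line.split()
        kind = tokens[2] if len(tokens) > 2 else ""
        if kind == "protocol":
            protocol.append(line)
        elif "host" in tokens:
            hosts.append(line)
        else:
            tuning.append(line)
    plan += ["no " + l for l in hosts + tuning + protocol]
    return plan


if __name__ == "__main__":
    tag = "BSTVPN"
    print(f"References blocking removal of {tag}:")
    for ref in find_group_references(SAMPLE_CONFIG, tag):
        print("  " + ref)
    print(f"\nRemoval order for {tag}:")
    for cmd in removal_plan(SAMPLE_CONFIG, tag):
        print("  " + cmd)
```

Run it against `show run` output saved to a file and it reports what still points at the group before you touch the box; if the reference list is empty and the device still refuses, that is the state the thread ended in, where only a reload cleared it.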
