https://live.paloaltonetworks.com/t5/next-generation-firewall/firewall-ssh-the-login-succeeds-with-tacacs-account-but-there-is/m-p/1252505#M6855 <P>I created a TAC case and these commands solved it and they came from TAC engineer.&nbsp;</P> <P>&nbsp;</P> Mon, 20 Apr 2026 06:23:05 GMT J.Klasa 2026-04-20T06:23:05Z https://live.paloaltonetworks.com/t5/next-generation-firewall/firewall-ssh-the-login-succeeds-with-tacacs-account-but-there-is/m-p/585693#M3103 <P>Hello, everyone.</P> <P>&nbsp;</P> <P><SPAN>Firewall has OS of 10.2.4-H2.</SPAN></P> <P>&nbsp;</P> <P>When TACACS account to connect to Firewall SSH, the login succeeds, but there is an issue that closes the session immediately.</P> <P>&nbsp;</P> <P>In Firewall System-log, authentication and authorization were successful and it was confirmed that the Superuser role was granted..</P> <P>&nbsp;</P> <P>However, a "create-admin-acct-error" log with Critical Severity is created. - "Failed to create local user account for admin user: username" in system-log.</P> <P>&nbsp;</P> <P>WEB GUI is connected normally, but only SSH Session issues.</P> <P>&nbsp;</P> <P>the log was generated as below in TSF File syslog-system.</P> <P>&nbsp;</P> <P>sshd[13371]: error: PAM: User account has expired for [username] from [IP].</P> <P>&nbsp;</P> <P>HA Peer device doesn't have this issue at all. It happens only on this firewall.</P> <P>&nbsp;</P> <P>Is there any way to solve?</P> Fri, 03 May 2024 01:04:03 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/firewall-ssh-the-login-succeeds-with-tacacs-account-but-there-is/m-p/585693#M3103 hbshin 2024-05-03T01:04:03Z https://live.paloaltonetworks.com/t5/next-generation-firewall/firewall-ssh-the-login-succeeds-with-tacacs-account-but-there-is/m-p/1252114#M6839 <P>You can try these commands if you haven't already solved I guess since it's an old post but I hade the exact same issue.&nbsp;<BR /><BR />&gt; Remove Lock Files: delete authentication system-lock-files<BR />&gt; Restart the Authentication Daemon: debug software restart process authd<BR /><BR /><BR /></P> Mon, 13 Apr 2026 20:24:51 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/firewall-ssh-the-login-succeeds-with-tacacs-account-but-there-is/m-p/1252114#M6839 J.Klasa 2026-04-13T20:24:51Z https://live.paloaltonetworks.com/t5/next-generation-firewall/firewall-ssh-the-login-succeeds-with-tacacs-account-but-there-is/m-p/1252315#M6847 <P>Check the local admin account as it seems flaged as expired, additionally, you can clear cache by command "debug authentication clear-cache all".</P><P>Finally if the issue not resolved, you can try restart the management plane "debug software restart process management-server".</P><P>On the other hand, could check you panos release as some of them has a known bug in TACACS authentication.</P> Thu, 16 Apr 2026 11:00:24 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/firewall-ssh-the-login-succeeds-with-tacacs-account-but-there-is/m-p/1252315#M6847 abayoumi21 2026-04-16T11:00:24Z https://live.paloaltonetworks.com/t5/next-generation-firewall/firewall-ssh-the-login-succeeds-with-tacacs-account-but-there-is/m-p/1252505#M6855 <P>I created a TAC case and these commands solved it and they came from TAC engineer.&nbsp;</P> <P>&nbsp;</P> Mon, 20 Apr 2026 06:23:05 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/firewall-ssh-the-login-succeeds-with-tacacs-account-but-there-is/m-p/1252505#M6855 J.Klasa 2026-04-20T06:23:05Z