This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

SSH and console login blocked

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SSH and console login blocked

ceapen01
L2 Linker

‎11-23-2023 01:34 AM

cannot login to Palo Alto SSH and console using super admi user. From console it shows error = "user not known to the underlying authentication module"

From SSH it shows error - " Access Denied".

SSH screenshot attached.

FWSSH.jpg

0 Likes Likes
8 REPLIES 8

akuzhuppilly
L4 Transporter

‎11-23-2023 07:54 PM

Hello @ceapen01 

The account you used is 'admin2'.

Is this a valid superuser account present in the firewall?

Do you have any other accounts to log in? If so, please check the system logs and authd logs.

 

Anoopkumar
Network Security Engineer
0 Likes Likes

ceapen01
L2 Linker
In response to akuzhuppilly

‎11-23-2023 09:21 PM

admin or admin2, which ever super admin user result is the same.

0 Likes Likes

akuzhuppilly
L4 Transporter

‎11-23-2023 09:33 PM

Hello @ceapen01 

Here are a few other options you can try:

  1. If the firewall is connected to Panorama, attempt to create a new admin account from Panorama and push it to the firewall.

  2. If the firewall is in High Availability (HA) and you can log in to one firewall in the HA pair, create a local account, and synchronize the configuration.

If there is no other way to log in to the firewall, you may need to perform a factory reset, as explained in the following KB: 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClK2CAK

Anoopkumar
Network Security Engineer

ceapen01
L2 Linker
In response to akuzhuppilly

‎11-23-2023 11:27 PM

Firewall is not connected to panorama. We tried creating local user from secondary firewall, still no luck.

0 Likes Likes

akuzhuppilly
L4 Transporter

‎11-26-2023 09:55 PM

So, you mean to say you are able to connect to the Passive FW?

What does the config sync status show in the HA details?

If you are making a change on the Passive FW (such as creating a new local account), you will need to sync the config (if it's not already in sync) from Passive to Active.

 

Anoopkumar
Network Security Engineer
0 Likes Likes

BlairTurner
L0 Member

‎11-27-2023 12:41 AM

The error message indicates the user is not recognized by the authentication module.

rmfalconer
L5 Sessionator

‎11-27-2023 09:05 AM

Do you have these accounts set with Role Based access? 

0 Likes Likes

ceapen01
L2 Linker
In response to akuzhuppilly

‎11-28-2023 02:26 AM

the config is getting synced successful, but cannot login to primary firewall CLI using any admin credentials.

0 Likes Likes
  • 1952 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks