Hi @aleksandar.astardzhiev

Thanks for your support.

I had raised the case with Palo Alto TAC. The TAC engineer took root access of the firewall by using the below commands:

>debug tac-login challenge (Received an output and the TAC engineer copied it)
>debug tac-login response (After that, entered the response generated for the above challenge)

After that, the engineer deleted the user name from the password change database of both (active and passive) PA firewalls.

Please find the PA TAC call summary for more details.

=================================================
Thanks for your time on call. A quick recap of the zoom meeting :

1. Firewall was prompting for password change for TACACS user "ITsupport". In the past, you had the same local username on the firewall which is now deleted.

2. We took root access of the firewall and removed the below problematic usernames from lastpwchange & pwchangerequired SQL database.

#Troubleshooting commands:
[root@yyyy~]# sqlite3 /opt/pancfg/mgmt/global/db/loginhistory.db
SQLite version 3.6.12
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .schema
CREATE TABLE gracelogin(name varchar, start datetime, count integer);
CREATE TABLE lastpwchange(name varchar, dt datetime);
CREATE TABLE loginhistory(name varchar, dt datetime, status integer, client varchar);
CREATE TABLE pwchangerequired(name varchar, pwchanged integer);
sqlite>
sqlite> select * from lastpwchange;
sqlite> delete from lastpwchange where name='xxxx';
sqlite> select * from pwchangerequired;
sqlite> delete from pwchangerequired where name='xxxx';
sqlite> .quit
:
[root@yyyy~]# exit
logout

3. After the above changes we were able to log in to the Active firewall with "ITsupport" TACACS account. Repeated same process for passive firewall.

Per your confirmation, this ticket will now be closed. It was my pleasure assisting you with this case.

After that, the issue has been resolved. The TACACS user was successfully able to log in to the PA firewall.
================================================