...
• Install SMU for FN 72292 running 9.3.8

    SW03# install add bootflash:nxos.CSCwa04181-n9k_ALL-1.0.0-9.3.8.lib32_n9000.rpm activate
    Adding the patch (/nxos.CSCwa04181-n9k_ALL-1.0.0-9.3.8.lib32_n9000.rpm)
    [####################] 100%
    Install operation 1 completed successfully at Mon Dec 18 19:38:00 2023

    Activating the patch (/nxos.CSCwa04181-n9k_ALL-1.0.0-9.3.8.lib32_n9000.rpm)
    ======================================================
    !!!WARNING!! there is unsaved configuration!!!
    This is a reload patch and system will be reloaded if you proceed with patch operation.
    =======================================================
    Do you want to continue (y/n)?: [n] y

• After reload from the SMU the tacacs-server key is missing in running-config.

    SW03# sh run tacacs+
    feature tacacs+
    logging level tacacs 7
    ip tacacs source-interface Vlan1100 <--------------- Issue reproduced
    tacacs-server host 10.10.10.x
    aaa group server tacacs+ TACACS+
        server 10.10.10.x

• The TACACS key is still present in DME config. Even though DME config contains the TACACS key, there is still no access to the switch.

    SW03# show system internal dme running-config dn sys/userext/tacacsext
    {
      "aaaTacacsPlusEp": {
        "attributes": {
          "key": "ABCDEF", <--------------- Key in DME matches the TACACS key from prior to the SMU
          "keyEnc": "7",
          "loggingLevel": "Debug",
          "srcIf": "vlan1100"
        },

• Bootflash size confirms the SMU worked

    SW03# dir | i byte
    2320461824 bytes used
    7866302464 bytes free
    10186764288 bytes total <--------------- SMU worked

HW: N9K-C92348GC-X
SW: 9.3(8)

Pre SMU TACACS Config

Lab switch started out with only 4G in bootflash, which confirms it is impacted by FN 72292.

Least disruptive workaround: apply a "fake" key, then re-apply the original key:

    SW03# conf
    SW03(config)# tacacs-server key 7 "FakeKey"
    SW03(config)#
    SW03(config)#
    SW03(config)# tacacs-server key 7 "ABCDEF"
    SW03(config)# end
    SW03#
    SW03# sh run tacacs+
    feature tacacs+
    logging level tacacs 7
    tacacs-server key 7 "ABCDEF" <---------- Original TACACS key is back in the running config and access is restored.
    ip tacacs source-interface Vlan1100
    tacacs-server host 10.10.10.x
    aaa group server tacacs+ TACACS+
        server 10.10.10.x
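
A post-reload check for the state reproduced above, added here as an example (not part of the original page and not Cisco tooling): it compares the global "tacacs-server key" line from "sh run tacacs+" with the key held in the DME object. The sample texts are constructed from the outputs on this page, the function names are hypothetical, and the parser assumes the DME command output has been saved as one complete JSON object and that the switch uses a global key rather than per-host keys.

```python
import json
import re

# Constructed samples modelled on the outputs shown on this page (not device captures).
RUN_AFTER_SMU = """\
feature tacacs+
logging level tacacs 7
ip tacacs source-interface Vlan1100
tacacs-server host 10.10.10.x
aaa group server tacacs+ TACACS+
    server 10.10.10.x
"""
RUN_AFTER_WORKAROUND = RUN_AFTER_SMU.replace(
    "logging level tacacs 7\n",
    'logging level tacacs 7\ntacacs-server key 7 "ABCDEF"\n')
DME_JSON = json.dumps({"aaaTacacsPlusEp": {"attributes": {
    "key": "ABCDEF", "keyEnc": "7", "loggingLevel": "Debug", "srcIf": "vlan1100"}}})

# Global key line only; 'tacacs-server host ...' lines must not match.
KEY_RE = re.compile(r'^tacacs-server key (\d+) "?([^"\s]+)"?\s*$', re.M)

def running_key(show_run):
    """Return (enc_type, key) from the global 'tacacs-server key' line, or None."""
    m = KEY_RE.search(show_run)
    return (m.group(1), m.group(2)) if m else None

def dme_key(dme_text):
    """Return (enc_type, key) from the aaaTacacsPlusEp object, or None if unset."""
    attrs = json.loads(dme_text).get("aaaTacacsPlusEp", {}).get("attributes", {})
    return (attrs.get("keyEnc"), attrs["key"]) if attrs.get("key") else None

def check_tacacs_key(show_run, dme_text):
    """Classify the state of the global TACACS+ key after the SMU reload."""
    run, dme = running_key(show_run), dme_key(dme_text)
    if run is None and dme is not None:
        return "MISSING_IN_RUNNING_CONFIG"  # the state reproduced on this page
    if run is None:
        return "NO_KEY_CONFIGURED"
    if dme is not None and run != dme:
        return "MISMATCH"  # e.g. the temporary "fake" key is still applied
    return "OK"

if __name__ == "__main__":
    print("after SMU:       ", check_tacacs_key(RUN_AFTER_SMU, DME_JSON))
    print("after workaround:", check_tacacs_key(RUN_AFTER_WORKAROUND, DME_JSON))
```

A MISMATCH result after the workaround means the temporary key was left in place and the original key still has to be re-applied.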