On a RHEL5.3 box I have my /etc/pam.d/system-auth file just like yours above, however even when a user, say usera, logs in successfully via ssh, faillog shows an incremented login failure count.
However if I login with another user, say userb (which will now have a failed login attempt even though login was successful just like usera above), and then su to usera, faillog will clear out any and all failed login attempts for usera.
It appears su will reset the account after a successful login attempt while using ssh does not. Any suggestions for getting ssh to interact with pam_tally successfully?
[SOLVED]
Not using openssh. Using Reflections for Secure IT SSH. Either it doesnt work properly with pam_tally.so or I have not configured it correctly. However the sytem-auth file provided works with openssh.

I still can’t get my configuration working with openssh and pam_tally. I have it locking ok, but it will not reset on successful login. The latest version does not have the “reset” option as above, and instead should do it by default, and only has a “no_reset” option.
Worse, when a user logs in successfully, it increments the failed attempts each time! So even with successful logins they user will eventually be locked out!