https://community.cisco.com/t5/network-access-control/aaa-server-on-asa-asynchronous-routing/m-p/2761500#M56953 <P>Hi Guys,</P><P>&nbsp;</P><P>Wondering if anyone can help me. &nbsp;I&nbsp;have an ASA setup with an AAA server to authenticate users authenticating with the ASA, the RADIUS server is located off the ASA on another network and to get to it the AAA server&nbsp;it routes the request out the access interface. &nbsp;The issue is that we have put in a leasedline which now acts as the primary route to get to the AAA server, so i have had to manually change the interface which the AAA request is sourced from and also change a route back on the router which hosts the AAA server to avoid asynchronous routing.</P><P>&nbsp;</P><P>Obviously there re now 2 paths to get to the AAA server and i have to manually set an outgoing interface against one of them, so if the primary link fails and the request is sourced from the primary interface but is routed out the backup, then the ASA will drop the packet when it comes back.</P><P>&nbsp;</P><P>I can only add one server within an AAA group with the same IP as i was going to add 2 servers with the same ip with two different outgoing interfaces but it does not work.</P><P>Is there a way to get this to work? &nbsp;maybe turn off asynchronous routing somehow just for this AAA server? &nbsp;</P><P>&nbsp;</P><P>Could anybody tell me how i can get this to work?</P><P>&nbsp;</P><P>Thanks!</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 11 Mar 2019 06:11:19 GMT Matthew burnley 2019-03-11T06:11:19Z https://community.cisco.com/t5/network-access-control/aaa-server-on-asa-asynchronous-routing/m-p/2761500#M56953 <P>Hi Guys,</P><P>&nbsp;</P><P>Wondering if anyone can help me. &nbsp;I&nbsp;have an ASA setup with an AAA server to authenticate users authenticating with the ASA, the RADIUS server is located off the ASA on another network and to get to it the AAA server&nbsp;it routes the request out the access interface. &nbsp;The issue is that we have put in a leasedline which now acts as the primary route to get to the AAA server, so i have had to manually change the interface which the AAA request is sourced from and also change a route back on the router which hosts the AAA server to avoid asynchronous routing.</P><P>&nbsp;</P><P>Obviously there re now 2 paths to get to the AAA server and i have to manually set an outgoing interface against one of them, so if the primary link fails and the request is sourced from the primary interface but is routed out the backup, then the ASA will drop the packet when it comes back.</P><P>&nbsp;</P><P>I can only add one server within an AAA group with the same IP as i was going to add 2 servers with the same ip with two different outgoing interfaces but it does not work.</P><P>Is there a way to get this to work? &nbsp;maybe turn off asynchronous routing somehow just for this AAA server? &nbsp;</P><P>&nbsp;</P><P>Could anybody tell me how i can get this to work?</P><P>&nbsp;</P><P>Thanks!</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 11 Mar 2019 06:11:19 GMT https://community.cisco.com/t5/network-access-control/aaa-server-on-asa-asynchronous-routing/m-p/2761500#M56953 Matthew burnley 2019-03-11T06:11:19Z https://community.cisco.com/t5/network-access-control/aaa-server-on-asa-asynchronous-routing/m-p/2761501#M56954 <P>Hi Matt ,&nbsp;</P><P>You can try to apply a TCP-bypass to this traffic to allow the AAA server reply &nbsp;in a different ASa interface where it was sourced.&nbsp;</P><P>Check examples below</P><P><A href="http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html" target="_blank">http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html</A></P><P>Hope it helps</P><P>-Randy-</P> Tue, 27 Oct 2015 05:21:18 GMT https://community.cisco.com/t5/network-access-control/aaa-server-on-asa-asynchronous-routing/m-p/2761501#M56954 rvarelac 2015-10-27T05:21:18Z https://community.cisco.com/t5/network-access-control/aaa-server-on-asa-asynchronous-routing/m-p/2761502#M56956 <P>Hi Randy,</P><P>&nbsp;</P><P>I'll have to give the TCP bypass a go.</P><P>&nbsp;</P><P>What happens if i create two AAA groups and put the same server IP &nbsp;in each group but specify different outgoing interfaces for the server?&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 27 Oct 2015 23:17:09 GMT https://community.cisco.com/t5/network-access-control/aaa-server-on-asa-asynchronous-routing/m-p/2761502#M56956 Matthew burnley 2015-10-27T23:17:09Z