https://community.cisco.com/t5/network-security/cisco-asa-aaa-timeout/m-p/4544795#M1087037 <P>test aaa-server authentication tacacs username teszt password meme<BR />Server IP Address or name: 10.1.1.1<BR />INFO: Attempting Authentication test to IP address (1.1.1.1) (timeout: 10 seconds)<BR />INFO: Authentication Successful</P><P>--------</P><P>but&nbsp;</P><P>ssh -l teszt 10.0.1.70<BR />teszt@10.0.1.70's password:<BR />Permission denied, please try again.<BR />teszt@10.0.1.70's password:</P><P>--------------------------------------------</P><P>after few minutes works well again</P><P>&nbsp;</P><P>teszt@10.0.1.70's password:<BR />User teszt logged in to f-pe1-13<BR />Logins over the last 2 days: 10. Last login: 12:50:13 CEST Feb 3 2022 from console<BR />Failed logins since the last login: 0. Last failed login: 10:22:28 CEST Feb 3 2022 from 10.0.2.4<BR />Type help or '?' for a list of available commands.<BR />asa&gt;</P><P>------------------------------</P><P>&nbsp;</P><P>my problem is the that the fallback time slow</P><P>tacacs to Local change 3 second, but Local to tacacs five minutes&nbsp;</P> Thu, 03 Feb 2022 13:43:50 GMT tothz 2022-02-03T13:43:50Z https://community.cisco.com/t5/network-security/cisco-asa-aaa-timeout/m-p/4544735#M1087034 <P>Hi everybody</P><P>&nbsp;</P><P>I have operate Cisco asa 5506 with aaa settings. I use linux tac_plus server.</P><P>It semms to be work well, but very slow.&nbsp;</P><P>If I stop tacacs server the login stop inmedietly&nbsp; with tacacs user, and I can login with local user. Nice.</P><P>If I start again tacacs server I can not login with tacacs user . <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span>&nbsp;&nbsp;It looks like asa is still using the local database.</P><P>asa aaa config</P><P>aaa-server tacacs protocol tacacs+<BR />reactivation-mode depletion deadtime 1<BR />aaa-server tacacs (inside) host 1.1.1.1<BR />timeout 5<BR />key *****<BR />user-identity default-domain LOCAL<BR />aaa authentication http console tacacs LOCAL<BR />aaa authentication ssh console tacacs LOCAL<BR />aaa authentication enable console tacacs LOCAL<BR />aaa authentication serial console tacacs LOCAL<BR />aaa authorization command tacacs LOCAL<BR />aaa accounting command tacacs<BR />aaa accounting enable console tacacs<BR />aaa accounting ssh console tacacs<BR />aaa accounting serial console tacacs<BR />aaa local authentication attempts max-fail 5<BR />aaa authentication login-history</P><P>&nbsp;&nbsp;</P><P>Any idea ?&nbsp;</P> Thu, 03 Feb 2022 12:05:27 GMT https://community.cisco.com/t5/network-security/cisco-asa-aaa-timeout/m-p/4544735#M1087034 tothz 2022-02-03T12:05:27Z https://community.cisco.com/t5/network-security/cisco-asa-aaa-timeout/m-p/4544743#M1087035 <P>what is the ASA IP adress, do you have good connection betweeen ASA and Linux ?</P> <PRE>I can login with local user</PRE> <P>this shows its fall back to local, what Logs you see on Linux ?</P> <P>&nbsp;</P> Thu, 03 Feb 2022 12:28:41 GMT https://community.cisco.com/t5/network-security/cisco-asa-aaa-timeout/m-p/4544743#M1087035 balaji.bandi 2022-02-03T12:28:41Z https://community.cisco.com/t5/network-security/cisco-asa-aaa-timeout/m-p/4544748#M1087036 <P>Is the ASA able to reach to the t+ server? Have you attempted to run a packet trace to ensure routes/acls are good? Try this from cli: #test aaa-server authentication/authorization &lt;group_name&gt; username &lt;username&gt; password &lt;pass&gt;</P> <P>What are the results?</P> Thu, 03 Feb 2022 12:36:48 GMT https://community.cisco.com/t5/network-security/cisco-asa-aaa-timeout/m-p/4544748#M1087036 Mike.Cifelli 2022-02-03T12:36:48Z https://community.cisco.com/t5/network-security/cisco-asa-aaa-timeout/m-p/4544795#M1087037 <P>test aaa-server authentication tacacs username teszt password meme<BR />Server IP Address or name: 10.1.1.1<BR />INFO: Attempting Authentication test to IP address (1.1.1.1) (timeout: 10 seconds)<BR />INFO: Authentication Successful</P><P>--------</P><P>but&nbsp;</P><P>ssh -l teszt 10.0.1.70<BR />teszt@10.0.1.70's password:<BR />Permission denied, please try again.<BR />teszt@10.0.1.70's password:</P><P>--------------------------------------------</P><P>after few minutes works well again</P><P>&nbsp;</P><P>teszt@10.0.1.70's password:<BR />User teszt logged in to f-pe1-13<BR />Logins over the last 2 days: 10. Last login: 12:50:13 CEST Feb 3 2022 from console<BR />Failed logins since the last login: 0. Last failed login: 10:22:28 CEST Feb 3 2022 from 10.0.2.4<BR />Type help or '?' for a list of available commands.<BR />asa&gt;</P><P>------------------------------</P><P>&nbsp;</P><P>my problem is the that the fallback time slow</P><P>tacacs to Local change 3 second, but Local to tacacs five minutes&nbsp;</P> Thu, 03 Feb 2022 13:43:50 GMT https://community.cisco.com/t5/network-security/cisco-asa-aaa-timeout/m-p/4544795#M1087037 tothz 2022-02-03T13:43:50Z