topic Cisco ASA delay in viewing command output in Network Security

Cisco ASA delay in viewing command output

Majed Al-Masri — Fri, 21 Feb 2020 13:19:38 GMT

Dears,

I am using ASA5520 in active/standby failover... when we connect through console or telnet and write ant "show" command, it is very slow in viewing the output !!!

thanks,

Majed

Hello Majed-Do you by any

nspasov — Tue, 18 Nov 2014 06:09:59 GMT

Hello Majed-

Do you by any chance have aaa configured and your aaa servers are down or not available?

Thank you for rating helpful posts!

Hello Neno, actually yes, the

Majed Al-Masri — Tue, 18 Nov 2014 06:48:24 GMT

Hello Neno,

actually yes, the ASA is configured for AAA.

Through logging monitor logs, the asa recursively states that aaa server failed then it states the aaa server is alive !!!

does that cause any delay in the ASA? and what can be done to avoid this?

In addition, checking the memory and CPU doesn't indicate any high CPU or over utilized memory.

thank you for your help 🙂

regards,

Majed

Yes, this can most likely

nspasov — Tue, 18 Nov 2014 06:51:28 GMT

Yes, this can most likely cause a delay because depending on how the device is configured. Can you post the output of the following command:

show run aaa

Also, what do you use for a AAA server?

Thank you for rating helpful posts!

yes sure, i will send the

Majed Al-Masri — Tue, 18 Nov 2014 06:54:11 GMT

yes sure, i will send the customer to send me the output of the required command and i will share it with you as soon as i get the reply!

regards,

Majed

Hey, here is the

Majed Al-Masri — Tue, 18 Nov 2014 09:05:48 GMT

Hey,

here is the configuration of the aaa:

aaa-server Radius-ACS protocol radius
aaa-server TACACS-ACS protocol tacacs+
aaa-server TACACS-ACS (inside) host 10.163.17.30
key ******
aaa-server TACACS-ACS (inside) host 10.163.17.31
key ******
aaa authentication ssh console TACACS-ACS LOCAL
aaa authentication telnet console TACACS-ACS LOCAL
aaa authentication enable console TACACS-ACS LOCAL
aaa authentication http console TACACS-ACS LOCAL
aaa authentication serial console TACACS-ACS LOCAL
aaa authorization command TACACS-ACS LOCAL
aaa authentication secure-http-client

thanks,

Majed

Ok, so the ASA is configured

nspasov — Wed, 19 Nov 2014 06:52:42 GMT

Ok, so the ASA is configured with AAA, more specifically TACACS+ Moreover, you reported that the AAA server keeps showing up as DOWN and then UP again. I believe that is the root cause of your problem. When you try to execute a command, the ASA is first trying to check against the AAA server and after it times out it references the secondary database, which in your case is the local database. So the eliminate this you can do one of the following:

1. Remove TACACS+ related configs and rely on the local database for authentication and authorization

2. Figure out why the TACACS+ server is unavailable/bouncing

Thank you for rating helpful posts!

hello Neno,regarding the

Majed Al-Masri — Wed, 19 Nov 2014 07:12:16 GMT

hello Neno,

regarding the TACACS+ server, it was configured for other devices in the network and this ASA is removed from the ACS...

now, regarding removing the configuration; i have tried removing only the "aaa authentication telnet console TACACS-ACS LOCAL" command. but as you suggestion, i believe you mean to replace all the aaa commands with only the local database right?

thanks,

Majed

Well that would depend on how

nspasov — Wed, 19 Nov 2014 08:04:33 GMT

Well that would depend on how you would want administrators to authenticate and authorize on the ASA. But yes, removing the TACACS+ reference out of the AAA commands instruct the ASA not to check the ACS server for authentication/authorization. Depending on what version of code you are running, I would recommend consulting the ASA CLI configuration guide:

v8.2

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/access_nw.html

Also, if the ASDM is available and you are more comfortable with it, then I would recommend using it. The ASDM makes it very simple when it comes to configuring such services and from there it is a lot easier to tell the device if it should use tacacs+, local etc

I hope this helps!

Thank you for rating helpful posts!

Hello Neno,thank you very

Majed Al-Masri — Thu, 20 Nov 2014 06:43:29 GMT

Hello Neno,

thank you very much for your help and support. your advice worked with us perfectly and the ASA is now working properly without any delay in viewing the commands 🙂

Problem Description: We were facing delays and very slow response from the ASA to view any output for all show commands!

Analysis (By Neno Spasov): the ASA is configured for AAA authentication/authorization, while the ACS "AAA server" is not configured for ASA! this causes the ASA to check with the AAA each time you type a command but with no response from the ASA, after timeout ASA checks with the local database and view the output

Solution (By Neno Spasov): remove the aaa server commands from the ASA configuration

Thank you again Neno 🙂

kind regards,

Majed