cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


186
Views
10
Helpful
3
Replies
Beginner

TACACs configuration on asa

Dear all,

 

We have ASA firewall which we have admin access (ssh and asdm) via TACACS+ servers in ISE (10.7.1.17, 10.7.1.18)

 

We configured the following on the ASA:

Tacacs1.PNGTACACS+-2.PNG

 

Today we performed an upgrade on the ISE and we rebooted the 10.7.1.17, for around 6 minutes we could not access the ASA and for admins who are already logged in, whatever cmd we type, we get authorisation failed.

it seems that the ASA did not failover to 10.7.1.18,

In the Tacacs server group the timer is 10 minutes x 3 fail attempt = 30 minutes

But in individual tacacs config it is 10 sec.

 

The question is which parameter the ASA use to shift to the secondary tacacs server?

30 minutes or 10 seconds?

I would really appreciate if also someone also can advise on the recommended configuration.

 

Thnak you in advance

 

3 REPLIES 3
Highlighted
Hall of Fame Guru

Re: TACACs configuration on asa

The AAA server group should have gone ahead and tried the next server in the group when the first one was marked inactive (i.e. after 3 x 10 seconds). The 10 minutes timeout for the AAA server group governs the use of the fallback AAA method as opposed to the individual servers within the group. Those follow the server timeout setting.

 

Did you observe any TACACS+ requests for 10.7.1.18 in the TACACS+ live log during the failure period?

 

Here's an explanation of the modes FYI:

 

 Depletion Mode: This is the default mode used by ASA. In this mode, when a server is unresponsive, it is marked as inactive. It remains inactive until all servers in the group are marked inactive. When this happens, a configurable timer, 10 minutes by default, is started. During this time, the fallback method is used by all requests. At the end of the configured time, all servers in the group are marked active and ASA tries to contact the servers for new requests. If the servers are still unresponsive, the cycle is repeated.

 Timed Mode: In this mode, unresponsive servers are marked inactive for a period of 30 seconds. After this period, they are marked active and new requests can be sent to the servers. If the server is still unresponsive, then the 30 second cycle is repeated.

Beginner

Re: TACACs configuration on asa

Hello Marvin,

 

Many thanks for the explanation,the weird thing is that we did not receive any TACACS+ request on 10.7.1.18 during the failure.

Which mode would you recommend to use, Depletion or timed?

 

 

 

Hall of Fame Guru

Re: TACACs configuration on asa

You're welcome.

Depletion is the default setting and it suffices for most customers' deployments.

It's hard to say why the ASA didn't try to use the second server in the group. I'd test it again in a controlled scenario to validate, possibly running some packet captures or debugs as necessary.

You may want to check your ASA software version for any known bugs and open a TAC case if you want a second pair of eyes on it.