We have an ASA firewall to which we have admin access (SSH and ASDM) via TACACS+ servers in ISE (10.7.1.17, 10.7.1.18).
We configured the following on the ASA:
Today we performed an upgrade on ISE and rebooted 10.7.1.17. For around 6 minutes we could not access the ASA, and for admins who were already logged in, whatever command we typed, we got "authorization failed".
It seems that the ASA did not fail over to 10.7.1.18.
In the TACACS server group the timer is 10 minutes x 3 failed attempts = 30 minutes,
but in the individual TACACS server config it is 10 seconds.
The question is: which parameter does the ASA use to shift to the secondary TACACS server?
30 minutes or 10 seconds?
I would really appreciate it if someone could also advise on the recommended configuration.
Thank you in advance
The AAA server group should have gone ahead and tried the next server in the group when the first one was marked inactive (i.e. after 3 x 10 seconds). The 10-minute timeout for the AAA server group governs the use of the fallback AAA method, as opposed to the individual servers within the group; those follow the server timeout setting.
Did you observe any TACACS+ requests for 10.7.1.18 in the TACACS+ live log during the failure period?
Here's an explanation of the modes, FYI:
• Depletion Mode: This is the default mode used by the ASA. In this mode, when a server is unresponsive, it is marked as inactive. It remains inactive until all servers in the group are marked inactive. When this happens, a configurable timer, 10 minutes by default, is started. During this time, the fallback method is used by all requests. At the end of the configured time, all servers in the group are marked active and the ASA tries to contact the servers for new requests. If the servers are still unresponsive, the cycle is repeated.
• Timed Mode: In this mode, unresponsive servers are marked inactive for a period of 30 seconds. After this period, they are marked active and new requests can be sent to the servers. If the server is still unresponsive, then the 30-second cycle is repeated.
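The following ASA configuration is an added illustration of the timers described in the answer above; it is not the poster's configuration (which is not shown in the thread) and not part of the original reply. The group name ISE-TACACS, the interface name, the shared secret placeholder and the local account are assumptions.

```text
! Added example (not the poster's configuration). Names, interface,
! key and local account are assumptions.

! Server group: these settings decide when a server is declared dead and,
! once EVERY server in the group is dead, how long the group stays dead
! before its servers are retried (deadtime, in minutes). During that
! dead time the fallback method (LOCAL below) answers all requests.
aaa-server ISE-TACACS protocol tacacs+
 reactivation-mode depletion deadtime 10
 max-failed-attempts 3

! Per-server: how long one request waits before it counts as a failure.
! 3 failures x 10 seconds = the server is marked inactive after roughly
! 30 seconds and the next server in the group is used. The 10-minute
! deadtime plays no part in that transition.
aaa-server ISE-TACACS (inside) host 10.7.1.17
 key <shared-secret>
 timeout 10
aaa-server ISE-TACACS (inside) host 10.7.1.18
 key <shared-secret>
 timeout 10

! Management AAA with LOCAL fallback so admins keep access while the whole
! group is marked dead. A local privilege-15 account must exist for the
! fallback to be usable (hypothetical account below).
username localadmin password <strong-password> privilege 15
aaa authentication ssh console ISE-TACACS LOCAL
aaa authentication http console ISE-TACACS LOCAL
aaa authentication enable console ISE-TACACS LOCAL
aaa authorization command ISE-TACACS LOCAL
aaa accounting command ISE-TACACS
```

Two practical points follow from the timers. First, with `max-failed-attempts 3` and `timeout 10` the primary should be abandoned after about 30 seconds, so a 6-minute outage with no requests reaching the secondary points at something other than the configured timers. Second, when LOCAL is the fallback for `aaa authorization command`, the ASA evaluates commands against the local user's privilege level, so a session whose TACACS+ username has no matching local account will see command authorization fail during the dead time even though the fallback is configured.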
Many thanks for the explanation. The weird thing is that we did not receive any TACACS+ request on 10.7.1.18 during the failure.
Which mode would you recommend using, Depletion or Timed?
Depletion is the default setting and it suffices for most customers' deployments.
It's hard to say why the ASA didn't try to use the second server in the group. I'd test it again in a controlled scenario to validate, possibly running some packet captures or debugs as necessary.
You may want to check your ASA software version for any known bugs and open a TAC case if you want a second pair of eyes on it.
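For the controlled re-test suggested above, the following ASA commands are an added example of what to collect while the primary server is down; they are not from the thread, and the group name ISE-TACACS, the interface name and the test credentials are assumptions.

```text
! Added example of checks for a controlled re-test (not from the thread).
! Group name, interface and credentials are assumptions.

! Per-server status (ACTIVE / FAILED) and the request and failure counters.
! Watch whether 10.7.1.17 ever flips to FAILED and whether 10.7.1.18
! accumulates any requests while the primary is down.
show aaa-server ISE-TACACS

! Send a test request directly at the secondary, bypassing the group
! logic, to confirm the ASA can reach it and that ISE logs the attempt.
test aaa-server authentication ISE-TACACS host 10.7.1.18 username <user> password <pass>

! Capture TACACS+ (TCP/49) toward each server. If the second capture never
! shows a SYN to 10.7.1.18 while the first shows unanswered attempts to
! 10.7.1.17, the ASA is not moving to the next server.
capture tac-primary interface inside match tcp any host 10.7.1.17 eq 49
capture tac-secondary interface inside match tcp any host 10.7.1.18 eq 49
show capture tac-primary
show capture tac-secondary

! Server-selection and transaction detail if the captures are inconclusive.
! Remove the captures and debugging when the test is finished.
debug tacacs
no capture tac-primary
no capture tac-secondary
undebug all
```

The `test aaa-server` result and the ISE TACACS+ live log answer the question asked earlier in the thread (whether any request ever reached 10.7.1.18), and the `show aaa-server` counters together with the captures separate a server that was never tried from one that was tried and timed out.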