10-26-2015 02:37 PM - edited 03-10-2019 11:11 PM
Hi Guys,
Wondering if anyone can help me. I have an ASA setup with an AAA server to authenticate users authenticating with the ASA. The RADIUS server is located off the ASA on another network, and to reach the AAA server the ASA routes the request out the access interface. The issue is that we have put in a leased line which now acts as the primary route to get to the AAA server, so I have had to manually change the interface which the AAA request is sourced from and also change a route back on the router which hosts the AAA server to avoid asynchronous routing.
Obviously there are now 2 paths to get to the AAA server and I have to manually set an outgoing interface against one of them, so if the primary link fails and the request is sourced from the primary interface but is routed out the backup, then the ASA will drop the packet when it comes back.
I can only add one server within an AAA group with the same IP, as I was going to add 2 servers with the same IP with two different outgoing interfaces, but it does not work.
Is there a way to get this to work? Maybe turn off asynchronous routing somehow just for this AAA server?
Could anybody tell me how I can get this to work?
Thanks!
10-26-2015 10:21 PM
Hi Matt,
You can try to apply a TCP-bypass to this traffic to allow the AAA server reply to arrive on a different ASA interface from the one where the request was sourced.
Check examples below.
Hope it helps
-Randy-
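An added example of the TCP state bypass configuration Randy is referring to, using the ASA Modular Policy Framework; this is constructed for illustration and is not from the original thread or from Cisco documentation. The addresses (192.0.2.10 for the ASA interface that sources the AAA requests, 198.51.100.20 for the AAA server) and the interface names (leasedline, outside) are placeholders. One caveat a practitioner should know: the tcp-state-bypass option only relaxes state checking for TCP flows, and RADIUS is carried over UDP (1812/1813), so the behaviour should be verified in a lab before relying on it for AAA failover.

```cisco
! Constructed example: placeholder addresses and interface names, not from the thread.
! 192.0.2.10   = ASA interface address used to source the AAA requests
! 198.51.100.20 = RADIUS/AAA server
! leasedline / outside = ASA interface names over which the AAA traffic may travel
!
! 1. Identify the AAA traffic in both directions, and nothing else.
access-list AAA-BYPASS extended permit ip host 192.0.2.10 host 198.51.100.20
access-list AAA-BYPASS extended permit ip host 198.51.100.20 host 192.0.2.10
!
! 2. Match that traffic in a class-map.
class-map AAA-BYPASS-CLASS
 match access-list AAA-BYPASS
!
! 3. Disable TCP state checking for that class only; the global policy is untouched.
policy-map AAA-BYPASS-POLICY
 class AAA-BYPASS-CLASS
  set connection advanced-options tcp-state-bypass
!
! 4. Apply the policy on each interface the AAA traffic may enter or leave.
service-policy AAA-BYPASS-POLICY interface leasedline
service-policy AAA-BYPASS-POLICY interface outside
!
! Verification (from enable mode):
!   show service-policy interface leasedline
!   show conn           (bypassed connections carry the "b" flag)
```

Keep the access-list as narrow as the two hosts involved: state bypass switches off the ASA's TCP sequence and handshake checks for whatever the class matches, so matching any wider range than the AAA exchange weakens inspection for that traffic.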
10-27-2015 04:17 PM
Hi Randy,
I'll have to give the TCP bypass a go.
What happens if I create two AAA groups and put the same server IP in each group but specify different outgoing interfaces for the server?