ACS issue with ASA
05-31-2011 10:11 AM - edited 03-10-2019 06:07 PM
Hi all,
This is regarding an AAA login issue on our main internet ASA (5550). We are facing a problem where, sometimes, we are not able to log in with the TACACS username and password.
Due to this issue, sometimes our daily configuration backup is dropping, and the client's security consultants are making noise.
But it works after I reload the primary ACS. We have 2 ACS servers working as primary and secondary.
Can you guys suggest a solution? Below is the config template of the ACS AAA configs.
name 192.168.1.X1 ACS1
name 192.168.1.Y2 ACS2
name 192.168.1.10 ACS (This IP is the ACE TACACS load-balance IP. All client requests reach this IP and the ACE does the load balancing.)
aaa-server ACCT protocol tacacs+
aaa-server ACCT (inside) host ACS1
 key *****
aaa-server ACCT (inside) host ACS2
 key *****
aaa-server AUTH protocol tacacs+
aaa-server AUTH (inside) host ACS
 key *****
aaa authentication telnet console AUTH LOCAL
aaa authentication ssh console AUTH LOCAL
aaa authentication http console AUTH LOCAL
aaa authentication serial console AUTH LOCAL
aaa authentication enable console AUTH LOCAL
aaa authorization command AUTH LOCAL
aaa accounting command AUTH
!
05-31-2011 05:56 PM
Hi,
The configuration seems fine.
Are you saying that the issue is intermittent? If yes, I would ask you to check the failed attempts of the ACS server at the time it fails. If they are being updated, then the issue is not with the ACS. If they are not being updated, collect the package.cab in full logging mode and we will need to find a reason why it is behaving that way. The probability is that the TACACS service might be hanging, hence authentication stalls.
Action plan:
1. Make logging full, i.e. System Configuration > Service Control > Level of logging > Full > Restart.
2. Check the failed attempts of the ACS when authentication fails. If updated, it is not an issue with the ACS.
3. If not updated, collect package.cab and we will have to check the reason for the failure, i.e. System Configuration > Support > Run Support Now.
Hope this helps.
Regards,
Anisha
P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
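Added example (not part of the original thread, and not Cisco code): a Python probe that sends a credential-free TACACS+ authentication START (RFC 8907) to each server and to the load-balanced address, so a service that accepts TCP but never answers can be told apart from one that is down, with a timestamp for each result. The host names are taken from the post's "name" lines and must resolve on the probing host; the key is a placeholder, and the state names ("responding", "no-reply", "unreachable", "unexpected") are this example's own.

```python
import hashlib, os, socket, struct, time

TAC_PORT = 49                                   # TACACS+ over TCP (RFC 8907)
VERSION, AUTHEN, SEQ_START = 0xC0, 0x01, 1      # major 0xC / minor 0, authentication, first packet

def obfuscate(body, session_id, key, seq_no=SEQ_START):
    """XOR body with the RFC 8907 MD5 pseudo-pad; the same call reverses it."""
    seed = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))

def build_start(session_id, key):
    """Authentication START, ASCII login, empty user: no credentials are sent."""
    body = struct.pack("!8B", 1, 1, 1, 1, 0, 0, 0, 0)
    header = struct.pack("!BBBBII", VERSION, AUTHEN, SEQ_START, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key)

def classify(reply, session_id):
    """Turn the first 12 bytes read back into a state."""
    if len(reply) < 12:
        return "no-reply"        # TCP accepted but no TACACS+ header: consistent with a hung service
    ver, typ, seq, _flags, sid, _length = struct.unpack("!BBBBII", reply[:12])
    if ver >> 4 == 0xC and typ == AUTHEN and seq == 2 and sid == session_id:
        return "responding"
    return "unexpected"

def probe(host, key, timeout=5.0):
    session_id = struct.unpack("!I", os.urandom(4))[0]
    try:
        with socket.create_connection((host, TAC_PORT), timeout=timeout) as s:
            s.sendall(build_start(session_id, key))
            try:
                reply = s.recv(12)
            except socket.timeout:
                reply = b""
    except OSError:
        return "unreachable"     # refused, reset or connect timeout
    return classify(reply, session_id)

if __name__ == "__main__":
    # Names from the post's "name" lines; they must resolve on the probing host.
    for host in ("ACS1", "ACS2", "ACS"):
        print(time.strftime("%Y-%m-%d %H:%M:%S"), host, probe(host, b"PLACEHOLDER-KEY"))
```

Run on a schedule, a "no-reply" from one ACS while the other still shows "responding" marks the time window to compare against the failed-attempts report. A server that does not know the probing host as an AAA client may also close the connection without replying, so run it from an address the ACS already accepts.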
06-02-2011 04:42 AM
06-02-2011 09:28 AM
Hi Saji,
This is cool. Please ensure that you give me a timestamp when the issue occurs as well. :-)
Regards,
Anisha
P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
