710 Views, 0 Helpful, 4 Replies

ASA5510 and ACS issue

tahequivoice
Level 2

For some odd reason we have one cluster of ASAs lose connectivity with ACS. Sometimes we can log in using our TACACS account, other times local, but what is most annoying:

Fallback authorization. Username '' not in LOCAL database
Command authorization failed

Mid-stream working on the ASA, boom, lost connectivity. The ACS is external on a public network, and on the same physical network as the firewalls. I can ping the ACS server from the ASA when it is "down" too, so I know it isn't a routing problem. What is even worse, my user name is 3 characters long, and the minimum is 4 on the local database. GRRR.

Cisco Adaptive Security Appliance Software Version 8.0(4)33

ACS v4.2

4 Replies

andamani
Cisco Employee

Hi,

Not quite sure how you can ping the ACS from the ASA when the ACS is down. Can you check the ARP entry and ensure that the correct ACS is replying to the ping?

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is answered. Do rate helpful posts.

AHA, now you see my dilemma! The ACS is not down. It is our master ACS, the only one we use, and we use it for all our customer routers and firewalls that we maintain. It is also the RADIUS server for the VPN connections we use to maintain devices behind their firewalls. We can VPN into the same ASA without any issues, but TACACS fades in and out, and that includes devices behind the ASA that authenticate to the same ACS but use the firewall IP as the client IP. There are no routing issues, otherwise RADIUS would also suffer.

I don't have this problem with any other ASA, and there are plenty of them we maintain. Could it be a possible bug in the code?

Hmm, so I guess the issue is only with TACACS. Are all the devices using TACACS affected at the same time?

What are you using, ACS Windows or Appliance? From the description it looks like the TACACS service is dying.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Again, this is why it is funky: the services on ACS are fine. I can log in to all the other devices, even those 1000 miles away, just fine. Only the ASA cluster is affected, and it is the cluster; the standby unit has the same issue. The only devices affected are the ASAs and the routers and switches behind it that use the IP of the ASA as a client. The thing is, if you are logged in via the ACS, you can work on it as long as it is connecting, then you get locked out because you don't have a local user account, and if you logged in via a local user, you get command authorization failures because the local account doesn't exist on ACS. Gets old quickly when you are trying to work on a VPN and have to flip back and forth between the two logins.