remote AAA server access issues

west33637
Level 1

Hello all. I can ping and trace to this TACACS server, but I can't get it to authenticate my telnet users. I configured local AAA fallback so it tries the remote server several times and then falls back to the local TACACS. I noticed the logs show TCP FINs. Does that indicate that I am actually reaching the remote server but the server is sending me TCP FINs, or is the server just not accessible as the logs indicate? Why would the server not be accessible if I can ping and trace to it?

I also verified from the NOC that the extranet firewall was accepting my traffic through to the TACACS server. They captured the logs showing that my traffic was being accepted.


Feb 04 2011 13:04:12: %ASA-7-609001: Built local-host inside:AAA_SERVER
Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24726 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/28055 (17.2.2.2/28055)
Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server =  AAA_SERVER : user = vzz19
Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24727 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/32029 (17.2.2.2/32029)
Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24726 for inside:AAA_SERVER/49 to identity:17.2.2.2/28055 duration 0:00:00 bytes 41 TCP FINs
Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server =  AAA_SERVER : user = vzz19
Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24728 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/39039 (17.2.2.2/39039)
Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24727 for inside:AAA_SERVER/49 to identity:17.2.2.2/32029 duration 0:00:00 bytes 41 TCP FINs
Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server =  AAA_SERVER : user = vzz19
Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24729 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/33702 (17.2.2.2/33702)
Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24728 for inside:AAA_SERVER/49 to identity:17.2.2.2/39039 duration 0:00:00 bytes 41 TCP FINs
Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server =  AAA_SERVER : user = vzz19
Feb 04 2011 13:04:12: %ASA-2-113022: AAA Marking TACACS+ server AAA_SERVER in aaa-server group MYGROUP as FAILED
Feb 04 2011 13:04:12: %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user vzz19 : Auth-server group MYGROUP unreachable
Feb 04 2011 13:04:12: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = vzz19
Feb 04 2011 13:04:12: %ASA-6-611102: User authentication failed: Uname: vzz19
Feb 04 2011 13:04:12: %ASA-6-605004: Login denied from 10.2.2.2/26089 to inside:17.2.2.2/telnet for user "vzz19"
Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24729 for inside:AAA_SERVER/49 to identity:17.2.2.2/33702 duration 0:00:00 bytes 41 TCP FINs
Feb 04 2011 13:04:12: %ASA-7-609002: Teardown local-host inside:AAA_SERVER duration 0:00:00


Here's my AAA config:

aaa-server MYGROUP protocol tacacs+
max-failed-attempts 4
aaa-server MYGROUP (inside) host AAA_SERVER
timeout 3
aaa authentication telnet console MYGROUP LOCAL
aaa authentication enable console MYGROUP LOCAL
aaa accounting command privilege 15 MYGROUP


I can ping AND trace to the TACACS server:

ATLUSA01-FW01# ping AAA_SERVER
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to AAA_SERVER, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ATLUSA01-FW01# trace AAA_SERVER

Type escape sequence to abort.
Tracing the route to 151.162.239.239

1  17.2.2.3 0 msec 0 msec 0 msec
2  17.2.2.4 0 msec 0 msec 0 msec  ---- extranet firewall
3  10.4.7.1 0 msec 0 msec 0 msec
4  10.4.7.13 0 msec 0 msec 0 msec
5  10.4.7.193 0 msec 0 msec 0 msec
6  AAA_SERVER (10.5.5.5) 10 msec 0 msec 10 msec
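The question in the post is whether the "server not accessible" verdict and the "TCP FINs" teardowns can both be true at once. The following is an added example, not code from the original thread: a small parser that runs over the ASA syslog lines quoted above and keeps the AAA-layer messages (113014, 113022, 409023, 113015) separate from the TCP-layer connection messages (302013, 302014) for connections to tcp/49, so the two can be read side by side. The regular expressions are written against the wording of the quoted lines; the sample log embedded in the script is a constructed subset of those lines. The reading in tcp_verdict is the standard ASA one: a teardown reason of "SYN Timeout" means the handshake never completed, whereas a teardown with a nonzero byte count means the peer completed the handshake and exchanged data before the close.

```python
import re
from collections import Counter

# Constructed sample input: a subset of the ASA syslog lines quoted in the post
# above (same message IDs and wording), embedded here so the script runs offline.
SAMPLE_LOG = """\
Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24726 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/28055 (17.2.2.2/28055)
Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server =  AAA_SERVER : user = vzz19
Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24727 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/32029 (17.2.2.2/32029)
Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24726 for inside:AAA_SERVER/49 to identity:17.2.2.2/28055 duration 0:00:00 bytes 41 TCP FINs
Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server =  AAA_SERVER : user = vzz19
Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24727 for inside:AAA_SERVER/49 to identity:17.2.2.2/32029 duration 0:00:00 bytes 41 TCP FINs
Feb 04 2011 13:04:12: %ASA-2-113022: AAA Marking TACACS+ server AAA_SERVER in aaa-server group MYGROUP as FAILED
Feb 04 2011 13:04:12: %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user vzz19 : Auth-server group MYGROUP unreachable
Feb 04 2011 13:04:12: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = vzz19
"""

# %ASA-<severity>-<message id>: <text>
MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
# 302013: Built outbound TCP connection <id> for <ifc>:<host>/<port> ...
BUILT_RE = re.compile(
    r"Built (?:outbound|inbound) TCP connection (?P<conn>\d+) for "
    r"[^:\s]+:(?P<server>[^/\s]+)/(?P<port>\d+)\b")
# 302014: Teardown TCP connection <id> for <ifc>:<host>/<port> to <peer> duration <d> bytes <n> <reason>
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for [^:\s]+:(?P<server>[^/\s]+)/(?P<port>\d+) "
    r"to \S+ duration (?P<duration>\S+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$")
# 113022: AAA Marking TACACS+ server <server> in aaa-server group <group> as FAILED
FAILED_RE = re.compile(r"server (?P<server>\S+) in aaa-server group (?P<group>\S+) as FAILED")


def new_summary():
    return {
        "not_accessible": 0,            # 113014 count (AAA layer gave up on a request)
        "marked_failed": [],            # (server, group) pairs from 113022
        "fallback_local": False,        # 409023 seen: LOCAL fallback was used
        "local_rejects": 0,             # 113015 rejects against the local database
        "tcp_conn_built": 0,            # 302013 toward the AAA port
        "teardown_reasons": Counter(),  # 302014 reason strings toward the AAA port
        "payload_bytes": 0,             # sum of the "bytes" field in those teardowns
    }


def summarize(log_text, aaa_port=49):
    """Split the ASA log into AAA-layer verdicts and TCP-layer connection facts
    for connections to aaa_port, so the two can be compared side by side."""
    s = new_summary()
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msgid, text = m.group("msgid"), m.group("text")
        if msgid == "113014":
            s["not_accessible"] += 1
        elif msgid == "113022":
            f = FAILED_RE.search(text)
            if f:
                s["marked_failed"].append((f.group("server"), f.group("group")))
        elif msgid == "409023":
            s["fallback_local"] = True
        elif msgid == "113015":
            s["local_rejects"] += 1
        elif msgid == "302013":
            b = BUILT_RE.search(text)
            if b and int(b.group("port")) == aaa_port:
                s["tcp_conn_built"] += 1
        elif msgid == "302014":
            t = TEARDOWN_RE.search(text)
            if t and int(t.group("port")) == aaa_port:
                s["teardown_reasons"][t.group("reason")] += 1
                s["payload_bytes"] += int(t.group("bytes"))
    return s


def tcp_verdict(summary):
    """One-line reading of the TCP-layer facts: 'SYN Timeout' teardowns mean the
    handshake never completed; a nonzero byte count means the peer completed the
    handshake and data was exchanged before the close."""
    reasons = summary["teardown_reasons"]
    if not reasons:
        return "no connections to the AAA port seen"
    if reasons.get("SYN Timeout") == sum(reasons.values()):
        return "no peer ever completed the handshake (SYN Timeout only)"
    if summary["payload_bytes"] > 0:
        return "peer completed the handshake and exchanged data before closing"
    return "connections closed without payload; inspect the reason strings"


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("tcp layer:", tcp_verdict(result))
```

Run against the quoted lines, the AAA layer reports the server as not accessible and falls back to LOCAL, while the TCP layer reports connections to tcp/49 closed by FIN after 41 bytes each; seeing both together is what makes the AAA administrator's failed-attempts log the next place to look.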

Accepted Solution

You will definitely need the assistance of the AAA administrator; troubleshooting on the AAA client side shows only a fraction of what is going on.

Ask her or him to do the following:

The most important and also easiest thing is to check the "failed attempt" log and look if there is any entry at all for your ASA.

If there is an entry it should be self-explanatory, like "unknown NAS" or "tacacs key mismatch" - being convinced about a correct config and verifying it are two different things.

I have seen weird things like entering a key on an AAA server via a remote desktop where the keyboard settings were mismatched (English/German), resulting in swapped letters "Y" and "Z" - never trust your config until you have verified it.

If there is no entry at all then it could be a device on the path which is dropping tcp/49 but permitting ping/traceroute or some device is translating the address of the ASA (well in that case you should see an "unknown NAS" in the failed attempts).

Do you have the possibility to connect a device like a notebook to the inside network of the ASA? If so, try to telnet to tcp/49 of the AAA server; you should see right away whether tcp/49 is permitted (a blank screen immediately = connectivity, timeout = no connectivity).

That's all you can do from your side; sadly the ASA doesn't have a telnet client.

Rgds,

MiKa

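The telnet-to-tcp/49 check described in the accepted solution, as an added example that is not part of the thread: a Python script to run from a notebook on the inside network that performs the same TCP connect test and labels the outcome (handshake completed, refused with RST, silent timeout, or a routing error), which is the distinction the "blank screen vs. timeout" telnet test relies on. It also starts a throwaway listener on 127.0.0.1 as a constructed stand-in for the AAA server (one that accepts and immediately closes, the way a server that completes TCP but rejects the session would), so the script can be tried offline. An "open" result only proves that tcp/49 is permitted end to end; a wrong key or an undefined NAS still has to be checked on the AAA server side.

```python
import socket
import sys
import threading

TACACS_PORT = 49  # TACACS+ listens on tcp/49


def check_tcp_port(host, port=TACACS_PORT, timeout=3.0):
    """Classify a single TCP connect attempt.

    'open'        the three-way handshake completed (telnet would show a blank screen)
    'refused'     a RST came back: something answered, but nothing listens on the port
    'timeout'     no answer at all: a filter on the path or the host drops tcp/49
    'unreachable' routing or ICMP error before the connection could be attempted
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:          # alias of TimeoutError; checked before OSError
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"


def interpret(result):
    """Map the connect outcome to what it says about the path to the AAA port."""
    return {
        "open": "tcp/49 is permitted end to end; key or NAS definition problems are still possible",
        "refused": "a host (or a rejecting firewall) answered with RST; the port is not being served",
        "timeout": "no answer: a device on the path or the host silently drops tcp/49",
        "unreachable": "routing/ICMP error; the connection was never attempted",
    }[result]


def start_stub_server():
    """Constructed stand-in for the AAA server: a listener on 127.0.0.1 that accepts
    each connection and closes it at once (a FIN right after the handshake).
    Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_closed_port():
    """Find a local port nobody listens on: bind to 0, read the port, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real check: python3 tcp49check.py <aaa-server-address> [port]
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else TACACS_PORT
    else:
        # Offline demonstration against the constructed stub listener.
        host, port = "127.0.0.1", start_stub_server()
    outcome = check_tcp_port(host, port)
    print(f"{host}:{port} -> {outcome}: {interpret(outcome)}")
```

Run it with the AAA server address as the first argument from a host on the ASA's inside network; without arguments it checks the local stub and reports "open". The three-second default matches the "timeout 3" in the poster's aaa-server configuration.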

3 Replies

Tiago Antunes
Cisco Employee

Hi,

What is your TACACS+ server hw/sw version?

Have you defined the ASA on the AAA devices?

Which IP address have you used on the AAA device configuration? Is it the one from which the ASA is sourcing the TACACS+ traffic?

Can you double-check that the shared secret matches the one configured on the ASA?

Do you see any error/fail message on the TACACS+ server? What does it say?

HTH,
Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hello Tiago. I do not manage the TACACS server, so I'm not certain what version it is. I do know that it is Cisco ACS; I'm not sure whether it's Windows or appliance. I had the ACS administrator add my ASA device to the AAA devices. I am sourcing the AAA requests from my inside interface, and that is the IP that I gave the ACS admin. I am sure that the shared secret matches. As of Wednesday, when I tested trying to log into my firewall using AAA, my traffic was not seen in the TACACS server at all, but I could ping the TACACS server from the firewall. I contacted the NOC to make sure they were allowing my source traffic to go through to TCP destination port 49. They have since allowed that traffic, but I still can't access the TACACS server, and I have not been able to get hold of the person that administers the TACACS server to see if he sees my request hit the server now.
