10-05-2010 02:47 AM - edited 03-10-2019 05:27 PM
Dear,
I manage an ASA 5540 Active/Failover pair. SSH authentication is done through TACACS+ to ACS 4.2 located in the same VLAN as the inside interface of the firewalls. I have added both firewalls on to the ACS using their inside interface IP addresses (using the active and standby addresses). I can successfully authenticate and login to the Active ASA without any problem. But on the standby ASA, I get the SSH prompt but I could not login. When I see the failed attempts log under the ACS, I see "Unknown NAS" listed for the standby ASA. How can I solve this problem?
best regards,
Abebe Amare
Network Engineer, VivaCell
10-05-2010 05:05 AM
Hi Abebe,
On the secondary ASA, please check the following:
sh failover ---> and make sure the secondary is in standby ready and not failed.
sh aaa-server ----> check the output and see if the ASA has marked the tacacs server as "UP" and exchange of packets.
Enable the following debugs and run a test authentication as mentioned:
debug aaa authentication
debug tacacs
debug ssh
test aaa-server authentication
Provide me the debugs after taking out your username in it so that i can analyze.
Cheers,
Rudresh V
10-05-2010 06:39 AM
Dear Rudresh,
When I do a sh aaa-server I get the following:
ASA-01# sh aaa-server
Server Group: ACS
Server Protocol: tacacs+
Server Address: 192.168.x.xx
Server port: 49
Server status: ACTIVE, Last transaction at unknown
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 0
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 0
Number of rejects 0
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0
This made me double-check the configuration. I defined the same ACS server twice with different names and protocols (once for RADIUS to authenticate VPN sessions and the other for TACACS+ to authenticate device access). So it turned out I put the wrong server name under ssh authentication.
Thanks for pointing me in the right direction and I give you full marks.
best regards,
Abebe Amare
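The configuration mix-up described in this thread, as an added example that is not the poster's own configuration: two aaa-server groups point at the same ACS host (one RADIUS for VPN, one TACACS+ for device access), and the ssh console line must reference the TACACS+ group. The group names, interface name, addresses and key are constructed placeholders, and the zero counters in the sh aaa-server output above are the symptom that the group named on the ssh line is not the one being used.

```cisco
! --- Two server groups for the same ACS host (constructed addresses/keys) ---
aaa-server VPN-RADIUS protocol radius
aaa-server VPN-RADIUS (inside) host 192.0.2.10
 key RADIUS-KEY-PLACEHOLDER
aaa-server DEVICE-TACACS protocol tacacs+
aaa-server DEVICE-TACACS (inside) host 192.0.2.10
 key TACACS-KEY-PLACEHOLDER
! ACS must also have the inside active AND standby addresses as AAA clients
! with the TACACS+ key, because the standby unit sources from the standby IP.

! --- Wrong: SSH logins are sent to the RADIUS group, so the TACACS+ group
!     never transacts (all counters stay 0) and ACS does not see a TACACS+ NAS ---
aaa authentication ssh console VPN-RADIUS LOCAL

! --- Corrected: SSH device access uses the TACACS+ group; LOCAL is the
!     fallback only if every server in the group is marked FAILED ---
aaa authentication ssh console DEVICE-TACACS LOCAL

! --- Verify on the standby unit after the change (constructed credentials) ---
show failover
show aaa-server DEVICE-TACACS
test aaa-server authentication DEVICE-TACACS host 192.0.2.10 username testuser password TEST-PLACEHOLDER
```

After the test command, the request/accept counters in show aaa-server DEVICE-TACACS should increment on the standby unit; if the ACS log still shows "Unknown NAS", the standby inside address is the entry missing on the ACS side.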