Unable to login to active ASA using radius but can on secondary ASA

Thomas McLean
Level 1

Guys,

Bit of a strange problem here that just started last week - basically I tried to log on to our ASA and I was denied access. I thought that was strange but tried a few times and got some other people to do the same - on doing so they also failed. I tried to log in through our local admin account and that worked straight away - I cannot, however, SSH to the console with either the RADIUS info or the local information. The weird thing is I can gain access to our secondary ASA with no issue using RADIUS authentication; this is being run in an active/standby failover configuration.

I have checked the configs under the ASA part of ASDM on both primary and standby but neither deviates at all.

Can anyone shed some light on this or has it happened to anyone before?

Many thanks for your time and looking at this.

Thomas.

3 Replies

Thomas McLean
Level 1

I'm clutching at straws, but could this have anything to do with it? I doubt it.

Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 110 maximum
failover replication http
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 17:33:51 GMT/BST Jan 11 2012
This host: Primary - Active
Active time: 4376017 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.2(5)) status (Up Sys)
Interface outside (xxx.xxx.xxx.xxx): Normal (Waiting)
Interface management (7.7.7.7): No Link (Not-Monitored)
Interface Hosting_DMZ_Internal (xxx.xxx.xxx.xxx): Normal
Interface Hosting_DMZ_External (xxx.xxx.xxx.xxx): Normal
Interface Services_DMZ (172.25.4.1): Normal (Not-Monitored)
Interface Virtual_Services_DMZ (xxx.xxx.xxx.xxx): Normal (Not-Monitored)
Interface Auth_DMZ (xxx.xxx.xxx.xxx): Normal
Interface inside (xxx.xxx.xxx.xxx): Normal
slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)
Other host: Secondary - Failed
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.2(5)) status (Up Sys)
Interface outside (xxx.xxx.xxx.xxx): Failed (Waiting)
Interface management (0.0.0.0): Normal (Not-Monitored)
Interface Hosting_DMZ_Internal (xxx.xxx.xxx.xxx): Normal
Interface Hosting_DMZ_External (xxx.xxx.xxx.xxx): Normal
Interface Services_DMZ (xxx.xxx.xxx.xxx): Normal (Not-Monitored)
Interface Virtual_Services_DMZ (172.25.10.2): Normal (Not-Monitored)
Interface Auth_DMZ (xxx.xxx.xxx.xxx): Normal
Interface inside (xxx.xxx.xxx.xxx): Normal
slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)

It says "Other host: Secondary - Failed". It should say "Standby" instead of "Failed". It also says "Interface outside: Failed". You should look at that.

It would be good to know the IP addressing and what IPs you are SSHing into.

Thomas

I agree with Eduardo that it is significant that the output shows the other failover participant is failed. When I put this together with your statement that you can log in to the backup without any problem, I believe that this is your problem:

- there has been some problem that causes the ASAs to not communicate with each other.

- each ASA believes that its mate has failed and that it should be the active ASA.

- so both ASAs are trying to be active, and both ASAs are attempting to use the same IP address (and probably the same MAC address). The duplication of IP address (and possibly duplication of MAC address) means that only one of the ASAs is reachable.

HTH

Rick
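Rick's diagnosis can be turned into a quick check over "show failover" text in the format Thomas posted. This is an added example, not code from the thread or from Cisco: the samples are constructed (abridged from the primary's output above, addresses redacted as in the post; the secondary's output is an assumption about what it would report if it also thought it was active), and it flags a mate that is not Standby, any Failed interface, and the split-brain case where both units claim Active.

```python
import re

# Constructed samples (assumed), abridged from the primary's output in the post;
# the secondary's view is a guess at what it reports if it also thinks it is active.
PRIMARY_OUTPUT = """\
This host: Primary - Active
Interface outside (xxx.xxx.xxx.xxx): Normal (Waiting)
Interface inside (xxx.xxx.xxx.xxx): Normal
Other host: Secondary - Failed
Interface outside (xxx.xxx.xxx.xxx): Failed (Waiting)
Interface inside (xxx.xxx.xxx.xxx): Normal
"""
SECONDARY_OUTPUT = """\
This host: Secondary - Active
Interface outside (xxx.xxx.xxx.xxx): Normal (Waiting)
Other host: Primary - Failed
Interface outside (xxx.xxx.xxx.xxx): Failed (Waiting)
"""

HOST_RE = re.compile(r"^(This|Other) host: (\S+) - (.+)$")
# State is the text after the colon, minus any trailing "(Waiting)" style qualifier.
IFACE_RE = re.compile(r"^Interface (\S+) \(([^)]*)\): ([^(]+?)\s*(?:\(.*)?$")

def parse_failover(text):
    """Map 'this'/'other' to {unit, state, interfaces: {name: state}}."""
    hosts, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := HOST_RE.match(line):
            current = m.group(1).lower()
            hosts[current] = {"unit": m.group(2), "state": m.group(3), "interfaces": {}}
        elif (m := IFACE_RE.match(line)) and current:
            hosts[current]["interfaces"][m.group(1)] = m.group(3)
    return hosts

def failover_findings(text):
    """Warnings for one unit's output: mate not Standby, or any Failed interface."""
    hosts, findings = parse_failover(text), []
    other = hosts.get("other")
    if other and not other["state"].startswith("Standby"):
        findings.append(f"other host {other['unit']} is {other['state']}, expected Standby")
    for role, host in hosts.items():
        for name, state in host["interfaces"].items():
            if state == "Failed":
                findings.append(f"{role} host: interface {name} is Failed")
    return findings

def split_brain(output_a, output_b):
    """True when both units report themselves Active: the duplicate-IP scenario."""
    states = [parse_failover(o).get("this", {}).get("state") for o in (output_a, output_b)]
    return states == ["Active", "Active"]
```

Run failover_findings on each unit's output you can reach, and split_brain on the pair; a healthy pair reports the mate as "Standby Ready" and yields no findings.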