AAA stopped ASA-5516-X 9.16.4(57)

JP4_NW
Level 1

Hello everyone, as mentioned in the title, we have two ASA-5516-X devices with software 9.16.4(57). Recently we have been experiencing that authentication through AAA (Cisco ISE) fails for some reason approximately every 7 days, and we have only managed to recover the service by restarting the ASA devices.

It is important to mention that at no time is communication lost at the network level; in fact, at the time of the failure the ASA does not send that type of traffic to the ISE, but it does send other traffic, such as ICMP or other types.
Can you think of what could be happening?

5 Replies


show aaa-server

MHM

Thank you for the prompt response.
Attached information.

Note: It is important to mention that there is a high number of rejections due to automatic geolocation of unsafe countries.

Server Group: ISE-AWS
Server Protocol: radius
Server Hostname: cisco-ise-zone-a
Server Address: 172.25.12.185
Server port: 1645(authentication), 1646(accounting)
Server status: ACTIVE, Last transaction at 11:11:37 UYST Thu Jan 23 2025
Number of pending requests 0
Average round trip time 938ms
Number of authentication requests 28014
Number of authorization requests 0
Number of accounting requests 6528
Number of retransmissions 0
Number of accepts 8325
Number of rejects 26076
Number of challenges 1049
Number of bad authenticators 0
Number of timeouts 141
Number of unrecognized responses 0

Server Group: ISE-AWS
Server Protocol: radius
Server Hostname: cisco-ise-zone-b
Server Address: 172.25.23.90
Server port: 1645(authentication), 1646(accounting)
Server status: ACTIVE, Last transaction at 14:24:44 UYST Wed Jan 22 2025
Number of pending requests 0
Average round trip time 1601ms
Number of authentication requests 253
Number of authorization requests 0
Number of accounting requests 4
Number of retransmissions 0
Number of accepts 8
Number of rejects 246
Number of challenges 7
Number of bad authenticators 0
Number of timeouts 3
Number of unrecognized responses 0

Number of authentication requests 253 <<-

Number of rejects 246 <<-

You have two AAA servers, and it seems that the ASA tries the second one and that AAA rejects the request, so try checking the second AAA.

MHM
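As an added example (not from the thread, and not a Cisco tool), the following Python script parses the `show aaa-server` output posted above and summarises each RADIUS server's health: reject ratio, timeout ratio, average round-trip time and server status. The sample text is copied from the thread; the warning thresholds are assumptions chosen for illustration, not Cisco-recommended values.

```python
"""Parse Cisco ASA 'show aaa-server' output and flag per-server health indicators."""
import re

# Sample output copied from the thread above (group ISE-AWS, two RADIUS servers).
SAMPLE_OUTPUT = """\
Server Group: ISE-AWS
Server Protocol: radius
Server Hostname: cisco-ise-zone-a
Server Address: 172.25.12.185
Server port: 1645(authentication), 1646(accounting)
Server status: ACTIVE, Last transaction at 11:11:37 UYST Thu Jan 23 2025
Number of pending requests 0
Average round trip time 938ms
Number of authentication requests 28014
Number of authorization requests 0
Number of accounting requests 6528
Number of retransmissions 0
Number of accepts 8325
Number of rejects 26076
Number of challenges 1049
Number of bad authenticators 0
Number of timeouts 141
Number of unrecognized responses 0

Server Group: ISE-AWS
Server Protocol: radius
Server Hostname: cisco-ise-zone-b
Server Address: 172.25.23.90
Server port: 1645(authentication), 1646(accounting)
Server status: ACTIVE, Last transaction at 14:24:44 UYST Wed Jan 22 2025
Number of pending requests 0
Average round trip time 1601ms
Number of authentication requests 253
Number of authorization requests 0
Number of accounting requests 4
Number of retransmissions 0
Number of accepts 8
Number of rejects 246
Number of challenges 7
Number of bad authenticators 0
Number of timeouts 3
Number of unrecognized responses 0
"""

KV_RE = re.compile(r"^Server (Group|Protocol|Hostname|Address|port): (.+)$")
STATUS_RE = re.compile(r"^Server status: (\S+), Last transaction at (.+)$")
RTT_RE = re.compile(r"^Average round trip time (\d+)ms$")
COUNTER_RE = re.compile(r"^Number of (.+?) (\d+)$")


def parse_aaa_servers(text):
    """Split the output into one dict per server block (blocks are blank-line separated)."""
    servers = []
    for block in re.split(r"\n\s*\n", text.strip()):
        server = {"counters": {}}
        for line in block.splitlines():
            line = line.strip()
            if m := KV_RE.match(line):
                server[m.group(1).lower()] = m.group(2)
            elif m := STATUS_RE.match(line):
                server["status"], server["last_transaction"] = m.group(1), m.group(2)
            elif m := RTT_RE.match(line):
                server["rtt_ms"] = int(m.group(1))
            elif m := COUNTER_RE.match(line):
                server["counters"][m.group(1)] = int(m.group(2))
        if "hostname" in server:  # skip fragments that are not a server block
            servers.append(server)
    return servers


# Thresholds below are illustrative assumptions, not vendor guidance.
def assess(server, reject_ratio_warn=0.5, timeout_ratio_warn=0.01, rtt_warn_ms=500):
    """Return ratios plus a list of flags describing what looks unhealthy."""
    c = server["counters"]
    auth = c.get("authentication requests", 0)
    result = {
        "hostname": server.get("hostname"),
        "reject_ratio": c.get("rejects", 0) / auth if auth else 0.0,
        "timeout_ratio": c.get("timeouts", 0) / auth if auth else 0.0,
        "rtt_ms": server.get("rtt_ms", 0),
        "flags": [],
    }
    if server.get("status") != "ACTIVE":
        result["flags"].append("not_active")
    if result["reject_ratio"] > reject_ratio_warn:
        result["flags"].append("high_reject_ratio")
    if result["timeout_ratio"] > timeout_ratio_warn:
        result["flags"].append("timeouts")  # ISE not answering in time: the symptom in the thread
    if result["rtt_ms"] > rtt_warn_ms:
        result["flags"].append("high_rtt")
    if c.get("bad authenticators", 0) or c.get("unrecognized responses", 0):
        result["flags"].append("shared_secret_or_protocol_mismatch")
    return result


if __name__ == "__main__":
    for s in parse_aaa_servers(SAMPLE_OUTPUT):
        r = assess(s)
        print(f"{r['hostname']}: rejects {r['reject_ratio']:.1%}, timeouts "
              f"{r['timeout_ratio']:.2%}, RTT {r['rtt_ms']}ms, flags={r['flags']}")
```

Because the poster explains that most rejects come from geolocation policy, a high reject ratio alone is expected here; the timeout ratio and the round-trip time (938 ms and 1601 ms to RADIUS servers that appear to be remote) are the more telling indicators of whether ISE is answering the ASA at all. The counters are cumulative since boot, so to see a failure window you would compare two snapshots taken some time apart (or clear the statistics with `clear aaa-server statistics` before the expected failure and read them again after it).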

Any news?

MHM

https://www.cisco.com/site/us/en/products/collateral/firewalls/asa-5500-series-next-generation-firewalls/eos-eol-notice-c51-744798.html

What is the MFA strategy here? Why not use a SAML flow instead? What version of ISE?
