AAA TACACS Authentication fails after ASA Failover

Hello,

I have a pair of ASAs running in active/standby. I can fail them over and none of my users' remote access VPN connections are affected. My issue is with AAA authentication using TACACS. After the failover I am unable to use TACACS for at least five minutes. I can only get in using the fallback method, which is the local database. When doing aaa debugging I get a message that the "Auth-server group NAME unreachable". The thing is I can perform a "test aaa-server authentication NAME" and it successfully authenticates against the same group that it is claiming is unreachable when I try to ssh into it. Anyone ever seen this issue?

Thanks for the help,

Joe

Accepted Solution

Root cause was that the secondary firewall had not been added to ISE. Before the failover events the commands I was running were attempting to run against AAA authorization on ISE but were being rejected as it was not a part of ISE. When the failover occurred the firewall was not even trying to hit ISE, as there must be some sort of timer after a failed attempt that prevents it from trying again. Bottom line: have both of your firewalls in ISE and able to authenticate. This was a handy command:

vpn-hk# test aaa-server authentication AAA-SERVER-GROUP
Server IP Address or name: 10.10.10.10
Username: jrenwick
Password: ********
INFO: Attempting Authentication test to IP address <10.10.10.10> (timeout: 12 seconds)
INFO: Authentication Successful
vpn-hk#

Hope this helps somebody someday.

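As an added example that is not part of the original thread, here is an ASA configuration fragment and a set of verification commands covering the situation the accepted answer describes: a TACACS+ group that is marked failed, falls back to LOCAL, and is not retried until a timer expires. The group name, the host address and the 12-second timeout are taken from the post; the interface name "inside", the shared-secret placeholder and the specific max-failed-attempts and deadtime values are assumptions chosen for illustration.

```cisco
! TACACS+ server group used for administrative (SSH/enable) authentication.
! Group name and host are from the thread; "inside" and the tuning values are assumptions.
aaa-server AAA-SERVER-GROUP protocol tacacs+
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server AAA-SERVER-GROUP (inside) host 10.10.10.10
 key <shared-secret>
 timeout 12
!
! Use the group for SSH and enable authentication, falling back to the local
! database only when the whole group is unreachable or sitting in deadtime.
aaa authentication ssh console AAA-SERVER-GROUP LOCAL
aaa authentication enable console AAA-SERVER-GROUP LOCAL
!
! Verification after a failover, run on the newly active unit:
!   show failover                        -> confirm which unit is now active
!   show aaa-server AAA-SERVER-GROUP     -> per-server status, ACTIVE or FAILED
!   test aaa-server authentication AAA-SERVER-GROUP host 10.10.10.10 username jrenwick
```

With the default depletion reactivation mode, a server that exceeds max-failed-attempts consecutive failures is marked FAILED, and once every server in the group has failed the group is left alone for deadtime minutes (10 by default) before it is tried again; that waiting period is the "timer after a failed attempt" noticed in the thread, and "show aaa-server" on the active unit shows whether you are waiting it out rather than facing a reachability problem. If you would rather not wait, "reactivation-mode timed" reactivates failed servers after 30 seconds. Because requests that originate on the standby unit leave from its standby interface address, both the active and standby addresses of the interface used for AAA (or a range covering them) need to be defined as network devices in ISE, which is the condition the accepted answer found missing.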

4 Replies

Dennis Mink
VIP Alumni

Can you share the AAA-relevant config on the failover box? Cheers.

Also, do you see the failing authentication request in the log of your TACACS server?

Please remember to rate useful posts, by clicking on the stars below.

Thanks for following up. Turns out the issue was not having the secondary firewall configured in ISE. See my response for details.


good to hear mate, mark your answer as solved.

Please remember to rate useful posts, by clicking on the stars below.
