ASA Active/passive AAA access

raghav.arun
Level 1

Hi,

I have an ASA 5555 Active/Standby failover pair. TACACS login to the Active firewall is successful, but TACACS login to the Standby firewall doesn't work. It shows the username prompt; however, I cannot log in.

After issuing the test aaa authentication <server-group> host <ip-address> username user password pass command, it shows "Authentication Server not responding; No error".

On packet capturing, I found that the Standby firewall uses the Active firewall's IP to send the TACACS authentication packet on port 49. However, the ACS TACACS server doesn't show any passed or failed attempts in its log for that time.

Cisco ACS is configured correctly and serves the other devices and the Active firewall.

On the Standby firewall, "show aaa-server" shows that the ACS server is active, and the timeout count increases with every authentication.

Please help.

Thanks

3 Replies

vishaw jasrotia
Level 1

Hello,

You have to do some work to capture the error.

First: From the secondary ASA, you need to check which source IP it is using when it sends the request to your ACS server, whether the primary IP or the secondary IP.

If it is using the primary IP (Active firewall), then the return packet from ACS to the secondary ASA will not reach the secondary ASA, as that primary IP is active on the Active firewall.

Second: On ACS you need to check whether you have made an entry for the secondary IP.

Thanks
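The two checks above, worked through on the ASA CLI as an added example (this is not part of the reply above or of the original thread). The interface name inside, the ACS address 10.1.1.10, the active/standby addresses 192.168.1.1/192.168.1.2, the server-group name ACS and the test credentials are all assumed values; substitute your own.

```text
! Assumed addressing: inside active 192.168.1.1, standby 192.168.1.2, ACS 10.1.1.10
! Run these on the STANDBY unit (on its console, or from the active unit with
! "failover exec standby <command>").

! 1. Confirm a standby address exists on the interface that reaches ACS.
!    Without one, the standby unit has no address of its own to source AAA traffic from.
show running-config interface GigabitEthernet0/1
!   interface GigabitEthernet0/1
!    nameif inside
!    ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

! 2. Capture TACACS+ (TCP/49) toward ACS, then trigger an authentication from the
!    standby itself so the capture contains a request this unit originated.
capture tac interface inside match tcp any host 10.1.1.10 eq 49
test aaa-server authentication ACS host 10.1.1.10 username testuser password testpass

! 3. Read the capture. The source address of the outbound SYN is the IP the standby used.
show capture tac
!   Expected:  192.168.1.2.<port> > 10.1.1.10.49: S ...
!              10.1.1.10.49 > 192.168.1.2.<port>: S ... ack ...
!   Symptom in this thread:
!              192.168.1.1.<port> > 10.1.1.10.49: S ...   (no reply seen on this unit)
!   The SYN-ACK is addressed to 192.168.1.1, which the active unit owns, so it never
!   reaches the standby and the request times out ("Authentication Server not responding").

! 4. Server-side check: ACS needs an AAA client entry (or a subnet entry) that covers the
!    standby address 192.168.1.2, not only 192.168.1.1.
show aaa-server ACS

! Clean up the capture when done.
no capture tac
```

If step 1 shows a standby address configured and step 3 still shows the active address as the source of the standby's own request, the firewall is not sourcing from its standby IP, which is the behaviour the later replies in this thread attribute to a software defect rather than to configuration.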

Hi Vishaw,

It's been found that it's a Cisco bug in ASA version 9.0(1).

CSCud24452

Thanks for the help.

Hi guys,

I have the same problem with ASA version 9.1(1).

Here you can find the bug in the table of Resolved Caveats in ASA Version 9.1(2):

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html
