01-29-2014 07:31 PM - last edited on 03-25-2019 05:52 PM by ciscomoderator
Hi,
I have an ASA 5555 Active/Standby failover firewall, in which the TACACS login for the Active firewall is successful. But the TACACS login for the Standby firewall doesn't work. It shows the username prompt, however I cannot log in.
After issuing the `test aaa authentication <server-group> host <ip-address> username user password pass` command, it shows "Authentication Server not responding; No error".
On packet capture, I found that the Standby firewall uses the Active firewall IP to send the TACACS authentication packet on port 49. However, the ACS TACACS server doesn't show any passed or failed attempt logs at that particular time.
Cisco ACS is configured correctly and serves the other devices and the active firewall.
On the Standby firewall, "show aaa-server" shows that the ACS server is active and the timeout increases with every authentication.
Please help.
Thanks
01-29-2014 08:02 PM
Hello,
You have to do some work to capture the error.
First: From the secondary ASA, you need to check which source IP it is using when it sends the request to your ACS server, whether the primary IP or the secondary IP.
If it is using the Primary IP (Active firewall), then the return packet from ACS to the secondary ASA will not reach the secondary ASA, as that Primary IP is active on the Active firewall.
Second: On ACS you need to check whether you have made an entry for the secondary IP.
Thanks
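The two checks in the reply above can be automated against a packet capture taken on the standby unit. The following is an added example (not code from the thread or from Cisco): it parses constructed tcpdump-style lines, flags TACACS+ (TCP/49) requests whose source address is not the standby unit's own interface address (replies to those go to whichever unit owns that address, which is why the standby times out), and reports whether the ACS AAA-client list contains the standby's IP. The addresses, capture lines and client list are constructed sample data.

```python
"""Diagnose the standby-ASA TACACS+ failure mode: requests sourced from the
active unit's IP, and/or no ACS AAA client entry for the standby's own IP.
All addresses and capture lines below are constructed sample data."""
import re
from typing import Iterable, List

TACACS_PORT = 49

# Matches tcpdump-style lines such as
#   "IP 192.0.2.10.34567 > 198.51.100.5.49: Flags [S], seq ..."
_PKT_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_capture(lines: Iterable[str]):
    """Yield (src_ip, src_port, dst_ip, dst_port) for every line that parses;
    non-matching lines (timestamps, ARP, noise) are skipped."""
    for line in lines:
        m = _PKT_RE.search(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def mismatched_tacacs_sources(lines: Iterable[str], unit_ip: str,
                              server_ip: str) -> List[str]:
    """Source IPs (other than unit_ip) used for TACACS+ requests to server_ip.
    A reply to such a request is routed to the owner of that source IP,
    not to the unit that sent the request."""
    seen = []
    for src, _sport, dst, dport in parse_capture(lines):
        if dst == server_ip and dport == TACACS_PORT and src != unit_ip:
            if src not in seen:
                seen.append(src)
    return seen


def missing_acs_clients(acs_clients: Iterable[str],
                        unit_ips: Iterable[str]) -> List[str]:
    """Unit addresses that have no AAA client entry on the ACS."""
    known = set(acs_clients)
    return sorted(ip for ip in unit_ips if ip not in known)


def diagnose(lines: Iterable[str], unit_ip: str, server_ip: str,
             acs_clients: Iterable[str]) -> List[str]:
    """Human-readable findings for one unit's capture and the ACS client list."""
    findings = []
    for src in mismatched_tacacs_sources(lines, unit_ip, server_ip):
        findings.append(
            f"TACACS+ request to {server_ip} sourced from {src}, not {unit_ip}: "
            f"the reply will not return to this unit")
    for ip in missing_acs_clients(acs_clients, [unit_ip]):
        findings.append(f"ACS has no AAA client entry for {ip}")
    return findings


# ---- constructed sample data (not from the thread) ----
ACTIVE_IP = "192.0.2.10"    # shared IP, live on the active unit
STANDBY_IP = "192.0.2.11"   # standby unit's own interface address
ACS_IP = "198.51.100.5"

STANDBY_CAPTURE = [
    "10:01:02.100 IP 192.0.2.10.34567 > 198.51.100.5.49: Flags [S], seq 1",
    "10:01:03.100 IP 192.0.2.10.34567 > 198.51.100.5.49: Flags [S], seq 1",
    "10:01:04.000 IP 192.0.2.11.51000 > 198.51.100.5.22: Flags [S], seq 9",
    "10:01:04.500 ARP, Request who-has 192.0.2.1 tell 192.0.2.11",
]
ACS_CLIENTS = {ACTIVE_IP}   # only the active/shared address is registered

if __name__ == "__main__":
    for finding in diagnose(STANDBY_CAPTURE, STANDBY_IP, ACS_IP, ACS_CLIENTS):
        print(finding)
```

Run it on the standby unit's capture with that unit's own interface address as `unit_ip`; an empty result from `diagnose` means the requests are sourced correctly and the ACS knows the unit, so the cause lies elsewhere.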
02-02-2014 05:22 PM
05-28-2014 11:28 AM
Hi guys,
I have the same problem with ASA version 9.1(1).
Here you can find the bug in the table of Resolved Caveats in ASA Version 9.1(2):
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html