John Patrick Lopez
Enthusiast

ASA Disconnecting from TACACS

We've been having this strange issue wherein the firewall would disconnect or stop communicating with the TACACS server. We recently migrated to Cisco ISE from Cisco ACS, and for some strange reason there will be times (a lot of times) that the ASA will stop talking to the AAA server and will switch to local authentication. I don't know if there's something with the ISE that's breaking these firewalls, because they're running different code and this just started to happen when we moved to ISE. With ASAs, it would take 10 minutes or so to recover from that, so it's going to take a while to gain access again to the CLI unless I use local credentials.

Anyone here experienced the same thing?

 

Francesco Molino
VIP Mentor

Hi,

What is the source interface on asa used for tacacs? Have you performed some captures to see if traffic is arriving on ISE when this happens?
Are all your ASAs affected or only some of them? What versions are you running?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

The source interface is always the inside. On the ISE, there are no logs because the ASA is no longer sending AAA packets. So there's basically nothing in the ISE anymore. I am now noticing this happening on a lot of ASA firewalls but not yet on routers and switches.

When it occurs on ASA, have you done some debugs on tacacs to see what happens?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I cannot log in to the ASA because we recently changed our ways and our local password is in the password vault of our manager. So I will need to contact him every time it happens so I can capture logs.

 

We have an automation server that logs on a regular basis and I think eventually it will break and by the time I log in it's no longer authenticating.

 

I understand but for the troubleshooting it will be important to have a temporary user on 1 asa to see what's happening during that time.
I didn't see your answers regarding affected ASAs. You said it happens on a lot of them. So this means you have some that aren't failing, right?
What code are you running on this vs the failing ones?
Can you share both configs?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Yes. I think some of them are still ok. We have hundreds of ASAs and I don’t log into all of them frequently. Just mostly the ones in the data centers. With regards to the code, we may have like 3 different codes running across the network and what baffles me is that even a pre 8.3 is experiencing the same issue.

I initially observed this when I was executing my python script and from having successful connections, it started giving me access denied but since it is a lab firewall I can easily setup a local account. Then I started to notice that it’s happening in 2 more firewalls in the data center then my colleague said the same as well.

Can you share your tacacs config please? So you can easily reproduce it in a LAB environment?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question