08-23-2020 12:14 PM
We've been having this strange issue wherein the firewall would disconnect from or stop communicating with the TACACS server. We recently migrated to Cisco ISE from Cisco ACS, and for some strange reason there will be times (a lot of times) when the ASA will stop talking to the AAA server and will switch to local authentication. I don't know if there's something with the ISE that's breaking these firewalls, because they're running different code and this just started to happen when we moved to ISE. With ASAs, it would take 10 minutes or so to recover from that, so it's going to take a while to gain access again to the CLI unless I use local credentials.
Anyone here experienced the same thing?
08-23-2020 06:35 PM
08-23-2020 07:49 PM
08-23-2020 08:02 PM
08-23-2020 08:08 PM
I cannot log in to the ASA because we recently changed our ways and our local password is in our manager's password vault. So I will need to contact him every time it happens so I can capture logs.
We have an automation server that logs on a regular basis and I think eventually it will break and by the time I log in it's no longer authenticating.
08-24-2020 07:37 PM
08-24-2020 07:52 PM
08-25-2020 05:24 PM
06-24-2021 12:14 PM
Sorry to respond to a thread that is almost a year old, but I have this exact same issue and it's getting more frequent.
We had this issue randomly when we used the old ACS servers, but now we are seeing the failure to authenticate with TACACS on our Clearpass server. This is NOT a Clearpass issue, just like the OP said it was NOT an ISE issue. The authentication request never leaves the ASA (code 9.8.4(34)) during the issue. It does recover after about 10 minutes and, unlike the OP, I was able to access the ASA with our rotating local authentication. There was no indication that TACACS was not working from ASDM or the CLI. I was even able to do a "test" from within the AAA section of ASDM and authenticate with my username, but when trying to use the CLI or log in with ASDM with that same username it failed. Also, I had ASDM open when this happened and I got a warning that it would not authorize my username to access anything on the ASA. I had to log in as a local rotating user to gain access. This local user is what I used to test my TACACS username, and the issue only appears to affect the login to the ASA and not the TACACS service as a whole. Any thoughts or resolutions on this?
07-25-2021 09:28 AM
Did you find out what's going on? I cannot remember unfortunately what we did here.