ASA Disconnecting from TACACS

jpl861 (Level 4)

We've been having this strange issue wherein the firewall would disconnect or stop communicating with the TACACS server. We recently migrated to Cisco ISE from Cisco ACS and for some strange reason there will be times (a lot of times) that the ASA will stop talking to the AAA server and will switch to local authentication. I don't know if there's something with the ISE that's breaking these firewalls because they're running different code and this just started to happen when we moved to ISE. With ASAs, it would take 10 minutes or so to recover from that, so it's going to take a while to gain access again to the CLI unless I use local credentials.

Anyone here experienced the same thing?

9 Replies

Francesco Molino (VIP Alumni)
Hi,

What is the source interface on asa used for tacacs? Have you performed some captures to see if traffic is arriving on ISE when this happens?
Are all your ASAs affected or only some of them? What versions are your running?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

The source interface is always the inside. On the ISE, there are no logs because the ASA is no longer sending AAA packets. So there's basically nothing in the ISE anymore. I am now noticing this happening on a lot of ASA firewalls but not yet on routers and switches.

When it occurs on ASA, have you done some debugs on tacacs to see what happens?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I cannot log in to the ASA because we recently changed our ways and our local password is in the password vault of our manager. So I will need to contact him every time it happens so I can capture logs.

We have an automation server that logs in on a regular basis and I think eventually it will break, and by the time I log in it's no longer authenticating.

I understand but for the troubleshooting it will be important to have a temporary user on 1 asa to see what's happening during that time.
I didn't see your answers regarding affected ASAs. You said it happens on a lot of them. So this means you have some that aren't failing, right?
What code are you running on this vs the failing ones?
Can you share both configs?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Yes. I think some of them are still ok. We have hundreds of ASAs and I don't log into all of them frequently, just mostly the ones in the data centers. With regards to the code, we may have like 3 different codes running across the network and what baffles me is that even a pre-8.3 one is experiencing the same issue.

I initially observed this when I was executing my python script: from having successful connections, it started giving me access denied, but since it is a lab firewall I can easily set up a local account. Then I started to notice that it's happening on 2 more firewalls in the data center, then my colleague said the same as well.

Can you share your tacacs config please? So you can easily reproduce it in a LAB environment?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

William King (Level 1)

Sorry to respond to a thread that is almost a year old, but I have this exact same issue and it's getting more frequent.
We had this issue randomly when we used the old ACS servers, but now we are seeing the failure to authenticate with TACACS on our Clearpass server. This is NOT a Clearpass issue, just like the OP said it was NOT an ISE issue. The authentication request never leaves the ASA (code 9.8.4(34)) during the issue. It does recover after about 10 minutes and, unlike the OP, I was able to access the ASA with our rotating local authentication. There was no indication that TACACS was not working from ASDM or CLI. I was even able to do a "test" from within the AAA section of ASDM and authenticate with my username, but when trying to log in via CLI or ASDM with that same username it failed. Also, I had ASDM open when this happened and I got a warning that it would not authorize my username to access anything on the ASA. I had to log in as a local rotating user to gain access. This local user is what I used to test my TACACS username, and the issue only appears to affect the login to the ASA and not the TACACS service as a whole. Any thoughts or resolutions on this?

Did you find out what's going on? I cannot remember unfortunately what we did here.
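The roughly ten-minute recovery described in the original question and again in William King's reply is the window during which an ASA holds a TACACS+ server it has marked FAILED out of service (its default depletion deadtime is 10 minutes), while `aaa authentication ... LOCAL` falls through to local accounts. The following is an added example, not configuration posted by anyone in this thread: a typical default aaa-server group beside one with a shorter reactivation window, plus the commands to check server state from a local login while the symptom is present. The group name TACACS, the interface name inside, the address 192.0.2.10 and the placeholder secret and credentials are assumptions.

```text
! Typical configuration. With no reactivation-mode line the ASA uses
! depletion mode with a 10-minute deadtime: after max-failed-attempts
! (default 3) unanswered requests the server is marked FAILED and every
! login falls through to LOCAL until the deadtime expires.
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 192.0.2.10
 key <shared-secret>
 timeout 5
aaa authentication ssh console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication enable console TACACS LOCAL

! Adjusted group. Timed reactivation retries a FAILED server after 30
! seconds instead of holding it out for the deadtime, so a transient
! loss only costs a short local-only window. Keep LOCAL as the
! fallback so the device stays reachable if the server is really down.
aaa-server TACACS protocol tacacs+
 reactivation-mode timed
 max-failed-attempts 3
aaa-server TACACS (inside) host 192.0.2.10
 key <shared-secret>
 timeout 5

! Checks to run from a local login while logins are failing.
! 1. Server state and request/failure counters; FAILED here with no
!    packets seen on ISE or ClearPass points at the ASA side.
show aaa-server TACACS
! 2. On-demand authentication against the specific host.
test aaa-server authentication TACACS host 192.0.2.10 username <user> password <password>
! 3. Per-request debug while reproducing a login attempt.
debug tacacs
```

Compare the `show aaa-server` output from an affected ASA with one that is still healthy before changing the reactivation mode, so the config diff Francesco asked for also captures the server state at the time of failure.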
