ASA Failover is OK but can't issue 'failover exec mate' commands

Hi,

I can't seem to issue 'failover exec mate' commands from the primary ASA FW, and I can only SSH to the secondary FW using the 'local' username and not via ISE/TACACS.

The 'show failover' output seems fine, and I can ping each other's failover IP and ping TACACS from both FWs.

The config is syncing according to 'show version', although on the secondary FW I could see 'enable_1' as who last modified the config, whereas the primary FW shows the actual TACACS user.

Configuration last modified by enable_1 at 20:02:32.108 UTC Thu May 28 2020

 

I'll be upgrading the FW pair and just want to ensure I can perform the 'zero hit' upgrade properly.

Question is, should I proceed with the upgrade? What other troubleshooting or things should I check?

 

ciscoasa/pri/act# failover exec mate show version
Fallback authorization. Username 'john' not in LOCAL database
Command authorization failed

 

ciscoasa/pri/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 6 of 216 maximum
Version: Ours 9.1(3), Mate 9.1(3)
Last Failover at: 03:39:14 UTC Feb 14 2020
This host: Primary - Active
Active time: 9419923 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.1(3)) status (Up Sys)

<INTERFACE SNIPPED>

Other host: Secondary - Standby Ready
Active time: 1837 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.1(3)) status (Up Sys)

<INTERFACE SNIPPED>


ciscoasa/pri/act# sh run failover
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/7
failover link folink GigabitEthernet0/7
failover interface ip folink 192.168.1.1 255.255.255.248 standby 192.168.1.2

ciscoasa/pri/act# ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


ciscoasa/pri/act# ping ISE-1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to ISE-1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


-----


ciscoasa/sec/stby# show run failover
failover
failover lan unit secondary
failover lan interface folink GigabitEthernet0/7
failover link folink GigabitEthernet0/7
failover interface ip folink 192.168.1.1 255.255.255.248 standby 192.168.1.2

ciscoasa/sec/stby# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

 

ciscoasa/sec/stby# ping ISE-1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to ISE-1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Re: ASA Failover is OK but can't issue 'failover exec mate' commands

If I were you, I would stop and not proceed with this upgrade. Can you share the aaa-server configuration on both units? Also, could you give us the show failover history?

 

ciscoasa/pri/act# failover exec mate show version
Fallback authorization. Username 'john' not in LOCAL database
Command authorization failed

 

When you SSH to the primary active unit, is the user John configured and authenticated on the ISE server? Share your aaa-server config.

 

Please do not forget to rate.