
ASA Primary TACACS+ not working

johnlloyd_13
Level 9

Hi,

I encountered a strange issue with my primary ASA FW. I can't log in via TACACS+ on the primary, but I can log in fine to the secondary ASA. Pings to the ISE/TACACS+ server from both the primary and secondary ASA are fine. I'm only able to log in to the primary ASA using the local user.

Can someone advise if they've encountered a similar issue and how to troubleshoot it? There's no recent change on the primary, and the TACACS+/AAA configs are fine. I was thinking of forcing a failover to the secondary and then reverting back to the primary, but I'm afraid TACACS+ might then fail on both the primary and the secondary.

/pri/act/admin# ping 10.1.1.42
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.42, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

/pri/act/admin# test aaa-server authentication TAC_Group $
INFO: Attempting Authentication test to IP address 10.1.1.42 (timeout: 12 seconds)
ERROR: Authentication Server not responding: No error

-----

/sec/stby/admin# test aaa-server authentication TAC_Group$
INFO: Attempting Authentication test to IP address 10.1.1.42 (timeout: 12 seconds)
INFO: Authentication Successful

 


balaji.bandi
Hall of Fame

Check:

show aaa-server (check the service status is active) to start

Also check on (if this is ISE, the Live Logs give some direction)

# show aaa-server protocol tacacs+ (gives you success and failed)

BB

=====Preenayamo Vasudevam=====


johnlloyd_13
Level 9

Sorry, never mind. I managed to fix this.

"Someone" intentionally changed the TACACS+ shared secret.

 

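Why a changed shared secret looks like this (ping succeeds, the AAA test fails), as an added example that is not part of the original thread: TACACS+ XORs each packet body with an MD5 pad derived from the shared secret (RFC 8907, section 4.5), so ICMP never exercises the key, while a peer holding a different key recovers a body whose length fields no longer add up. The keys, session ID, user, port and address below are constructed sample values.

```python
import hashlib
import struct

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 pad: chained MD5 blocks, truncated to length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        # MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1})
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def xor_body(body, session_id, key, version=0xC0, seq_no=1):
    """Obfuscation and de-obfuscation are the same XOR operation."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(user, port, rem_addr):
    """Authentication START body: 8 fixed bytes, then the variable fields."""
    # action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1)
    header = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), 0])
    return header + user + port + rem_addr

def body_is_sane(body):
    """Receiver-side check: declared field lengths must add up to the body size."""
    if len(body) < 8:
        return False
    return 8 + sum(body[4:8]) == len(body)

def simulate(sender_key, receiver_key, session_id=0x1234ABCD):
    """Return True when the receiver can parse what the sender obfuscated."""
    # Constructed sample fields, not values from the thread.
    plain = build_authen_start(b"admin", b"tty0", b"10.1.1.1")
    wire = xor_body(plain, session_id, sender_key)
    return body_is_sane(xor_body(wire, session_id, receiver_key))

if __name__ == "__main__":
    print("keys match: ", simulate(b"constructed-key", b"constructed-key"))
    print("keys differ:", simulate(b"constructed-key", b"changed-key"))
```

On the server side, a key mismatch typically shows up as a malformed or undecodable request for that one network device, which is why the server-side logs suggested above are the quickest place to confirm it.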