11-13-2014 04:07 AM - edited 02-21-2020 05:19 AM
Dears,
I am using an ASA5520 in active/standby failover... when we connect through console or telnet and enter any "show" command, it is very slow in viewing the output!!!
thanks,
Majed
11-17-2014 10:09 PM
Hello Majed-
Do you by any chance have aaa configured and your aaa servers are down or not available?
Thank you for rating helpful posts!
11-17-2014 10:48 PM
Hello Neno,
actually yes, the ASA is configured for AAA.
Through the logging monitor logs, the ASA repeatedly states that the AAA server failed and then states that the AAA server is alive!!!
Does that cause any delay in the ASA, and what can be done to avoid this?
In addition, checking the memory and CPU doesn't indicate any high CPU or over utilized memory.
thank you for your help :)
regards,
Majed
11-17-2014 10:51 PM
Yes, this can most likely cause a delay, depending on how the device is configured. Can you post the output of the following command:
show run aaa
Also, what do you use as an AAA server?
Thank you for rating helpful posts!
11-17-2014 10:54 PM
Yes, sure. I will ask the customer to send me the output of the required command and I will share it with you as soon as I get the reply!
regards,
Majed
11-18-2014 01:05 AM
Hey,
here is the AAA configuration:
aaa-server Radius-ACS protocol radius
aaa-server TACACS-ACS protocol tacacs+
aaa-server TACACS-ACS (inside) host 10.163.17.30
key ******
aaa-server TACACS-ACS (inside) host 10.163.17.31
key ******
aaa authentication ssh console TACACS-ACS LOCAL
aaa authentication telnet console TACACS-ACS LOCAL
aaa authentication enable console TACACS-ACS LOCAL
aaa authentication http console TACACS-ACS LOCAL
aaa authentication serial console TACACS-ACS LOCAL
aaa authorization command TACACS-ACS LOCAL
aaa authentication secure-http-client
thanks,
Majed
11-18-2014 10:52 PM
Ok, so the ASA is configured with AAA, more specifically TACACS+. Moreover, you reported that the AAA server keeps showing up as DOWN and then UP again. I believe that is the root cause of your problem. When you try to execute a command, the ASA first tries to check against the AAA server, and after it times out it references the secondary database, which in your case is the local database. So to eliminate this you can do one of the following:
1. Remove TACACS+ related configs and rely on the local database for authentication and authorization
2. Figure out why the TACACS+ server is unavailable/bouncing
Thank you for rating helpful posts!
11-18-2014 11:12 PM
Hello Neno,
regarding the TACACS+ server, it was configured for other devices in the network and this ASA has been removed from the ACS...
Now, regarding removing the configuration: I have tried removing only the "aaa authentication telnet console TACACS-ACS LOCAL" command. But as per your suggestion, I believe you mean to replace all the AAA commands with only the local database, right?
thanks,
Majed
11-19-2014 12:04 AM
Well, that would depend on how you would want administrators to authenticate and authorize on the ASA. But yes, removing the TACACS+ reference from the AAA commands instructs the ASA not to check the ACS server for authentication/authorization. Depending on what version of code you are running, I would recommend consulting the ASA CLI configuration guide:
v8.2
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/access_nw.html
Also, if the ASDM is available and you are more comfortable with it, then I would recommend using it. The ASDM makes it very simple when it comes to configuring such services, and from there it is a lot easier to tell the device whether it should use TACACS+, LOCAL, etc.
I hope this helps!
Thank you for rating helpful posts!
11-19-2014 10:43 PM
Hello Neno,
Thank you very much for your help and support. Your advice worked perfectly for us, and the ASA is now working properly without any delay in viewing the commands :)
Problem Description: We were facing delays and very slow response from the ASA to view any output for all show commands!
Analysis (By Neno Spasov): the ASA is configured for AAA authentication/authorization, while the ACS "AAA server" is not configured for the ASA! This causes the ASA to check with the AAA server each time you type a command, but with no response from the ASA; after the timeout the ASA checks with the local database and shows the output.
Solution (By Neno Spasov): remove the aaa server commands from the ASA configuration
Thank you again Neno :)
kind regards,
Majed
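As an added example (not code from this thread or from Cisco), the Python script below parses a "show run aaa" output like the one posted above, reports which services will sit on a TACACS+ timeout before falling back to LOCAL when no host in the group is reachable, and produces the LOCAL-only configuration that resolved the issue. The sample config and the reachability map are constructed; the script does not probe any server.

```python
import re

# Constructed sample modelled on the "show run aaa" output posted above (key lines omitted).
AAA_CONFIG = """\
aaa-server TACACS-ACS protocol tacacs+
aaa-server TACACS-ACS (inside) host 10.163.17.30
aaa-server TACACS-ACS (inside) host 10.163.17.31
aaa authentication ssh console TACACS-ACS LOCAL
aaa authentication enable console TACACS-ACS LOCAL
aaa authorization command TACACS-ACS LOCAL
aaa authentication secure-http-client
"""

HOST_RE = re.compile(r"aaa-server (\S+) \(\S+\) host (\S+)")
# Group 1 is the service prefix, group 2 the ordered method list (e.g. "TACACS-ACS LOCAL").
METHOD_RE = re.compile(r"(aaa (?:authentication|authorization) \S+(?: console)? )(.+)")


def parse_aaa(cfg):
    """Return (group -> [host IPs], [(service, [methods in order])])."""
    hosts, methods = {}, []
    for line in cfg.splitlines():
        if m := HOST_RE.match(line):
            hosts.setdefault(m.group(1), []).append(m.group(2))
        elif m := METHOD_RE.match(line):  # 'secure-http-client' has no method list
            methods.append((m.group(1).strip(), m.group(2).split()))
    return hosts, methods


def delayed_methods(hosts, methods, reachable):
    """Services whose first method is a server group with no reachable host; each such
    login or command authorization waits for the server timeout before LOCAL is tried.
    'reachable' maps host IP -> bool and is supplied by the caller (constructed here)."""
    slow = []
    for service, order in methods:
        group = order[0]
        if group != "LOCAL" and not any(reachable.get(h, False) for h in hosts.get(group, [])):
            slow.append((service, group))
    return slow


def local_only(cfg):
    """The fix the thread settled on: drop aaa-server lines and keep LOCAL as the
    sole method wherever it was already listed as the fallback."""
    kept = []
    for line in cfg.splitlines():
        if line.startswith("aaa-server"):
            continue
        m = METHOD_RE.match(line)
        if m and "LOCAL" in m.group(2).split():
            line = m.group(1) + "LOCAL"
        kept.append(line)
    return "\n".join(kept)
```

Feed `delayed_methods` a reachability map built from your own monitoring (for example, the server-failed/alive log pattern described above) to see which admin paths will stall.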