Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1624
Views
0
Helpful
3
Replies

TACACS+ fallback problem ASA 5520

arun.stha
Level 1
Level 1

‎09-05-2013 03:21 AM - edited ‎03-11-2019 07:34 PM

Hi,

I  have configured tacacs in ASA 5520, it is working fine, I can login  into ASA with tacacs credentials..authentication is successfull when  tacacs server is unreachable Local authentication is also  successfull.....But after that when Tacacs server is reachable again...I am not able to login with tacacs credentials.

Is the the bug of Cisco ASA 5520 software image?

Below are the configurations:

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (inside) host 1.1.1.1

key tacacs_key

aaa authentication enable console TACACS+ LOCAL

aaa authentication http console TACACS+ LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console TACACS+ LOCAL

aaa accounting enable console TACACS+

aaa accounting ssh console TACACS+

aaa accounting command privilege 15 TACACS+

Labels:
0 Helpful
3 Replies 3

sokakkar
Cisco Employee
Cisco Employee

‎09-11-2013 10:51 AM

Hi Arun,

Can you take captures on inside interface of ASA when problem occurs? Put the captures in pcap.

Paste debug level logs from ASA and logs from ACS when issue is seen.

-

Regards,

Sourav Kakkar

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni

‎09-11-2013 12:27 PM

Hello Arun,

Can you share the following command with us when the AAA authentication against the tacacs+ database is not working

show aaa-server TACACS+  host 1.1.1.1

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Nicolaj Nielsen
Level 1
Level 1

‎11-07-2017 05:05 AM

Hi, its because after a tacacs+ server fails it remains inactive.

You got 2 options.
1. Is to add "reactivation-mode timed" as an commands under "aaa-server TACACS+ protocol tacacs" it will allow your servicer to automaticly re-activated after 30 seconds.

2. Either way you can add "reactivation-mode depletion" in the same spot; this will only activate the server(s) after all servers in the same pool is failed.

Cheers, Nico
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card