Hello Neno,

actually yes, the ASA is configured for AAA.

Through logging monitor logs, the asa recursively states that aaa server failed then it states the aaa server is alive !!!

does that cause any delay in the ASA? and what can be done to avoid this?

In addition, checking the memory and CPU doesn't indicate any high CPU or over utilized memory.

thank you for your help :)

regards,

Majed

Yes, this can most likely cause a delay because depending on how the device is configured. Can you post the output of the following command:

show run aaa

Also, what do you use for a AAA server?

Thank you for rating helpful posts! 

yes sure, i will send the customer to send me the output of the required command and i will share it with you as soon as i get the reply!

regards,

Majed

Hey,

here is the configuration of the aaa:

aaa-server Radius-ACS protocol radius
aaa-server TACACS-ACS protocol tacacs+
aaa-server TACACS-ACS (inside) host 10.163.17.30
 key ******
aaa-server TACACS-ACS (inside) host 10.163.17.31
 key ******
aaa authentication ssh console TACACS-ACS LOCAL
aaa authentication telnet console TACACS-ACS LOCAL
aaa authentication enable console TACACS-ACS LOCAL
aaa authentication http console TACACS-ACS LOCAL
aaa authentication serial console TACACS-ACS LOCAL
aaa authorization command TACACS-ACS LOCAL
aaa authentication secure-http-client

thanks,

Majed

hello Neno,

regarding the TACACS+ server, it was configured for other devices in the network and this ASA is removed from the ACS...

now, regarding removing the configuration; i have tried removing only the "aaa authentication telnet console TACACS-ACS LOCAL" command. but as you suggestion, i believe you mean to replace all the aaa commands with only the local database right?

thanks,

Majed 

Well that would depend on how you would want administrators to authenticate and authorize on the ASA. But yes, removing the TACACS+ reference out of the AAA commands instruct the ASA not to check the ACS server for authentication/authorization. Depending on what version of code you are running, I would recommend consulting the ASA CLI configuration guide:

v8.2

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/access_nw.html

Also, if the ASDM is available and you are more comfortable with it, then I would recommend using it. The ASDM makes it very simple when it comes to configuring such services and from there it is a lot easier to tell the device if it should use tacacs+, local etc

I hope this helps!

Thank you for rating helpful posts!

Hello Neno,

thank you very much for your help and support. your advice worked with us perfectly and the ASA is now working properly without any delay in viewing the commands :)

Problem Description: We were facing delays and very slow response from the ASA to view any output for all show commands!

Analysis (By Neno Spasov): the ASA is configured for AAA authentication/authorization, while the ACS "AAA server" is not configured for ASA! this causes the ASA to check with the AAA each time you type a command but with no response from the ASA, after timeout ASA checks with the local database and view the output

Solution (By Neno Spasov): remove the aaa server commands from the ASA configuration

Thank you again Neno :)

kind regards,

Majed