08-09-2016 04:17 AM - edited 03-10-2019 11:59 PM
Hi Guys,
We recently upgraded our ASA to 9.5.2 to allow us to have a separate routing table for the management interface, and allow us to reach the TACACS server through this interface. We currently have ACS for TACACS.
After upgrade, we are no longer able to authenticate through TACACS and we are receiving a timeout error after a bit:
test aaa-server authentication TACACS+
Server IP Address or name: 172.16.36.36
Username: test
Password: *************
INFO: Attempting Authentication test to IP address <172.16.36.36> (timeout: 12 seconds)
ERROR: Authentication Server not responding: No error
We tried to perform a packet capture on the interface and found no packets being sent through the management interface.
The below checks were done:
ping management 172.16.36.36
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.36.36, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
show cap cap1
10 packets captured
1: 14:43:16.595840 172.16.72.16 > 172.16.36.36: icmp: echo request
2: 14:43:16.596404 172.16.36.36 > 172.16.72.16: icmp: echo reply
3: 14:43:16.596725 172.16.72.16 > 172.16.36.36: icmp: echo request
4: 14:43:16.597106 172.16.36.36 > 172.16.72.16: icmp: echo reply
5: 14:43:16.597396 172.16.72.16 > 172.16.36.36: icmp: echo request
6: 14:43:16.597762 172.16.36.36 > 172.16.72.16: icmp: echo reply
7: 14:43:16.598052 172.16.72.16 > 172.16.36.36: icmp: echo request
8: 14:43:16.598510 172.16.36.36 > 172.16.72.16: icmp: echo reply
9: 14:43:16.598800 172.16.72.16 > 172.16.36.36: icmp: echo request
10: 14:43:16.599273 172.16.36.36 > 172.16.72.16: icmp: echo reply
S 172.16.36.36 255.255.255.255 [1/0] via 172.16.75.200, management
C 172.16.72.0 255.255.252.0 is directly connected, management
Below the configuration for the aaa-server:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 172.16.36.36
key *****
Additional info:
Any hints or recommended additional tests would be appreciated.
Thank you
08-12-2016 04:23 AM
We seemed to be hitting bug CSCuw26653:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuw26653/?referring_site=bugquickviewclick
Removing the management-access interface solved the problem
08-12-2016 03:25 PM
Exactly. Thanks for sharing.
~ Jatin
08-13-2016 12:49 AM
Hi there Jatin.
Do you know if there is a fix for this bug in any software releases?
08-13-2016 06:18 AM
DEs closed this defect with the comments that there is a design limitation in supporting two interface types defined for a single interface (management-only and management-access). There was a discussion going on to document the same in the ASA configuration guide. Hence there is no upgrade available to fix this.
Hope it helps.
Regards,
Jatin
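Since the combination is a documented design limitation rather than something a later release fixes, the practical check is a configuration audit: flag any interface that is both `management-only` and the `management-access` interface while an `aaa-server ... (nameif) host` entry is bound to it. The script below is an added example, not code from the thread or from Cisco; the running-config excerpts are constructed to mirror the poster's setup (same nameif, server group and addresses) and are not the poster's actual `show running-config`. It generalizes past TACACS+ to any aaa-server group on the bound interface, which matches the later report that LDAP hits the same condition. The `no management-access <nameif>` remediation line is assumed to be the CLI form of the workaround described above.

```python
"""Audit an ASA running-config for the conflict this thread hit:
an interface that is management-only AND selected by management-access,
with an aaa-server host bound to it. Added example, not the thread's code."""
import re
from dataclasses import dataclass, field

# Constructed running-config excerpt (not the poster's real config) reproducing
# the shape of the failing setup: management-only interface, management-access
# pointed at the same nameif, TACACS+ host bound to that nameif.
BROKEN_CONFIG = """\
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 172.16.72.16 255.255.252.0
!
route management 172.16.36.36 255.255.255.255 172.16.75.200 1
!
management-access management
!
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 172.16.36.36
 key *****
"""

# Same config with the workaround applied (management-access removed).
FIXED_CONFIG = BROKEN_CONFIG.replace("management-access management\n!\n", "")

INTERFACE_RE = re.compile(r"^interface (\S+)")
NAMEIF_RE = re.compile(r"^ nameif (\S+)")
MGMT_ONLY_RE = re.compile(r"^ management-only$")
MGMT_ACCESS_RE = re.compile(r"^management-access (\S+)")
AAA_HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)")


@dataclass
class AsaConfig:
    management_only: set = field(default_factory=set)    # nameifs carrying management-only
    management_access: set = field(default_factory=set)  # nameifs named in management-access
    aaa_hosts: list = field(default_factory=list)        # (group, nameif, host) tuples


def parse_config(text: str) -> AsaConfig:
    """Minimal parser for the three config elements the audit needs.
    Indented lines belong to the preceding 'interface' block; any non-indented
    line closes that block."""
    cfg = AsaConfig()
    in_iface, nameif, mgmt_only = False, None, False
    for line in text.splitlines() + [""]:  # sentinel closes a trailing interface block
        if in_iface and line.startswith(" "):
            m = NAMEIF_RE.match(line)
            if m:
                nameif = m.group(1)
            elif MGMT_ONLY_RE.match(line):
                mgmt_only = True
            continue
        if in_iface:  # non-indented line: interface block ended
            if nameif and mgmt_only:
                cfg.management_only.add(nameif)
            in_iface, nameif, mgmt_only = False, None, False
        if INTERFACE_RE.match(line):
            in_iface = True
            continue
        m = MGMT_ACCESS_RE.match(line)
        if m:
            cfg.management_access.add(m.group(1))
            continue
        m = AAA_HOST_RE.match(line)
        if m:
            cfg.aaa_hosts.append(m.groups())
    return cfg


def find_conflicts(cfg: AsaConfig) -> list:
    """(group, nameif, host) for every aaa-server host bound to an interface that is
    both management-only and the management-access interface. Protocol-agnostic:
    TACACS+, LDAP or RADIUS groups are all reported."""
    conflicted = cfg.management_only & cfg.management_access
    return [h for h in cfg.aaa_hosts if h[1] in conflicted]


def remediation(cfg: AsaConfig) -> list:
    """ASA CLI lines applying the thread's workaround: drop management-access on the
    conflicting interface(s) and keep management-only (assumed 'no' form)."""
    conflicted = cfg.management_only & cfg.management_access
    return [f"no management-access {n}" for n in sorted(conflicted)]


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        cfg = parse_config(text)
        print(label, "conflicts:", find_conflicts(cfg), "fix:", remediation(cfg))
```

Run it against a real `show running-config` saved to a file by passing the file contents to `parse_config`; a non-empty result from `find_conflicts` means AAA traffic bound to that interface will behave as in the original post, and `remediation` prints the lines to apply. Note that the audit only inspects configuration; it does not replace the `test aaa-server` and capture steps, which confirm the symptom on the box.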
08-13-2016 08:39 AM
Thanks for the clarification Jatin!
08-13-2016 08:45 AM
Yw - have a good one.
~ Jatin
08-13-2016 09:40 AM
Great info. Thanks for sharing guys.
07-08-2019 09:18 AM
We have experienced the same issue with LDAP protocol. Workaround works too.