cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1110
Views
15
Helpful
8
Replies

TACACS+ Problem on Management Interface After ASA Upgrade

Hi Guys,

We recently upgraded our ASA to 9.5.2 to allow us to have a separate routing table for the management interface, and allow us to reach the TACACS server through this interface. We currently have ACS for TACACS.

After upgrade, we are no longer able to authenticate through TACACS and we are receiving a timeout error after a bit:

test aaa-server authentication TACACS+ 

Server IP Address or name: 172.16.36.36
Username: test
Password: *************
INFO: Attempting Authentication test to IP address <172.16.36.36> (timeout: 12 seconds)
ERROR: Authentication Server not responding: No error

We tried to perform a packet capture on the interface and found no packets being sent through the management interface.

The below checks were done:

  • Ping using management interface IP as source, to the ACS server was successful. The icmp traffic was also present in the capture configured:

ping management 172.16.36.36
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.36.36, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

show cap cap1

10 packets captured

1: 14:43:16.595840 172.16.72.16 > 172.16.36.36: icmp: echo request
2: 14:43:16.596404 172.16.36.36 > 172.16.72.16: icmp: echo reply
3: 14:43:16.596725 172.16.72.16 > 172.16.36.36: icmp: echo request
4: 14:43:16.597106 172.16.36.36 > 172.16.72.16: icmp: echo reply
5: 14:43:16.597396 172.16.72.16 > 172.16.36.36: icmp: echo request
6: 14:43:16.597762 172.16.36.36 > 172.16.72.16: icmp: echo reply
7: 14:43:16.598052 172.16.72.16 > 172.16.36.36: icmp: echo request
8: 14:43:16.598510 172.16.36.36 > 172.16.72.16: icmp: echo reply
9: 14:43:16.598800 172.16.72.16 > 172.16.36.36: icmp: echo request
10: 14:43:16.599273 172.16.36.36 > 172.16.72.16: icmp: echo reply

  • Routing table for management-only is correct:

S        172.16.36.36 255.255.255.255 [1/0] via 172.16.75.200, management

C        172.16.72.0 255.255.252.0 is directly connected, management

  • NTP traffic through the management interface is passing normally and are present in the packet capture

Below the configuration for the aaa-server:

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 172.16.36.36
key *****

Additional info:

  • No access-lists have been set on the management interface
  • The software was upgraded to the latest interim version of the 9.5.2 image and still the same issue
  • The ASA is currently running in an active/standby setup, with the problem occurring on the standby ASA. The active ASA has not been upgraded to 9.5 version, so it is working normally without management routing table

Any hints or recommended additional tests would be appreciated.

Thank you

2 ACCEPTED SOLUTIONS

Accepted Solutions

We seemed to be hitting bug

We seemed to be hitting bug CSCuw26653:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuw26653/?referring_site=bugquickviewclick

Removing the management-access interface solved the problem

Cisco Employee

DE's closed this defect with

DE's closed this defect with the comments that there is a design limitation in supporting two interface types defined for a single interface (management-only and management-access). There was a discussion going on to document the same in the ASA configuration guide. Hence there is no upgrade available to fix this.

Hope it helps.

Regards,

Jatin

~Jatin Katyal
8 REPLIES 8

We seemed to be hitting bug

We seemed to be hitting bug CSCuw26653:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuw26653/?referring_site=bugquickviewclick

Removing the management-access interface solved the problem

Cisco Employee

Exactly. Thanks for sharing.

Exactly. Thanks for sharing.

~ Jatin

~Jatin Katyal

Hi there Jatin.

Hi there Jatin.

Do you know if there is a fix for this bug in any software releases?

Cisco Employee

DE's closed this defect with

DE's closed this defect with the comments that there is a design limitation in supporting two interface types defined for a single interface (management-only and management-access). There was a discussion going on to document the same in the ASA configuration guide. Hence there is no upgrade available to fix this.

Hope it helps.

Regards,

Jatin

~Jatin Katyal

Thanks for the clarification

Thanks for the clarification Jatin!

Cisco Employee

Yw - have a good one. ~ Jatin

Yw - have a good one.

~ Jatin

~Jatin Katyal
Hall of Fame Master

Great info. Thanks for

Great info. Thanks for sharing guys.

Highlighted
Contributor

Re: TACACS+ Problem on Management Interface After ASA Upgrade

We have experienced the same issue with LDAP protocol. Workaround works too.