12-06-2024 05:49 AM
I have an ASA 5516-X with firmware version 9.16(4)
I'm trying to configure aaa-server on the ASA
This ASA has a site-to-site VPN connection to another ASA, behind which is an ISE server with IP address 172.16.1.100
When I perform a test authentication of aaa-server, the message "ERROR: Authentication Server does not answer: No active server found" appears
Command packet-traceroute from mgmt interface to ISE IP shows a drop in phase 2
There is IP communication between ASA and ISE. I can ping from ASA to ISE.
ASA settings:
What can block radius request packets from ASA to ISE?
12-06-2024 05:52 AM
Use VTI nameif as interface to connect to ISE
I think the Mgmt interface cannot be used here.
MHM
12-06-2024 11:28 PM
ASA can't use VTI name to configure aaa-server.
I have tried to use nameif outside1 as the interface to connect to ISE. I have also changed nameif mgmt to inside1.
The result is the same.
12-07-2024 12:00 AM - edited 12-07-2024 12:00 AM
You use inside, that's good.
Only two more steps are needed:
1- Make sure you have a route to ISE via VTI
2- Configure inside with management-access
I send you a PM
MHM
12-08-2024 09:45 AM
I configured the inside interface instead of the mgmt interface. The result is the same. The inside interfaces have the management-access command. There is a route to ISE via vti. I can ping from a host on the 10.10.200.0 network to ISE. But packet-trace icmp from the ASA interface to ISE shows Phase2 drops. Packet-trace udp is also dropped. It seems that packets from the ASA's own IP interface to ISE are dropped by the ASA. I have other network devices on the 10.10.200.0 network. All devices connect to the ASA via the vti interface without problems.