issue with one of our ASAs authenticating

Unanswered Question
Aug 28th, 2007

one of our ASAs is having problems authenticating against our tacacs server. We can run the test authentication feature fine and the ASA can ping the server. However when I try to authenticate I see this in the log:

4 Aug 28 2007 09:30:31 409023 Attempting AAA Fallback method LOCAL for Authentication request for user [someuser] : Auth-server group [acsserver] unreachable

On the ACS server I don't see any failed attmpets on the logs. All of our other devices work fine including a few other ASAs. Th eonly difference with this guy is that its running 8.0 software. I double checked the shared key and its okay (well it should be fine since I can run the test fine). Any ideas?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jagdeep Gambhir Tue, 08/28/2007 - 07:41


Do you see any hits on acs passed attempts ? Try increasing tacacs timeout and see if that makes any difference.



jackleung Tue, 08/28/2007 - 08:29

I took a look at those logs. I see the hits when I run the test authentication from the ASA (I'm logged in locally as fallback at the moment) but when I try to login as normal with my AD creds I dont see any hits.

pemasirid Wed, 03/12/2008 - 06:40

Hi Jack,

Hoped you solved the issue with AAA authorization in your ASA. I have simmilar issue with my ASA.

I configured AAA authorization in firewall but it works only for local username/password. PIX version 7.2(2) and ACS-SE 4.1.

Here is my configurations

XXX-PIX515(config)# sh run aaa-server

aaa-server VPN protocol radius

accounting-mode simultaneous

aaa-server VPN host

key XXX

aaa-server VPN host

key XXX

aaa-server my-group protocol tacacs+

aaa-server my-group host

key XXXX

aaa authentication telnet console my-group LOCAL

aaa authentication enable console my-group LOCAL

aaa authorization command my-group LOCAL

aaa accounting command privilege 15 my-group

Note: Also I have RADIUS as same ACS for my VPN access and I add it as RADIUS client with different key. Moreover I could not see any failed logs on ACS. It works fine with local authorization.

Can you tell me why I cant authenticate and authorize with TACACS+ server.

Thanks in advance


This Discussion