Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
723
Views
0
Helpful
5
Replies

tacacs authentication stopped working on pix

sonjam
Level 1
Level 1

‎12-11-2007 11:54 AM - edited ‎02-21-2020 10:20 AM

Up until a few hours ago I was able to ssh to my pix firewall and login with my tacacs account. It mysteriously stopped working. My account isn't locked and I can ssh to the standby ip address (the failover pix) and log in via tacacs (proves routing, ACLs and TACACS works). Any ideas why this happened and what I can do to fix it? I've compared both configs (from primary and failover firewalls) and they are exactly the same.

Labels:
0 Helpful
5 Replies 5

Richard Burts
Hall of Fame
Hall of Fame

‎12-11-2007 01:49 PM

Sonja

I can not tell from your post whether you are accessing the PIX from inside or from outside? Can you clarify?

Is it possible that the primary PIX is having a problem with one of its interfaces that might impact the access to the device (so that it never attempts to authenticate) or that interferes with the attempt to authenticate?

On the TACACS server do you see authentication attempts when you attempt to SSH to the primary firewall?

HTH

Rick

HTH

Rick
0 Helpful

sonjam
Level 1
Level 1
In response to Richard Burts

‎12-11-2007 02:32 PM

This is access from the inside.

It is possible that the pix is having interface problems, but it's also very coincidental. I look into that.

And no, I don't see any attempts on the TACACS server from that pix.

Could there be something else stopping TACACS or any new sessions on the pix itself?

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to sonjam

‎12-12-2007 09:45 AM

Sonja

It would seem that either the PIX is not generating the authentication request, or that it is generating the request but is not able to send the request.

Do you have access to this PIX by some means other than SSH (telnet, console, etc)? Can you verify whether data traffic is going through the PIX ok?

HTH

Rick

HTH

Rick
0 Helpful

cisco24x7
Level 6
Level 6
In response to Richard Burts

‎12-13-2007 10:27 AM

I had the exact same issue you're facing with

about 6 months ago. I could not ssh into

active Pix with local account. no issue with

ssh to the standby Pix. By the way,

we're accessing this device from the inside

interface. Telnet to the active pix had

no issue

I engaged Cisco TAC to troubleshoot this

problem. They spent about six hours

troubleshooting this issue. They finally

gave up and blamed it on hardware issue.

I still have that issue today.

0 Helpful

tq.captaris
Level 1
Level 1
In response to sonjam

‎12-14-2007 12:26 AM

try reboot or restart the interface on the TACACS server. it might have cached the MAC for the PIX IP if there was a little hiccup on the PIX pair.

0 Helpful
Customers Also Viewed These Support Documents