TACACS not working in ASA 8.0(3)

Unanswered Question
Feb 24th, 2009

We have quite a few ASAs with similar TACACS and crypto configs, but yesterday we had an issue with a PIX and we swapped the PIX with an ASA 8.0(3). The tunnel is up and running, but we are not able to log in using TACACS even after the configs, and I found a bug on cisco.com which asks us to use the command "crypto map set reverse-route":


http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk08454


Even after configuring it right, I am not able to log in using TACACS. Can someone tell me how to use this command, or any other way?

Thanks in advance

ansalaza Tue, 02/24/2009 - 13:09
Ok, so the local device was swapped from PIX to ASA. What is the remote device?

Could you show us the configs from both ends of the tunnel?


dbellamkonda Tue, 02/24/2009 - 13:40
We have a tunnel established with a remote ASA and here are the related configs. Let me know if you need anything; thanks for replying, though.

Local device configs:




aaa-server protocol tacacs+
aaa-server host <ip>

aaa authentication ssh console
aaa authentication http console

access-list extended permit ip any
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map 20 match address
crypto map 20 set peer x.x.x.x
crypto map 20 set transform-set ESP-3DES-MD5
crypto map 20 set reverse-route
crypto map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
crypto isakmp policy 65535






Remote ASA:

access-list remark MobileAL
access-list extended permit ip any ip add subnet
crypto map 1925 match address outside_1925_cryptomap
crypto map 1925 set peer
crypto map 1925 set transform-set ESP-3DES-MD5
crypto map 1925 set security-association lifetime seconds 86400
crypto map 1925 set nat-t-disable
crypto map 1925 set reverse-route


ansalaza Tue, 02/24/2009 - 14:07
Sorry, the partial config does not help much...

Please try collecting these debugs from the local ASA:

debug aaa authentication
debug tacacs

Do you have connectivity (ping) from the remote end to the server behind the local ASA?

Do you see any failed attempts on ACS?

ansalaza Tue, 02/24/2009 - 18:04
It might be easier to check if TACACS traffic is reaching the local interface pointing to the ACS server:

Step 1:

access-list captured permit tcp any any eq 49

Step 2:

capture tacacs access-list captured interface <interface>

<interface> is the interface pointing to the ACS server.

To see the information:

Option A:

show capture tacacs

Option B:

https://<ASA-inside-IP>/admin/capture/tacacs

where <ASA-inside-IP> is the IP address of your Cisco ASA's inside interface.

To remove the access-list:

clear configure access-list captured

To remove the capture:

no capture tacacs
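To turn that capture into a quick verdict, here is an added Python example (not code from the thread or from Cisco) that parses constructed `show capture tacacs` output and reports whether TCP/49 traffic is only leaving the ASA or is also coming back from the ACS server. The tcpdump-style packet-line format, the sample addresses and the server IP are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `show capture tacacs` output (illustrative, not from the thread).
# Assumed format: one tcpdump-style line per packet, "src.port > dst.port: flags ...".
SAMPLE_CAPTURE = """\
4 packets captured
   1: 13:09:12.345678 192.0.2.10.40123 > 198.51.100.5.49: S 1000:1000(0) win 8192 <mss 1380>
   2: 13:09:13.345901 192.0.2.10.40123 > 198.51.100.5.49: S 1000:1000(0) win 8192 <mss 1380>
   3: 13:09:15.346102 192.0.2.10.40123 > 198.51.100.5.49: S 1000:1000(0) win 8192 <mss 1380>
   4: 13:09:20.100000 192.0.2.10.40124 > 198.51.100.5.49: S 2000:2000(0) win 8192 <mss 1380>
4 packets shown
"""

PKT_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+): (\S+)"
)


def parse_capture(text):
    """Return (src, sport, dst, dport, flags) tuples for every packet line."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            packets.append((src, int(sport), dst, int(dport), flags))
    return packets


def diagnose(packets, server_ip, tacacs_port=49):
    """Classify the capture as 'no_traffic', 'one_way' or 'two_way'.

    'one_way' means the ASA sends TCP/49 SYNs but nothing returns from the
    server: the symptom to expect when the server's replies are not routed
    back through the tunnel (e.g. missing reverse-route or crypto ACL mismatch).
    """
    to_server = [p for p in packets if p[2] == server_ip and p[3] == tacacs_port]
    from_server = [p for p in packets if p[0] == server_ip and p[1] == tacacs_port]
    syn_retries = defaultdict(int)  # SYNs per client socket: repeats = no answer
    for src, sport, _, _, flags in to_server:
        if flags.startswith("S"):
            syn_retries[(src, sport)] += 1
    if not to_server:
        verdict = "no_traffic"  # ASA never sent anything: check aaa-server host/interface
    elif not from_server:
        verdict = "one_way"
    else:
        verdict = "two_way"
    return {"verdict": verdict, "sent": len(to_server), "received": len(from_server),
            "syn_retries": dict(syn_retries)}
```

Paste the real `show capture tacacs` output in place of the sample and pass the ACS server's IP to `diagnose`; a `one_way` verdict with repeated SYNs points at the return path rather than at the AAA configuration.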

dbellamkonda Wed, 02/25/2009 - 06:28
Thanks much, sir.

Will do that and let you know if I need anything.

Thanks again for your time and help.