TACACS not working in ASA 8.0(3)

Unanswered Question
Feb 24th, 2009

We have quite a few ASA s with similar tacacs and crypto configs but yesterday we had issue with pix and we swapped pix with ASA 8.0(3) and tunnel is up and running but we are not able to login using tacacs even after the configs,, and i found a bug in cisco.com which asks us to use command " crypto map set reverse-route"


even after configuring it right,, am not able to,, login using tacacs,, can some tell me how to use this command or ,, any other way ?

thnx in advance

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
ansalaza Tue, 02/24/2009 - 13:09

Ok so Local Device was swapped from PIX to ASA. What is the remote Device?

Could you show us the configs from both Ends of the tunnel?

dbellamkonda Tue, 02/24/2009 - 13:40

we have a tunnel established with remote ASA and here are the configs related: let me know if ya need any hing,, thnx for replyin thgh

local device configs:

aaa-server protocol tacacs+

aaa-server host < ip>

aaa authentication ssh console

aaa authentication http console

access-list extended permit ip any

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map 20 match address

crypto map 20 set peer x.x.x.x

crypto map 20 set transform-set ESP-3DES-MD5

crypto map 20 set reverse-route

crypto map interface outside

crypto isakmp enable outside

crypto isakmp policy 20

crypto isakmp policy 65535

remote ASA

access-list remark MobileAL

access-list extended permit ip any ip add subnet

crypto map 1925 match address outside_1925_cryptomap

crypto map 1925 set peer

crypto map 1925 set transform-set ESP-3DES-MD5

crypto map 1925 set security-association lifetime seconds 86400

crypto map 1925 set nat-t-disable

crypto map 1925 set reverse-route

ansalaza Tue, 02/24/2009 - 14:07

Sorry, the partial config does not help much...

Please try collecting these debugs from the local ASA:

debug aaa authentication

debug tacacs

Do you have connectivity (ping) from remote End to the Server behind the Local ASA?

Do you see any failed attempts on ACS?

ansalaza Tue, 02/24/2009 - 18:04

It might be easier to check if

TACACS traffic is reaching the local Interface pointing to the ACS Server:

Step 1:

access-list captured permit tcp any any eq 49

Step 2:

capture tacacs access-list captured interface

is the Interface pointing to the ACS Server.

To see the information:

Option A:

show capture tacacs

Option B:


where is the IP address of your Cisco ASA's inside interface.

To remove the access-list:

clear configure access-list captured

To remove the Capture:

No capture tacacs

dbellamkonda Wed, 02/25/2009 - 06:28

Thnx much sir,

Will do that and let u know if i need any thing,.

Thnx again for ur time and help


This Discussion