Admin TACACS+ access fails on ASA in Active/Standby configuration

Unanswered Question
Oct 12th, 2009

We have two ASA 5510s with version 8.2(1) in an Active/Standby configuration. The failover works fine, but when the primary ASA comes back it remains standby, so we manually change it to active with the failover active command. Then we try to access the device using a TACACS+ account and it doesn't work; only the local account works. After a period of time (15 min), the TACACS+ access starts to work.

Jagdeep Gambhir Mon, 10/12/2009 - 08:23

I'm not sure about your configuration, but when in timed mode, a server that is declared "failed" will once again be made available after 30 seconds. Unlike reactivation mode, it is not necessary for all of the servers to fail before any can be reactivated.

One possible source of confusion to be aware of in timed mode: the "show aaa-server" command will continue to show the server as FAILED until the server is needed to authenticate a connection.

Reactivates failed servers only after all of the servers in the group are inactive.

Reactivates failed servers after 30 seconds of down time.

Please tweak the reactivation mode.



Do rate helpful posts
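As an added illustration of the setting discussed above (not configuration posted by anyone in this thread), the fragment below shows an ASA 8.2 aaa-server group for two ACS hosts with reactivation-mode switched from the default depletion mode (a FAILED server is retried only after every server in the group has failed and the 10-minute deadtime has elapsed) to timed mode (a FAILED server is retried after 30 seconds), with LOCAL kept as the fallback method. The group name, interface name, addresses and shared key are placeholders. One caveat for the other half of the original question: ASA Active/Standby failover does not preempt, so the returning primary staying standby until `failover active` is issued is expected behaviour, not a fault.

```cisco
! Added example configuration, not taken from the original thread.
! Group name, interface, host addresses and key are assumed placeholders.
!
! Default is "reactivation-mode depletion deadtime 10": a server marked
! FAILED is retried only once all servers in the group have failed and
! 10 minutes have passed. "timed" retries a FAILED server after 30 s.
aaa-server ACS-TACACS protocol tacacs+
 reactivation-mode timed
 max-failed-attempts 3
aaa-server ACS-TACACS (inside) host 10.10.10.11
 key EXAMPLE-SHARED-KEY
 timeout 5
aaa-server ACS-TACACS (inside) host 10.10.10.12
 key EXAMPLE-SHARED-KEY
 timeout 5
!
! Keep LOCAL as the fallback so the unit stays manageable while the
! whole group is marked FAILED (why the local account still worked).
aaa authentication ssh console ACS-TACACS LOCAL
aaa authentication enable console ACS-TACACS LOCAL
aaa authentication http console ACS-TACACS LOCAL
aaa authorization command ACS-TACACS LOCAL
!
! Checks to run from enable mode on the unit that just became active:
! show aaa-server ACS-TACACS
!   -> per-host state (ACTIVE/FAILED) and request/failure counters
! test aaa-server authentication ACS-TACACS host 10.10.10.11 username admin password <pw>
!   -> forces a real request and reactivates the host if it answers
! clear aaa-server statistics ACS-TACACS
```

Note that in timed mode `show aaa-server` keeps reporting FAILED until the next authentication actually hits the server, so use `test aaa-server` rather than the show output alone to confirm the server is back.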

jalmanza_82 Mon, 10/12/2009 - 11:53

I think I didn't explain myself clearly.

The TACACS+ servers are Cisco ACS ver 4.2; both of them work fine. The issue is when the active ASA 5510 goes down for whatever reason and then comes up: it remains in standby mode and must be set active manually. After being set active, we try to log in using a TACACS+ account and it doesn't work; a local account does. We have to wait, and then we have TACACS+ access.

Thanks for any help.



Jatin Katyal Mon, 10/12/2009 - 12:05

Hi Jman,

When you say that you have to wait for the next 15 min for TACACS+ to respond, what error message do you see on the active ASA/ACS for the failed attempts?

Also, please reproduce the issue, if possible, and help me with the following:

sh run aaa

sh run aaa-server

debug aaa authentication

debug tacacs

Please revert if you have any query or concern.



Please rate helpful posts

Jagdeep Gambhir Mon, 10/12/2009 - 17:47

Hi Jaman,

I understand your issue here. Please provide the output of

pixfirewall(config)# show run aaa-server

It seems that the aaa-server is marked dead due to the reactivation-mode timer. We need to tweak this timer.



Do rate helpful posts

