10-12-2009 07:45 AM - edited 03-10-2019 04:44 PM
We have two ASA 5510 with version 8.2(1) in Active/Standby configuration. The failover works fine, but when the primary ASA comes back it remains standby, so we manually change it to active with the failover active command. Then we try to access the device using a TACACS+ account and it doesn't work; just the local account works. After a period of time (15 min), the TACACS+ access starts to work.
10-12-2009 08:23 AM
I'm not sure about your configuration, but when in timed mode, a server that is declared "failed" will once again be made available after 30 seconds. Unlike reactivation mode, it is not necessary for all of the servers to fail before any can be reactivated.
One possible source of confusion to be aware of in timed mode: the "show aaa-server" command will continue to show the server as FAILED until the server is needed to authenticate a connection.
depletion: Reactivates failed servers only after all of the servers in the group are inactive.
timed: Reactivates failed servers after 30 seconds of down time.
Please tweak reactivation mode.
Regards,
~JG
Do rate helpful posts
10-12-2009 11:53 AM
I think I didn't explain myself clearly.
The TACACS servers are Cisco ACS ver 4.2; both of them work fine. The issue is when the Active ASA5510 goes down for whatever reason and then comes up: it remains in standby mode and must be set active manually. After being set active we try to log in using a TACACS account and it doesn't work; a local account does. We have to wait, and then we have TACACS access.
Thanks for any help.
Regards,
jman
10-12-2009 12:05 PM
Hi Jman,
When you say that you have to wait for the next 15 min for TACACS to respond, what error message do you see on the ACTIVE ASA/ACS for the FAILED attempts?
Also, please reproduce the issue, if possible, and help me with the following:
sh run aaa
sh run aaa-server
debug aaa authentication
debug tacacs
Please revert if you have any query or concern.
HTH
JK
Pls rate helpful posts
10-12-2009 05:47 PM
Hi Jman,
I understand your issue here. Please provide the output of
pixfirewall(config)# show run aaa-server
It seems that the aaa-server is marked dead due to the reactivation-mode timer. We need to tweak this timer.
Regards,
~JG
Do rate helpful posts
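The reactivation settings the two replies above point at, shown as an added example ASA configuration rather than anything posted in this thread; the group name ACS-TACACS, the inside interface, the server address 192.0.2.10 and the key placeholder are assumptions.

```cisco
! Added example (not from any post in this thread): a TACACS+ server group
! with explicit reactivation settings and LOCAL fallback for management access.
! Group name, interface, server address and key are assumptions.
aaa-server ACS-TACACS protocol tacacs+
 ! A server is marked FAILED after this many unanswered requests.
 max-failed-attempts 3
 ! depletion (the ASA default) keeps a server FAILED until every server in
 ! the group has failed, then holds the group for the deadtime before retrying.
 ! timed retries a FAILED server after 30 seconds regardless of the others,
 ! so a reachable ACS is used again shortly after a failover event.
 reactivation-mode timed
aaa-server ACS-TACACS (inside) host 192.0.2.10
 key <shared-secret-placeholder>
 timeout 5
!
! Fall back to the local database only when no TACACS+ server answers,
! so CLI access survives while the group is marked FAILED.
aaa authentication ssh console ACS-TACACS LOCAL
aaa authentication enable console ACS-TACACS LOCAL
!
! Verification from exec mode after the unit becomes active:
!   show aaa-server ACS-TACACS
!   test aaa-server authentication ACS-TACACS host 192.0.2.10 username <user> password <pw>
```

The show command reports a server as FAILED until the next authentication actually reaches it, so use the test command to force an attempt when checking whether reactivation has happened.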