Cisco Support Community
Community Member

Admin TACACS+ access fails ASA in Active/Standby Configuration

We have two ASA 5510 with version 8.2(1) in Active/Standby configuration. The failover works fine, but when the primary ASA comes back it remains standby, so we manually change it to active with the failover active command. Then we try to access the device using a TACACS+ account and it doesn't work; only the local account works. After a period of time (15 min), the TACACS+ access starts to work.

4 REPLIES

Re: Admin TACACS+ access fails ASA in Active/Standby Configurati

I'm not sure about your configuration, but when in timed mode, a server that is declared "failed" will once again be made available after 30 seconds. Unlike reactivation mode, it is not necessary for all of the servers to fail before any can be reactivated.

One possible source of confusion to be aware of in timed mode: the "show aaa-server" command will continue to show the server as FAILED until the server is needed to authenticate a connection.

depletion: Reactivates failed servers only after all of the servers in the group are inactive.

timed: Reactivates failed servers after 30 seconds of down time.

Please tweak reactivation mode.

Regards,

~JG

Do rate helpful posts

Community Member

Re: Admin TACACS+ access fails ASA in Active/Standby Configurati

I think I didn't explain myself clearly.

The TACACS servers are Cisco ACS ver 4.2 and both of them work fine. The issue is that when the Active ASA5510 goes down for whatever reason and then comes back up, it remains in standby mode; it must be set active manually. After it is set active, we try to log in using a TACACS account and it doesn't work; the local account does. We have to wait, and then we have TACACS access.

Thanks for any help.

Regards,

jman

Cisco Employee

Re: Admin TACACS+ access fails ASA in Active/Standby Configurati

Hi Jman,

When you say that you have to wait for the next 15 min for TACACS to respond, what error message do you see on the ACTIVE ASA/ACS for the FAILED attempts?

Also, please reproduce the issue if possible and help me with the following:

sh run aaa

sh run aaa-server

debug aaa authentication

debug tacacs

Please revert if you have any query or concern.

HTH

JK

Pls rate helpful posts

~Jatin Katyal

Re: Admin TACACS+ access fails ASA in Active/Standby Configurati

Hi Jman,

I understand your issue here. Please provide the output of

pixfirewall(config)# show run aaa-server

It seems that aaa-server is marked dead due to reactivation-mode timer. We need to tweak this timer.

Regards,

~JG

Do rate helpful posts
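
A configuration sketch of the two reactivation modes discussed in this thread, added here as an example and not posted by any participant. The group name TACACS-GRP, the interface name inside, the address 192.0.2.10, the deadtime value and the key placeholder are assumptions.

```cisco
! Constructed example. Hypothetical names: TACACS-GRP, inside, 192.0.2.10.

! Variant 1: depletion mode.
! Failed servers are reactivated only after every server in the group
! is inactive. "deadtime" (in minutes) is how long the ASA waits after
! the last server is disabled before re-enabling the group; during that
! window admin logins are served by the LOCAL fallback only.
aaa-server TACACS-GRP protocol tacacs+
 reactivation-mode depletion deadtime 1
 max-failed-attempts 3

! Variant 2: timed mode (use instead of the depletion line above).
! Each failed server is retried after 30 seconds of down time, without
! waiting for the other servers in the group to fail.
aaa-server TACACS-GRP protocol tacacs+
 reactivation-mode timed
 max-failed-attempts 3

! Server definition and admin authentication with LOCAL fallback.
aaa-server TACACS-GRP (inside) host 192.0.2.10
 key <shared-secret>
aaa authentication ssh console TACACS-GRP LOCAL

! Checks after a failover: configured mode and current server status.
show run aaa-server
show aaa-server TACACS-GRP
```

In timed mode, "show aaa-server" can keep reporting FAILED until the next authentication request arrives, as noted in the first reply, so confirm with a test login rather than the status line alone.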
