10-05-2010 02:47 AM - edited 03-10-2019 05:27 PM
Dear,
I manage an ASA 5540 Active/Failover pair. SSH authentication is done through TACACS+ to ACS 4.2, located in the same VLAN as the inside interface of the firewalls. I have added both firewalls to the ACS using their inside interface IP addresses (the active and standby addresses). I can successfully authenticate and log in to the Active ASA without any problem. But on the standby ASA, I get the SSH prompt but I cannot log in. When I look at the failed-attempts log on the ACS, I see "Unknown NAS" listed for the standby ASA. How can I solve this problem?
best regards,
Abebe Amare
Network Engineer, VivaCell
10-05-2010 05:05 AM
Hi Abebe,
On the secondary ASA, please check the following:
sh failover ---> and make sure the secondary is in standby ready and not failed.
sh aaa-server ----> check the output and see if the ASA has marked the tacacs server as "UP" and exchange of packets.
Enable the following debugs and run a test authentication as mentioned:
debug aaa authentication
debug tacacs
debug ssh
test aaa-server authentication
Please provide me the debugs after taking out your username, so that I can analyze them.
Cheers,
Rudresh V
10-05-2010 06:39 AM
Dear Rudresh,
When I do a sh aaa-server I got the following:
ASA-01# sh aaa-server
Server Group: ACS
Server Protocol: tacacs+
Server Address: 192.168.x.xx
Server port: 49
Server status: ACTIVE, Last transaction at unknown
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 0
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 0
Number of rejects 0
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0
This made me double-check the configuration. I had defined the same ACS server twice with different names and protocols (once for RADIUS to authenticate VPN sessions and once for TACACS+ to authenticate device access). So it turned out I had put the wrong server name under ssh authentication.
Thanks for pointing me in the right direction and I give you full marks.
best regards,
Abebe Amare
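The root cause in this thread was an `aaa authentication ssh console` line that named the RADIUS server group instead of the TACACS+ one, which also explains why the TACACS+ group's counters in `show aaa-server` stayed at zero. The script below is an added example, not code from the thread or from Cisco: it parses an ASA running-config excerpt and flags that mismatch (wrong protocol, undefined group, group with no host), and it reads the "Number of authentication requests" counter from `show aaa-server` output so the zero-traffic symptom can be checked the same way. The config text is constructed for the example; the RADIUS group name `ACS-RADIUS`, the masked key and the redacted address `192.168.x.xx` are assumptions carried over from the redacted output, not the poster's real values.

```python
"""Audit ASA AAA configuration for the mistake found in this thread.

Added example (not Cisco's or the poster's code). The config strings are
constructed; the group name ACS-RADIUS, the masked key and the redacted
address 192.168.x.xx are assumptions.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ServerGroup:
    name: str
    protocol: str                      # e.g. "tacacs+" or "radius"
    hosts: list = field(default_factory=list)   # (interface, address) pairs


def parse_aaa_groups(config: str) -> dict:
    """Collect 'aaa-server <name> protocol <proto>' groups and their hosts."""
    groups = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"aaa-server (\S+) protocol (\S+)$", line)
        if m:
            groups[m.group(1)] = ServerGroup(m.group(1), m.group(2).lower())
            continue
        m = re.match(r"aaa-server (\S+) \((\S+)\) host (\S+)", line)
        if m and m.group(1) in groups:
            groups[m.group(1)].hosts.append((m.group(2), m.group(3)))
    return groups


def ssh_auth_group(config: str):
    """Return the server group named on 'aaa authentication ssh console', or None."""
    for raw in config.splitlines():
        m = re.match(r"aaa authentication ssh console (\S+)", raw.strip())
        if m:
            return m.group(1)
    return None


def audit_ssh_auth(config: str) -> list:
    """Return a list of findings; an empty list means SSH auth points at a
    defined TACACS+ group that has at least one host."""
    findings = []
    groups = parse_aaa_groups(config)
    group = ssh_auth_group(config)
    if group is None:
        return ["no 'aaa authentication ssh console' line: SSH logins are not sent to any AAA server group"]
    if group == "LOCAL":
        return ["SSH authentication uses only the LOCAL database, not the ACS"]
    g = groups.get(group)
    if g is None:
        return [f"SSH authentication references group '{group}', which is not defined"]
    if g.protocol != "tacacs+":
        findings.append(
            f"SSH authentication group '{group}' uses {g.protocol}, not tacacs+; "
            f"device-access logins go to the {g.protocol} listener on the ACS"
        )
    if not g.hosts:
        findings.append(f"group '{group}' has no host configured")
    return findings


def auth_requests(show_aaa_server_output: str) -> int:
    """Parse 'Number of authentication requests N' from 'show aaa-server';
    0 after a login attempt means the request never went to this group."""
    m = re.search(r"Number of authentication requests\s+(\d+)", show_aaa_server_output)
    return int(m.group(1)) if m else -1


# Constructed config: the same ACS defined twice, and SSH pointed at the wrong group.
WRONG_CONFIG = """
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.168.x.xx
 key ********
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.168.x.xx
 key ********
aaa authentication ssh console ACS-RADIUS LOCAL
"""

# Constructed corrected config: SSH now uses the TACACS+ group.
FIXED_CONFIG = WRONG_CONFIG.replace(
    "aaa authentication ssh console ACS-RADIUS LOCAL",
    "aaa authentication ssh console ACS LOCAL",
)

# Excerpt of the 'show aaa-server' output quoted in the thread.
SHOW_AAA_SERVER = """
Server Group: ACS
Server Protocol: tacacs+
Server status: ACTIVE, Last transaction at unknown
Number of authentication requests 0
Number of accepts 0
"""

if __name__ == "__main__":
    for label, cfg in (("wrong", WRONG_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_ssh_auth(cfg) or "OK")
    print("auth requests seen by ACS group:", auth_requests(SHOW_AAA_SERVER))
```

Run it against your own `show running-config aaa-server` and `show running-config aaa authentication` output before debugging the TACACS+ exchange; if the group named for SSH is not the TACACS+ group, no amount of `debug tacacs` on that group will show traffic.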