Unable to login to active ASA using radius but can on secondary ASA

Guys,

Bit of a strange problem here that just started last week - basically I tried to log on to our ASA and I was denied access, thought that's strange but tried a few times and got some other people to do the same - on doing so they also failed. I tried to log in through our local admin account and that worked straight away - I cannot however SSH to console with either the radius info or the local information. The weird thing is I can gain access to our secondary ASA with no issue using radius authentication, this is being run in an active/standby failover configuration.

I have checked the configs under the ASA part of ASDM on both primary and standby but neither deviate at all.

Can anyone shed some light on this or has it happened to anyone before?

Many thanks for your time and looking at this.

Thomas.

3 REPLIES
Unable to login to active ASA using radius but can on secondary

I'm clutching at straws but could this have anything to do with it? I doubt it

Failover On

Failover unit Primary

Failover LAN Interface: failover Ethernet0/3 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 5 of 110 maximum

failover replication http

Version: Ours 8.2(5), Mate 8.2(5)

Last Failover at: 17:33:51 GMT/BST Jan 11 2012

This host: Primary - Active

Active time: 4376017 (sec)

slot 0: ASA5510 hw/sw rev (2.0/8.2(5)) status (Up Sys)

Interface outside (xxx.xxx.xxx.xxx): Normal (Waiting)

Interface management (7.7.7.7): No Link (Not-Monitored)

Interface Hosting_DMZ_Internal (xxx.xxx.xxx.xxx): Normal

Interface Hosting_DMZ_External (xxx.xxx.xxx.xxx): Normal

Interface Services_DMZ (172.25.4.1): Normal (Not-Monitored)

Interface Virtual_Services_DMZ (xxx.xxx.xxx.xxx): Normal (Not-Monitored)

Interface Auth_DMZ (xxx.xxx.xxx.xxx): Normal

Interface inside (xxx.xxx.xxx.xxx): Normal

slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)

Other host: Secondary - Failed

Active time: 0 (sec)

slot 0: ASA5510 hw/sw rev (2.0/8.2(5)) status (Up Sys)

Interface outside (xxx.xxx.xxx.xxx): Failed (Waiting)

Interface management (0.0.0.0): Normal (Not-Monitored)

Interface Hosting_DMZ_Internal (xxx.xxx.xxx.xxx): Normal

Interface Hosting_DMZ_External (xxx.xxx.xxx.xxx): Normal

Interface Services_DMZ (xxx.xxx.xxx.xxx): Normal (Not-Monitored)

Interface Virtual_Services_DMZ (172.25.10.2): Normal (Not-Monitored)

Interface Auth_DMZ (xxx.xxx.xxx.xxx): Normal

Interface inside (xxx.xxx.xxx.xxx): Normal

slot 1: ASA-SSM-4GE hw/sw rev (1.0/1.0(0)10) status (Up)

Unable to login to active ASA using radius but can on secondary

It says "Other host: Secondary - Failed". It should say "Standby" instead of "failed". It also says "Interface outside: Failed". You should look that

It would be good to know the IP addressing and to know what IPs you are ssh'ing into.

Unable to login to active ASA using radius but can on secondary

Thomas

I agree with Eduardo that it is significant that the output shows the other failover participant is failed. When I put this together with your statement that you can log in to the backup without any problem then I believe that this is your problem:

- there has been some problem that causes the ASAs to not communicate with each other.

- each ASA believes that its mate has failed and that it should be the active ASA.

- so both ASAs are trying to be active, and both ASAs are attempting to use the same IP address (and probably the same MAC address).  The duplication of IP address (and possibly duplication of MAC address) means that only one of the ASAs is reachable.

HTH

Rick
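
As an added example (not posted by anyone in this thread), here is a small Python parser for the `show failover` output above that flags the two things the replies pick out: a peer that is not in a Standby state while this unit is Active, and monitored interfaces that are not Normal or are still Waiting. The sample is an excerpt of the posted output, and the function names are illustrative.

```python
import re

# Excerpt of the "show failover" output posted in this thread (addresses masked as posted).
SAMPLE = """\
Failover On
This host: Primary - Active
Active time: 4376017 (sec)
Interface outside (xxx.xxx.xxx.xxx): Normal (Waiting)
Interface management (7.7.7.7): No Link (Not-Monitored)
Interface inside (xxx.xxx.xxx.xxx): Normal
Other host: Secondary - Failed
Active time: 0 (sec)
Interface outside (xxx.xxx.xxx.xxx): Failed (Waiting)
Interface management (0.0.0.0): Normal (Not-Monitored)
Interface inside (xxx.xxx.xxx.xxx): Normal
"""

HOST_RE = re.compile(r"^(This|Other) host:\s*(\w+)\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([^)]*)\):\s*(.+?)(?:\s*\(([^)]+)\))?\s*$")

def parse_show_failover(text):
    """Return {'this': {...}, 'other': {...}} with unit role, state and interfaces."""
    units, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := HOST_RE.match(line):
            current = {"unit": m[2], "state": m[3], "interfaces": {}}
            units[m[1].lower()] = current
        elif current is not None and (m := IFACE_RE.match(line)):
            current["interfaces"][m[1]] = {"ip": m[2], "status": m[3], "note": m[4]}
    return units

def failover_findings(units):
    """Flag a non-Standby peer and monitored interfaces that are not healthy."""
    findings = []
    this, other = units.get("this"), units.get("other")
    if this and other and this["state"] == "Active" and not other["state"].startswith("Standby"):
        findings.append(("other", "state", other["state"]))
    for side, unit in units.items():
        for name, i in unit["interfaces"].items():
            # Skip unmonitored links; "Waiting" means no hello seen from the peer yet.
            if i["note"] == "Not-Monitored" or (i["status"] == "Normal" and i["note"] != "Waiting"):
                continue
            detail = f'{i["status"]} ({i["note"]})' if i["note"] else i["status"]
            findings.append((side, name, detail))
    return findings

if __name__ == "__main__":
    for finding in failover_findings(parse_show_failover(SAMPLE)):
        print(finding)
```

Running the same check against output captured on each unit shows whether both sides report themselves as Active.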
