New Member

ASA Active/passive AAA access

Hi,

I have an ASA 5555 Active/standby failover firewall, in which the TACACS login for the Active Firewall is successful. But the TACACS login for the Standby Firewall doesn't work. It shows the username prompt, however I cannot log in.

After issuing the test aaa authentication <server-group> host <ip-address> username user password pass command, it shows "Authentication Server not responding; No error".

On packet capturing, I found that the Standby Firewall uses the Active Firewall IP to send the TACACS authentication packet on port 49. However, the ACS TACACS server doesn't show any passed or failed attempts in its log for that particular time.

Cisco ACS is configured right and serves the other devices and the active firewall.

On the standby Firewall, "show aaa-server" shows that the ACS server is active and the timeout increases for every authentication.

Please help.

Thanks

3 REPLIES
New Member

Hello,

You have to do some work to capture the error.

First: From the secondary ASA, you need to check which source IP it is using when it sends the request to your ACS server, either the primary IP or the secondary IP.

If it is using the Primary IP (Active firewall), then the return packet from ACS to the secondary ASA will not reach the Sec ASA, as that Primary IP is active on the Active Firewall.

Second: On ACS you need to check whether you have made an entry for the secondary IP.

Thanks

New Member

Hi Vishaw,

It's been found that it's a Cisco bug on ASA version 9.0(1).

CSCud24452

Thanks for the help.

New Member

Hi guys,

I have the same problem with ASA version 9.1(1).

Here you can find the bug in the table for Resolved Caveats in ASA Version 9.1(2)

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html
