Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
798
Views
0
Helpful
4
Replies

Tacacs authentication of a standby ASA over a site-to-site tunnel.

pstratiev
Level 1
Level 1

‎06-02-2014 08:26 AM - edited ‎03-11-2019 09:16 PM

Hello,

I have two ASA 9.1 configured as a failover pair (active/standby). There is also a site-to-site tunnel configured and the aaa-server (TACACS+) is at the remote site. The active ASA can authenticate over the tunnel perfectly, but I'm having troubles making the standby ASA do the same. It seem the standby unit can't reach the server on the remote site. My question is if such authentication is possible, supported by Cisco or not.

Labels:
0 Helpful
4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-02-2014 10:03 AM

Which version exactly are you running?

There was a bug (CSCud24452), documented as of 9.0(1) and fixed in 9.1(2), that could cause this.

If that doesn't apply, please check and see

a. what routing the traffic from the standby is attempting to take and

b. are the packets arriving at the TACACS server?

0 Helpful

pstratiev
Level 1
Level 1
In response to Marvin Rhoads

‎06-03-2014 01:26 AM

I'm running 9.1(1) on both ends of the tunnel. On the site which has the TACACS+ in its LAN I have the problem described in the bug you're referring. But there, the standby unit reaches the server and yes, indeed the packets have the active's source address. (soon I'll upgrade to 9.1(2) and )

But on the site, where the traffic needs to go through the tunnel established by it's active peer - the standby unit doesn't reach the server. So it seems there is a routing problem, but how to route that traffic since the two devices have identical configurations and one is terminating the tunnel which the second have to use? Is that possible?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to pstratiev

‎06-03-2014 07:26 AM

Good question - I thought about that scenario after posting yesterday.

I seem to recall a tip about marking the inside interface for management access helping a similar situation.

What use case do you have for logging into the standby unit? I very seldom find it necessary to so. If I need something specific to it, I usually go into the active unit and use the  "failover exec standby" commands.

0 Helpful

pstratiev
Level 1
Level 1
In response to Marvin Rhoads

‎06-03-2014 08:07 AM

The inside interface is set for management access already. As for the need of logging into the standby unit - currently it can be accessed with credentials from the LOCAL database which is an unwanted effect. But also the client doesn't want the authentication to be left only with tacacs, if the server fails the LOCAL database will be needed.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card