Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Tacacs authentication of a standby ASA over a site-to-site tunnel.


I have two ASA 9.1 configured as a failover pair (active/standby). There is also a site-to-site tunnel configured and the aaa-server (TACACS+) is at the remote site. The active ASA can authenticate over the tunnel perfectly, but I'm having troubles making the standby ASA do the same. It seem the standby unit can't reach the server on the remote site. My question is if such authentication is possible, supported by Cisco or not.

Hall of Fame Super Silver

Which version exactly are you

Which version exactly are you running?

There was a bug (CSCud24452), documented as of 9.0(1) and fixed in 9.1(2), that could cause this.

If that doesn't apply, please check and see

a. what routing the traffic from the standby is attempting to take and

b. are the packets arriving at the TACACS server?

New Member

I'm running 9.1(1) on both

I'm running 9.1(1) on both ends of the tunnel. On the site which has the TACACS+ in its LAN I have the problem described in the bug you're referring. But there, the standby unit reaches the server and yes, indeed the packets have the active's source address. (soon I'll upgrade to 9.1(2) and )

But on the site, where the traffic needs to go through the tunnel established by it's active peer - the standby unit doesn't reach the server. So it seems there is a routing problem, but how to route that traffic since the two devices have identical configurations and one is terminating the tunnel which the second have to use? Is that possible?

Hall of Fame Super Silver

Good question - I thought

Good question - I thought about that scenario after posting yesterday.

I seem to recall a tip about marking the inside interface for management access helping a similar situation.

What use case do you have for logging into the standby unit? I very seldom find it necessary to so. If I need something specific to it, I usually go into the active unit and use the  "failover exec standby" commands.

New Member

The inside interface is set

The inside interface is set for management access already. As for the need of logging into the standby unit - currently it can be accessed with credentials from the LOCAL database which is an unwanted effect. But also the client doesn't want the authentication to be left only with tacacs, if the server fails the LOCAL database will be needed.

CreatePlease to create content