Tacacs authentication of a standby ASA over a site-to-site tunnel.
I have two ASA 9.1 configured as a failover pair (active/standby). There is also a site-to-site tunnel configured and the aaa-server (TACACS+) is at the remote site. The active ASA can authenticate over the tunnel perfectly, but I'm having trouble making the standby ASA do the same. It seems the standby unit can't reach the server on the remote site. My question is whether such authentication is possible and supported by Cisco or not.
I'm running 9.1(1) on both ends of the tunnel. On the site which has the TACACS+ in its LAN I have the problem described in the bug you're referring to. But there, the standby unit reaches the server and yes, indeed the packets have the active's source address. (soon I'll upgrade to 9.1(2) and )
But on the site where the traffic needs to go through the tunnel established by its active peer, the standby unit doesn't reach the server. So it seems there is a routing problem, but how to route that traffic since the two devices have identical configurations and one is terminating the tunnel which the second has to use? Is that possible?
Good question - I thought about that scenario after posting yesterday.
I seem to recall a tip about marking the inside interface for management access helping a similar situation.
What use case do you have for logging into the standby unit? I very seldom find it necessary to do so. If I need something specific to it, I usually go into the active unit and use the "failover exec standby" commands.
The inside interface is set for management access already. As for the need to log into the standby unit: currently it can be accessed with credentials from the LOCAL database, which is an unwanted effect. But the client also doesn't want authentication to be left only to TACACS; if the server fails, the LOCAL database will be needed.
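The configuration pattern the thread is circling (TACACS+ group with LOCAL fallback, `management-access inside`, and using `failover exec standby` to check the standby from the active unit), written out as an added example; this is not configuration from any poster, and the group name, addresses and shared secret are constructed placeholders:

```cisco
! Constructed example: TACACS+ group with LOCAL fallback on an ASA failover pair.
! TACACS_SRV, 192.0.2.10 and the secret are placeholders, not values from the thread.
aaa-server TACACS_SRV protocol tacacs+
aaa-server TACACS_SRV (inside) host 192.0.2.10
 key <shared-secret>
 timeout 5
!
! TACACS+ is tried first; LOCAL is consulted only when every server in the group
! is marked unreachable, never on a rejected login.
aaa authentication ssh console TACACS_SRV LOCAL
aaa authentication enable console TACACS_SRV LOCAL
!
! Lets management-plane traffic (AAA included) be sourced from the inside interface
! so it can be sent into the site-to-site tunnel.
management-access inside
!
! Checks run from the ACTIVE unit against the standby, without logging into it:
failover exec standby show aaa-server TACACS_SRV
failover exec standby test aaa-server authentication TACACS_SRV host 192.0.2.10 username <user> password <pw>
```

The `show aaa-server` line reports whether the standby currently considers the server ACTIVE or FAILED, and the `test aaa-server` line sends a real authentication request from the standby's own stack; together they tell you whether the standby's AAA traffic is reaching the remote server through the tunnel, which is the open question in this thread. The fallback semantics also explain the symptom in the last post: because the standby cannot reach the server, the group is marked failed and LOCAL credentials are accepted there, which is exactly what the fallback order is designed to do when the server is down.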