Cisco Support Community
Community Member

TACACS+ fallback problem ASA 5520


I have configured TACACS+ on an ASA 5520 and it is working fine: I can log in to the ASA with TACACS+ credentials, and authentication is successful. When the TACACS+ server is unreachable, local authentication is also successful. But after that, when the TACACS+ server is reachable again, I am not able to log in with TACACS+ credentials.

Is this a bug in the Cisco ASA 5520 software image?

Below are the configurations:

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host
 key tacacs_key
aaa authentication enable console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
aaa accounting command privilege 15 TACACS+

Cisco Employee


Hi Arun,

Can you take captures on inside interface of ASA when problem occurs? Put the captures in pcap.

Paste debug level logs from ASA and logs from ACS when issue is seen.



Sourav Kakkar


Hello Arun,

Can you share the output of the following command with us when the AAA authentication against the tacacs+ database is not working?

show aaa-server TACACS+ host


Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
Community Member

Re: TACACS+ fallback problem ASA 5520

Hi, it's because after a TACACS+ server fails it remains inactive.

You have 2 options:
1. Add "reactivation-mode timed" as a command under "aaa-server TACACS+ protocol tacacs"; it will allow your server to be automatically reactivated after 30 seconds.

2. Alternatively, you can add "reactivation-mode depletion" in the same spot; this will only reactivate the server(s) after all servers in the same pool have failed.

Cheers, Nico
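As an added audit check (not from the thread or from Cisco), the script below parses an ASA running-config and flags every AAA server group that is used with LOCAL fallback but still sits in the default depletion reactivation mode, which is the condition behind the problem above. The sample config is constructed (host addresses invented); the default deadtime of 10 minutes for depletion mode is the documented ASA default.

```python
import re

# Constructed sample: the poster's config as `show running-config` would
# print it, with the default (depletion) reactivation mode left implicit
# for TACACS+ and an explicit "timed" mode on a second group for contrast.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.0.2.10
 key tacacs_key
aaa-server RADIUS-GRP protocol radius
 reactivation-mode timed
aaa-server RADIUS-GRP (inside) host 192.0.2.20
 key radius_key
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console LOCAL
"""

def parse_aaa_groups(config):
    """Return {group: {"mode": str, "deadtime": int, "hosts": int}}.
    Indented sub-commands attach to the preceding aaa-server line; only
    the 'protocol' block carries reactivation-mode, so host blocks reset it."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"aaa-server (\S+) protocol (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = {"mode": "depletion", "deadtime": 10, "hosts": 0}
            continue
        m = re.match(r"aaa-server (\S+) \(\S+\) host ", line)
        if m:
            current = None  # host sub-commands (key, timeout) are not group-level
            if m.group(1) in groups:
                groups[m.group(1)]["hosts"] += 1
            continue
        m = re.match(r"\s+reactivation-mode (timed|depletion)(?: deadtime (\d+))?", line)
        if m and current:
            groups[current]["mode"] = m.group(1)
            if m.group(2):
                groups[current]["deadtime"] = int(m.group(2))
    return groups

def fallback_groups(config):
    """Server groups referenced as 'aaa authentication <svc> console <group> LOCAL'."""
    return set(re.findall(r"^aaa authentication \S+ console (\S+) LOCAL$", config, re.M))

def audit(config):
    """Names of LOCAL-fallback groups still in depletion mode (sorted)."""
    groups = parse_aaa_groups(config)
    return sorted(g for g in fallback_groups(config)
                  if g in groups and groups[g]["mode"] == "depletion")
```

Run `audit(open("running-config.txt").read())` against a saved config; any group it returns is a candidate for `reactivation-mode timed`, and `show aaa-server <group> host` confirms the server's current active/failed state.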