Fabian,
Until your standby address is added to the TACACS server, the other ASA has no
concept of the user connected, like you mentioned. I would have expected
enable_15 to have tried the connection and that failing. Enable_1 is used to
sync the configuration in a failover pair and I assume keep the state and VPN
tables in sync. I _think_, however, when you issue a command it is being
treated differently. Are your configurations properly synced up?
Here is the output from a show ver on standby ASA:
Configuration last modified by enable_1 at 14:38:14.097 EDT Thu Aug 12 2010
-ryan
From: Fabian Pucciarelli [mailto:fabiangp_at_gmail.com]
Sent: Thursday, August 12, 2010 2:24 PM
To: Ryan West
Cc: Cisco certification
Subject: Re: ASA 5520 failover exec mate command
That's correct, but I think it should be looking for my username in the local
database instead of enable_1 username. Here are my aaa configs
aaa-server AUTH-SERVERS protocol tacacs+
 accounting-mode simultaneous
aaa-server AUTH-SERVERS (management) host x.x.x.x
 key *****
aaa-server AUTH-SERVERS (management) host y.y.y.y
 key *****
aaa authentication http console AUTH-SERVERS LOCAL
aaa authentication ssh console AUTH-SERVERS LOCAL
aaa authentication telnet console AUTH-SERVERS LOCAL
aaa authentication enable console AUTH-SERVERS LOCAL
I cannot add the standby IPs immediately to test; I have no access to the
TACACS servers.
Fabian
On Thu, Aug 12, 2010 at 12:02 PM, Ryan West
<rwest_at_zyedge.com> wrote:
From: Fabian Pucciarelli [mailto:fabiangp_at_gmail.com]
Sent: Thursday, August 12, 2010 1:55 PM
To: Ryan West; Cisco certification
Subject: Re: ASA 5520 failover exec mate command
Thanks for the quick reply. I'll give it a try, so you think the standby unit
is sourcing the tacacs request from the internal ip? I still don't understand
why it looks for enable_1 in the local database.
Fabian
I didn't have a reference to the ACS setup, like how it's configured or where
it's located. Since the configs are replicated and assuming you have
standby's enabled, it seems to be failing authentication and trying to fall
back to local. Do you have a similar AAA command on your ASA?
aaa authentication enable console <tacacs_group> LOCAL
Can you try adding the standby address of your ASA to the TACACS server and
posting your relevant AAA configs?
-ryan
-- Regards, Fabian Pucciarelli
Blogs and organic groups at http://www.ccie.net
Received on Thu Aug 12 2010 - 18:42:27 ART
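The fix Ryan suggests in the thread (give the standby unit an address the TACACS+ server knows, then check whether authentication succeeds from the mate) as an added, self-contained ASA configuration example. This is not configuration from either poster; the interface name, the addresses (RFC 5737 documentation ranges), the username and the secrets are assumed placeholders, and the server-side step is described only in comments because it depends on which TACACS+ product is in use.

```cisco
! Added example (not from the thread): make the standby ASA reachable by the
! TACACS+ servers under its own address, then verify from both units.
! Interface name, addresses, username and secrets are assumed placeholders.
!
! 1. Give the management interface a standby address. In an Active/Standby
!    pair the standby unit sources its own traffic, including TACACS+
!    requests, from the standby address, so the server must know that IP
!    as an AAA client too.
interface Management0/0
 nameif management
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
! 2. Server group and login methods, mirroring the shape used in the thread.
!    The configuration is replicated to the mate, so both units share it.
aaa-server AUTH-SERVERS protocol tacacs+
 accounting-mode simultaneous
aaa-server AUTH-SERVERS (management) host 198.51.100.10
 key <shared-secret>
aaa authentication ssh console AUTH-SERVERS LOCAL
aaa authentication enable console AUTH-SERVERS LOCAL
!
! 3. On the TACACS+ server (ACS or equivalent), add BOTH 192.0.2.1 and
!    192.0.2.2 as AAA clients with the same shared secret; otherwise
!    requests from the standby are rejected and the ASA falls back to LOCAL.
!
! 4. Verify. Run the test on the active unit, then push the same test to the
!    standby with "failover exec mate" and compare the two results. A failure
!    on the mate only points at the missing standby address on the server.
test aaa-server authentication AUTH-SERVERS host 198.51.100.10 username admin password <password>
failover exec mate test aaa-server authentication AUTH-SERVERS host 198.51.100.10 username admin password <password>
failover exec mate show aaa-server AUTH-SERVERS
```

The `test aaa-server` command exercises the AAA path without opening a real session, so it is a safe way to confirm the server-side change before relying on TACACS+ for administrative logins on the standby.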
This archive was generated by hypermail 2.2.0 : Wed Sep 01 2010 - 11:20:52 ART