Good to know, thanks for your help
Fabian
On Aug 12, 2010 12:42 PM, "Ryan West" <rwest_at_zyedge.com> wrote:
> Fabian,
>
> Until your standby address is added to the TACACS server, the other ASA
> has no concept of the user connected, like you mentioned. I would have
> expected enable_15 to have tried the connection and that failing. Enable_1
> is used to sync the configuration in a failover pair and I assume keep the
> state and VPN tables in sync. I _think_, however, when you issue a command
> it is being treated differently. Are your configurations properly synced up?
>
> Here is the output from a show ver on standby ASA:
>
> Configuration last modified by enable_1 at 14:38:14.097 EDT Thu Aug 12 2010
>
> -ryan
>
> From: Fabian Pucciarelli [mailto:fabiangp_at_gmail.com]
> Sent: Thursday, August 12, 2010 2:24 PM
> To: Ryan West
> Cc: Cisco certification
> Subject: Re: ASA 5520 failover exec mate command
>
> That's correct, but I think it should be looking for my username in the
> local database instead of enable_1 username. Here are my aaa configs:
>
> aaa-server AUTH-SERVERS protocol tacacs+
> accounting-mode simultaneous
> aaa-server AUTH-SERVERS (management) host x.x.x.x
> key *****
> aaa-server AUTH-SERVERS (management) host y.y.y.y
> key *****
> aaa authentication http console AUTH-SERVERS LOCAL
> aaa authentication ssh console AUTH-SERVERS LOCAL
> aaa authentication telnet console AUTH-SERVERS LOCAL
> aaa authentication enable console AUTH-SERVERS LOCAL
>
> I cannot add the standby IPs immediately to test; I have no access to the
> TACACS servers.
>
> Fabian
> On Thu, Aug 12, 2010 at 12:02 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
>
> From: Fabian Pucciarelli [mailto:fabiangp_at_gmail.com]
> Sent: Thursday, August 12, 2010 1:55 PM
> To: Ryan West; Cisco certification
> Subject: Re: ASA 5520 failover exec mate command
>
> Thanks for the quick reply. I'll give it a try. So you think the standby
> unit is sourcing the TACACS request from the internal IP? I still don't
> understand why it looks for enable_1 in the local database.
>
> Fabian
>
> I didn't have a reference to the ACS setup, like how it's configured or
> where it's located. Since the configs are replicated and assuming you have
> standbys enabled, it seems to be failing authentication and trying to fall
> back to local. Do you have a similar AAA command on your ASA?
>
> aaa authentication enable console <tacacs_group> LOCAL
>
> Can you try adding the standby address of your ASA to the TACACS server
> and posting your relevant AAA configs?
>
> -ryan
>
> --
> Regards,
>
> Fabian Pucciarelli
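The failure mode discussed in this thread (a failover unit whose own source address is not registered on the TACACS server, so authentication fails and falls back to LOCAL, where a user like enable_1 does not exist) can be checked against the AAA config before anyone loses access. The following is an added example, not code from the thread or from Cisco; the ASA source addresses, TACACS client list and the host IPs in the sample config are constructed placeholders.

```python
# Added example: lint an ASA AAA configuration for the failover/TACACS
# fallback problem described in the thread. Not code from the thread.
import re
from collections import defaultdict

# Constructed sample, modelled on the config posted in the thread.
SAMPLE_CONFIG = """\
aaa-server AUTH-SERVERS protocol tacacs+
 accounting-mode simultaneous
aaa-server AUTH-SERVERS (management) host 192.0.2.10
 key *****
aaa-server AUTH-SERVERS (management) host 192.0.2.11
 key *****
aaa authentication http console AUTH-SERVERS LOCAL
aaa authentication ssh console AUTH-SERVERS LOCAL
aaa authentication telnet console AUTH-SERVERS LOCAL
aaa authentication enable console AUTH-SERVERS LOCAL
"""

HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)")
AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (LOCAL))?$")

def parse_aaa(config):
    """Return ({group: [server ips]}, {method: (group, falls_back_to_local)})."""
    servers = defaultdict(list)
    methods = {}
    for line in config.splitlines():
        line = line.strip()
        if m := HOST_RE.match(line):
            servers[m.group(1)].append(m.group(3))
        elif m := AUTH_RE.match(line):
            methods[m.group(1)] = (m.group(2), m.group(3) == "LOCAL")
    return dict(servers), methods

def check_failover_aaa(config, asa_source_ips, tacacs_clients):
    """asa_source_ips: addresses both units of the pair source AAA requests
    from (active and standby); tacacs_clients: AAA clients registered on the
    TACACS server. Returns a list of findings; an empty list means no issue."""
    servers, methods = parse_aaa(config)
    findings = []
    unregistered = sorted(set(asa_source_ips) - set(tacacs_clients))
    for ip in unregistered:
        findings.append(f"{ip} is not a registered TACACS client")
    for method, (group, local) in sorted(methods.items()):
        if group not in servers:
            findings.append(f"{method}: server group {group} has no hosts")
        elif local and unregistered:
            findings.append(f"{method}: falls back to LOCAL for requests from "
                            f"{unregistered}; a user absent from the local "
                            f"database (enable_1 in the thread) is then denied")
    return findings
```

Run it with the active address registered and the standby address missing to reproduce the condition Ryan describes; once both addresses are in the TACACS client list the finding list is empty.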
Blogs and organic groups at http://www.ccie.net
Received on Thu Aug 12 2010 - 21:39:50 ART
This archive was generated by hypermail 2.2.0 : Wed Sep 01 2010 - 11:20:52 ART