Cisco Bug: CSCur10638 - ASA : AAA fallback auth not working with 'reactivation-mode timed'
May 22, 2018
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
Symptom: When none of the aaa servers are available, the authentication method will not fall back to LOCAL, which causes the login attempts to fail. In "show aaa-server" output, you can see that the ASA has the servers tagged as 'active', even if there is no network connectivity to the AAA servers. This is not the correct behavior. See example below... ASA# sh aaa-ser Server Group: TACACS+ Server Protocol: tacacs+ Server Address: 10.43.50.222 Server port: 49 Server status: ACTIVE, Last transaction at 14:33:02 UTC Thu Sep 18 2014 Server Group: TACACS+ Server Protocol: tacacs+ Server Address: 10.11.162.222 Server port: 49 Server status: ACTIVE, Last transaction at 14:33:32 UTC Thu Sep 18 2014 Conditions: - ASA running 9.1.5 code - aaa-server configured on ASA, with protocol "tacacs" and/or "radius", with at least two AAA servers/hosts to authenticate against - The "reactivation-mode timed" option is used in the aaa-server configuration. i.e. aaa-server TACACS+ protocol tacacs+ reactivation-mode timed - The aaa-server group name is used in aaa authentication and LOCAL is the fallback method. i.e. aaa authentication ssh console TACACS+ LOCAL
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases