Cisco Bug: CSCur10638 - ASA : AAA fallback auth not working with 'reactivation-mode timed'

Last Modified

Sep 17, 2018

Products (1)

Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.1(5) 9.1(5.12)

Description (partial)

Symptom:
When none of the aaa servers are available, the authentication method will not fall back to LOCAL, which causes the login attempts to fail.

In "show aaa-server" output, you can see that the ASA has the servers tagged as 'active', even if there is no network connectivity to the AAA servers.  This is not the correct behavior.  See example below...

ASA# sh aaa-ser
Server Group:    TACACS+
Server Protocol: tacacs+
Server Address:  10.43.50.222
Server port:     49
Server status:   ACTIVE, Last transaction at 14:33:02 UTC Thu Sep 18 2014

Server Group:    TACACS+
Server Protocol: tacacs+
Server Address:  10.11.162.222
Server port:     49
Server status:   ACTIVE, Last transaction at 14:33:32 UTC Thu Sep 18 2014

Conditions:
- ASA running 9.1.5 code
- aaa-server configured on ASA, with protocol "tacacs" and/or "radius", with at least two AAA servers/hosts to authenticate against
- The "reactivation-mode timed" option is used in the aaa-server configuration.
   i.e. aaa-server TACACS+ protocol tacacs+
           reactivation-mode timed
- The aaa-server group name is used in aaa authentication and LOCAL is the fallback method.
   i.e.  aaa authentication ssh console TACACS+ LOCAL

View Bug Details in Bug Search Tool Login Required

Why Is Login Required?

Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

Full Description (including symptoms, conditions and workarounds)
Status
Severity
Known Fixed Releases
Related Community Discussions
Number of Related Support Cases

Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.

Learn More About Cisco Service Contracts