Cisco Bug: CSCvu23026 - DOC: ASA is sending 3 authentication attempts when an invalid TACACS response is received

Last Modified

May 19, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.6(4.29)

Description (partial)

Symptom:
ASA sends 3 authentication attempts when an invalid TACACS+ response packet is received from the server.
Status 0 is unsupported, so the TACACS+ code in lina sends a "server failed" message back to AAA. The AAA server code then retries. It has a default max-failed-attempts of 3, so three attempts are made before that server is marked failed and the next server in the group is tried. This can be changed if desired by adjusting max-failed-attempts for the server group on the ASA.

This doc bug is opened simply to update the ASA config guides to clarify what ASA considers a "failed" AAA attempt, as currently it only mentions the scenario of an unresponsive server, but does not state that invalid responses from servers are also considered a "failed" attempt.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration/general/asa-914-general-config/aaa-tacacs.html

Conditions:
ASA receives an invalid TACACS+ response packet from the server in reply to an authentication attempt.
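An added simulation (not Cisco code) of the behaviour the description states: a TACACS+ authentication REPLY carrying an unsupported status such as 0 is counted as a failed attempt exactly like a timeout, and the server is marked failed after max-failed-attempts. The REPLY layout and status codes follow the TACACS+ specification (RFC 8907); the server names and packets are constructed.

```python
import struct

# TACACS+ authentication REPLY status values defined in RFC 8907; 0 is not among them.
VALID_REPLY_STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
                      0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}

def parse_authen_reply(body: bytes) -> str:
    """Decode a REPLY body (status, flags, server_msg_len, data_len, ...). Raises
    ValueError for a truncated body or an unsupported status such as 0."""
    if len(body) < 6:
        raise ValueError("truncated REPLY body")
    status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if len(body) < 6 + msg_len + data_len:
        raise ValueError("REPLY body shorter than its declared lengths")
    if status not in VALID_REPLY_STATUS:
        raise ValueError(f"unsupported REPLY status 0x{status:02x}")
    return VALID_REPLY_STATUS[status]

def authenticate(servers, max_failed_attempts=3):
    """Simulated AAA server-group walk. `servers` maps name -> callable returning a
    REPLY body, or None for a timeout. A timeout and an invalid reply both count as one
    failed attempt; after max_failed_attempts the next server is tried."""
    log = []
    for name, send in servers.items():
        failures = 0
        while failures < max_failed_attempts:
            body = send()
            try:
                if body is None:
                    raise ValueError("timeout")
                status = parse_authen_reply(body)
            except ValueError as err:
                failures += 1
                log.append(f"{name}: attempt {failures} failed ({err})")
                continue
            log.append(f"{name}: {status}")
            return status, log
        log.append(f"{name}: marked failed after {failures} attempts")
    return None, log

# Constructed sample replies (hypothetical): status 0 as in this bug, and a valid PASS.
BAD_REPLY = struct.pack("!BBHH", 0x00, 0, 0, 0)
PASS_REPLY = struct.pack("!BBHH", 0x01, 0, 0, 0)

def demo(max_failed_attempts=3):
    """Primary returns status 0 every time; the backup answers PASS."""
    servers = {"tacacs-primary": lambda: BAD_REPLY, "tacacs-backup": lambda: PASS_REPLY}
    return authenticate(servers, max_failed_attempts)
```

Running `demo()` shows three failed attempts against the primary before the backup is consulted; `demo(1)` shows the effect of lowering max-failed-attempts.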