SRX Services Gateway
Visitor
isnet75
Posts: 3
Registered: ‎03-13-2012
0

Unable to Access Secondary SRX through TACACS

Hi All,

I have set up a working cluster of SRX 650s in our environment and they are made to authenticate using Cisco ACS 5.2 (TACACS).

Things are working fine as long as I don't have to log in to the secondary firewall; I'm not able to console into the standby firewall.

I've tried with the local and ACS accounts to access the secondary SRX through the console, but it says "Invalid Login" and does not show any hits on the ACS. Could you please suggest a workaround?

Thanks a lot!

 

Trusted Contributor
Luca
Posts: 324
Registered: ‎06-11-2009
0

Re: Unable to Access Secondary SRX through TACACS

How have you configured TACACS?

When in clustering mode you should configure things like TACACS under node groups.

Visitor
isnet75
Posts: 3
Registered: ‎03-13-2012
0

Re: Unable to Access Secondary SRX through TACACS

Hi Luca,

I've made the changes in the global group earlier but have also tried with the node 0 and node 1 config, but it doesn't work.

Please note that I've not connected the fxp0s and am trying to access the secondary SRX through the console, where it's failing to get authenticated.

Thanks

 

Trusted Contributor
Luca
Posts: 324
Registered: ‎06-11-2009
0

Re: Unable to Access Secondary SRX through TACACS

Can you post your config?

Recognized Expert
JunOS_Fan
Posts: 241
Registered: ‎02-13-2012
0

Re: Unable to Access Secondary SRX through TACACS

Hi,

If you are using external authentication, that external authentication server (ACS here) should be reachable from the device. As we know, the routing engine in the secondary device in a cluster will not be active, so I am guessing that your secondary device is not able to reach the TACACS server. How is this server reachable from the SRX cluster? Via fxp0? Or a reth interface?

If this is the case, you need to configure a backup router. (Better to configure this in both groups, though it is required by the secondary device only.)

set system backup-router x.x.x.x destination tacacs_IP/32 , here x.x.x.x is any L3 device's IP address, which knows how to reach the TACACS server and which is in the same network as the cluster.

Hope this helps :smileyhappy:

Best regards
Pradeep (JNCIP-SEC,ENT,SP)
www.networker.co.in
Recognized Expert
JunOS_Fan
Posts: 241
Registered: ‎02-13-2012
0

Re: Unable to Access Secondary SRX through TACACS

Hi,

One more thought!

Do you have any local user configured in the cluster? How is your authentication order configured? If ACS server reachability is the issue, even if you don't have "password" in the authentication-order statement, if the tacplus server is not reachable, it should consult the local database after some retries.

Best regards
Pradeep (JNCIP-SEC,ENT,SP)
www.networker.co.in
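The node-group backup-router and authentication-order setup described in the two replies above, as an added Junos configuration example (not the original poster's config and not code from any reply). The addresses are constructed placeholders: 198.51.100.10 stands for the ACS/TACACS server, 192.0.2.1 for a router on the fxp0 management subnet that can reach it, and the shared secret is a placeholder.

```junos
## Constructed example, not the thread author's configuration.
## Per-node settings live in node groups; "${node}" applies the
## matching group on each cluster member.
set groups node0 system host-name srx650-node0
set groups node0 system backup-router 192.0.2.1 destination 198.51.100.10/32
set groups node1 system host-name srx650-node1
set groups node1 system backup-router 192.0.2.1 destination 198.51.100.10/32
set apply-groups "${node}"

## TACACS+ server (placeholder address and secret) and the order in
## which the box consults authentication sources. Listing "password"
## after "tacplus" keeps local accounts usable when ACS is unreachable.
set system tacplus-server 198.51.100.10 secret "<REPLACE-WITH-SHARED-SECRET>"
set system authentication-order [ tacplus password ]

## Template user that TACACS-authenticated logins map to when the ACS
## profile does not name a local-user-name, plus a local fallback account.
set system login user remote class super-user
set system login user admin class super-user authentication plain-text-password
```

The backup-router entry only takes effect for traffic leaving via the management (fxp0) interface, so the secondary node still needs fxp0 cabled to that subnet for ACS lookups to succeed.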
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.