SRX Services Gateway

Unable to Access Secondary SRX through TACACS

03-20-2012 07:50 PM

Hi All,

I have set up a working cluster of SRX 650s in our environment and they are made to authenticate using Cisco ACS 5.2 (TACACS).

Things are working fine as long as I don't have to log in to the secondary firewall; I'm not able to console into the standby firewall.

I've tried with the local and ACS accounts to access the secondary SRX through the console, but it says "Invalid Login" and does not show any hits on the ACS. Could you please suggest a workaround?

Thanks a lot!

Re: Unable to Access Secondary SRX through TACACS

03-20-2012 07:52 PM

How have you configured TACACS?

When in clustering mode you should configure things like TACACS under node groups.

Re: Unable to Access Secondary SRX through TACACS

03-20-2012 08:20 PM

Hi Luca,

I've made the changes in the global group earlier but have also tried with the node 0 and node 1 config, but it doesn't work.

Please note that I've not connected the fxp0s and am trying to access the secondary SRX through the console, where it's failing to get authenticated.

Thanks

Re: Unable to Access Secondary SRX through TACACS

03-21-2012 02:13 PM

Can you post your config?


Re: Unable to Access Secondary SRX through TACACS

03-24-2012 01:46 AM

Hi,

If you are using external authentication, that external authentication server (ACS here) should be reachable from the device. As we know, the routing engine in the secondary device in a cluster will not be active, so I am guessing that your secondary device is not able to reach the TACACS server. How is this server reachable from the SRX cluster? Via fxp0, or a reth interface?

If this is the case, you need to configure a backup router (better to configure this in both groups, though it is required by the secondary device only):

set system backup-router x.x.x.x destination tacacs_IP/32

Here x.x.x.x is any L3 device's IP address which knows how to reach the TACACS server and which is in the same network as the cluster.

Hope this helps :)

Regards,
Pradeep JNCIE-SEC
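Pulling the replies above together, here is an added example of what the relevant chassis-cluster configuration could look like. It is not the original poster's or Pradeep's configuration: every address, hostname and secret is a constructed placeholder, and it assumes the ACS server is reached over the fxp0 management LAN (192.0.2.0/24) through a router at 192.0.2.1 that can forward to it. The backup-router is placed in both node groups, as suggested, and a local account plus "password" in the authentication order keeps console access working on either node if ACS is unreachable.

```junos
# Added example, not from the thread: cluster TACACS+ configuration with a
# per-node backup-router so the secondary node's (inactive) routing engine can
# still reach the ACS server. All addresses, names and secrets are constructed
# placeholders; the reachability path (fxp0 management LAN) is an assumption.

# Per-node groups: Junos applies the matching group on each node through
# apply-groups "${node}". The backup-router is defined in BOTH groups even
# though only the secondary node actually uses it.
set groups node0 system host-name srx650-node0
set groups node0 interfaces fxp0 unit 0 family inet address 192.0.2.10/24
set groups node0 system backup-router 192.0.2.1 destination 198.51.100.10/32
set groups node1 system host-name srx650-node1
set groups node1 interfaces fxp0 unit 0 family inet address 192.0.2.11/24
set groups node1 system backup-router 192.0.2.1 destination 198.51.100.10/32
set apply-groups "${node}"

# TACACS+ server (198.51.100.10 is the placeholder ACS address) and the
# template user that TACACS-authenticated logins are mapped to.
set system tacplus-server 198.51.100.10 secret "REPLACE-WITH-SHARED-SECRET"
set system tacplus-server 198.51.100.10 timeout 5
set system login user remote class super-user

# Try TACACS+ first, then the local password database, so console access to
# either node survives an unreachable ACS. Keep at least one local account.
set system authentication-order [ tacplus password ]
set system login user localadmin class super-user
set system login user localadmin authentication encrypted-password "REPLACE-WITH-HASH"
```

After committing on the primary (the configuration is synced to the secondary), check from the secondary node's console that the backup route is present with `show configuration system backup-router`, and watch `show log messages | match tacplus` while attempting a login: a timeout or "no response" message there points at reachability, whereas a reject with a hit on the ACS side points at the server-side policy.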

Re: Unable to Access Secondary SRX through TACACS

03-24-2012 01:56 AM

Hi,

One more thought!

Do you have any local user configured in the cluster? How is your authentication order configured? If ACS server reachability is the issue, even if you don't have "password" in the authentication-order statement, if the tacplus server is not reachable it should consult the local database after some retries.

Regards,
Pradeep JNCIE-SEC