Troubleshooting AAA

This section provides information about the AAA troubleshooting mechanisms available on Cisco ASA. Additionally, it includes several common problems and describes how to resolve them using the different commands available for troubleshooting.

Troubleshooting Administrative Connections to Cisco ASA

Administrative connections can be authenticated using RADIUS, TACACS+, or the Cisco ASA local user database. The following debug commands are available to troubleshoot AAA problems when you are trying to connect to the Cisco ASA for administration:
If you enter debug tacacs without any options, the debug command is enabled with the session option by default. Example 7-21 includes the output of debug tacacs during a successful Telnet authentication.

Example 7-21. Output of debug tacacs During a Successful Telnet Authentication

Chicago# debug tacacs
mk_pkt - type: 0x1, session_id: 4
user: user1
Tacacs packet sent
Sending TACACS Start message. Session id: 4, seq no:1
Received TACACS packet. Session id:4 seq no:2
tacp_procpkt_authen: GETPASS
Authen Message: Password:
mk_pkt - type: 0x1, session_id: 4
mkpkt_continue - response: ***
Tacacs packet sent
Sending TACACS Continue message. Session id: 4, seq no:3
Received TACACS packet. Session id:4 seq no:4
tacp_procpkt_authen: PASS
TACACS Session finished. Session id: 4, seq no: 3

In Example 7-21, User1 connected to the Cisco ASA via Telnet. The Cisco ASA was configured to perform authentication via an external TACACS+ server. The first highlighted line (user: user1) shows that User1 attempted a connection to the Cisco ASA. The second highlighted line (Authen Message: Password:) shows the ASA requesting the user's password. The user information is sent to the TACACS+ server and is finally authenticated. The third highlighted line (tacp_procpkt_authen: PASS) shows that the authentication was successful.

Example 7-22 includes the output of debug tacacs during an authentication failure. In this example, the user entered an incorrect password and the TACACS+ server rejected the authentication.

Example 7-22. Output of debug tacacs During a Failed Authentication Because of Wrong Password

Chicago# debug tacacs
mk_pkt - type: 0x1, session_id: 5
user: user1
Tacacs packet sent
Sending TACACS Start message. Session id: 5, seq no:1
Received TACACS packet. Session id:5 seq no:2
tacp_procpkt_authen: GETPASS
Authen Message: Password:
mk_pkt - type: 0x1, session_id: 5
mkpkt_continue - response: ***
Tacacs packet sent
Sending TACACS Continue message. Session id: 5, seq no:3
Received TACACS packet. Session id:5 seq no:4
tacp_procpkt_authen: FAIL
TACACS Session finished. Session id: 5, seq no: 3

The highlighted line in Example 7-22 (tacp_procpkt_authen: FAIL) shows the authentication FAIL message.

In Example 7-23, the TACACS+ server was offline or unreachable.

Example 7-23. Output of debug tacacs While TACACS+ Server Is Unreachable

Chicago# debug tacacs
mk_pkt - type: 0x1, session_id: 6
user: user1
Tacacs packet sent
Sending TACACS Start message. Session id: 6, seq no:1
Received TACACS packet. Session id:6 seq no:2
TACACS Request Timed out. Session id: 6, seq no:1
TACACS Session finished. Session id: 6, seq no: 1
mk_pkt - type: 0x1, session_id: 6
user: user1
Tacacs packet sent
Sending TACACS Start message. Session id: 6, seq no:1
Received TACACS packet. Session id:6 seq no:2
TACACS Request Timed out. Session id: 6, seq no:1
TACACS Session finished. Session id: 6, seq no: 1
mk_pkt - type: 0x1, session_id: 6
user: user1
Tacacs packet sent
Sending TACACS Start message. Session id: 6, seq no:1
Received TACACS packet. Session id:6 seq no:2
TACACS Request Timed out. Session id: 6, seq no:1
TACACS Session finished. Session id: 6, seq no: 1
aaa server host machine not responding

The highlighted lines (TACACS Request Timed out) show how the Cisco ASA attempts to communicate with the TACACS+ server three times and finally finishes all authentication transactions, reporting that the server host is not responding.

The show aaa-server command is useful while troubleshooting and monitoring authentication transactions. Example 7-24 includes the output of the show aaa-server command for all TACACS+ transactions.

Example 7-24. Monitoring and Troubleshooting TACACS+ Transactions with the show aaa-server Command

Chicago# show aaa-server protocol tacacs+
Server Group: mygroup
Server Protocol: tacacs+
Server Address: 172.18.173.109
Server port: 49
Server status: ACTIVE, Last transaction at 21:05:43 UTC Sun Aug 8 2004
Number of pending requests 0
Average round trip time 43ms
Number of authentication requests 4
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 3
Number of rejects 1
Number of challenges 4
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0

In Example 7-24, the Cisco ASA processed a total of four authentication requests. Three of those requests were successfully authenticated and one was rejected by the TACACS+ server.

Troubleshooting Firewall Sessions (Cut-Through Proxy)

The techniques to troubleshoot cut-through proxy sessions on Cisco ASA are similar to the ones mentioned in the previous section. Additionally, the show uauth command can be used to display information about authenticated users and current transactions. Example 7-25 shows the output of this command.

Example 7-25. Output of the show uauth Command

Chicago# show uauth
                        Current   Most Seen
Authenticated Users        0          0
Authen In Progress         1          3

In Example 7-25, the Most Seen column shows that the Cisco ASA has processed up to three concurrent authentication requests. One is currently being processed.
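Reading a debug tacacs transcript by hand works for one session, but a busy ASA emits many interleaved sessions. The following Python script, an added example that is not from the book or from Cisco, classifies each session in Examples 7-21 through 7-23 as PASS, FAIL or TIMEOUT and flags when the ASA declared the server unreachable; the embedded transcript is constructed and abridged from those examples, and the regular expressions assume the message formats shown there.

```python
import re
# Constructed transcript, abridged from Examples 7-21 through 7-23 above.
DEBUG_OUTPUT = """\
mk_pkt - type: 0x1, session_id: 4
user: user1
tacp_procpkt_authen: GETPASS
mk_pkt - type: 0x1, session_id: 4
tacp_procpkt_authen: PASS
TACACS Session finished. Session id: 4, seq no: 3
mk_pkt - type: 0x1, session_id: 5
user: user1
tacp_procpkt_authen: FAIL
TACACS Session finished. Session id: 5, seq no: 3
mk_pkt - type: 0x1, session_id: 6
user: user1
TACACS Request Timed out. Session id: 6, seq no:1
mk_pkt - type: 0x1, session_id: 6
TACACS Request Timed out. Session id: 6, seq no:1
mk_pkt - type: 0x1, session_id: 6
TACACS Request Timed out. Session id: 6, seq no:1
aaa server host machine not responding
"""
# Message formats as printed by the ASA in the examples above.
SESSION_RE = re.compile(r"session_id: (\d+)")                 # a packet built for a session
USER_RE = re.compile(r"^user: (\S+)")                          # username follows the mk_pkt line
RESULT_RE = re.compile(r"tacp_procpkt_authen: (PASS|FAIL)")    # GETPASS is a prompt, not a result
TIMEOUT_RE = re.compile(r"Request Timed out\. Session id: (\d+)")

def _new_session():
    return {"user": None, "result": "UNKNOWN", "timeouts": 0}

def summarize_sessions(debug_text):
    """Map session id -> user, final result (PASS/FAIL/TIMEOUT/UNKNOWN) and timeout count."""
    sessions, current = {}, None
    for line in map(str.strip, debug_text.splitlines()):
        if m := SESSION_RE.search(line):
            current = m.group(1)
            sessions.setdefault(current, _new_session())
        elif (m := USER_RE.match(line)) and current:
            sessions[current]["user"] = m.group(1)
        elif (m := RESULT_RE.search(line)) and current:
            sessions[current]["result"] = m.group(1)
        elif m := TIMEOUT_RE.search(line):
            sess = sessions.setdefault(m.group(1), _new_session())
            sess["timeouts"] += 1        # the ASA retries three times before giving up
            sess["result"] = "TIMEOUT"
    return sessions

def server_unreachable(debug_text):  # the final message of Example 7-23
    return "aaa server host machine not responding" in debug_text
```

A session left at UNKNOWN, or one that times out without the server being declared unreachable, is worth correlating with the show aaa-server counters for timeouts and retransmissions.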