Saturday, March 12, 2016

Usage of failover exec mate command in Cisco ASA

So, recently I came across a situation where I had to check the TACACS shared secret on a standby ASA without logging into it directly.
The reason was that the standby firewall just wouldn't let me log in directly.
The standby unit had earlier been integrated with the AAA server.
My attempts to first remove the standby device from the AAA server failed.
The AAA server was logging errors that suggested a mismatched TACACS shared secret.

Cisco ASA has a handy command that you can run on the active unit to get output from the standby unit.
On the active unit, you can execute commands like

failover exec mate show run

You may log the session output to a file and verify your TACACS key there, provided the key is not stored encrypted (an encrypted or masked key cannot be read back from the running configuration).
