Cisco ASA 5500-X Series Next-Generation Firewalls

ASA Authentication to a Standby ASA When the AAA Device is Located Through a L2L Configuration Example

Document ID: 118089

Updated: Aug 13, 2014

Contributed by Gustavo Medina, Walter Lopez, and Alex Sanchez, Cisco TAC Engineers.



This document describes how to work around a scenario where the Administrator is not able to authenticate to a Standby Cisco Adaptive Security Appliance (ASA) in a Failover Pair due to the fact that the Authentication, Authorization, and Accounting (AAA) server is located on a remote location through a LAN-to-LAN (L2L).

Although fallback to LOCAL authentication can be used, RADIUS Authentication for both units is preferred.



Cisco recommends that you have knowledge of these topics:

  • ASA Failover
  • VPN
  • Network Address Translation (NAT)

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.


Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.

Network Diagram

The RADIUS server is located on the outside of the Failover Pair and it is reachable through a L2L tunnel to This is what causes the probem because the standby ASA tries to reach it through its own outside interface but there is no tunnel built on it at this point; for it to work, it should send the request to the active interface so the packet can flow across the VPN but the routes are replicated from the active unit.

One option is to use a fake IP address for the RADIUS Server on the ASAs and point it to the inside. Therefore, the source and destination IP address of this packet can be translated on an internal device.


interface FastEthernet0/0
ip address
no ip redirects
no ip unreachables
ip nat enable
duplex auto
speed auto

ip access-list extended NAT
permit ip host

ip nat source list NAT interface FastEthernet0/0 overload
ip nat source static

ip route


aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host
timeout 3
key *****
authentication-port 1812
accounting-port 1813

aaa authentication serial console LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL
aaa authentication http console RADIUS LOCAL
aaa authentication enable console RADIUS LOCAL

route outside 1
route inside 1

Note: The IP address was used in the example, but any unused IP address works.


Use this section in order to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) supports certain show commands. Use the Output Interpreter Tool in order to view an analysis of show command output.


Router#   show ip nat nvi tra
Pro Source global Source local Destin local Destin global
--- --- ---
--- --- ---


There is currently no specific troubleshooting information available for this configuration.

Updated: Aug 13, 2014
Document ID: 118089