Usage of failover exec mate command in Cisco ASA

So, recently I came across a situation where I had to check the TACACS shared secret on the standby ASA without directly logging into it.
The reason was that the standby firewall just wouldn't let me log in directly.
The standby unit had earlier been integrated with the AAA server.
My first effort, removing the standby device from the AAA server, failed.
The AAA server was throwing logs which suggested a mismatched TACACS shared secret.

Cisco ASA has a handy command which you can execute from the primary ASA to get output from the standby unit.
On the active unit, you can execute commands like:

failover exec mate show run


You may log the session output to a file and check/verify your TACACS key, provided it is not encrypted.
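One way to check such a saved session log, as an added example that is not part of the original post: the Python below reports, for each `aaa-server ... host` block, whether the key line is masked, encrypted, cleartext or absent, and can blank out cleartext keys before the log is kept. The sample log, group name, addresses and key value are constructed, and the log layout (a `key` line indented under each host line, an encrypted key shown as a type number followed by ciphertext) is an assumption.

```python
import re

# Constructed sample of a saved session log. Device name, server group,
# addresses and the key value are made up for illustration.
SAMPLE_LOG = """\
asa-active# failover exec mate show run
aaa-server TAC-GRP protocol tacacs+
aaa-server TAC-GRP (inside) host 192.0.2.10
 key *****
aaa-server TAC-GRP (inside) host 192.0.2.11
 key ExampleSecret1
aaa-server TAC-GRP (inside) host 192.0.2.12
 timeout 5
"""

HOST_RE = re.compile(r"^aaa-server\s+(\S+)\s+\(\S+\)\s+host\s+(\S+)")
KEY_RE = re.compile(r"^(\s+key\s+)(\S.*?)\s*$")

def classify_key(value):
    """Say how a key value is displayed without returning the value itself."""
    if set(value) == {"*"}:
        return "masked"      # the device hid the key; nothing to compare
    if re.fullmatch(r"\d+\s+\S+", value):
        return "encrypted"   # assumed form: type number, then ciphertext
    return "cleartext"       # readable, can be compared with the AAA server

def audit(log_text):
    """Return (group, host, key_state) for each aaa-server host block."""
    found, current = [], None
    for line in log_text.splitlines():
        host = HOST_RE.match(line)
        key = KEY_RE.match(line)
        if host:
            current = [host.group(1), host.group(2), "absent"]
            found.append(current)
        elif key and current:
            current[2] = classify_key(key.group(2))
        elif not line.startswith(" "):
            current = None   # a new top-level command ends the block
    return [tuple(entry) for entry in found]

def redact(log_text):
    """Blank out cleartext keys so the saved log does not keep the secret."""
    def scrub(line):
        key = KEY_RE.match(line)
        if key and classify_key(key.group(2)) == "cleartext":
            return key.group(1) + "<redacted>"
        return line
    return "\n".join(scrub(line) for line in log_text.splitlines())
```

Call `audit()` on the logged text to see which hosts expose a readable key, then write the result of `redact()` to disk instead of the raw session log.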
