Usage of failover exec mate command in Cisco ASA

So, recently I came across this situation  where I had to check the TACACS shared secret on standby ASA without directly logging into it.
Reason being that the standby firewall just wouldn’t let me log in directly.
Standby unit was earlier integrated with the AAA server.
My efforts of firstly removing the standby device from AAA server failed.
AAA server was throwing logs which suggested mismatching TACACS shared secret.

Cisco ASA has this handy command which you can execute from the primary ASA to get output from standby unit.
On the active unit, you can execute commands like

failover exec mate show run

You may log the session output to a file and check/verify your TACACS key provided it is not encrypted.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s