Usage of failover exec mate command in Cisco ASA

So, recently I came across this situation  where I had to check the TACACS shared secret on standby ASA without directly logging into it.
Reason being that the standby firewall just wouldn’t let me log in directly.
Standby unit was earlier integrated with the AAA server.
My efforts of firstly removing the standby device from AAA server failed.
AAA server was throwing logs which suggested mismatching TACACS shared secret.

Cisco ASA has this handy command which you can execute from the primary ASA to get output from standby unit.
On the active unit, you can execute commands like

failover exec mate show run


You may log the session output to a file and check/verify your TACACS key provided it is not encrypted.
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s