https://community.cisco.com/t5/network-access-control/tacacs-authentication-fails-for-one-of-our-network-device/m-p/1863741#M227421 <HTML><HEAD></HEAD><BODY><P>We have Distributed deployment, and i found one of the Secondary instance is not connecting to domain. It giving following message " connection test to domain failed&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; - clock skew error.&nbsp; "</P></BODY></HTML> Fri, 06 Jan 2012 19:09:53 GMT Santosh Shetty 2012-01-06T19:09:53Z https://community.cisco.com/t5/network-access-control/tacacs-authentication-fails-for-one-of-our-network-device/m-p/1863737#M227415 <P>ACS 5.1 is failing to authenticate tacacs authentication to the ASA firewall, getting </P> Mon, 11 Mar 2019 01:41:38 GMT https://community.cisco.com/t5/network-access-control/tacacs-authentication-fails-for-one-of-our-network-device/m-p/1863737#M227415 Santosh Shetty 2019-03-11T01:41:38Z https://community.cisco.com/t5/network-access-control/tacacs-authentication-fails-for-one-of-our-network-device/m-p/1863738#M227417 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>If you access the ACS 5.x CLI and execute "show application status acs" are all the services running?</P><P></P><P>Also, under the ACS 5.x GUI Users and Identity Stores &gt; External Identity Stores &gt; Active Directory which is the status of the ACS under Connectivity Status? Is it showing as Connected or Disconnected?</P><P></P><P>Regards.</P></BODY></HTML> Fri, 06 Jan 2012 16:53:53 GMT https://community.cisco.com/t5/network-access-control/tacacs-authentication-fails-for-one-of-our-network-device/m-p/1863738#M227417 camejia 2012-01-06T16:53:53Z https://community.cisco.com/t5/network-access-control/tacacs-authentication-fails-for-one-of-our-network-device/m-p/1863739#M227419 <HTML><HEAD></HEAD><BODY><P>Carlos,</P><P></P><P>Thanks for the reply,</P><P></P><P>I verified all services are running and also AD status is connected.</P><P></P><P></P><P></P><P>All the device are able to authenticate using ACS except one which show up following error message in ACS log</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "24444 Active Directory Operation has failed because of an unspecified errro in the ACS"</P></BODY></HTML> Fri, 06 Jan 2012 18:29:01 GMT https://community.cisco.com/t5/network-access-control/tacacs-authentication-fails-for-one-of-our-network-device/m-p/1863739#M227419 Santosh Shetty 2012-01-06T18:29:01Z https://community.cisco.com/t5/network-access-control/tacacs-authentication-fails-for-one-of-our-network-device/m-p/1863740#M227420 <HTML><HEAD></HEAD><BODY><P>Hello Santosh,</P><P></P><P>I wanted to verify the following as well. How many ACS servers do you have on your network? Is it only one ACS server acting as standalone? Or do you have a Distributed Deployment with Secondary ACS Servers?</P><P></P><P>If you have multiple ACS servers, can you access the Failure log again and verify which ACS Instance is authenticating the ASA request? If it is a different ACS instance can you check the AD status on that one as well.</P><P></P><P>I will dig further on another options and I will be waiting for your response as well.</P><P></P><P>Regards.</P></BODY></HTML> Fri, 06 Jan 2012 18:35:15 GMT https://community.cisco.com/t5/network-access-control/tacacs-authentication-fails-for-one-of-our-network-device/m-p/1863740#M227420 camejia 2012-01-06T18:35:15Z https://community.cisco.com/t5/network-access-control/tacacs-authentication-fails-for-one-of-our-network-device/m-p/1863741#M227421 <HTML><HEAD></HEAD><BODY><P>We have Distributed deployment, and i found one of the Secondary instance is not connecting to domain. It giving following message " connection test to domain failed&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; - clock skew error.&nbsp; "</P></BODY></HTML> Fri, 06 Jan 2012 19:09:53 GMT https://community.cisco.com/t5/network-access-control/tacacs-authentication-fails-for-one-of-our-network-device/m-p/1863741#M227421 Santosh Shetty 2012-01-06T19:09:53Z https://community.cisco.com/t5/network-access-control/tacacs-authentication-fails-for-one-of-our-network-device/m-p/1863742#M227424 <HTML><HEAD></HEAD><BODY><P>That's what I suspected. You will have to deregister the secondary ACS from the Primary. Configure the appropriate Secondary ACS clock and timezone to match the AD Domain Controllers time. Both the clock change and the timezone change will restart the secondary ACS services for the changes to take effect.</P><P></P><P>After the appropriate time has been configured we should "Test Connection" against AD from the ACS GUI on the secondary. As soon as it succeds we can proceed and save changes and also register the secondary back to the primary.</P><P></P><P>This should address the issue.</P><P></P><P>Regards.</P></BODY></HTML> Fri, 06 Jan 2012 19:26:08 GMT https://community.cisco.com/t5/network-access-control/tacacs-authentication-fails-for-one-of-our-network-device/m-p/1863742#M227424 camejia 2012-01-06T19:26:08Z https://community.cisco.com/t5/network-access-control/tacacs-authentication-fails-for-one-of-our-network-device/m-p/1863743#M227428 <HTML><HEAD></HEAD><BODY><P>Hi&nbsp; Carlos,</P><P></P><P></P><P>Thanks for your help, everything working finally.</P></BODY></HTML> Mon, 09 Jan 2012 05:47:17 GMT https://community.cisco.com/t5/network-access-control/tacacs-authentication-fails-for-one-of-our-network-device/m-p/1863743#M227428 Santosh Shetty 2012-01-09T05:47:17Z