ASA / RADIUS / ACS Problem ?

jbigrow — Sun, 10 Mar 2019 21:52:10 GMT

Good Morning Folks;

Below is the output from the show aaa-servers from my asa5540. Notice the status "failed". When the status is thus (on both aaa servers) noone can login the the VPN on the ASA5540. I've checked the duplex / speed etc on the ports feeding the AAA servers and the ASA5540. no errors, no duplex problems..... Also

the AAA servers are used by other systems WITHOUT this problem. Also the ASA and the AAA machines are on the same local LAN segment....After approximately 10 minutes the status will go back to active.......

The ACS is version 3.3 the ASA is running 7.2(1)

I'm tring to findout exactly why the radius client on the ASA5540 is detecting this problem and exactly what it means and how to resolve it......

any help would be terrific.....

Server Group: infinity

Server Protocol: radius

Server Address: 192.168.1.23

Server port: 1645(authentication), 1646(accounting)

Server status: FAILED, Server disabled at 18:53:58 EDT Mon Nov 20 2006

Number of pending requests 0

Average round trip time 30ms

Number of authentication requests 61

Number of authorization requests 0

Number of accounting requests 0

Number of retransmissions 46

Number of accepts 28

Number of rejects 5

Number of challenges 25

Number of malformed responses 0

Number of bad authenticators 0

Number of timeouts 28

Number of unrecognized responses 0

Server Group: infinity

Server Protocol: radius

Server Address: 192.168.1.2

Server port: 1645(authentication), 1646(accounting)

Server status: FAILED, Server disabled at 18:53:57 EDT Mon Nov 20 2006

Number of pending requests 0

Average round trip time 0ms

Number of authentication requests 5

Number of authorization requests 0

Number of accounting requests 0

Number of retransmissions 0

Number of accepts 0

Number of rejects 0

Number of challenges 0

Number of malformed responses 0

Number of bad authenticators 0

Number of timeouts 5

Number of unrecognized responses 0

pierce(config)# show aaa-server

Server Group: LOCAL

Server Protocol: Local database

Server Address: None

Server port: None

Server status: ACTIVE, Last transaction at 18:58:46 EDT Mon Nov 20 2006

Number of pending requests 0

Average round trip time 0ms

Number of authentication requests 154

Number of authorization requests 0

Number of accounting requests 0

Number of retransmissions 0

Number of accepts 0

Number of rejects 154

Number of challenges 0

Number of malformed responses 0

Number of bad authenticators 0

Number of timeouts 0

Number of unrecognized responses 0

Server Group: infinity

Server Protocol: radius

pierce(config)# show aaa-server

Server Group: LOCAL

Server Protocol: Local database

Server Address: None

Server port: None

Server status: ACTIVE, Last transaction at 19:03:52 EDT Mon Nov 20 2006

Number of pending requests 0

Average round trip time 0ms

Number of authentication requests 163

Number of authorization requests 0

Number of accounting requests 0

Number of retransmissions 0

Number of accepts 0

Number of rejects 163

Number of challenges 0

Number of malformed responses 0

Number of bad authenticators 0

Number of timeouts 0

Number of unrecognized responses 0

Re: ASA / RADIUS / ACS Problem ?

a.kiprawih — Wed, 06 Dec 2006 16:02:19 GMT

Looks like your ASA lost connection with ACS/AAA server. This might not necessarily network connection, but could be application communication level which may be due to wrong entry in ACS for the ASA (check in ACS for correct ASA IP Address, authentication protocol via radius).

On ASA, make sure you can ping ACS Server to verify that network level connection works fine. Check the 'aaa-server' command point to the right interface (normally inside intf) where the ACS server sits, as well as the ACS IP Address.

Test the radius authentication with local user (create username/password in SA local dbase) to verify that ASA VPN-related config/services is running fine before pointing the actual VPN user authentication to ACS via radius.

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_guide_chapter09186a008063715a.html#wp1140273

HTH

Re: ASA / RADIUS / ACS Problem ?

jbigrow — Tue, 12 Dec 2006 18:44:42 GMT

Thanks for taking the time to reply.

I should have added that this problem is very intermittent. It will work for up to an hour

then the status failed will occur at which time the user community cannot login until the error condition automatically clears then everything works for a while again untill the ASA detects the "failed" status.

topic ASA / RADIUS / ACS Problem ? in Network Access Control

ASA / RADIUS / ACS Problem ?

Re: ASA / RADIUS / ACS Problem ?

Re: ASA / RADIUS / ACS Problem ?