topic AAA RADIUS issue in Network Access Control

AAA RADIUS issue

Vitor Stefaneli — Mon, 11 Mar 2019 05:12:44 GMT

Hello everybody.

I am having some trouble when lots of users try to connect via Anyconnect on my ASA (5545-X).

At the peak some users complaints they cannot authenticate and I see these messages flaping on logs:

%ASA-2-113022: AAA Marking RADIUS server 1.1.1.1 in aaa-server group SRV-RADIUS1 as FAILED
%ASA-2-113023: AAA Marking RADIUS server 1.1.1.1 in aaa-server group SRV-RADIUS1 as ACTIVE

After a while it get back working normaly and has no more message like that.

Changing the "timeout" parameter (default is 10) to a higher number is a good idea? Or the problem could be at Radius server?

aaa-server SRV-RADIUS1 protocol radius
aaa-server SRV-RADIUS1 (inside) host 1.1.1.1
time-out 20

thnks

Couple of questions:1. How

nspasov — Tue, 25 Nov 2014 04:02:37 GMT

Couple of questions:

1. How many VPN users do you have concurrently authenticating against the Radius server

2. What type of Radius solution are you using

Thank you for rating helpful posts!

So, it is usually about of

Vitor Stefaneli — Tue, 25 Nov 2014 13:21:08 GMT

So, it is usually about of 400 total users. I think that are not more than 10 users accessing the Radius at same time on peak hours. The Radius runs on a Windows 2003 platform.
I've changed the timeout and the problem appears stopped.

But I also noted that the ASA sends lots of attributes to Radius server.
Actually I need just two: user (1) and password (2).

I have a new question: Is it possible to change the number of attributes ASA sends out??? I mean, to do not include attrib (26) Vendor-Specific, for example.

Thks again

(sorry my english)

Hi Vitor and sorry for the

nspasov — Sat, 29 Nov 2014 00:05:07 GMT

Hi Vitor and sorry for the delayed reply! Your English is just fine! 🙂

I am glad that changing the "timeout" value have solved the problem.

On your second question: I never had to filter any attributes out of the ASA and I am not sure if it is possible. With that being said, I don't think that the issue was/is with the ASA sending too much logging/Radius info. If you only had around 10 concurrent users during your peak hours then there is no way that they overwhelmed the Radius server 🙂 The fact that the issue went away after changing the "timeout" value leads me to believe that the problem is related to something else. For instance, RTT (round trip delay) between the aaa server and your ASA or link saturation that causes bandwidth starvation which cases the server to timeout in the ASA...just some ideas here 🙂

I hope this helps!

Thank you for rating helpful posts!

Hi @Neno, i guess you are

Vitor Stefaneli — Fri, 05 Dec 2014 12:26:49 GMT

Hi @Neno, i guess you are right. It´s something other than some ASA problem.

Actually, after some working on that, we figured out that is caused probably by an application code/platform problem.

My ask about changing the RADIUS attribs that ASA sends, in fact is an 'help' to the application. Cause if it did not receive these attributes, it will not process that, and the RTT may decrease.

Anyway, now we are looking for the possibilities to change the application or improve the infrastructure.

Thank you for your attention.

Regards.

Filtering the attributes

nspasov — Sat, 06 Dec 2014 18:45:43 GMT

Filtering the attributes would make sense if you could confirm that the server is being overwhelmed. For instance, check the CPU and memory utilization. If those are normal then the server is fine. You can also do a traceroute to the Radius server from a PC that is behind the ASA and see if there any loops or hops that have large RTT.

Either way, let us know what the solution is.

Thank you for rating helpful posts!