topic Re: ASA can reactive radius server in aaa group in Network Security

ASA can reactive radius server in aaa group

jewfcb001 — Tue, 24 May 2022 07:52:09 GMT

Hi All ,

I try to test ASA authenticate with Radius Server . Incase AAA-Group We have 2 Radius server If the first radius fail .ASA will authenticate with the second radius server but If the first radius come back ASA not go back authenticate with the first radius.

I see in document about command " reactivation-mode {depletion [deadtime minutes] | timed} " I'm not sure I will waiting 10 minutes or not for ASA go back to the first radius server . Please advise me.

Re: ASA can reactive radius server in aaa group

Udupi Krishna. — Tue, 24 May 2022 11:48:21 GMT

By definition, when in depletion mode a failed server is activated only when all the other servers in the group fail/become inactive. You need to set the dead time internal if depletion mode is select.

E.g. If the 1st server is considered inactive, requests go to 2nd server. Unless and until 2nd server is considered inactive, the 1st server is never re-activated.

If you select timed instead, an inactive server is automatically reactivated after 30 seconds

Re: ASA can reactive radius server in aaa group

jewfcb001 — Tue, 24 May 2022 11:54:59 GMT

@Udupi Krishna.

You mean Do I no need change configuration on ASA ? because ASA will automatically reactivated AAA Server after 30 seconds.

My understand is If 1st Server Fail . ASA go to 2nd Server and after 30 seconds If 1st server online. ASA will automatic go to 1st server but If 1st server not coming It go to 2nd server . My understand correct ?

Re: ASA can reactive radius server in aaa group

Udupi Krishna. — Tue, 24 May 2022 12:02:24 GMT

Partially. If the reactivation mode is set to depletion, it wont reactivate an inactive server unless all servers within the AAA/RADIUS group is inactive.

However if you set the reactivation mode to timed, an inactive server is automatically reactivated after 30 secs.

Re: ASA can reactive radius server in aaa group

jewfcb001 — Tue, 24 May 2022 12:12:14 GMT

I see in configuration guide default configuration set 10 minutes . In this case I waiting 2nd server fail 1st server will coming or not

or necessary 2nd server fail . asa go to 1st server by automatic. because I try to test asa still go to 2nd not change.

Re: ASA can reactive radius server in aaa group

Udupi Krishna. — Tue, 24 May 2022 13:16:23 GMT

When in depletion mode and as highlighted in the image, it will not go back or reactivate the 1st inactive server unless the 2nd server is also considered inactive.

Re: ASA can reactive radius server in aaa group

jewfcb001 — Tue, 24 May 2022 13:28:04 GMT

@Udupi Krishna.

Thank you for your answer . As you mention this is behavior of ASA or not ? Do you have solution ASA go to 1st server If 1st server active ?

Re: ASA can reactive radius server in aaa group

Udupi Krishna. — Tue, 24 May 2022 13:52:17 GMT

This is an expected behaviour.

ASA doesn't have a mechanism to poll and check a server's status and make a decision to change its status.

If you set the reactivation mode to "timed" instead of "depletion" it can automatically reactivate a server, however if the reactivated server is still down/not functioning at that point of time, there may be an increased delay in authentication.

Depletion mode is generally recommended to avoid such delays. You can always manually activate an inactive server once it's confirmed to be functioning and ready to accept authentication requests.

e.g. command

aaa-server <radius-server group name> active host <server IP>

Re: ASA can reactive radius server in aaa group

jewfcb001 — Tue, 24 May 2022 14:00:15 GMT

@Udupi Krishna.

Thank you for your answer and advisory Oh! I just understand reactivation has 2 mode "timed" and "depletion"

And as you mention below. If in that point 1st fail asa will go to 2nd server or not ?

if the reactivated server is still down/not functioning at that point of time, there may be an increased in delay in authentication.

Re: ASA can reactive radius server in aaa group

Udupi Krishna. — Tue, 24 May 2022 14:07:27 GMT

Happy to help!!

If the reactivation mode is depletion and 1st server fails, ASA will automatically send authentication requests to 2nd server. 1st server is "not" activated until 2nd server fails (you can manually activate an inactive server)

If the reactivation mode is timed and 1st server fails, ASA will automatically send authentication requests to 2nd server. ASA will also re-activate the 1st server after 30 secs but this can cause delays if the failed server hasn't recovered.

Do rate helpful posts 🙂

Re: ASA can reactive radius server in aaa group

jewfcb001 — Thu, 26 May 2022 07:15:55 GMT

@Udupi Krishna.

Thank you for response.

By the way. I see in document. about mode is depletion . Will asa re-enable after 10minutes ?

Re: ASA can reactive radius server in aaa group

Udupi Krishna. — Sat, 28 May 2022 10:26:24 GMT

The 10 mins dead interval is after the 2nd or the last server in the group fails and time it waits before activating all the servers again