8732 Views, 0 Helpful, 3 Replies

113022: AAA Marking server 0.0.0.0 as failed

mismtk2007
Level 1

Just changed AAA to use LDAP to MS2K8 AD rather than former RADIUS. Simply added hosts to existing LDAP group through ASDM. It is working fine, but I am getting tons of the following in the logs ...

May 29 12:54:14 pix2-inside May 29 2009 12:56:11: %PIX-2-113022: AAA Marking RADIUS server 0.0.0.0 in aaa-server group RADIUS as FAILED
May 29 12:55:46 pix2-inside May 29 2009 12:57:43: %PIX-2-113022: AAA Marking LDAP server 0.0.0.0 in aaa-server group LDAP as FAILED
May 29 12:58:51 pix2-inside May 29 2009 13:00:47: %PIX-2-113022: AAA Marking LDAP server 0.0.0.0 in aaa-server group LDAP as FAILED

Config ...

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host LAN-EVE
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host LAN-JAMES
aaa-server LDAP (inside) host LAN-JOHN
aaa authentication ssh console LDAP LOCAL
aaa authentication enable console LDAP LOCAL
aaa authentication http console LDAP LOCAL
aaa authentication secure-http-client

Test through ASDM working for each configured host.

Anyone know why I am getting these messages?

3 Replies

sadbulali
Level 4

You may try adding the user with zero privs and power off the server and restart it.

freyguy
Level 1

Hiya;

I had this issue and it was the result of turning off name resolution in the configuration and logs (using the "no names" command).

Either reverse that command (i.e. "names") or add the aaa-server with its IP address instead of its name,

e.g.

aaa-server RADIUS (inside) host 111.222.333.444
aaa-server LDAP (inside) host 222.333.444.555
aaa-server LDAP (inside) host 333.444.555.666

you get the idea...

Hope that helps...

-- KevFrey --
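The symptom in the question and the fix in the reply above can be checked mechanically: a %PIX-2-113022 event whose server address is 0.0.0.0 for a group whose hosts are configured by name points at name resolution rather than at the AAA server itself. The following is an added example written for this thread, not code from Cisco or from any poster; it parses the log lines and the aaa-server config quoted in the question (embedded as constructed sample input) and reports which groups show that combination. The message format is assumed to be exactly as quoted above.

```python
import re

# Constructed sample input: the three syslog lines quoted in the question
# (relay timestamp, PIX hostname, then the PIX's own timestamp and message).
SAMPLE_LOG = """\
May 29 12:54:14 pix2-inside May 29 2009 12:56:11: %PIX-2-113022: AAA Marking RADIUS server 0.0.0.0 in aaa-server group RADIUS as FAILED
May 29 12:55:46 pix2-inside May 29 2009 12:57:43: %PIX-2-113022: AAA Marking LDAP server 0.0.0.0 in aaa-server group LDAP as FAILED
May 29 12:58:51 pix2-inside May 29 2009 13:00:47: %PIX-2-113022: AAA Marking LDAP server 0.0.0.0 in aaa-server group LDAP as FAILED
"""

# Constructed sample config: the aaa-server lines from the question, with the
# hosts referenced by name rather than by address.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host LAN-EVE
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host LAN-JAMES
aaa-server LDAP (inside) host LAN-JOHN
"""

# Message format assumed from the lines quoted in the question.
MSG_113022 = re.compile(
    r"%PIX-2-113022: AAA Marking (?P<proto>\S+) server (?P<server>\S+) "
    r"in aaa-server group (?P<group>\S+) as FAILED"
)
# "aaa-server <group> (<interface>) host <name-or-address>"
AAA_HOST = re.compile(
    r"^aaa-server (?P<group>\S+) \((?P<iface>[^)]+)\) host (?P<host>\S+)"
)
IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def is_ipv4(text):
    """True only for a dotted quad whose four octets are all in 0..255."""
    m = IPV4.match(text)
    return bool(m) and all(0 <= int(octet) <= 255 for octet in m.groups())


def parse_failed_events(log_text):
    """Extract every 113022 event; 0.0.0.0 is flagged as an unresolved server."""
    events = []
    for line in log_text.splitlines():
        m = MSG_113022.search(line)
        if m:
            events.append({
                "proto": m["proto"],
                "server": m["server"],
                "group": m["group"],
                "unresolved": m["server"] == "0.0.0.0",
            })
    return events


def hosts_by_name(config_text):
    """Return aaa-server hosts that are configured by name, keyed by group."""
    named = {}
    for line in config_text.splitlines():
        m = AAA_HOST.match(line.strip())
        if m and not is_ipv4(m["host"]):
            named.setdefault(m["group"], []).append(m["host"])
    return named


def diagnose(log_text, config_text):
    """Groups whose FAILED events carry 0.0.0.0 and whose hosts are set by name.

    Returns {group: [hostnames]} for each such group; an empty dict means the
    failures are not explained by name resolution and the servers themselves
    should be examined.
    """
    named = hosts_by_name(config_text)
    findings = {}
    for event in parse_failed_events(log_text):
        if event["unresolved"] and event["group"] in named:
            findings[event["group"]] = named[event["group"]]
    return findings


if __name__ == "__main__":
    for group, hosts in diagnose(SAMPLE_LOG, SAMPLE_CONFIG).items():
        print(f"group {group}: marked FAILED with 0.0.0.0; hosts configured by name: {hosts}")
```

Feed it the real syslog and a `show running-config aaa-server` dump instead of the samples; an empty result from `diagnose` means the 113022 events carry a real address, which is a different problem (reachability, shared secret, or the server itself) than the one discussed here.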

Tarik Admani
VIP Alumni

Here is the bug id for what you are hitting: CSCsj64402

I tried to find the exact details of the bug but for some reason cannot access the bug toolkit at the moment. Basically there is a delay before cdp settles which fails the first few DNS lookups when you have your servers configured by name instead of IP. The individual before my post is correct: if you want to move past this you can configure the servers by IP address and move past this issue. Usually this shows up when the PIX is first booted up. Did this occur during bootup or initial configuration of the servers, or does this occur every time you test authentication?

Thanks,
