2788 Views, 0 Helpful, 15 Replies
ACS redundancy

-kostas-
Level 1

Greetings all,

I am trying to configure an ACS redundancy model in our routers. We have 2 ACS servers running on W2K. In the router configuration I've made an "aaa group server tacacs+ test" and denoted our 2 ACS servers from the global config.

However, when I shut down the first ACS server, the whole thing doesn't work and I get a strange error from the debug (see below).

Below is a snapshot from the config just in case I left something out.

Has anyone implemented this?

Thanx in advance,

Kostas

-----------------------------------------------------------------------------------------------------------

aaa new-model
!
!
aaa group server tacacs+ TEST
 server 10.10.10.1
 server 10.10.10.2
!
aaa authentication login telnet group tacacs+ local
aaa authentication login aux local
aaa authentication login console local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa session-id common
.
.
.
!
tacacs-server host 10.10.10.1 key tes1t
tacacs-server host 10.10.10.2 key tes2t
tacacs-server directed-request
.
.
.
line con 0
 login authentication console
line aux 0
 login authentication aux
line vty 0 4
 login authentication telnet
 transport input telnet
!
end

-----------------------------------------------------------------------------------------------------------

debug-error:

Jun 2 13:04:31.611: TPLUS: Queuing AAA Authentication request 12951 for processing
Jun 2 13:04:31.611: TPLUS: processing authentication start request id 12951
Jun 2 13:04:31.611: TPLUS: Authentication start packet created for 12951()
Jun 2 13:04:31.611: TPLUS: Using server 10.10.10.1
Jun 2 13:04:31.615: TPLUS(00003297): Select released but nopeername.. Failover
Jun 2 13:04:31.615: TPLUS: Choosing next server: 10.10.10.2
Jun 2 13:04:36.616: TPLUS(00003297): Select Timed out
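As an added illustration (not part of the original thread or of Cisco's tooling), the following Python script reads TPLUS debug output like the lines quoted above and summarises, for the request, which TACACS+ server was tried and how each attempt ended. It assumes the lines belong to a single request in order (real debug output can interleave several requests, which this simple state machine does not separate), and the "Received" keyword used to recognise a server reply is an assumption rather than something taken from the post.

```python
"""Summarise Cisco IOS 'debug tacacs' (TPLUS) output: which TACACS+ servers
were tried for an authentication request and how each attempt ended.

Added example, not code from the thread. Assumes the debug lines describe one
request in chronological order."""

import re
from datetime import datetime

# Constructed sample: the TPLUS debug lines quoted in the post above.
SAMPLE_DEBUG = """\
Jun 2 13:04:31.611: TPLUS: Queuing AAA Authentication request 12951 for processing
Jun 2 13:04:31.611: TPLUS: processing authentication start request id 12951
Jun 2 13:04:31.611: TPLUS: Authentication start packet created for 12951()
Jun 2 13:04:31.611: TPLUS: Using server 10.10.10.1
Jun 2 13:04:31.615: TPLUS(00003297): Select released but nopeername.. Failover
Jun 2 13:04:31.615: TPLUS: Choosing next server: 10.10.10.2
Jun 2 13:04:36.616: TPLUS(00003297): Select Timed out
"""

# IOS timestamp, optional TPLUS(handle), then the free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"TPLUS(?:\((?P<handle>[0-9A-Fa-f]+)\))?: (?P<msg>.*)$"
)
REQUEST_RE = re.compile(r"request(?: id)? (\d+)")
SERVER_RE = re.compile(r"(?:Using server|Choosing next server:) (\d+\.\d+\.\d+\.\d+)")


def _parse_ts(text):
    # IOS timestamps carry no year; it does not matter for elapsed time.
    return datetime.strptime(text, "%b %d %H:%M:%S.%f")


def analyze_tplus(debug_text):
    """Return a dict with the request id, one entry per server attempt with its
    outcome, whether every server failed, and the elapsed time of the exchange."""
    summary = {"request": None, "attempts": [], "all_servers_failed": False,
               "elapsed_seconds": None}
    first_ts = last_ts = None
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a TPLUS debug line
        ts = _parse_ts(m["ts"])
        first_ts = first_ts or ts
        last_ts = ts
        msg = m["msg"]
        if summary["request"] is None and (r := REQUEST_RE.search(msg)):
            summary["request"] = r.group(1)
        if s := SERVER_RE.search(msg):
            # The router picked a server; its outcome is unknown until a later line.
            summary["attempts"].append({"server": s.group(1), "result": "pending"})
        elif summary["attempts"]:
            current = summary["attempts"][-1]
            if "Failover" in msg:
                current["result"] = "failover"  # router gave up on this server at once
            elif "Timed out" in msg:
                current["result"] = "timeout"   # no reply within tacacs-server timeout
            elif "Received" in msg:
                current["result"] = "replied"   # assumed keyword for a server response
    if summary["attempts"] and all(
        a["result"] in ("failover", "timeout") for a in summary["attempts"]
    ):
        summary["all_servers_failed"] = True
    if first_ts and last_ts:
        summary["elapsed_seconds"] = round((last_ts - first_ts).total_seconds(), 3)
    return summary


if __name__ == "__main__":
    result = analyze_tplus(SAMPLE_DEBUG)
    print(f"request {result['request']}: all servers failed = {result['all_servers_failed']}")
    for attempt in result["attempts"]:
        print(f"  {attempt['server']}: {attempt['result']}")
    print(f"  elapsed: {result['elapsed_seconds']} s")
```

Run on the posted sample, the summary shows that the router did fail over: 10.10.10.1 was abandoned immediately ("nopeername.. Failover") and 10.10.10.2 was then tried and timed out, so neither configured server answered request 12951. The 5.005 s between the first and last line matches the IOS default tacacs-server timeout of 5 seconds per server, which is also the delay a login sees before the "local" fallback in the method list is consulted.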

15 Replies

Hi Mynu,

Well no, that isn't the case. We are not trying to authenticate users with the domain accounts. Actually we don't have domain accounts at all. :-)

We use ACS only for our NOC people for strictly telnet purposes, for some custom scripts and for some VoIP testing. But the main reason for the existence of ACS is for telnet reasons.

The case is the second example that you are giving.

I stop all the services on the primary ACS (even unplugged the network cable) and then try to log in to the router with the backup ACS, and that doesn't work.

The thing with the replication crossed my mind, so what I did was delete ALL the entries in the backup ACS and do a manual replication, and all worked well.

As for the IOS bug, I read about the one (CSCdx41454) for the problem with routers that have loopbacks, but the router which I experiment with doesn't have a loopback and has only one FastEthernet active with a default-gateway.

As for the version, well, to tell you the truth we have many routers, from GSR12000, 7200, 3640, AS5300, in different PoPs, so it's kind of difficult to get the IOS versions from all of them. In a statistical experiment, I tried to check the redundancy in various boxes in various PoPs (after stopping the active ACS) but none of them worked, so I thought that it couldn't be an IOS bug. Nevertheless, if you think that there is a bug problem I can send you a full list of the various IOS versions plus the package.cab files as I did with Yatin. Just for the record I will c/p the sh ver output of the router I am experimenting with.

Finally, the strange situation is that when the backup ACS takes the place of the active ACS and the active ACS becomes backup, everything seems to work well. At least in a couple of routers that I've tested it on.

Thanks in advance,

/kostas

----------------------------------------------------------------------------------------------------

#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 5300 Software (C5300-JK8S-M), Version 12.2(11)T, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Wed 31-Jul-02 20:11 by ccai
Image text-base: 0x60008938, data-base: 0x61730000

ROM: System Bootstrap, Version 12.0(2)XD1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
BOOTLDR: 5300 Software (C5300-BOOT-M), Version 12.0(4)T1, RELEASE SOFTWARE (fc1)

uptime is 6 weeks, 6 days, 2 hours, 20 minutes
System returned to ROM by reload at 11:20:41 EDT Tue Apr 22 2003
System restarted at 11:21:31 EDT Tue Apr 22 2003
System image file is "flash:c5300-jk8s-mz.122-11.T.bin"

cisco AS5300 (R4K) processor (revision A.32) with 131072K/16384K bytes of memory.
Processor board ID 24710123
R4700 CPU at 150Mhz, Implementation 33, Rev 1.0, 512KB L2 Cache
Channelized E1, Version 1.0.
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
Primary Rate ISDN software, Version 1.1.
Backplane revision 2
Manufacture Cookie Info:
 EEPROM Type 0x0001, EEPROM Version 0x01, Board ID 0x30,
 Board Hardware Version 3.2, Item Number 800-2544-04,
 Board Revision B0, Serial Number 24710123,
 PLD/ISP Version 0.0, Manufacture Date 25-Feb-2001.
1 Ethernet/IEEE 802.3 interface(s)
1 FastEthernet/IEEE 802.3 interface(s)
128 Serial network interface(s)
4 Channelized E1/PRI port(s)
60 DSP(s), 120 Voice resource(s)
128K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)
8192K bytes of processor board Boot flash (Read/Write)

-----------------------------------------------------------------------------------------------------------