
ACS5.3 - Could not establish connection with ACS Active Directory agent

pnavratil
Beginner

Hi all,

The customer runs quite a large network with a dot1x deployment - there are dual ACS 5.3 servers for authenticating wired, VPN and WiFi access. Users (and computers) are mostly authenticated against Active Directory - there are several AD servers in the network.

I found there are tens of cases every day with the error message:

24401 Could not establish connection with ACS Active Directory agent

This happens at random times of day and night, regardless of the current authentication load.

Can somebody point me to how to diagnose this more deeply? Or where to look – is it a problem with internal communication with the AD agent, or is the problem in communication from the AD agent to the AD servers? How is redundancy handled in case one AD server is not accessible – as there is no such setting in the AD connection configuration in ACS.

Regards

Pavel
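One way to answer "is this load-related or time-related?" from the data ACS already has is to bucket the failed-authentication report by hour and compare the 24401 count against the total authentication volume in the same hour, and to look for bursts of 24401 within a short window (a cluster of failures within a few seconds points at one agent disconnect event rather than steady load). The script below is an added example, not from the original thread or from Cisco; the comma-separated column layout of the sample lines is a constructed assumption for this example and is not a real ACS export format, so adjust `parse_lines` to match whatever your report export looks like.

```python
from collections import Counter
from datetime import datetime

# Constructed sample report lines (timestamp, identity, result, message code,
# message text). The layout is an assumption for this example only.
SAMPLE_LINES = """\
2012-05-14 02:13:05,user01,Passed,,
2012-05-14 02:14:11,user02,Failed,24401,Could not establish connection with ACS Active Directory agent
2012-05-14 02:20:44,host03$,Passed,,
2012-05-14 09:05:01,user04,Failed,24401,Could not establish connection with ACS Active Directory agent
2012-05-14 09:05:02,user05,Failed,24401,Could not establish connection with ACS Active Directory agent
2012-05-14 09:06:30,user06,Passed,,
2012-05-14 09:07:12,user07,Failed,OTHER,Constructed unrelated failure
2012-05-14 15:30:00,user08,Passed,,
"""

# Message code from the thread: AD agent unreachable from the ACS runtime.
AD_AGENT_ERROR = "24401"


def parse_lines(text):
    """Parse the constructed report format into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, identity, result, code, msg = line.split(",", 4)
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "identity": identity,
            "result": result,
            "code": code,
            "msg": msg,
        })
    return records


def hourly_summary(records, code=AD_AGENT_ERROR):
    """Return {hour: (total_auths, failures_with_code)} for each hour seen.

    If the failure count tracks the total, the problem is load-related; if
    failures appear in hours with little traffic, it is not.
    """
    totals = Counter()
    failures = Counter()
    for r in records:
        hour = r["time"].strftime("%Y-%m-%d %H:00")
        totals[hour] += 1
        if r["result"] == "Failed" and r["code"] == code:
            failures[hour] += 1
    return {h: (totals[h], failures[h]) for h in sorted(totals)}


def bursts(records, code=AD_AGENT_ERROR, window_seconds=60, min_count=2):
    """Group matching failures whose gaps are within window_seconds.

    Returns a list of (first_time, last_time, count) for groups of at least
    min_count events; each group likely corresponds to one agent disconnect.
    """
    times = sorted(r["time"] for r in records
                   if r["result"] == "Failed" and r["code"] == code)
    groups = []
    for t in times:
        if groups and (t - groups[-1][-1]).total_seconds() <= window_seconds:
            groups[-1].append(t)
        else:
            groups.append([t])
    return [(g[0], g[-1], len(g)) for g in groups if len(g) >= min_count]


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LINES)
    for hour, (total, failed) in hourly_summary(recs).items():
        print(f"{hour}: {failed} x {AD_AGENT_ERROR} out of {total} auths")
    for start, end, n in bursts(recs):
        print(f"burst of {n} between {start} and {end}")
```

Run the same bucketing against the adclient log timestamps on the ACS appliance and, if the 24401 bursts line up with agent reconnect messages there, the fault is between the ACS runtime and its AD agent rather than in the wider AD environment.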

9 REPLIES

camejia
Participant

Hello,

Can you go to both ACS servers under "Users and Identity Store > External Identity Stores > Active Directory" and click on Test Connection? Are the results successful for both ACS servers?

Some of the authentication requests might be hitting the secondary server, which might be having issues communicating with AD.

If this was helpful please rate.

Regards

Test connection was successful from both ACS.

Regards

Hello,

Was the issue occurring at the moment of the test or was authentication working as expected? We should check the AD connectivity status on both ACS servers when the authentication failures are reported.

Regards.

pnavratil
Beginner

I opened a Service Request with Cisco TAC and they found we are probably hitting the bug

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtx71254

It seems it is exactly our issue, as the ACS log contains the errors with "Running in disconnected mode: unlatch" - as in the bug description.

Regards

There is a new patch available for ACS 5.3, patch 3, that includes a fix for the issue above:

CSCtx71254: ACS 5.3 disconnecting from AD "unlatch" is seen in adclient logs

and some other issues related to Active Directory, as well as some other fixes.

Thank you for your info. We applied the patch today but the issue is still there. There has been an SR open for this earlier – it now continues – so the Cisco development team is working on it. As far as we know, most of the customers who were hit by this issue confirmed the new patch solved it for them, but unfortunately not in our case.

Regards

Pavel Navratil

Would be happy to dig in further but do not have an SR or case details.

I am also getting the same messages in my ACS. I am going to upgrade my ACS now.

Will post results of upgrade.

Regards

Ajay

Hi, after installing patch 3 I can see that I am not getting that "unlatch" message, which is a good indication that the problem might be solved. But I can only confirm that the AD connection issue is solved if it does not repeat in the next 24 hours.

Regards

Ajay
