ASA / RADIUS / ACS Problem ?

jbigrow
Visitor

Good Morning Folks;

Below is the output from "show aaa-server" on my ASA5540. Notice the status "FAILED". When the status is thus (on both AAA servers) no one can log in to the VPN on the ASA5540. I've checked the duplex/speed etc. on the ports feeding the AAA servers and the ASA5540: no errors, no duplex problems. Also, the AAA servers are used by other systems WITHOUT this problem, and the ASA and the AAA machines are on the same local LAN segment. After approximately 10 minutes the status will go back to ACTIVE.

The ACS is version 3.3; the ASA is running 7.2(1).

I'm trying to find out exactly why the RADIUS client on the ASA5540 is detecting this problem, exactly what it means, and how to resolve it.

Any help would be terrific.

Server Group: infinity
Server Protocol: radius
Server Address: 192.168.1.23
Server port: 1645(authentication), 1646(accounting)
Server status: FAILED, Server disabled at 18:53:58 EDT Mon Nov 20 2006
Number of pending requests 0
Average round trip time 30ms
Number of authentication requests 61
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 46
Number of accepts 28
Number of rejects 5
Number of challenges 25
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 28
Number of unrecognized responses 0

Server Group: infinity
Server Protocol: radius
Server Address: 192.168.1.2
Server port: 1645(authentication), 1646(accounting)
Server status: FAILED, Server disabled at 18:53:57 EDT Mon Nov 20 2006
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 5
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 0
Number of rejects 0
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 5
Number of unrecognized responses 0

pierce(config)# show aaa-server
Server Group: LOCAL
Server Protocol: Local database
Server Address: None
Server port: None
Server status: ACTIVE, Last transaction at 18:58:46 EDT Mon Nov 20 2006
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 154
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 0
Number of rejects 154
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0

Server Group: infinity
Server Protocol: radius

pierce(config)# show aaa-server
Server Group: LOCAL
Server Protocol: Local database
Server Address: None
Server port: None
Server status: ACTIVE, Last transaction at 19:03:52 EDT Mon Nov 20 2006
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 163
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 0
Number of rejects 163
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0
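As an added example (not code from the thread or from Cisco), here is a small Python parser for the "show aaa-server" block above that pulls out each server's status and counters and flags RADIUS servers that are already FAILED or whose timeout-to-request ratio is high, since consecutive request timeouts are what push the ASA to mark a server FAILED. The sample text is constructed to mirror the output quoted above, and the 10% ratio threshold is an assumed monitoring value, not an ASA setting.

```python
import re

# Constructed sample in the format of the ASA 7.2 "show aaa-server" output quoted above.
SAMPLE = """\
Server Group: infinity
Server Protocol: radius
Server Address: 192.168.1.23
Server status: FAILED, Server disabled at 18:53:58 EDT Mon Nov 20 2006
Number of authentication requests 61
Number of retransmissions 46
Number of timeouts 28
Server Group: LOCAL
Server Protocol: Local database
Server Address: None
Server status: ACTIVE, Last transaction at 18:58:46 EDT Mon Nov 20 2006
Number of authentication requests 154
Number of timeouts 0
"""

COUNTER_RE = re.compile(r"Number of (.+?) (\d+)$")  # e.g. "Number of timeouts 28"


def parse_show_aaa_server(text):
    """Return one dict per 'Server Group:' block: header fields plus a counters dict."""
    servers, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server Group:"):
            cur = {"group": line.partition(":")[2].strip(), "counters": {}}
            servers.append(cur)
        elif cur is None:
            continue  # prompt/echo lines before the first block
        elif line.startswith("Server ") and ":" in line:
            key, _, val = line[len("Server "):].partition(":")
            cur[key.strip().lower()] = val.strip()  # protocol, address, port, status
        else:
            m = COUNTER_RE.match(line)
            if m:
                cur["counters"][m.group(1)] = int(m.group(2))
    return servers


def timeout_ratio(server):
    """Fraction of authentication requests that timed out (0.0 when none were sent)."""
    reqs = server["counters"].get("authentication requests", 0)
    return server["counters"].get("timeouts", 0) / reqs if reqs else 0.0


def unhealthy(servers, max_ratio=0.1):
    """RADIUS servers already FAILED, or with a timeout ratio above max_ratio."""
    return [s for s in servers if s.get("protocol") == "radius"
            and (s.get("status", "").startswith("FAILED") or timeout_ratio(s) > max_ratio)]
```

Run periodically against captured output, a rising timeout ratio on a server that is still ACTIVE gives warning before the ASA disables it; the roughly 10-minute recovery the post describes matches the ASA's default depletion-mode deadtime, after which a disabled server is retried.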

2 Replies

a.kiprawih
Level 11

Looks like your ASA lost connection with the ACS/AAA server. This might not necessarily be a network connection problem, but could be at the application communication level, which may be due to a wrong entry in ACS for the ASA (check in ACS for the correct ASA IP address and authentication protocol via RADIUS).

On the ASA, make sure you can ping the ACS server to verify that the network level connection works fine. Check that the 'aaa-server' command points to the right interface (normally the inside interface) where the ACS server sits, as well as the ACS IP address.

Test the RADIUS authentication with a local user (create a username/password in the ASA local database) to verify that the ASA VPN-related config/services are running fine before pointing the actual VPN user authentication to ACS via RADIUS.

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_guide_chapter09186a008063715a.html#wp1140273

HTH

AK

Thanks for taking the time to reply.

I should have added that this problem is very intermittent. It will work for up to an hour, then the FAILED status will occur, at which time the user community cannot log in until the error condition automatically clears; then everything works for a while again until the ASA detects the "FAILED" status.