We have a pair of ACS 4.1 servers (Windows Server 2003 R2). Let's call them ACS1 and ACS2.
We don't want either one of them to proxy to any AAA server, including each other. We're using mostly TACACS authentication.
While troubleshooting a general problem, I'm guessing that one of us did this on ACS1:
pressed the Network Configuration button,
saw the Proxy Distribution Table
moved ACS1 from the AAA Servers column to the Forward To column.
So, essentially, we're telling ACS1 to proxy all requests to itself, which doesn't seem to make sense. I don't know for sure whether it should work when configured to "self proxy," but in that state, it does not authenticate anyone and gives merely "Internal error" as the reason.
If I change the configuration so that "ACS2" appears in the Forward To column, and I move "ACS1" back to AAA Servers and restart, ACS1 starts responding correctly to TACACS requests. Of course, ACS1 is just proxying all requests to ACS2, so having two servers isn't doing much good.
I cannot simply remove ACS1 from the Forward To column and leave it empty. The interface complains that it can't forward to zero servers. Of course, on ACS2, there are no servers in the Forward To column, since we never touched the Proxy Distribution Table there.
Is there any way to return the Proxy Distribution Table to its default setup, that is, no servers appear in the "Forward To" column?
We're planning to upgrade to version 4.2 very soon, so this question is mostly academic, unless the same problem exists in 4.2.
For full disclosure, I should mention that the problem we were troubleshooting was loss of connectivity to our Windows Domain Controllers from our ACS servers. We had missed adding some exceptions in our firewalls to allow for four new DCs. As far as we can tell from testing, connectivity to the DCs is now fine. The firewall rules group ACS1 and ACS2 together, so connectivity should be the same, and ACS2 authenticates users correctly.
By default the ACS 4.x Proxy Distribution Settings should have the ACS entry for itself on the Forward To box. Your ACS1 entry should be on the Forward To box.
The Internal Error message on the ACS should be highligthing a different issue on your ACS1. Also, the message stating that we cannot have zero servers on the "Forward To" box is expected.
Set your ACS1 for Full Logging Detail (System Configuration > Service Control) and configure the ACS1 entry under the Forward To box. Recreate the authentication issue and collect a package.cab file. If you have an ACS for Windows, under the ACS Installation folder look for the CSAuth folder > Logs and share the auth.log file with a failure timestamp for us to review the ACS logs when failing with Internal Error.
Thanks very much for your suggestions. It was helpful to hear that having the ACS1 in its own Forward To list is OK and normal, but I can assure you that our other server does not look that way. There's nothing in its Forward To list, which is what I'd expect.
In any case, we punted and upgraded, first to ACS v184.108.40.206, which did not fix the problem, and then to ACS v220.127.116.11, which made the problem go away.
I'll report back after we upgrade the other server. I'm very curious to see if it (ACS2) appears in its own Forward To list after we do the upgrade + patch.