multiple aaa-server hosts for vpn authentication

t-heeter
Level 1

ASA5510 - 7.2(1)

Using the following config, I am attempting to have multiple RADIUS servers configured for backup VPN authentication in case the primary fails. This appears to work OK. But once the primary server is back up, at what point will the ASA begin to use it again? The output of "show aaa-server host 172.25.4.20" says

Server status: FAILED, Server disabled at 08:04:25.

How do you re-enable it?

aaa-server adauth protocol radius
aaa-server adauth host 172.25.4.20
 key ***
 authentication-port 1812
 accounting-port 1813
aaa-server adauth host 172.25.4.40
 key ***
 authentication-port 1812
 accounting-port 1813
tunnel-group group general-attributes
 address-pool pool
 authentication-server-group adauth
 default-group-policy policy

Accepted Solution

ethiel
Level 3

You can add the option in the aaa-server group:

"reactivation-mode timed"

This causes a dead server to be re-added to the pool after 30 seconds.

The following link has some good info on the available options. I suggest searching the doc for "reactivation".

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/crt_711.pdf

-Eric

Please remember to rate all helpful posts.
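As an added example (not from the thread or from Cisco), here is a small audit script that parses an ASA aaa-server configuration like the one in the question and flags groups that have more than one host but no "reactivation-mode timed" line. The sample configuration is constructed from the poster's config plus a hypothetical second group named fixedauth; when a group carries no reactivation-mode line it is treated as the ASA default, depletion, in which a failed server is not retried until every server in the group has failed.

```python
import re
from typing import Dict, List

# Constructed sample: the adauth group from the post, plus a hypothetical
# fixedauth group that already applies the accepted answer.
SAMPLE_CONFIG = """\
aaa-server adauth protocol radius
aaa-server adauth host 172.25.4.20
 key ***
 authentication-port 1812
 accounting-port 1813
aaa-server adauth host 172.25.4.40
 key ***
 authentication-port 1812
 accounting-port 1813
aaa-server fixedauth protocol radius
 reactivation-mode timed
aaa-server fixedauth host 192.0.2.10
 key ***
aaa-server fixedauth host 192.0.2.11
 key ***
"""

GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
# The host form may carry an optional "(interface)" between group and host.
HOST_RE = re.compile(r"^aaa-server (\S+) (?:\(\S+\) )?host (\S+)$")
REACT_RE = re.compile(r"^\s+reactivation-mode (\S+)")


def _new_group(protocol: str) -> dict:
    # No reactivation-mode line means the ASA default: depletion.
    return {"protocol": protocol, "hosts": [], "reactivation_mode": "depletion"}


def parse_aaa_groups(config: str) -> Dict[str, dict]:
    """Return {group_name: {"protocol", "hosts", "reactivation_mode"}}."""
    groups: Dict[str, dict] = {}
    current = None  # group whose sub-command block we are currently inside
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups.setdefault(current, _new_group(m.group(2)))
            continue
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            groups.setdefault(current, _new_group("unknown"))["hosts"].append(m.group(2))
            continue
        m = REACT_RE.match(line)
        if m and current is not None:
            groups[current]["reactivation_mode"] = m.group(1)
    return groups


def find_risky_groups(config: str) -> List[str]:
    """Groups with a backup host that will not retry a recovered primary."""
    return sorted(name for name, g in parse_aaa_groups(config).items()
                  if len(g["hosts"]) > 1 and g["reactivation_mode"] != "timed")
```

Running find_risky_groups on the sample reports only adauth, the group from the question.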


4 Replies

amritpatek
Level 6

If you configured the authentication server using a DNS name then this problem will occur. Configure the authentication server using an IP address instead of the DNS name as a workaround.

I did use IP address. See config above.


I had added the option in the aaa-server group:

"reactivation-mode timed"

but it does not work!

When I restart one of the ACS servers, my ASA5520 tells me this:

Server Address: 10.1.100.35
Server port: 1645(authentication), 1646(accounting)
Server status: FAILED, Server disabled at 09:53:57 BJ Tue Dec 19 2006

And the server never becomes active again!

Can you help me? Thanks.