10-12-2006 12:36 PM - edited 03-10-2019 02:47 PM
ASA5510 - 7.2(1)
Using the following config, I am attempting to have multiple RADIUS servers configured for backup VPN authentication in case the primary fails. This appears to work ok. But once the primary server is back up, at what point will the ASA begin to use it again? The output of "show aaa-server host 172.25.4.20" says
Server status: FAILED, Server disabled at 08:04:25.
How do you reenable it?
aaa-server adauth protocol radius
aaa-server adauth host 172.25.4.20
 key ***
 authentication-port 1812
 accounting-port 1813
aaa-server adauth host 172.25.4.40
 key ***
 authentication-port 1812
 accounting-port 1813
tunnel-group group general-attributes
 address-pool pool
 authentication-server-group adauth
 default-group-policy policy
10-18-2006 05:16 PM
You can add the option in the aaa-server group:
"reactivation-mode timed"
This causes a dead server to be re-added to the pool after 30 seconds.
The following link has some good info on the available options. I suggest searching the doc for "reactivation".
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/crt_711.pdf
-Eric
Please remember to rate all helpful posts.
10-18-2006 04:37 PM
If you configured the authentication server using a DNS name then this problem will occur. Configure the authentication server using an IP address instead of the DNS name as a workaround.
10-19-2006 05:00 AM
I did use IP address. See config above.
12-18-2006 10:06 PM
I added the option in the aaa-server group:
"reactivation-mode timed"
but it does not work!
When I restart one of the ACS servers, my ASA5520 gives me this information:
Server Address: 10.1.100.35
Server port: 1645(authentication), 1646(accounting)
Server status: FAILED, Server disabled at 09:53:57 BJ Tue Dec 19 2006
And the server never becomes active again!
Can you help me? Thanks.
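
A monitoring check for the situation in this thread, as an added example (not from any poster or from Cisco): it parses "show aaa-server" output for the Server Address / Server port / Server status lines quoted above and reports servers that are still FAILED well after the 30-second timed reactivation should have returned them to the pool. The sample output, the 90-second grace period and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample; field labels follow the output quoted in the thread.
SAMPLE = """\
Server Address: 172.25.4.20
Server port: 1812(authentication), 1813(accounting)
Server status: FAILED, Server disabled at 08:04:25 UTC Thu Oct 12 2006
Server Address: 172.25.4.40
Server port: 1812(authentication), 1813(accounting)
Server status: ACTIVE, Last transaction at 08:09:40 UTC Thu Oct 12 2006
"""

FIELD = re.compile(r"^\s*Server (Address|port|status):\s*(.+?)\s*$", re.I)
STAMP = re.compile(r"(\d\d:\d\d:\d\d) \S+ (\w{3} \w{3} +\d+ \d{4})")


def parse_aaa_servers(text):
    """Return one dict per 'Server Address' block in the CLI output."""
    servers = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "address":
            servers.append({"address": value, "status": None, "since": None})
        elif not servers:
            continue  # field seen before any address line; ignore it
        elif name == "port":
            servers[-1]["ports"] = [int(p) for p in re.findall(r"(\d+)\(", value)]
        else:
            servers[-1]["status"] = value.split(",")[0].upper()
            ts = STAMP.search(value)
            if ts:  # timezone token is dropped; times are device-local
                servers[-1]["since"] = datetime.strptime(
                    " ".join(ts.groups()), "%H:%M:%S %a %b %d %Y")
    return servers


# grace is an assumed margin on top of the 30-second timed reactivation.
def stuck_failed(servers, now, grace=timedelta(seconds=90)):
    """Addresses still FAILED longer than `grace` after being disabled."""
    return [s["address"] for s in servers
            if s["status"] == "FAILED"
            and (s["since"] is None or now - s["since"] > grace)]
```

Pass `now` in the device's local time, since the timezone token is not interpreted; a FAILED line with no parsable date is reported as stuck.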