03-22-2002 12:43 PM - edited 02-21-2020 09:59 AM
Hopefully someone has heard of this...
I have a customer with a PIX 520 (with 6.1(1)), which does AAA (Authentication, Authorization, Accounting) with CiscoSecure ACS/NT to authorize users to access the internet from inside the firewall. From time to time, the PIX stops displaying the pop-up login box for users wishing to authenticate to access the internet. Users who are already authorized see no trouble, and statically permitted devices don't have any problem passing through the firewall either.
On the occasions when this has happened, we have restarted the ACS server, taken the primary offline so the PIX would access the backup, restarted both ACS servers, etc. None of this helps restore service. The ONLY thing that we've done to restore service is to actually RELOAD the PIX. When we reload, the PIX immediately takes off and runs like a charm.
Perhaps some of you could help me determine some additional steps to take, and some things to look at while it is failing. I'm inclined to upgrade to 6.1(2) or 6.1(3), but I don't see any specific caveats that cover this.
TAC hasn't been able to help much, because I can't really give them any good information, other than a description of the problem. Let me know if you have any good ideas... Thanks!
03-22-2002 01:40 PM
Are you using an access list to define what traffic should be authorized, or are you using the old 'aaa authorization include . . .' command?
03-23-2002 09:59 AM
I'm using the 'aaa authorization include . . .' command. I'd like to switch, but I haven't really found a good example of how to use access lists in the PIX.
Perhaps I will make this question a separate conversation... Thanks!
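An added example, not taken from any post in this thread, of the access-list form of PIX 6.x cut-through proxy authentication that the previous reply refers to. The server address, shared key, network range, interface names and ACL name are assumed placeholders; the 'match' form of 'aaa authorization' is also assumed to be available on your release, so check the command reference before using it.

```text
! Added example (not from this thread): access-list driven cut-through
! authentication on PIX 6.x, replacing the 'aaa authentication include' form.
! Server address, key, interface names, network range and ACL name are assumed.
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.10 ExampleSharedKey timeout 10

! Only web traffic from the inside network triggers the login prompt;
! everything else is handled by the normal access rules.
access-list auth_inside permit tcp 10.1.0.0 255.255.0.0 any eq www
access-list auth_inside permit tcp 10.1.0.0 255.255.0.0 any eq 443

! Authenticate sessions that match the ACL on the inside interface.
aaa authentication match auth_inside inside TACACS+
! Authorization in the same style (assumed to be supported on your release).
aaa authorization match auth_inside inside TACACS+

! Old form this replaces, shown for comparison only; do not configure both:
! aaa authentication include http inside 0 0 0 0 TACACS+
```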
03-23-2002 07:38 AM
This sounds suspiciously like bug CSCdw01653.
DESCRIPTION:
When doing authentication on the PIX for users passing through the PIX, the possibility exists that the PIX will run out of internal user objects, causing the PIX to stop prompting for authentication. Users that have already been authenticated will work fine, as will all existing connections. Only new un-authenticated users will have problems authenticating.
WORKAROUND:
Reboot the PIX.
This bug has been fixed in 6.1.1(106). It is not fixed in 6.1(2) or 6.1(3). It will be fixed in 6.1(4). If troubleshooting reveals that you are running into this bug and you can't wait for 6.1(4), then contact the TAC for the engineering build 6.1.1(106).
HTH
Jeff