Secure ACS Intermittent

jpl861
Level 4

Hi,

We are using Cisco Secure ACS and for the past week, our switch and router logins are really really intermittent. Most of the time, even if we are into the console already and issue a command, "authorization failed" will appear; then just keep pressing up and enter and the command will be accepted. Any idea why this is happening? Thank you very much.

28 Replies

Hi,

thanks for your thoughts.

How many tacacs sessions can acs handle?

John,

ACS Solution Engine will not reply to ping if CSA Agent is enabled. (System Configuration->Appliance Configuration)

Increasing timeout is not always the answer but is a good first step in identifying the problem.

We could be experiencing a delay from the external db or even from the remote logging facility. All these and more would contribute to a delay in authentication.

ACS running out of threads is not a common thing and not seen often.

Auth.log would be a very good place to look for problems.

Regards,

Vivek

Vivek,

our test-switch is now configured with:

tacacs-server host [ip] single-connection

we're testing the following way:

- log in

- send a cmd (for example: show tacacs)

with "single-connection" on, we have to send a command very often to reproduce the queue and the "authorisation failed"-message - without "single-connection" it was worse.

now we're comparing the number of requests in auth.log with the number of commands that the aaa client sent. it seems to us that there are no dropped requests in auth.log - just "Start RQ****" and "Done RQ****".

we'll keep you posted.
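A way to do that comparison on the auth.log side, added here as an example and not code from the thread or from ACS: it pairs the "Start RQ" / "Done RQ" request ids, counts how many were open at once, and flags commands the log never saw. Only the "Start RQ" and "Done RQ" tokens come from the thread; the rest of the sample line layout, the function names and the MaxSessions default are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape the thread describes; timestamp, "client" and "status" fields are assumed.
SAMPLE_AUTH_LOG = """\
10:15:01 Start RQ1001, client 3 (10.1.1.10)
10:15:01 Done RQ1001, client 3, status 1
10:15:02 Start RQ1002, client 3 (10.1.1.10)
10:15:02 Start RQ1003, client 3 (10.1.1.10)
10:15:03 Done RQ1003, client 3, status 1
"""

RQ_RE = re.compile(r"\b(Start|Done) RQ(\d+)\b")  # only the tokens the thread quotes

@dataclass
class RqSummary:
    started: int = 0
    done: int = 0
    peak_in_flight: int = 0          # most request ids open at the same moment
    outstanding: list = field(default_factory=list)  # started but never Done

def summarize_auth_log(text: str) -> RqSummary:
    """Pair Start/Done request ids and track how many were open at once."""
    open_ids: set = set()
    s = RqSummary()
    for line in text.splitlines():
        m = RQ_RE.search(line)
        if not m:
            continue                 # not a request line; ignore it
        kind, rq = m.group(1), int(m.group(2))
        if kind == "Start":
            s.started += 1
            open_ids.add(rq)
            s.peak_in_flight = max(s.peak_in_flight, len(open_ids))
        else:
            s.done += 1
            open_ids.discard(rq)     # a Done with no Start is simply ignored
    s.outstanding = sorted(open_ids)
    return s

def check_against_commands(s: RqSummary, commands_sent: int, max_sessions: int = 40) -> list:
    """Flag commands that never reached ACS, unfinished requests, and concurrency at the session cap."""
    findings = []
    if s.started < commands_sent:
        findings.append(f"{commands_sent - s.started} command(s) never reached ACS")
    if s.outstanding:
        findings.append(f"unfinished requests: {s.outstanding}")
    if s.peak_in_flight >= max_sessions:
        findings.append(f"peak in-flight {s.peak_in_flight} reached MaxSessions={max_sessions}")
    return findings
```

The max_sessions default of 40 is the value a later reply in this thread reports as the registry default; pass whatever your ACS is actually configured with.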

Hi,

I would suggest setting the Log level to full (system configuration->Service control) while testing.

Regards,

Vivek

Hi Vivek,

our log level was, and still is, set to full.

Hi,

how many single-connections does an acs server handle?

Is there a limit? If so, could this limit be configured?

Can the active single-connections be monitored (how many open connections at a/one time?)

Is it possible to shut down active single-connections?

Hi,

Tacacs single connections are taken from the total available (which is around 50). The limit can be changed if a TAC case is opened.

Active single connections cannot be "monitored" but auth.log will give an indication of open threads.

Active connections will be closed by Aaa client as per normal operation but abnormally we will have to restart the services.

Regards,

Vivek

Hi Vivek,

we created a TAC.

Hi Vivek,

the generated TAC has been rejected because our current contracts don't include support for ACS.

It needs a while to include this service to our contracts - what's the fastest way to get support for ACS now?

Thanks.

Hi,

I believe your AM/SE can help you out there. Since you are using ACS 4.x only TAC can help. If it was 3.x I could have helped here.

Regards,

Vivek

Hi Vivek,

we disabled all unnecessary logging. After that we couldn't reproduce the errors. Our colleagues are currently testing and will inform us if the error occurs again.

Our server has never had and still has no performance problems. Any idea which daemon makes so much trouble?

For now we leave the detailed logging off. We'll put it back on only if we have to (in case of any other error or problem).

Hi,

Slow authentication response from ACS will be due to CSAuth and CsTacacs/CsRadius.

Regards,

Vivek

Hi Vivek,

We are using ACS 3.3 appliance. Is there a way to increase the maximum session? Because we are still encountering the problem. We already enabled CSAgent. We can now ping the ACS appliance and we don't encounter any dropped packets. Sometimes, if we try to login to the webpage, we are getting protocol error message and we still have to wait until it's accessible.

Please help. Thanks.

hi,

with acs 3.1 we had the problem that we reached the maximum of 40 single connections! (Message in the package.cab: "maximum 40 single connection are busy")

we increased the maximum "MaxSessions" in the Registry from 40 (hex 28) to 200 (hex C8).

Look at

[HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.1\CSTacacs]
"BaseDir"="\\CSTacacs"
"Version"="3.1(1.27)"
"Port"=dword:00000031
"PacketSize"=dword:00000400
"MaxSessions"=dword:00000028
"LocalSecret"="secret_value"
"SingleConnect"=dword:00000001
"ProxyOn"=dword:00000001
"ProxyRetries"=dword:00000001
"ChPassEnabled"=dword:00000000
"ChPassFastReplicate"=dword:00000000
"CHPassDisabledMessage"="Chpass is currently disabled."
"PackDump"=dword:00000001

regards

alex