02-15-2007 12:33 AM - edited 03-10-2019 02:59 PM
Hi,
We are using Cisco Secure ACS and for the past week, our switch and router logins are really, really intermittent. Most of the time, even if we are into the console already and issue a command, "authorization failed" will appear; then we just keep pressing up and enter and the command will be accepted. Any idea why this is happening? Thank you very much.
02-22-2007 05:48 AM
Hi,
thanks for your thoughts.
How many tacacs sessions can acs handle?
02-22-2007 06:03 AM
John,
ACS Solution Engine will not reply to ping if CSA Agent is enabled. (System Configuration->Appliance Configuration)
Increasing timeout is not always the answer but is a good first step in identifying the problem.
We could be experiencing a delay from the external db or even from the remote logging facility. All these and more would contribute to a delay in authentication.
ACS running out of threads is not a common thing and not seen often.
Auth.log would be a very good place to look for problems.
Regards,
Vivek
02-22-2007 06:25 AM
Vivek,
our test-switch is now configured with:
tacacs-server host [ip] single-connection
we're testing the following way:
- log in
- send a cmd (for example: show tacacs)
with "single-connection" on, we have to send commands very often to reproduce the queue and the "authorisation failed" message - without "single-connection" it was worse.
now we're comparing the number of requests in auth.log with the number of commands that the aaa client sent. it seems to us that there are no dropped requests in auth.log - just "Start RQ****" and "Done RQ****".
we'll keep you posted.
02-22-2007 06:37 AM
Hi,
I would suggest setting the Log level to full (system configuration->Service control) while testing.
Regards,
Vivek
02-23-2007 01:53 AM
Hi Vivek,
our log level was, and still is, set to full.
02-23-2007 02:32 AM
Hi,
how many single-connections does an ACS server handle?
Is there a limit? If so, could this limit be configured?
Can the active single-connections be monitored (how many open connections at a/one time?)
Is it possible to shut down active single-connections?
02-23-2007 03:54 AM
Hi,
Tacacs single connections are taken from the total available (which is around 50). The limit can be changed if a TAC case is opened.
Active single connections cannot be "monitored" but auth.log will give an indication of open threads.
Active connections will be closed by the AAA client as per normal operation, but in abnormal cases we will have to restart the services.
Regards,
Vivek
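The posts above compare "Start RQ****" and "Done RQ****" entries in auth.log against the commands the AAA client sent, and Vivek notes that auth.log is the only indication of how many threads are open. The script below is an added example (not from the thread or from Cisco) that pairs Start/Done markers per request id, reports requests that never completed, and tracks the peak number of simultaneously open requests so it can be compared with the MaxSessions limit; the timestamp layout of the constructed sample lines is an assumption, only the "Start RQ<id>" / "Done RQ<id>" markers quoted in the thread are relied on.

```python
import re

# Only the markers quoted in the thread are matched; the rest of the line is ignored.
START_RE = re.compile(r"\bStart RQ(\d+)")
DONE_RE = re.compile(r"\bDone RQ(\d+)")

# Constructed sample auth.log excerpt (timestamp format is assumed, not Cisco's).
SAMPLE_AUTH_LOG = """\
02/22/2007 06:10:01 Start RQ1001
02/22/2007 06:10:01 Done RQ1001
02/22/2007 06:10:02 Start RQ1002
02/22/2007 06:10:02 Start RQ1003
02/22/2007 06:10:03 Done RQ1003
02/22/2007 06:10:04 Start RQ1004
02/22/2007 06:10:05 Done RQ1005
"""


def analyze_auth_log(text, max_sessions=40):
    """Pair Start/Done markers by request id and track open requests.

    max_sessions defaults to the 40-session CSTacacs limit mentioned later
    in the thread; at_limit flags whether the log ever reached it.
    """
    open_ids = set()          # request ids started but not yet done
    started = done = 0
    peak_open = 0             # highest number of concurrently open requests
    done_without_start = []   # Done seen for an id with no prior Start
    for line in text.splitlines():
        m = START_RE.search(line)
        if m:
            started += 1
            open_ids.add(m.group(1))
            peak_open = max(peak_open, len(open_ids))
            continue
        m = DONE_RE.search(line)
        if m:
            done += 1
            rid = m.group(1)
            if rid in open_ids:
                open_ids.discard(rid)
            else:
                done_without_start.append(rid)
    return {
        "started": started,
        "done": done,
        "peak_open": peak_open,
        "still_open": sorted(open_ids),
        "done_without_start": done_without_start,
        "at_limit": peak_open >= max_sessions,
    }


if __name__ == "__main__":
    for key, value in analyze_auth_log(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```

Requests listed under still_open at the end of a real log, or a peak_open close to MaxSessions, are what the thread's "queue" and "authorisation failed" symptoms would look like in auth.log.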
02-23-2007 05:06 AM
Hi Vivek,
we created a TAC.
02-25-2007 11:42 PM
Hi Vivek,
the generated TAC has been rejected because our current contracts don't include support for ACS.
It will take a while to add this service to our contracts - what's the fastest way to get support for ACS now?
Thanks.
02-26-2007 02:48 AM
Hi,
I believe your AM/SE can help you out there. Since you are using ACS 4.x only TAC can help. If it was 3.x I could have helped here.
Regards,
Vivek
02-26-2007 06:58 AM
Hi Vivek,
we disabled all unnecessary logging. After that we couldn't reproduce the errors. Our colleagues are currently testing and will inform us if the error occurs again.
Our server has never had and still has no performance problems. Any idea which daemon makes so much trouble?
For now we leave the detailed logging off. We'll put it back on only if we have to (in case of any other error or problem).
02-26-2007 09:10 AM
Hi,
Slow authentication response from ACS will be due to CSAuth and CsTacacs/CsRadius.
Regards,
Vivek
02-27-2007 08:00 PM
Hi Vivek,
We are using the ACS 3.3 appliance. Is there a way to increase the maximum sessions? Because we are still encountering the problem. We already enabled CSAgent. We can now ping the ACS appliance and we don't encounter any dropped packets. Sometimes, if we try to log in to the web page, we get a protocol error message and we still have to wait until it's accessible.
Please help. Thanks.
02-26-2007 10:14 AM
hi,
with ACS 3.1 we had the problem that we reached the maximum of 40 single connections! (Message in the package.cab: "maximum 40 single connection are busy")
we increased the maximum "MaxSessions" in the Registry from 40 (hex 28) to 200 (hex C8)
Look at
[HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.1\CSTacacs]
"BaseDir"="\\CSTacacs"
"Version"="3.1(1.27)"
"Port"=dword:00000031
"PacketSize"=dword:00000400
"MaxSessions"=dword:00000028
"LocalSecret"="secret_value"
"SingleConnect"=dword:00000001
"ProxyOn"=dword:00000001
"ProxyRetries"=dword:00000001
"ChPassEnabled"=dword:00000000
"ChPassFastReplicate"=dword:00000000
"CHPassDisabledMessage"="Chpass is currently disabled."
"PackDump"=dword:00000001
regards
alex