Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2287
Views
0
Helpful
4
Replies

TACACS+ Authentication Fails on ACS 5.3 - 24495 Active Directory Servers are not available

andrew-hunt
Level 1
Level 1

‎02-20-2014 03:28 AM - edited ‎03-10-2019 09:25 PM

We have a four-node ACS deployment and one node is experiencing problems when handling TACACS authentications.

ACS shows "24495 Active Directory Servers are not available"

The ACS log via SSH shows:

Feb 20 03:01:29 DRACS adclient[10643]: WARN <fd:29 CAPIAuthValidatePlainTextUser > audit User 'AHunt' not authenticated: AD was unavailable for Kerberos authentication, and validation against cached hash failed: No user hash in cache for [domain]\ahunt

We're running ACS 5.3 with patch 9

The two scenarios in http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html#err24495 do not seem to be relevant in our case.

ACS shows it is joined to the domain and doing nslookup via SSH lists all the domain controllers.  The other three nodes in the deployment don't have an issue and work correctly.

Any advice or suggestions appreciated.

Thanks,

Andrew.

Labels:
0 Helpful
4 Replies 4

Naveen Kumar
Level 4
Level 4

‎02-25-2014 12:21 AM

Check the ACSADAgent.log file through the CLI of the ACS 5.x for messages such as:Mar 11 00:06:06 xlpacs01 adclient[30401]: INFO base.bind.healing Lost connection to xxxxxxxx. Running in disconnected mode: unlatch. If you see the Running in disconnected mode: unlatch error message, this means the ACS 5.3 cannot maintain a stable connection with Active Directory. The workaround is to either switch to LDAP or downgrade the ACS to 5.2 version. Refer to Cisco bug ID

CSCtx71254

(registered customers only) for more information.

0 Helpful

andrew-hunt
Level 1
Level 1
In response to Naveen Kumar

‎02-25-2014 02:50 AM

Thanks for the post but this is not our issue.  We don't see that output in the log.  The output is:

Feb 25 02:46:02 DRACS adclient[10643]: WARN  <25 capiauthvalidateplaintextuser=""> audit User 'AHunt' not authenticated: AD was unavailable for Kerberos authentication, and validation against cached hash failed: No user hash in cache for lw\ahunt

This seems awfully like our issue:

http://community.centrify.com/t5/DirectControl-Express-for-UNIX/Maually-specified-DC-s-because-No-DNS-having-issues/td-p/8934

Any thoughts?  Thanks!


Andrew.

0 Helpful

Aishwarya Srivastava
Cisco Employee
Cisco Employee
In response to andrew-hunt

‎02-25-2014 03:40 AM 

Have you condigured NTP server in the ACS?
It seems like there is synchronization problem between ntpd and the ntp server.
Please try to reconfigure the NTP server ( if t is there) and test again.
0 Helpful

andrew-hunt
Level 1
Level 1
In response to Aishwarya Srivastava

‎02-25-2014 04:05 AM

Yes, NTP is fine.  This is a four-node ACS deployment and everything was working fine until recently.  However, the issue is actually now fixed.

I issued debug-adclient enable from which I was able to see that the ACS instance was connecting to a DC in Singapore (the ACS box is in California) which led me to assume that the subnet wasn't associated with the correct AD site.  I added the subnet to AD Sites and Services, waited for replication, and then restarted ACS.  It is now associated with the correct local DC and working correctly.  I assume the problem was caused by high latency / timeouts.

Thanks for your help and suggestions.

0 Helpful
Customers Also Viewed These Support Documents