
ASA can reactivate RADIUS server in AAA group

jewfcb001
Level 4

Hi All,

I am trying to test ASA authentication with a RADIUS server. In the AAA group we have 2 RADIUS servers. If the first RADIUS server fails, the ASA will authenticate with the second RADIUS server, but if the first RADIUS server comes back, the ASA does not go back to authenticating with the first RADIUS server.

I see in the documentation the command "reactivation-mode {depletion [deadtime minutes] | timed}". I'm not sure whether I have to wait 10 minutes or not for the ASA to go back to the first RADIUS server. Please advise me.


11 Replies

UdupiKrishna
Cisco Employee

By definition, when in depletion mode a failed server is activated only when all the other servers in the group fail/become inactive. You need to set the dead time interval if depletion mode is selected.

E.g. if the 1st server is considered inactive, requests go to the 2nd server. Unless and until the 2nd server is considered inactive, the 1st server is never re-activated.

 

If you select timed instead, an inactive server is automatically reactivated after 30 seconds.

@UdupiKrishna 

Do you mean I don't need to change the configuration on the ASA, because the ASA will automatically reactivate the AAA server after 30 seconds?

My understanding is: if the 1st server fails, the ASA goes to the 2nd server, and after 30 seconds, if the 1st server is online, the ASA will automatically go back to the 1st server, but if the 1st server has not come back it goes to the 2nd server. Is my understanding correct?

Partially. If the reactivation mode is set to depletion, it won't reactivate an inactive server unless all servers within the AAA/RADIUS group are inactive.

However if you set the reactivation mode to timed, an inactive server is automatically reactivated after 30 secs.

 

I see in the configuration guide that the default configuration is set to 10 minutes. In this case, do I have to wait for the 2nd server to fail before the 1st server comes back,

or is it not necessary for the 2nd server to fail and the ASA goes back to the 1st server automatically? Because when I test, the ASA still goes to the 2nd server and does not change.

[Image: 13.JPG]

When in depletion mode and as highlighted in the image, it will not go back or reactivate the 1st inactive server unless the 2nd server is also considered inactive.

@UdupiKrishna 

Thank you for your answer. As you mention, is this the behaviour of the ASA or not? Do you have a solution so that the ASA goes to the 1st server if the 1st server is active?

This is an expected behaviour.

 

ASA doesn't have a mechanism to poll and check a server's status and make a decision to change its status.

If you set the reactivation mode to "timed" instead of "depletion" it can automatically reactivate a server; however, if the reactivated server is still down/not functioning at that point in time, there may be an increased delay in authentication.

 

Depletion mode is generally recommended to avoid such delays. You can always manually activate an inactive server once it's confirmed to be functioning and ready to accept authentication requests.

e.g. command

aaa-server <radius-server group name> active host <server IP>

@UdupiKrishna 

Thank you for your answer and advice. Oh! I just understood that reactivation has 2 modes, "timed" and "depletion".

And as you mention below: if at that point the 1st server fails, will the ASA go to the 2nd server or not?

if the reactivated server is still down/not functioning at that point in time, there may be an increased delay in authentication.

Happy to help!!

If the reactivation mode is depletion and the 1st server fails, the ASA will automatically send authentication requests to the 2nd server. The 1st server is "not" activated until the 2nd server fails (you can manually activate an inactive server).

If the reactivation mode is timed and the 1st server fails, the ASA will automatically send authentication requests to the 2nd server. The ASA will also re-activate the 1st server after 30 secs, but this can cause delays if the failed server hasn't recovered.

 

Do rate helpful posts

@UdupiKrishna 

Thank you for response.

If the reactivation mode is depletion and the 1st server fails, the ASA will automatically send authentication requests to the 2nd server. The 1st server is "not" activated until the 2nd server fails (you can manually activate an inactive server).

By the way, I see in the document about depletion mode. Will the ASA re-enable it after 10 minutes?

The 10 min dead time interval applies after the 2nd or last server in the group fails, and is the time it waits before activating all the servers again.
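As an added example (not posted by anyone in this thread), an ASA configuration fragment that puts the two modes discussed above side by side, together with the status check and the manual reactivation command from the accepted answer. The group name RADIUS-GRP, the interface, the 192.0.2.x addresses, the shared secret and the test credentials are placeholders.

```text
! Constructed example: one RADIUS group with two servers (names/addresses are placeholders)
aaa-server RADIUS-GRP protocol radius
 max-failed-attempts 3
 ! Depletion mode (the default): a failed server stays inactive until every server
 ! in the group has failed; the dead time is then how long the ASA waits before it
 ! reactivates all of them together. 10 minutes is the default dead time.
 reactivation-mode depletion deadtime 10
aaa-server RADIUS-GRP (inside) host 192.0.2.10
 key <shared-secret>
aaa-server RADIUS-GRP (inside) host 192.0.2.11
 key <shared-secret>

! Alternative: timed mode reactivates an inactive server automatically after 30 s,
! at the cost of extra delay on the next request if that server is still down.
aaa-server RADIUS-GRP protocol radius
 reactivation-mode timed

! See which server is active or failed and the failure counters behind that state
show aaa-server RADIUS-GRP

! Confirm the first server really answers before putting it back (depletion mode),
! so a blind reactivation does not reintroduce the delay; credentials are placeholders
test aaa-server authentication RADIUS-GRP host 192.0.2.10 username testuser password <pw>

! Manually return the recovered server to the active state
aaa-server RADIUS-GRP active host 192.0.2.10
```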
