Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2010
Views
5
Helpful
9
Replies

FTD Failed RADIUS question

Go to solution
brettp
Level 1
Level 1

‎05-03-2022 09:30 AM

Hello,

 

I am setting up a RADIUS server group for remote access VPN users. Everything is working fine, mostly, however I had question. What is the default behavior of the FTD for a failed RADIUS server? I can not find any information online. Basically, we have a primary and secondary RADIUS server... so that's two servers in the group. In my testing, I stopped the service on the primary server (on the actual Windows server) and the FTD started using the secondary as planned. However, when I re-enabled the primary server (by starting the service on the Windows server,) it continued using the secondary. I assume this is because the primary was marked "failed" on the FTD... though I didn't run any commands to check as the FTD is completely new to me, I hadn't thought of it. I checked all sorts of places on the FTD (via FMC) for how to configure the behavior but couldn't find anything. Is there no way for the FTD to automatically attempt to reconnect to the primary RADIUS server after some point in time or at least with some kind of manual intervention? Is there some kind of default timer the server is marked failed before it tries again? Any info is appreciated.

 

Thanks

Chris

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to brettp

‎05-03-2022 10:15 AM

@brettp although I've found no confirmation in the documentation, my understanding is there is no preemption.

If the first AAA is marked as down/dead for any reason, the next AAA server is used as the active server. If the first AAA server comes back online, this is not used until the current active is marked down/dead.

View solution in original post

Go to solution
MHM Cisco World
VIP
VIP

‎05-03-2022 12:13 PM

""Dead Time—Failed servers are reactivated only after all servers have failed. The dead time is how long to wait, from 0 - 1440 minutes, after the last server fails before reactivating all servers. The default is 10 minutes.""

 

""If external authentication has been working, but has stopped working, consider the possibility that all servers are in the dead time. When all the RADIUS servers within a group have failed, the dead time is the number of minutes the system waits before trying the first server again. The default is 10 minutes, but you can configure as long as 1440 minutes.""

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/fdm/fptd-fdm-config-guide-630/fptd-fdm-identity-sources.html

View solution in original post

0 Helpful
9 Replies 9

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎05-03-2022 09:42 AM - edited ‎05-03-2022 09:43 AM

There may be something wrong, when the first server in the order come online and working, FTD should able to use that server.

 

as you mentioned it show still Failed, then it was not meet the requirement (until FTD see as live it will not send any request to taht server).

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
brettp
Level 1
Level 1
In response to balaji.bandi

‎05-03-2022 09:54 AM

I did not confirm the first server was failed... I just assumed it was since I manually disabled the service. I assumed once the first server in the list came back online, the FTD would start using it, but that was not the case even though nothing was wrong per se. Is that for sure the default behavior of the FTD, because I know earlier ASA code, that was not the default behavior. In testing, when the FTD was not using the first server, I removed the second server from the AAA group, deployed the change, and then the FTD started using the first server without issue. Can this be a bug?

0 Helpful

Go to solution
brettp
Level 1
Level 1
In response to balaji.bandi

‎05-03-2022 10:01 AM

I assumed once the first server in the list came back online, the FTD would start using it, but that was not the case even though nothing was wrong. Is that for sure the default behavior of the FTD, because I know earlier ASA code, that was not the default behavior. In testing, when the FTD was not using the first server, I removed the second server from the AAA group, deployed the change, and then the FTD started using the first server without issue. Can this be a bug?
0 Helpful

Go to solution
brettp
Level 1
Level 1

‎05-03-2022 10:01 AM

I assumed once the first server in the list came back online, the FTD would start using it, but that was not the case even though nothing was wrong. Is that for sure the default behavior of the FTD, because I know earlier ASA code, that was not the default behavior. In testing, when the FTD was not using the first server, I removed the second server from the AAA group, deployed the change, and then the FTD started using the first server without issue. Can this be a bug?
0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to brettp

‎05-03-2022 10:15 AM

@brettp although I've found no confirmation in the documentation, my understanding is there is no preemption.

If the first AAA is marked as down/dead for any reason, the next AAA server is used as the active server. If the first AAA server comes back online, this is not used until the current active is marked down/dead.

Go to solution
brettp
Level 1
Level 1
In response to Rob Ingram

‎05-03-2022 11:08 AM

@Rob Ingram This is the indeed the behavior I was asking about. Is there no way to configure the FTD to automatically start using the first server when it becomes available again? Or is there a manual way of doing it (other than removing the second server?) 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎05-03-2022 12:13 PM

""Dead Time—Failed servers are reactivated only after all servers have failed. The dead time is how long to wait, from 0 - 1440 minutes, after the last server fails before reactivating all servers. The default is 10 minutes.""

 

""If external authentication has been working, but has stopped working, consider the possibility that all servers are in the dead time. When all the RADIUS servers within a group have failed, the dead time is the number of minutes the system waits before trying the first server again. The default is 10 minutes, but you can configure as long as 1440 minutes.""

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/fdm/fptd-fdm-config-guide-630/fptd-fdm-identity-sources.html

0 Helpful

Go to solution
Peter Koltl
Level 7
Level 7

‎05-04-2022 12:49 AM

Depletion mode and timed mode are not available in FMC GUI but you can try setting it from FlexConfig.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/aaa-radius.html#ID-2113-00000920

0 Helpful

Go to solution
brettp
Level 1
Level 1
In response to Peter Koltl

‎05-04-2022 05:29 AM

Thank you for the information. Just an FYI, I can't confirm if this is available or not on the FTD as I haven't tried but I'm just going to go with the default behavior. My issue is only temporary at the moment but when the hardware is put into production it really shouldn't matter. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card