Single server AAA server-group selected whose "host" is a load-balanced domain name

AlexFer
Level 1

ASA 9.8(4)20...

I've configured the aaa-server object as:

aaa-server ActiveDirectory protocol ldap
aaa-server ActiveDirectory (outside) host ad.obfuscated.edu.au

:

Authentication & authorisation work fine.

The problem is... it seems that the ASA selects only the first address from the resolved "ad.obfuscated.edu.au" (which is configured by LDNS to resolve to a set of multiple addresses, as well as being load-balanced - round-robin of the first entry of the resolved set). This is seemingly confirmed - see "Server Address:" showing only one IP address:

test-asa# show aaa-server ActiveDirectory
Server Group: ActiveDirectory
Server Protocol: ldap
Server Hostname: ad.obfuscated.edu.au
Server Address: 10.obfuscated.0.15
Server port: 0
Server status: ACTIVE, Last transaction at unknown
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 294
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 288
Number of rejects 0
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0


Note that "ad.obfuscated.edu.au" is not a DNS cache entry:

test-asa# show dns-hosts 

test-asa#

So (I presume) it is not subject to "dns expire-entry-timer".

My questions: what happens when the AAA server referred to by the first DNS-resolved entry fails? Will the ASA ever use the next resolved entry in the set to authenticate/authorise against, or will it continue to fail until the domain name's TTL expires and, hopefully, the first entry in the next resolved set is not that of the failed AAA server?

R's, Alex


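As an added example that is not part of the original post (and is not Cisco tooling), a small Python check for the failure mode Alex describes: it parses the "show aaa-server" output, resolves the configured name, and reports whether the single address the ASA is pinned to is still in the load-balanced answer set, plus which other addresses could be added as explicit host entries so the group no longer depends on one DNS answer. The sample output, the 10.0.0.15 address and the stub resolver used in the test are constructed; `parse_show_aaa_server` and `check_pinned_address` are names assumed here.

```python
import re
import socket
from typing import Callable, Iterable

# Constructed sample modelled on the 'show aaa-server' output in the post;
# the address is a placeholder, not a real server.
SAMPLE_SHOW_OUTPUT = """\
Server Group: ActiveDirectory
Server Protocol: ldap
Server Hostname: ad.obfuscated.edu.au
Server Address: 10.0.0.15
Server port: 0
Server status: ACTIVE, Last transaction at unknown
"""

FIELDS = ("Server Group", "Server Protocol", "Server Hostname",
          "Server Address", "Server status")

def parse_show_aaa_server(text: str) -> dict:
    """Pull the fields this check needs out of 'show aaa-server <group>'."""
    fields = {}
    for key in FIELDS:
        m = re.search(rf"^{re.escape(key)}:\s*(.+?)\s*$", text, re.MULTILINE)
        fields[key] = m.group(1) if m else None
    return fields

def resolve_all(name: str) -> list:
    """Live resolver: every IPv4 address the name currently returns."""
    answers = socket.getaddrinfo(name, None, socket.AF_INET)
    return sorted({info[4][0] for info in answers})

def check_pinned_address(show_output: str,
                         resolve: Callable[[str], Iterable[str]] = resolve_all) -> dict:
    """Compare the address the ASA is pinned to with the name's current answer set.

    pinned_still_advertised=False means the cached server has dropped out of
    the load-balanced record (failed or withdrawn) while the ASA keeps using it;
    'alternates' are the addresses worth adding as explicit host entries."""
    f = parse_show_aaa_server(show_output)
    hostname, pinned = f["Server Hostname"], f["Server Address"]
    # A literal IP host entry never goes through DNS, so there is nothing to check.
    if hostname is None or re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", hostname):
        return {"hostname": hostname, "pinned": pinned, "dns_backed": False,
                "pinned_still_advertised": None, "alternates": []}
    current = list(resolve(hostname))
    return {"hostname": hostname, "pinned": pinned, "dns_backed": True,
            "pinned_still_advertised": pinned in current,
            "alternates": [a for a in current if a != pinned]}
```

Run it against the real output of "show aaa-server <group>" with the default live resolver; a False `pinned_still_advertised` is the condition to alert on.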