Core issue
When the ASA is configured with two ACS servers and both are active, the ASA reports the primary as failed and sends accounting logs for wireless users who use EAP-FAST to the secondary ACS server.
Resolution
Complete these steps in order to resolve this issue:
- Set the reactivation mode to timed on the ASA with these commands:
hostname(config)# aaa-server RADIUS protocol radius
hostname(config-aaa-server)# reactivation-mode timed
In timed mode, failed servers are reactivated after 30 seconds of downtime. This is useful when customers use the first server in a server list as the primary server and prefer that it is online whenever possible. This policy breaks down in the case of UDP servers. Because a connection to a UDP server does not fail, even if the server is not present, UDP servers are put back online blindly. This can lead to slowed connection times or connection failures if a server list contains multiple servers that are not reachable.
Accounting server groups that have simultaneous accounting enabled are forced to use the timed mode. This implies that all servers in a given list are equivalent.
- From the AP GUI, choose Security > Server Manager. For RADIUS Accounting, configure the primary and secondary servers as Priority 1 and Priority 2, respectively.
- Go to the service set identifier (SSID), and check Accounting.
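The ASA side of the procedure above, written out as a complete server group. This is an added example, not configuration from the original document. The interface name (inside), the host addresses (documentation range 192.0.2.0/24), and the key placeholder are assumptions; only the group name RADIUS and reactivation-mode timed come from the steps above.

```text
! Server group from the resolution step. Timed mode puts a failed
! server back in rotation after 30 seconds of downtime.
aaa-server RADIUS protocol radius
 reactivation-mode timed
 ! Consecutive failures before a server is marked failed
 ! (value shown is an assumption; tune for your environment).
 max-failed-attempts 3
!
! Primary ACS server: first in the list, so it is tried first
! whenever it is active. Address and interface are constructed.
aaa-server RADIUS (inside) host 192.0.2.10
 key <shared-secret>
!
! Secondary ACS server: used only while the primary is marked failed.
aaa-server RADIUS (inside) host 192.0.2.11
 key <shared-secret>
!
! Verification from privileged EXEC mode:
!   show running-config aaa-server   (confirm reactivation-mode timed)
!   show aaa-server                  (check that the primary's status
!                                     returns to ACTIVE after a failure
!                                     instead of staying FAILED)
```

Because timed mode reactivates UDP servers without testing them, keep only reachable servers in the group; an unreachable entry near the top of the list is retried after every reactivation and delays each request that reaches it.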