3850 %RADIUS-4-RADIUS_DEAD: RADIUS server Message

Donald Wolfe
Level 1

Hi,

We have an issue where some of our 3850s will mark the configured RADIUS server as dead, and this causes the Service Policy on the switch to fail the port into open mode. Once the RADIUS server is available again the switch will not mark the server alive and return the port to authentication mode for the device. We are running CAT3K_CAA-UNIVERSALK9-M, Version 03.06.05E RELEASE SOFTWARE (fc2). Have any of you run into this issue before?

Thanks

11 Replies

Hello Donald,

What makes the RADIUS server reachable again? Is it randomly disconnecting?

Can you post the full config of the switch? Is the RADIUS server on a directly connected subnet?

Hi Georg,

When I remove it and add it back in, it is then reachable.

no radius server CTS-ISEPSNLBVIP01
!
!
radius server CTS-ISEPSNLBVIP01
 address ipv4 165.26.210.73 auth-port 1812 acct-port 1813


Hello,

The 'problem' RADIUS server is on the public Internet. When I traceroute, it resolves to:

pla-old.ecorp.cat.com [165.26.210.73]

It might just come down to reachability. What device is connected to the public Internet? What are the MTU settings? Can you post the configuration of that device as well?

Hi Georg,

That is correct. That is the client's RADIUS server. Are you wanting the config of the server?

Hello Donald,

The 3850 is not the device connected to the Internet. What device is? My idea was to check the configuration of that device in order to make sure that the connection to the RADIUS server on the public Internet becomes more stable...

Hi Georg,

Here is some more information on this issue:


The RADIUS servers are behind a load balancer in the Data Center. The VIP of the load balancer is what gets marked dead. We have multiple switches that have this same issue. All of them are 3850s. Once the VIP of the load balancer for the RADIUS servers is marked dead because of an intermittent connection issue, the switch should mark it back alive once the issue is resolved. But that does not happen.


When the RADIUS server becomes unavailable and is declared dead, the switch will mark it as dead for 3 hours ("radius-server deadtime 180"). You can tune this down to a value more suitable for the VIP outage times you are experiencing.

hth

Andy

Hi Andy,

If the RADIUS server becomes responsive prior to the 3 hours, will the switch still have it marked as "dead" until the dead timer expires? I am guessing that it doesn't even try to reach out to the server to see if it's alive once it's been marked as dead until the timer expires?

Hi Donald

Yes, the switch won't use the dead RADIUS server until the deadtime expires. See the link below for more details.

hth

Andy

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-731907.html

Hello,

I can't really see anything wrong with the config. You might want to try and add an automate-tester to the radius server:

radius server CTS-ISEPSNLBVIP01
 address ipv4 165.26.210.73 auth-port 1812 acct-port 1813
 automate-tester username testuser probe-on

This sends periodic test authentication messages to the RADIUS server.
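The two suggestions above (shortening the deadtime, and adding an automate-tester so a dead server is probed and returned to alive when it answers) combined into one configuration, as an added example that is not from the thread. The server name and address are the ones the original poster showed; the timers, the probe account name, the server-group name, and the policy-map class names are assumptions, and the shared secret is omitted as in the thread's partial config.

```cisco
! Added example (not from the thread). Server name and address are the
! poster's; timers, the "radius-probe" account, the "ISE" group name and
! the class names under the policy-map are assumptions.
!
! Declare the server dead only after 10 seconds of silence across at
! least 3 attempts, and keep it dead for 15 minutes rather than the
! 180 minutes (3 hours) discussed above.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
radius server CTS-ISEPSNLBVIP01
 address ipv4 165.26.210.73 auth-port 1812 acct-port 1813
 timeout 5
 retransmit 3
 ! Send a test Access-Request after 5 idle minutes. With probe-on the
 ! switch also probes a server it has marked dead and flips it back to
 ! alive as soon as a reply arrives, instead of waiting out the deadtime.
 ! Any RADIUS reply (Access-Accept or Access-Reject) counts as alive;
 ! only no reply counts as dead, so "radius-probe" needs no real access.
 automate-tester username radius-probe idle-time 5 probe-on
!
aaa group server radius ISE
 server name CTS-ISEPSNLBVIP01
 ! Per-group deadtime overrides the global value for this group.
 deadtime 15
!
! Port-side recovery for the IBNS 2.0 service policy the poster mentions:
! the dead-to-alive transition raises the aaa-available event, which
! is what moves a port out of open (critical-auth) mode. The class maps
! IN-CRITICAL-AUTH and NOT-IN-CRITICAL-AUTH are assumed to be defined
! elsewhere and are not shown.
policy-map type control subscriber DOT1X-MAB-POLICY
 event aaa-available match-all
  10 class IN-CRITICAL-AUTH do-until-failure
   10 clear-session
  20 class NOT-IN-CRITICAL-AUTH do-until-failure
   10 resume reauthentication
!
! Verify the server state, dead counters and last probe result:
!   show aaa servers
!   show radius server-group all
```

Without probe-on, the only thing that returns a dead server to service is the deadtime expiring; with it, the test Access-Request is the check the poster was asking about, and the deadtime becomes a ceiling rather than the recovery mechanism. Keep the probe interval short enough that a recovered VIP is noticed before users notice the open ports, but not so short that the probes add noticeable load to the load balancer.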

Matteo Comisso
Level 1
Hi Donald,
Did you find a solution?

Thanks,
Matteo