02-03-2017 12:22 PM - edited 03-08-2019 09:10 AM
Hi,
We have an issue where some of our 3850s will mark the configured RADIUS server as dead, and this causes the Service Policy on the switch to fail the port into open mode. Once the RADIUS server is available again, the switch will not mark the server alive and return the port to authentication mode for devices. We are running (CAT3K_CAA-UNIVERSALK9-M), Version 03.06.05E RELEASE SOFTWARE (fc2). Have any of you run into this issue before?
Thanks
02-03-2017 01:09 PM
Hello Donald,
what makes the RADIUS server reachable again? Is it randomly disconnecting?
Can you post the full config of the switch? Is the RADIUS server on a directly connected subnet?
02-06-2017 09:47 AM
Hi Georg,
When I remove it and add it back in, it is then reachable.
no radius server CTS-ISEPSNLBVIP01
!
!
radius server CTS-ISEPSNLBVIP01
address ipv4 165.26.210.73 auth-port 1812 acct-port 1813
02-06-2017 12:33 PM
Hello,
the 'problem' RADIUS server is on the public Internet. When I traceroute, it resolves to:
pla-old.ecorp.cat.com [165.26.210.73]
It might just come down to reachability. What device is connected to the public Internet? What are the MTU settings? Can you post the configuration of that device as well?
02-07-2017 06:24 AM
Hi Georg,
That is correct. That is the client's RADIUS server. Are you wanting the config of the server?
02-07-2017 07:41 AM
Hello Donald,
the 3850 is not the device connected to the Internet. What device is? My idea was to check the configuration of that device in order to make sure that the connection to the RADIUS server on the public Internet becomes more stable...
02-07-2017 12:43 PM
Hi Georg,
Here is some more information on this issue:
The RADIUS servers are behind a load balancer in the Data Center. The VIP of the load balancer is what gets marked dead. We have multiple switches that have this same issue. All of them are 3850s. Once the VIP of the load balancer for the RADIUS servers is marked dead because of an intermittent connection issue, the switch should mark it back alive once the issue is resolved. But that does not happen.
02-07-2017 01:36 PM
When the RADIUS server becomes unavailable and is declared dead, the switch will mark it as dead for 3 hours ("radius-server deadtime 180"). You can tune this down to a value more suitable for the VIP outage times you are experiencing.
hth
Andy
02-07-2017 02:24 PM
Hi Andy,
If the RADIUS server becomes responsive prior to the 3 hrs, will the switch still have it marked as "dead" until the dead timer expires? I am guessing that it doesn't even try to reach out to the server to see if it's alive once it's been marked as dead until the timer expires?
02-07-2017 10:59 PM
Hi Donald
Yes, the switch won't use the dead RADIUS server until the deadtime expires. See the link below for more details.
hth
Andy
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-731907.html
02-07-2017 02:09 PM
Hello,
I can't really see anything wrong with the config. You might want to try adding an automate-tester to the RADIUS server:
radius server CTS-ISEPSNLBVIP01
address ipv4 165.26.210.73 auth-port 1812 acct-port 1813
automate-tester username testuser probe-on
This sends periodic test authentication messages to the RADIUS server.
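Pulling together the two suggestions in this thread (Andy's point about the 180-minute default deadtime and the automate-tester probe above), here is an added example of how the relevant pieces fit in an IOS-XE configuration. It is not config from any poster in the thread; the shared key, the shorter timers, the dead-criteria values, and the IBNS 2.0 class-map and service-template names are assumptions chosen for illustration, and the "aaa-available" event is the hook that returns a port from critical (open) authorization once the server is marked alive again. The intent is that a server is declared dead only after a defined number of failed tries, stays dead for minutes rather than hours, and is actively probed so the switch notices when the VIP is back.

```cisco
! Declare the server dead only after 3 unanswered requests within 10 seconds
radius-server dead-criteria time 10 tries 3
! Keep it marked dead for 15 minutes instead of the 180-minute default
radius-server deadtime 15
!
radius server CTS-ISEPSNLBVIP01
 address ipv4 165.26.210.73 auth-port 1812 acct-port 1813
 key EXAMPLE-SHARED-SECRET
 ! Periodic test authentications; probe-on keeps probing while the server is dead
 automate-tester username testuser probe-on
 timeout 5
 retransmit 3
!
! IBNS 2.0 pieces (assumed names) that grant critical access while AAA is down
! and clean up once the server comes back
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
class-map type control subscriber match-all IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_ACCESS
!
service-template CRITICAL_AUTH_ACCESS
 vlan 100
!
policy-map type control subscriber PMAP_DOT1X_MAB
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH_ACCESS
   20 authorize
   30 pause reauthentication
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
```

The test username in automate-tester should exist on the RADIUS side as a low-privilege account used only for these probes, and "show aaa servers" on the switch shows the current dead/alive state and the timestamps of the last successful and failed transactions, which is the quickest way to confirm whether the server was ever marked alive again.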