
%AAA-3-SERVER_INTERNAL_ERROR on 9300 Switches

lb123
Level 1

I am getting the following error on all my 9300 switches, but none of my other models...

 

%AAA-3-SERVER_INTERNAL_ERROR: Switch 1 R0/0: sessmgrd: Server '(null)': No server stats to increment access accept count!

 

I know it has something to do with radius and my backup ISE server using the server-private command in the radius group, but can't figure out how to use a fail-over radius with an authentication key without server-private.  When I delete the backup server out of the group and leave in the primary, I don't get the errors.  And when I disconnect the backup server completely, I don't get the errors.  Any ideas?


Cristian Matei
VIP Alumni

Hi,

 

    What is your RADIUS configuration? And do you have RADIUS failover or RADIUS load-balancing?


Regards,

Cristian Matei.

Radius config is below.  Don't have any other commands other than these for radius.  All the same commands work on our 3850 and 2960s.

 

aaa new-model

 

aaa group server radius RADIUS_GROUP
server-private X.X.X.X key 7 06315F2D5A4B1B582B5456
server-private X.X.X.X key 7 113E49090117194D2A696F
ip radius source-interface Vlan5

 

aaa authentication dot1x default group RADIUS_GROUP
aaa authorization config-commands
aaa accounting send stop-record always
aaa accounting update newinfo periodic 20
aaa accounting dot1x default start-stop group RADIUS_GROUP
aaa accounting network default start-stop group RADIUS_GROUP

 

aaa server radius dynamic-author

 

radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria time 10 tries 3
radius-server deadtime 10

Hi,

 

Try using this config instead (delete the server-private config, this was a temporary fix to provide VRF-aware RADIUS/TACACS):

radius server FIRST
 address ipv4 x.x.x.x
 key xxxxx
!
radius server SECOND
 address ipv4 y.y.y.y
 key yyyyy
!
aaa group server radius RADIUS_GROUP
 server name FIRST
 server name SECOND
 ip radius source-interface Vlan5

 

Regards,
Cristian Matei.

That absolutely works. Wonder what is different on the 9300s that gives the error with server-private. Appreciate the help!

Hi,

 

I would say, from my experience, that this is what happens at some point, when we're using something which was not designed to be used like that; server-private was designed to support VRF-aware AAA servers, before Cisco came up with a final properly architected solution. Pretty much, the server-private option should NOT be used without VRF, if you want to enjoy life and not troubleshoot issues. I call this work ethic, by trying to use something for what it was designed only.

 

Regards,

Cristian Matei.
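
An added example, not part of the thread or any poster's own code: a small Python audit that reads a saved running-config, flags every RADIUS group that uses server-private without a VRF, and builds the named-server form from the accepted answer. The sample config, the MGMT_GROUP and Mgmt-vrf names, the generated server names and the `<KEY>` placeholder are assumptions; the parser expects the normal indented `show running-config` layout.

```python
import re

# Constructed sample modelled on the thread's config; addresses, MGMT_GROUP and Mgmt-vrf are made up.
SAMPLE_CONFIG = """\
aaa group server radius RADIUS_GROUP
 server-private 192.0.2.10 key 7 <REDACTED>
 server-private 192.0.2.11 key 7 <REDACTED>
 ip radius source-interface Vlan5
!
aaa group server radius MGMT_GROUP
 server-private 198.51.100.5 key 7 <REDACTED>
 ip vrf forwarding Mgmt-vrf
!
"""

GROUP_RE = re.compile(r"^aaa group server radius (\S+)")
PRIVATE_RE = re.compile(r"^\s+server-private (\S+)")
VRF_RE = re.compile(r"^\s+ip vrf forwarding (\S+)")

def parse_groups(config):
    """Map each RADIUS group to its server-private addresses and VRF (or None)."""
    groups, current = {}, None
    for line in config.splitlines():
        if m := GROUP_RE.match(line):
            current = groups.setdefault(m.group(1), {"private": [], "vrf": None})
        elif current is not None and line.startswith(" "):
            if p := PRIVATE_RE.match(line):
                current["private"].append(p.group(1))
            elif v := VRF_RE.match(line):
                current["vrf"] = v.group(1)
        else:
            current = None  # "!" or any top-level command ends the group block
    return groups

def audit(config):
    """Return {group: [addresses]} for groups using server-private with no VRF."""
    return {g: d["private"] for g, d in parse_groups(config).items()
            if d["private"] and d["vrf"] is None}

def replacement(group, addresses):
    """Build the named-server form from the accepted answer; <KEY> is a placeholder."""
    names = [f"{group}_{i}" for i in range(1, len(addresses) + 1)]
    out = []
    for name, ip in zip(names, addresses):
        out += [f"radius server {name}", f" address ipv4 {ip}", " key <KEY>", "!"]
    out.append(f"aaa group server radius {group}")
    out += [f" no server-private {ip}" for ip in addresses]
    out += [f" server name {name}" for name in names]
    return "\n".join(out)
```

Calling `audit(SAMPLE_CONFIG)` reports only RADIUS_GROUP, because MGMT_GROUP binds its private server to a VRF; pass each reported group to `replacement()` and review the output before applying it to a switch.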