Detect up/down radius server

David Coupez · ‎03-29-2010

Hello,

I was wondering how does a switch proceed to detect when one or several radius server is down.

If I leave only one radius server in a C3560-24PS (running with the lastest software version) and shut all services associated with my ACS4.2 through the web interface, I receive the following error logs:

13:55:31:%RADIUS-4-RADIUS_DEAD: RADIUS server x.x.x.x:1645,1646 is not responding.
13:55:31:%RADIUS-4-RADIUS_ALIVE: RADIUS server x.x.x.x:1645,1646 is being marked alive.

Anyone can explain me why a such ouput?

Thank you for your help!

David

Ganesh Hariharan · ‎03-29-2010

Hello,

I was wondering how does a switch proceed to detect when one or several radius server is down.

If I leave only one radius server in a C3560-24PS (running with the lastest software version) and shut all services associated with my ACS4.2 through the web interface, I receive the following error logs:

13:55:31:%RADIUS-4-RADIUS_DEAD: RADIUS server x.x.x.x:1645,1646 is not responding.
13:55:31:%RADIUS-4-RADIUS_ALIVE: RADIUS server x.x.x.x:1645,1646 is being marked alive.

Anyone can explain me why a such ouput?

Thank you for your help!

David

Hi David,

Following are the comments for the above messages

%RADIUS-4-RADIUS_DEAD -- A RADIUS server has not responded to repeated requests

For checking purpose check to see if the RADIUS server is still active.

%RADIUS-4-RADIUS_ALIVE -- A RADIUS server that previously was not responding has responded
to a new request

Hope to Help !!

Remember to rate the helpful post

Ganesh.H

Access2 · ‎10-16-2017

Hi,

I'm having the same issue, is anyone able to fix this reported issue on this thread?

Thanks,

Magesh

Giuseppe Larosa · ‎03-29-2010

Hello David,

RADIUS uses a pair of UDP ports in your case UDP 1645 and 1646 for AAA and accounting

the device is probably probing those ports according to radius server configuration over time, so it can detect when services are available or not based on the fact of receiving or not receiving answers from server.

this is what is provided also by error message decoder

%RADIUS-4-RADIUS_DEAD:

RADIUS server [IP_address]:[int],[int] is not responding.

A RADIUS server has not responded to repeated requests.

Recommended Action: Check to determine if the RADIUS server is still active.

Related documents- No specific documents apply to this error message.

I think this is good news if failure detection happens when the Radius service is disabled on server

Hope to help

Giuseppe

David Coupez · ‎03-29-2010

Thank you for your quick answers but my problem is the fact the switch detects the radius server back in the exact same second it became unavailable.

And in the meanwhile, the radius was disconnected (either by shutting down corresponding services or by physically disconnecting the network port of the ACS server).

I don't understand how a switch can detect a radius server alive if it is certainly not. Two possibilities arise in my mind: either the switch thinks the radius is alive and the logging is correct, either the logging is simply buggy.

In both cases, there is a problem...

Any ideas?

David

Giuseppe Larosa · ‎03-29-2010

Hello David,

>> Thank you for your quick answers but my problem is the fact the switch detects the radius server back in the exact same second it became unavailable.

Now it is more clear and I agree this is a problem.

The result of this is the device will try to send messages to the radius server for accounting or AAA.

It should be able to detect the server failure when trying to use it.

So some resources are wasted in the attempt to contact a dead server.

Hope to help

Giuseppe

David Coupez · ‎03-29-2010

Heloo Giuseppe,

Apparently when I set the debug mode on, it seems more like a logging problem than a real confusion from the switch. Good to know but just makes things harder to debug.

Thank you for your time

GFWAFBCCO · ‎10-22-2014

Is there any update on a fix action?

Maksim Sataev · ‎04-04-2016

I had the same problem when i installed new router in branch.

I used Loopback interface for radius connection:

ip radius source-interface Loopback0

But ip address of this Loopback was routed for radius server in the different path.

Check available route to your device where you want to be authenticated for AAA server.

I hope that helped you!

Maksim

TheDukeofBaghdad · ‎04-09-2018

I had the same problem:

%RADIUS-4-RADIUS_DEAD: RADIUS server X.X.X.X:1645,1646 is not responding.
%RADIUS-4-RADIUS_ALIVE: RADIUS server X.X.X.X:1645,1646 is being marked alive.

%RADIUS-4-RADIUS_DEAD: RADIUS server Y.Y.Y.Y:1645,1646 is not responding.
%RADIUS-4-RADIUS_ALIVE: RADIUS server Y.Y.Y.Y:1645,1646 is being marked alive.

The way I fixed it is by removing the aaa new-module (no aaa new-model) and apply it again!

I guess there is a specific order that you have to follow when configuring your AAA and Radius servers.

Hope that help somebody in the future :)

best of luck

Emre Ozel · ‎09-03-2020

Hello,

I faced the same problem too. I solved the problem with some reviews on Cisco ISE side.

1- First of all, the switch that I got the error from is the switch I use as the backbone
   error output:
          %RADIUS-4-RADIUS_DEAD: RADIUS server XXX is not responding.
          %RADIUS-4-RADIUS_ALIVE: RADIUS server XXX is being marked alive.

I recorded the time interval I tried to log in and got an error, and on Cisco ISE side, I looked at what happened during those hours.

When I look at the error details :

NAS IPv4 Address :

where it should be the switch ip address. The ip blog where Cisco ISE server is located had a gateway.

I fixed the switch ip address for the network device and the problem was solved.

halilmollaoglu · ‎09-03-2020

Thank you for sharing, we encountered the same issue resolved it now.

alvarteearu · ‎10-22-2020

Had a same issue, even when I completely blocked RADIUS access with Firewall, it kept popping up as alive.

The solution or maybe we can also call it a workaround, was “automate-tester” and “probe-on” function that is available from IOS 15.2(2)E / XE 03.04.00E. With this addition “dead” server will be marked “up” only when a response is received from the RADIUS server, hence as I actually did not get responses back from the server it was kept “dead”.

cnfrtclk · ‎03-15-2023

sorunun çözümünü bulan bulmuştur, bulmayanlar için bilerek türkçe yazıyorum. çevirip anlasınlar.

sunucuda kayıt yaptığınız ağ'a göre yada yönetim IP lerine göre,

yönlendiricide yada anahtarda yönetim vlanını kaynak göstermeniz gerekiyor.

komut: ip radius source-interface vlan X

Minnesotakid · ‎03-27-2025

Just wanted to add to this conversation a bit. We started seeing these logs when we enabled device-sensor notify all-changes on our older switches. Particularly in the 2960 family of switch, including C and X models. This makes sense as all of the device-sensor updates are wrapped in a RADIUS accounting packet.

Our RADIUS servers are functioning properly and no firewalls in between, it is merely the frequency of the device sending Accounting packets that is generating these logs.

For now we are trying to send less frequent updates but no success yet. Either way I wanted to post this in case it helps!