Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3178
Views
10
Helpful
4
Replies

AAA Servers

terrancewbennett
Level 1
Level 1

‎05-06-2013 12:17 PM

Once the ASA marks the NPS server "failed" it has to be a manual actions to re-mark it "active". What are some options around this?

What I don't know is how the ASA fails a server. I know that if anyone failed the server on the ASA it will mark it failed. If I bring down a backup server *not the primary* the ASA does not change the server status. We know the ASA will mark the primary server down and try to select another in its pool if authentication is not pointed to the "local server group" when the primary is down. How does that take place and what are the events, logs, alerts and if any notification are being sent and to who?

1 person had this problem
Labels:
0 Helpful
4 Replies 4

Jatin Katyal
Cisco Employee
Cisco Employee

‎05-06-2013 04:21 PM

The default dead time on a AAA-Server group is 10 minutes so if the ASA is failed to reach/contact the radius server then the server will be marked dead/failed for next 10 mins.  Even if you only lose the connectivity from the tacacs server for a very short period of time but the server won't become active again for next 10 mins so in order to over come this issue you need reduce this time by changing the reactivation-mode command under the AAA server-group. enter the following command:

hostname(config-aaa-server-group)# # reactivation-mode {depletion [deadtime minutes] | timed}

'reactivation-mode timed' thinking that this would probably be a good option so that server should come back more quickly (in 30 seconds). I hope that will be still there.

Where the depletion keyword reactivates failed servers only after all of the servers in the group are inactive.

The timed keyword reactivates failed servers after 30 seconds of down time.

More info

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/qr.html#wp1787712

You may also try to run show aaa-server to see the status of the servers in the group.

Jatin Katyal

- Do rate helpful posts -

~Jatin

terrancewbennett
Level 1
Level 1
In response to Jatin Katyal

‎05-07-2013 01:44 PM

I'm can now see the status go from failed to active using the ASDM to configure AAA Server Group to Reactivation Mode = Timed and changed the Accounting mode to Simultaneous.

The question now is how does the ASA really know the server is back? What checks if any does the ASA preform to ensure a server in the group is actually up? I will see if anything changes on the ASA now as I will bring down a server in the group not the primary.

Thanks

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to terrancewbennett

‎05-07-2013 06:30 PM

Please read the discussion thread:

https://supportforums.cisco.com/thread/2117456

Jatin Katyal


- Do rate helpful posts -

~Jatin

sachin.sharma711
Level 1
Level 1
In response to Jatin Katyal

‎08-11-2014 01:30 AM

Nice explaination,

 

Thanks

0 Helpful
Customers Also Viewed These Support Documents