ASA: issue with RSA SDI replica server

abiatarsa
Level 1

Hi, I have an ASA 9.1(5)21 and I'm trying to set up SDI authentication with an RSA 8.1. When the primary server goes down the replica doesn't respond. This is the error I get: "ERROR: Authentication Server not responding: No error"

When listing the SDI servers, the replica shows an active address of 0.0.0.0. I manually uploaded the sdopts file (x-x-x-x.sdopts and sdopts.rec just in case, where x.x.x.x is the IP of the primary RSA server)

FW# sh aaa-server RSA-SDI
Server Group: RSA-SDI
Server Protocol: sdi
Server Address: x.x.x.x
Server port: 5500
Server status: ACTIVE, Last transaction at 12:27:29 ART Mon Jan 11 2016
Number of pending requests 0
Average round trip time 2411ms
Number of authentication requests 4
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 2
Number of rejects 1
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 1
Number of unrecognized responses 0


SDI Server List:
Active Address: x.x.x.x
Server Address: x.x.x.x
Server port: 5500
Priority: 7
Proximity: 2
Status: SUSPENDED
Number of accepts 2
Number of rejects 1
Number of bad next token codes 0
Number of bad new pins sent 0
Number of retries 1
Number of timeouts 1

Active Address: 0.0.0.0  <-------------------
Server Address: y.y.y.y
Server port: 5500
Priority: 0
Proximity: 0
Status: SUSPENDED
Number of accepts 0
Number of rejects 0
Number of bad next token codes 0
Number of bad new pins sent 0
Number of retries 1
Number of timeouts 1

And the sdi debug:

FW# In sdi_ioctl
sdi mkreq: 0x80000033
sip_lookup: sip with id 2147483699 not found
alloc_sip 0x00007fff36d53970
new request 0x80000033 --> 0 (0x00007fff36d53970)
New SIP state: SDI_NEW (loc 1366)
add_req 0x00007fff36d53970 session 0x80000033 id 85
init_ace_server: handle 2296151525, server_id 193, server_addr x.x.x.x, sess_id -2147483597
New SIP state: SDI_WAIT_INIT_RESP (loc 999)
In sdi_callback: handle 2296151525, error code 1, sdi_status 23, sess_id -2147483597, state: 1
session_done: status -2, state 1
callback_aaa_task: status = -2, msg =
New SIP state: SDI_DELETE (loc 1022)
remove_req 0x00007fff36d53970 session 0x80000033 id 85
free_sip 0x00007fff36d53970
sdi: send queue empty

Nothing arrives at the replica server. Any ideas? Thanks!
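The symptom in the listing above (a replica whose Active Address is 0.0.0.0 and that never accepted a login) is easy to miss in a long "show aaa-server" dump. The script below is an added example, not code from the original post or from Cisco: it parses the SDI Server List section into one record per server and flags entries that cannot be serving logins. The sample input is a constructed copy of the server list quoted in the post, placeholder addresses included; the parser only assumes the "Key: value" and "Number of <name> N" line shapes visible in that output.

```python
import re

# Constructed sample input: the "SDI Server List" portion of the show aaa-server
# output quoted in the post above, with its placeholder addresses kept as posted.
SAMPLE_OUTPUT = """\
SDI Server List:
Active Address: x.x.x.x
Server Address: x.x.x.x
Server port: 5500
Priority: 7
Proximity: 2
Status: SUSPENDED
Number of accepts 2
Number of rejects 1
Number of bad next token codes 0
Number of bad new pins sent 0
Number of retries 1
Number of timeouts 1

Active Address: 0.0.0.0
Server Address: y.y.y.y
Server port: 5500
Priority: 0
Proximity: 0
Status: SUSPENDED
Number of accepts 0
Number of rejects 0
Number of bad next token codes 0
Number of bad new pins sent 0
Number of retries 1
Number of timeouts 1
"""

# "Number of <counter name> <integer>" lines, as printed by the ASA.
_COUNTER = re.compile(r"^Number of (.+?)\s+(\d+)$")


def parse_sdi_server_list(text):
    """Split the 'SDI Server List:' section into one dict per server entry.

    Each entry begins with an 'Active Address:' line. 'Key: value' lines become
    lowercase underscore keys holding strings; 'Number of <name> N' lines become
    integer counters keyed by the counter name.
    """
    entries = []
    current = None
    in_list = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SDI Server List:"):
            in_list = True
            continue
        if not in_list or not line:
            continue
        if line.startswith("Active Address:"):
            current = {}
            entries.append(current)
        if current is None:
            continue  # text between the section header and the first entry
        m = _COUNTER.match(line)
        if m:
            current[m.group(1).replace(" ", "_")] = int(m.group(2))
            continue
        key, _, value = line.partition(":")
        current[key.strip().lower().replace(" ", "_")] = value.strip()
    return entries


def replica_problems(entries):
    """Return (server_address, reason) pairs for entries that cannot serve logins.

    The checks mirror what the post shows: an Active Address of 0.0.0.0 (the
    ASA has no usable address for that server, so it sends it no traffic),
    a non-ACTIVE status, and timeouts with no accepts at all.
    """
    problems = []
    for e in entries:
        addr = e.get("server_address", "?")
        if e.get("active_address") == "0.0.0.0":
            problems.append((addr, "active address is 0.0.0.0: never resolved"))
        if e.get("status") != "ACTIVE":
            problems.append((addr, "status is %s" % e.get("status")))
        if e.get("accepts", 0) == 0 and e.get("timeouts", 0) > 0:
            problems.append((addr, "timeouts with no accepts: never answered"))
    return problems


if __name__ == "__main__":
    for addr, reason in replica_problems(parse_sdi_server_list(SAMPLE_OUTPUT)):
        print("%-10s %s" % (addr, reason))
```

Run against the quoted listing it reports the primary only as SUSPENDED, while the replica y.y.y.y is flagged three times (0.0.0.0 active address, SUSPENDED, timeouts with no accepts), which is the combination that distinguishes "replica is down" from "ASA never tried the replica". Feed it the output of the same command on your own ASA to see which case you have before opening a case.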

3 Replies

Richard Burts
Hall of Fame

Am I correct in understanding that authentication works ok with the primary RSA server but has problems when attempting to use the secondary RSA server? If so I would guess that it was some issue with the setup of the secondary server or the relationship between the primary and the secondary server. If the primary server does authenticate for the ASA then things like the shared secret key are correct. The primary server should communicate to the ASA the identity of the secondary server. If it is not doing this then I would think it more likely an issue on the RSA side than on the ASA side.

HTH

Rick

Hi Richard, thanks for your answer.

That's correct, it works with the primary server. In fact, the ASA downloaded the .sdi file and learnt about the secondary server.

On the RSA side I see not much to do. I did a capture on the ASA and saw that no traffic is going to the replica, not even the first time, when it goes from the OK to the SUSPENDED state. I saw a similar issue in the CSCsu70314 bug (Invalid aaa-server 0.0.0.0), that's why my suspicions are on the ASA.

Regards,

Mónica

Monica

It is good that the ASA did download the sdi file and learned about the secondary server. If you suspect a bug in the ASA software then perhaps it would be appropriate to open a case with Cisco TAC.

HTH

Rick