ACS Failover is not working

sudiptoch
Level 1

We are running primary and secondary ACS 4.0 servers on appliances, and they have been configured for automatic replication every 6 hours between them. When the primary server goes offline because of a network issue, the secondary is supposed to authenticate, but it is not happening. Hence we are forced to use the local accounts configured in the networking device to log in and make configuration changes. Please note that all our devices are configured to use both the primary and the secondary ACS server.

Has anyone in this group come across such a problem?

4 Replies

somishra
Cisco Employee

Hi,

In the secondary ACS server -

Check the Proxy Distribution Table. It should be forwarding to the secondary ACS server, not to the primary ACS server.

Hope this helps.

Soumya

Sudipto

There could be several things that cause your problem.

My first question would be whether the network devices and the backup server are correctly configured for each other. If you change the configuration of some network device, removing the definition of the primary ACS server so that the only server configured is the backup, does the network device authenticate with the backup?

My second question would be when there is a network issue with the primary server is it possible that the network issue also impacts connectivity to the backup server? Can you check the logs on the backup server and see whether it received authentication requests? If it did receive authentication requests what was its response (were they authenticated or denied)?

My third question is whether the network devices are attempting to fail over. The best way to determine this would be from the output of some debugs. I suggest that on the router you configure debug aaa authentication and debug tacacs authentication (or radius if you are using radius instead of tacacs). If you could post the debug output, taken when the problem is going on, it would help us to analyze your problem.

I have had some experience with certain failure modes on the ACS server in which the network devices would not fail over to the backup. I had a TAC case on this which resulted in a bugID. I am aware of several other bugIDs for similar issues where failover did not occur on remote devices due to certain failure modes on the server. But in these cases there was connectivity to the server and the server was sending a response which was not expected by the remote network device. From your description it sounds like there is no connectivity, so I assume it is not the same issue.

If you can answer the questions that I listed and provide the debug output I hope that we can help to resolve your issue.

HTH

Rick

Soumya,

What type of errors would we be getting? I am butting in on this string if you all do not mind. I am having similar problems with my replication. My secondary machine still had deliverance1 on the ACS, and the IP address for the machine was a 169.254.x.x address.

I think I have that resolved. Mine says it is forwarding to the primary as well. Are you saying that I should change that?

Thanks

Dwane

Hi Dwane,

On the Primary ACS server, you should have the Primary's entry in the "Forward To" column.

On the Secondary ACS server, you should have the Secondary's entry in the "Forward To" column, under Proxy Distribution Table (Default).

If you have the Primary's entry in the "Forward To" column on the Secondary box, then it would mean that when the Primary is down, as per the device config, the request will go to the Secondary box, and then the Secondary will forward the incoming request to the Primary box (which is down), because in the (Default) Proxy section we have mentioned that any incoming request is to be sent to the Primary ACS box.

Regards,

Prem
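As an added illustration, not part of the thread and not ACS or IOS code: a small Python model of the failover path that Rick's questions probe (does the device try the backup, and does the backup answer?) and of the Proxy Distribution Table misconfiguration Prem describes. The server names, the sample user "netadmin", and the rule that a proxied request whose target is unreachable produces no reply to the device (so the device sees a timeout) are assumptions of this model, chosen to match the symptom in the original post.

```python
"""Model of a router doing 'group tacacs+ local' against two ACS boxes.

Each ACS applies the "Forward To" entry of its Proxy Distribution Table
(Default) row: if it points at itself, the box answers from its own
(replicated) user database; if it points elsewhere, the box proxies the
request to that server instead.  This is an illustrative model, not ACS
or IOS code.
"""
from dataclasses import dataclass, field

NO_RESPONSE = "no response"   # the device sees a timeout, not a TACACS+ reply


@dataclass
class AcsServer:
    name: str
    forward_to: str                            # "Forward To" in the (Default) proxy row
    online: bool = True
    users: dict = field(default_factory=dict)  # replicated user database


class AcsCluster:
    def __init__(self, servers):
        self.servers = {s.name: s for s in servers}

    def authenticate(self, server_name, user, password, path, hops=0):
        """Outcome of a request arriving at server_name.

        Modelling assumption: a proxied request whose target never answers
        yields no reply to the device, exactly like an offline server.
        """
        path.append(server_name)
        srv = self.servers[server_name]
        if not srv.online:
            return NO_RESPONSE
        if srv.forward_to != srv.name:
            if hops >= 4:                       # guard against A->B->A forwarding loops
                return NO_RESPONSE
            return self.authenticate(srv.forward_to, user, password, path, hops + 1)
        return "pass" if srv.users.get(user) == password else "fail"


def nad_login(cluster, server_order, user, password, local_users):
    """Model of 'aaa authentication login default group tacacs+ local'.

    Servers are tried in configured order; one that never answers is
    skipped; the first real answer (pass or fail) is final; only when no
    server answers at all does the router fall back to its local accounts.
    Returns (result, who_answered, path_of_servers_touched).
    """
    path = []
    for name in server_order:
        result = cluster.authenticate(name, user, password, path)
        if result != NO_RESPONSE:
            return result, name, path
    local = "pass" if local_users.get(user) == password else "fail"
    return local, "local", path


def scenario(secondary_forward_to, primary_online=False, password="s3cret"):
    """Primary and secondary share replicated users (constructed sample data).

    secondary_forward_to is the "Forward To" entry on the secondary box:
    "primary" reproduces the misconfiguration, "secondary" the fix.
    """
    users = {"netadmin": "s3cret"}
    cluster = AcsCluster([
        AcsServer("primary", forward_to="primary", online=primary_online, users=dict(users)),
        AcsServer("secondary", forward_to=secondary_forward_to, users=dict(users)),
    ])
    return nad_login(cluster, ["primary", "secondary"], "netadmin", password,
                     local_users={"netadmin": "s3cret"})


if __name__ == "__main__":
    for fwd in ("primary", "secondary"):
        print(f'secondary "Forward To" = {fwd}: {scenario(fwd)}')
```

With the secondary forwarding to the primary, the path is primary -> secondary -> primary: the device did fail over, the secondary did receive the request, and the answer still never came, so the router ended up on local accounts, which is exactly the symptom in the original post. Point the secondary's (Default) row at itself and the same request is answered by the secondary. Note also that a genuine reject from the secondary is final: the local fallback only happens when no server answers, so a wrong password does not drop you to local accounts.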