Problem with delayed communications between Cisco ACS 3.3 and RSA SecurID

Jul 2nd, 2008

Hi All

This is a bit of a strange one! In a nutshell, we have Cisco ACS 3.3 and RSA SecurID 5.2 server on our Remote Access Server. Checking the RADIUS logs in ACS, we see that there is a definite 4 second delay with the authentication between ACS and RSA.

Let me elaborate....

Our primary method of connection is using the Cisco VPN Client v 4.6. We've never noticed a problem with this connection before. (VPN client seems a bit more forgiving)

We are now trialling Telstra NextG wireless modems, using an alternative connection to the VPN client.

We have been monitoring the logs on RADIUS and see the incoming request from Telstra, followed 2 seconds later by a retry, which is then followed 2 seconds later by another retry. At this point Telstra gives up and fails the connection. But according to the logs, the connection is accepted at the same time as the connection 'gives up' (but appears further in the log).

Each time this happens we noticed that it takes 4 seconds (sometimes 5) for the OK to be logged by Cisco coming from RSA.

My question is (after all that!), is there anyway we can further troubleshoot / configure the connections between RSA and Cisco?

Has anyone else noticed this problem before, or something similar?

The server is managing over a thousand other connection devices that aren't using RSA with no problems. Looks like it's something to do with the connection between Cisco and RSA?

Looking forward to hearing your thoughts!

Cheers

Ben
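The symptom described above (a NAS retrying every 2 seconds, giving up after the second retry, while the Access-Accept is only logged 4 to 5 seconds after the first request) is easiest to confirm by correlating the request, retry and result lines per user. The following script is an added example, not code from the thread or from Cisco ACS; it assumes a simplified, constructed log format (`timestamp nas=… user=… event=…`) and a NAS retry policy of 2 retries spaced 2 seconds apart, both of which would need to be adapted to the real ACS export and the carrier's actual timers.

```python
"""Correlate RADIUS Access-Request retries with the eventual Access-Accept/Reject
and flag authentications whose answer arrived only after the NAS had given up.

Added example for the discussion above; the log format and sample lines are
constructed for illustration and are not real ACS output.
"""
from datetime import datetime
import re

# Constructed sample log: alice's accept arrives 4 s after the first request,
# after two retries (the pattern described in the thread); bob's arrives in 1 s.
SAMPLE_LOG = """\
2008-07-02T10:15:00 nas=203.0.113.10 user=alice event=Access-Request
2008-07-02T10:15:02 nas=203.0.113.10 user=alice event=Access-Request
2008-07-02T10:15:04 nas=203.0.113.10 user=alice event=Access-Request
2008-07-02T10:15:04 nas=203.0.113.10 user=alice event=Access-Accept
2008-07-02T10:20:00 nas=203.0.113.10 user=bob event=Access-Request
2008-07-02T10:20:01 nas=203.0.113.10 user=bob event=Access-Accept
"""

# Assumed line layout; a real export would need its own pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) nas=(?P<nas>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$"
)


def parse_log(text):
    """Turn log text into time-sorted records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "nas": m["nas"],
            "user": m["user"],
            "event": m["event"],
        })
    records.sort(key=lambda r: r["ts"])
    return records


def correlate(records, retry_interval=2.0, max_retries=2, attempt_window=30.0):
    """Group requests and retries per (nas, user) into one attempt and attach its result.

    A further Access-Request for the same (nas, user) within attempt_window seconds
    of the first one is counted as a retry, not a new attempt. The NAS is assumed to
    give up retry_interval * max_retries seconds after the first request (2 s x 2 here),
    so any answer with latency at or beyond that point is flagged as late.
    """
    open_attempts = {}
    results = []
    give_up_after = retry_interval * max_retries
    for r in records:
        key = (r["nas"], r["user"])
        if r["event"] == "Access-Request":
            cur = open_attempts.get(key)
            if cur and (r["ts"] - cur["first"]).total_seconds() <= attempt_window:
                cur["retries"] += 1
            else:
                open_attempts[key] = {"nas": r["nas"], "user": r["user"],
                                      "first": r["ts"], "retries": 0}
        elif r["event"] in ("Access-Accept", "Access-Reject"):
            cur = open_attempts.pop(key, None)
            if cur is None:
                continue  # answer with no request in the window; ignore
            latency = (r["ts"] - cur["first"]).total_seconds()
            results.append({
                "nas": cur["nas"], "user": cur["user"], "result": r["event"],
                "retries": cur["retries"], "latency_s": latency,
                "late": latency >= give_up_after,
            })
    # Attempts that never got an answer are reported too, so they are not lost.
    for cur in open_attempts.values():
        results.append({"nas": cur["nas"], "user": cur["user"], "result": "No-Response",
                        "retries": cur["retries"], "latency_s": None, "late": True})
    return results


def late_users(results):
    """Users whose authentication answer came back only after the NAS had given up."""
    return sorted(r["user"] for r in results if r["late"])


if __name__ == "__main__":
    for row in correlate(parse_log(SAMPLE_LOG)):
        print(row)
    print("late answers for:", late_users(correlate(parse_log(SAMPLE_LOG))))
```

Run against the real log, a non-empty list from `late_users` points at a backend (ACS to RSA) round trip that is longer than the carrier's RADIUS timeout, which is exactly the mismatch the thread ends up fixing by changing the delay configured on the RSA side.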

aghaznavi Tue, 07/08/2008 - 05:53

Post your running config on which interface is connected to that remote location.

ben_simon Wed, 07/09/2008 - 14:14

Hey all

Looks like we've sorted it out.

We've managed to change the 2 second delay between Cisco and RSA. This delay is actually configured in RSA, which we have since changed.

After working with the network carrier, we found that our RADIUS server was attempting to issue an IP address that was already in use by a user that was logged in but not visible on the RADIUS server.

After ratting around with the IP Pool config, I noticed a box that was ticked that said "Release address if allocated for longer than 5 hours".

We have had users connected continuously for 3 days, but it looks like they were disappearing from our RADIUS after 5 hours. Along comes the next request, and the server tries to issue an IP address it thinks is free, but is actually in use.

Anyway, I unselected this, and it all seems good!

Cheers

Ben
