Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
541
Views
0
Helpful
2
Replies

Problem with delayed communications between Cisco ACS 3.3 and RSA SecurID

ben_simon
Level 1
Level 1

‎07-02-2008 05:16 PM

Hi All

This is a bit of a strange one! In a nutshell we have Cisco ACS 3.3 and RSA SecureID 5.2 server on our Remote Access Server. Checking the RADIUS logs in ACS we see that there is a definate 4 second delay with the authentication between ACS and RSA

Let me elaborate....

Our primary method of connection is using the Cisco VPN Client v 4.6. We've never noticed a problem with this connection before. (VPN client seems a bit more forgiving)

We are now trialling Telstra NextG wireless modems, using a alternative connection to the VPN client

We have been monitoring the logs on RADIUS and see the incoming request from Telstra, followed 2 seconds later by a retry, which is then followed 2 seconds later by another retry. At this point Telstra gives up and fails the connection. But according to the logs, the connection is accepted at the same time as the connection 'gives up' (but appears further in the log).

Each time this happens we noticed that it takes 4 seconds (sometimes 5) for the OK to be logged by Cisco coming from RSA.

My question is (after all that!), is there anyway we can further troubleshoot / configure the connections between RSA and Cisco?

Has anyone else noticed this problem before, or something similar?

The server is managing over a thousand other connection devices that arent using RSA with no problems. Looks like its something to do with the connection between Cisco and RSA?

Looking forward to hearing your thoughts!

Cheers

Ben

Labels:
0 Helpful
2 Replies 2

aghaznavi
Level 5
Level 5

‎07-08-2008 05:53 AM

Post your running config on which interface is connected to that remote location .

0 Helpful

ben_simon
Level 1
Level 1
In response to aghaznavi

‎07-09-2008 02:14 PM

Hey all

Looks like we've sorted it out

We've managed to change the 2 second delay between Cisco and RSA. This delay is actually configured in RSA, which we have since changed

After working with the network carrier we found that our RADIUS server was attempting to issue an IP address that was already in use, by a user that was logged in but not visible with on the RADIUS server.

After ratting around with the IP Pool config, i noticed a box, that was ticked, that said "Release address if allocated for longer than 5 hours".

We have had users connected continously for 3 days, but it looks like they were dissapearing from our RADIUS after 5 hours. Along comes the next request, and the server tries to issue an IP address it thinks is free, but is actually in use.

Anyway, unselected this, and it all seems good!

Cheers

Ben

0 Helpful
Customers Also Viewed These Support Documents