AAA Failover

Unanswered Question
Aug 22nd, 2008

We recently installed a secondary ACS Solution Engine in a separate geographical area, and the replication works fine.

I tried testing for failover by switching off the primary ACS. Failover on most edge switches and wireless APs was successful, but most core switches and voice gateways failed to fail over. Cisco wireless phones also disconnected or failed to authenticate despite the APs failing over successfully.

TACACS+ debug result on switch:

Aug 9 12:32:23 BST: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 9 12:32:23 BST: TAC+: Opening TCP/IP to 10.192.x.x/49 timeout=5
Aug 9 12:32:27 BST: TAC+: send AUTHEN/START packet ver=192 id=1850419983
Aug 9 12:32:27 BST: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 9 12:32:27 BST: TAC+: Opening TCP/IP to 10.192.x.x/49 timeout=5
Aug 9 12:32:28 BST: TAC+: TCP/IP open to 10.192.x.x/49 failed -- Connection timed out; remote host not responding
Aug 9 12:32:28 BST: TAC+: Opening TCP/IP to 10.168.x.x/49 timeout=5
Aug 9 12:32:28 BST: TAC+: Opened TCP/IP handle 0x44C135F8 to 10.168.x.x/49
Aug 9 12:32:28 BST: TAC+: 10.168.x.x (363094990) ACCT/REQUEST/STOP queued
Aug 9 12:32:28 BST: TAC+: (363094990) ACCT/REQUEST/STOP processed
Aug 9 12:32:28 BST: TAC+: received bad ACCT packet: length = 5, expected 66855
Aug 9 12:32:28 BST: TAC+: Invalid ACCT/REQUEST/STOP packet (check keys).
Aug 9 12:32:28 BST: TAC+: Closing TCP/IP 0x44C135F8 connection to 10.168.x.x/49

Jagdeep Gambhir Fri, 08/22/2008 - 04:58

Please check the shared secret key. Here are the logs:

Aug 9 12:32:28 BST: TAC+: (363094990) ACCT/REQUEST/STOP processed
Aug 9 12:32:28 BST: TAC+: received bad ACCT packet: length = 5, expected 66855
Aug 9 12:32:28 BST: TAC+: Invalid ACCT/REQUEST/STOP packet (check keys).
Aug 9 12:32:28 BST: TAC+: Closing TCP/IP 0x44C135F8 connection to 10.168.x.x/49

Retype the key on the switch and on the ACS.

Regards,

~JG

Do rate helpful posts

Premdeep Banga Fri, 08/22/2008 - 04:59

Two things here.

First,

Invalid ACCT/REQUEST/STOP packet (check keys).

It seems like the keys (shared secret keys) are not matching. As you said that you are replicating the two ACS servers (assuming you are replicating the Network Devices too), the shared key should be the same, and if authentication is working fine with the first ACS, then it should also work the same with the second ACS server. Ensure that the keys on the AP and in the ACS configuration are the same.

Second,

Try increasing the TACACS+ timeout:

tacacs-server timeout

The default is 5 sec; go for 10 sec just for a test, then adjust to the most suitable value.

What version of ACS are you using?

Regards,

Prem

Please rate if it helps!
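Why both replies point at the shared secret, shown as an added example that is not part of the original thread or of any Cisco code: TACACS+ sends its 12-byte header in the clear and XORs only the body with an MD5-derived pseudo-pad keyed by the shared secret (the algorithm in RFC 8907 section 4.5, unchanged from the 1997 draft that IOS and ACS implemented). There is no integrity check, so a client holding a different key decodes a garbage body and can only notice when the garbage fails a structural sanity check. The code below builds a minimal accounting REPLY the way a server would, then decodes it once with the right key and once with a wrong one, reproducing the "received bad ACCT packet: length = 5, expected N" pattern from the switch debug (5 is the header length of an empty reply; 66855 is consistent with two garbage 16-bit length fields summing to 66850). The session id is the one the debug prints; both key strings are constructed for the example.

```python
"""Reproduce the IOS 'Invalid ACCT/REQUEST/STOP packet (check keys)' symptom.

TACACS+ (RFC 8907 section 4.5) XORs the packet body with an MD5-derived
pseudo-pad keyed by the shared secret. The 12-byte header is cleartext, so a
client whose key differs from the server's decodes a garbage body and can
only detect it through the length sanity check shown in the switch debug.
"""
import hashlib
import struct

TAC_PLUS_VER_0 = 0xC0                 # major 0xC, minor 0: "ver=192" in the debug
TAC_PLUS_ACCT = 0x03                  # packet type: accounting
TAC_PLUS_ACCT_STATUS_ERROR = 0x02
HEADER = struct.Struct("!BBBBII")          # version, type, seq_no, flags, session_id, length
ACCT_REPLY_FIXED = struct.Struct("!HHB")   # server_msg_len, data_len, status

SESSION_ID = 363094990                # session id printed in the switch debug above
SERVER_KEY = b"acs-shared-secret"     # constructed: key configured on the secondary ACS
CLIENT_KEY_WRONG = b"acs-shared-secert"   # constructed: mistyped key on the switch


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_(n-1)."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_acct_reply(session_id: int, seq_no: int, key: bytes,
                     status: int = TAC_PLUS_ACCT_STATUS_ERROR,
                     server_msg: bytes = b"", data: bytes = b"") -> bytes:
    """Server side: an accounting REPLY; the body is 5 bytes when msg and data are empty."""
    body = ACCT_REPLY_FIXED.pack(len(server_msg), len(data), status) + server_msg + data
    header = HEADER.pack(TAC_PLUS_VER_0, TAC_PLUS_ACCT, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VER_0, seq_no)


def parse_acct_reply(packet: bytes, key: bytes) -> dict:
    """Client side: decode with our key, then apply the IOS-style length check."""
    version, _ptype, seq_no, _flags, session_id, length = HEADER.unpack_from(packet)
    result = {"length": length, "expected": None, "status": None, "ok": False}
    if length < ACCT_REPLY_FIXED.size:
        result["debug"] = f"TAC+: received bad ACCT packet: length = {length} (too short)"
        return result
    body = obfuscate(packet[HEADER.size:HEADER.size + length], session_id, key, version, seq_no)
    server_msg_len, data_len, status = ACCT_REPLY_FIXED.unpack_from(body)
    # The header says how many body bytes arrived; the decoded fields say how many
    # there should be. With a wrong key the fields are random and the two disagree.
    expected = ACCT_REPLY_FIXED.size + server_msg_len + data_len
    result.update(expected=expected, status=status, ok=(expected == length))
    if not result["ok"]:
        result["debug"] = (f"TAC+: received bad ACCT packet: length = {length}, expected {expected}\n"
                           "TAC+: Invalid ACCT/REQUEST/STOP packet (check keys).")
    return result


def demo() -> dict:
    """Decode the same server reply with the matching key and with the wrong key."""
    reply = build_acct_reply(SESSION_ID, seq_no=2, key=SERVER_KEY)  # seq 2 answers the switch's seq 1
    return {
        "matching": parse_acct_reply(reply, SERVER_KEY),
        "mismatched": parse_acct_reply(reply, CLIENT_KEY_WRONG),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The check passes only when the decoded length fields agree with the header, which is why IOS labels the failure "(check keys)" rather than reporting a decryption error: the obfuscation offers no authentication, so a wrong secret, a tampered body and a corrupted reply all look the same on the wire. It also explains the thread's observation that the TCP connection to the secondary server opens fine while the exchange still fails: port 49 reachability and the shared secret are independent, and only the second is verified per packet.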
