08-22-2008 12:53 AM - edited 03-10-2019 04:03 PM
We recently installed a secondary ACS solution engine in a separate geographical area and the replication works fine.
I tried testing for failover by switching off the primary ACS. Failover on most edge switches and wireless APs was successful, but most core switches and voice gateways failed to fail over. Cisco wireless phones also disconnected or failed to authenticate despite the APs failing over successfully.
Tacacs Debug result on switch:
Using default tacacs server-group "tacacs+" list.
Aug 9 12:32:23 BST: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 9 12:32:23 BST: TAC+: Opening TCP/IP to 10.192.x.x/49 timeout=5
Aug 9 12:32:27 BST: TAC+: send AUTHEN/START packet ver=192 id=1850419983
Aug 9 12:32:27 BST: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 9 12:32:27 BST: TAC+: Opening TCP/IP to 10.192.x.x/49 timeout=5
Aug 9 12:32:28 BST: TAC+: TCP/IP open to 10.192.x.x/49 failed -- Connection timed out; remote host not responding
Aug 9 12:32:28 BST: TAC+: Opening TCP/IP to 10.168.x.x/49 timeout=5
Aug 9 12:32:28 BST: TAC+: Opened TCP/IP handle 0x44C135F8 to 10.168.x.x/49
Aug 9 12:32:28 BST: TAC+: 10.168.x.x (363094990) ACCT/REQUEST/STOP queued
Aug 9 12:32:28 BST: TAC+: (363094990) ACCT/REQUEST/STOP processed
Aug 9 12:32:28 BST: TAC+: received bad ACCT packet: length = 5, expected 66855
Aug 9 12:32:28 BST: TAC+: Invalid ACCT/REQUEST/STOP packet (check keys).
Aug 9 12:32:28 BST: TAC+: Closing TCP/IP 0x44C135F8 connection to 10.168.x.x/49
08-22-2008 04:58 AM
Please check the shared secret key. Here are the logs,
Aug 9 12:32:28 BST: TAC+: (363094990) ACCT/REQUEST/STOP processed
Aug 9 12:32:28 BST: TAC+: received bad ACCT packet: length = 5, expected 66855
Aug 9 12:32:28 BST: TAC+: Invalid ACCT/REQUEST/STOP packet (check keys).
Aug 9 12:32:28 BST: TAC+: Closing TCP/IP 0x44C135F8 connection to 10.168.x.x/49
Retype key on switch and on acs.
Regards,
~JG
Do rate helpful posts
08-22-2008 04:59 AM
Two things here,
First,
Invalid ACCT/REQUEST/STOP packet (check keys).
It seems like the keys are not matching (shared secret keys). As you said that you are replicating the two ACS servers (assuming you are replicating the network devices too), the shared key should be the same, and if authentication is working fine with the first ACS, then it should also work the same with the second ACS server. Ensure that the keys on the AP and in the ACS configuration are the same.
Second,
Try increasing the TACACS+ timeout:
tacacs-server timeout
The default is 5 sec; go for 10 sec just for a test, then adjust to the most suitable value.
What version of ACS are we using?
Regards,
Prem
Please rate if it helps!
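Both replies above point at the shared secret, and the debug line "received bad ACCT packet: length = 5, expected 66855 ... (check keys)" is exactly what a key mismatch looks like on the wire. The following is an added example, not code from the thread or from Cisco: it reproduces the TACACS+ body obfuscation from RFC 8907 (chained MD5 pseudo-pad XORed over the body), builds an accounting STOP request as the switch would, and then "decrypts" it once with the switch's key and once with a different key. The keys, session ID, usernames and argument values are all constructed for the demonstration. Because TACACS+ carries no MAC or key confirmation, the server with the wrong key simply gets random bytes, and the only symptom is that the length fields inside the body no longer add up to the body it received.

```python
"""
Added example (not from the thread): why a TACACS+ shared-secret mismatch
surfaces as 'received bad ACCT packet: length = X, expected Y (check keys)'.

TACACS+ (RFC 8907) carries no MAC or key confirmation. The packet body is
XORed with an MD5-derived pseudo-pad keyed on the shared secret, so a peer
holding a different secret 'decrypts' the body to random bytes and the
embedded length fields no longer add up to the body it received.
All keys, session IDs and field values below are constructed.
"""
import hashlib
import struct
from typing import List, Optional, Tuple

# Header byte 'version': major 0xC, minor 0 -> 0xC0 = 192 ('ver=192' in the debug)
VERSION = (0xC << 4) | 0x0
TAC_PLUS_ACCT_FLAG_STOP = 0x04


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pseudo-pad: chained MD5 over session_id||key||version||seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR with the pseudo-pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, VERSION, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_acct_stop_body(user: bytes, port: bytes, rem_addr: bytes, args: List[bytes]) -> bytes:
    """Accounting REQUEST body (RFC 8907 section 7.1) with flags=STOP."""
    fixed = struct.pack(
        "!9B",
        TAC_PLUS_ACCT_FLAG_STOP,
        0x06,   # authen_method: TACACSPLUS
        15,     # priv_lvl
        0x01,   # authen_type: ASCII
        0x01,   # authen_service: LOGIN
        len(user), len(port), len(rem_addr), len(args),
    )
    arg_lens = bytes(len(a) for a in args)
    return fixed + arg_lens + user + port + rem_addr + b"".join(args)


def expected_body_length(body: bytes) -> Optional[int]:
    """Length the header fields claim; None if the (possibly garbled) header overruns the body."""
    if len(body) < 9:
        return None
    user_len, port_len, rem_addr_len, arg_cnt = body[5:9]
    if len(body) < 9 + arg_cnt:
        return None
    return 9 + arg_cnt + user_len + port_len + rem_addr_len + sum(body[9:9 + arg_cnt])


def server_check(wire_body: bytes, session_id: int, key: bytes, seq_no: int) -> Tuple[bool, int, Optional[int]]:
    """What the ACS side does: de-obfuscate with *its* key and compare the claimed length to the real one."""
    clear = obfuscate(wire_body, session_id, key, seq_no)
    expected = expected_body_length(clear)
    return expected == len(clear), len(clear), expected


def demo() -> dict:
    """Switch sends an ACCT STOP with one key; primary ACS has it, secondary ACS has another."""
    session_id = 0x15A4E60F               # constructed; the debug prints the same field in decimal
    switch_key = b"switch-secret"          # constructed
    secondary_acs_key = b"acs-secret"      # constructed: the mistyped key on the secondary ACS
    body = build_acct_stop_body(b"admin", b"tty0", b"10.0.0.5", [b"service=shell", b"cmd=exit"])
    wire = obfuscate(body, session_id, switch_key, seq_no=1)
    return {
        "primary": server_check(wire, session_id, switch_key, 1),
        "secondary": server_check(wire, session_id, secondary_acs_key, 1),
    }


if __name__ == "__main__":
    for name, (ok, got, exp) in demo().items():
        print(f"{name}: length = {got}, expected {exp} -> {'ok' if ok else 'check keys'}")
```

Run stand-alone, the "primary" line reports matching lengths and the "secondary" line reports a nonsense expected length (or None when the garbled argument count overruns the body), which is the same class of symptom as the switch debug. The practical consequence is what both replies say: there is nothing to tune, the key has to be re-entered identically on the device and on the secondary ACS. Increasing `tacacs-server timeout` only helps the first failure in the debug (the TCP connect to the dead primary timing out); it does nothing for the "check keys" failure against the secondary.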