Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
596
Views
0
Helpful
2
Replies

AAA Failover

johnmapa22
Level 1
Level 1

‎08-22-2008 12:53 AM - edited ‎03-10-2019 04:03 PM

We recently installed a secondary ACS solution engine in a separate geographical area and the replication works fine.

I tried testing for failover by switching off the primary ACS. Failover on most edge switches and wireless APs was successfull but most core switches and voice gateways failed to failover. Cisco wireless phones also disconnected or failed to authenticate despite the APs failing over successfully.

Tacacs Debug result on switch:

Using default tacacs server-group "tacacs+" list.

Aug 9 12:32:23 BST: TAC+: Using default tacacs server-group "tacacs+" list.

Aug 9 12:32:23 BST: TAC+: Opening TCP/IP to 10.192.x.x/49 timeout=5

Aug 9 12:32:27 BST: TAC+: send AUTHEN/START packet ver=192 id=1850419983

Aug 9 12:32:27 BST: TAC+: Using default tacacs server-group "tacacs+" list.

Aug 9 12:32:27 BST: TAC+: Opening TCP/IP to 10.192.x.x/49 timeout=5

Aug 9 12:32:28 BST: TAC+: TCP/IP open to 10.192.x.x/49 failed -- Connection

timed out; remote host not responding

Aug 9 12:32:28 BST: TAC+: Opening TCP/IP to 10.168.x.x/49 timeout=5

Aug 9 12:32:28 BST: TAC+: Opened TCP/IP handle 0x44C135F8 to 10.168.x.x/49

Aug 9 12:32:28 BST: TAC+: 10.168.x.x (363094990) ACCT/REQUEST/STOP queued

Aug 9 12:32:28 BST: TAC+: (363094990) ACCT/REQUEST/STOP processed

Aug 9 12:32:28 BST: TAC+: received bad ACCT packet: length = 5, expected 66855

Aug 9 12:32:28 BST: TAC+: Invalid ACCT/REQUEST/STOP packet (check keys).

Aug 9 12:32:28 BST: TAC+: Closing TCP/IP 0x44C135F8 connection to 10.168.x.x

/49

Labels:
0 Helpful
2 Replies 2

Jagdeep Gambhir
Level 10
Level 10

‎08-22-2008 04:58 AM

Please check the shared secret key. Here are the logs,

Aug 9 12:32:28 BST: TAC+: (363094990) ACCT/REQUEST/STOP processed

Aug 9 12:32:28 BST: TAC+: received bad ACCT packet: length = 5, expected 66855

Aug 9 12:32:28 BST: TAC+: Invalid ACCT/REQUEST/STOP packet (check keys).

Aug 9 12:32:28 BST: TAC+: Closing TCP/IP 0x44C135F8 connection to 10.168.x.x

/49

Retype key on switch and on acs.

Regards,

~JG

Do rate helpful posts

0 Helpful

Premdeep Banga
Level 7
Level 7

‎08-22-2008 04:59 AM

Two things here,

First,

Invalid ACCT/REQUEST/STOP packet (check keys).

It seems like the keys are not matching (Shared Secret Keys), As you said that you are replicating the 2 ACS servers (assuming replicating Network Device too), then the Shared Key should be same), And if authentication is working fine with 1st ACS, then it should also work the same with the second ACS server. Ensure that keys on the AP and the ACS configuration is same.

Second,

Try increasing the Tacacs+ timeout,

tacacs-server timeout

default is 5 sec, go for 10 sec, just for test, try to adjust the most suitable value.

What version of ACS are we using ?

Regards,

Prem

Please rate if it helps!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents