113022: AAA Marking server 0.0.0.0 as failed

Unanswered Question
May 29th, 2009

Just changed AAA to use LDAP to MS2K8 AD rather than former RADIUS. Simply added hosts to existing LDAP group through ASDM. It is working fine, but I am getting tons of the following in the logs ...

May 29 12:54:14 pix2-inside May 29 2009 12:56:11: %PIX-2-113022: AAA Marking RADIUS server 0.0.0.0 in aaa-server group RADIUS as FAILED
May 29 12:55:46 pix2-inside May 29 2009 12:57:43: %PIX-2-113022: AAA Marking LDAP server 0.0.0.0 in aaa-server group LDAP as FAILED
May 29 12:58:51 pix2-inside May 29 2009 13:00:47: %PIX-2-113022: AAA Marking LDAP server 0.0.0.0 in aaa-server group LDAP as FAILED

Config ...

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host LAN-EVE
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host LAN-JAMES
aaa-server LDAP (inside) host LAN-JOHN
aaa authentication ssh console LDAP LOCAL
aaa authentication enable console LDAP LOCAL
aaa authentication http console LDAP LOCAL
aaa authentication secure-http-client

Test through ASDM working for each configured host.

Anyone know why I am getting these messages?

sadbulali Thu, 06/04/2009 - 09:22

You may try adding the user with zero privs and power off the server and restart it.

freyguy Mon, 12/13/2010 - 12:13

Hiya;

I had this issue and it was the result of turning off name resolution in the configuration and logs (using the "no names" command).

Either reverse that command (i.e. "names") or add the aaa-server with its IP address instead of its name,

e.g.

aaa-server RADIUS (inside) host 111.222.333.444
aaa-server LDAP (inside) host 222.333.444.555
aaa-server LDAP (inside) host 333.444.555.666

you get the idea...

Hope that helps...

-- KevFrey --

Tarik Admani Mon, 12/13/2010 - 13:55

Here is the bug id for what you are hitting: CSCsj64402

I tried to find the exact details of the bug but for some reason cannot access the bug toolkit at the moment. Basically there is a delay before cdp settles, which fails the first few DNS lookups when you have your servers configured by name instead of IP. The individual before my post is correct: if you want to move past this you can configure the servers by IP address and move past this issue. Usually this shows up when the PIX is first booted up. Did this occur during bootup or initial configuration of the servers, or does this occur every time you test authentication?

Thanks,
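The two answers above both point at the same root cause: the aaa-server hosts are configured by name, the name does not resolve at the moment the device tries it, and the %PIX-2-113022 message then reports the server as 0.0.0.0. The following script is an added example, not code from this thread or from Cisco: it parses 113022 messages from a syslog feed, flags the ones that carry 0.0.0.0 as the server, and cross-references them with the aaa-server host lines in the running config to list which groups are still using hostnames rather than IP addresses. The sample log lines and config are the ones quoted in the question, embedded here as constructed input; the function and variable names are the example's own.

```python
import re
import ipaddress

# Constructed sample input: the three %PIX-2-113022 messages quoted in the question.
SAMPLE_LOG = """\
May 29 12:54:14 pix2-inside May 29 2009 12:56:11: %PIX-2-113022: AAA Marking RADIUS server 0.0.0.0 in aaa-server group RADIUS as FAILED
May 29 12:55:46 pix2-inside May 29 2009 12:57:43: %PIX-2-113022: AAA Marking LDAP server 0.0.0.0 in aaa-server group LDAP as FAILED
May 29 12:58:51 pix2-inside May 29 2009 13:00:47: %PIX-2-113022: AAA Marking LDAP server 0.0.0.0 in aaa-server group LDAP as FAILED
"""

# Constructed sample input: the aaa-server lines from the question's config.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host LAN-EVE
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host LAN-JAMES
aaa-server LDAP (inside) host LAN-JOHN
"""

# Message format as it appears in the quoted log lines.
MSG_113022 = re.compile(
    r"%PIX-2-113022: AAA Marking (?P<proto>\S+) server (?P<server>\S+) "
    r"in aaa-server group (?P<group>\S+) as FAILED"
)
# Only the "(interface) host <name-or-ip>" form defines a server entry; the
# "protocol ..." lines define the group and are deliberately not matched.
HOST_LINE = re.compile(r"^aaa-server (?P<group>\S+) \((?P<iface>[^)]+)\) host (?P<host>\S+)")


def is_ip(value):
    """True if value parses as an IPv4/IPv6 literal, False for a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_failures(log_text):
    """Return one dict per 113022 message: proto, server, group and an unresolved flag."""
    out = []
    for line in log_text.splitlines():
        m = MSG_113022.search(line)
        if not m:
            continue
        d = m.groupdict()
        # Per the answers in the thread, 0.0.0.0 here means the configured
        # hostname was not resolved when the device tried the server.
        d["unresolved"] = d["server"] == "0.0.0.0"
        out.append(d)
    return out


def hosts_by_name(config_text):
    """Return {group: [hostnames]} for aaa-server host entries given as names, not IPs."""
    result = {}
    for line in config_text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m and not is_ip(m.group("host")):
            result.setdefault(m.group("group"), []).append(m.group("host"))
    return result


def diagnose(log_text, config_text):
    """Map each group with an unresolved-server failure to its name-based host entries."""
    names = hosts_by_name(config_text)
    findings = {}
    for f in parse_failures(log_text):
        if f["unresolved"]:
            findings.setdefault(f["group"], names.get(f["group"], []))
    return findings


if __name__ == "__main__":
    for group, hosts in diagnose(SAMPLE_LOG, SAMPLE_CONFIG).items():
        print(f"group {group}: server 0.0.0.0 marked FAILED; "
              f"hosts configured by name: {hosts}")
```

Run against the sample input it reports both the RADIUS and LDAP groups, each with the hostnames that would need to be replaced by IP addresses (or kept, with "names" re-enabled) to follow the advice given in the replies. A 113022 message whose server field is a real address is still parsed but not flagged, so the script does not confuse a genuinely unreachable server with a name-resolution problem.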
