How does ACS check redundancy?

Answered Question
Feb 1st, 2010

Hi,


In a router, if you configure tacacs-server host tacacs-1 tacacs-2, this is how you set up ACS redundancy.  My question is, how does the router check the pulse of each TACACS server?  By ping or some other keepalive mechanism?  What does this command really do behind the scenes?


What happens in our environment is that the tacacs-1 services within Windows keep stopping by themselves.  We can't authenticate, and the TACACS service does not fail over to tacacs-2.

Ganesh Hariharan Mon, 02/01/2010 - 23:06



Hi,


Actually the configuration is not like this for redundancy of the TACACS server in Cisco switches; it should be like the sample below:


tacacs-server host 10.1.X.X  - Primary
tacacs-server host 10.2.X.X  - Secondary


TACACS+ is a method of information exchange between a device that provides network access to users (the "TACACS+ client") and a device that contains authentication information for those users (the "TACACS+ server"). TACACS+ is based on the AAA model: authentication, authorization and accounting. For your query: generally a TACACS+ client and TACACS+ server communicate by means of TACACS+ packets sent over TCP/IP networks. TACACS+ packets are formatted using conventions outlined in The TACACS+ Protocol Version 1.78.


Hope that clears up your query!


If helpful do rate the post


Ganesh.H

kevin.hu Tue, 02/02/2010 - 07:30

Thanks.  But it still does not answer my question.


Basically, ACS is installed on Windows.  Often the TACACS service is hung but the Windows server itself is working.  The redundancy command on the router does not fail over to the second TACACS server because the Windows server is working.  How do I solve this issue?


Thanks.

Ganesh Hariharan Tue, 02/02/2010 - 08:24




Hi,


To set the interval that the server waits for a server host to reply, use the tacacs-server timeout seconds global configuration command in Cisco switches.

seconds: integer that specifies the timeout interval in seconds (between 1 and 300). The default is 5 seconds.



Hope that helps!


If helpful do rate the post


Ganesh.H
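The two replies above describe the mechanism the original poster asked about: there is no ping or keepalive toward the ACS hosts. The router sends its request over TCP to the first tacacs-server host, waits up to tacacs-server timeout seconds for a TACACS+ reply, and only then moves on to the next host. The simulation below is an added example, not Cisco IOS or ACS code; it models that behaviour with toy servers on localhost: one that answers, one that completes the TCP handshake and then stays silent (the shape of a hung ACS service on a running Windows host), and one closed port. The 12-byte header it sends follows the TACACS+ header layout, but the probe, ports and session id are constructed for the demonstration.

```python
"""Model of TACACS+ client failover driven purely by request timeout.
Added example, not Cisco IOS or ACS code."""
import socket
import struct
import threading
import time

# TACACS+ header: version, type, seq_no, flags, session_id, length (12 bytes)
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER_FMT = "!BBBBII"


def build_probe_header(session_id: int) -> bytes:
    """Constructed header-only probe (length 0); a real authentication START
    packet would carry an obfuscated body after this header."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0
    return struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, 1,
                       TAC_PLUS_UNENCRYPTED_FLAG, session_id, 0)


def healthy_server(sock):
    """Accept loop that answers each request with a reply header (seq_no + 1)."""
    while True:
        conn, _ = sock.accept()
        with conn:
            req = conn.recv(12)
            if len(req) == 12:
                ver, typ, seq, flags, sid, _ = struct.unpack(HEADER_FMT, req)
                conn.sendall(struct.pack(HEADER_FMT, ver, typ, seq + 1, flags, sid, 0))


def hung_server(sock):
    """Accept loop that completes the TCP handshake but never replies:
    the OS is up and port 49 is open, yet the service does no work."""
    held = []  # keep sockets referenced so nothing closes them
    while True:
        conn, _ = sock.accept()
        held.append(conn)


def start_server(handler):
    """Bind a toy server on an ephemeral localhost port and return its address."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    threading.Thread(target=handler, args=(sock,), daemon=True).start()
    return sock.getsockname()


def closed_port():
    """Address of a port nothing listens on (host reachable, service absent)."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    addr = sock.getsockname()
    sock.close()
    return addr


def try_server(addr, timeout):
    """One attempt against one host; the timeout covers connect and the wait
    for a reply, like tacacs-server timeout. Returns (status, elapsed)."""
    start = time.monotonic()
    try:
        with socket.create_connection(addr, timeout=timeout) as conn:
            conn.sendall(build_probe_header(0x1234))
            reply = conn.recv(12)
            status = "reply" if len(reply) == 12 else "closed"
    except socket.timeout:
        status = "timeout"
    except OSError:
        status = "unreachable"
    return status, time.monotonic() - start


def authenticate_with_failover(servers, timeout):
    """Walk the ordered host list; return the index of the first host that
    answered (or None) plus a log of every attempt."""
    attempts = []
    for i, addr in enumerate(servers):
        status, elapsed = try_server(addr, timeout)
        attempts.append((i, status, round(elapsed, 2)))
        if status == "reply":
            return i, attempts
    return None, attempts


def demo(timeout=1.0):
    """Host list: dead port, hung service, healthy service."""
    servers = [closed_port(), start_server(hung_server), start_server(healthy_server)]
    return authenticate_with_failover(servers, timeout)


if __name__ == "__main__":
    idx, log = demo()
    for i, status, secs in log:
        print(f"server {i}: {status} after {secs}s")
    print("authenticated via server index", idx)
```

The log shows the difference the poster is fighting: the closed port fails in milliseconds, but the hung service costs the full timeout on every request before the client moves on, and a host-level ping would never flag it because the TCP handshake succeeds. A service-level check of this kind, run from a monitoring host against each ACS server, is what distinguishes "Windows is up" from "TACACS+ is answering".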

kevin.hu Tue, 02/02/2010 - 08:34

Hi Ganesh.H,


Thanks for the reply.  Looking at the command documentation, it states:


"If the command is not configured, the timeout interval is 5 seconds."


So it is configured by default regardless of whether I enter this command or not.  However, this command does not work, as the TACACS service does not fail over.  Any other idea?

Correct Answer
Ganesh Hariharan Tue, 02/02/2010 - 08:41


Kevin,


This command is not configured by default in Cisco switches; the default parameter is 5 sec if you configure tacacs-server timeout only, without specifying the time in seconds.


HTH

Ganesh.H
