
ACS Primary and Secondary communication problems

justin putman
Level 1

Experts,

I currently have two ACS servers. The primary server is running version 3.3.3 while the secondary is running 4.2 (recently updated). The problem I am seeing is that when both the primary and secondary are up and running, my users are unable to access any of the TACACS-authenticated devices. The really strange thing I am seeing is that we have one network device that is configured to use only the primary TACACS server, and when both the primary and secondary are running, authentication fails (even though the logs on the primary show "Authen OK"). When I shut down the secondary ACS server, everything works fine.

Please be aware that these two servers have been configured for replication and proxy distribution (even though it is currently not working due to the different running versions).

Is this because the primary and secondary are running different versions? And why does auth fail when the primary and secondary are running and the network device is configured to only use the primary? Any ideas?

Thanks,

Justin

2 Replies

Ganesh Hariharan
VIP Alumni

Hi Justin,

When you configure only one ACS from switches or routers for authentication and, as you said, you are getting "Authen OK" in the ACS logs, try enabling debug for AAA packets and see what exactly happens when the auth request is generated. This will give some clue to troubleshoot the problem.

Hope to Help !!

Ganesh.H

Ganesh, I am seeing in the debug that the TACACS authentication is timing out when the secondary is running. I was looking over the ACS documentation and came across an interesting "fact" that states if you configure replication between two ACS servers, then you have to enable "distributed system". When distributed systems is running, the primary server may successfully authenticate a user, but it then passes the authorization privileges to the remote ACS server (in this case the secondary, due to the proxy distribution configuration) where the user's profile information is applied. So it would almost appear that even though you have two ACS servers with replication configured, they act as a single ACS with no redundancy? Am I correct?

02:50:48: TAC+: Opening TCP/IP to 10.50.1.240/49 timeout=2
02:50:48: TAC+: Opened TCP/IP handle 0x3CB49A0 to 10.50.1.240/49
02:50:48: TAC+: periodic timer started
02:50:48: TAC+: 10.50.1.240 req=30353F0 Qd id=781114850 ver=192 handle=0x3CB49A0 expire=2 AUTHEN/START/LOGIN/ASCII queued
02:50:48: TAC+: 10.50.1.240 id=781114850 wrote 44 of 44 bytes
02:50:48: TAC+: 10.50.1.240 req=30353F0 Qd id=781114850 ver=192 handle=0x3CB49A0 expire=1 AUTHEN/START/LOGIN/ASCII sent
02:50:48: TAC+: 10.50.1.240 read=12 wanted=12 alloc=12 got=12
02:50:48: TAC+: 10.50.1.240 read=28 wanted=28 alloc=28 got=16
02:50:48: TAC+: 10.50.1.240 received 28 byte reply for 30353F0
02:50:48: TAC+: req=30353F0 Tx id=781114850 ver=192 handle=0x3CB49A0 expire=1 AUTHEN/START/LOGIN/ASCII processed
02:50:48: TAC+: periodic timer stopped (queue empty)
02:50:48: TAC+: periodic timer started
02:50:48: TAC+: 10.50.1.240 req=30353E4 Qd id=781114850 ver=192 handle=0x3CB49A0 expire=2 AUTHEN/CONT queued
02:50:48: TAC+: 10.50.1.240 id=781114850 wrote 32 of 32 bytes
02:50:48: TAC+: 10.50.1.240 req=30353E4 Qd id=781114850 ver=192 handle=0x3CB49A0 expire=1 AUTHEN/CONT sent
02:50:50: TAC+: 10.50.1.240 (781114850) AUTHEN/CONT -- TIMED OUT
02:50:50: TAC+: req=30353E4 Tx id=781114850 ver=192 handle=0x3CB49A0 expire=0 AUTHEN/CONT processed
02:50:50: TAC+: periodic timer stopped (queue empty)
02:50:50: TAC+: Closing TCP/IP 0x3CB49A0 connection to 10.50.1.240/49
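The debug output in the post above is easier to read when each request in the TACACS+ session is lined up with what happened to it: the AUTHEN/START packet gets a 28-byte reply within the same second, while the AUTHEN/CONT packet (the continuation carrying the user's response to the server's prompt) gets nothing and is given up on exactly at the configured 2-second timeout. The following added example, which is not part of the original thread or of any Cisco tool, parses IOS "debug tacacs" lines of this shape and reports, per request, the phase, whether a reply arrived or the request timed out, and how long the device waited. The sample log is the post's own output split one event per line; the regular expressions are this example's assumptions about the IOS message formats seen in that output, not a specification of every "debug tacacs" line.

```python
import re

# Constructed sample: the "debug tacacs" output quoted in the post above,
# split one event per line (the forum had flattened it onto a single line).
DEBUG_LOG = """\
02:50:48: TAC+: Opening TCP/IP to 10.50.1.240/49 timeout=2
02:50:48: TAC+: Opened TCP/IP handle 0x3CB49A0 to 10.50.1.240/49
02:50:48: TAC+: periodic timer started
02:50:48: TAC+: 10.50.1.240 req=30353F0 Qd id=781114850 ver=192 handle=0x3CB49A0 expire=2 AUTHEN/START/LOGIN/ASCII queued
02:50:48: TAC+: 10.50.1.240 id=781114850 wrote 44 of 44 bytes
02:50:48: TAC+: 10.50.1.240 req=30353F0 Qd id=781114850 ver=192 handle=0x3CB49A0 expire=1 AUTHEN/START/LOGIN/ASCII sent
02:50:48: TAC+: 10.50.1.240 read=12 wanted=12 alloc=12 got=12
02:50:48: TAC+: 10.50.1.240 read=28 wanted=28 alloc=28 got=16
02:50:48: TAC+: 10.50.1.240 received 28 byte reply for 30353F0
02:50:48: TAC+: req=30353F0 Tx id=781114850 ver=192 handle=0x3CB49A0 expire=1 AUTHEN/START/LOGIN/ASCII processed
02:50:48: TAC+: periodic timer stopped (queue empty)
02:50:48: TAC+: periodic timer started
02:50:48: TAC+: 10.50.1.240 req=30353E4 Qd id=781114850 ver=192 handle=0x3CB49A0 expire=2 AUTHEN/CONT queued
02:50:48: TAC+: 10.50.1.240 id=781114850 wrote 32 of 32 bytes
02:50:48: TAC+: 10.50.1.240 req=30353E4 Qd id=781114850 ver=192 handle=0x3CB49A0 expire=1 AUTHEN/CONT sent
02:50:50: TAC+: 10.50.1.240 (781114850) AUTHEN/CONT -- TIMED OUT
02:50:50: TAC+: req=30353E4 Tx id=781114850 ver=192 handle=0x3CB49A0 expire=0 AUTHEN/CONT processed
02:50:50: TAC+: periodic timer stopped (queue empty)
02:50:50: TAC+: Closing TCP/IP 0x3CB49A0 connection to 10.50.1.240/49
"""

# Assumed message shapes, derived from the sample above (not an IOS spec).
TS_RE      = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d): TAC\+: (?P<msg>.*)$")
OPEN_RE    = re.compile(r"Opening TCP/IP to (?P<host>[\d.]+)/(?P<port>\d+) timeout=(?P<timeout>\d+)")
QUEUED_RE  = re.compile(r"req=(?P<req>\w+) .*?id=(?P<sid>\d+).*? (?P<phase>AUTHEN/\S+) queued$")
SENT_RE    = re.compile(r"req=(?P<req>\w+) .*? (?P<phase>AUTHEN/\S+) sent$")
REPLY_RE   = re.compile(r"received (?P<nbytes>\d+) byte reply for (?P<req>\w+)")
TIMEOUT_RE = re.compile(r"\((?P<sid>\d+)\) (?P<phase>AUTHEN/\S+) -- TIMED OUT")


def _seconds(ts):
    """HH:MM:SS -> seconds since midnight (no day-wrap handling needed here)."""
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s


def analyze(log_text):
    """Reconstruct one TACACS+ exchange from IOS 'debug tacacs' output.

    Returns the server, the per-request timeout the device was configured with,
    the TACACS+ session id, and one entry per AUTHEN request recording whether
    a reply arrived or the request timed out and how many seconds that took."""
    report = {"server": None, "port": None, "timeout": None,
              "session_id": None, "requests": []}
    by_req = {}  # request handle (req=...) -> entry in report["requests"]
    for line in log_text.splitlines():
        m = TS_RE.match(line.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        o = OPEN_RE.search(msg)
        if o:
            report["server"] = o.group("host")
            report["port"] = int(o.group("port"))
            report["timeout"] = int(o.group("timeout"))
            continue
        q = QUEUED_RE.search(msg)
        if q:
            entry = {"req": q.group("req"), "phase": q.group("phase"),
                     "sent_at": None, "result": "pending", "elapsed": None}
            report["session_id"] = q.group("sid")
            by_req[entry["req"]] = entry
            report["requests"].append(entry)
            continue
        s = SENT_RE.search(msg)
        if s:
            by_req[s.group("req")]["sent_at"] = ts
            continue
        r = REPLY_RE.search(msg)
        if r:
            e = by_req[r.group("req")]
            e["result"] = "reply:%s bytes" % r.group("nbytes")
            e["elapsed"] = _seconds(ts) - _seconds(e["sent_at"])
            continue
        t = TIMEOUT_RE.search(msg)
        if t:
            # IOS reports the timeout by session id and phase, not by request
            # handle, so attach it to the still-pending request in that phase.
            for e in report["requests"]:
                if e["phase"] == t.group("phase") and e["result"] == "pending":
                    e["result"] = "timed out"
                    e["elapsed"] = _seconds(ts) - _seconds(e["sent_at"])
                    break
    return report


def stalled_phase(report):
    """First AUTHEN phase that got no reply within the timeout, or None."""
    for e in report["requests"]:
        if e["result"] == "timed out":
            return e["phase"]
    return None


if __name__ == "__main__":
    rep = analyze(DEBUG_LOG)
    print("server %s:%d timeout=%ds session=%s" %
          (rep["server"], rep["port"], rep["timeout"], rep["session_id"]))
    for e in rep["requests"]:
        print("  %-26s sent %s  %s after %ss" %
              (e["phase"], e["sent_at"], e["result"], e["elapsed"]))
    print("stalled at:", stalled_phase(rep))
```

Run against the post's output, the report shows the START request answered in under a second and the CONT request abandoned after 2 seconds, which is the "timeout=2" the device opened the connection with; the server-side "Authen OK" in the ACS log and the client-side timeout are therefore not contradictory, since the device stops waiting before whatever the server eventually sends for the CONT phase arrives.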
