Detect up/down radius server

Mar 29th, 2010

Hello,


I was wondering how a switch proceeds to detect when one or several RADIUS servers are down.


If I leave only one RADIUS server in a C3560-24PS (running with the latest software version) and shut all services associated with my ACS4.2 through the web interface, I receive the following error logs:


13:55:31:%RADIUS-4-RADIUS_DEAD: RADIUS server x.x.x.x:1645,1646 is not responding.
13:55:31:%RADIUS-4-RADIUS_ALIVE: RADIUS server x.x.x.x:1645,1646 is being marked alive.


Can anyone explain to me why I get such output?


Thank you for your help!


David

Ganesh Hariharan Mon, 03/29/2010 - 05:14

Hi David,


Following are the comments for the above messages:


%RADIUS-4-RADIUS_DEAD -- A RADIUS server has not responded to repeated requests.

For checking purposes, check to see if the RADIUS server is still active.

%RADIUS-4-RADIUS_ALIVE -- A RADIUS server that previously was not responding has responded to a new request.

Hope to Help !!

Remember to rate the helpful post

Ganesh.H
Giuseppe Larosa Mon, 03/29/2010 - 05:20

Hello David,

RADIUS uses a pair of UDP ports, in your case UDP 1645 and 1646, for AAA and accounting.


The device is probably probing those ports according to the RADIUS server configuration over time, so it can detect when services are available or not based on receiving or not receiving answers from the server.


This is also what is provided by the error message decoder:


%RADIUS-4-RADIUS_DEAD:

RADIUS server [IP_address]:[int],[int] is not responding.

A RADIUS server has not responded to repeated requests.

Recommended Action: Check to determine if the RADIUS server is still active.

Related documents - No specific documents apply to this error message.


I think this is good news if failure detection happens when the RADIUS service is disabled on the server.


Hope to help

Giuseppe

David Coupez Mon, 03/29/2010 - 05:51

Thank you for your quick answers, but my problem is the fact that the switch detects the RADIUS server back in the exact same second it became unavailable.


And in the meantime, the RADIUS server was disconnected (either by shutting down the corresponding services or by physically disconnecting the network port of the ACS server).


I don't understand how a switch can detect a RADIUS server as alive if it is certainly not. Two possibilities arise in my mind: either the switch thinks the RADIUS server is alive and the logging is correct, or the logging is simply buggy.


In both cases, there is a problem...


Any ideas?


David

Giuseppe Larosa Mon, 03/29/2010 - 06:09

Hello David,


>> Thank you for your quick answers but my problem is the fact the switch detects the radius server back in the exact same second it became unavailable.


Now it is more clear and I agree this is a problem.


The result of this is that the device will try to send messages to the RADIUS server for accounting or AAA.

It should be able to detect the server failure when trying to use it.

So some resources are wasted in the attempt to contact a dead server.


Hope to help

Giuseppe

David Coupez Mon, 03/29/2010 - 06:49

Hello Giuseppe,


Apparently, when I set the debug mode on, it seems more like a logging problem than a real confusion from the switch. Good to know, but it just makes things harder to debug.


Thank you for your time

Maksim Sataev Mon, 04/04/2016 - 05:06

I had the same problem when I installed a new router in a branch.

I used a Loopback interface for the RADIUS connection:

ip radius source-interface Loopback0

But the IP address of this Loopback was routed for the RADIUS server over a different path.

Check the available route to the device where you want to be authenticated for the AAA server.


I hope that helped you!

Maksim
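
The pattern discussed in this thread (a RADIUS_DEAD message followed by RADIUS_ALIVE for the same server in the same second) can be separated from real outages when reviewing collected switch logs. The following is an added example, not code from any poster or from Cisco; the sample lines are constructed in the format quoted above, the addresses are documentation IPs, and it assumes all timestamps fall within a single day.

```python
import re

# Constructed sample lines in the format quoted in the thread.
SAMPLE_LOG = """\
13:55:31:%RADIUS-4-RADIUS_DEAD: RADIUS server 192.0.2.10:1645,1646 is not responding.
13:55:31:%RADIUS-4-RADIUS_ALIVE: RADIUS server 192.0.2.10:1645,1646 is being marked alive.
14:02:07:%RADIUS-4-RADIUS_DEAD: RADIUS server 192.0.2.20:1645,1646 is not responding.
14:12:09:%RADIUS-4-RADIUS_ALIVE: RADIUS server 192.0.2.20:1645,1646 is being marked alive.
14:20:00:%RADIUS-4-RADIUS_DEAD: RADIUS server 192.0.2.10:1645,1646 is not responding.
"""

LINE_RE = re.compile(
    r"^(?P<h>\d{1,2}):(?P<m>\d{2}):(?P<s>\d{2}):\s*"
    r"%RADIUS-4-RADIUS_(?P<state>DEAD|ALIVE):"
    r"\s+RADIUS server (?P<server>\S+?):(?P<auth>\d+),(?P<acct>\d+)\s"
)

def parse(log_text):
    """Yield (seconds_since_midnight, server, state) for each RADIUS state line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            yield t, m["server"], m["state"]

def classify(log_text, flap_window=1):
    """Pair each DEAD with the next ALIVE for the same server.

    A pair closer together than flap_window seconds is a "flap" (the
    same-second DEAD/ALIVE seen in the thread); anything longer is an
    "outage". Servers with no ALIVE after their last DEAD are "still_dead".
    """
    pending = {}  # server -> time of the unmatched DEAD message
    result = {"flaps": [], "outages": [], "still_dead": []}
    for t, server, state in parse(log_text):
        if state == "DEAD":
            pending[server] = t
        elif server in pending:
            down_for = t - pending.pop(server)
            kind = "flaps" if down_for < flap_window else "outages"
            result[kind].append((server, down_for))
    result["still_dead"] = sorted(pending)
    return result

if __name__ == "__main__":
    for kind, items in classify(SAMPLE_LOG).items():
        print(kind, items)
```

A server that shows up under "flaps" while it is known to be unreachable is worth checking with debug output, as was done in the thread, because the log alone does not show whether the switch really treats it as alive.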
