Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
58816
Views
18
Helpful
13
Replies

Detect up/down radius server

David Coupez
Level 1
Level 1

‎03-29-2010 05:03 AM - edited ‎03-06-2019 10:21 AM

Hello,

I was wondering how does a switch proceed to detect when one or several radius server is down.

If I leave only one radius server in a C3560-24PS (running with the lastest software version) and shut all services associated with my ACS4.2 through the web interface, I receive the following error logs:

13:55:31:%RADIUS-4-RADIUS_DEAD: RADIUS server x.x.x.x:1645,1646 is not  responding.
13:55:31:%RADIUS-4-RADIUS_ALIVE: RADIUS server x.x.x.x:1645,1646 is being marked  alive.

Anyone can explain me why a such ouput?

Thank you for your help!

David

4 people had this problem
Labels:
0 Helpful
13 Replies 13

Ganesh Hariharan
VIP Alumni
VIP Alumni

‎03-29-2010 05:14 AM 

Hello,
I was wondering how does a switch proceed to detect when one or several radius server is down.
If
I leave only one radius server in a C3560-24PS (running with the
lastest software version) and shut all services associated with my
ACS4.2 through the web interface, I receive the following error logs:
13:55:31:%RADIUS-4-RADIUS_DEAD: RADIUS server x.x.x.x:1645,1646 is not  responding.
13:55:31:%RADIUS-4-RADIUS_ALIVE: RADIUS server x.x.x.x:1645,1646 is being marked  alive.
Anyone can explain me why a such ouput?
Thank you for your help!
David

Hi David,

Following are the comments for the above messages

%RADIUS-4-RADIUS_DEAD -- A RADIUS server has not responded to repeated requests

For checking purpose check to see if the RADIUS server is still active.

%RADIUS-4-RADIUS_ALIVE -- A RADIUS server that previously was not responding has responded
to a new request

Hope to Help !!

Remember to rate the helpful post

Ganesh.H
0 Helpful

Access2
Level 1
Level 1
In response to Ganesh Hariharan

‎10-16-2017 01:58 PM

Hi,

 

I'm having the same issue, is anyone able to fix this reported issue on this thread?

 

Thanks,

Magesh

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎03-29-2010 05:20 AM

Hello David,

RADIUS uses a pair of UDP ports in your case UDP 1645 and 1646 for AAA and accounting

the device is probably probing those ports according to radius server configuration over time, so it can detect when services are available or not based on the fact of receiving or not receiving answers from server.

this is what is provided also by error message decoder

%RADIUS-4-RADIUS_DEAD:

RADIUS server [IP_address]:[int],[int] is not responding.

A RADIUS server has not responded to repeated requests.

Recommended Action: Check to determine if the RADIUS server is still active.

Related documents- No specific documents apply to this  error message.

I think this is good news if failure detection happens when the Radius service is disabled on server

Hope to help

Giuseppe

0 Helpful

David Coupez
Level 1
Level 1
In response to Giuseppe Larosa

‎03-29-2010 05:51 AM

Thank you for your quick answers but my problem is the fact the switch detects the radius server back in the exact same second it became unavailable.

And in the meanwhile, the radius was disconnected (either by shutting down corresponding services or by physically disconnecting the network port of the ACS server).

I don't understand how a switch can detect a radius server alive if it is certainly not. Two possibilities arise in my mind: either the switch thinks the radius is alive and the logging is correct, either the logging is simply buggy.

In both cases, there is a problem...

Any ideas?

David

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to David Coupez

‎03-29-2010 06:09 AM

Hello David,

>> Thank you for your quick answers but my problem is the fact the switch  detects the radius server back in the exact same second it became  unavailable.

Now it is more clear and I agree this is a problem.

The result of this is the device will try to send messages to the radius server for accounting or AAA.

It should be able to detect the server failure when trying to use it.

So some resources are wasted in the attempt to contact a dead server.

Hope to help

Giuseppe

0 Helpful

David Coupez
Level 1
Level 1
In response to Giuseppe Larosa

‎03-29-2010 06:49 AM

Heloo Giuseppe,

Apparently when I set the debug mode on, it seems more like a logging problem than a real confusion from the switch. Good to know but just makes things harder to debug.

Thank you for your time

0 Helpful

GFWAFBCCO
Level 1
Level 1
In response to David Coupez

‎10-22-2014 08:55 AM

Is there any update on a fix action?

0 Helpful

Maksim Sataev
Level 1
Level 1

‎04-04-2016 05:06 AM

I had the same problem when i installed new router in branch.

I used Loopback interface for radius connection:

ip radius source-interface Loopback0

But ip address of this Loopback was routed for radius server in the different path. 

Check available route to your device where you want to be authenticated for AAA server.

I hope that helped you!

Maksim

TheDukeofBaghdad
Level 1
Level 1
In response to Maksim Sataev

‎04-09-2018 11:14 AM

I had the same problem:

 

%RADIUS-4-RADIUS_DEAD: RADIUS server X.X.X.X:1645,1646 is not responding.
%RADIUS-4-RADIUS_ALIVE: RADIUS server X.X.X.X:1645,1646 is being marked alive.

 

%RADIUS-4-RADIUS_DEAD: RADIUS server Y.Y.Y.Y:1645,1646 is not responding.
%RADIUS-4-RADIUS_ALIVE: RADIUS server Y.Y.Y.Y:1645,1646 is being marked alive.

 

The way I fixed it is by removing the aaa new-module (no aaa new-model) and apply it again!

I guess there is a specific order that you have to follow when configuring your AAA and Radius servers.

Hope that help somebody in the future :) 

best of luck

Emre Ozel
Level 1
Level 1

‎09-03-2020 01:34 AM

Hello,

 

I faced the same problem too. I solved the problem with some reviews on Cisco ISE side.

1-  First of all, the switch that I got the error from is the switch I use as the backbone
    error output:
          %RADIUS-4-RADIUS_DEAD: RADIUS server XXX is not responding.
          %RADIUS-4-RADIUS_ALIVE: RADIUS server XXX is being marked alive.
   

I recorded the time interval I tried to log in and got an error, and on Cisco ISE side, I looked at what happened during those hours.

10.png

 

When I look at the error details :

11.png

 

NAS IPv4 Address : 

where it should be the switch ip address. The ip blog where Cisco ISE server is located had a gateway.

12.png

 

 

I fixed the switch ip address for the network device and the problem was solved.

halilmollaoglu
Level 1
Level 1
In response to Emre Ozel

‎09-03-2020 05:57 AM

Thank you for sharing, we encountered the same issue resolved it now.

0 Helpful

alvarteearu
Level 1
Level 1

‎10-22-2020 02:56 AM - edited ‎10-22-2020 03:00 AM

Had a same issue, even when I completely blocked RADIUS access with Firewall, it kept popping up as alive.

 

The solution or maybe we can also call it a workaround, was “automate-tester” and “probe-on” function that is available from IOS 15.2(2)E / XE 03.04.00E. With this addition “dead” server will be marked “up” only when a response is received from the RADIUS server, hence as I actually did not get responses back from the server it was kept “dead”.

0 Helpful

cnfrtclk
Level 1
Level 1

‎03-15-2023 08:10 AM

sorunun çözümünü bulan bulmuştur, bulmayanlar için bilerek türkçe yazıyorum. çevirip anlasınlar.

sunucuda kayıt yaptığınız ağ'a göre yada yönetim IP lerine göre,

yönlendiricide yada anahtarda yönetim vlanını kaynak göstermeniz gerekiyor.

komut: ip radius source-interface vlan X

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card