ACS5.3 - Could not establish connection with ACS Active Directory agent

Unanswered Question
Feb 8th, 2012
Hi all,


The customer has quite a large network with a dot1x deployment; there are dual ACS 5.3 servers for authenticating wired, VPN and WiFi access. Users (and computers) are mostly authenticated against Active Directory; there are several AD servers in the network.

I found there are tens of cases every day with the error message:


24401 Could not establish connection with ACS Active Directory agent


This happens at random times of day and night, regardless of the current authentication load.

Can somebody point me to how to diagnose this more deeply, or where to look? Is it a problem with internal communication with the AD agent, or is the problem in communication from the AD agent to the AD servers? How is redundancy handled in case one AD server is not accessible, as there is no such setting in the AD connection configuration in ACS?


Regards


Pavel

camejia Wed, 02/08/2012 - 12:46
Hello,


Can you go to both ACS servers under "Users and Identity Store > External Identity Stores > Active Directory" and click on Test Connection? Are the results successful for both ACS servers?


Some of the authentication requests might be hitting the secondary server, which might be having issues communicating with AD.


If this was helpful please rate.


Regards

pnavratil Fri, 02/10/2012 - 03:56
Test connection was successful from both ACS.


Regards

camejia Fri, 02/10/2012 - 06:34
Hello,


Was the issue occurring at the moment of the test, or was authentication working as expected? We should check the AD connectivity status on both ACS servers when the authentication failures are reported.


Regards.

jrabinow Mon, 04/16/2012 - 10:11
Cisco Employee

There is a new patch available for ACS 5.3, patch 3, that includes fixes for the issue above

CSCtx71254: ACS 5.3 disconnecting from AD "unlatch" is seen in adclient logs


and some other issues related to Active Directory, as well as some other fixes.

pnavratil Tue, 04/17/2012 - 06:53
Thank you for your info; we applied the patch today but the issue is still there. An SR was opened earlier for this and it is now continuing, so the Cisco development team is working on it. As we know, most of the customers who were hit by this issue confirmed the new patch solved the issue for them, but unfortunately not in our case.


Regards


Pavel Navratil

jrabinow Tue, 04/17/2012 - 10:26
Cisco Employee

Would be happy to dig in further but do not have an SR or case details.

ajay pandey Sun, 04/22/2012 - 01:13
I am also getting the same messages in my ACS. I am going to upgrade my ACS now.

Will post the results of the upgrade.


Regards

Ajay

ajay pandey Sun, 04/22/2012 - 06:46
Hi, after installing patch 3 I can see that I am not getting that unlatch message, which is a good indication that the problem might be solved. But I can confirm that the AD connection issue is solved if it does not repeat in the next 24 hours.


Regards

Ajay
