After a considerable amount of time since the ACS was reconnected to the network (20 minutes or so), the PIX is now authenticating against the ACS again. What would cause this long period of time where the PIX would refuse to attempt to authenticate against the tacacs server group?
Check if you have the radius-server deadtime interval set. This interval tells the device how long not to attempt with a radius server that was unavailable.
This is useful when you have multiple radius servers and you fail over to another radius server should the first one be unavailable.
Without this interval configured, the device will always send the request to the first configured radius server and then, if it is not responding, send the request to the second radius server after the timeout, or to another method if configured.
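A simplified model of the deadtime behaviour described in the answer above, added here as an illustration; it is not Cisco's implementation or code from this thread. The names `AaaServer`, `ServerGroup` and `replay`, the server name `acs` and the 1200-second deadtime are assumptions chosen to mirror the roughly 20-minute gap in the question.

```python
from dataclasses import dataclass

@dataclass
class AaaServer:
    name: str
    dead_until: float = 0.0   # model time (seconds) until which the server is skipped

@dataclass
class ServerGroup:
    servers: list
    deadtime: float           # seconds in this model; 0 means no deadtime configured

    def authenticate(self, now, reachable):
        """Return (server that answered or None, names of servers actually tried)."""
        tried = []
        for srv in self.servers:
            if self.deadtime > 0 and now < srv.dead_until:
                continue      # still marked dead: no request is sent at all
            tried.append(srv.name)
            if srv.name in reachable:
                return srv.name, tried
            if self.deadtime > 0:
                srv.dead_until = now + self.deadtime   # timed out: mark dead
        return None, tried    # caller falls through to the next method, if any

def replay(deadtime, events):
    """Run constructed (time, reachable-servers) events through a one-server group."""
    group = ServerGroup([AaaServer("acs")], deadtime)
    return [group.authenticate(t, up) for t, up in events]

# Constructed timeline: server unreachable at t=0, reconnected before t=60.
EVENTS = [(0, set()), (60, {"acs"}), (1199, {"acs"}), (1200, {"acs"})]

if __name__ == "__main__":
    for label, deadtime in (("deadtime=1200s", 1200), ("no deadtime", 0)):
        print(label)
        for (t, _), (used, tried) in zip(EVENTS, replay(deadtime, EVENTS)):
            print(f"  t={t:>4}s  answered_by={used}  tried={tried}")
```

With the deadtime set, the reconnected server is not even tried until the interval expires; an empty `tried` list on the device side corresponds to seeing no authentication requests arrive at the server during that window.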