Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1198
Views
0
Helpful
3
Replies

ACS 5.3 unreachable if network activity decrease

gilles.donze
Level 1
Level 1

‎05-30-2012 01:39 AM - edited ‎03-10-2019 07:08 PM

Hi,

I am triing to migrate my old ACS to the new one. I am using ACS 5.3 on appliance CSACS-1121. Sometime, i loose the connection to the appliance and i could not connect to the appliance with SSH, i could not start the GUI and the authentication is switched to the secondary instance. As soon as I have traffic, the connection is restored.

How can fix this problem. Could you tell me what kind of config, on the switch and on the appliance, i have to do.

Many thanks in advance for your answer.

Kind Gilles

Labels:
0 Helpful
3 Replies 3

Eduardo Aliaga
Level 4
Level 4

‎05-30-2012 03:05 PM

Hello Gilles

What you say is expected behavior. If you have several ACS appliances only one of them is primary and all the other ones are secondary.

"Primary" and "secondary" concepts are different from "active" and "standby" concepts. All ACS are "active".

The switch configuration tells the switch which ACS to talk to. It can be one, two, three, any number of ACS. Also if there are more than one ACS, the switch configuration gives the preference to the first ACS declared in the configuration. Only if the first ACS doesn't respond at all , the switch will try to talk to the second ACS declared. Only if the second ACS doesn't respond at all then the switch will try to talk to the third ACS and so on.

here's an example of switch configuration with three ACS

radius-server host 192.168.1.10 key MYPASSWORD

radius-server host 192.168.1.11 key MYPASSWORD

radius-server host 192.168.1.12 key MYPASSWORD

radius-server vsa send authentication

aaa new-model

!

aaa group server radius ACS

server 192.168.1.10

server 192.168.1.11

server 192.168.1.12

!

aaa authentication dot1x default group ACS

aaa authorization network default group ACS

aaa accounting dot1x default start-stop group ACS

0 Helpful

gilles.donze
Level 1
Level 1
In response to Eduardo Aliaga

‎05-31-2012 01:33 AM

Hello,

It's a miss understanding.

I dont have any problem with the ACS application. But I think it's a problem with the IP Stack of the appliance and the switch cisco catalyst 3560. I lost the connexion with some host from and to the ACS appliance !

For example, we have a management application. This is polling the appliance each 5 minutes (ping and SNMP) after a while, the application could not reach the appliance ! this begin especcially when the request to the appliance is going down.

If i try to ping from the appliance the managment application. I have no answer and both are reachable from my workstation. Network is up and running well and ACS instance working fine !

Do you have an idea how to fix this problem. It a special network config to do on the switch 3560 or on the aplliance. Is it a hardware problem from the appliance ?

Many thanks for your help

0 Helpful

gilles.donze
Level 1
Level 1
In response to gilles.donze

‎06-26-2012 06:01 AM

Hello,

I found the solution : I reconfig the poret of the switch by using standard Cisco macro and it's working fine.

Kind Gilles

0 Helpful
Customers Also Viewed These Support Documents