02-08-2012 07:56 AM - edited 03-10-2019 06:48 PM
Hi all,
The customer provides quite a large network with a dot1x deployment - there are dual ACS 5.3 servers for authentication of Wired, VPN and WiFi access. Users (and computers) are mostly authenticated against Active Directory - there are several AD servers in the network.
I found there are tens of cases every day with the error message:
24401 Could not establish connection with ACS Active Directory agent
This happens at random day and night times regardless of the current authentication load.
Can somebody point me to how to diagnose this more deeply? Or where to look – is it a problem with internal communication with the AD agent, or is the problem in communication from the AD agent to the AD servers? How is redundancy handled in case one AD server is not accessible – as there is no such setting in the AD connection configuration in ACS.
Regards
Pavel
02-08-2012 12:46 PM
Hello,
Can you go to both ACS servers under "Users and Identity Store > External Identity Stores > Active Directory" and click on Test Connection? Are the results successful for both ACS servers?
Some of the authentication requests might be hitting the secondary server, which might be having issues communicating with AD.
If this was helpful please rate.
Regards
02-10-2012 03:56 AM
Test connection was successful from both ACS.
Regards
02-10-2012 06:34 AM
Hello,
Was the issue occurring at the moment of the test or was authentication working as expected? We should check the AD connectivity status on both ACS servers when the authentication failures are reported.
Regards.
02-14-2012 07:31 AM
I opened a Service Request with Cisco TAC and they found we are probably hitting the bug
It seems it is exactly our issue as the ACS log contains the errors with "Running in disconnected mode: unlatch" - as it is in the bug description.
Regards
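The two symptoms named in this thread, the 24401 "Could not establish connection with ACS Active Directory agent" failures spread over day and night, and the "Running in disconnected mode: unlatch" line that TAC matched to the bug, can be checked against an exported log before opening a case. The script below is an added example, not code from the thread or from Cisco: it buckets 24401 failures by hour of day (to test the "independent of load" observation) and reports how many failures are preceded within a few minutes by an unlatch line. The log line format, the `adclient`/`runtime` source tags and the regexes are constructed assumptions; a real ACS or adclient export will need the parser adjusted.

```python
"""
Added example (not from the original thread or from Cisco): triage helper for
the 24401 AD-agent failures discussed above. Line format is a simplified,
constructed "<timestamp> <source> <message>"; real exports differ.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: a mix of AD-agent failures, unlatch lines and passes.
SAMPLE_LOG = """\
2012-02-08 02:13:41 adclient Running in disconnected mode: unlatch
2012-02-08 02:13:55 runtime 24401 Could not establish connection with ACS Active Directory agent
2012-02-08 02:14:02 runtime 22037 Authentication Passed
2012-02-08 09:40:10 runtime 24401 Could not establish connection with ACS Active Directory agent
2012-02-08 14:05:30 adclient Running in disconnected mode: unlatch
2012-02-08 14:06:01 runtime 24401 Could not establish connection with ACS Active Directory agent
2012-02-08 14:06:03 runtime 24401 Could not establish connection with ACS Active Directory agent
2012-02-08 23:58:12 runtime 22037 Authentication Passed
"""

# Assumed layout: ISO timestamp, one-word source tag, free-text message.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
AD_AGENT_FAILURE = "24401"                      # message code from the thread
UNLATCH_MARKER = "disconnected mode: unlatch"   # string from the bug description


def parse_log(text):
    """Return (timestamp, source, message) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def failures_by_hour(events):
    """Count 24401 failures per hour of day; a flat spread supports 'not load related'."""
    counts = Counter()
    for ts, _src, msg in events:
        if msg.startswith(AD_AGENT_FAILURE + " "):
            counts[ts.hour] += 1
    return dict(counts)


def failures_preceded_by_unlatch(events, window=timedelta(minutes=5)):
    """
    For each 24401 failure, check whether an unlatch line occurred within
    `window` before it. Returns (matched, unmatched) counts; a high matched
    share points at the AD agent dropping its connection rather than at the
    RADIUS runtime or the network path to the AD servers.
    """
    unlatch_times = [ts for ts, _src, msg in events if UNLATCH_MARKER in msg]
    matched = unmatched = 0
    for ts, _src, msg in events:
        if not msg.startswith(AD_AGENT_FAILURE + " "):
            continue
        if any(ts - window <= u <= ts for u in unlatch_times):
            matched += 1
        else:
            unmatched += 1
    return matched, unmatched


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("24401 failures per hour:", failures_by_hour(evs))
    print("preceded by unlatch / not:", failures_preceded_by_unlatch(evs))
```

Run it against an export from each ACS node separately: the earlier reply in this thread suggests one node may be the only one affected, and per-node hourly counts make that visible at a glance.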
04-16-2012 10:11 AM
There is a new patch available for ACS 5.3, patch 3, that includes fixes for the issue above
CSCtx71254: ACS 5.3 disconnecting from AD "unlatch" is seen in adclient logs
and some other issues related to active directory as well as some other fixes
04-17-2012 06:53 AM
Thank you for your info, we applied the patch today but the issue is still there. There has been an SR opened earlier for this – it now continues – so the Cisco development team is working on it. As we know, most of the customers who were hit by this issue confirmed the new patch solved the issue for them, but unfortunately not in our case.
Regards
Pavel Navratil
04-17-2012 10:26 AM
Would be happy to dig in further but do not have an SR or case details.
04-22-2012 01:13 AM
I am also getting the same messages in my ACS. I am going to upgrade my ACS now.
Will post results of upgrade.
Regards
Ajay
04-22-2012 06:46 AM
Hi, after installing patch 3 I can see that I am not getting that unlatch message, which is a good indication that the problem might be solved, but I can confirm that the AD connection issue is solved if it does not repeat in the next 24 hours.
Regards
Ajay