A customer has a quite large network with a dot1x deployment - there are dual ACS 5.3 servers for authentication of Wired, VPN and WiFi access. Users (and computers) are mostly authenticated against Active Directory - there are several AD servers in the network.
I found there are tens of cases every day with the error message:
24401 Could not establish connection with ACS Active Directory agent
This happens at random day and night times regardless of the current authentication load.
Can somebody point me to how to diagnose this more deeply? Or where to look: is it a problem with internal communication with the AD Agent, or is the problem in communication from the AD agent to the AD servers? How is redundancy handled in case one AD server is not accessible, as there is no such setting in the AD connection configuration in ACS?
Can you go to both ACS servers under "Users and Identity Store > External Identity Stores > Active Directory" and click on Test Connection? Are the results successful for both ACS servers?
Some of the authentication requests might be hitting the secondary server, which might be having issues communicating with AD.
If this was helpful please rate.
Was the issue occurring at the moment of the test or was authentication working as expected? We should check the AD connectivity status on both ACS servers when the authentication failures are reported.
I opened a Service Request with Cisco TAC and they found we are probably hitting the bug
It seems it is exactly our issue, as the ACS log contains the errors with "Running in disconnected mode: unlatch", as in the bug description.
There is a new patch available for ACS 5.3, patch 3, that includes fixes for the issue above:
CSCtx71254: ACS 5.3 disconnecting from AD "unlatch" is seen in adclient logs
and some other issues related to Active Directory, as well as some other fixes.
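To check the two leads raised in this thread (failures hitting one ACS node more than the other, and failures coinciding with the adclient "unlatch" disconnects of CSCtx71254), here is an added example that is not from the thread or from Cisco: it correlates 24401 failures with unlatch events per node over constructed sample lines. The log layout, node names and timestamps are assumptions; adapt the regex to your own ACS export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real ACS output): node, timestamp, message.
SAMPLE_LOG = """\
acs-primary 2012-05-10 02:13:04 24401 Could not establish connection with ACS Active Directory agent
acs-secondary 2012-05-10 02:13:05 Running in disconnected mode: unlatch
acs-secondary 2012-05-10 02:14:11 24401 Could not establish connection with ACS Active Directory agent
acs-secondary 2012-05-10 02:14:40 24401 Could not establish connection with ACS Active Directory agent
acs-primary 2012-05-10 14:02:00 24401 Could not establish connection with ACS Active Directory agent
acs-primary 2012-05-10 14:30:00 22037 Authentication passed
"""

# Assumed layout: "<node> <YYYY-MM-DD HH:MM:SS> <message>"
LINE_RE = re.compile(r"^(?P<node>\S+) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")


def parse(log_text):
    """Return a list of (node, timestamp, message); lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((m["node"], ts, m["msg"]))
    return events


def correlate(events, window_minutes=5):
    """Per ACS node: count 24401 failures and how many fall within
    `window_minutes` after an 'unlatch' disconnect on the same node.
    Failures explained by unlatch on one node point at that node's AD agent;
    unexplained failures on both nodes point at the AD servers or the network."""
    unlatch = defaultdict(list)
    for node, ts, msg in events:
        if "disconnected mode: unlatch" in msg:
            unlatch[node].append(ts)
    window = timedelta(minutes=window_minutes)
    report = {}
    for node, ts, msg in events:
        if not msg.startswith("24401"):
            continue
        r = report.setdefault(node, {"failures": 0, "explained_by_unlatch": 0})
        r["failures"] += 1
        if any(timedelta(0) <= ts - u <= window for u in unlatch[node]):
            r["explained_by_unlatch"] += 1
    return report
```

On the constructed sample the secondary node's failures all follow an unlatch event, while the primary's do not, which is the split you would want before reopening the SR.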
Thank you for your info; we applied the patch today but the issue is still there. There has been an SR open for this since earlier; it now continues, so the Cisco development team is working on it. As far as we know, most of the customers who were hit by this issue confirmed the new patch solved it for them, but unfortunately not in our case.
I am also getting the same messages in my ACS. I am going to upgrade my ACS now.
Will post results of upgrade.
Hi, after installing patch 3 I can see that I am not getting that unlatch message, which is a good indication that the problem might be solved, but I can only confirm that the AD connection is fixed if it does not repeat in the next 24 hours.