We are still running ACS v184.108.40.206.6/7 in several infrastructures mixed with 1111s, 1112s and 1113s. I know, we are out of support. We have some of our upgrades in hand and will be starting soon. We have almost 40 of these appliances in 5 different infrastructures around the world so we have a lot of work to do. Until then, we are dealing with a nagging problem and wondered if there was an explanation or solution. Unfortunately the infrastructure that sees this problem the most cannot be upgraded just yet.
Periodically, the key in a client entry changes, causing authentication failures. Because we have many AAA clients that include possibly 100s of IPs, the failures can be widespread. The key almost always changes to this:
From testing, it appears that one cause is using Firefox when making edits. We know that browser is not supported so we are not using it. I suspected IE8 was causing it too, but I have been unsuccessful in proving that. Those of us making edits are using IE6.
I don't suppose you have any documented combinations that you know cause this problem, do you? While it's not too difficult to determine browsers that can cause this problem, it's a bit more difficult when Java is included as a variable.
I've seen this in multiple ACS infrastructures, so I'm inclined to think (or hope) that it's not due to db corruption, although I definitely would not dismiss that as an option. DB corruption seems to be a common occurrence in ACS v3.x with the db being registry-based.
Has this problem been seen in ACS v4.2? We are getting ready to upgrade to v4.2 and were hoping that would help.