
New Member

multiple aaa-server hosts for vpn authentication

ASA5510 - 7.2(1)

Using the following config, I am attempting to have multiple RADIUS servers configured for backup VPN authentication in case the primary fails. This appears to work OK. But once the primary server is back up, at what point will the ASA begin to use it again? The output of "show aaa-server host 172.25.4.20" says

Server status: FAILED, Server disabled at 08:04:25.

How do you reenable it?

aaa-server adauth protocol radius
aaa-server adauth host 172.25.4.20
 key ***
 authentication-port 1812
 accounting-port 1813
aaa-server adauth host 172.25.4.40
 key ***
 authentication-port 1812
 accounting-port 1813
tunnel-group group general-attributes
 address-pool pool
 authentication-server-group adauth
 default-group-policy policy

1 ACCEPTED SOLUTION

Silver

Re: multiple aaa-server hosts for vpn authentication

You can add the option in the aaa-server group:

"reactivation-mode timed"

This causes a dead server to be re-added to the pool after 30 seconds.

The following link has some good info on the available options. I suggest searching the doc for "reactivation".

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/crt_711.pdf

-Eric

Please remember to rate all helpful posts.
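As an added illustration (not code from the thread or from Cisco), a small Python model of the two reactivation policies behind Eric's suggestion: depletion, which the ASA uses by default and which only re-enables failed hosts once every host in the group has failed, and timed, which re-adds a host 30 seconds after it failed. It goes beyond the thread by showing why the poster's primary stays FAILED indefinitely as long as the secondary keeps answering. The host addresses come from the config above; the 10-minute depletion deadtime is the documented default as I recall it and is an assumption, and the class and function names are mine.

```python
from dataclasses import dataclass
from typing import List, Optional

TIMED_REACTIVATION_SECS = 30        # "re-added to the pool after 30 seconds" (accepted answer)
DEPLETION_DEADTIME_SECS = 10 * 60   # assumed ASA default deadtime for depletion mode

@dataclass
class Host:
    addr: str
    failed_at: Optional[float] = None   # None means the host is active

@dataclass
class ServerGroup:
    mode: str              # "depletion" (ASA default) or "timed"
    hosts: List[Host]
    deadtime: float = DEPLETION_DEADTIME_SECS
    all_failed_at: Optional[float] = None

    def mark_failed(self, addr: str, now: float) -> None:
        """Called when a host exceeds max-failed-attempts (the ASA marks it FAILED)."""
        for h in self.hosts:
            if h.addr == addr and h.failed_at is None:
                h.failed_at = now
        if self.mode == "depletion" and all(h.failed_at is not None for h in self.hosts):
            self.all_failed_at = now   # group depleted: the deadtime clock starts

    def active(self, now: float) -> List[str]:
        """Hosts the ASA will try, in configured order, after applying reactivation."""
        if self.mode == "timed":
            for h in self.hosts:
                if h.failed_at is not None and now - h.failed_at >= TIMED_REACTIVATION_SECS:
                    h.failed_at = None
        elif self.all_failed_at is not None and now - self.all_failed_at >= self.deadtime:
            for h in self.hosts:           # depletion: every host comes back together
                h.failed_at = None
            self.all_failed_at = None
        return [h.addr for h in self.hosts if h.failed_at is None]

def primary_recovery_time(mode: str) -> Optional[float]:
    """Seconds until 172.25.4.20 is tried again after failing at t=0, polled for 24h."""
    group = ServerGroup(mode, [Host("172.25.4.20"), Host("172.25.4.40")])
    group.mark_failed("172.25.4.20", now=0.0)
    for t in range(0, 24 * 3600 + 1, 5):
        if "172.25.4.20" in group.active(float(t)):
            return float(t)
    return None   # never reactivated while the secondary keeps answering
if __name__ == "__main__":
    print("depletion:", primary_recovery_time("depletion"))   # None
    print("timed:    ", primary_recovery_time("timed"))       # 30.0
```

In depletion mode the thread's primary is only reactivated if 172.25.4.40 fails too, which is why "show aaa-server" keeps reporting it as FAILED.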

4 REPLIES
Silver

Re: multiple aaa-server hosts for vpn authentication

If you configured the authentication server using a DNS name, then this problem will occur. Configure the authentication server using an IP address instead of the DNS name as a workaround.

New Member

Re: multiple aaa-server hosts for vpn authentication

I did use IP address. See config above.

New Member

Re: multiple aaa-server hosts for vpn authentication

I had added the option in the aaa-server group:

"reactivation-mode timed"

but it does not work!

When I restarted one of the ACS servers, my ASA5520 told me this information:

Server Address: 10.1.100.35
Server port: 1645(authentication), 1646(accounting)
Server status: FAILED, Server disabled at 09:53:57 BJ Tue Dec 19 2006

And the server never becomes active again!

Can you help me? Thanks.
