Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Unable to login to Switch & Router through secondary Acs ,when primary ACS is down.

Dear All,

  i have configured primary ACS in DC data center and secondary ACS in DR data center, i have configured replication , and it is working well, but when we put down primary ACS , we are unable to login in switch and router through secondary ACS , i ahve  dedicated link between core dc sw to core dr sw through which all traffic is getting replicated . All user , mgmt vlan are created in FWSM firewall.Kindly help.

Regards

Amit Kulshrestha

14 REPLIES

Re: Unable to login to Switch & Router through secondary Acs ,wh

Amit,

See if you can telnet into port 49 to the secondary acs. Please post the aaa and tacacs configuration of your device. What version of ACS are you on, and do you see anything relevant in the logs?

Thanks

Tarik Admani

Tarik Admani *Please rate helpful posts*

Unable to login to Switch & Router through secondary Acs ,when p

Tarik,

Yes we are able to telnet 49 that for tacacs to Sec Acs .Both ACS are running same verison , with same patch.

CORE-DC-SW-1#sh run | in tacacs

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ none

aaa authorization exec default group tacacs+ local

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization configuration default group tacacs+

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

tacacs-server host 172.61.0.116

tacacs-server host 172.63.0.116

tacacs-server directed-request

tacacs-server key 7 00371665165A1F265E741F

CORE-DC-SW-1#

this config is in all devices.

New Member

Re: Unable to login to Switch & Router through secondary Acs ,wh

Hello,

As per your diagram both running on same version.So there may not be any replication issue.

Check the reachability between tacacs clients and secondary acs server and also check all services on secondary ACS is running.

I mean check the secondary acs config on tacacs client.

Thanks,

Vishweswaran

Unable to login to Switch & Router through secondary Acs ,when p

Hello ,

Vishweswaran, Both ACs are running same version, also relpication is happen properly..For check reachability between tacacs clients , what would be the method for cecking. what all config should i check on sec ACS. kindly guide me.

New Member

Re: Unable to login to Switch & Router through secondary Acs ,wh

How about the ping response from the clients to the secondary ACS IP...?

When was the last replication happened...?

Re: Unable to login to Switch & Router through secondary Acs ,wh

Hi Amit,

When the DC ACS is down means... how the application down or the ACS server itself is down... Because if you make the application alone down.... the failover will not happen until the server gets physically down i guess.... so the DC ACS will respond to your TACACS requests if it is reachable!!!

Please let me know how is your case!!!

Unable to login to Switch & Router through secondary Acs ,when p

Hi Karthikeyan,

DC ACS means I am not shutting down the server itself. I am just stopping the services.

I have to try the option which you said.

I will let you know once I will done with same.

Thanks !!!

Unable to login to Switch & Router through secondary Acs ,when p

Hi Vishweswaran,

Ping response is normal ... between 7ms - 9ms ...

Replication took place daily ... and that too successfully.

Re: Unable to login to Switch & Router through secondary Acs ,wh

Please tell us what version of ACS you are running, also are the tacacs services up on this distant node (if running version 4.2 on a windows box you can go to the services and see if all the CS* pre-pended services are running. Also you can test authentications to this server by issuing the "test aaa" command, you should be able to tab your way through this.

i.e test aaa group tacacs username password new-code...(something of that sort),

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*

Re: Unable to login to Switch & Router through secondary Acs ,wh

Hi Bro

I'm assuming you've configured your ACS correctly and the Cisco network devices correctly. Perhaps, this could be a bug. The reason I say this is because last week, I was implementing 2 units of Cisco ACS 1121 v5.3 (in HA mode) for a client, and i had similar issues myself. When I down the primary ACS, I'm unable to login to my network devices, eventhough my secondary ACS is UP and PINGable from all network devices.

Hence, I downloaded and applied the latest cummulative patch from the CCO website 5-3-0-40-4.tar.gpg (Release Date: 27/May/2012) and my problem solved.

Perhaps, your ACS version isn't 5.3, but the morale of the story here is, maybe patching is required for your case!!

.

Please do let me know the outcome. May the force be with you, bro!

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department

Unable to login to Switch & Router through secondary Acs ,when p

Hi Ramraj,

I have tried same. Initaially I was using Acs-4.2.1.15.4 version. Now, I have updated same to Acs-4.2.1.15.9 with latest patch released on June 2012.

Replication is working fine after doing same. But, when I stop the services of Primary ACS then my devices didn't authenticate via Secondary ACS.

Still required help ... !!! Not getting what to do.

I am able to ping both the ACS from my devices but the problem is still same...

Unable to login to Switch & Router through secondary Acs ,when p

Hi Amit

If you were to unplug the UTP cable that's going to the Primary ACS server, is the AAA authentication to your Secondary ACS works fine? If no, then this is what I need you to do for me;

a) To perform this command from a switch/router when you've unplugged the UTP cable that's going to the Primary ACS server.     ------->>> Router# test aaa group tacacs+ admin cisco123 legacy.

b) To run "debug aaa authentication" and "debug aaa authorization" from a switch/router when the Primary ACS server is UP and also you've unplug the UTP cable.

c) To provide a show run of a latest equipment i.e. switch/router.

I believe with this 2 output, we should be able to narrow down the root cause.

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department

Re: Unable to login to Switch & Router through secondary Acs ,wh

Hi Amit,

As i told earlier.

Please try by shutting the entire primary acs and try it should work. I knew this is a strange behaviour. Even though your services are in shut. If still your acs is reachable in network. Then it won't work. This is a known problem in windows based ACS server.

And also one more thing have you configured the timeout for the tacacs requests.

Unable to login to Switch & Router through secondary Acs ,when p

Hi Guys,

Thanks for all the help.

The Problem is been solved.

I have re-integrate both (Primary and Secondary) ACS with AD (LDAP).

Once the integration is been done again, I tried to login via Secondary ACS and it works.

Thanks all ...

1088
Views
12
Helpful
14
Replies