PIX intermittently stops AAA with CiscoSecure ACS/NT

jwitherell
Level 1

Hopefully someone has heard of this...

I have a customer with a PIX 520 (with 6.1(1)), which does AAA (Authentication, Authorization, Accounting) with CiscoSecure ACS/NT to authorize users to access the internet from inside the firewall. From time to time, the PIX stops displaying the pop-up login box for users wishing to authenticate to access the internet. Users who are already authorized see no trouble, and statically permitted devices don't have any problem passing through the firewall either.

On the occasions when this has happened, we have restarted the ACS server, took the primary offline so the PIX would access the backup, restarted both ACS servers, etc. None of this helps restore service. The ONLY thing that we've done to restore service is to actually RELOAD the PIX. When we reload, the PIX immediately takes off and runs like a charm.

Perhaps some of you could help me determine some additional steps to take, and some things to look at while it is failing. I'm inclined to upgrade to 6.1(2) or 6.1(3), but I don't see any specific caveats that cover this.

TAC hasn't been able to help much, because I can't really give them any good information, other than a description of the problem. Let me know if you have any good ideas... Thanks!

3 Replies

ross.filipek
Level 1

Are you using an access list to define what traffic should be authorized, or are you using the old 'aaa authorization include . . .' command?

I'm using the 'aaa authorization include . . .' command. I'd like to switch, but I haven't really found a good example of how to use Access lists in the PIX.

Perhaps I will make this question a separate conversation... Thanks!

jekrauss
Level 1

This sounds suspiciously like bug CSCdw01653.

DESCRIPTION:

When doing authentication on the PIX for users passing through the PIX, the possibility exists that the PIX will run out of internal user objects, causing the PIX to stop prompting for authentication. Users that have already been authenticated will work fine, as will all existing connections. Only new un-authenticated users will have problems authenticating.

WORKAROUND:

Reboot the PIX.

This bug has been fixed in 6.1.1(106). It is not fixed in 6.1(2) or 6.1(3). It will be fixed in 6.1(4). If troubleshooting reveals that you are running into this bug and you can't wait for 6.1(4), then contact the TAC for the engineering build 6.1.1(106).

HTH

Jeff