Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX intermittently stops AAA with CiscoSecure ACS/NT

Hopefully someone has heard of this...

I have a customer with a PIX 520 (with 6.1(1)), which does AAA (Authentication Authorization Accounting) with CiscoSecure ACS/NT to authorize users to access the internet from inside the firewall. From time to time, the PIX stops displaying the pop-up login box for users wishng to autheticate to access the internet. Users who are already authorized see no trouble, and statically permitted devices don't have any probem passing thru the firewall either.

On the occasions when this has happened, we have restarted the ACS server, took the primary offline so the PIX would access the backup, restarted both ACS servers, etc. None of this helps restore service. The ONLY thing that we've done to restore service is to actually RELOAD the PIX. When we reload, the PIX immediately takes off and runs like a charm.

Perhaps some of you could help me determine some additional steps to take, and some things to look at while it is failing. I'm inclined to upgrade to 6.1(2) or 6.1(3), but I don't see any specific caveats that cover this.

TAC hasn't been able to help much, because I can't really give them any good information, other than a description of the problem. Let me know if you ahve any good ideas... Thanks!

  • Other Security Subjects
New Member

Re: PIX intermittently stops AAA with CiscoSecure ACS/NT

Are you using an access list to define what traffic should be authorized, or are you using the old 'aaa authorization include . . .' command?

New Member

Re: PIX intermittently stops AAA with CiscoSecure ACS/NT

I'm using the 'aaa authorization include . . .' command. I'd like to switch, but I haven't really found a good example of how to use Access lists in the PIX.

Perhaps I will make this question a separate conversation... Thanks!

New Member

Re: PIX intermittently stops AAA with CiscoSecure ACS/NT

This sounds suspiciously like bug CSCdw01653


When doing authentication on the PIX for users passing through the PIX,

the possibility exists that the PIX will run out of internal user objects,

causing the PIX to stop prompting for authentication.

Users that have already been authenticated will work fine, as will all

existing connections. Only new un-authenticated users will have

problems authenticating.


Reboot the PIX.

This bug has been fixed in 6.1.1(106). It is not fixed in 6.1(2) or 6.1(3). It will be fixed in 6.1(4). If troubleshooting reveals that you are running into this bug and you can't wait for 6.1(4), then contact the TAC for the engineering build 6.1.1(106).