PIX intermittently stops AAA with CiscoSecure ACS/NT
Hopefully someone has heard of this...
I have a customer with a PIX 520 (with 6.1(1)), which does AAA (Authentication Authorization Accounting) with CiscoSecure ACS/NT to authorize users to access the internet from inside the firewall. From time to time, the PIX stops displaying the pop-up login box for users wishing to authenticate to access the internet. Users who are already authorized see no trouble, and statically permitted devices don't have any problem passing through the firewall either.
On the occasions when this has happened, we have restarted the ACS server, taken the primary offline so the PIX would access the backup, restarted both ACS servers, etc. None of this helps restore service. The ONLY thing that we've done to restore service is to actually RELOAD the PIX. When we reload, the PIX immediately takes off and runs like a charm.
Perhaps some of you could help me determine some additional steps to take, and some things to look at while it is failing. I'm inclined to upgrade to 6.1(2) or 6.1(3), but I don't see any specific caveats that cover this.
TAC hasn't been able to help much, because I can't really give them any good information, other than a description of the problem. Let me know if you have any good ideas... Thanks!
Re: PIX intermittently stops AAA with CiscoSecure ACS/NT
This sounds suspiciously like bug CSCdw01653
When doing authentication on the PIX for users passing through the PIX, the possibility exists that the PIX will run out of internal user objects, causing the PIX to stop prompting for authentication. Users that have already been authenticated will work fine, as will all existing connections. Only new un-authenticated users will have
Reboot the PIX.
This bug has been fixed in 6.1.1(106). It is not fixed in 6.1(2) or 6.1(3). It will be fixed in 6.1(4). If troubleshooting reveals that you are running into this bug and you can't wait for 6.1(4), then contact the TAC for the engineering build 6.1.1(106).
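The symptom described in the reply has a clean signature from the syslog side: not-yet-authenticated inside hosts keep building connections through the firewall, but the "Auth start" messages that should follow them stop entirely, while already-authenticated hosts carry on. The detector below, added here as an example and not code from the thread or from Cisco, runs that correlation over constructed syslog lines. The message formats it matches (the "Built outbound TCP connection ... laddr" and "Auth start for user ... from" shapes) are assumptions modelled on PIX 6.x style logging and must be adapted to what the device actually sends; the `exempt` parameter is there for the statically permitted hosts the original poster mentions, which never get prompted and would otherwise look silent.

```python
"""Detect the 'PIX stopped prompting for AAA' condition from syslog.

Added example (not from the thread). The log formats below are constructed
approximations of PIX 6.x syslog messages and are assumptions: adapt the
regexes to the real output before using this against a live device.
"""
import re
from datetime import datetime, timedelta

# Assumed message shapes; only the free-text part is matched so the numeric
# %PIX-6-NNNNNN prefix does not have to be exact.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)")
AUTH_RE = re.compile(
    r"(?:Auth start|Authentication succeeded) for user '[^']*' from "
    r"(?P<src>\d+(?:\.\d+){3})"
)
CONN_RE = re.compile(r"Built outbound TCP connection .*? laddr (?P<src>\d+(?:\.\d+){3})/")


def parse_ts(line):
    """Return the syslog timestamp (year-less, good enough for deltas) or None."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S") if m else None


def detect_stalled_aaa(lines, grace_seconds=60, min_silent_hosts=3, exempt=frozenset()):
    """Return (alert, report).

    A host is 'silent' when it built a connection through the firewall but no
    Auth start / success was logged for it within grace_seconds. The alert
    fires when at least min_silent_hosts distinct hosts are silent and the
    last authentication message predates the earliest silent connection,
    i.e. prompting stopped altogether rather than one host misbehaving.
    Hosts in `exempt` (static permits, never subject to AAA) are ignored.
    """
    authed = set()      # hosts that were prompted or authenticated
    first_conn = {}     # unauthenticated src -> time of its first connection
    last_auth = None
    last_ts = None
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        last_ts = ts
        m = AUTH_RE.search(line)
        if m:
            src = m.group("src")
            authed.add(src)
            first_conn.pop(src, None)   # it was prompted after all
            last_auth = ts
            continue
        m = CONN_RE.search(line)
        if m:
            src = m.group("src")
            if src not in authed and src not in exempt:
                first_conn.setdefault(src, ts)
    if last_ts is None:
        return False, {"silent_hosts": [], "last_auth": None}
    cutoff = last_ts - timedelta(seconds=grace_seconds)
    silent = sorted(src for src, t in first_conn.items() if t <= cutoff)
    stalled = bool(silent) and (
        last_auth is None or last_auth < min(first_conn[s] for s in silent)
    )
    alert = len(silent) >= min_silent_hosts and stalled
    return alert, {"silent_hosts": silent, "last_auth": last_auth}


# Constructed sample input (not captured from a real device).
SAMPLE_HEALTHY = [
    "Jan 12 09:00:01 pix %PIX-6-302001: Built outbound TCP connection 1001 for faddr 203.0.113.10/80 gaddr 198.51.100.2/1025 laddr 10.1.1.5/1025",
    "Jan 12 09:00:02 pix %PIX-6-109001: Auth start for user '???' from 10.1.1.5/1025 to 203.0.113.10/80",
    "Jan 12 09:00:03 pix %PIX-6-109005: Authentication succeeded for user 'jdoe' from 10.1.1.5/1025 to 203.0.113.10/80 on interface inside",
    "Jan 12 09:00:40 pix %PIX-6-302001: Built outbound TCP connection 1002 for faddr 203.0.113.10/80 gaddr 198.51.100.2/1026 laddr 10.1.1.6/1026",
    "Jan 12 09:00:41 pix %PIX-6-109001: Auth start for user '???' from 10.1.1.6/1026 to 203.0.113.10/80",
]

SAMPLE_STALLED = SAMPLE_HEALTHY[:3] + [
    "Jan 12 09:10:00 pix %PIX-6-302001: Built outbound TCP connection 2001 for faddr 203.0.113.10/80 gaddr 198.51.100.2/1030 laddr 10.1.1.20/1030",
    "Jan 12 09:10:15 pix %PIX-6-302001: Built outbound TCP connection 2002 for faddr 203.0.113.10/80 gaddr 198.51.100.2/1031 laddr 10.1.1.21/1031",
    "Jan 12 09:10:30 pix %PIX-6-302001: Built outbound TCP connection 2003 for faddr 203.0.113.20/25 gaddr 198.51.100.2/1032 laddr 10.1.1.250/1032",
    "Jan 12 09:11:00 pix %PIX-6-302001: Built outbound TCP connection 2004 for faddr 203.0.113.10/80 gaddr 198.51.100.2/1033 laddr 10.1.1.22/1033",
    "Jan 12 09:12:00 pix %PIX-6-302001: Built outbound TCP connection 2005 for faddr 203.0.113.10/80 gaddr 198.51.100.2/1034 laddr 10.1.1.5/1034",
    "Jan 12 09:15:00 pix %PIX-6-302001: Built outbound TCP connection 2006 for faddr 203.0.113.10/80 gaddr 198.51.100.2/1035 laddr 10.1.1.20/1035",
]

if __name__ == "__main__":
    for name, sample in (("healthy", SAMPLE_HEALTHY), ("stalled", SAMPLE_STALLED)):
        alert, report = detect_stalled_aaa(sample, exempt={"10.1.1.250"})
        print(name, "ALERT" if alert else "ok", report["silent_hosts"])
```

Run it as a one-shot over a syslog extract, or feed it a sliding window of the last few minutes of lines from the syslog collector; the stalled sample above fires because three inside hosts built connections and nothing prompted them, while the earlier authenticated host (10.1.1.5) keeps passing traffic exactly as the thread describes. Tune `grace_seconds` to the real delay between connection build and the authentication prompt on your firewall, and keep `min_silent_hosts` above one so a single host that talks a protocol the PIX never prompts for does not trip the check.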