Problem with delayed communications between Cisco ACS 3.3 and RSA SecurID
This is a bit of a strange one! In a nutshell we have Cisco ACS 3.3 and RSA SecurID 5.2 server on our Remote Access Server. Checking the RADIUS logs in ACS we see that there is a definite 4 second delay with the authentication between ACS and RSA.
Let me elaborate....
Our primary method of connection is using the Cisco VPN Client v 4.6. We've never noticed a problem with this connection before. (VPN client seems a bit more forgiving)
We are now trialling Telstra NextG wireless modems, using an alternative connection to the VPN client.
We have been monitoring the logs on RADIUS and see the incoming request from Telstra, followed 2 seconds later by a retry, which is then followed 2 seconds later by another retry. At this point Telstra gives up and fails the connection. But according to the logs, the connection is accepted at the same time as the connection 'gives up' (but appears further in the log).
Each time this happens we noticed that it takes 4 seconds (sometimes 5) for the OK to be logged by Cisco coming from RSA.
My question is (after all that!), is there any way we can further troubleshoot / configure the connections between RSA and Cisco?
Has anyone else noticed this problem before, or something similar?
The server is managing over a thousand other connection devices that aren't using RSA with no problems. Looks like it's something to do with the connection between Cisco and RSA?
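As an added illustration (not code from the original thread), here is a small parser over constructed log lines that flags sessions where the ACCEPT from the RADIUS/RSA side arrived only after the client had exhausted its retry budget, which is the pattern described above. The log format, session ids and the client's 2 s x 2 retry budget are assumptions.

```python
"""Flag RADIUS accepts that land after the client has already given up.

Added example, not from the original thread. Assumes a constructed log
format: "<seconds> <client> <session-id> <event>" with event one of
REQUEST, RETRY or ACCEPT. Real ACS / RADIUS log formats differ.
"""
from collections import defaultdict

# Constructed sample: the wireless client retries every 2 s, twice, then
# gives up at 4 s; the ACCEPT arrives 0.3 s after that. The VPN client
# session is answered well within its budget.
SAMPLE_LOG = """\
0.0 telstra sess-1 REQUEST
2.0 telstra sess-1 RETRY
4.0 telstra sess-1 RETRY
4.3 telstra sess-1 ACCEPT
10.0 vpn-client sess-2 REQUEST
11.5 vpn-client sess-2 ACCEPT
"""


def parse_log(text):
    """Return {session-id: {"first": t, "retries": n, "accept": t or None}}."""
    sessions = defaultdict(lambda: {"first": None, "retries": 0, "accept": None})
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _client, sid, event = line.split()
        entry = sessions[sid]
        ts = float(ts)
        if event == "REQUEST":
            entry["first"] = ts
        elif event == "RETRY":
            entry["retries"] += 1
        elif event == "ACCEPT":
            entry["accept"] = ts
    return dict(sessions)


def late_accepts(sessions, client_timeout):
    """Sessions whose ACCEPT arrived more than client_timeout seconds after
    the first REQUEST, i.e. after the client stopped listening for it."""
    result = {}
    for sid, entry in sessions.items():
        if entry["first"] is None or entry["accept"] is None:
            continue
        latency = entry["accept"] - entry["first"]
        if latency > client_timeout:
            result[sid] = round(latency, 3)
    return result


if __name__ == "__main__":
    # 2 retries at a 2 s interval: the client waits 4 s in total (assumed).
    print(late_accepts(parse_log(SAMPLE_LOG), client_timeout=2.0 * 2))
```

Run it against a real export once the timestamps and events are mapped to this layout; any session it reports is one where lowering the server-side delay (or raising the client's retry budget) would have turned a failure into a success.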
Re: Problem with delayed communications between Cisco ACS 3.3 an
Looks like we've sorted it out
We've managed to change the 2 second delay between Cisco and RSA. This delay is actually configured in RSA, which we have since changed
After working with the network carrier we found that our RADIUS server was attempting to issue an IP address that was already in use, by a user that was logged in but not visible on the RADIUS server.
After ratting around with the IP Pool config, I noticed a box that was ticked that said "Release address if allocated for longer than 5 hours".
We have had users connected continuously for 3 days, but it looks like they were disappearing from our RADIUS after 5 hours. Along comes the next request, and the server tries to issue an IP address it thinks is free, but is actually in use.