[c-nsp] aaa group doesn't fail over

Painting, Stuart Stuart.Painting at TheAA.com
Fri Nov 14 02:53:01 EST 2014


 

"radius-server retry method reorder" may help, although that merely moves
the failing server to the back of the list rather than stopping it from
being used altogether. According to the documentation it was integrated
into 12.2(33)SRC, so SRE should have it.



-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike
Sent: 13 November 2014 18:27
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] aaa group doesn't fail over


Hi,

     On Cisco 7201 with 122-33.SRE7, I have the following:

aaa group server radius radius-pia
  server 10.0.1.21 auth-port 1812 acct-port 1813
  server 10.0.1.22 auth-port 1812 acct-port 1813
  server 10.0.1.23 auth-port 1812 acct-port 1813
  deadtime 1


radius-server host 10.0.1.21 auth-port 1812 acct-port 1813 timeout 5 test username servercheck idle-time 1 key none
radius-server host 10.0.1.22 auth-port 1812 acct-port 1813 timeout 5 test username servercheck idle-time 1 key none
radius-server host 10.0.1.23 auth-port 1812 acct-port 1813 timeout 5 test username servercheck idle-time 1 key none


     Today, server 10.0.1.21 is dead.  In my logs I have:

Nov 13 08:19:05.854 PST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.0.1.21:1812,1813 is not responding.

     However, despite having 3 choices, the Cisco continues to try and 
send RADIUS requests to the new dead server. I had to manually remove 
'server 10.0.1.21 auth-port 1812 acct-port 1813' from the above to force 
it to use one of the remaining live hosts (the next one in the list).

     Is there something more I need to do to get it to not use a host it 
knows for a fact is dead?

Mike-




