Cisco Bug: CSCte75993 - ACS sends the same server list name and gen-ID when NAD switches ACS

Last Modified

Mar 17, 2011

Products (1)

  • Cisco Secure Access Control Server Solution Engine

Known Affected Releases

5.0(0.21)

Description (partial)

Symptom:
A CAT6K device will initially attempt to access the wrong ACS server, and will later continue to show that wrong server as its primary destination for TrustSec RADIUS services.

Conditions:
If the server configuration is modified to point to a different ACS, the device is not able to recognize that a new server list has been published by the new server:

- Device is configured with Server A
- Env-data download from Server A returns a server list named "ACSServerList1" with Server A in it
- Device's private list now contains Server A
- Server A is brought down
- Device config changed: Server A is replaced with Server B
- Server A is marked DEAD on the device's private list
- Env-data download refresh sent to Server B (public list)
- Server B returns the same server list named "ACSServerList1" with the same gen-ID
- Since the server list name is identical and the gen-ID did not change, the device sees no need to download the server info and never acquires info for Server B
- Device ends up with Server A in its private list

The CAT6K gives priority to the private server list over the public list, so it will attempt to use the stale entry without knowing that it is the wrong one.
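The sequence above, as an added simulation that is not Cisco code: a device model whose env-data refresh skips the download whenever the list name and gen-ID match the cached values, reproducing the stale private list. The `refresh_on_source_change` option is an assumed, illustrative mitigation (also keying the cache on which server served the list), not the fix Cisco shipped; the gen-ID value and server names are constructed.

```python
# Constructed model of the device-side env-data refresh described in CSCte75993.
# Hypothetical class/field names; not the CAT6K or ACS implementation.

class Device:
    def __init__(self, configured, refresh_on_source_change=False):
        self.configured = list(configured)  # public list (from running config)
        self.private = {}                   # private list: server -> "ALIVE"/"DEAD"
        self.cached_name = None             # last accepted server list name
        self.cached_gen_id = None           # last accepted gen-ID
        self.cached_source = None           # server that served the cached list
        self.refresh_on_source_change = refresh_on_source_change  # assumed mitigation

    def env_data_refresh(self, source, list_name, gen_id, servers):
        """Handle an env-data reply from `source`; return True if the list was downloaded."""
        unchanged = (list_name == self.cached_name and gen_id == self.cached_gen_id)
        if self.refresh_on_source_change:
            # Illustrative hardening: a list served by a different ACS is never "unchanged".
            unchanged = unchanged and source == self.cached_source
        if unchanged:
            return False  # bug path: same name and gen-ID, so nothing is downloaded
        self.cached_name, self.cached_gen_id, self.cached_source = list_name, gen_id, source
        self.private = {s: "ALIVE" for s in servers}
        return True

    def mark_dead(self, server):
        if server in self.private:
            self.private[server] = "DEAD"

    def replace_configured(self, old, new):
        self.configured = [new if s == old else s for s in self.configured]

    def primary_target(self):
        """Private list takes priority over the public list, as on the CAT6K."""
        if self.private:
            return next(iter(self.private))
        return self.configured[0]


def run_scenario(refresh_on_source_change=False):
    """Replay the bug's steps; return (downloaded?, primary target, private list)."""
    dev = Device(["ServerA"], refresh_on_source_change)
    dev.env_data_refresh("ServerA", "ACSServerList1", 7, ["ServerA"])  # gen-ID 7: constructed
    dev.mark_dead("ServerA")                       # Server A brought down, marked DEAD
    dev.replace_configured("ServerA", "ServerB")   # config now points at Server B
    downloaded = dev.env_data_refresh("ServerB", "ACSServerList1", 7, ["ServerB"])
    return downloaded, dev.primary_target(), dict(dev.private)
```

With the default logic the refresh from Server B is ignored and the dead Server A remains the primary target; with the assumed source check the list from Server B is accepted.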