Cisco Bug: CSCte75993 - ACS sends the same server list name and gen-ID when NAD switches ACS
Mar 17, 2011
- Cisco Secure Access Control Server Solution Engine
Known Affected Releases
Symptom: A CAT6K device initially attempts to reach the wrong ACS server and afterwards keeps showing that wrong server as its primary destination for TrustSec RADIUS services.

Conditions: If the server configuration is changed to point at a different ACS, the device does not recognize that the new server has supplied an updated server list:
- Device is configured with Server A
- Env-data download from Server A returns a server list named "ACSServerList1" containing Server A
- Device's private list now contains Server A
- Server A is brought down
- Device config is changed: Server A is replaced with Server B
- Server A is marked DEAD in the device's private list
- Env-data download refresh is sent to Server B (public list)
- Server B returns the same server list name "ACSServerList1" with the same gen-ID
- Because the list name and gen-ID are unchanged, the device sees no need to re-download the server info and never learns about Server B
- Device ends up with Server A in its private list

The CAT6K gives the private server list priority over the public (configured) list, so it keeps trying Server A without knowing that it is the wrong server.
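The sequence above is a cache-invalidation failure: the device keys its private server list on (list name, gen-ID) alone, so a reply from a different server that happens to reuse both values is treated as "nothing changed". The following added example is a hypothetical Python model of that refresh logic, written for this page; it is not Cisco IOS or ACS code. The class and method names (`Device`, `env_data_refresh`, `pick_server`) and the gen-ID value are assumptions, and the `invalidate_on_dead_source` rule is one illustrative alternative invalidation policy, not the fix Cisco shipped (the page does not state the fix).

```python
"""Hypothetical model of the TrustSec env-data server-list refresh described
in CSCte75993.  Not Cisco code: names and the gen-ID value are assumptions."""

from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class ServerList:
    name: str          # e.g. "ACSServerList1"
    gen_id: int        # generation ID returned with the env-data reply
    servers: List[str]


@dataclass
class Device:
    configured: List[str]                  # public list from the running config
    private: Optional[ServerList] = None   # list learned via env-data download
    dead: Set[str] = field(default_factory=set)
    # Assumed alternative policy: also discard the private list when every
    # server it names has been marked DEAD.  Not the fix described by Cisco.
    invalidate_on_dead_source: bool = False

    def env_data_refresh(self, reply: ServerList) -> bool:
        """Apply an env-data reply; return True if the private list was
        (re)downloaded.  Original behaviour: keep the cached private list
        whenever name and gen-ID match, regardless of which server answered."""
        if self.private is None:
            self.private = reply
            return True
        unchanged = (self.private.name == reply.name
                     and self.private.gen_id == reply.gen_id)
        all_dead = all(s in self.dead for s in self.private.servers)
        if unchanged and not (self.invalidate_on_dead_source and all_dead):
            return False            # "no need to download" -> Server B never learned
        self.private = reply
        return True

    def pick_server(self) -> str:
        """Private list takes priority over the public (configured) list."""
        if self.private and self.private.servers:
            return self.private.servers[0]
        return self.configured[0]


def scenario(harden: bool = False) -> Tuple[bool, List[str], str]:
    """Replay the steps from the bug report.  Returns (downloaded?, private
    list contents, server the device will target)."""
    dev = Device(configured=["ServerA"], invalidate_on_dead_source=harden)
    # 1. Env-data download from Server A (gen-ID 7 is a constructed value).
    dev.env_data_refresh(ServerList("ACSServerList1", 7, ["ServerA"]))
    # 2. Server A goes down and is marked DEAD; config now points at Server B.
    dev.dead.add("ServerA")
    dev.configured = ["ServerB"]
    # 3. Server B answers the refresh with the same list name and gen-ID.
    downloaded = dev.env_data_refresh(ServerList("ACSServerList1", 7, ["ServerB"]))
    return downloaded, list(dev.private.servers), dev.pick_server()


if __name__ == "__main__":
    print("as reported:", scenario(harden=False))   # (False, ['ServerA'], 'ServerA')
    print("alt. policy:", scenario(harden=True))    # (True, ['ServerB'], 'ServerB')
```

With the original rule the refresh from Server B is ignored and the device keeps Server A, now DEAD, as its primary target, exactly the state the bug report describes. The alternative policy is included only to show that the (name, gen-ID) pair is not a sufficient cache key once the server that produced the list is gone; whatever the real fix does, an operator checking a device in this state should expect the private list to still name the old ACS after the configuration change.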