Cisco Bug: CSCvv09077 - AAA Server Group: Getting marked as unreachable when using Depletion reactivation mode

Last Modified

Sep 01, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.12(3), 9.8

Description (partial)

Symptom:
An AAA server group (ISE) configured on the ASA is marked as unreachable a few minutes after authentications have been succeeding, when the group is configured with "reactivation mode depletion" and a timeout duration of 10 minutes.

Troubleshooting:

Found in logs:
%ASA-4-409023: Attempting AAA Fallback method LOCAL for Authorization request for user XXXX : Auth-server group ISE-XXX unreachable

IDCBTFW01# show aaa-server ISE-XXX
Server Group:    ISE-XXX
Server Protocol: tacacs+
Server Address:  1xx.xx.xxx.xxx
Server port:     49
Server status:   ACTIVE, Last transaction at 12:37:07 WIB Sun Jul 5 2020
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       997
Number of authorization requests        63
Number of accounting requests           56
Number of retransmissions               0
Number of accepts                       125
Number of rejects                       225
Number of challenges                    8
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      766
Number of unrecognized responses        0

IDCBTFW01# test aaa authentication ISE-XXX user xxx.xxxxxx pass abcdefgh
Server IP Address or name: 1xx.xx.xxx.xxx
INFO: Attempting Authentication test to IP address (1xx.xx.xxx.xxx) (timeout: 12 seconds)
INFO: Authentication Successful

No issue was observed in the packet capture either.
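
The fallback message and the `show aaa-server` counters above are the page's own output. The following script is an added example, not Cisco's code and not part of the bug report: it parses `%ASA-4-409023` fallback-to-LOCAL messages out of syslog, parses the `show aaa-server` counters, and flags the combination seen in this report (the group is reported unreachable and the timeout counter is high while the group status still reads ACTIVE). The syslog sample lines, their timestamps and the user names are constructed; the `show aaa-server` text is copied from the page.

```python
import re
from collections import Counter, defaultdict

# Pattern for the ASA fallback message quoted in the bug report (message ID 409023).
# The timestamp/hostname prefix is whatever the collector prepends and is not matched.
FALLBACK_RE = re.compile(
    r"%ASA-\d-409023: Attempting AAA Fallback method (?P<method>\S+) "
    r"for (?P<reqtype>\S+) request for user (?P<user>\S+) : "
    r"Auth-server group (?P<group>\S+) unreachable"
)

# Constructed sample syslog (not from the page): one successful authentication,
# then the group ISE-XXX is declared unreachable and requests fall back to LOCAL.
SAMPLE_SYSLOG = """\
Jul 05 2020 12:30:11 IDCBTFW01 : %ASA-6-113004: AAA user authentication Successful : server = 1xx.xx.xxx.xxx : user = alice
Jul 05 2020 12:37:20 IDCBTFW01 : %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authorization request for user alice : Auth-server group ISE-XXX unreachable
Jul 05 2020 12:37:42 IDCBTFW01 : %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user bob : Auth-server group ISE-XXX unreachable
Jul 05 2020 12:38:05 IDCBTFW01 : %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authorization request for user alice : Auth-server group ISE-XXX unreachable
"""

# "show aaa-server ISE-XXX" output exactly as quoted in the bug report.
SHOW_AAA_SERVER = """\
Server Group:    ISE-XXX
Server Protocol: tacacs+
Server Address:  1xx.xx.xxx.xxx
Server port:     49
Server status:   ACTIVE, Last transaction at 12:37:07 WIB Sun Jul 5 2020
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       997
Number of authorization requests        63
Number of accounting requests           56
Number of retransmissions               0
Number of accepts                       125
Number of rejects                       225
Number of challenges                    8
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      766
Number of unrecognized responses        0
"""

COUNTER_RE = re.compile(r"^Number of (?P<name>[a-z ]+?)\s{2,}(?P<value>\d+)$")


def parse_fallback_events(log_text):
    """Return one dict (method, reqtype, user, group) per 409023 message found."""
    return [m.groupdict() for line in log_text.splitlines() if (m := FALLBACK_RE.search(line))]


def fallbacks_per_group(events):
    """Count fallback events per AAA server group, broken down by request type."""
    per_group = defaultdict(Counter)
    for ev in events:
        per_group[ev["group"]][ev["reqtype"]] += 1
    return {group: dict(counts) for group, counts in per_group.items()}


def parse_show_aaa_server(text):
    """Extract group name, status word and the 'Number of ...' counters."""
    info = {"counters": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server Group:"):
            info["group"] = line.split(":", 1)[1].strip()
        elif line.startswith("Server status:"):
            # "ACTIVE, Last transaction at ..." -> keep only the status word
            info["status"] = line.split(":", 1)[1].split(",")[0].strip()
        elif m := COUNTER_RE.match(line):
            info["counters"][m.group("name")] = int(m.group("value"))
    return info


def timeout_ratio(info):
    """Timeouts divided by all authentication, authorization and accounting requests."""
    c = info["counters"]
    requests = sum(c.get(k, 0) for k in ("authentication requests", "authorization requests", "accounting requests"))
    return c.get("timeouts", 0) / requests if requests else 0.0


def assess_group(info, events, threshold=0.25):
    """Combine syslog evidence and counters into a list of findings for one group."""
    group = info.get("group")
    ratio = timeout_ratio(info)
    fallback_count = sum(1 for ev in events if ev["group"] == group)
    findings = []
    if fallback_count:
        findings.append(f"{fallback_count} fallback-to-LOCAL event(s) logged for group {group}")
    if ratio > threshold:
        findings.append(f"timeout ratio {ratio:.2f} exceeds threshold {threshold}")
    if fallback_count and info.get("status") == "ACTIVE":
        findings.append("syslog reports the group unreachable while show aaa-server reports ACTIVE")
    return {"group": group, "status": info.get("status"), "timeout_ratio": round(ratio, 3),
            "fallback_events": fallback_count, "findings": findings}


if __name__ == "__main__":
    evs = parse_fallback_events(SAMPLE_SYSLOG)
    print(fallbacks_per_group(evs))
    print(assess_group(parse_show_aaa_server(SHOW_AAA_SERVER), evs))
```

A fallback to LOCAL is worth alerting on regardless of this bug, because while it lasts the device is authenticating against local credentials instead of central TACACS+ policy and accounting. On the page's counters the ratio check alone already stands out: 766 timeouts against 1116 requests, yet the group still reads ACTIVE, which is the inconsistency the report describes.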

Conditions:
When using "reactivation mode depletion" with a timeout of 10 minutes.
The issue is not observed when using "reactivation mode timed".
The issue is observed only for the ISE server group.
ACS server groups work fine.

ASA: 5512 running 9.8
Still experienced after upgrading to a 9.12.3 interim build.