On 2013-10-18 11:07, Heikki Vatiainen wrote:
> On 10/18/2013 11:23 AM, Alexander Hartmaier wrote:
>> On 2013-10-11 13:56, Caporossi, Steve G. wrote:
>>> We also have issues with NXOS; in our case using RADIUS.
>>>
>>> It always seems to begin with these syslog messages;
>>> 2013 Oct 10 19:56:14.103 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: Failed looking up IP address for RADIUS server <server address>
>>> 2013 Oct 10 19:56:14.105 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: Failed looking up IP address for RADIUS server <server address>
>>> 2013 Oct 10 19:56:14.106 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: Failed looking up IP address for RADIUS server <server address>
>>> 2013 Oct 10 19:56:14.107 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: All RADIUS servers failed to respond after retries.
>>>
>>> Authentication fails and we have to fall back to local authentication to "fix"
>>> the issue by sending test authentication to the RADIUS servers.
>>>
>>> We have the DNS entries configured on the Nexus devices and when this is
>>> happening the device can ping the servers using the hostname. Another
>>> strange thing is it happens primarily in one VDC and much less frequently
>>> on the others using the same OOB management network.
>> What do you mean with 'dns entries configured *on* the Nexus'? Does it
>> happen too if you configure the radius servers ip addresses instead of
>> their dns names?
>>
>> @Radiator guys: any update from you?
> For the RADIUS/DNS problem above, I can only think of configuring the
> server with address instead of name. Why it fails? Maybe there's a rate
> limit on the DNS side. If there are lots of RADIUS requests each causing
> a DNS lookup, that might cause the lookup failures.
>
> What comes to NX-OS problems Alexander sees, could it be possible that
> accounting requests are sent to different Radiators than authentication
> or authorization requests?
>
> If so, then there might be a different shared key configured on the
> NX-OS than on Radiator? In this case Radiator logs should show errors
> hinting about 'Bad key?'. If Radiator thinks the key is bad, it will
> disconnect and this may be logged as 'All servers failed to respond'.

The requests are sent to two Radiator servers forming a failover pair which both have the same TACACS key. It only happens from time to time; the authentication and accounting requests usually work.

>
> Thanks,
> Heikki
>

T-Systems Austria GesmbH
Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
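
The two explanations discussed in the thread (DNS lookup failures versus a server-side rejection such as a shared-key mismatch) can be told apart from the switch side by checking what precedes each "All RADIUS servers failed" message. The following is an added example, not code from the thread or from Radiator; the sample log lines are constructed in the layout quoted above, and the host names, server name and 5-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the NX-OS syslog layout quoted in the thread;
# "mdf2" and "radius1.example.net" are made-up values.
SAMPLE = """\
2013 Oct 10 19:56:14.103 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: Failed looking up IP address for RADIUS server radius1.example.net
2013 Oct 10 19:56:14.105 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: Failed looking up IP address for RADIUS server radius1.example.net
2013 Oct 10 19:56:14.107 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: All RADIUS servers failed to respond after retries.
2013 Oct 10 20:10:02.000 mdf2 %RADIUS-3-RADIUS_ERROR_MESSAGE: All RADIUS servers failed to respond after retries.
"""

LINE = re.compile(
    r"^(\d{4} \w{3} +\d+ [\d:]+\.\d+) (\S+) %RADIUS-3-RADIUS_ERROR_MESSAGE: (.*)$"
)
DNS_FAIL = "Failed looking up IP address for RADIUS server"
ALL_FAIL = "All RADIUS servers failed to respond"


def classify_outages(text, window=timedelta(seconds=5)):
    """Return (host, timestamp, cause, dns_failures) per 'all servers failed' event.

    cause is "dns-lookup" when the same host logged DNS lookup failures
    within `window` before the event, otherwise "other" (for example a
    timeout or a key mismatch, to be checked in the RADIUS server's log).
    """
    dns_failures = {}  # host -> timestamps of DNS lookup failures
    outages = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a RADIUS error line in the expected layout
        ts = datetime.strptime(m.group(1), "%Y %b %d %H:%M:%S.%f")
        host, msg = m.group(2), m.group(3)
        if msg.startswith(DNS_FAIL):
            dns_failures.setdefault(host, []).append(ts)
        elif msg.startswith(ALL_FAIL):
            hits = [t for t in dns_failures.get(host, [])
                    if timedelta(0) <= ts - t <= window]
            outages.append((host, ts, "dns-lookup" if hits else "other", len(hits)))
    return outages


if __name__ == "__main__":
    for host, ts, cause, n in classify_outages(SAMPLE):
        print(f"{ts.isoformat()} {host}: cause={cause} dns_failures={n}")
```

Events classified as "other" are the ones worth cross-checking against the Radiator log for the 'Bad key?' errors mentioned in the thread.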