RE: [SPAM] - RE: Problem with ACS - Sending mail server found

From: Gustavo Novais (gustavo.novais@novabase.pt)
Date: Thu Apr 12 2007 - 11:56:21 ART


Hello

Did you install ACS with administrator privileges? (had to ask)

Are the CSMon logs telling you anything? Like a failure to periodically
authenticate in order to check whether CSTacacs is up?

Check everything, CSAuth, CSMon, and CSLog.

Do you have any proxy distribution table configured? Is the default
entry pointing to your own ACS?

Are you using any external user database? Have you tried with a local
account?

Are you using NAFs or NARs?

Just shooting at the problems...

Gustavo Novais

 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of CCDesire
Sent: Thursday, 12 April 2007 15:00
To: 'Cisco certification'
Subject: [SPAM] - RE: Problem with ACS - Sending mail server found on
xbl.spamhaus.org

Hi Hewie,

I tried as you recommended and got output similar to what you got.

Our server has ZoneAlarm installed, but even when I shut it down things
didn't get any better.

Still no logs on server and authentication failed on router.

   _____

From: Hewie [mailto:whewetson@gmail.com]
Sent: Thursday, April 12, 2007 12:23 AM
To: Luu Hoang Dung
Cc: ccielab@groupstudy.com
Subject: Re: Problem with ACS

Hi Luu,

Run 'netstat -an | more' from the command prompt on your ACS server to see
if it is listening on TCP 49; your output should look like this:

 Proto Local Address Foreign Address State
  TCP 0.0.0.0:49 0.0.0.0:0 LISTENING

Are you sure you don't have the Windows Firewall enabled on your server?

Hewie

On 4/11/07, Luu Hoang Dung <lhd.ccdzi@gmail.com> wrote:

Hi Marvin and other guys,

Firstly thank you for your concern.

I have tried to check my process and the results are:

1 - There is only a transparent switch between the
router-to-be-authenticated and the ACS server

2 - When I telnet to port 49 of the ACS server from my PC I get: "Could not
open connection to the host on port 49: Connect failed".

When I telnet to port 49 of the ACS server from my routers I get:

Router2#telnet 192.168.1.200 49
Trying 192.168.1.200, 49 ...
% Connection refused by remote host

3 - I configured the router to authenticate locally like this:

username cisco password 0 cisco
aaa new-model
!
!
aaa authentication login default local

And the result is successful.

4 - I tried to authenticate different routers and the error message is still
the same, and I also got this:

*Mar 1 00:17:48.315: TPLUS(00000004)/0/WRITE: write to 192.168.1.200 failed
with errno 134((ENOTCONN))

*Mar 1 00:17:53.311: TPLUS(00000004)/0/WRITE/62E74248: timed out

5- There isn't any ACL anywhere

What more can be wrong here ?

-----Original Message-----
From: Marvin Greenlee [mailto:marvin@ipexpert.com]
Sent: Wednesday, April 11, 2007 9:08 AM
To: 'CCDesire'; 'Cisco certification'
Subject: RE: Problem with ACS

Are there other devices in the data path between your router and the ACS
server?

Do you get the same response (connection is refused) if you telnet from the
router to the ACS server on TCP port 49?

Are you getting this message when you try an authentication from the router
locally (using the 'test aaa' command)?

Do you only get the 'connection refused' when trying to connect to the
router from somewhere else? If only when trying to connect to the router
from somewhere else, is there any configured access-class/ACL blocking
traffic to the router?

Are you able to authenticate to the ACS server from the router using
RADIUS?

Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
Senior Technical Instructor - IPexpert, Inc.
"When Will You Be an IP Expert?"
marvin@ipexpert.com
http://www.IPexpert.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of CCDesire
Sent: Tuesday, April 10, 2007 9:37 PM
To: 'Cisco certification'
Subject: Problem with ACS

Dear group,

I get the following error message every time I try to authenticate routers
to the TACACS+ server in Cisco Secure ACS:

 Connection is refused by remote host

I tried different ways to fix this problem but was still unsuccessful.

The router to be authenticated can ping the server, and all firewalls on the
server are closed (ACS on a W2K server).

The hostname, IP and shared key for the router are correctly configured.

This is what I configured about authentication:

aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 206.222.152.1 single-connection
tacacs-server key ventu

Please help me troubleshoot this problem.

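As an added illustration for this thread (example code written here, not posted by any of the participants), the Python below automates two of the checks the replies ask for: parsing `netstat -an` output on the ACS host to confirm something is bound to TCP 49, and probing a host:port to separate a refused connection (a TCP RST came back, which is what the router reports as "% Connection refused by remote host" and what precedes the TPLUS ENOTCONN write failure) from a filtered one (the SYN was dropped and the connect times out). The netstat text and the loopback demonstration are constructed for this example; the function names and the 192.168.1.200 addresses in the sample are assumptions, not output from the thread's server.

```python
"""Added example for the ACS "connection refused" thread; not the posters' code.

1. parse_listening_tcp_ports(): parse Windows-style `netstat -an` output and
   return the TCP ports in LISTENING state, so TCP 49 (TACACS+) can be checked.
2. probe_tcp(): connect to host:port and classify the result as "open",
   "refused" (RST received: the host is reachable but nothing accepts on that
   port, or a host firewall rejects it) or "timeout" (SYN dropped on the path).
3. demo_loopback(): constructed, offline demonstration of both outcomes.
"""
import errno
import socket

TACACS_PORT = 49

# Constructed sample of `netstat -an` from a Windows host on which the TACACS+
# daemon is NOT listening (no 0.0.0.0:49 row) but other services are.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2002           0.0.0.0:0              LISTENING
  TCP    192.168.1.200:139      0.0.0.0:0              LISTENING
  TCP    192.168.1.200:3389     192.168.1.10:51234     ESTABLISHED
  UDP    0.0.0.0:1645           *:*
  UDP    0.0.0.0:1812           *:*
"""

# Same constructed sample with the TACACS+ listener present (the healthy case).
SAMPLE_NETSTAT_OK = SAMPLE_NETSTAT + (
    "  TCP    0.0.0.0:49             0.0.0.0:0              LISTENING\n"
)


def parse_listening_tcp_ports(netstat_output):
    """Return the set of TCP ports that netstat reports as LISTENING."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Windows rows: Proto LocalAddr ForeignAddr State; skip headers and UDP.
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        if fields[3].upper() not in ("LISTENING", "LISTEN"):
            continue
        # Local address is 0.0.0.0:49, 192.168.1.200:49 or [::]:49; take the port.
        port_text = fields[1].rsplit(":", 1)[-1]
        if port_text.isdigit():
            ports.add(int(port_text))
    return ports


def tacacs_is_listening(netstat_output, port=TACACS_PORT):
    """True if the netstat output shows a TCP listener on the TACACS+ port."""
    return port in parse_listening_tcp_ports(netstat_output)


def probe_tcp(host, port, timeout=3.0):
    """Classify a TCP connect attempt: 'open', 'refused', 'timeout' or 'error:<errno name>'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        # The peer answered the SYN with RST: IP reachable, port not accepting.
        return "refused"
    except socket.timeout:
        # No answer at all: the SYN (or the SYN/ACK) was dropped somewhere.
        return "timeout"
    except OSError as e:
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def demo_loopback():
    """Probe an ephemeral loopback listener, then the same port once it is closed
    (the 'daemon not running on the ACS host' case)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print("TCP 49 listening in sample netstat:", tacacs_is_listening(SAMPLE_NETSTAT))
    print("TCP 49 listening in healthy sample:", tacacs_is_listening(SAMPLE_NETSTAT_OK))
    print("loopback probe (listening, closed):", demo_loopback())
```

A "refused" result means the packets reached the ACS host and it answered, so the place to look is the CSTacacs service and any host-based firewall rule that rejects rather than drops (ZoneAlarm, Windows Firewall), not routing or intermediate ACLs; a "timeout" points the other way, at something on the path silently dropping TCP 49.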



This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART