Symptom
Request the enhancement to the FMC GUI under the AAA-Server to allow the reactivation policy to be configured or changed.
The current default on FTD is "reactivation-mode depletion deadtime 10", which means that every AAA server in the group must be marked FAILED before the first server in the list is retried, and the retry happens only after a 10-minute wait.
Configuration for ASA:
Specify the method (reactivation policy) by which failed servers in a group are reactivated.
reactivation-mode {depletion [deadtime minutes] | timed}
Example:
ciscoasa(config-aaa-server-group)# reactivation-mode depletion deadtime 20
The depletion keyword reactivates failed servers only after all of the servers in the group are inactive.
The deadtime minutes keyword-argument pair specifies the amount of time in minutes, between 0 and 1440, that elapses between the disabling of the last server in the group and the subsequent reenabling of all servers. The default is 10 minutes.
The timed keyword reactivates failed servers after 30 seconds of down time.
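To make the difference between the two policies concrete, the following is an added model of the depletion and timed behaviour described above. It is not Cisco code; the group members (ISE-1, ISE-2), their failure times and the query times are constructed, and the model follows only the documented rules (depletion reactivates the whole group after all members fail plus the deadtime; timed retries each failed server after 30 seconds).

```python
# Added illustration (not Cisco code) of the two reactivation policies above;
# server names, failure times and query times are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TIMED_RETRY_SECONDS = 30   # "timed" retries a failed server after 30 s of down time


@dataclass
class AaaServerGroup:
    servers: List[str]                         # group members in configured order
    mode: str = "depletion"                    # FTD default: depletion, deadtime 10
    deadtime_minutes: int = 10
    failed_at: Dict[str, float] = field(default_factory=dict)
    reactivate_all_at: Optional[float] = None  # depletion: end of the deadtime window

    def mark_failed(self, server: str, now: float) -> None:
        """Server exhausted its retries; in depletion mode the deadtime clock
        only starts when the *last* member of the group fails."""
        self.failed_at[server] = now
        if self.mode == "depletion" and len(self.failed_at) == len(self.servers):
            self.reactivate_all_at = now + self.deadtime_minutes * 60

    def active_servers(self, now: float) -> List[str]:
        """Members eligible to receive the next AAA request at time `now` (seconds)."""
        if self.mode == "timed":
            # each failed server comes back on its own 30 s after it went down
            self.failed_at = {s: t for s, t in self.failed_at.items()
                              if now - t < TIMED_RETRY_SECONDS}
        elif self.reactivate_all_at is not None and now >= self.reactivate_all_at:
            # depletion: nothing is retried until every server has failed AND the
            # deadtime has elapsed; then the whole group is re-enabled at once
            self.failed_at.clear()
            self.reactivate_all_at = None
        return [s for s in self.servers if s not in self.failed_at]


def run_scenario(mode: str) -> Dict[int, List[str]]:
    """Constructed timeline: ISE-1 fails at t=0 s, ISE-2 fails at t=120 s.
    Returns the active members at t=60, 140 and 800 s (800 > 120 + 10*60)."""
    group = AaaServerGroup(["ISE-1", "ISE-2"], mode=mode, deadtime_minutes=10)
    group.mark_failed("ISE-1", 0)
    snapshot = {60: group.active_servers(60)}
    group.mark_failed("ISE-2", 120)
    snapshot[140] = group.active_servers(140)
    snapshot[800] = group.active_servers(800)
    return snapshot
```

With the default depletion policy the group is left with no usable server between the second failure and the end of the deadtime, whereas timed mode has ISE-1 back in rotation within 30 seconds; this is the operational gap the enhancement request is about.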
Conditions
1) FMC
2) Multiple AAA servers configured under the same group
3) FTD device
Workaround
FlexConfig:
- add the reactivation-mode {depletion [deadtime minutes] | timed} command under the aaa-server group
Example of configuration:
aaa-server ISE-RADIUS protocol radius
reactivation-mode timed
or
reactivate the failed AAA server manually from the FTD CLI, using the following command as an example:
# aaa-server ISE-RADIUS {active | fail} host {DNS name | IP address}
Further Problem Description