ACS 4.2.0 AAA-server-IP-address changing to 169.254.x.x

Hello,
I have ACS 4.2.0.124.15 installed on a Windows Server 2008.
In the configuration menu Network Config > AAA Server, the AAA server IP address changes to 169.254.x.x each time I disconnect the Ethernet interface of the server.
However, the IP address in the network connection settings of the Windows LAN connection is set to static.
When I reconnect the Ethernet interface of the server, it stays at 169.154.x.x, and I need to reconfigure the real static address each time.
Do you know this problem? Is there a way to avoid it?
Michel Misonne

Hi Michel,
It was an issue in the ACS 1113 SE Appliance, and a clear solution for the above is given at the link below:
http://www.ciscosystems.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00808d9199.shtml#stat
HTH
Ganesh.H

Similar Messages

  • DHCP Address changes to 169.254.x.x after starting to download image in PE

    Our network requires the user to register their computer on the network to obtain network access.  This really isn't for security, but for tracking reasons.  This registration is done via the web on a temporary private network they get sent to if the DHCP server doesn't recognize the machine.  Once registered they can either reboot and renew their IP or just wait till the IP times out, which is 2 minutes, to gain access to the network with a real IP.  The temporary network runs 2 minute lease times because of the limited number of IPs and the large turnaround we have on this network during peak times.  The real network runs 4 hour lease times mainly just because of the large turnaround of computers; some buildings have been reduced to 1 hour because at 4 hours we would run out of IPs for the building.  We have a class B subnet for real IPs that all clients get; with IPv4 we have to play a delicate balancing act to keep from running out.  We are in the process of implementing IPv6, which could solve some of these problems.
    Back to my problem.  When a bare metal computer comes in, the tech needs to load the machine.  At this point it is on the temporary network.  The tech boots the computer into PE, either CD or PXE.  Then they register the computer with ConfigMgr and start up the correct task sequence.  Even with the 2 minute lease time the client maintains constant connectivity no matter how long the user takes to register the client.  You can wait days if you like.  Once the task sequence is chosen and it starts to apply the image it will fail.  If you push F8 and do an ipconfig it shows a 169.254.x.x IP address.  If you try to renew the IP you get "An error occurred while renewing interface Local Area Connection : The requested address is not valid in its context."  You can release and renew and get a new IP, but at this point the task sequence has failed with error 0x80070035.  This is a problem with all models of computer, even in VMware.
    Has anyone experienced this problem?  I've seen other posts before and the solution was always to bump up the lease time, which the network guys won't and probably can't do.  It is like the IP will not auto renew while downloading an image.  This happens whether you do download as needed by task sequence or access content directly.  We are in native mode, but had the same problem in mixed.

    We need to be able to image bare metal computers from anywhere on the network so using a dedicated vlan is difficult.  The requirement for network registration during the setup process has been a problem for years, but with little resolution between the techs and the network guys.
    We are using public IPs for clients because many years ago the routing hardware couldn't handle the NAT translations for the large number of clients.  The network guys don't have dynamic VLANs configured, although I think they are working on it; right now they just piggyback subnets on interfaces.  Also, the separate VLAN for loading computers would be partially difficult since this has to work in all buildings, but because of potential routing problems they don't put a VLAN in more than one building.  Each building right now has at least 1 dedicated VLAN with a corresponding subnet and router.  Most of our core is 10Gb with at least 2Gb-10Gb to each building, so bandwidth usually isn't a problem.  The DHCP server is old, but handling the work load just fine.
    Our environment doesn't 100% match the typical corporation that runs ConfigMgr.  We have a primary central support area and then many sub support areas that all do their own thing with special image requirements.  There is a need to keep these areas separate, but centrally managed with minimal administrative overhead.  So to handle this we use unknown computer support just to make booting with PXE into PE.  I then use tsconfig.ini to call a modified version of the unknownsystem.hta from the ConfigMgr SDK.  The tech doing the imaging logs into this screen and selects an image collection (the available list is based on the user's rights to the collections), AD OU, custom variable settings, and machine name to add the computer to the system and receive the appropriate OS advertisements without having to add the system manually through the ConfigMgr console.
    We are still working on ways to avoid the network registration step or register the computer on behalf of the client, but would still like to figure out this problem.
    Thanks,
    Sam

  • Not able to access object after server IP address changes

    I have an Activatable object that gets registered with the RMIDs registry.
    If my server's IP address changes, then when I look up the remote object, I can retrieve it from the registry, but as soon as I make a method call I get an access denied to xx.xx.xx.xx, where xx.xx.xx.xx is the old IP address - and not the new one.
    I've tried rebinding the object to the registry after the IP address has changed but with no success.
    I've also tried setting -Dnetworkaddress.cache.ttl=0. All my lookups are done by hostname.
    Any ideas?
    TIA
    Ian

    If the server changes its IP address all stubs which have already been exported become invalid and must be reacquired. For an Activatable this also means that you must re-register the object as an Activatable as well as rebinding it.

  • Why Windows keep detecting ip address such as 169.254.201.217/16 Both on Windows 8 and Windows 8.1

    Why Windows 8 and Windows 8.1 (Even Windows 7) detects ip network address 169.254.201.217/16 on my computer???
    I keep getting that most of the time.
     

    Hi 
    This is my host files.
    # Copyright (c) 1993-2009 Microsoft Corp.
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    # For example:
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host
    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1       localhost
    # ::1             localhost
    And this is my network files.
    # Copyright (c) 1993-1999 Microsoft Corp.
    # This file contains network name/network number mappings for 
    # local networks. Network numbers are recognized in dotted decimal form.
    # Format:
    # <network name>  <network number>     [aliases...]  [#<comment>]
    # For example:
    #    loopback     127
    #    campus       284.122.107
    #    london       284.122.108
    loopback                 127

  • File Server IP address change

    I am migrating my file server from server 2003 to a new box server 2012. I plan on keeping the hostname same but the IP address will change.
    Any known issues with this?
    Vijay

    That depends on how your clients access your file server. If they access the file server by host name, all is OK. If they access it by IP address, you must notify all clients of the IP address change.

  • ACS error, AAA Server is a referenced in the Proxy Distribution Table

    When installing the ACS appliance (4.1) I have an issue where during the setup it prompts for a static address, gateway, and DNS. This is fine, and network connectivity is tested during this time and succeeds.
    Everything seems to be fine except that, when logging in to the GUI, under Network Configuration > AAA Servers I see:
    AAA server   AAA server IP address   AAA server type
    self         10.10.10.1              CiscoSecure ACS
    ciscoacs     169.254.25.58           CiscoSecure ACS
    Under Network Configuration > Proxy Distribution Table:
    Character String   AAA Servers   Strip   Account
    Default            ciscoacs      no      Local
    The 2 questions I have are how to stop the 169.x.x.x address (or why this is being put into the configuration), and how to delete it, as the following error is observed when trying.
    ACS error when trying to delete:
    “Can not Delete AAA Server, AAA Server is a referenced in the Proxy Distribution Table”
    Many Thanks MJ

    Go to
    Network Configuration > Proxy Distribution Table > (Default).
    Swap the entry in this section under the tables AAA Servers and Forward To > Submit + Restart.
    Then try to delete the 169.x.x.x entry.
    Regards,
    Prem

  • Acs se aaa server problem

    HI
    I have installed ACS SE for PEAP authentication in a wireless network.
    However, when I install the ACS SE it shows me 2 profiles (self and deliverance) after initial config in the AAA server window of Network Configuration.
    The name of the default server is deliverance and its IP is 169.x.x.x, which is the default NIC IP, as you can check during the initial startup configuration.
    Please help me to get this fixed.

    Hi.
    The name of the ACS SE listed in AAA Server section is "self".
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NetCfg.html#wp341780
    "In ACS SE, the name of the machine is listed as self."
    "deliverance1" is the default ACS SE name(hostname).
    Sometimes what happens is this: even if we have the ACS SE connected to the network during initial configuration, and we change the name of the ACS SE from "deliverance1" to something that we want, then after the changes have been made on the ACS SE, it comes back and shows the IP 169.x.x.x associated with the new hostname.
    NOTE: I am assuming that during initial configuration the ACS SE was connected to the network. If not, then this is supposed to happen.
    In order to correct this issue, follow these steps:
    [1] On ACS hardware/appliance go to,
    Reports and Activity > Appliance Status Page >
    From "NIC Configuration", copy the IP address of the ACS SE.
    Interface Configuration > Advanced Options > check "Distributed System Settings" > Submit.
    Network Configuration > under "AAA Servers" > Search > type the IP address of the ACS hardware/appliance > Search.
    Note down the "Name" against the IP address of the ACS SE.
    Now go to Network Configuration > under "Proxy Distribution Table" > (Default) > make sure that the name that appeared against the IP address of the ACS hardware/appliance is in the "Forward To" column. If it is not, move it, and move all other entries under the "AAA Servers" column and press "Submit + Restart".
    And delete the entry from the AAA Server section that is associated with IP address 169.x.x.x.
    [2] Now, if you do not want the name that is shown in the Proxy Distribution Table, and want the one that is there in the section,
    System configuration > Appliance Configuration... Hostname section, associated with the correct IP address. Then do this,
    Establish Serial Console connection to ACS SE,
    Issue the command "set hostname " and then reboot the ACS SE by command, "reboot".
    [3] Once the ACS SE is back up, go to Network Configuration > under "Proxy Distribution Table" > (Default) > and make sure that the new name is in the "Forward To" column > Submit + Restart.
    Now, the correct IP address will be associated with the correct hostname.
    Regards.
    Prem
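
The cleanup that both ACS threads above walk through (find the AAA Servers entry holding a 169.254.x.x address, check whether the Proxy Distribution Table still forwards to it, swap, then delete) can be checked offline. This is an added Python example, not Cisco tooling or code from the posts; the pasted-row format, the `PROXY_TABLE` layout and the function names are assumptions, and the sample rows are constructed from the table quoted above.

```python
import ipaddress

# Constructed sample: rows copied from Network Configuration > AAA Servers
# as "name ip type" (values modelled on the table quoted in the thread).
AAA_SERVERS_TEXT = """\
self 10.10.10.1 CiscoSecure ACS
ciscoacs 169.254.25.58 CiscoSecure ACS
"""

# Constructed sample: Proxy Distribution Table as
# {character string: names listed in the "Forward To" column}.
PROXY_TABLE = {"(Default)": ["ciscoacs"]}


def parse_aaa_servers(text):
    """Parse pasted rows into (name, ip, server_type) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue  # skip blank or truncated rows
        rows.append((parts[0], parts[1], parts[2] if len(parts) == 3 else ""))
    return rows


def classify(ip):
    """Return 'ok', 'link-local' (IPv4: 169.254.0.0/16, APIPA) or 'invalid'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    return "link-local" if addr.is_link_local else "ok"


def audit_aaa_servers(rows, proxy_table):
    """List entries whose address is not usable, and what blocks their deletion."""
    usable = [name for name, ip, _ in rows if classify(ip) == "ok"]
    findings = []
    for name, ip, _ in rows:
        state = classify(ip)
        if state == "ok":
            continue
        # ACS refuses to delete an entry that a proxy rule still forwards to.
        referenced_by = sorted(
            rule for rule, forward_to in proxy_table.items() if name in forward_to
        )
        findings.append({
            "name": name,
            "ip": ip,
            "problem": state,
            "referenced_by": referenced_by,
            "deletable": not referenced_by,
            "forward_to_instead": usable,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_aaa_servers(parse_aaa_servers(AAA_SERVERS_TEXT), PROXY_TABLE):
        print(finding)
```
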

  • Airports fail to serve DHCP addresses

    I am having trouble reconfiguring an existing network with 2 Airport devices -- switching to having the Airports serve addresses via DHCP is failing, and would appreciate help determining what I'm doing wrong here.
    Details:
    I have a network with a 16-IP public address space x.x.x.208-223.  My DSL router/firewall is at x.209, and I have various devices with manually assigned static IPs in the x.210-x.218 range.  The router is configured to serve up the last 4 IP addresses x.219-x.222 via DHCP.  Within the static IP range, I have a Time Capsule at x.210 and an Airport Express at x.214, located at far ends of the house, and running differently named wireless networks.  They have so far been configured with [Connection sharing: Off (Bridge Mode)] under Internet > Internet Connection and appropriate manual settings under Internet > TCP/IP.
    All has worked fine with this configuration to-date.  Our few devices without a static IP were assigned DHCP addresses from the 219-222 range, whether connected via our hard-wired ethernet network, or over either wireless network -- the addresses picked up from the router at 209.
    While the 4 addresses available by DHCP were previously sufficient, with the proliferation of mobile devices in my family, it's not enough anymore, and I am trying to reconfigure the Airports to serve up private network blocks 10.0.x.x and 10.0.y.y via DHCP [Connection sharing: Share a public IP address].  This is not working.  When I reconfigure either Airport in this manner, network devices connecting via wireless no longer can connect to the internet.  Connection to the wireless network itself is fine, but the device is unable to get a DHCP address from the Airport.  Instead, after a short delay it gets a self-assigned address in the 169.254.x.x range.  This happens with either Airport base station, and both with my iPhone 4 as well as my MacBook Pro.
    Thinking that having the router serve DHCP within the public space might be interfering with the Airport DHCP in its own private block, I tried disabling DHCP at the router.  Even so, I cannot get the Airports to start serving IP addresses to their wireless clients.
    Any suggestions ?

    Hi Linc,
    I appreciate the discussion.  Let me reply in-line
    Linc Davis wrote:
    I'm having a lot of trouble understanding your questions. Rather than trying to figure it out, let me tell you how it should work.
    You have a DSL modem that is also a router. It gets an address for its WAN interface from your ISP's DHCP server, or it has a static address -- doesn't matter which.
    My router has a static WAN IP address, which is in my ISP's subnet.  The LAN is my own public subnet 209.128.72.208/28, and the router's LAN IP address is 209.128.72.209.
    It had better not be serving DHCP on the WAN, or you may get kicked off by your ISP. I'd be surprised if you were even able to configure it that way.
    No, it's not serving DHCP on the WAN.  It is serving DHCP only on the LAN, in the 209.128.72.219-222 range.
    The router's LAN interface has a fixed private IP address that you configure. It serves DHCP to other devices on the LAN.
    Yes, that is how it is.
    The AE can get an address from the router for its Ethernet port from the router, or it can have a fixed address, whichever you want.
    Yes, it is configured with its own static, manually configured address, which is 209.128.72.214, outside of the DHCP range served by the router.
    Set it to operate in bridge mode, which means that the wireless network will be like an extension of the wired network, with the same address pool. Wireless devices will get their addresses from the router.
    Yes.  To-date I have operated it in bridge mode, exactly that way.  And it's worked great up until now.  Devices with manually assigned IP addresses in the 209.128.72.210-218 range have worked fine either when connected by ethernet or wireless, and those without (iPhones, etc) have picked up DHCP addresses from the router just fine.
    The AE does not need to be a DHCP server.
    Unless your needs are very unusual, that setup will work for you.
    And so it has worked that way for a while.  However, my needs have changed recently.  The range of available IPs for DHCP from the router is limited to 4 devices (209.128.72.219-222).  That worked fine when we had only 4 devices (iPhone, iPad, Roku, and Blackberry).  Now, the kids have wireless devices (iPod touch and an old iPhone).  The available range is not sufficient for 6 devices.  So, rather than serve wireless devices with addresses from the limited remaining IPs in the public subnet, I want to have the AE serve DHCP in a private network 10.1.x.0/24, which obviously has a lot more room.
    I'm willing to try turning off DHCP on the router completely.  That doesn't seem to help -- I've tried it twice.

  • IP address 169.254....

    Hello,
    A few weeks ago, both my ethernet and my airport were working fine in my dormitory and anywhere I went.  Then in my dormitory, the ethernet suddenly stopped working as I was using it.  I didn't change any settings, I was not messing around with anything. It just suddenly stopped!  I tried asking for help from the people in the dormitory, but being in a place where no one (in the dormitories and IT technicians) really speaks my language and I don't really speak theirs doesn't help very much. Plus the fact that they don't really seem to be able to use and fix Mac problems.  My ethernet cable connection works excellent with any other computer that is connected to it BUT with mine.
    Anyways, everything is on automatic the way it should be, but it shows that the self-assigned IP address is 169.254. etc, and it cannot connect to the internet.  It happens with both ethernet and airport.  With the airport I used to connect perfectly, but now, a few places where I used to connect perfectly won't work anymore, and it shows this same IP address of 169.254.blah.blah.  It has been driving me crazy not being able to connect to the internet properly since it is the only way I can communicate with my family.  Could anyone PLEASE help me? I am really desperate here T^T Thank You!!
    Regards,
    Omar.

    Try removing all the RAM and putting in new RAM. We had a PowerMac G5 at work that couldn't connect to the Ethernet no matter what we did. I was convinced it was the motherboard/Ethernet connection failure. But after running a couple of hardware tests, it came up with bad RAM. Put in all new RAM, and lo and behold, we have Internet!!
    This would explain why multiple computers can connect to an internet connection, but one computer doesn't.
    I'm having this problem with my MacBook Pro right now, and will attempt to take out the RAM when I get home to see if it fixes it. I had it at work, and was in the middle of surfing on our Ethernet network, when it suddenly stopped. I just put new RAM in a few weeks ago, so one might have failed.

  • AAA Server IP Pool based on AAA Client

    Hi,
    I have a scenario where I need to be able to allocate an IP address to a user group from a pool on the AAA server based on the AAA client that the user authenticates against.
    So for example if the user comes in on CPE1 they get assigned an address from Pool A, if they come in on CPE2 they get an address assigned from Pool B.
    Any pointers on how to do this (if possible) would be greatly appreciated.
    Thanks in advance
    Andy

    With ACS v4 you could do this....
    Define your pools and add your devices to their own NDGs. Then define a NAP which is triggered off each NDG. Each NAP can use its own group mapping scheme, with each target group using a different IP pool.
    Probably only works when users are external, as you need group mapping to make it work.
    A bit kludgy... but should work.

  • AAA static IP address for RA VPN Client

    Hi,
    My VPN group and VPN pool are locally created in the Cisco VPN router, but users are authenticated through ACS, the AAA server, via TACACS. Now I want to assign a static IP address to the VPN client. Everything is fine, but due to an application problem I want to give them a static IP address from the VPN pool. I have created one pool in the AAA server and also configured the client in AAA to get the static IP address, but I am unable to do this. Please help me out with how to do this.
    My router is configured for TACACS+. I have checked the user configuration in the AAA server to get the static IP address but it is not working. Please help me out with how to do this. I can't change the router to RADIUS, as this is my main router, which is configured for 160 sites through ISDN, and these sites are also configured for TACACS+.
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2 
    crypto isakmp client configuration group Aviation-VPN
    key egntosc
    pool aviation-pool
    acl avi-tunnel
    save-password
    netmask 255.255.255.0
    crypto isakmp profile vpnclient
       match identity group Aviation-VPN
       client authentication list default
       isakmp authorization list Aviation-authorization
       client configuration address respond
    crypto ipsec transform-set aviset esp-3des esp-sha-hmac
    crypto dynamic-map avi 10
    set transform-set aviset
    set isakmp-profile vpnclient
    reverse-route

    Since you're using ACS, I believe the way to do this is to
    go into ACS, and select the username of the user that you want
    to get the static IP. Under that user's setup, there is an option to
    always assign the same IP. Just select that and enter the IP you
    want them to get. - chris

  • AAA server logs replication

    1. We have two locations and require Cisco ACS 5.x for each location.
    2. Both locations are connected via an MPLS link.
    3. We need to deploy both ACS in Active-Active or Active-Standby.
    4. The idea is that users in network A will have their primary ACS as ACS A and secondary ACS as ACS B.
    5. Similarly, users in network B will have their primary ACS as ACS B, local to their LAN.
       If the ACS in network A goes down, then users in network A should be able to authenticate using ACS B in the remote network, and vice versa.
    6. Now, what we understood from reading the ACS documents is that in case one of the ACS goes down, the accounting logs do not get replicated to the secondary ACS, and vice versa.
    7. I would like to have a kind of setup wherein accounting logs are also replicated between ACS servers. The idea is that I should have complete logs of both servers up to the time one of the ACS breaks down.
    Kindly let me know if the accounting logs can be replicated in the manner as mentioned above.
    Also let me know the typical bandwidth utilized during replication of ACS A to ACS B.
    We have around 500 users combining both sides.
    Our proposal is dependent upon working of the above solution…kindly see if ACS5.x will work in the above scenario as we need to propose the same.

    I hope I get your question correctly. The AAA group tag is local to the AAA Client and has nothing to do with the AAA Server (e.g. ACS). It is meant to group more than one TACACS/RADIUS server.
    Proxy Distribution Table is used when you have Multiple ACS servers and you want to route incoming AAA requests to particular server(s) based on pre-defined criteria. Like user1@NY should be redirected to the NewYork ACS.
    Regards
    Farrukh

  • Errors on aaa server

    Hello,
    Please, which service is actually suspended when the AAA server gives this report?
    "Service CSAuth has been stopped or paused by the system. Monitoring will suspend until the service is restarted."
    And how can I resolve it?
    Also, my backup AAA server is still not replying. If I shut down the service on the primary ACS, the errors I get when I try to log in are "auth server down".
    What can I do to correct these?

    To my knowledge, it's the authentication service like Radius or Tacacs+ that is suspended.

  • More than 1 AAA server for logging in to WebVPN

    Hi everybody,
    Does anyone know if ASA supports simultaneous authentication against more than 1 AAA server? I've created an LDAP and a SecurID token account for every user and want them to provide both sets of account information for logging in to WebVPN.
    Please advise.
    Thanks in advance,
    Nitass

    If the AAA server you are referring to is a "radius server", then you can try out the following commands.
    In ASDM you would simply add the said RADIUS servers to the "server group"
    If you wish to do this through CLI, you would define a group eg
    aaa-server radius protocol radius
    aaa-server radius host x.x.x.x
    aaa-server radius host y.y.y.y
    aaa-server radius host z.z.z.z
    and you would then call this in the said tunnel-group :
    tunnel-group opsource type ipsec-ra
    tunnel-group opsource general-attributes
    address-pool admin_ra
    authentication-server-group radius LOCAL
    default-group-policy opsource

  • ACS replication and IP pools server

    Hi, I have 2 ACS 3.3.2 with replication active and the IP pools server function active.
    I know that the IP pool definitions are not replicated but the group associations with pools are.
    What's the best way to manage the IP pools on the 2 ACSs?
    60% of the pool on the first and 40% on the second?
    Or is there a way to inform the second ACS of each single IP assigned by the first ACS to avoid overlapping, in case of failure of the first ACS?
    Thank you in advance
    Greetings
    Renato

    IP pools are purposely not replicated automatically, no way around it. This is to avoid the situation where users authenticating to two different ACS servers get allocated the same IP address.
    Basically there's nothing in ACS where the primary and backups talk to each other about what IP addresses they've allocated (this would be a huge task and require some new sort of communication mechanism between servers). If the same IP pool is configured on all 3 servers, they'll just blindly allocate the next available IP address to users, and you'll run into scenarios where two (or more) users get given the same address.
    The pool is therefore purposely not replicated, which means you have to go in manually and configure it, making sure you configure a UNIQUE pool across the 3 servers. This only has to be done once and is then there forever.
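
Since the pools are entered by hand on each server, the uniqueness requirement described in this answer, and the 60/40 split the question proposes, can be checked before the ranges are typed in. This is an added Python example, not an ACS feature or code from the thread; the server names, pool name, address ranges and function names are constructed assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed sample: pools as configured by hand on each ACS,
# {server: {pool name: (first address, last address)}}.
POOLS = {
    "acs-a": {"vpn-users": ("10.20.0.10", "10.20.0.160")},
    "acs-b": {"vpn-users": ("10.20.0.150", "10.20.0.250")},
}


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _to_str(value):
    return str(ipaddress.IPv4Address(value))


def find_cross_server_overlaps(pools):
    """Return every address range that two different servers could both hand out."""
    ranges = []
    for server, server_pools in pools.items():
        for pool, (first, last) in server_pools.items():
            lo, hi = _to_int(first), _to_int(last)
            if lo > hi:
                raise ValueError(f"{server}/{pool}: first address is after last")
            ranges.append((server, pool, lo, hi))
    overlaps = []
    for (s1, p1, lo1, hi1), (s2, p2, lo2, hi2) in combinations(ranges, 2):
        if s1 == s2:
            continue  # only separate servers allocate without seeing each other
        lo, hi = max(lo1, lo2), min(hi1, hi2)
        if lo <= hi:
            overlaps.append({
                "pools": (f"{s1}/{p1}", f"{s2}/{p2}"),
                "first": _to_str(lo),
                "last": _to_str(hi),
                "addresses": hi - lo + 1,
            })
    return overlaps


def split_pool(first, last, shares):
    """Cut one range into disjoint consecutive ranges sized by shares, e.g. (60, 40)."""
    lo, hi = _to_int(first), _to_int(last)
    total, weight = hi - lo + 1, sum(shares)
    parts, start = [], lo
    for i, share in enumerate(shares):
        is_last = i == len(shares) - 1
        # The last server takes whatever remains so no address is left unassigned.
        size = (hi - start + 1) if is_last else total * share // weight
        if size < 1:
            raise ValueError("range too small for the requested shares")
        parts.append((_to_str(start), _to_str(start + size - 1)))
        start += size
    return parts


if __name__ == "__main__":
    print(find_cross_server_overlaps(POOLS))
    print(split_pool("10.20.0.1", "10.20.0.100", (60, 40)))
```
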
