In a failover scenario using Cisco ACS, when the primary VIP EG was disabled, the Cisco ASA was unable to reach the secondary VIP EG through Cisco ACS, and vice versa.
The Cisco ACS timeout configured for each validation server was very large (about 60 seconds) and the number of retries was set to 3, so ACS spent up to 60 * 3 = 180 seconds on an unresponsive server before moving on; this delay also caused an otherwise successful packet transmission to time out.
After setting the LDAP timeout to 5 seconds in VIP EG, and the Cisco ACS timeout to 3 seconds with 2 retries for each validation server, the Cisco ASA was able to switch successfully between the primary and secondary EG servers during failover.
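The following added example (not from the original article or from Cisco or Symantec) models the nested timeout budget in the ASA to ACS to VIP EG to LDAP chain, using the before and after values above; the ASA-side wait of 30 seconds is an assumed placeholder, not a value stated in the article.

```python
"""Worst-case authentication delay when the primary VIP EG is down.

ACS retries an unresponsive validation server `retries` times, waiting
`timeout_s` each time, before it moves on to the secondary server. The
secondary EG then has to answer within its own LDAP timeout. All of that
must finish before whatever is waiting upstream (the ASA) gives up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AcsValidationServer:
    timeout_s: float  # ACS per-attempt timeout for this validation server
    retries: int      # attempts ACS makes before giving up on the server


def acs_dead_server_delay(server: AcsValidationServer) -> float:
    """Seconds ACS spends on an unresponsive validation server."""
    return server.timeout_s * server.retries


def worst_case_auth_time(primary: AcsValidationServer, ldap_timeout_s: float) -> float:
    """Primary EG is down: ACS burns its full retry window on it, then the
    secondary EG answers, bounded by the EG's LDAP timeout."""
    return acs_dead_server_delay(primary) + ldap_timeout_s


def failover_fits(primary: AcsValidationServer, ldap_timeout_s: float,
                  upstream_wait_s: float) -> bool:
    """True if the failover path completes before the upstream caller times out."""
    return worst_case_auth_time(primary, ldap_timeout_s) < upstream_wait_s


# Before tuning (values from the article): 60 s timeout, 3 retries.
BEFORE = AcsValidationServer(timeout_s=60, retries=3)
# After tuning (values from the article): 3 s timeout, 2 retries, 5 s LDAP timeout.
AFTER = AcsValidationServer(timeout_s=3, retries=2)
LDAP_TIMEOUT_AFTER_S = 5
ASSUMED_UPSTREAM_WAIT_S = 30  # placeholder for the ASA-side wait, not from the article

if __name__ == "__main__":
    print("before:", acs_dead_server_delay(BEFORE), "s on dead primary")
    print("after :", worst_case_auth_time(AFTER, LDAP_TIMEOUT_AFTER_S), "s worst case")
    print("fits  :", failover_fits(AFTER, LDAP_TIMEOUT_AFTER_S, ASSUMED_UPSTREAM_WAIT_S))
```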
Imported Document ID: SO21966