https://community.cisco.com/t5/network-access-control/slow-cli-response-after-implementing-tacacs/m-p/2059379#M163559 <HTML><HEAD></HEAD><BODY><P>Thanks Tarik, but that's not the case. I'm able to find the AAA logs on the ACS server, everything looks good on the server side. We have other devices with the same configuration, but this only happens on one device.</P></BODY></HTML> Tue, 02 Oct 2012 00:02:36 GMT Jerry Cao 2012-10-02T00:02:36Z https://community.cisco.com/t5/network-access-control/slow-cli-response-after-implementing-tacacs/m-p/2059377#M163546 <P>After implementing TACACS, one of our routers takes about 8 seconds to response to any CLI command. We have no problems with other devices in the same location with the same AAA configuration. The router is talking to the ACS server (ACS 5.3) and the logs on the ACS server look normal for the router as well. Anyone had the same issue or any suggestions?</P> Mon, 11 Mar 2019 02:37:05 GMT https://community.cisco.com/t5/network-access-control/slow-cli-response-after-implementing-tacacs/m-p/2059377#M163546 Jerry Cao 2019-03-11T02:37:05Z https://community.cisco.com/t5/network-access-control/slow-cli-response-after-implementing-tacacs/m-p/2059378#M163554 <HTML><HEAD></HEAD><BODY><P>Are you using a username that is present on the tacacs server and the local db?</P><P></P><P>My guess is your shared secret is wrong and you could have authenticated using the same account in the local db. Also how many tacacs servers are you using?</P><P></P><P></P><P>Sent from Cisco Technical Support Android App</P></BODY></HTML> Mon, 01 Oct 2012 23:51:20 GMT https://community.cisco.com/t5/network-access-control/slow-cli-response-after-implementing-tacacs/m-p/2059378#M163554 Tarik Admani 2012-10-01T23:51:20Z https://community.cisco.com/t5/network-access-control/slow-cli-response-after-implementing-tacacs/m-p/2059379#M163559 <HTML><HEAD></HEAD><BODY><P>Thanks Tarik, but that's not the case. I'm able to find the AAA logs on the ACS server, everything looks good on the server side. We have other devices with the same configuration, but this only happens on one device.</P></BODY></HTML> Tue, 02 Oct 2012 00:02:36 GMT https://community.cisco.com/t5/network-access-control/slow-cli-response-after-implementing-tacacs/m-p/2059379#M163559 Jerry Cao 2012-10-02T00:02:36Z https://community.cisco.com/t5/network-access-control/slow-cli-response-after-implementing-tacacs/m-p/2059380#M163583 <HTML><HEAD></HEAD><BODY><P>Are you using single connect in your tacacs configuration can you issue show run | inc aaa, show run | inc tacacs. When you run "test aaa authentication group tacacs (use ? And tab to build the command correctly), see if it take long for the authentication.</P><P></P><P>What version and hardware are you on?</P><P></P><P></P><P>Sent from Cisco Technical Support Android App</P></BODY></HTML> Tue, 02 Oct 2012 00:08:41 GMT https://community.cisco.com/t5/network-access-control/slow-cli-response-after-implementing-tacacs/m-p/2059380#M163583 Tarik Admani 2012-10-02T00:08:41Z https://community.cisco.com/t5/network-access-control/slow-cli-response-after-implementing-tacacs/m-p/2059381#M163596 <HTML><HEAD></HEAD><BODY><P>Tarik, thanks for the quick reply. I found the cause. It was the reverse DNS lookup.</P><P></P><P>I turned on debug on the router: debug aaa accounting</P><P>and found a message:" Domain: query for <EM>x.x.x.x</EM>.in-addr.arpa. type 12 to 255.255.255.255"</P><P>Then I issued command: no ip domain-lookup</P><P>everything is back to normal.</P></BODY></HTML> Tue, 02 Oct 2012 00:21:02 GMT https://community.cisco.com/t5/network-access-control/slow-cli-response-after-implementing-tacacs/m-p/2059381#M163596 Jerry Cao 2012-10-02T00:21:02Z https://community.cisco.com/t5/network-access-control/slow-cli-response-after-implementing-tacacs/m-p/2059382#M163616 <HTML><HEAD></HEAD><BODY><P>hello <STRONG>Jerry Cao !</STRONG></P><P></P><P>You are rights, I have solved this with "no ip domain-lookup"</P><P></P><P>Thank you !!!</P></BODY></HTML> Thu, 20 Jun 2013 11:05:52 GMT https://community.cisco.com/t5/network-access-control/slow-cli-response-after-implementing-tacacs/m-p/2059382#M163616 Dumitru Otel 2013-06-20T11:05:52Z https://community.cisco.com/t5/network-access-control/slow-cli-response-after-implementing-tacacs/m-p/2059383#M163641 <P>I'm having the same issue on a Cisco Wide Area Application Services (universal-k9) Software Release 5.3.1 (build b20 Aug &nbsp;4&nbsp;<BR />2013)&nbsp;Version: oe294-5.3.1.20. &nbsp; It will not authenticate with TACAS and is taking up to 2 minutes for cli commands to respond. &nbsp;I have several other Cisco WANX NM-SRE910&nbsp;devices using the same configuration and they are working fine. &nbsp;I've included a snippet of the config below. &nbsp;Any help would be greatly appreciated.</P><P>&nbsp;</P><P>tacacs key ****<BR />tacacs timeout 15<BR />tacacs host 10.2.100.100 primary<BR />tacacs host 10.2.100.101<BR />aaa accounting exec default start-stop tacacs<BR />aaa accounting commands 15 default start-stop tacacs<BR />authentication login tacacs enable primary<BR />authentication configuration tacacs enable primary<BR />authentication login local enable secondary<BR />authentication configuration local enable secondary<BR />authentication fail-over server-unreachable<BR />aaa authorization commands 15 default tacacs+</P><P>&nbsp;</P><P>Thanks,</P><P>JD Canty</P><P>Network Engineer GLS, Inc.</P><P>jcanty@gls.com</P><P>704-973-6829</P> Mon, 23 Jun 2014 19:37:10 GMT https://community.cisco.com/t5/network-access-control/slow-cli-response-after-implementing-tacacs/m-p/2059383#M163641 7tclark 2014-06-23T19:37:10Z