https://community.cisco.com/t5/network-access-control/acs-5-2-vm-authentication-timeout/m-p/1767608#M228780 <HTML><HEAD></HEAD><BODY><P>Jose,</P><P></P><P>You mentioned there was a firewall in the picture, at the devices being translated before they hit the ACS server? Does the ACS have these clients in its database? Also is this problem limited to all devices on this subnet or do a few work and the others do not?</P><P></P><P>Also for additional troubleshooting you can follow these steps to enable debug levels on the ACS processes. Login into the cli of the acs &gt; acs-config &gt; (gui username and password) &gt; debug-logs runtime level debug &gt; exit.</P><P></P><P>then as you are reproducing the issue you can try to catch these on the cli by entering "show acs-logs filename acsRuntime.log | last 80" or you can download the support bundle after reproducing the issue and check the acsRuntime.log or any of the archive files in case you box is under a lot of load.</P><P></P><P>Thanks,</P><P>Tarik</P></BODY></HTML> Sun, 11 Sep 2011 05:17:14 GMT Tarik Admani 2011-09-11T05:17:14Z https://community.cisco.com/t5/network-access-control/acs-5-2-vm-authentication-timeout/m-p/1767607#M228757 <P>Hi All,</P><P></P><P>I'm troubleshooting a very strange problem. I have several devices on the same subnet and with similar configuration. All of them were entered manually on the ACS server and are configured to authenticate using TACACS+. Some of the devices can authenticate ok, but other will timeout. I did a tcpdump on the firewall port and can see the device sending the SYN to the ACS server but the server sends no reply to the device. </P><P></P><P>Any ideas? Could this be a device database problem? </P><P></P><P>Thanks,</P><P></P><P>Jose Ribeiro</P> Mon, 11 Mar 2019 01:23:09 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-vm-authentication-timeout/m-p/1767607#M228757 josefribeiro 2019-03-11T01:23:09Z https://community.cisco.com/t5/network-access-control/acs-5-2-vm-authentication-timeout/m-p/1767608#M228780 <HTML><HEAD></HEAD><BODY><P>Jose,</P><P></P><P>You mentioned there was a firewall in the picture, at the devices being translated before they hit the ACS server? Does the ACS have these clients in its database? Also is this problem limited to all devices on this subnet or do a few work and the others do not?</P><P></P><P>Also for additional troubleshooting you can follow these steps to enable debug levels on the ACS processes. Login into the cli of the acs &gt; acs-config &gt; (gui username and password) &gt; debug-logs runtime level debug &gt; exit.</P><P></P><P>then as you are reproducing the issue you can try to catch these on the cli by entering "show acs-logs filename acsRuntime.log | last 80" or you can download the support bundle after reproducing the issue and check the acsRuntime.log or any of the archive files in case you box is under a lot of load.</P><P></P><P>Thanks,</P><P>Tarik</P></BODY></HTML> Sun, 11 Sep 2011 05:17:14 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-vm-authentication-timeout/m-p/1767608#M228780 Tarik Admani 2011-09-11T05:17:14Z https://community.cisco.com/t5/network-access-control/acs-5-2-vm-authentication-timeout/m-p/1767609#M228798 <HTML><HEAD></HEAD><BODY><P>Hi Tarik,</P><P></P><P>Thanks for the reply.I tried what you mentioned and below is the result. I'm trying from client 10.88.194.33 authenticate to server 10.195.214.37. I captured packets on the ACS and I see requests coming to the ACS</P><P></P><P>Below I have to outputs, one from tech dumptcp and the other from the debug command you suggested. The issue is that ACS does not show the authentication attempt on the report.</P><P></P><P>Results from TECH DUMPTCP</P><P></P><P>16:09:28.386018 IP (tos 0x0, ttl&nbsp; 60, id 32894, offset 0, flags [none], proto 6, length: 52) 10.88.194.33.59919 &gt; ctsbigdcemath01.tacacs: F [tcp sum ok] 48:48(0) ack 1 win 5840 <NOP></NOP></P><P>16:09:28.435743 IP (tos 0x0, ttl&nbsp; 64, id 36921, offset 0, flags [DF], proto 6, length: 52) ctsbigdcemath01.tacacs &gt; 10.88.194.33.59919: . [tcp sum ok] 1:1(0) ack 49 win 46 <NOP></NOP></P><P>16:09:31.944350 IP (tos 0x0, ttl&nbsp; 60, id 14764, offset 0, flags [none], proto 6, length: 60) 10.88.194.33.60168 &gt; ctsbigdcemath01.tacacs: S [tcp sum ok] 401027082:401027082(0) win 5840 <MSS 1460=""></MSS></P><P>16:09:31.944350 IP (tos 0x0, ttl&nbsp; 64, id 0, offset 0, flags [DF], proto 6, length: 60) ctsbigdcemath01.tacacs &gt; 10.88.194.33.60168: S [tcp sum ok] 2134823712:2134823712(0) ack 401027083 win 5792 <MSS 1460=""></MSS></P><P>16:09:31.954321 IP (tos 0x0, ttl&nbsp; 60, id 14765, offset 0, flags [none], proto 6, length: 52) 10.88.194.33.60168 &gt; ctsbigdcemath01.tacacs: . [tcp sum ok] 1:1(0) ack 1 win 5840 <NOP></NOP></P><P>16:09:31.954321 IP (tos 0x0, ttl&nbsp; 60, id 14766, offset 0, flags [none], proto 6, length: 99) 10.88.194.33.60168 &gt; ctsbigdcemath01.tacacs: P 1:48(47) ack 1 win 5840 <NOP></NOP></P><P>16:09:31.954321 IP (tos 0x0, ttl&nbsp; 64, id 51433, offset 0, flags [DF], proto 6, length: 52) ctsbigdcemath01.tacacs &gt; 10.88.194.33.60168: . [tcp sum ok] 1:1(0) ack 48 win 46 <NOP></NOP></P><P></P><P> RESULTS from DEBUG</P><P></P><P># show acs-logs filename acsRuntime.log | include 194.33</P><P>inboundProtocolManager,22/09/2011,16:39:22:487,DEBUG,3005852576,cntx=0002111090,Start Lookup for NAS with IP = 10.88.194.33,Protocol</P><P>DataUtils.cpp:278</P><P>inboundProtocolManager,22/09/2011,16:39:22:487,DEBUG,3005852576,cntx=0002111090,NAS with IP = 10.88.194.33 matches AAAClient with IP</P><P> = 10.88.194.33 and mask 32,ProtocolDataUtils.cpp:327</P><P>inboundProtocolManager,22/09/2011,16:40:55:687,DEBUG,3005852576,cntx=0002111302,Start Lookup for NAS with IP = 10.88.194.33,Protocol</P><P>DataUtils.cpp:278</P><P>inboundProtocolManager,22/09/2011,16:40:55:687,DEBUG,3005852576,cntx=0002111302,NAS with IP = 10.88.194.33 matches AAAClient with IP</P><P> = 10.88.194.33 and mask 32,ProtocolDataUtils.cpp:327</P><P>inboundProtocolManager,22/09/2011,16:42:06:515,DEBUG,3005852576,cntx=0002111369,Start Lookup for NAS with IP = 10.88.194.33,Protocol</P><P>DataUtils.cpp:278</P><P>inboundProtocolManager,22/09/2011,16:42:06:515,DEBUG,3005852576,cntx=0002111369,NAS with IP = 10.88.194.33 matches AAAClient with IP</P><P> = 10.88.194.33 and mask 32,ProtocolDataUtils.cpp:327</P></BODY></HTML> Thu, 22 Sep 2011 21:03:56 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-vm-authentication-timeout/m-p/1767609#M228798 josefribeiro 2011-09-22T21:03:56Z https://community.cisco.com/t5/network-access-control/acs-5-2-vm-authentication-timeout/m-p/1767610#M228830 <HTML><HEAD></HEAD><BODY><P>Jose,</P><P></P><P>Do you see the hit count increase on the applicable rule when you try to log in from the non-working router?</P></BODY></HTML> Fri, 23 Sep 2011 13:35:25 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-vm-authentication-timeout/m-p/1767610#M228830 Javier Henderson 2011-09-23T13:35:25Z