topic Re: Secure ACS Intermittent in Network Access Control

Secure ACS Intermittent

jpl861 — Sun, 10 Mar 2019 21:59:17 GMT

Hi,

We are using Cisco Secure ACS and for the past week, our switch and router logins are really really intermittent. Most of the time, even if we are into the console already and issue a command, "authorization failed" will appear then just keep pressing up and enter then the command will be accepted. Any idea why is this happening? Thank you very much.

Re: Secure ACS Intermittent

darpotter — Thu, 15 Feb 2007 11:36:58 GMT

You could try looking in the in failed attempts report. This would be a good place to start.

Re: Secure ACS Intermittent

Vivek Santuka — Thu, 15 Feb 2007 12:07:16 GMT

Hi,

One more thing which is worth trying is to increase the tacacs-server timeout value.

Regards,

Vivek

Re: Secure ACS Intermittent

smue_decm — Thu, 22 Feb 2007 07:30:39 GMT

Hi,

we have the same problem in our network. Commands entered rapidly first work fine but after a period of time the commands are rejected - "authorization failed". With an increased "tacacs timeout" the message "authorization failed" doesn't appear anymore. as a result the tacacs queue increases and the switch or router has a faint response.

The accepted commands are listed in the "TACACS+ administration" log - as assumed. But the rejected commands don't appear in any log...what's the problem?

Re: Secure ACS Intermittent

ellis_b — Thu, 22 Feb 2007 08:11:11 GMT

Have you tried running a constant ping from the device to the ACS server? Is there something that is dropping packets along the path (ie from congestion or something)? What version of ACS are you running?

Re: Secure ACS Intermittent

smue_decm — Thu, 22 Feb 2007 09:04:17 GMT

Hi,

thanks for the reply.

We're using ACS 4.0.

The network's fine. We tested connectivity from a switch within our LAN AND over many hops from other devices in the network.

Re: Secure ACS Intermittent

Vivek Santuka — Thu, 22 Feb 2007 09:40:30 GMT

Hi,

You can try adding "single-connection" keyword after the "tacacs-server host" command in the device.

The single-connection keyword specifies a single connection (only valid with ACS). Rather than have the router open and close a TCP connection to the server each time it must communicate, the single-connection option maintains a single open connection between the router and the server.

The single connection is more efficient because it allows the server to handle a higher number of TACACS operations.

Regards,

Vivek

Re: Secure ACS Intermittent

smue_decm — Thu, 22 Feb 2007 10:25:45 GMT

Hi,

this works better now. But still, after several tries the entered commands end up in a queue...

Is there any possiblity without reconfiguring a switch or router?

Re: Secure ACS Intermittent

Vivek Santuka — Thu, 22 Feb 2007 10:31:23 GMT

Hi,

With 3.x there was a way to tweak ACS but with 4.x you will have to open a TAC case.

Regards,

Vivek

Re: Secure ACS Intermittent

darpotter — Thu, 22 Feb 2007 11:51:05 GMT

hmmm.. how many concurrent admin sessions might be performing T+ authorisation?

This could be ACS running out of spare connections. You'd see no errors in the ACS CSV, but you might see something in the CSTacacs service log. It really should log if connections/packets are being dropped.

Re: Secure ACS Intermittent

Vivek Santuka — Thu, 22 Feb 2007 12:32:55 GMT

Infact not only concurrent authorization session but accounting sessions also matter.

ACS can handle limited number of concurrent tacacs sessions.

Re: Secure ACS Intermittent

jpl861 — Thu, 22 Feb 2007 13:21:28 GMT

The ACS appliance doesn't reply to ping packets. We are using ACS 3.3.

Sometimes we have to type our username and password again and again because the ACS is not responding.

Can the timeout resolve this issue?

Thank you very much guys. 😃

Re: Secure ACS Intermittent

akemp — Thu, 22 Feb 2007 13:23:15 GMT

Very interesting indeed, do you have that magic number as I'm experiencing that same issue too.

The only figures that I've found documented are from 3.2 and only for 800 AP's and 100K users (how artificially they derived this synthetic info is questionable but Dewan the Product Manager for Cisco Wireless was kinda quiet about it)

Re: Secure ACS Intermittent

smue_decm — Thu, 22 Feb 2007 13:48:54 GMT

Hi,

thanks for your thoughts.

How many tacacs sessions can acs handle?

Re: Secure ACS Intermittent

Vivek Santuka — Thu, 22 Feb 2007 13:53:07 GMT

If I am not wrong Tacacs+ threads hover around a maximum of 50.

Regards,

Vivek

Re: Secure ACS Intermittent

Vivek Santuka — Thu, 22 Feb 2007 14:03:40 GMT

John,

ACS Solution enginer will not reply to ping if CSA Agent is enabled. (System Configuration->Appliance Configuration)

Increasing timeout is not always the answer but is a good first step in identifying the problem.

We could be experiencing a delay from the external db or even from remote logging facility. All these and more would contribute to a delay is authentication

ACS running out of threads is not a common thing and not seen often.

Auth.log would be a very good place to look for problems.

Regards,

Vivek

Re: Secure ACS Intermittent

smue_decm — Thu, 22 Feb 2007 14:25:24 GMT

Vivek,

our test-switch is now configured with:

tacas-server host [ip] single-connection

we're testing the following way:

- log in

- send a cmd (for example: show tacacs)

with "single-connection" on, we have to send a command very often to reproduce the queue and the "authorisation failed"-message - without "single-connection" it was worse.

now we're comparing the number of requests in auth.log with the number of commands that the aaa client sent. it seems to us that there are no dropped requests in auth.log - just "Start RQ****" and "Done RQ****".

we'll keep you posted.

Re: Secure ACS Intermittent

Vivek Santuka — Thu, 22 Feb 2007 14:37:29 GMT

Hi,

I would suggest setting the Log level to full (system configuration->Service control) while testing.

Regards,

Vivek

Re: Secure ACS Intermittent

smue_decm — Fri, 23 Feb 2007 09:53:07 GMT

Hi Vivek,

our log level was, and still is, set to full.

Re: Secure ACS Intermittent

smue_decm — Fri, 23 Feb 2007 10:32:26 GMT

Hi,

how many single-connections does a acs server handle?

Is there a limit? If so, could this limit be configured?

Can the active single-connections be monitored (how many open connections at a/one time?)

Is it possible to shut down active single-connections?