topic Re: ip tacacs source-interface Loopback0 is not working in Network Access Control

ip tacacs source-interface Loopback0 is not working

Raj Kumar L — Fri, 21 Feb 2020 18:53:08 GMT

Hi,

I have used Loopback 0 as Source interface for tacacs, But I am not able to logging using AD ID, But when I configure GIG 0/0 as source interface, I am able to logging in, Can you please help me to configure Loopback 0 as Source interface for tacacs & let me know what I made wrong?

Re: ip tacacs source-interface Loopback0 is not working

Mohammed al Baqari — Mon, 09 Apr 2018 09:39:02 GMT

Make sure that your loopback IP is able to reach your AD

Re: ip tacacs source-interface Loopback0 is not working

Raj Kumar L — Mon, 09 Apr 2018 09:44:15 GMT

yes Loop back ip is bale to reach AD & tacacs server

Re: ip tacacs source-interface Loopback0 is not working

Mohammed al Baqari — Mon, 09 Apr 2018 11:03:01 GMT

share the output of debug tacacs when you are trying to authenticate

Re: ip tacacs source-interface Loopback0 is not working

Raj Kumar L — Tue, 10 Apr 2018 06:20:05 GMT

Please find the logs

Apr 9 16:54:04.517 GMT: AAA/AUTHOR: auth_need : user= 'telecom' ruser= 'Router C'rem_addr= '10.170.215.72' priv= 1 list= '' AUTHOR-TYPE= 'commands'

Apr 9 16:54:04.517 GMT: AAA/AUTHOR: auth_need : user= 'telecom' ruser= 'Router C'rem_addr= '10.170.215.72' priv= 15 list= '' AUTHOR-TYPE= 'commands'

Apr 9 16:54:04.517 GMT: AAA: parse name=<no string> idb type=-1 tty=-1

Apr 9 16:54:04.517 GMT: AAA/MEMORY: create_user (0x24EA3724) user='User1' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)

Apr 9 16:54:04.517 GMT: TAC+: send AUTHEN/START packet ver=192 id=-1969424120

Apr 9 16:54:04.517 GMT: TAC+: Using default tacacs server-group "tacacs+" list.

Apr 9 16:54:04.517 GMT: TAC+: Opening TCP/IP to 172.27.1.37/49 timeout=5

Apr 9 16:54:04.517 GMT: TCB08328254 created

Apr 9 16:54:04.517 GMT: TCB08328254 setting property TCP_GIVEUP (41) 1E667A18

Apr 9 16:54:04.517 GMT: TCP: Random local port generated 61624, network 1

Apr 9 16:54:04.517 GMT: TCB08328254 bound to 10.170.222.253.61624

Apr 9 16:54:04.517 GMT: Reserved port 61624 in Transport Port Agent for TCP IP type 1

Apr 9 16:54:04.517 GMT: TCP: pmtu enabled,mss is now set to 1460

Apr 9 16:54:04.517 GMT: TCP: sending SYN, seq 664451917, ack 0

Apr 9 16:54:04.517 GMT: TCP0: Connection to 172.27.1.37:49, advertising MSS 1460

Apr 9 16:54:04.517 GMT: TCP0: state was CLOSED -> SYNSENT [61624 -> 172.27.1.37(49)]

Apr 9 16:54:06.518 GMT: 10.170.222.253:61624 <---> 172.27.1.37:49 congestion window changes

Apr 9 16:54:06.518 GMT: cwnd from 1460 to 1460, ssthresh from 65535 to 2920

Apr 9 16:54:06.518 GMT: TCP0: timeout #1 - timeout is 4000 ms, seq 664451917

Apr 9 16:54:06.518 GMT: TCP: (61624) -> 172.27.1.37(49)

Apr 9 16:54:09.519 GMT: TCP0: GIVEUP timeout timer expired

Apr 9 16:54:09.519 GMT: Released port 61624 in Transport Port Agent for TCP IP type 1 delay 240000

Apr 9 16:54:09.519 GMT: TCP0: state was SYNSENT -> CLOSED [61624 -> 172.27.1.37(49)]

Apr 9 16:54:09.519 GMT: TCB 0x8328254 destroyed

Apr 9 16:54:09.519 GMT: TAC+: TCP/IP open to 172.27.1.37/49 failed -- Connection timed out; remote host not responding

Apr 9 16:54:09.519 GMT: TAC+: Opening TCP/IP to 172.27.1.137/49 timeout=5

Apr 9 16:54:09.519 GMT: TCB24E7AF40 created

Apr 9 16:54:09.519 GMT: TCB24E7AF40 setting property TCP_GIVEUP (41) 1E667A18

Apr 9 16:54:09.519 GMT: TCP: Random local port generated 17979, network 1

Apr 9 16:54:09.519 GMT: TCB24E7AF40 bound to 10.170.222.253.17979

Apr 9 16:54:09.519 GMT: Reserved port 17979 in Transport Port Agent for TCP IP type 1

Apr 9 16:54:09.519 GMT: TCP: pmtu enabled,mss is now set to 1460

Apr 9 16:54:09.519 GMT: TCP: sending SYN, seq 1785071123, ack 0

Apr 9 16:54:09.519 GMT: TCP0: Connection to 172.27.1.137:49, advertising MSS 1460

Apr 9 16:54:09.519 GMT: TCP0: state was CLOSED -> SYNSENT [17979 -> 172.27.1.137(49)]

Apr 9 16:54:11.519 GMT: 10.170.222.253:17979 <---> 172.27.1.137:49 congestion window changes

Apr 9 16:54:11.519 GMT: cwnd from 1460 to 1460, ssthresh from 65535 to 2920

Apr 9 16:54:11.519 GMT: TCP0: timeout #1 - timeout is 4000 ms, seq 1785071123

Apr 9 16:54:11.519 GMT: TCP: (17979) -> 172.27.1.137(49)No authoritative response from any server.

BRIND-MFG-1-C#

Apr 9 16:54:14.520 GMT: TCP0: GIVEUP timeout timer expired

Apr 9 16:54:14.520 GMT: Released port 17979 in Transport Port Agent for TCP IP type 1 delay 240000

Apr 9 16:54:14.520 GMT: TCP0: state was SYNSENT -> CLOSED [17979 -> 172.27.1.137(49)]

Apr 9 16:54:14.520 GMT: TCB 0x24E7AF40 destroyed

Apr 9 16:54:14.520 GMT: TAC+: TCP/IP open to 172.27.1.137/49 failed -- Connection timed out; remote host not responding

Apr 9 16:54:14.520 GMT: AAA/MEMORY: free_user (0x24EA3724) user='User1' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)

Re: ip tacacs source-interface Loopback0 is not working

konstantinoschiotakis — Mon, 09 Apr 2018 13:11:20 GMT

Hi Raj Kumar L,

It seems that port 49 on the server is closed. Could you try telnet ip port and see if you get connection? If not i would go on server and check the listening ports.

HTH,

Re: ip tacacs source-interface Loopback0 is not working

Mohammed al Baqari — Mon, 09 Apr 2018 15:40:16 GMT

-##From the debugs connectivity between loopback and tacacs server is
blocked. Check any firewall blocking it or routing.

Re: ip tacacs source-interface Loopback0 is not working

Raj Kumar L — Tue, 10 Apr 2018 03:33:36 GMT

Please find the telnet output & test aaa output

Trying 172.27.1.37, 49 ... Open

[Connection to 172.27.1.37 closed by foreign host]

test aaa group tacacs+ XXXXXX XXXXXX legacy

Attempting authentication test to server-group tacacs+ using tacacs+

No authoritative response from any server.

Re: ip tacacs source-interface Loopback0 is not working

Mohammed al Baqari — Tue, 10 Apr 2018 04:01:16 GMT

did you specify source interface with telnet

Re: ip tacacs source-interface Loopback0 is not working

Raj Kumar L — Tue, 10 Apr 2018 05:20:34 GMT

No, When I give the source-interface as loopback 0 telnet is not opening

Re: ip tacacs source-interface Loopback0 is not working

Mohammed al Baqari — Tue, 10 Apr 2018 08:33:42 GMT

Thats the problem check the reacbility