topic Re: PSN rejecting TACACS Traffic - tcp reset on port 49 in Network Access Control

PSN rejecting TACACS Traffic - tcp reset on port 49

Jovan — Fri, 23 Aug 2019 06:03:50 GMT

Hey all, I'm seeing an issue with one of our PSNs which has stopped serving TACACS authentication. PSN2 works fine PSN1 is sending a TCP reset. Running ISE 2.4 patch 7.

PSN2

telnet 2.2.2.2 49
Trying 2.2.2.2, 49 ... Open

PSN1

telnet 1.1.1.1 49
Trying 1.1.1.1, 49 ...
% Connection refused by remote host

The application services look fine and the deployment screen has a green tick on the PSN. I have checked and the Device Admin role is ticked under the PSN and it is utilizing a license for it.

Does anyone know where I can find some more info on the specific services running? Which log or command can give me an output specifically on the TACACS service? It is also running RADIUS and profiling roles too but those services are running fine.

Thanks in advance for any help.

PSN1/admin# show application status ise

ISE PROCESS NAME STATE PROCESS ID
--------------------------------------------------------------------
Database Listener running 3256
Database Server running 115 PROCESSES
Application Server running 27263
Profiler Database running 6292
ISE Indexing Engine disabled
AD Connector running 18370
M&T Session Database disabled
M&T Log Collector disabled
M&T Log Processor disabled
Certificate Authority Service running 18103
EST Service running 18470
SXP Engine Service disabled
Docker Daemon running 7701
TC-NAC Service disabled

Wifi Setup Helper Container disabled
pxGrid Infrastructure Service disabled
pxGrid Publisher Subscriber Service disabled
pxGrid Connection Manager disabled
pxGrid Controller disabled
PassiveID WMI Service disabled
PassiveID Syslog Service disabled
PassiveID API Service disabled
PassiveID Agent Service disabled
PassiveID Endpoint Service disabled
PassiveID SPAN Service disabled
DHCP Server (dhcpd) disabled
DNS Server (named) disabled
ISE RabbitMQ Container running 9152

Re: PSN rejecting TACACS Traffic - tcp reset on port 49

Mike.Cifelli — Fri, 23 Aug 2019 12:57:00 GMT

Re: PSN rejecting TACACS Traffic - tcp reset on port 49

Nicolo.Steffe — Tue, 30 May 2023 13:42:12 GMT

Probably you need to enable the Device Admin service under Deployment and then Edit the PSN persona services and enable Device Admin (Be careful that the Device Admin is use a dedicated licenses)

Re: PSN rejecting TACACS Traffic - tcp reset on port 49

poongarg — Wed, 31 May 2023 04:34:09 GMT

ISE 2.4 is already EoL/EoS:

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-743964.html

Suggestion is to first upgrade the ISE deployment, test and update the results here.

Re: PSN rejecting TACACS Traffic - tcp reset on port 49

Sri Harsha Dasari — Wed, 06 Dec 2023 22:05:50 GMT

Check if Device Administration Service is enabled on that PSN.

Go to Administration -- Deployment -- click on the PSN, click on the checkbox next to Device Administration

Re: PSN rejecting TACACS Traffic - tcp reset on port 49

lanagna — Thu, 07 Dec 2023 12:12:07 GMT

Hi Team,
I'm posting in this forum, since I see the relevant discussion is running. Need support on finding the API[ansible]

a. Trying to find the API for enabling PSN work centers -> Overview -> Deployment -> Device Administration Deployment

=> Activate ISE Nodes for Device Administration
None
All Policy Service Nodes ------ > Finding API to enable the same via ansible
Specific Nodes

b. Similarly, trying to find API to enable Administration - >Network devices - > Network Device - Default Device

=> Default Network Device Status
Disable to Enable ---- > Need API for the same to use in Ansible.

This is to set password under TACACS

TACACS Authentication Settings
Enable TACACS
Shared Secret ____________

Re: PSN rejecting TACACS Traffic - tcp reset on port 49

Charlie Moreton — Thu, 07 Dec 2023 14:07:46 GMT

Please open a new question in this forum for this topic.

Re: PSN rejecting TACACS Traffic - tcp reset on port 49

Charlie Moreton — Thu, 07 Dec 2023 14:10:02 GMT

ISE 2.4 was not EoL when the question was asked in 2019. Unfortunately, the OP didn't respond to the questions in the first response so there's no way of knowing what the actual resolution for them was.