05-31-2017 11:49 AM - edited 03-11-2019 12:45 AM
We have a stack of switches that can't be logged into using TACACS. The configuration is a clone of at least 30 configurations; all the other devices use TACACS just fine. When I run a debug I can clearly see TACACS is timing out and it seems like the packet is dropped. I can ping both TACACS servers but I cannot telnet to port 49. There is no access list applied and I have changed versions of software. I am currently running 15.0.2.10.
Some debug messages...
001945: .May 31 07:46:59.688: TPLUS: Queuing AAA Authentication request 528 for processing
001946: .May 31 07:46:59.688: TPLUS(00000210) login timer started 1020 sec timeout
001947: .May 31 07:46:59.688: TPLUS: processing authentication start request id 528
001948: .May 31 07:46:59.688: TPLUS: Authentication start packet created for 528(username)
001949: .May 31 07:46:59.688: TPLUS: Using server 192.168.1.1
001950: .May 31 07:46:59.688: TPLUS(00000210)/0/NB_WAIT/80304AC: Started 5 sec timeout
001951: .May 31 07:47:04.696: TPLUS(00000210)/0/NB_WAIT/80304AC: timed out
001952: .May 31 07:47:04.696: TPLUS: Choosing next server 192.168.1.2
001953: .May 31 07:47:04.696: TPLUS(00000210)/1/NB_WAIT/80304AC: Started 5 sec timeout
001954: .May 31 07:47:04.696: TPLUS(00000210)/80304AC: releasing old socket 0
001956: .May 31 07:47:04.696: TPLUS(00000210)/1/NB_WAIT/80304AC: Socket 1 is in wait state
09-20-2017 04:07 AM
Can anyone assist with this problem? I have the same.
09-20-2017 04:23 AM - edited 09-20-2017 04:47 AM
I had the same problem, TACACS queries were timing out from some switches, but worked on others. I had not restarted the ISE PSN after enabling Device administration service. After PSN restart the problem was fixed. There is also a bug associated with TACACS failing to respond in ISE 2.1 - CSCva93191
09-20-2017 08:04 AM
I'll be honest, I am not sure of what you are talking about.
What is the ISE PSN?
I am decently new to TACACS and until this recent switch haven't had any problems. I have verified connectivity but I keep getting Socket 1 is in wait state and then timeouts.
09-20-2017 08:56 AM
Apologies, I should have asked: what product do you use as your TACACS servers?
09-20-2017 10:14 AM
09-21-2017 07:40 AM
Sorry, I have only used Identity Services Engine as TACACS server, not ACS. There are several reasons why the TACACS server would not respond, such as ACLs blocking the traffic somewhere, bugs on the TACACS server, etc. Try capturing traffic at several places in the network to see how far the request goes.
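Added example, not part of any post in this thread: a small Python parser that turns the TPLUS debug output from the first post into one record per server attempt, so the output of a failing stack can be compared against a working switch. The function name and record fields are assumptions chosen for illustration, and it only recognizes the message forms that appear in the thread.

```python
import re
from datetime import datetime

# Debug lines quoted from the first post in this thread.
SAMPLE = """\
001948: .May 31 07:46:59.688: TPLUS: Authentication start packet created for 528(username)
001949: .May 31 07:46:59.688: TPLUS: Using server 192.168.1.1
001950: .May 31 07:46:59.688: TPLUS(00000210)/0/NB_WAIT/80304AC: Started 5 sec timeout
001951: .May 31 07:47:04.696: TPLUS(00000210)/0/NB_WAIT/80304AC: timed out
001952: .May 31 07:47:04.696: TPLUS: Choosing next server 192.168.1.2
001953: .May 31 07:47:04.696: TPLUS(00000210)/1/NB_WAIT/80304AC: Started 5 sec timeout
001954: .May 31 07:47:04.696: TPLUS(00000210)/80304AC: releasing old socket 0
001956: .May 31 07:47:04.696: TPLUS(00000210)/1/NB_WAIT/80304AC: Socket 1 is in wait state
"""

# seq: [.|*]timestamp: TPLUS[(session)/socket/state/handle]: message
LINE = re.compile(
    r"^\d+: [.*]?(\w{3} +\d+ [\d:.]+): "
    r"TPLUS(?:\((\w+)\)/(\d+)/(\w+)/\w+)?: (.*)$")

def summarize(text):
    """Return one record per server attempt (hypothetical helper)."""
    attempts, open_attempts, server = [], {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # line form not seen in the thread; ignore it
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")
        session, sock, state, msg = m.group(2, 3, 4, 5)
        picked = re.match(r"(?:Using|Choosing next) server (\S+)", msg)
        if picked:
            server = picked.group(1)  # applies to the next timer start
        elif msg.startswith("Started") and sock is not None:
            rec = {"server": server, "socket": int(sock), "state": state,
                   "started": ts, "outcome": "pending", "waited": None}
            attempts.append(rec)
            open_attempts[(session, sock)] = rec
        elif msg == "timed out" and (session, sock) in open_attempts:
            rec = open_attempts.pop((session, sock))
            rec["outcome"] = "timeout"
            rec["waited"] = round((ts - rec["started"]).total_seconds(), 3)
    return attempts

if __name__ == "__main__":
    for rec in summarize(SAMPLE):
        print(rec["server"], "socket", rec["socket"], rec["state"],
              rec["outcome"], rec["waited"])
```

An attempt left as `pending` means the pasted debug output ended before a timeout line for that socket was logged.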